Netgate Discussion Forum

[SOLVED] Network Scanner cannot send e-file to LAN PC

General pfSense Questions
11 Posts 3 Posters 8.9k Views
  • W
    wallabybob
    last edited by Oct 8, 2011, 12:49 AM

    You have some sort of firewall on the PC?

    A recent automatic update meddled with crucial PC settings (crucial to the scanning)?

    Normally I would expect the PC and scanner to be on the same network (as determined by IP address and network mask). If they aren't (even if they are on the same physical network) then traffic between them will go through the network gateway (presumably pfSense, in which case firewall rules will apply).

    • J
      jikjik101
      last edited by Oct 8, 2011, 1:31 AM Oct 8, 2011, 1:04 AM

      You have some sort of firewall on the PC? None

      A recent automatic update meddled with crucial PC settings (crucial to the scanning)? No recent updates via WSUS

      Normally I would expect the PC and scanner to be on the same network (as determined by IP address and network mask). If they aren't (even if they are on the same physical network) then traffic between them will go through the network gateway (presumably pfSense, in which case firewall rules will apply). Yes, they are on the same network with subnet /22. What puzzled me is that the other scanner is working fine while this one does not. Both scanners have the same settings in terms of network options.

      I am expecting that since I am using DHCP with reserved IPs in my LAN, I think my scanner has a conflict IP with a PC.
      I checked both,  Enable DHCP server on LAN interface and Deny unknown clients.
      Also checked is the Enable Static ARP entries in the DHCP option of the pfSense.

      • W
        wallabybob
        last edited by Oct 8, 2011, 1:06 PM

        @jikjik101:

        I checked both,  Enable DHCP server on LAN interface and Deny unknown clients.
        Also checked is the Enable Static ARP entries in the DHCP option of the pfSense.

        These settings may not have any impact on communication between two LAN stations.

        @jikjik101:

        I am expecting that since I am using DHCP with reserved IPs in my LAN, I think my scanner has a conflict IP with a PC.

        I suggest you find the MAC address and IP address of the scanner, then on the PC examine the ARP table and check the MAC address for the Scanner's IP address is correct.

        I have a networked Brother Printer/Fax/Scanner. I can initiate a scan from a PC or from the Brother. If your scanner has similar capability do you get different results depending on where the scan is initiated?

        • J
          jikjik101
          last edited by Oct 10, 2011, 1:39 AM

          @wallabybob:

          @jikjik101:

          I checked both,  Enable DHCP server on LAN interface and Deny unknown clients.
          Also checked is the Enable Static ARP entries in the DHCP option of the pfSense.

          These settings may not have any impact on communication between two LAN stations.

          I think this is to ensure no conflict IP in my LAN,  that is if there is a new LAN workstation and even if he puts a static IP which is reserved to another PC, that new workstation will not be in conflict to my existing PC.

          @wallabybob:

          @jikjik101:

          I am expecting that since I am using DHCP with reserved IPs in my LAN, I think my scanner has a conflict IP with a PC.

          I suggest you find the MAC address and IP address of the scanner, then on the PC examine the ARP table and check the MAC address for the Scanner's IP address is correct.

          MAC address is correct, there is no DHCP request that is in conflict with the reserved IP of the scanner

          @wallabybob:

          I have a networked Brother Printer/Fax/Scanner. I can initiate a scan from a PC or from the Brother. If your scanner has similar capability do you get different results depending on where the scan is initiated?

          Mine is a Kyocera 3060 printer/scanner/photocopier. I can print from the PC to photocopier.  This machine has no feature that can initiate scan from a PC.
          I can print from a PC to the machine but cannot scan from the machine to the PC. It seems the traffic is only one way.

          I will do a fresh install of my pfSense and check if it has something to do with it.

          • W
            wallabybob
            last edited by Oct 10, 2011, 4:25 AM

            @jikjik101:

            @wallabybob:

            @jikjik101:

            I checked both,  Enable DHCP server on LAN interface and Deny unknown clients.
            Also checked is the Enable Static ARP entries in the DHCP option of the pfSense.

            These settings may not have any impact on communication between two LAN stations.

            I think this is to ensure no conflict IP in my LAN,  that is if there is a new LAN workstation and even if he puts a static IP which is reserved to another PC, that new workstation will not be in conflict to my existing PC.

            I can understand how the pfSense settings might stop a system with "unauthorised" IP address accessing the internet through pfSense but can't see how these pfSense settings would stop a system with "unauthorised" IP address communicating with another system on the LAN.

            @jikjik101:

            Mine is a Kyocera 3060 printer/scanner/photocopier. I can print from the PC to photocopier.  This machine has no feature that can initiate scan from a PC.
            I can print from a PC to the machine but cannot scan from the machine to the PC. It seems the traffic is only one way.

            Well then, I guess the scanner has to be configured with the IP address of the PC to receive the scan. Maybe a hostname is allowed as well as an IP address. What (IP address or hostname) is in the scanner that works? What is in the scanner that doesn't work? Maybe the scanner that doesn't work can't find the IP address of the PC to receive the scan. Does the scanner report anything or is there a log with some detailed error reporting? What DNS does the scanner use?

            @jikjik101:

            I will do a fresh install of my pfSense and check if it has something to do with it.

            Shouldn't do any harm but it is not clear to me that it would help. Why do you think a reinstall might make a difference?

            • J
              jikjik101
              last edited by Oct 11, 2011, 1:15 AM

              Do you mean that an unauthorized IP/workstation can still communicate with the valid workstations in my LAN? So if a staff member guesses a usable IP and manually puts it in his PC, then he can have access to my LAN? If that's the case, how can I prevent him from doing that?

              The scanner can send to both IP address and hostname as destination. But it doesn't have the feature of being able to scan from the PC, only from the machine itself. It seems that the scanner cannot communicate to the PC but the PC can communicate to the scanner because the PCs can network print on the scanner/printer.

              I have another machine, KM-2560, almost the same settings with this one, KM-3060, and there are some PC destinations that it can't send scanned files, but some destinations are okay.

              I am really lost on the way this machine communicates, it seems it is only a one-way traffic. I am suspecting that it might be with the pfSense or with the NIC/network protocol of the scanner.

              • M
                marcelloc
                last edited by Oct 11, 2011, 1:42 AM

                Check in the pfSense system logs whether the scanner's IP is in use by another machine.

                The message will look like:

                Ip address x.y.z.a moved from mac aa:ff:cc:dd:eff to ee:ff:Gtt:df:aa

                Also check the scanner's netmask. If it believes that your PC is on another LAN, it will forward to pfSense.

                Elite Training: http://sys-squad.com

                Help a community developer! ;D

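The log check suggested in the post above, as an added example that is not part of the original thread: it scans system log lines for ARP "moved" messages and reports every MAC that claimed an IP other than the MAC reserved for it. The exact log line format (FreeBSD kernel `arp: ... moved from ... to ... on <iface>`), the sample log lines, the MAC addresses and the reservation table are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed format of the kernel ARP message in the pfSense system log;
# the post above only gives an approximation of it.
MOVED = re.compile(
    r"arp: (?P<ip>\d+\.\d+\.\d+\.\d+) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample input: two hosts fighting over one reserved IP,
# an unrelated DHCP line, and a flap on an IP with no reservation.
SAMPLE_LOG = [
    "Oct 11 01:02:03 pfsense kernel: arp: 192.168.100.2 moved from "
    "00:c0:ee:11:22:33 to 00:1a:2b:3c:4d:5e on em1",
    "Oct 11 01:02:09 pfsense kernel: arp: 192.168.100.2 moved from "
    "00:1a:2b:3c:4d:5e to 00:c0:ee:11:22:33 on em1",
    "Oct 11 01:05:00 pfsense dhcpd: DHCPACK on 192.168.100.2 to "
    "00:c0:ee:11:22:33 via em1",
    "Oct 11 01:07:41 pfsense kernel: arp: 192.168.101.40 moved from "
    "00:aa:bb:cc:dd:01 to 00:aa:bb:cc:dd:02 on em1",
]

# Constructed DHCP reservation table: IP -> MAC that is allowed to hold it.
RESERVATIONS = {"192.168.100.2": "00:c0:ee:11:22:33"}


def find_ip_conflicts(log_lines, reservations):
    """Return {ip: sorted MACs seen holding that IP that are not its reserved MAC}.

    For an IP without a reservation both MACs are reported, because a
    "moved" message by itself means two stations answered for the address.
    """
    unexpected = defaultdict(set)
    for line in log_lines:
        m = MOVED.search(line)
        if not m:
            continue  # not an ARP move message
        ip = m["ip"]
        reserved = reservations.get(ip, "").lower()
        for mac in (m["old"].lower(), m["new"].lower()):
            if mac != reserved:
                unexpected[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in unexpected.items()}


if __name__ == "__main__":
    for ip, macs in find_ip_conflicts(SAMPLE_LOG, RESERVATIONS).items():
        print(f"{ip}: also claimed by {', '.join(macs)}")
```
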
                • W
                  wallabybob
                  last edited by Oct 11, 2011, 2:07 AM

                  @jikjik101:

                  Do you mean that an unauthorized IP/workstation can still communicate with the valid workstations in my LAN? So if a staff member guesses a usable IP and manually puts it in his PC, then he can have access to my LAN? If that's the case, how can I prevent him from doing that?

                  I don't have enough configuration information about your network, so this illustration might not be particularly relevant. You have a LAN with 2 computers connected: pfSense with IP 192.168.7.1/24, a server with IP 192.168.7.11/24. Someone walks up to a LAN socket and connects a laptop with static IP 192.168.7.159. The laptop can immediately communicate with the server with NO involvement of pfSense.

                  Appropriate prevention mechanisms depend on network configuration and what sort of access you are trying to secure against and what sort of access you want to allow. Suppose you have a public area with LAN sockets and you want to allow those sockets to access the internet but not systems on your LAN. Then you connect those sockets in the public area to another switch which connects to a separate interface ("OPTx") on pfSense and you set appropriate firewall rules in pfSense. Or you put the sockets in the public area on a separate VLAN.

                  @jikjik101:

                  The scanner can send to both IP address and hostname as destination. But it doesn't have the feature of being able to scan from the PC, only from the machine itself. It seems that the scanner cannot communicate to the PC but the PC can communicate to the scanner because the PCs can network print on the scanner/printer.

                  If the PC can send print jobs to the scanner then it is almost certainly possible for the scanner to communicate with the PC because the printer side of things must be sending TCP ACKs back to the PC to allow the PC to send more data.

                  When the scanner tries to send a job to the PC there could be a number of things going wrong including:

                  • the scanner has a hostname for the PC but can't translate the hostname to an IP address

                  • the path from scanner to PC goes through a firewall that blocks it

                  • the PC is unable to start the software to receive the scan in "sufficient time" and the scanner gives up

                  @jikjik101:

                  I have another machine, KM-2560, almost the same settings with this one, KM-3060, and there are some PC destinations that it can't send scanned files, but some destinations are okay.

                  Is there anything that distinguishes the destinations the scanner can send to from those it can't? For example, the PCs it can't send to are on a different IP network from the scanner?

                  @jikjik101:

                  I am really lost on the way this machine communicates, it seems it is only a one-way traffic. I am suspecting that it might be with the pfSense or with the NIC/network protocol of the scanner.

                  Some logging information, error reports, network configuration etc could be all helpful. There are a lot of things that could go wrong. If there is a firewall between two systems, "one way" communication can often indicate a firewall "misconfiguration".

                  • J
                    jikjik101
                    last edited by Oct 11, 2011, 2:40 AM

                    @marcelloc:

                    The machine has the correct IP, no other machines use the scanner's IP.
                    Correct IP addressing, correct subnet mask, the LAN is /22 so the scanner has a 255.255.252.0 mask.
                    Correct domain name, correct DNS, correct gateway.
                    The scanner gets its IP via DHCP.

                    I really don't know why it can't send the scan files to the LAN PCs.  ???

                    @wallabybob:
                    My LAN is something like this: I group my LAN clients to route traffic to a particular ISP; I have 3 WANs.
                    LAN = 192.168.100.0/22
                    pfSense = 192.168.100.1/32
                    Group A = 192.168.100.1/24 - 192.168.100.254/24 (KM-3060 - 192.168.100.2/32)
                    Group B = 192.168.101.1/24 - 192.168.101.254/24
                    Group C = 192.168.102.1/24 - 192.168.102.254/24 (KM-2560 - 192.168.102.2/32)
                    Group D = 192.168.103.1/24 - 192.168.103.254/24

                    All authorized LAN clients should be able to communicate with the devices in my LAN like the printer, scanner and file server.

                    How can I prevent someone from using the IP of KM-3060 from being used? In my DHCP server, I enabled:
                    Enable DHCP server on LAN interface
                    Deny unknown clients
                    Enable Static ARP entries

                    @wallabybob:

                    If the PC can send print jobs to the scanner then it is almost certainly possible for the scanner to communicate with the PC because the printer side of things must be sending TCP ACKs back to the PC to allow the PC to send more data.

                    When the scanner tries to send a job to the PC there could be a number of things going wrong including:

                    • the scanner has a hostname for the PC but can't translate the hostname to an IP address

                    • the path from scanner to PC goes through a firewall that blocks it

                    • the PC is unable to start the software to receive the scan in "sufficient time" and the scanner gives up

                    I am really puzzled by this "one-way" traffic.
                    I tried putting the IP address of the PC but still same result.
                    The PC doesn't need a special software to receive the scan file like the TWAIN driver.
                    pfSense is the only firewall in my LAN.

                    I especially put the IP address of the 3060 in the LAN firewall rules:

                    • 192.168.100.2 * * * * none (I also tried disabling this rule, but still the same)
                    • Group A * * * ISP1 none
                    • Group B * * * ISP2 none
                    • Group C * * * ISP3 none
                    • Group D * * * ISP1 none

                    My PC is in the Group A so same subnet with the scanner.

                    I also enabled in Advanced>Firewall/NAT: Bypass firewall rules for traffic on the same interface

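The forwarding decision discussed in this thread (same network "as determined by IP address and network mask", otherwise via the gateway), as an added example that is not part of the original posts. It models only each host's own choice of next hop, so it shows which directions of a conversation pfSense can see and filter; the PC addresses and the wrong /24 mask in the last two scenarios are hypothetical values constructed for illustration.

```python
import ipaddress


def next_hop(src_ip, prefixlen, dst_ip, gateway):
    """Next hop a host picks, judged from its OWN address and mask.

    'direct'      - destination is on-link; the packet never touches the gateway
    'gateway'     - destination is off-link and the gateway is on-link
    'unreachable' - destination is off-link and so is the configured gateway
    """
    own_net = ipaddress.ip_interface(f"{src_ip}/{prefixlen}").network
    if ipaddress.ip_address(dst_ip) in own_net:
        return "direct"
    if ipaddress.ip_address(gateway) in own_net:
        return "gateway"
    return "unreachable"


def firewall_sees(a, b, gateway):
    """a and b are (ip, prefixlen). Return the hop chosen in each direction
    and the list of directions that actually pass through the gateway."""
    hops = {
        "a->b": next_hop(a[0], a[1], b[0], gateway),
        "b->a": next_hop(b[0], b[1], a[0], gateway),
    }
    return hops, [d for d, hop in hops.items() if hop == "gateway"]


# (label, host a, host b, gateway)
SCENARIOS = [
    ("laptop and server from the /24 illustration",
     ("192.168.7.159", 24), ("192.168.7.11", 24), "192.168.7.1"),
    ("KM-2560 and a Group A PC, both with the /22 mask",
     ("192.168.102.2", 22), ("192.168.100.50", 22), "192.168.100.1"),
    ("KM-3060 with a hypothetical /24 mask, Group B PC with /22",
     ("192.168.100.2", 24), ("192.168.101.50", 22), "192.168.100.1"),
    ("KM-2560 with a hypothetical /24 mask, Group A PC with /22",
     ("192.168.102.2", 24), ("192.168.100.50", 22), "192.168.100.1"),
]

if __name__ == "__main__":
    for label, a, b, gw in SCENARIOS:
        hops, seen = firewall_sees(a, b, gw)
        print(f"{label}: {hops}, filtered by gateway: {seen or 'nothing'}")
```

With matching masks every flow inside the /22 is delivered station to station, so the LAN rules, "Deny unknown clients" and static ARP on pfSense never get to judge it.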
                    • J
                      jikjik101
                      last edited by Oct 11, 2011, 7:25 AM

                      I finally found the problem.

                      I tried changing my domain name in System>General Setup.
                      But when I checked with my PC and the scanner machine, the domain name was the previous domain.
                      I did an ipconfig/flushdns, restarted the NIC of my PC but still the same.

                      So I checked with the DHCP server, under Domain name, I specified my previous domain name.
                      Even if I change the domain name, I always get my previous domain.
                      I emptied the box under Domain name, did a flushdns and restarted the scanner, and everything is now OK.

                      I still don't get how that option affected my LAN.

                      Anyway, thanks to all, especially WALLABYBOB, for helping me with this.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.