1 WAN, 3 LANs, can't access host on one LAN



  • OK... I have WAN, and LAN (172.16.0.0/24), WLAN_G (172.16.1.0/24), and WLAN_N (172.16.2.0/24).

    I have a Brother printer on WLAN_G (172.16.1.5).

    I cannot ping or print to it from LAN or WLAN_N. pfSense can ping it directly. I can ping other hosts on WLAN_G from either other LAN. I can ping the printer from WLAN_G. There are no settings I can find on the printer that would cause it to refuse access from outside its subnet. How do I go about fixing this? NAT if the host is from another subnet?

    Also, I have an Apple TV on WLAN_N that I'd like to be able to access from WLAN_G and LAN for AirPlay. How do I do this?



  • Sounds like the printer is missing a default gateway, or has the wrong IP on it.



  • You do not need NAT between LANs, just routing.

    Change outbound NAT to manual and leave just WAN on the list.

    Also you need to change one of the WLAN networks; both are on the same 172.16.2, both are on the same IP range.

    The last thing to check is the WLAN firewall rules.



  • @marcelloc:

    You do not need NAT between LANs, just routing.

    Change outbound NAT to manual and leave just WAN on the list.

    Also you need to change one of the WLAN networks; both are on the same 172.16.2, both are on the same IP range.

    The last thing to check is the WLAN firewall rules.

    Apologies for a typo. It actually is on a different subnet (172.16.1). There are no rules on either WLAN interface, and outbound NAT only has WAN present. I even checked the printer and it lists itself as having the correct IP & gateway.



  • @hunterisgreat:

    There are no rules on either WLAN interface.

    So there is no outbound traffic. The firewall is blocking everything.  :(



  • @marcelloc:

    @hunterisgreat:

    There are no rules on either WLAN interface.

    So there is no outbound traffic. The firewall is blocking everything.  :(

    There is a floating rule to allow anything from LAN, and the two wireless LANs, to go anywhere. Outbound works fine. I am able to ping other hosts on the 172.16.1 subnet, so I suspect it's something goofy with this printer... I set up a NAT from the two non-172.16.1 subnets to the 172.16.1 subnet, and now I can ping and access the HTTP interface of the printer but still cannot print to it (on a MacBook, I believe using Bonjour).



  • @hunterisgreat:

    There is a floating rule to allow anything from LAN, and the two wireless LANs, to go anywhere. Outbound works fine. I am able to ping other hosts on the 172.16.1 subnet, so I suspect it's something goofy with this printer... I set up a NAT from the two non-172.16.1 subnets to the 172.16.1 subnet, and now I can ping and access the HTTP interface of the printer but still cannot print to it (on a MacBook, I believe using Bonjour).

    You do not need NAT for this internal communication.

    Make some tcpdumps from OPT1 to LAN to see how packets are flowing.

    Check and recheck your printer's network setup (netmask, gateway, etc.).
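The two things the replies above ask the original poster to verify, that no two router interfaces carry the same prefix and that the printer's netmask and gateway agree with the router, can be checked mechanically. The following Python is an added example, not code from the thread or from pfSense. It assumes pfSense holds the .1 address on each /24 (the thread only gives the networks, not the router addresses), and the host configurations it checks are constructed to illustrate a correct printer, a printer with a wrong netmask, and a printer with a gateway from the wrong subnet.

```python
import ipaddress

# Constructed router interface table for the topology described in the thread.
# The .1 addresses are an assumption: the thread gives only the /24 networks.
ROUTER_INTERFACES = {
    "LAN":    "172.16.0.1/24",
    "WLAN_G": "172.16.1.1/24",
    "WLAN_N": "172.16.2.1/24",
}


def overlapping_interfaces(interfaces):
    """Return sorted (a, b) pairs of interface names whose networks overlap.

    A router cannot route between two interfaces that carry the same prefix,
    which is what the first reply suspected from the (mistyped) subnet list.
    """
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_host(interfaces, ip, netmask, gateway):
    """Compare a host's IP/netmask/gateway with the router's interface table.

    Returns a list of human-readable problems; an empty list means the host
    is configured consistently with the router.
    """
    host = ipaddress.ip_interface(f"{ip}/{netmask}")
    gw = ipaddress.ip_address(gateway)

    # Find the router interface whose network contains the host address.
    home = [(name, ipaddress.ip_interface(addr))
            for name, addr in interfaces.items()
            if host.ip in ipaddress.ip_interface(addr).network]
    if not home:
        return [f"{host.ip} is not inside any router interface network"]
    name, router = home[0]

    problems = []
    if host.network != router.network:
        # A too-wide mask makes the host treat the other subnets as on-link:
        # it ARPs for them instead of sending replies to the gateway, so the
        # router itself can still reach the host while hosts on the other
        # subnets cannot.
        problems.append(f"netmask {netmask} puts the host in {host.network}, "
                        f"but {name} is {router.network}")
    if gw not in router.network:
        problems.append(f"gateway {gateway} is not on {router.network}")
    elif gw != router.ip:
        problems.append(f"gateway {gateway} is not the router's {name} "
                        f"address {router.ip}")
    return problems


if __name__ == "__main__":
    # Constructed sample hosts: the printer as the thread describes it,
    # then the same printer with a /16 mask, then with a LAN-side gateway.
    print(overlapping_interfaces(ROUTER_INTERFACES))
    print(check_host(ROUTER_INTERFACES, "172.16.1.5", "255.255.255.0", "172.16.1.1"))
    print(check_host(ROUTER_INTERFACES, "172.16.1.5", "255.255.0.0", "172.16.1.1"))
    print(check_host(ROUTER_INTERFACES, "172.16.1.5", "255.255.255.0", "172.16.0.1"))
```

The interface table is the only input that has to be typed in; the host values come from the printer's own network status page. If `check_host` returns nothing and the printer still does not answer from other subnets, the problem is not addressing and the tcpdump step in the reply above is the next thing to do.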



  • I have a config that is similar and I'm not sure how to configure it. See my image for what I am trying to do. What is the recommended method for this? My printer exists on the LAN and I have two other networks, OPT1 and OPT2. I want OPT1 and OPT2 to see the printers on the LAN. The issue is that the application on the devices on OPT1 can only find the printer with a search of the local (OPT1) subnet and does not allow entering the IP:PORT directly. Is it possible to make it appear on the OPT1 network for this purpose?




  • Disable NAT between networks and create firewall rules on OPTx and LAN to specify the traffic you want to permit.



  • How do I disable NAT between LAN & OPTx while maintaining NAT for WAN?



  • Firewall -> NAT -> Outbound.

    Change to manual and leave only the WAN rule.



  • To accomplish the same thing as you are trying, I did the following:

    First I created an alias of the IPs of all printers and file servers I wanted seen by the other LANs and subnets, called fileServers.
    Then I created an alias for the ports required for the subnets and LAN to talk to the printers. This is based on the OS of the client; I called it nfsPorts.

    Here is a list of some ports you may require:

    netbios-ns - 137/tcp # NETBIOS Name Service
    netbios-dgm - 138/tcp # NETBIOS Datagram Service
    netbios-ssn - 139/tcp # NETBIOS session service
    microsoft-ds - 445/tcp # if you are using Active Directory

    Other ports:

    Port 389 (TCP) - for LDAP (Active Directory mode)
    Port 445 (TCP) - NetBIOS was moved to 445 after 2000 and beyond (CIFS)
    Port 901 (TCP) - for SWAT service (not related to client communication)

    and then port 631 for CUPS. There might be more if you require file sharing across subnets.

    After that, in the subnet or LAN (OPT tab) in firewall rules, I created a rule as below (proto, source, source port, destination, destination port, gateway, queue, description):

    TCP/UDP  WIFI net  *  fileServers  nfsPorts  *  none  NFS/CUPS NETBIOS traffic

    The WIFI net is what I named the OPT(x) that was allowed to share files and printers.
    Also, in CUPS there is a setting that has to be set for it to talk to different subnets.

    If I remember correctly it is BrowseAllow all and Browsing On, and there is BrowseAddress xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is the IP of the subnet.
    This should help.
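To make concrete what the alias-based rule in the post above does and does not let through, here is a small Python model of it, evaluated against a few constructed packets. This is an added example, not the poster's configuration and not pfSense code: the alias contents ("WIFI net" as 172.16.1.0/24, two fileServers addresses on 172.16.0.0/24) are assumptions, since the post does not list them, and the evaluation mirrors how pfSense interface rules behave (first match wins, anything unmatched hits the interface's default deny) rather than reimplementing pf.

```python
import ipaddress
from dataclasses import dataclass

# Constructed alias table in the shape the post describes. The addresses are
# assumptions; the port list is the post's list plus 631 for CUPS. Raw
# JetDirect (9100) is deliberately absent to show what happens to a port the
# alias does not cover.
ALIASES = {
    "WIFI net":    ["172.16.1.0/24"],
    "fileServers": ["172.16.0.5", "172.16.0.10"],
    "nfsPorts":    [137, 138, 139, 445, 389, 901, 631],
}


@dataclass
class Rule:
    proto: str          # "TCP/UDP", "TCP", "UDP", "ICMP" or "any"
    src: str            # alias name, address/CIDR, or "*"
    sport: str          # alias name, port number, or "*"
    dst: str
    dport: str
    action: str = "pass"
    descr: str = ""


def _addr_match(spec, ip, aliases):
    """Match an address against an alias (list of hosts/networks) or literal."""
    if spec == "*":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in aliases.get(spec, [spec]))


def _port_match(spec, port, aliases):
    """Match a port against a port alias or a single literal port."""
    if spec == "*":
        return True
    return int(port) in {int(p) for p in aliases.get(spec, [spec])}


def _proto_match(spec, proto):
    return spec.lower() == "any" or proto.upper() in spec.upper().split("/")


def evaluate(rules, pkt, aliases=ALIASES):
    """Return (action, description) for a packet arriving on the interface.

    Interface rules in pfSense are 'quick': the first matching rule decides,
    and a packet matching nothing is dropped by the default deny.
    """
    for r in rules:
        if (_proto_match(r.proto, pkt["proto"])
                and _addr_match(r.src, pkt["src"], aliases)
                and _port_match(r.sport, pkt["sport"], aliases)
                and _addr_match(r.dst, pkt["dst"], aliases)
                and _port_match(r.dport, pkt["dport"], aliases)):
            return r.action, r.descr
    return "block", "default deny"


# The single rule from the post, as it would sit on the WIFI interface tab.
WIFI_RULES = [
    Rule("TCP/UDP", "WIFI net", "*", "fileServers", "nfsPorts",
         descr="NFS/CUPS NETBIOS traffic"),
]

# Constructed packets, all as seen entering the WIFI interface.
SAMPLE_PACKETS = {
    "ipp_print":      {"proto": "TCP",  "src": "172.16.1.20", "sport": 51000,
                       "dst": "172.16.0.5",   "dport": 631},
    "smb_share":      {"proto": "TCP",  "src": "172.16.1.20", "sport": 51001,
                       "dst": "172.16.0.10",  "dport": 445},
    "raw_9100":       {"proto": "TCP",  "src": "172.16.1.20", "sport": 51002,
                       "dst": "172.16.0.5",   "dport": 9100},
    "wrong_server":   {"proto": "TCP",  "src": "172.16.1.20", "sport": 51003,
                       "dst": "172.16.0.99",  "dport": 631},
    "ping_printer":   {"proto": "ICMP", "src": "172.16.1.20", "sport": 0,
                       "dst": "172.16.0.5",   "dport": 0},
    # Bonjour/mDNS discovery: link-local multicast, not in the alias, and a
    # router would not forward it between subnets in any case.
    "mdns_discovery": {"proto": "UDP",  "src": "172.16.1.20", "sport": 5353,
                       "dst": "224.0.0.251",  "dport": 5353},
}


def run_samples():
    """Evaluate every sample packet; returns {name: action}."""
    return {name: evaluate(WIFI_RULES, pkt)[0]
            for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:15s} {action}")
```

Two points the model makes visible: the rule only has to permit the client-to-server direction, because the firewall's state table handles the replies, and a printer protocol not in the port alias (raw 9100 here) silently hits the default deny, which is the first place to look when "ping works but printing doesn't". The mDNS case also shows why a rule like this cannot answer the discovery question asked earlier in the thread: the application's subnet search never leaves its own segment.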

