Issues printing/accessing webgui on different subnets



  • I have pfSense 2.1 set up with 3 LAN and 2 WAN interfaces. Just about everything is working (VOIP, Lync, web etc.), but I'm having issues with certain devices on different subnets. I'm unable to reach a network printer from a different subnet, or access a webgui for a device on a different subnet.

    All of the devices have static IPs. I have set up Aliases for them and set up rules to allow the required ports. Logging is enabled on the rules, and I'm seeing the packets pass correctly. I see nothing blocked, in either direction, between the client and the device. Yet I'm still unable to print/access the GUI on LAN3 from LAN1.

    We had Untangle set up before, and these scenarios were working without issue.

    What am I missing or what else can I check to find out what is causing this issue?


  • Netgate Administrator

    Are you trying to access it by IP?
    Are the subnets and gateways set correctly on the printer and client?

    Steve



  • Yes, all clients/hardware are pointed to pfSense as the gateway. I always use the IP to try and connect. With the GUI I use the browser. For the printer, I'm trying to add it by IP and it can't be found. If I add the printer on the correct subnet by IP, then move the workstation to the other subnet, all prints will fail.


  • Netgate Administrator

    The usual problem with printers and similar things across subnets is that the OS attempts to use some discovery protocol to find them that can only look inside its own subnet. It sounds like you're aware of that though.
    Are these Windows clients? Do you have a Windows domain set up? If you have a domain controller you can point everything at that to enable discovery across subnets.

    The other thing is that routing is failing in one or other direction. Does the printer respond to pings? Can you ping it?

    Steve



  • And do these devices have a default gateway defined?
    The printer,… will need the capability to have a default gateway so it can reply to traffic from outside its own subnet.



  • @stephenw10:

    The usual problem with printers and similar things across subnets is that the OS attempts to use some discovery protocol to find them that can only look inside its own subnet. It sounds like you're aware of that though.
    Are these Windows clients? Do you have a Windows domain set up? If you have a domain controller you can point everything at that to enable discovery across subnets.

    The other thing is that routing is failing in one or other direction. Does the printer respond to pings? Can you ping it?

    Steve

    These are Windows clients, and we have DCs on site. The workaround for now is to share the printer from a DC on the same subnet, then others have no issue printing. I was hoping to solve the problem without a workaround though.

    I know the discovery uses broadcast to try and scan for the printers, but I skip that and enter the IP since I know it won't be found. Even with the IP it isn't found, and it won't work if it's set up then moved to another subnet.

    When I check the logs I make sure to check both ways to make sure it isn't return traffic being blocked. I did see that initially with the webgui issues, but once I allowed the return traffic it still did not work.

    I've been using pfSense for years now, and this has me completely stumped.


  • Netgate Administrator

    @Biznatch:

    When I check the logs I make sure to check both ways to make sure it isn't return traffic being blocked. I did see that initially with the webgui issues, but once I allowed the return traffic it still did not work.

    Well that's interesting. You should not have had to open firewall rules to allow the return traffic since it would be part of the TCP connection opened by the client which was already allowed.
    The fact that pfSense blocked it might imply it's using asynchronous routing somehow or sending replies via completely the wrong route.

    Steve
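
    Added example, not part of the original thread: a check for the symptom described in the post above (what it calls asynchronous routing is more commonly called asymmetric routing). A stateful firewall should only ever block a bare SYN by rule, so blocked SYN-ACK or ACK packets point to traffic arriving without matching state. The record layout and addresses are constructed for illustration and are not pfSense's native filter log format.

```python
from collections import defaultdict

# Constructed records: (action, interface, src, sport, dst, dport, tcp_flags).
# Simplified layout for illustration; this is not pfSense's native filter log format.
SAMPLE_LOG = [
    ("pass",  "LAN1", "10.0.1.50", 51000, "10.0.3.20", 9100, "S"),   # client opens to printer
    ("block", "LAN3", "10.0.3.20", 9100, "10.0.1.50", 51000, "SA"),  # reply dropped despite SYN
    ("block", "LAN3", "10.0.3.30", 80, "10.0.1.51", 51001, "SA"),    # reply, SYN never seen here
    ("block", "LAN3", "10.0.3.30", 80, "10.0.1.51", 51001, "SA"),    # retransmission
    ("block", "LAN1", "10.0.1.99", 40000, "10.0.3.20", 23, "S"),     # ordinary rule block
]

def out_of_state_blocks(records):
    """Find blocked TCP packets that are not connection openers (bare SYN)."""
    opened = set()                 # flows whose opening SYN was passed
    blocked = defaultdict(list)    # flow -> [(interface, flags), ...]
    for action, iface, src, sport, dst, dport, flags in records:
        flow = (src, sport, dst, dport)
        if action == "pass" and flags == "S":
            opened.add(flow)
        elif action == "block" and flags != "S":
            blocked[flow].append((iface, flags))
    findings = []
    for flow, hits in blocked.items():
        src, sport, dst, dport = flow
        reverse = (dst, dport, src, sport)
        findings.append({
            "flow": f"{src}:{sport} -> {dst}:{dport}",
            "hits": hits,
            # True: the SYN crossed this firewall but the reply missed its state.
            # False: only one direction of the connection crosses this firewall.
            "syn_passed_here": flow in opened or reverse in opened,
        })
    return findings

if __name__ == "__main__":
    for f in out_of_state_blocks(SAMPLE_LOG):
        print(f["flow"], f["hits"], "SYN passed here:", f["syn_passed_here"])
```

    A finding with no SYN passed here means one direction of the connection takes a path around the firewall, which is the routing and gateway question raised earlier in the thread.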



  • I have the same issue and up to now have been looking for an answer to it. The client is in another VLAN, printing in another VLAN. The printer seems to think and then hangs up; the print does not come out. Would anybody here like to help us on this?

    I am using pfSense 2.1.1 now and the configuration is Squid using the transparent mode patch with captive portal. Hope someone could shed some light.


  • Netgate Administrator

    Nothing in the logs?
    You are running Squid and captive portal on both VLANs? Have you tried disabling them?
    The next step would be to run a packet capture to determine what's happening.

    Steve



  • I made some adjustments: I disabled automatic outbound NAT and made a mapping to the 0.0.0.0/0 subnet, and printing now works without error. However, captive portal is not redirecting to the authentication page. Can you share some thoughts about this?


  • Netgate Administrator

    Could you clarify exactly where and what your new NAT mapping is? Perhaps a screenshot?

    It sounds like you've managed to by-pass the captive portal somehow. It's not obvious how you've done that though. I don't use the captive portal but last time I checked it's the one element of pfSense that uses IPFW and operates at layer 2.

    Steve



  • To give you a brief overview of my network, I have 6 VLANs. All VLANs are routed on a Cisco router going to my IPLC. Internet is under my Fortigate firewall. pfSense functions as proxy and captive portal for all VLANs.
    pfSense in the VLANs is working well; however, I have issues when it comes to printing. When I try to connect to a print server the connection fails. So what I did was modify the outbound NAT (** please see image attached), and now printing works well without any issues. But then again I have another issue: captive portal is not redirecting to the authentication page for all those who do not have access to the internet. I am using a voucher to give access to the internet for all the guests, and for VIPs I have their MAC encoded on pass-through. Can you share your thoughts on how I can effectively use the pfSense portal without any issues on printing and the authentication page?

    ** Forgot to mention I don't have any filter rules; I have any-any access for all the interfaces and VLANs.

    ![Outbound NAT.jpg](/public/imported_attachments/1/Outbound NAT.jpg)


  • Netgate Administrator

    Ok, so you have a WAN interface and 6 internal VLAN interfaces? Are the internal interfaces using separate private subnets? Are you running DHCP?

    You have added a very wide range NAT rule that NATs everything to WAN. However that shouldn't make any difference to traffic between internal interfaces. I assume you are printing between two internal VLAN interfaces?

    Steve



  • Yes, you are right: 1 WAN interface and 6 VLANs, and I am printing in between VLANs. Doing the config for outbound NAT makes me able to print. However, if I do a manual outbound NAT redirection of authentication page, when an authenticated client fires up his browser the captive portal auth page doesn't show up.

    DHCP is coming from a Windows server; I just use an IP helper address on the switch. Each VLAN has its own internal private addresses.

    If there is no pfSense or captive portal in between I can print without any issues.

    What do you think seems to be the problem?



  • I hope someone could help me on this.


  • Netgate Administrator

    Hmm, yes it's hard to know quite what happened here.
    Normally you would have individual NAT rules for each of your internal subnets. What rules do you get if you go back to 'automatic outbound NAT' and then back to manual such that it fills in the required rules automatically?

    It seems as though you have by-passed the captive portal but I'm not sure how. Perhaps by NATing everything you are including self assigned addresses.  :-\

    Do you have only the one system gateway, the WAN gateway?

    Is the Windows DHCP server handing out the pfSense interface addresses as the gateway for its clients?

    When print sharing wasn't working were you able to connect between subnets in other ways?

    Steve



  • No, I did not bypass captive portal. Captive portal is working; however, the page for authentication is missing. I tested it by removing my MAC address from the list and I was not able to go to the internet, and when I put my MAC in again I could surf the net.

    On gateways, I have multiple gateways for the VLANs, but not all of them are under a pfSense VLAN IP. For my test I am using pfSense as the gateway so I can use captive portal; again, if I use pfSense as the gateway my printing does not work.

    On DHCP: yes, Windows handles all the IPs connecting to pfSense, and I think this is not a DHCP issue.

    When printing is not working I can reach all VLANs without any problem.