Having problems setting up a network attached printer
I have a Netgate M1n1wall running pfsense and I'm having problems setting up a network attached printer.
pfsense is set up as follows:
The externally labeled LAN interface is assigned to OPT1 and given static ip 192.168.2.1/24
The externally labeled OPT1 interface is assigned to OPT3 and given static ip 192.168.3.1/24
The wireless card is assigned to WLAN and given static ip 192.168.4.1/24
OPT1, OPT3, and WLAN are bridged into bridge0 and assigned to LAN, given static ip 192.168.1.1/24
DHCP server is running on LAN, handing out IPs from 192.168.1.10 to 192.168.1.250
The network is set up as follows:
My desktop is plugged directly into the externally labeled LAN interface on the m1n1wall and has the ip 192.168.1.121 assigned by the DHCP server.
The network attached printer (a Brother HL-3170CDW) is plugged directly into the externally labeled OPT1 interface on the m1n1wall. Originally it was connecting wirelessly and had been assigned the ip 188.8.131.52 by the DHCP server, but I've been trying (failing) to get things working and now it has the static ip 192.168.1.2.
Various other wireless devices connecting via WLAN, and having their ip addresses assigned by DHCP.
If this looks weird and wrong, that's because I have no idea what I'm doing. If not, then it's purely by luck that I got anything right.
When using a regular home router the installer for the print drivers scans the network for the printer, finds the printer, and assigns it a name. Using the pfsense firewall, it fails to find the printer. After searching the forums a bit it seemed like maybe I needed to install Avahi, to handle whatever the installer was broadcasting, but that didn't help. So I got a pcap from my desktop while running the installer and I'm pretty sure this is the packet that goes out:
65 2.892109000 192.168.1.121 255.255.255.255 SNMP 190 get-request 184.108.40.206.4.1.24220.127.116.11.18.104.22.168 22.214.171.124.126.96.36.199.0 188.8.131.52.184.108.40.206.1.6.1 220.127.116.11.4.1.2418.104.22.168.1240.1.3.0 22.214.171.124.126.96.36.199.0 188.8.131.52.184.108.40.206.0 220.127.116.11.4.1.1240.2.3.4.18.104.22.168
Which, I'm pretty sure, is an SNMP broadcast. So I turned SNMP on in pfsense under Services -> SNMP. Went with the default values, and a random string for the "Read Community String" field. Unfortunately that didn't help either.
Another thing I've noticed is that when I look at the DHCP leases it says 'online' only when it has first connected to the network, but after a few minutes the DHCP lease says 'offline'. That being said, the installer doesn't find the printer when it says either of these things.
I've also tried giving the printer a static ip, and telling the installer to use the static ip instead of scanning the network. This allows the installer to finish, but the printer is not accessible.
Is there a problem with how I set up the interfaces, in a bridge like that? Should I have used vlans instead? Could I use vlans instead? How would I do that?
Am I missing something obvious?
Just so that I understand your network a little better, what are you trying to achieve by using the Opt1 interface? Also, you didn't mention a WAN port. Do you want pfSense to be a gateway firewall (to the Internet), an internal only router/firewall (no Internet connected to pfSense), an internal only transparent firewall, or just a smart switch?
Typical pfSense installs look something like this. Does this match your set up at all?
Internet <--> modem <--> [WAN pfSense LAN] <--> switch/hub <--> workstations, printers, servers, phones, etc.
Here's a couple of things that might help. For bridging you generally do not assign IP addresses to the interfaces. Generally you create the bridge, assign the bridge itself as an interface, then give the bridge interface the IP address. (All this bridging is generally unnecessary if you have a switch available.)
If you suspect the firewall itself is blocking traffic, check the firewall log at Status: System logs: Firewall.
Yes, the bridged interfaces should usually be assigned as type 'none'.
If the printer driver uses multicast/broadcast and you haven't moved bridge filtering from the member interfaces you may need to enable advanced IP options in the firewall rules between the interfaces.
Thanks for the suggestions. I have made a little progress.
Yes, the WAN interface is being used. Plugged into the cable modem.
Internet<->modem<->[WAN(vr1) pfsense LAN(bridge0)]<->workstation and wireless devices(including this damn printer)
bridge0 is OPT1(vr0), OPT3(vr2), and wlan(ath0). All now assigned type 'none'.
Just making those changes didn't do anything, but it certainly seems like less of a mess.
However, when I was poking around in System -> Advanced -> System Tunables I edited the values for net.link.bridge.pfil_onlyip, net.link.bridge.pfil_member, and net.link.bridge.pfil_bridge. I changed each of them to their non-default values. And suddenly I can connect to the printer from my workstation (hardwired into the LAN port on the m1n1wall). I can't connect to it by name, like the installer wants, but if I use the IP address it connects just fine. That's cool, I'll use the IP address. So everything's fine except that now I can't get a laptop, connected to the LAN wirelessly through ath0 (just like the printer), to connect to the printer. Same OS (Windows 8.1) as the workstation. Only thing different is the connection type (wireless vs wired).
Which has me scratching my head, and wondering "is there an easier/better way to do what I want"?
What I want is…
Internet <-> Modem <-> pfsense
-> LAN -> 1 workstation
-> WLAN -> workstations, laptops, and network devices
-> OPT1 -> nothing (but possibly a file server in the future)
I would like all of the devices on all of the interfaces to be able to communicate with each other via IP address (ie all on the same subnet).
How should I go about doing this? Is the bridged interface the right way to go? Is there a better way?
Yes, bridged interfaces are correct.
If you move the bridge filtering from the bridge members to the bridge itself, as you have done, then firewall rules you have on the bridged interfaces no longer do anything. Instead you need to add firewall rules to the bridge interface. However if your bridge0 interface is assigned as LAN then the default allow all rule should be in effect.
If you haven't rebooted since you moved the filtering you should. The sysctl changes only apply when the bridge is created, as it is at boot.
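A way to check where bridged traffic is actually being filtered, added here as an example and not code from the thread or from pfSense. The function name `bridge_filter_mode` and its messages are made up for illustration; the meaning of the three tunables follows FreeBSD's if_bridge(4), and the sample input is constructed.

```shell
#!/bin/sh
# Reads "name: value" lines (the format FreeBSD's sysctl prints) on stdin and
# reports which firewall rules apply to bridged traffic.
# Prints the mode on stdout, the explanation on stderr; returns 2 if incomplete.
bridge_filter_mode() {
    member= bridge= onlyip=
    while IFS=': ' read -r key val; do
        case "$key" in
            net.link.bridge.pfil_member) member=$val ;;
            net.link.bridge.pfil_bridge) bridge=$val ;;
            net.link.bridge.pfil_onlyip) onlyip=$val ;;
        esac
    done
    case "$member$bridge" in
        10) mode=member
            note="rules on the member interfaces apply; rules on the bridge interface do not" ;;
        01) mode=bridge
            note="rules on the bridge interface apply; rules on the member interfaces are ignored" ;;
        11) mode=both
            note="traffic must pass the rules on the member interfaces and on the bridge interface" ;;
        00) mode=none
            note="bridged frames are not handed to the packet filter at all" ;;
        *)  echo unknown
            echo "pfil_member/pfil_bridge missing or not 0/1" >&2
            return 2 ;;
    esac
    echo "$mode"
    echo "$note" >&2
    if [ "$onlyip" = 0 ]; then
        echo "pfil_onlyip=0: non-IP Ethernet frames cross the bridge unfiltered" >&2
    fi
    return 0
}

# Constructed sample: filtering moved from the members to the bridge.
# On the firewall itself: sysctl net.link.bridge | bridge_filter_mode
bridge_filter_mode <<'EOF'
net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
EOF
```

Because the tunables take effect when the bridge is created, run the check again after the reboot to confirm the running values match what was saved.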