Impossible to print through pfsense



  • Dear all,

    I am banging my head around trying to sort out my printing problem. Any help would be highly appreciated.
    See picture attached: I'm using pfsense to run an openVPN connection to my workplace. All lines on the picture are ethernet wired connections, not wi-fi.

    When I unplug my PC from the ethernet and connect to my home gateway directly through wifi, I can print.
    When I'm connected through ethernet/pfsense, I can't.

    I recently worked out that DNS resolution was not working. I have already fixed that through a host override in the DNS forwarder options. Now I can ping the printer by name, and I can access its web config page by name too.
    But it is still not printing. The print queue just shows "printing error". It resumes, though, when I unplug the ethernet and connect to the gateway through wifi, hence bypassing pfSense.

    I have some suspicion regarding the use of a fully qualified domain name for the printer; nevertheless I have no clue how to find out what to use!!
    This is just a suspicion, as I also cannot, when connected through pfSense, remote desktop for instance into other machines by name (but can do so by IP); hence I believe the host override I did is incomplete and somehow/miraculously works for ping and HTTP but not for printing. But IMHO I should be able to set up the DNS forwarder properly and not need any override??

    I understand that pfSense 2.2 uses a completely different set of DNS services. Should I upgrade? (I'm wary of trying that directly as it may require the IT dept at my workplace to upgrade their side as well :(

    Note that I have also inserted a "pass all" rule, from the printer's IP on the WAN side and to the printer's IP on the LAN side…
    I also ran Wireshark when trying to print - I haven't found anything helpful in the captures... happy to post them if that can help.

    Any advice would be greatly appreciated!

    THANKS


    ![pfsense.pdf - Adobe Reader_2015-07-09_13-43-20.jpg](/public/imported_attachments/1/pfsense.pdf - Adobe Reader_2015-07-09_13-43-20.jpg)



  • Wow, where to begin with this.

    You have three routers set up in series.  That is very bad, you should expect to have problems.

    pfSense may not route bogon addresses depending on how you've got your WAN interface set up.  That means it won't route your 10.x.x.x/8 network at all.  It means no traffic will travel to/from the LAN side of your pfSense installation.

    Remove the Netgear router and connect directly into the pfSense LAN port with your PC.  Check the WAN and LAN interface and make sure they are passing bogon traffic.  See attached.

    ![Screen Shot 2015-07-09 at 8.48.33 PM.png](/public/imported_attachments/1/Screen Shot 2015-07-09 at 8.48.33 PM.png)



  • @tim.mcmanus:

    That means it won't route your 10.x.x.x/8 network at all.  It means no traffic will travel to/from the LAN side of your pfSense installation.

    Thanks for your advice Tim. Note though that,
    1. Besides this printing issue, I have no problem communicating to and from both sides: remote desktop, Samba shares and the DLNA server work just fine.
    2. My picture is quite ambiguous in that the Netgear "router" is actually used just as a switch (DHCP disabled). I can't see why it could be the source of any issue…

    3. [edit] In point 1 above, I actually do a lot from my "Work" subnet (192.168.10.x) to my personal subnet (10.0.0.x)… but indeed I don't do anything in the other direction.
    I guess then that my Windows PC can "go to" my printer (ping, web access etc.), but printing probably also requires the printer to initiate a reply to the client PC? And hence, when the printer asks the Comcast gateway for the IP address of my client PC, this one cannot be seen as it is on the other subnet. (I cannot ping from a 10.0.0.x machine to a 192.168.10.x machine.)

    Is it something that could be done via port forwarding in A/ the gateway settings so it routes replies back to pfSense and B/ in pfSense so it knows how to transfer these replies back from the WAN to the Windows PC...

    Sorry if my questions are stupid...I'm really learning as I do with this thing :-(

    Tim, if you could suggest another way/topology for me to:
    1. have both my work machines and personal machines use the one Comcast connection I have;
    2. have my work machines behind pfSense, both for security reasons and to support an OpenVPN tunnel with my office;
    3. not have to spend $$ on a wireless router and yet have fast wifi access for the many devices in my personal subnet (Roku TV, kids' iPads, phones etc.). I HAVE TO use this gateway anyway as it is my cable modem provided by the ISP - it has two class ac wifi access points in there which it would be a shame not to use.


  • LAYER 8 Netgate

    Impossible to print through pfsense

    I do it e'r'yday.  Even over OpenVPN.

    Are you sure it's not some zeroconf/auto config that's not working across the router?



  • pfSense may not route bogon addresses depending on how you've got your WAN interface set up.  That means it won't route your 10.x.x.x/8 network at all.

    To be clear, bogons are NOT RFC1918 addresses.  RFC1918 aka private IP space is non-routable address space.  Bogons are valid public IP addresses that have not been allocated to anyone so they should technically not be in use.


  • LAYER 8 Global Moderator

    Well, if this ISP device is so good, why are you using pfSense?  You have put your W7 PC behind a NAT to your 10.x network connected to your ISP router.

    Yeah, you're going to have problems using, say, AirPrint, etc.

    Note that I have inserted too a "pass all" rule, from the printer's IP on the WAN side and to the printer's IP on the LAN side…

    This is pointless and BAD.. and doesn't even work if you're using NAT.

    How exactly are you trying to print?  I have my printer on a different segment than my PC.  I am on 192.168.9.100/24 and my printer is on 192.168.2.50/24 -- I print to it just fine from my PC.  But I have set up the driver to point to the printer's IP via the FQDN host name brother.local.lan, which resolves to 192.168.2.50:

    ```
    C:\>ping brother.local.lan

    Pinging brother.local.lan [192.168.2.50] with 32 bytes of data:
    Reply from 192.168.2.50: bytes=32 time=2ms TTL=254
    Reply from 192.168.2.50: bytes=32 time=2ms TTL=254
    Reply from 192.168.2.50: bytes=32 time=1ms TTL=254
    Reply from 192.168.2.50: bytes=32 time=2ms TTL=254

    Ping statistics for 192.168.2.50:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 2ms, Average = 1ms
    ```

    Your setup is not optimal at all.  If your ISP wifi is so great then you might as well drop pfSense and just use it with all your stuff on the same segment.  If it were me, I would get some APs and use them as a different segment in pfSense vs. putting your devices behind a double NAT and separating your own networks with a NAT, etc.


  • Banned

    You are having WiFi segments on WAN with some RFC1918 IPs? Good luck with this BS setup.


  • LAYER 8 Global Moderator

    @KOM:

    pfSense may not route bogon addresses depending on how you've got your WAN interface set up.  That means it won't route your 10.x.x.x/8 network at all.

    To be clear, bogons are NOT RFC1918 addresses.  RFC1918 aka private IP space is non-routable address space.  Bogons are valid public IP addresses that have not been allocated to anyone so they should technically not be in use.

    Then why are they listed in the bogons?  And why are they defined including rfc1918?

    http://www.team-cymru.org/bogon-reference.html
    Bogons are defined as Martians (private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598) and netblocks that have not been allocated to a regional internet registry (RIR) by the Internet Assigned Numbers Authority.

    http://www.team-cymru.org/bogon-dotted-decimal.html

    clearly rfc1918 is in the above listing.
    10.0.0.0 255.0.0.0
    172.16.0.0 255.240.0.0
    192.168.0.0 255.255.0.0

    Someone should get team cymru to change what they define and include, or someone should update the wikipedia page ;)

    Also need to adjust the rfc https://tools.ietf.org/html/rfc3871#section-1.8

    Bogon.

    A "Bogon" (plural: "bogons") is a packet with an IP source address
    in an address block not yet allocated by IANA or the Regional
    Internet Registries (ARIN, RIPE, APNIC…) as well as all
    addresses reserved for private or special use by RFCs.  See
    [RFC3330] and [RFC1918].



  • You learn something new every day.  It was previously explained to me that bogons were specifically reserved for valid public IPs that were not yet allocated.  I stand corrected.


  • LAYER 8 Global Moderator

    What would be a nice feature is the ability to easily block the different aspects of "bogons".  For example, it's kind of an issue using the full list from Cymru that pfSense downloads, because they list stuff that can cause problems, especially in the IPv6 version.

    They seem to aggregate everything into one list, and then it has to be edited at your end.  It would be nicer if they broke up the different RFC address spaces and the non-allocated netblocks - which I believe are pretty much gone anyway in the IPv4 space.

    The IPv6 version is the one that is a pain to try and use currently.

    Back to the OP topic ;)
    "but printing probably also requires the printer to initiate a reply to the client PC? And hence, when the printer asks the Comcast gateway for the IP address of my client PC, this one cannot be seen as it is on the other subnet. (I cannot ping from a 10.0.0.x machine to a 192.168.10.x machine.)"

    Why would the printer need to initiate a conversation to your PC?  It would always be a reply - but yes, if you're NOT NATting then you run into a problem with your setup, because your printer doesn't know how to get to the 192.168 network, so it would send to your ISP gateway.  This is an asymmetric routing problem and yes, it causes lots of issues with a stateful firewall like pfSense.  If you were NATting this should not be a problem, since the printer would see all traffic as coming from the pfSense WAN interface in the 10 network, and answer to it.

    So if NATting, your printing should work - but I have no idea how you're trying to talk to the printer.  Maybe it's trying to look it up via a NetBIOS broadcast?  What printing protocol are you trying to use?  As stated before, AirPrint for sure would not work.



  • Funny how a printing debugging question ends up in a philosophical debate about the nature of bogons (Do not mix up His bogons with Higgs boson…).

    "Well if this isp device is so good why are you using pfsense.."
    I never said my ISP device was "so" good... but it does provide fast wifi which reaches well into all the rooms of my house.
    I am using pfSense in the first place because I NEED an OpenVPN tunnel to my workplace, from my work computer only, not from my kids' iPad...

    "Good luck with this BS setup"
    THX. As I wrote, if somebody can advise a different setup that 1. addresses all my needs and 2. does not require me to buy any more hardware...please do.

    Otherwise, I have found a solution that most here will probably think is BS too, but it works (so far...fingers crossed):
    I have shared the printer through samba from my Linux Samba/DLNA server (on the "personal side, not the work one). Now my W7 machine on the work side can print through this shared printer :-D.

    Happy to close the thread as "Resolved" or whatever policy is usual over here ; let me know :-)



    My guess, based on some of the suggestions here, is that the printer may have been configured with Zeroconf, also known as mDNS or Bonjour on Macs. It only works within the scope of one subnet. Using your Samba server to share the printer allowed it to be shared across networks.

    I have to configure printers on my MacBook Pro using internal DNS hostnames to print across OpenVPN. Not really the same as your situation, but if I use Apple's quick configuration utility, it will leverage mDNS, and I cannot print because I'm not on the same subnet.

    Glad you got it all worked out.
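The subnet-scope limit that the last few posts keep coming back to (the Zeroconf question, "AirPrint for sure would not work", and the mDNS explanation just above) is visible on the wire. The following is an added example, not code from the thread or from pfSense: it builds a minimal mDNS (RFC 6762) A query for a Bonjour-style name, sends it to the link-local multicast group 224.0.0.251:5353, and parses the answer. That group is link-local scope, so a router (pfSense included) never forwards the query onto the printer's segment; the name only resolves when client and printer share a segment. A unicast DNS host override fixes `ping` and the web page, but a driver or utility that discovers the printer over Bonjour still gets no answer. The host name `printer.local` and the address 10.0.0.50 are hypothetical; the response packet is constructed for the offline demo.

```python
"""mDNS one-shot query/response, to show why Bonjour discovery stops at the router.

Added example (not pfSense or printer-vendor code). Names/addresses are invented.
"""
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # link-local scope: never routed
TYPE_A, CLASS_IN = 1, 1
QU_BIT = 0x8000   # "unicast response" bit in the question class (RFC 6762 sec. 5.4)


def encode_name(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name):
    """One-question A query. ID 0 as mDNS requires; QU bit set so the responder
    replies unicast to our ephemeral port (multicast replies go to port 5353,
    which this socket is not bound to)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN | QU_BIT)


def decode_name(buf, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(buf):
    """Return [(name, ipv4)] from the answer section of a DNS/mDNS message."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = decode_name(buf, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rdlen == 4:
            out.append((name, socket.inet_ntoa(rdata)))
    return out


def build_response(name, ipv4, ttl=120):
    """Constructed answer, as a printer on the same link would send it
    (QR+AA flags, cache-flush bit in the class as mDNS responders set)."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    rr = encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN | 0x8000, ttl, 4)
    return header + rr + socket.inet_aton(ipv4)


def resolve_mdns(name, timeout=2.0):
    """Ask the local link for `name`. Returns an IPv4 string, or None when nobody
    on this segment answers: what a client on 192.168.10.x gets for a printer on
    10.0.0.x, even though unicast DNS, ping and HTTP to that printer all work."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  # RFC 6762 sec. 11
    sock.settimeout(timeout)
    want = name.rstrip(".").lower()
    try:
        sock.sendto(build_query(name), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, _peer = sock.recvfrom(9000)
            try:
                answers = parse_a_records(data)
            except (struct.error, IndexError, UnicodeDecodeError):
                continue                      # not a well-formed DNS message; ignore
            for rname, ip in answers:
                if rname.lower() == want:
                    return ip
    except socket.timeout:
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    print("printer.local ->", resolve_mdns("printer.local"))
```

Run it on the work-side PC and on a host on the personal subnet: only the host that shares a segment with the printer gets an address back. The same query sent as unicast DNS to a forwarder with a host override succeeds from anywhere, which is why the override fixed ping and HTTP but not the driver's discovery step.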


  • Banned

    Regarding the bogons. Do NOT use that Team Cymru file as is, disaster will follow. When you look at /etc/rc.update_bogons.sh, that RFC1918 and link-local stuff is explicitly removed on install.

    ```
    # : grep egrep /etc/rc.update_bogons.sh
                            egrep -v "^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" /tmp/bogons > /etc/bogons
                                    egrep -iv "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
                                    egrep -iv "^fc00::/7" /tmp/bogonsv6 > /etc/bogonsv6
    ```

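The filtering that the post above quotes from pfSense's updater, and that the earlier post complained has to be done "at your end", is a few lines of code. The following is an added example, not pfSense's `/etc/rc.update_bogons.sh`: where the script drops three RFC 1918 prefixes and `fc00::/7` with an `egrep` on the exact line, this version uses the `ipaddress` module so that any entry that merely overlaps a protected block (say `10.1.0.0/16`, which a literal-prefix grep would keep) is dropped too, and so the protected set is adjustable in one place. The choice of protected blocks is this example's own; the sample list is constructed in the dotted-decimal style of the Team Cymru file.

```python
"""Filter a downloaded bogon list before it goes into a WAN "block bogons" table.

Added example, not pfSense code. KEEP_OUT is this example's own choice of blocks.
"""
import ipaddress

# Blocks that can legitimately be a *source* on a WAN that sits behind an ISP
# gateway or carrier NAT (the OP's pfSense WAN is in 10.0.0.0/8), so they must
# never end up in a rule that drops bogon sources.
KEEP_OUT = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 shared space (CGN)
    "169.254.0.0/16",                                  # IPv4 link-local
    "fc00::/7",                                        # IPv6 unique local
    "fe80::/10",                                       # IPv6 link-local
)]


def filter_bogons(lines):
    """Split bogon-list lines into (kept, dropped).

    Blank and comment lines are ignored. An entry is dropped when it overlaps a
    KEEP_OUT block of the same address family, or when it does not parse as a
    prefix (a malformed line must never reach a firewall table). Everything
    else is kept verbatim, ready to be written out as the table file.
    """
    kept, dropped = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            dropped.append(line)
            continue
        if any(net.version == k.version and net.overlaps(k) for k in KEEP_OUT):
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


# Constructed sample (not the real Team Cymru download), mixing reserved and
# private space with one malformed line.
SAMPLE_BOGONS = """\
# sample bogon list, constructed for this example
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
224.0.0.0/4
240.0.0.0/4
::/8
fc00::/7
fe80::/10
not-a-prefix
""".splitlines()


if __name__ == "__main__":
    kept, dropped = filter_bogons(SAMPLE_BOGONS)
    print("kept:   ", " ".join(kept))
    print("dropped:", " ".join(dropped))
```

Feed the real download through `filter_bogons` and write only `kept` to the table file; anything in `dropped` is worth eyeballing once, since a new entry landing there means the upstream list started carrying a block your WAN actually lives in.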

  • LAYER 8 Global Moderator

    While I can see bogons from a routing point of view (your router shouldn't route anything in the bogon list to the internet), as a firewall blocking rule it seems kind of pointless to me in a setup where you're blocking everything by default, which is the pfSense default and that of most firewalls, to be honest.

    So the only thing allowed is stuff I specifically allowed; I could care less if the IP that hits my block rule, just to be dropped, is valid or routable on the internet. What does it matter? I am going to drop it anyway.

    So it only comes into play when hitting one of my allowed rules, and if my allow rule is locked down to a source IP or block then again it's pointless.  So it only comes into play when your source is ANY to a service you want the public net to talk to.  So it's OK to allow all the valid IPs: bot infections are normally on actual valid IPs, script kiddies again normally on valid internet IPs, your elite ninja hackers yet again probably on a valid public IP, etc.  But stuff that probably isn't even going to route and is just noise from your local IP... don't let it hit your service.  Seems like a lot of work keeping bogons clean and not containing stuff you want to allow, like RFC1918, for some really high-level, very tip-top-of-the-tree sort of fruit to pick.  Got to go get the ladder and safety rope, etc., when it's much easier to just pick the low-lying fruit, or shit, for that matter, the fruit lying on the ground ;)

    Now I can see it in a router that is sending or receiving advertisements: hey, someone says route this, tell them to FO, etc.  But as a firewall rule I'm not really sure I see the usefulness of bogons, especially since the listing has to be manipulated because it contains stuff that causes problems in many networks even though it shouldn't route on the public net.

    Now if you have picked all the low-lying fruit and even the shit high up in the tree and the only thing left is that apple at the very tip top that you need a crane to come in and get, then OK ;)  This might be what you're doing in a DoD sort of firewall, but home/typical SMB, not so much.

