Help with how-to use LAN printer with VPN clients?



  • I followed the OpenVPN tutorial for setting up PIA with pfSense, very cool stuff.  Now I have a printer on the LAN and would like VPN clients to be able to use it.  Maybe even the 'scan to computer' piece, that would be swell.  Does anyone know of a tutorial/step by step to configure this?  I searched and found different pieces but nothing total for this situation.  I am learning and contributed a step-by-step for vpn'ing only certain IPs/machines and bypassing the rest with the OpenVPN/PIA tutorial.  I can do the same for the printer if someone can get me started.  Thanks!



  • I can do the same for the printer if someone can get me started.

    Normally, if the VPN connection is established, you will be able to reach and use all
    the devices on the other side, inside the remote network or simply behind the VPN.

    If you have the VPN connection up, then you should be sitting in front of a PC with
    admin privileges and rights to install a so-called new printer. Choose new printer,
    network printer, and then choose the model, and the driver will be installed.
    Once the printer is added to your PC or its OS, you are able to print on
    this device.


  • LAYER 8 Global Moderator

    What does pfsense making a vpn connection have to do with using a printer on your LAN?

    Clients on lan don't talk to pfsense, and then vpn to talk to printers on their network.. Is this printer on a different segment on your local network?



  • Further to johnpoz's comment, you should be able to print to the printer just as you would any other machine.

    The only hitch might be in setting up a VPN connected workstation to "find" the printer as the two will be on different subnets.

    Often the simplest thing to do is install the printer driver on the VPN workstation so that it talks to the printer's IP address rather than its "Broadcast" name.

    What printer are we talking about?



  • Thanks all.  I think divsys is close to what I'm needing to do.  When following the PIA/OpenVPN tutorial, all clients behind the pfSense box automatically get a VPN connection thru the box to 'x' endpoint using PIA.  DHCP addresses are given out by pfSense.  There is a networked HP printer also getting a DHCP connection, but obviously not using the PIA vpn.  In addition to the previous, some PCs have been excluded from using the VPN in the firewall rules.  One of these PCs can see and print to the printer, one can't.  Another PC which isn't excluded from using the VPN can't see the printer either.  Do you know what I mean and do I have to do something to let the VPN machines see the firewall-excluded (non-vpn using) machines?  I wish I knew a whole lot more some days; and others I'm just happy to get ice cream.
    Thanks


  • LAYER 8 Global Moderator

    Dude again what do you think pfsense connection be it to a wan or vpn have to do with printing to a printer on your local network?  Does not matter if pfsense had internet connection at all when it comes to printing to your local printer be it you route the traffic through vpn or not.  Pfsense wan side connection, firewall rules have ZERO to do with machine on 192.168.1.0/24 talking to another machine or printer also on 192.168.1.0/24

    Are you installing a vpn client on your PC directly - then yes if set to use default gateway of the vpn this could lock you out of your own printers.  But this is not how you described your setup - you stated you setup the connection to your vpn server on pfsense.

    See picture attached.

    Are your printers on a different segment?  See pic 2






  • JohnPoz,
    Thanks a bunch for the graphic.  I apologize for leaving some parts out; and since I only print every 2-3 months I now have my question properly to ask:
    1.  Wireless DSL router giving out wireless IP- 192….1.10,11,12 etc
    2.  The pfSense server is connected to this wireless router, on 1 of the 4 wired ports. 
    3.  Then the printer is connected to the pfsense DHCP server via wired giving out client addresses @ 192...2.1.25,26,27 etc
    4.  The wireless clients can't print to the printer because they're on a diff subnet, correct?
    Q:  How to make the printer visible to the wireless clients?
    Thanks!
    Bud


  • LAYER 8 Global Moderator

    So you have this?  See first pic.

    So you have devices on WAN side of pfsense wanting to print to LAN side of pfsense?  No they wouldn't be able to print unless you did a port forward.  But why would you set it up like that?  What does pfsense vpn have to do with anything??

    What are you using pfsense for exactly?  Normally you put all your networks be wired or wireless behind pfsense to the internet..






  • Yes, that's it, #1.  Because I need the wifi to be open for users in the house to access the net less the VPN; you know, for only certain devices [huh..hmmm] and my router can't be modded to load pfs and setup only certain users, so I have to put the pfs behind the router.  Hence pfs is behind the router and only certain devices get the vpn feed, others like the printer and other users don't need the vpn so they're getting dhcp from pfs but not using the vpn. 
    The printer is wireless also but only works either wireless or wired, not both at same time, so I have it wired due to most clients which need to print are on the wired network.  So somehow I bridge the 2 networks to allow access to the printer?
    Also, it may be handy to have some vpn-using clients able to 'serve' to the non-vpn using clients, if that's possible?
    Thx


  • LAYER 8 Global Moderator

    You can put your wifi behind pfsense and with use of policy routing have some clients use the vpn and others not..

    Just get yourself another wifi router and use it as AP or just a plain AP, the stuff from unifi is pretty good stuff at good price point.  Then turn off the wifi on your isp device.. Setup your rules in pfsense to send specific devices to vpn or even better only specific destinations down the vpn, etc.

    IMHO you're going about it ALL wrong..  All your devices should be behind pfsense - be it pfsense has to have private on its wan or not because you can not bridge the device your isp gave you has little to do with having control over your own devices behind your own firewall.  You can put them all on the same network if you want, isolate devices on their own segments/vlans and control firewall rules to what can talk to what.

    You can setup guest wifi with vlans so they can not talk to any of your other devices and only internet, etc. etc..  And have some devices go through your vpn if you want them to..



  • Agree.  If there were enough SBSI (step-by-step-instruction) I would do all that.  But one piece at a time.  Are there instructions on how to send specific destinations down the vpn?  As I mentioned I hope I've helped some folks figure out how to send only certain devices (IPs) down the vpn and let others bypass it in my SBSI I wrote on the OpenVPN PIA thread. I guess the next thing would be to put both my netgear WNr3500l routers behind the pfsense and configure them to serve wireless.  That's a lot of trial and error without SBSI, and I'm happy to get some guidance and write up another guide if you want to entertain my questions.
    Thx


  • LAYER 8 Global Moderator

    SBSI ?? For policy based routing?

    https://doc.pfsense.org/index.php/What_is_policy_routing

    Your VPN is your gateway, you set up a rule to use that gateway when you want to use it, either based on dest, port, source IP..  Put this rule above your other rules that allow other traffic to internet..  Do you really need a picture of such a basic concept?

    Guess I can fire up a vpn connection to one of my vpses and show you a picture..
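
The rule ordering described in the last reply, shown as an added example that is not part of the original thread and is not pfSense code: a simplified top-down, first-match model of interface rules that select a gateway by source IP or destination, plus a check for policy rules that never match because a general allow rule sits above them (so that traffic leaves by the default gateway instead of the VPN). The rule names, the gateway name `PIA_VPN`, and the host addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    source: str   # CIDR the packet source must fall in
    dest: str     # CIDR the packet destination must fall in
    gateway: str  # "default" = normal routing table, else a policy gateway

def _net(cidr):
    return ipaddress.ip_network(cidr)

def pick_gateway(rules, src, dst):
    """Top-down, first match wins: return (rule name, gateway) for src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in _net(r.source) and d in _net(r.dest):
            return r.name, r.gateway
    return None, None  # nothing matched: traffic is not passed

def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers them."""
    dead = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (_net(r.source).subnet_of(_net(earlier.source))
                    and _net(r.dest).subnet_of(_net(earlier.dest))):
                dead.append(r.name)
                break
    return dead

# Constructed sample rules; PIA_VPN is a hypothetical gateway name.
LAN = "192.168.1.0/24"
ANY = "0.0.0.0/0"
vpn_hosts = Rule("vpn-hosts", "192.168.1.32/28", ANY, "PIA_VPN")  # by source IP
vpn_dest = Rule("vpn-dest", LAN, "203.0.113.0/24", "PIA_VPN")     # by destination
lan_allow = Rule("lan-allow", LAN, ANY, "default")

GOOD = [vpn_hosts, vpn_dest, lan_allow]  # policy rules above the general allow
BAD = [lan_allow, vpn_hosts, vpn_dest]   # general allow first: policy rules are dead

if __name__ == "__main__":
    for label, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, pick_gateway(rules, "192.168.1.35", "198.51.100.7"),
              "shadowed:", shadowed(rules))
```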

