 
whuupwhuup
just joined
Topic Author
Posts: 18
Joined: Sun Jul 21, 2024 9:13 pm

Printer on different VLAN

Thu Jan 09, 2025 12:27 am

Hi everyone

I have a slight issue with a Brother printer which is located on a different VLAN than the devices from which I intend to print. My setup is quite simple:
  • VLAN ID10: Home devices
  • VLAN ID20: Work devices
  • VLAN ID30: IOT devices and Brother printer

The entire VLAN setup works, apart from the fact that I am unable to print from the devices located on VLAN ID10. I therefore made the printer IP static and added the following firewall rule:
add action=accept chain=forward comment=\
    "Access Printer on Printing Network from Home Network" dst-address=\
    192.168.30.8 in-interface=VLAN-Home out-interface=VLAN-Printer-IOT

This firewall rule allows me to ping the printer from the devices located on VLAN ID10. However I am still unable to print. I tried to add the printer via the dedicated IP directly in windows ("add a printer or a scanner") and also via the Brother software (the software can initially locate the printer, but is also unable to add it). Does anyone have an idea what I am doing wrong?

The firewall goal is:
1. As strict as possible firewall rules
2. VLANs shall not communicate with each other (exception: VLAN ID10 devices shall be able to send data to the printer located on VLAN ID30 for printing purposes, but not the other way around)

My entire config is as follows:
# 2025-01-08 19:28:18 by RouterOS 7.16.2
# software id = KSYB-YVIV
#
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add name=Bridge-LAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes name=ether2-LAN
set [ find default-name=ether3 ] disabled=yes name=ether3-LAN
set [ find default-name=ether4 ] disabled=yes name=ether4-LAN
set [ find default-name=ether5 ] disabled=yes name=ether5-LAN
/interface vlan
add interface=Bridge-LAN name=VLAN-Home vlan-id=10
add interface=Bridge-LAN name=VLAN-Work vlan-id=20
add interface=Bridge-LAN name=VLAN-Printer-IOT vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=VLAN-Admin
/interface wifi configuration
add channel.band=2ghz-ax .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp,gcmp .wps=disable ssid=TestNet tx-power=\
    10
add channel.band=5ghz-ax .width=20/40mhz country=Germany disabled=no mode=\
    ap name="5ghz Config" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .wps=disable \
    ssid=TestNet5G tx-power=18
add channel.band=2ghz-ax .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-Work" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .wps=disable \
    ssid=TestNet-Work tx-power=10
add channel.band=2ghz-n .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-Printer-IOT" security.authentication-types=wpa2-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet-Printer tx-power=10
/interface wifi
set [ find default-name=wifi1 ] configuration="5ghz Config" \
    configuration.mode=ap name=Wifi1-5ghz
set [ find default-name=wifi2 ] configuration="2.4ghz Config" \
    configuration.mode=ap disabled=no name=Wifi2-2.4ghz
add configuration="2.4ghz Config-Printer-IOT" configuration.mode=ap disabled=\
    no mac-address=XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=\
    Wifi2-2.4ghz-Printer-IOT
add configuration="2.4ghz Config-Work" configuration.mode=ap disabled=no \
    mac-address=XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=\
    Wifi2-2.4ghz-Work
/ip pool
add name=VLAN-Home-Pool ranges=192.168.10.20-192.168.10.254
add name=VLAN-Work-Pool ranges=192.168.20.20-192.168.20.254
add name=VLAN-Printer-IOT-Pool ranges=192.168.30.20-192.168.30.254
/ip dhcp-server
add address-pool=VLAN-Home-Pool interface=VLAN-Home name=VLAN-Home-DHCP
add address-pool=VLAN-Work-Pool interface=VLAN-Work name=VLAN-Work-DHCP
add address-pool=VLAN-Printer-IOT-Pool interface=VLAN-Printer-IOT name=\
    VLAN-Printer-IOT
/interface bridge port
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi1-5ghz pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-Work pvid=20
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-Printer-IOT pvid=30
/ip neighbor discovery-settings
set discover-interface-list=VLAN-Admin
/ip settings
set rp-filter=loose
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface bridge vlan
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-Work vlan-ids=\
    20
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=\
    ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN,Wifi1-5ghz,Wifi2-2.4ghz \
    vlan-ids=10
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-Printer-IOT \
    vlan-ids=30
/interface list member
add interface=ether1-WAN list=WAN
add interface=VLAN-Home list=VLAN
add interface=VLAN-Work list=VLAN
add interface=VLAN-Home list=VLAN-Admin
add interface=VLAN-Printer-IOT list=VLAN
/ip address
add address=192.168.10.1/24 interface=VLAN-Home network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN-Work network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN-Printer-IOT network=192.168.30.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.10.15 client-id=1:XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=VLAN-Home-DHCP
add address=192.168.10.16 client-id=1:XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=VLAN-Home-DHCP
add address=192.168.30.8 client-id=1:XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=VLAN-Printer-IOT
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.10.15 list=Authorized
add address=192.168.10.16 list=Authorized
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=\
    VLAN-Admin src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack chain=forward comment="fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    VLAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "Access Printer on Printing Network from Home Network" dst-address=\
    192.168.30.8 in-interface=VLAN-Home out-interface=VLAN-Printer-IOT
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2421
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall filter
add action=drop chain=input comment="Drop all IPv6 input traffic"
add action=drop chain=forward comment="Drop all IPv6 forward traffic"
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system logging
add topics=wireless
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
add interval=1w name="1.1 MO Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-30 start-time=07:00:00
add interval=1w name="1.2 MO Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-30 start-time=20:00:00
add interval=1w name="2.1 TU Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-31 start-time=07:00:00
add interval=1w name="2.2 TU Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-31 start-time=20:00:00
add interval=1w name="3.1 WE Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-01 start-time=07:00:00
add interval=1w name="3.2 WE Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-01 start-time=20:00:00
add interval=1w name="4.1 TH Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-02 start-time=07:00:00
add interval=1w name="4.2 TH Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-02 start-time=20:00:00
add interval=1w name="5.1 FR Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-03 start-time=07:00:00
add interval=1w name="5.2 FR Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-03 start-time=20:00:00
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=VLAN-Admin
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 22232
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Printer on different VLAN

Thu Jan 09, 2025 1:56 am

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes name=ether2-LAN
set [ find default-name=ether3 ] disabled=yes name=ether3-LAN
set [ find default-name=ether4 ] disabled=yes name=ether4-LAN
set [ find default-name=ether5 ] disabled=yes name=ether5-LAN


Rest looks peachy!
 
McGremlin
Frequent Visitor
Posts: 90
Joined: Fri Jun 16, 2023 12:12 pm

Re: Printer on different VLAN

Thu Jan 09, 2025 12:05 pm

This firewall rule allows me to ping the printer from the devices located on VLAN ID10. However I am still unable to print. I tried to add the printer via the dedicated IP directly in windows ("add a printer or a scanner") and also via the Brother software (the software can initially locate the printer, but is also unable to add it). Does anyone have an idea what I am doing wrong?
For testing purposes, connect one of the devices from VLAN ID10 to VLAN ID30 (inside the printer subnet) and then try to print. Maybe it's not a network/firewall issue but more of a printer/driver thing itself.
 
WeWiNet
Long time Member
Posts: 618
Joined: Thu Sep 27, 2018 4:11 pm

Re: Printer on different VLAN

Thu Jan 09, 2025 12:17 pm

You need a second firewall rule that also allows the traffic from IOT / Print as in interface to the out interface home. Basically the "return traffic".

A simple way to test for a firewall issue is to add a dummy accept-all rule at the end (before the final drop rule) which you enable only for testing purposes (maybe even log that one if traffic is not too heavy).
If it works then, you know you are filtering some traffic that is needed... and need to tune the filter rules.
 
mkx
Forum Guru
Posts: 13138
Joined: Thu Mar 03, 2016 10:23 pm

Re: Printer on different VLAN

Thu Jan 09, 2025 12:19 pm

You need a second firewall rule that also allows the traffic from IOT / Print as in interface to the out interface home. Basically the "return traffic".
It's already there, this is the one:
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked

My suspicion is rather along the lines of @McGremlin: the printer might refuse communication with devices outside its own subnet (some kind of security setting). So either that has to be disabled or changed ... or construct a SRC-NAT rule which will masquerade all traffic between VLAN10 and the printer to appear to come from the router itself, like this one:
/ip/firewall/nat
add action=masquerade chain=srcnat comment="masquerade traffic between normal LAN and IoT" \
    in-interface=VLAN-Home out-interface=VLAN-Printer-IOT dst-address=192.168.30.8
 
whuupwhuup
just joined
Topic Author
Posts: 18
Joined: Sun Jul 21, 2024 9:13 pm

Re: Printer on different VLAN

Thu Jan 09, 2025 9:34 pm

Thank you everyone for looking into this, I appreciate all your inputs!

@anav: I am always very grateful for your feedback, however for once I am not entirely sure if I fully understand your response. Neither the printer nor anything else is connected to ether2 - ether5. Could you please elaborate why and how changing ether2 - ether5 may help?

@McGremlin: Good idea. I tried that: if a device is connected to the wifi network "TestNet-Printer" (VLAN ID30), printing and all other services work without any issues.

@mkx: This may indeed be the issue. I have tried to apply your solution:
/ip/firewall/nat
add action=masquerade chain=srcnat comment="masquerade traffic between normal LAN and IoT" \
    in-interface=VLAN-Home out-interface=VLAN-Printer-IOT dst-address=192.168.30.8

Unfortunately I receive the following error message: "failure: incoming interface matching not possible in output and postrouting chains". Any ideas?
 
anav
Forum Guru
Posts: 22232
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Printer on different VLAN

Thu Jan 09, 2025 10:57 pm

Hi Whussup.....
I reviewed the config from top to bottom and thus it's what I noticed first off.
I concur it doesn't affect any of the wifi settings. However, since you do have those ports in /interface bridge port, it still appears to the reader/reviewer to be in error for them to be disabled!
I know that for printers where I need two-way talk (full setup of a printer to one PC) or the ability to send scanned items directly to a PC, I will have to allow traffic originated in both directions.

What mkx is saying is that if you allow a PC user to originate traffic to a printer, return traffic will be permitted by the existing rules.
I am saying something completely different in that for some printer functionality, the printer may need to originate traffic to the PC............
I see no reason to monkey with ( or should I say orange tabby with) sourcenat rules for printer case.

I have multiple printers in the house so I have
a. firewall address list for printers
b. firewall address list of users that need access to printer one way ( if not in the same vlan of course )
c. firewall address list of users, printer needs access to.

add chain=forward action=accept comment="users to printer" in-interface-list=LAN src-address-list=PrinterAccess dst-address-list=ListOfPrinters
add chain=forward action=accept comment="printer to select users" in-interface-list=LAN src-address-list=ListOfPrinters dst-address-list=selectUsers
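To make the difference between return traffic (mkx's point) and printer-originated traffic (anav's point) concrete, here is an added example that is not part of the thread or of RouterOS: a small first-match evaluator over the OP's forward chain, run against a print job, its reply, and a printer-initiated scan-to-PC connection, with and without anav's "printer to select users" rule. RouterOS matching is approximated (only the matchers these rules use are implemented); the list memberships, the PC address 192.168.10.15 and the list names LAN, ListOfPrinters and selectUsers are assumptions taken from anav's rule.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Flow:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    state: str  # connection-state as connection tracking would classify it

@dataclass
class Rule:
    action: str
    comment: str
    state: Optional[Set[str]] = None  # connection-state
    in_iface: Optional[str] = None    # in-interface
    out_iface: Optional[str] = None   # out-interface
    in_list: Optional[str] = None     # in-interface-list
    out_list: Optional[str] = None    # out-interface-list
    src_list: Optional[str] = None    # src-address-list
    dst_list: Optional[str] = None    # dst-address-list
    dst_addr: Optional[str] = None    # dst-address

# Assumed membership: the OP's VLAN/WAN interface lists plus the LAN
# interface list and the address lists that anav's rules refer to.
IFACE_LISTS = {"VLAN": {"VLAN-Home", "VLAN-Work", "VLAN-Printer-IOT"},
               "LAN": {"VLAN-Home", "VLAN-Work", "VLAN-Printer-IOT"},
               "WAN": {"ether1-WAN"}}
ADDR_LISTS = {"ListOfPrinters": {"192.168.30.8"}, "selectUsers": {"192.168.10.15"}}

def matches(r: Rule, f: Flow) -> bool:
    """Every matcher set on the rule must hold; unset matchers match anything."""
    return all([
        r.state is None or f.state in r.state,
        r.in_iface is None or f.in_iface == r.in_iface,
        r.out_iface is None or f.out_iface == r.out_iface,
        r.in_list is None or f.in_iface in IFACE_LISTS[r.in_list],
        r.out_list is None or f.out_iface in IFACE_LISTS[r.out_list],
        r.src_list is None or f.src in ADDR_LISTS[r.src_list],
        r.dst_list is None or f.dst in ADDR_LISTS[r.dst_list],
        r.dst_addr is None or f.dst == r.dst_addr,
    ])

def evaluate(rules: List[Rule], f: Flow):
    """First matching rule decides; with no match RouterOS accepts by default."""
    for r in rules:
        if matches(r, f):
            return r.action, r.comment
    return "accept", "end of chain (no rule matched)"

# The OP's forward chain in order, minus fasttrack (it only shortcuts
# established/related packets and does not change any verdict below).
OP_FORWARD = [
    Rule("accept", "accept established,related,untracked",
         state={"established", "related", "untracked"}),
    Rule("drop", "drop invalid", state={"invalid"}),
    Rule("accept", "internet traffic", in_list="VLAN", out_list="WAN"),
    Rule("accept", "Access Printer on Printing Network from Home Network",
         in_iface="VLAN-Home", out_iface="VLAN-Printer-IOT", dst_addr="192.168.30.8"),
    Rule("drop", "drop all else"),
]
# anav's second rule: the printer may originate connections to selected PCs.
PRINTER_TO_USERS = Rule("accept", "printer to select users", in_list="LAN",
                        src_list="ListOfPrinters", dst_list="selectUsers")

PC, PRINTER = "192.168.10.15", "192.168.30.8"
FLOWS = {
    # PC opens a connection to the printer (print job, web UI, SNMP poll)
    "print_job": Flow("VLAN-Home", "VLAN-Printer-IOT", PC, PRINTER, "new"),
    # printer answers inside that connection: return traffic, not a new flow
    "print_reply": Flow("VLAN-Printer-IOT", "VLAN-Home", PRINTER, PC, "established"),
    # printer opens its own connection to the PC (scan-to-PC, status push)
    "scan_to_pc": Flow("VLAN-Printer-IOT", "VLAN-Home", PRINTER, PC, "new"),
}

def verdicts(rules: List[Rule]) -> dict:
    return {name: evaluate(rules, f)[0] for name, f in FLOWS.items()}

def with_rule_before_final_drop(rules: List[Rule], rule: Rule) -> List[Rule]:
    """Insert an accept rule just above the terminal 'drop all else'."""
    return rules[:-1] + [rule] + rules[-1:]
```

`verdicts(OP_FORWARD)` drops only `scan_to_pc`, which is exactly the printer-originated case; inserting `PRINTER_TO_USERS` above the final drop accepts it without widening anything else.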
 
mkx
Forum Guru
Posts: 13138
Joined: Thu Mar 03, 2016 10:23 pm

Re: Printer on different VLAN

Fri Jan 10, 2025 8:46 am

Unfortunately I receive the following error message: "failure: incoming interface matching not possible in output and postrouting chains". Any ideas?

Then just omit the in-interface property from the NAT rule definition. You can instead use the src-address property (e.g. src-address=!192.168.30.0/24 or something like that) to narrow down the effects of the NAT rule if you feel the urge to do so.

If you need/want to limit connectivity towards the printer, it may actually be better to use firewall filter rules (there can be multiple, affecting different aspects of connectivity towards the printer(s)), and with firewall rules it's possible to use both in-interface and out-interface properties.
 
Worko
just joined
Posts: 9
Joined: Thu Dec 14, 2023 6:01 pm

Re: Printer on different VLAN

Fri Jan 10, 2025 6:36 pm

I have a similar problem with Mikrotik TB5009UPr+S+ with OS 16.2.
- VLAN34 - Normal (192.168.34.0/24)
- VLAN200 - IOT (192.169.200.40 Brother printer)

I did get it to work by:
1. Having the printer reside in VL34 and installing it with the Brother full driver and utilities EXE. The printer was found automatically and installed successfully.
2. Putting the printer into the IOT VLAN
3. Static DHCP entry for the printer inside the IOT VLAN set to 192.168.200.40
4. Setting firewall rules as follows:
add action=accept chain=forward comment="ALLOW LAN34 to Brother Printer - ICMP" dst-address=192.168.200.40 protocol=icmp src-address-list=ADR_LST-LAN34
add action=accept chain=forward comment="ALLOW Brother Printer to LAN34 - ICMP" dst-address-list=ADR_LST-LAN34 protocol=icmp src-address=192.168.200.40
add action=accept chain=forward comment="ALLOW LAN34 to Brother Printer - TCP" dst-address=192.168.200.40 dst-port=137,161,515,54921 log=yes log-prefix=LAN34-Print-TCP protocol=tcp src-address-list=\
    ADR_LST-LAN34
add action=accept chain=forward comment="ALLOW LAN34 to Brother Printer - UDP" dst-address=192.168.200.40 dst-port=137,161,515,54925 log=yes log-prefix=LAN34-Print-UDP protocol=udp src-address-list=\
    ADR_LST-LAN34
add action=accept chain=forward comment="ALLOW Brother Printer to LAN34 - TCP" dst-address-list=ADR_LST-LAN34 log=yes log-prefix=Print-34-TCP protocol=tcp src-address=192.168.200.40 src-port=\
    515,54921
add action=accept chain=forward comment="ALLOW Brother Printer to LAN34 - UDP" dst-address-list=ADR_LST-LAN34 log=yes log-prefix=Print-34-UDP protocol=udp src-address=192.168.200.40 src-port=\
    137,161,54925
Note that I even had to allow ICMP both ways so I can ping it. I thought that allowing the VLAN34->Printer ICMP would be enough. After I added the return ICMP rule Printer->VLAN34, the ping started to work and both rules incremented their packet and byte counters. Weird...

Now I wanted to make everything from scratch again. I reinstalled my laptop with Win11 24H2 and upgraded the Brother firmware. I thought that the printer installation would be easy given all the FW rules were in place. But no. The automatic search feature in the Brother Full driver did not find the printer (I expected that, because they were not in the same broadcast domain). After entering the IP statically, the printer was found immediately but installation failed. Even adding a FORWARD rule allowing ALL from VLAN34->Printer and vice versa ALL from Printer->VLAN34 did not help.

When I tried to install the printer manually inside Windows, that worked, but scanner was always showing an error. Once I put the printer back to VLAN34 - install went smooth and functionality was 100%. Now I am going to add rules:
- forward ANY -> 192.168.200.40
- forward 192.168.200.40 -> ANY

to see, if some weird port is being hit. Will get you posted.
 
Amm0
Forum Guru
Posts: 4461
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Printer on different VLAN

Fri Jan 10, 2025 6:55 pm

The automatic search feature in the Brother Full driver did not find the printer (I expected that, because they were not in the same broadcast domain). After entering the IP statically, the printer was found immediately but installation failed. Even adding a FORWARD rule allowing ALL from VLAN34->Printer and vice versa ALL from Printer->VLAN34 did not help.
I suspect their full driver/app is using HTTP/S (443) or something additional to get info. But allowing ALL should work; you can also add log=yes to the rule to see what ports were actually used.

If you want discovery to work, you can likely use /ip/dns's mdns-repeater-iface= with your IOT and main VLANs (and allow udp/5353 for mDNS in the firewall too).
 
Worko
just joined
Posts: 9
Joined: Thu Dec 14, 2023 6:01 pm

Re: Printer on different VLAN

Fri Jan 10, 2025 6:56 pm

By having the following two lines in the first two FORWARD positions of the firewall rule-set:
add action=accept chain=forward comment="ALLOW LAN34 to Brother Printer - ALL" dst-address=192.168.200.40 log=yes log-prefix=ALL->Brother
add action=accept chain=forward comment="ALLOW Brother Printer to ALL" log=yes log-prefix=Brother->ALL src-address=192.168.200.40
.. I was able to find the printer manually in the Brother install wizard:
(screenshot attached)

.. with the following FW log output:
(screenshot attached)

... I got an immediate error saying "The installer has detected a connection problem between your computer and the Brother MFC / Printer.".
(screenshot attached)

.. without any relevant firewall log entry being added. It appears to me like it would use some broadcast-type communication before executing the printer installation, which does not hit any forward rules.

Any ideas? :)
 
vingjfg
Member
Posts: 418
Joined: Fri Oct 20, 2023 1:45 pm

Re: Printer on different VLAN

Fri Jan 10, 2025 8:20 pm

 
Worko
just joined
Posts: 9
Joined: Thu Dec 14, 2023 6:01 pm

Re: Printer on different VLAN

Fri Jan 10, 2025 8:41 pm

Using the documentation and a little bit of ChatGPT, the following script has been generated. Is that it?
# Enable mDNS on MikroTik
/ip dns set allow-remote-requests=yes

# Add mDNS Repeater interfaces
/interface mdns
add interfaces=LAN-34,IOT-200 comment="mDNS Repeater for Printer"

# Optional: Add firewall rules to allow mDNS traffic
/ip firewall filter
add chain=forward action=accept protocol=udp dst-port=5353 src-address=192.168.34.0/24 dst-address=192.168.200.40 comment="Allow mDNS traffic from VLAN-34 to Printer"
add chain=forward action=accept protocol=udp dst-port=5353 src-address=192.168.200.40 dst-address=192.168.34.0/24 comment="Allow mDNS traffic from Printer to VLAN-34"
 
Amm0
Forum Guru
Posts: 4461
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Printer on different VLAN

Fri Jan 10, 2025 8:52 pm

Well, at least we have a test of AI's AGI abilities - if an LLM can figure out RouterOS config, we've got AGI and are doomed. But it seems we're a long way from that...

Change the "/interface mdns" to:
/ip/dns/set mdns-repeat-ifaces=LAN-34,IOT-200
And, the firewall rules are likely not optional, but needed.

I should note that the CLI offers "tab completion" - i.e., hitting <tab> after /ip/dns/set<tab> or mdns-repeat-ifaces=<tab> lets you pick the interface. I find <tab> helps figure out options better than ChatGPT...
 
Worko
just joined
Posts: 9
Joined: Thu Dec 14, 2023 6:01 pm

Re: Printer on different VLAN

Sat Jan 11, 2025 12:26 pm

WORKS! Now I have a working Brother Wi-Fi MFP printer, which prints and scans while residing in a different VLAN than the client PC. BTW, the most recent firewall rules enabling mDNS UDP 5353 did not increment at all while installing the printer nor while printing/scanning. I will try to add the MFP on a different Windows 11 and Linux PC without those 2 FW rules to see if they are needed at all.

Thanx all for helping out <3
 
vingjfg
Member
Posts: 418
Joined: Fri Oct 20, 2023 1:45 pm

Re: Printer on different VLAN

Sat Jan 11, 2025 12:44 pm

mDNS uses multicast, which means it should hit an input rule, not a forward one.
 
Worko
just joined
Posts: 9
Joined: Thu Dec 14, 2023 6:01 pm

Re: Printer on different VLAN

Sat Jan 11, 2025 1:23 pm

One thing I have discovered after using this mDNS approach is that before, all traffic was TCP or UDP with one of these ports: 137, 161, 515, 54921, 54925. Now everything runs only on these three combinations:

TCP: PC_Client: Random_High_port -> Printer: 80
TCP: Printer: Random_High_port -> PC_Client: 5357
TCP: Printer: 80 -> PC_Client: Random_High_port

So obviously the Brother's well known unicast ports have been replaced with HTTP and WSD.

Actually I do not like the behavior of this printer residing in a different VLAN. I would expect standard and transparent TCP/UDP unicast communication for the printer and also for the scanner function, so it is obvious which ports the traffic should be locked down to. Now, one Win11 PC generates UDP traffic while printing or scanning and another one generates this weird HTTP and WSD type of traffic. And I am using it only at home. I do not want to imagine what a pain in the ass it must be in an enterprise without NG L7 firewall services with this kind of printer connected to the infrastructure. Anyway, I will put the printer back into my normal VLAN and lock down the communication from/to it as much as possible. Thanx for all the help.
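Amm0's suggestion to log a temporary allow-all rule, and the port pairs Worko then observed, can be turned into a tightened rule set mechanically. The following is an added example, not from the thread or from RouterOS: it parses constructed log lines (the layout approximates RouterOS firewall logging and is an assumption), treats TCP SYN and UDP packets as connection openers and everything else as return traffic already covered by the established,related rule, then emits one forward rule per direction and protocol using Worko's address-list name ADR_LST-LAN34 and printer address. Printer-originated flows (here WSD on 5357) get their own dst-port rule because they are new connections, not replies.

```python
import re
from collections import defaultdict

# Approximation of a RouterOS firewall log line with log-prefix set
# (assumption): "<prefix> forward: in:X out:Y, proto TCP (SYN), a:p->b:p, len N"
LOG_RE = re.compile(
    r"(?P<prefix>\S+) forward: in:(?P<inif>\S+) out:(?P<outif>\S+),.*?"
    r"proto (?P<proto>TCP|UDP)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)")

PRINTER = "192.168.200.40"
# Constructed sample log, modelled on the port combinations Worko reported.
SAMPLE_LOG = """\
firewall,info ALL->Brother forward: in:vlan34 out:vlan200, proto TCP (SYN), 192.168.34.10:51932->192.168.200.40:80, len 52
firewall,info Brother->ALL forward: in:vlan200 out:vlan34, proto TCP (SYN,ACK), 192.168.200.40:80->192.168.34.10:51932, len 52
firewall,info Brother->ALL forward: in:vlan200 out:vlan34, proto TCP (SYN), 192.168.200.40:40117->192.168.34.10:5357, len 52
firewall,info ALL->Brother forward: in:vlan34 out:vlan200, proto TCP (ACK,PSH), 192.168.34.10:51932->192.168.200.40:80, len 340
firewall,info ALL->Brother forward: in:vlan34 out:vlan200, proto UDP, 192.168.34.10:61440->192.168.200.40:54925, len 88
firewall,info Brother->ALL forward: in:vlan200 out:vlan34, proto TCP (SYN), 192.168.200.40:40118->192.168.34.10:5357, len 52
"""

def is_opener(proto, flags):
    """A TCP SYN without ACK opens a connection; UDP has no handshake,
    so every UDP packet is treated as a potential opener."""
    if proto == "UDP":
        return True
    f = set((flags or "").split(","))
    return "SYN" in f and "ACK" not in f

def summarize(log_text):
    """Return ({(direction, proto): {dport, ...}}, return_packet_count)
    for packets that involve the printer."""
    openers = defaultdict(set)
    returns = 0
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or PRINTER not in (m["src"], m["dst"]):
            continue
        if not is_opener(m["proto"], m["flags"]):
            returns += 1  # covered by accept established,related
            continue
        direction = "to_printer" if m["dst"] == PRINTER else "from_printer"
        openers[(direction, m["proto"].lower())].add(int(m["dport"]))
    return dict(openers), returns

def rules(openers, lan_list="ADR_LST-LAN34"):
    """Emit RouterOS filter lines in the style used in the thread, one per
    direction and protocol, listing only the ports that opened connections."""
    out = []
    for (direction, proto), ports in sorted(openers.items()):
        plist = ",".join(str(p) for p in sorted(ports))
        if direction == "to_printer":
            out.append(f"add action=accept chain=forward protocol={proto} "
                       f"src-address-list={lan_list} dst-address={PRINTER} dst-port={plist}")
        else:
            out.append(f"add action=accept chain=forward protocol={proto} "
                       f"src-address={PRINTER} dst-address-list={lan_list} dst-port={plist}")
    return out
```

Running `rules(summarize(SAMPLE_LOG)[0])` yields three rules (TCP 80 and UDP 54925 towards the printer, TCP 5357 from it); the two non-SYN packets are reported as return traffic and get no rule.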
 
whuupwhuup
just joined
Topic Author
Posts: 18
Joined: Sun Jul 21, 2024 9:13 pm

Re: Printer on different VLAN

Sat Jan 11, 2025 9:54 pm

Thanks a lot for all the insights, very helpful!

@anav: Makes sense, thanks for pointing it out! I will adjust that :D

@mkx: I tried different nat variants, unfortunately it does not solve the problem. I guess firewall filter rules is the only way to go.

I will need some time to figure out if the solutions above work and I will keep this forum updated, so other users have some feedback if they ever face the same issue. Just a quick general question: My goal was to enhance security by creating different VLANs and separating the printer & IOT devices from my home devices. From a strict security standpoint, what exactly is the remaining benefit of having the printer on VLAN30 and my home devices on VLAN10 if I need to grant the printer access to VLAN10 anyway by creating e.g. the following rule:

add chain=forward action=accept comment="printer to select users" in-interface-list=LAN src-address-list=ListofPrinters dst-address-list=selectUsers

Would it not be easier in such a case to simply allocate the printer to VLAN10?
 
anav
Forum Guru
Posts: 22232
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Printer on different VLAN

Sat Jan 11, 2025 10:22 pm

What makes sense is specific to your location.
How is the printer connected to the router: via an ethernet jack at a specific location, are there managed switches in between, etc. etc.......
Clearly, if all users are in vlan10, why put it on its own vlan? If untrusted users are allowed to use the printer, there is nothing wrong with isolating the printer in its own vlan, etc.