printer VLAN firewall rules



  • I have a couple networks where they want users on the guest wifi to be able to print to printers that are currently on the LAN. I was thinking of putting the printers on their own VLAN. For those of you that have done this, what rules are you setting between the VLANs?



  • I'm not a networking guy, but can't you add routes to the router to go from one VLAN to another, even to a single IP address on another VLAN?



  • @NerdyDad said in printer VLAN firewall rules:

    I'm not a networking guy, but can't you add routes to the router to go from one VLAN to another, even to a single IP address on another VLAN?

    Yes.



  • @Mike-Davis said in printer VLAN firewall rules:

    I have a couple networks where they want users on the guest wifi to be able to print to printers that are currently on the LAN. I was thinking of putting the printers on their own VLAN. For those of you that have done this, what rules are you setting between the VLANs?

    This is overcomplicated IMO.

    If it is strictly for a couple print devices, just add an allow at the router that currently handles the VLAN blocking.



  • So just allow full communication from the guest-wifi VLAN to the PrinterVLAN and do the same for the DefaultVLAN to the PrinterVLAN? Seems like you would want to block port 80/443 from the guest-wifi to the PrinterVLAN to block guests from trying to get to the admin interfaces on the printers.



  • @Mike-Davis or you could secure the printer admin interfaces with something other than the default credentials.



  • @DustinB3403 said in printer VLAN firewall rules:

    @Mike-Davis or you could secure the printer admin interfaces with something other than the default credentials.

    Already doing that. Seems odd to just give them full access on every port when I'm thinking they only need access to port 9100. I was going to do that, but wondered if others ran into issues with some printers using non-standard ports or something.



  • @Mike-Davis said in printer VLAN firewall rules:

    @DustinB3403 said in printer VLAN firewall rules:

    @Mike-Davis or you could secure the printer admin interfaces with something other than the default credentials.

    Already doing that. Seems odd to just give them full access on every port when I'm thinking they only need access to port 9100. I was going to do that, but wondered if others ran into issues with some printers using non-standard ports or something.

    Risk is very low; attacking a printer network is an extremely low-results attack vector. You can secure it "more" by locking it down more, but the risk is already super low.



  • @Mike-Davis said in printer VLAN firewall rules:

    So just allow full communication from the guest-wifi VLAN to the PrinterVLAN and do the same for the DefaultVLAN to the PrinterVLAN? Seems like you would want to block port 80/443 from the guest-wifi to the PrinterVLAN to block guests from trying to get to the admin interfaces on the printers.

    No, I said why make a printer VLAN in the first place? It is still going to have full capabilities back to the LAN.

    So having a rule between the guest VLAN and the LAN or the guest VLAN and the printer VLAN is no different.



  • @JaredBusch said in printer VLAN firewall rules:

    @Mike-Davis said in printer VLAN firewall rules:

    So just allow full communication from the guest-wifi VLAN to the PrinterVLAN and do the same for the DefaultVLAN to the PrinterVLAN? Seems like you would want to block port 80/443 from the guest-wifi to the PrinterVLAN to block guests from trying to get to the admin interfaces on the printers.

    No, I said why make a printer VLAN in the first place? It is still going to have full capabilities back to the LAN.

    So having a rule between the guest VLAN and the LAN or the guest VLAN and the printer VLAN is no different.

    I'm thinking have a printerVLAN so I can only allow port 9100 from Guest-wifi to printerVLAN.



  • @Mike-Davis said in printer VLAN firewall rules:

    @JaredBusch said in printer VLAN firewall rules:

    @Mike-Davis said in printer VLAN firewall rules:

    So just allow full communication from the guest-wifi VLAN to the PrinterVLAN and do the same for the DefaultVLAN to the PrinterVLAN? Seems like you would want to block port 80/443 from the guest-wifi to the PrinterVLAN to block guests from trying to get to the admin interfaces on the printers.

    No, I said why make a printer VLAN in the first place? It is still going to have full capabilities back to the LAN.

    So having a rule between the guest VLAN and the LAN or the guest VLAN and the printer VLAN is no different.

    I'm thinking have a printerVLAN so I can only allow port 9100 from Guest-wifi to printerVLAN.

    That's the only thing I have done when I need to on Sonicwall or any other firewall rules.



  • @Mike-Davis said in printer VLAN firewall rules:

    @JaredBusch said in printer VLAN firewall rules:

    @Mike-Davis said in printer VLAN firewall rules:

    So just allow full communication from the guest-wifi VLAN to the PrinterVLAN and do the same for the DefaultVLAN to the PrinterVLAN? Seems like you would want to block port 80/443 from the guest-wifi to the PrinterVLAN to block guests from trying to get to the admin interfaces on the printers.

    No, I said why make a printer VLAN in the first place? It is still going to have full capabilities back to the LAN.

    So having a rule between the guest VLAN and the LAN or the guest VLAN and the printer VLAN is no different.

    I'm thinking have a printerVLAN so I can only allow port 9100 from Guest-wifi to printerVLAN.

    /sign FFS am I using words that are too big?



  • @JaredBusch said in printer VLAN firewall rules:

    @Mike-Davis said in printer VLAN firewall rules:

    @JaredBusch said in printer VLAN firewall rules:

    @Mike-Davis said in printer VLAN firewall rules:

    So just allow full communication from the guest-wifi VLAN to the PrinterVLAN and do the same for the DefaultVLAN to the PrinterVLAN? Seems like you would want to block port 80/443 from the guest-wifi to the PrinterVLAN to block guests from trying to get to the admin interfaces on the printers.

    No, I said why make a printer VLAN in the first place? It is still going to have full capabilities back to the LAN.

    So having a rule between the guest VLAN and the LAN or the guest VLAN and the printer VLAN is no different.

    I'm thinking have a printerVLAN so I can only allow port 9100 from Guest-wifi to printerVLAN.

    /sign FFS am I using words that are too big?

    I don't follow. Can you provide the TL;DR?



  • @Mike-Davis said in printer VLAN firewall rules:

    I was thinking of putting the printers on their own VLAN

    This means there is not currently a printer VLAN.

    I said

    @JaredBusch said in printer VLAN firewall rules:

    This is overcomplicated IMO.

    If it is strictly for a couple print devices, just add an allow at the router that currently handles the VLAN blocking.

    This means add an allow from the current guest network to the specific printer IP and ports (9100 for RAW, and likely something else for discovery) so they can print from the Guest WiFi.

    It does not mean

    @Mike-Davis said in printer VLAN firewall rules:

    So just allow full communication from the guest-wifi VLAN to the PrinterVLAN and do the same for the DefaultVLAN to the PrinterVLAN?

    Where the fuck did you get "create a printer VLAN" from my statement? Let alone allow EVERYTHING.....

    @DustinB3403 said in printer VLAN firewall rules:

    I don't follow. Can you provide the TL;DR?

    No.
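
Added example (not part of any post in this thread): a small first-match rule model that compares the three rule sets discussed above from a guest client's point of view. All addresses, the rule model itself and the extra probe ports (23, 515, 631) are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumptions, not from the thread).
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
PRINTER_SUBNET = ipaddress.ip_network("192.168.30.0/24")
GUEST_PRINTER = ipaddress.ip_address("192.168.30.25")   # printer guests may use
OTHER_PRINTER = ipaddress.ip_address("192.168.30.40")   # printer guests should not reach
GUEST_CLIENT = ipaddress.ip_address("192.168.50.77")
# TCP ports probed: telnet, HTTP, HTTPS, LPD, IPP, RAW printing.
PROBE_PORTS = (23, 80, 443, 515, 631, 9100)

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[frozenset] = None  # None matches any TCP port

def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if src in r.src and dst in r.dst and (r.ports is None or port in r.ports):
            return r.action
    return "deny"

def exposed(rules, src=GUEST_CLIENT):
    """List every (host, port) the guest client can open under a rule set."""
    hosts = (GUEST_PRINTER, OTHER_PRINTER)
    return sorted((str(h), p) for h in hosts for p in PROBE_PORTS
                  if decide(rules, src, h, p) == "allow")

# 1. Full communication from guest to the printer subnet.
ALLOW_ALL = [Rule("allow", GUEST_NET, PRINTER_SUBNET)]
# 2. Same, with 80/443 blocked first to hide the admin interfaces.
ALLOW_ALL_BLOCK_WEB = [
    Rule("deny", GUEST_NET, PRINTER_SUBNET, frozenset({80, 443})),
    Rule("allow", GUEST_NET, PRINTER_SUBNET),
]
# 3. One printer IP, RAW port only.
NARROW = [Rule("allow", GUEST_NET,
               ipaddress.ip_network(f"{GUEST_PRINTER}/32"), frozenset({9100}))]

if __name__ == "__main__":
    for name, rules in [("allow all", ALLOW_ALL),
                        ("allow all, block 80/443", ALLOW_ALL_BLOCK_WEB),
                        ("single IP, 9100 only", NARROW)]:
        print(f"{name}: {exposed(rules)}")
```

The narrow rule set leaves a single reachable pair, the guest printer on 9100; it does not cover discovery, which the post above notes would need its own allow.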





  • I have 16 printers on that network and they are adding two more wireless ones. Currently the only wifi devices that can get to the LAN are Windows domain devices that match the NPS rules. Since I can't push the Windows cert to the new printers, that got me started thinking about the separate VLAN for printers. Then I remembered how they wanted to print from guest devices and I thought I could take care of two things at once.

    I was going to just allow port 9100, but was thinking that it would work for older devices, but there was probably some catch with Chrome printing or something like that.



  • @Mike-Davis do the guests really need the ability to print to every printer?

