Channel: MikroTik

Beginner Basics • Printer on different VLAN

Hi everyone

I have a slight issue with a Brother printer which is located on a different VLAN than the devices from which I intend to print. My setup is quite simple:
  • VLAN ID10: Home devices
  • VLAN ID20: Work devices
  • VLAN ID30: IOT devices and Brother printer

The entire VLAN setup works, apart from the fact that I am unable to print from the devices located on VLAN ID10. I therefore made the printer IP static and added the following firewall rule:
Code:
add action=accept chain=forward comment=\
    "Access Printer on Printing Network from Home Network" dst-address=\
    192.168.30.8 in-interface=VLAN-Home out-interface=VLAN-Printer-IOT

This firewall rule allows me to ping the printer from the devices located on VLAN ID10. However, I am still unable to print. I tried to add the printer via the dedicated IP directly in Windows ("add a printer or a scanner") and also via the Brother software (the software can initially locate the printer, but is also unable to add it). Does anyone have an idea what I am doing wrong?

The firewall goal is:
1. As strict as possible firewall rules
2. VLANs shall not communicate with each other (exception: VLAN ID10 devices shall be able to send data to the printer located on VLAN ID30 for printing purposes, but not the other way around)

My entire config is as follows:
Code:
# 2025-01-08 19:28:18 by RouterOS 7.16.2
# software id = KSYB-YVIV
#
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add name=Bridge-LAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes name=ether2-LAN
set [ find default-name=ether3 ] disabled=yes name=ether3-LAN
set [ find default-name=ether4 ] disabled=yes name=ether4-LAN
set [ find default-name=ether5 ] disabled=yes name=ether5-LAN
/interface vlan
add interface=Bridge-LAN name=VLAN-Home vlan-id=10
add interface=Bridge-LAN name=VLAN-Work vlan-id=20
add interface=Bridge-LAN name=VLAN-Printer-IOT vlan-id=30
/interface list
add name=WAN
add name=VLAN
add name=VLAN-Admin
/interface wifi configuration
add channel.band=2ghz-ax .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp,gcmp .wps=disable ssid=TestNet tx-power=\
    10
add channel.band=5ghz-ax .width=20/40mhz country=Germany disabled=no mode=\
    ap name="5ghz Config" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .wps=disable \
    ssid=TestNet5G tx-power=18
add channel.band=2ghz-ax .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-Work" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .wps=disable \
    ssid=TestNet-Work tx-power=10
add channel.band=2ghz-n .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-Printer-IOT" security.authentication-types=wpa2-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet-Printer tx-power=10
/interface wifi
set [ find default-name=wifi1 ] configuration="5ghz Config" \
    configuration.mode=ap name=Wifi1-5ghz
set [ find default-name=wifi2 ] configuration="2.4ghz Config" \
    configuration.mode=ap disabled=no name=Wifi2-2.4ghz
add configuration="2.4ghz Config-Printer-IOT" configuration.mode=ap disabled=\
    no mac-address=XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=\
    Wifi2-2.4ghz-Printer-IOT
add configuration="2.4ghz Config-Work" configuration.mode=ap disabled=no \
    mac-address=XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=\
    Wifi2-2.4ghz-Work
/ip pool
add name=VLAN-Home-Pool ranges=192.168.10.20-192.168.10.254
add name=VLAN-Work-Pool ranges=192.168.20.20-192.168.20.254
add name=VLAN-Printer-IOT-Pool ranges=192.168.30.20-192.168.30.254
/ip dhcp-server
add address-pool=VLAN-Home-Pool interface=VLAN-Home name=VLAN-Home-DHCP
add address-pool=VLAN-Work-Pool interface=VLAN-Work name=VLAN-Work-DHCP
add address-pool=VLAN-Printer-IOT-Pool interface=VLAN-Printer-IOT name=\
    VLAN-Printer-IOT
/interface bridge port
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi1-5ghz pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-Work pvid=20
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-Printer-IOT pvid=30
/ip neighbor discovery-settings
set discover-interface-list=VLAN-Admin
/ip settings
set rp-filter=loose
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface bridge vlan
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-Work vlan-ids=\
    20
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=\
    ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN,Wifi1-5ghz,Wifi2-2.4ghz \
    vlan-ids=10
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-Printer-IOT \
    vlan-ids=30
/interface list member
add interface=ether1-WAN list=WAN
add interface=VLAN-Home list=VLAN
add interface=VLAN-Work list=VLAN
add interface=VLAN-Home list=VLAN-Admin
add interface=VLAN-Printer-IOT list=VLAN
/ip address
add address=192.168.10.1/24 interface=VLAN-Home network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN-Work network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN-Printer-IOT network=192.168.30.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.10.15 client-id=1:XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=VLAN-Home-DHCP
add address=192.168.10.16 client-id=1:XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=VLAN-Home-DHCP
add address=192.168.30.8 client-id=1:XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=VLAN-Printer-IOT
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.10.15 list=Authorized
add address=192.168.10.16 list=Authorized
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=\
    VLAN-Admin src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack chain=forward comment="fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    VLAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "Access Printer on Printing Network from Home Network" dst-address=\
    192.168.30.8 in-interface=VLAN-Home out-interface=VLAN-Printer-IOT
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2421
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall filter
add action=drop chain=input comment="Drop all IPv6 input traffic"
add action=drop chain=forward comment="Drop all IPv6 forward traffic"
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system logging
add topics=wireless
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
add interval=1w name="1.1 MO Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-30 start-time=07:00:00
add interval=1w name="1.2 MO Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-30 start-time=20:00:00
add interval=1w name="2.1 TU Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-31 start-time=07:00:00
add interval=1w name="2.2 TU Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-31 start-time=20:00:00
add interval=1w name="3.1 WE Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-01 start-time=07:00:00
add interval=1w name="3.2 WE Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-01 start-time=20:00:00
add interval=1w name="4.1 TH Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-02 start-time=07:00:00
add interval=1w name="4.2 TH Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-02 start-time=20:00:00
add interval=1w name="5.1 FR Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-03 start-time=07:00:00
add interval=1w name="5.2 FR Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-03 start-time=20:00:00
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=VLAN-Admin
/tool mac-server ping
set enabled=no

Statistics: Posted by whuupwhuup — Thu Jan 09, 2025 12:27 am
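
An added example, not part of the original post: a simplified first-match model in Python of the forward chain posted above, run over constructed sample flows to check it against firewall goal 2. The host addresses other than 192.168.30.8, the ports, and the helper names (`flow`, `verdict`, `audit`) are assumptions made for illustration.

```python
# Added example: first-match model of the forward chain from the posted config.
# Assumption: only the matchers that appear in the post are modelled, and the
# fasttrack rule is folded into "accept established,related,untracked".
VLAN = {"VLAN-Home", "VLAN-Work", "VLAN-Printer-IOT"}  # members of interface list VLAN
WAN = {"ether1-WAN"}                                   # members of interface list WAN

FORWARD = [
    {"action": "accept", "comment": "accept established,related,untracked",
     "state": {"established", "related", "untracked"}},
    {"action": "drop", "comment": "drop invalid", "state": {"invalid"}},
    {"action": "accept", "comment": "internet traffic", "in_if": VLAN, "out_if": WAN},
    {"action": "accept",
     "comment": "Access Printer on Printing Network from Home Network",
     "in_if": {"VLAN-Home"}, "out_if": {"VLAN-Printer-IOT"}, "dst": {"192.168.30.8"}},
    {"action": "drop", "comment": "drop all else"},
]

def flow(state, in_if, out_if, dst, dport):
    """Describe one packet as seen by the forward chain."""
    return {"state": state, "in_if": in_if, "out_if": out_if, "dst": dst, "dport": dport}

def verdict(pkt):
    """Return (action, comment) of the first rule whose matchers all match pkt."""
    for rule in FORWARD:
        keys = [k for k in ("state", "in_if", "out_if", "dst") if k in rule]
        if all(pkt[k] in rule[k] for k in keys):
            return rule["action"], rule["comment"]
    return "accept", "no rule matched (chain default)"

# Constructed sample flows; ports and non-printer addresses are made up.
FLOWS = {
    "home -> printer, new, tcp/9100": flow("new", "VLAN-Home", "VLAN-Printer-IOT", "192.168.30.8", 9100),
    "home -> printer, new, tcp/80": flow("new", "VLAN-Home", "VLAN-Printer-IOT", "192.168.30.8", 80),
    "home -> other IoT host, new": flow("new", "VLAN-Home", "VLAN-Printer-IOT", "192.168.30.50", 80),
    "work -> printer, new": flow("new", "VLAN-Work", "VLAN-Printer-IOT", "192.168.30.8", 9100),
    "printer -> home, new": flow("new", "VLAN-Printer-IOT", "VLAN-Home", "192.168.10.50", 445),
    "printer -> home, reply": flow("established", "VLAN-Printer-IOT", "VLAN-Home", "192.168.10.50", 50000),
}

def audit():
    """Map each sample flow to the action the forward chain takes on it."""
    return {name: verdict(pkt)[0] for name, pkt in FLOWS.items()}

if __name__ == "__main__":
    for name, pkt in FLOWS.items():
        print(f"{name:32} {verdict(pkt)}")
```

The accept for tcp/80 shows that the printer rule matches on interfaces and destination address only, so it admits every protocol and port from VLAN-Home to 192.168.30.8, while new connections from the printer back to VLAN-Home fall through to "drop all else".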


