Allowing users on guest zone to print to an IPP printer on private zone

Has anyone successfully setup a firewall rule to allow users on a guest zone to print to a printer on a different zone? IPP is the protocol that works for users on the main zone to which the printer is connected. I thought it would be as simple as forwarding a port from guest --> main pointing at the printer's IP address but I am unsure which port IPP uses despite googling.

EDIT: I got it

Traffic Rule:

Protocol: TCP+UDP
Source: guest
Source address: (laptop 1)
       (laptop 2)
Destination zone: home
Destination address: (printer)
Destination port: 631
Action: accept

Plan B might be to put the printer in its own zone that both others can reach. Sort of in a DMZ that only has connections back to two LAN tyoe networks. Not sure exactly how without thinking about it more, but it'd keep things a bit more symmetric.

You can leave only tcp in the rule.

1 Like

You need a config forwarding to allow guest to forward to lan. By itself that would allow guests to reach everything on lan, so in addition you need a rule that rejects src guest from all IP addresses in lan. Then open the printer's IP and port with a specific rule to allow it. This allow rule needs to be higher in the list than the general reject rule.

The guests will need to know the IP of the printer, or you can use DNS, perhaps reserving it a name that is easier to remember than HP-suchandsuch. If the printer is using DHCP you need to reserve it a specific IP address since the firewall doesn't work by names. Also autodiscovery methods don't work across networks.

You also may want to allow ICMP to the printer so it can be pinged from the guest side, at least for testing.

1 Like

Good catch from @mk24, you didn't specify the destination address and guests have access on any lan host (on port 631, which might be closed). Also add another rule for ping, that could come handy.

Pretty sure you don't need that forwarding and any explicit prohibitive rules.
A permissive rule is enough to reach for unicast traffic across zones even without forwardings.

1 Like

I did define the IP of the printer initially, just forgot to post it above. Edited to reflect current rule. Also added src port and limited it to two devices.

No, don't add that, the source port is not the same as destination. Leave it blanc.


Edited post and rule, thanks.

Actually there might be some reason both are open here:

1 Like

Both TCP and UDP are allocated to IPP from what I've found. However IPP only uses TCP. I don't think it will make any difference to leave one or both.

1 Like

I just want the rule to work so added back UDP and edited original post. Math is hard :smiley:

Perhaps it's specific to CUPS:

If I remember correctly, it uses UDP for status/queue info.

1 Like

This is my firewall rule:

config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'GUEST CUPS'
	option family 'ipv4'
	option proto 'tcp udp'
	option dest 'lan'
	option dest_port '631'
	list dest_ip '<IP-of-CUPS-server>'
1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.