Has anyone successfully set up a firewall rule to allow users on a guest zone to print to a printer on a different zone? IPP is the protocol that works for users on the main zone to which the printer is connected. I thought it would be as simple as forwarding a port from guest --> main pointing at the printer's IP address, but I am unsure which port IPP uses despite googling.
Plan B might be to put the printer in its own zone that both others can reach. Sort of in a DMZ that only has connections back to two LAN type networks. Not sure exactly how without thinking about it more, but it'd keep things a bit more symmetric.
You need a config forwarding to allow guest to forward to lan. By itself that would allow guests to reach everything on lan, so in addition you need a rule that rejects src guest from all IP addresses in lan. Then open the printer's IP and port with a specific rule to allow it. This allow rule needs to be higher in the list than the general reject rule.
The guests will need to know the IP of the printer, or you can use DNS, perhaps reserving it a name that is easier to remember than HP-suchandsuch. If the printer is using DHCP you need to reserve it a specific IP address since the firewall doesn't work by names. Also autodiscovery methods don't work across networks.
You also may want to allow ICMP to the printer so it can be pinged from the guest side, at least for testing.
Good catch from @mk24, you didn't specify the destination address and guests have access to any lan host (on port 631, which might be closed). Also add another rule for ping, that could come in handy.
Pretty sure you don't need that forwarding and any explicit prohibitive rules.
A permissive rule is enough to reach for unicast traffic across zones even without forwardings.
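As an added example (not from any poster in this thread), here is what the rule-only approach from the last two posts looks like as an OpenWrt UCI firewall fragment: one ACCEPT rule from the guest zone to the printer's address on TCP 631 (IPP), one for ICMP echo so the printer can be pinged during testing, and the DHCP static lease that pins the printer's address so the rule keeps matching. It assumes zones named `guest` and `lan`, a placeholder printer address 192.168.1.50, a placeholder MAC, and a guest zone whose forward policy is REJECT (the usual guest setup), so that nothing else on lan is reachable without a guest-to-lan forwarding.

```uci
# /etc/config/firewall (fragment, added example)
# Assumes zones 'guest' and 'lan' already exist and the guest zone has
# option forward 'REJECT'. No 'config forwarding' from guest to lan is
# defined, so only the two destinations below are reachable from guests.

config rule
	option name 'Allow-Guest-IPP-Printer'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.50'   # placeholder printer address
	option proto 'tcp'
	option dest_port '631'          # IPP
	option target 'ACCEPT'

config rule
	option name 'Allow-Guest-Ping-Printer'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.50'   # same placeholder printer address
	option proto 'icmp'
	option icmp_type 'echo-request'
	option target 'ACCEPT'

# /etc/config/dhcp (fragment, added example)
# Static lease so the printer always gets the address the rules match on;
# a printer that moves to another DHCP address silently stops matching.

config host
	option name 'printer'
	option mac '00:11:22:33:44:55'  # placeholder, replace with the printer's MAC
	option ip '192.168.1.50'
```

After reloading the firewall (`/etc/init.d/firewall reload`) and renewing the printer's lease, a guest client should be able to ping 192.168.1.50 and reach TCP 631 there, while other lan hosts remain unreachable from the guest zone.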
I did define the IP of the printer initially, just forgot to post it above. Edited to reflect current rule. Also added src port and limited it to two devices.