HP printer subnet issue and isolating the device

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi,
I have a HP LaserJet Pro printer which I am trying to connect to from my other devices (Linux and Android). The printer is connected via ethernet to the OpenWRT router. Since I don't want to have smart devices in my LAN zone, I put it on a different interface with a different subnet and firewall zone. Problem is that the printer seems to have some built-in rules that block connections from different subnets, for detection, printing and accessing its web interface. Even putting it on the same firewall zone didn't help, only using it on the same subnet did. I would like to keep the printer isolated as much as possible and only allow what is required to make it work in conjunction with my other devices. Does anyone know a solution?

2

You just add IP address directly.

1 Like
3

Add which IP to what?

4

Did you set a gateway in the printer, as well as IP?

Failure to do so would make you unable to reach other networks.

5

Yes. Got the correct IP and gateway via DHCP.

There seem to be various users reporting problems with HP printers/scanners not working across different subnets.

A possible solution is proposed here: https://h30434.www3.hp.com/t5/Printer-Setup-Software-Drivers/Print-to-different-subnet-HP-Smart-Solved/td-p/9093246 , but I have difficulties implementing it.

  • Enabling Muticast on router interfaces

Done for interfaces printer and lan via LuCI.

For the part

  • Enabling multicast forwarding for multicast IPs 224.0.0.251, 224.0.0.252, and 239.255.255.250

First implementation try:

cat /etc/config/igmpproxy

config igmpproxy
        option quickleave 1
#       option verbose [0-3](none, minimal[default], more, maximum)

config phyint
        option network printer
        option zone printer
        option direction upstream
        list altnet 224.0.0.251/31          
        list altnet 239.255.255.250/32
             
config phyint             
        option network lan
        option zone lan            
        option direction downstream

Probably still need firewall rules.

Have no clue about this part:

  • Enable UDP broadcast forwarding for UDP ports 137 and 138
6

Enter printer IP address manually.

7

Didnt't work accross different subnets, even if zone forwarding is allowed, and even if put on the same zone.

1 Like
8

What is the problem adding printer IP address instead of spending a day juggling multicast discovery?

1 Like
9

Adding the printer IP to what?

1 Like
10

I think the other user is asking if you allow port 9100 on your firewall and configure your HP/IP-based printer on the clients manually?

This is a Linux example - the host would be the IP address of the printer:

screen851

11

You can configure ipp, lpd and so on, even android has dialog to enter printer ip next to auto discover.
hostname works too.

1 Like
12

Did you actually try this with a HP printer across different subnets?

Because it does not work for my devices, even when put into the same firewall zone. within the same subnet it works. Manually entering it does not help either. Other users reported the same issue with HP printers/scanner in the HP community.

13

Odd, yes this works here for me. I've set up HP printers across different networks my entire career. Also other model printers that speak the HP JetDirect protocol.

Using 3 now thru an OpenWrt router.

What model printer?

1 Like
14

Roughly 20 years in total, never ever choked.
you are shouting it does not work, but you are pinching auto discovery, never even trying to connect a printer.

1 Like
15

HP LaserJet Pro 200 color MFP M276n

I have tried to manually connect for many times, trying different solutions, wasting basically a whole day with finding a solution. It works via USB, it works within several subnets and zones, if other devices are within the same subnet. As soon as a device is in a different subnet it does not work anymore, even with fully allowed firewall zone forwarding in both directions and even if put into the same firewall zone. Not my first printer, but never had such problems.

1 Like
16

screen853
screen853687×597 34.5 KB

screen854

user@machine:~$ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: xxxxxxxx: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    altname xxxxxxxxx
    inet 192.168.1.xxx/24 brd 192.168.1.255 scope global dynamic noprefixroute xxxxxxxxx
       valid_lft 39506sec preferred_lft 39506sec
  • Have you opened port 9100 on the firewall?
  • Can you ping the printer's IP from the SRC network?

Broadcast and multicast generally do not work across networks.

17

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like
18

Doesn't full zone forwarding between the printer's zone and the other devices' zones already allows this? Even tried putting it into the same zone, so no opened port should be needed.

1 Like
19

OK.

screen855
screen855710×101 8.39 KB

~From: https://support.hp.com/us-en/document/c03315988

  • Can you reach it's web server?
  • Can you ping the printer's IP?
2 Likes
20

You can put it on the same subnet and use Firewall rules to isolate it. However, I don't really see the benefit in isolating a single device on a home network. The risk posed is pretty low and it will just add complexity.

1 Like