Print and scan to wifi Canon printer from Wan

Hi,
OpenWrt is on a TP-Link Archer C50.
LAN interface (wifi) is IPv4: 192.168.2.1/24.
WAN interface is IPv4: 192.168.1.150/24, connected to my optical fiber modem.
My Canon printer (Pixma TS5050) is on the LAN network via wifi.
I have no problem printing or scanning from the LAN (wifi).
But I can't print or scan from my PC wired to my modem (static IP 192.168.1.2), although I can admin OpenWrt from it through the WAN port.
According to this https://support.usa.canon.com/kb/index?page=content&id=ART109227
I forwarded ports 8611-8613 from WAN to 'any zone' in 'traffic rules'. Same for ports 515 and 9100. But my PC apps (scan and print) don't see the printer.
It was OK when my TP-Link was in bridge mode with the TP-Link firmware.
So do you have any ideas for how to see my printer from my PC?
Thanks for any advice...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Hi,
here it is:

cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:2e47::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'xx:xx:xx:xx:48:fe'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'xx:xx:xx:xx:48:ff'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

and

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option masq '1'
	option mtu_fix '1'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option src 'wan'
	option target 'ACCEPT'
	option name 'Admin depuis mon PC'
	list src_ip '192.168.1.2'

config rule
	option src_port '8611-8613'
	option src 'wan'
	option dest '*'
	option target 'ACCEPT'
	option dest_port '8611-8613'
	option name 'Scanner'

config rule
	option src_port '9100'
	option src 'wan'
	option name 'Imprimante'
	option dest '*'
	option target 'ACCEPT'
	option dest_port '9100'

config rule
	option src_port '515'
	option src 'wan'
	option name 'Imprimante 2'
	option dest '*'
	option target 'ACCEPT'
	option dest_port '515'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

  1. Is there some reason you don't use OpenWrt as a bridge? For the typical home user it is much easier to have the PC and the printer in the same network. Either bridge OpenWrt ("dumb AP" configuration), or move all of your PCs and printers to the LAN side of the OpenWrt router, using the ISP router only as a link to the Internet.

  2. The second easiest way is to have two networks, but directly route the .2 network to .1 instead of NAT/masquerade. This requires installing a route to the .2 network on the .1 main router (192.168.2.0/24 via 192.168.1.X, where X is the IP of the OpenWrt router's WAN port).

  3. The hard way is what you're trying to do now, forward ports back through NAT. This requires writing the rules as DNATs that send the port to the printer's specific IP on the .2 network.

--

  1. This works directly with "Add a new printer" etc.
  2. To print from a PC on the .1 network, you will need to know the printer's IP on the .2 network and manually add it to the PC. Auto-discovery does not work across networks.
  3. Like 2, but effectively the printer's IP for a .1 machine is the IP of the router's WAN on the .1 network. This also means you can only have one printer so routed unless you use non-standard port numbers for the second one.

This configuration was tested with a wired network printer, manually installed with the option "Add a printer using a TCP/IP address or hostname". It creates a Standard TCP/IP Port Monitor in the printer Properties.

  1. If your printer has a static IP address, make sure that the default gateway is set to 192.168.2.1.

  2. Delete all previously created printer rules

config rule
	option src_port '8611-8613'
	option src 'wan'
	option dest '*'
	option target 'ACCEPT'
	option dest_port '8611-8613'
	option name 'Scanner'

config rule
	option src_port '9100'
	option src 'wan'
	option name 'Imprimante'
	option dest '*'
	option target 'ACCEPT'
	option dest_port '9100'

config rule
	option src_port '515'
	option src 'wan'
	option name 'Imprimante 2'
	option dest '*'
	option target 'ACCEPT'
	option dest_port '515'

  3. Create a rule allowing routing from the wan to the lan zone:

uci add firewall rule
uci set firewall.@rule[-1].name="Allow-WAN-LAN"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].dest="lan"
uci set firewall.@rule[-1].dest_ip="192.168.2.0/24"
uci set firewall.@rule[-1].src_ip="192.168.1.0/24"
uci set firewall.@rule[-1].proto="all"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

If you don't want to route the entire network, you could tune the IP addresses later.

  4. For testing purposes, add a static route on the wired PC. Open a DOS prompt as admin and type:

route add 192.168.2.0 mask 255.255.255.0 192.168.1.150

If it works, you should add a static route in 192.168.1.1, as mk24 suggested. According to the configuration you posted, 192.168.1.150 is dynamically assigned, so you have to consider making the WAN IP address of the OpenWrt router static, or creating a static lease in the DHCP server for it.

  5. Ping the printer from the wired PC and if it replies, try to install it manually.

The solution with port forwarding is not stable. In my case, after some time the printer goes "offline".

However, it may be best to follow @mk24's advice to configure your router as a dumb AP and connect one of its LAN ports to the modem. If you move all your devices to the LAN zone of the OpenWrt router, you may experience some download speed drop, especially with the wired devices.
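
The traffic rules posted earlier in the thread pin `src_port` and forward to `dest '*'`, and the `Allow-WAN-LAN` rule accepts every protocol and port. The following is an added example (not code from any poster) that lints an OpenWrt firewall config for those three patterns. The sample config is constructed and trimmed from the thread's rules; the `Printer-RAW` rule and the address 192.168.2.50 are hypothetical.

```shell
# Added example: lint WAN-sourced ACCEPT rules. On the router: audit_fw_rules < /etc/config/firewall
audit_fw_rules() {
  awk -v q="'" '
    function report(code,   n) { n = ("name" in o) ? o["name"] : "(unnamed)"; print n ": " code }
    function check() {
      if (!in_rule || o["src"] != "wan" || o["target"] != "ACCEPT") return
      # Clients connect from ephemeral source ports, so a pinned src_port never matches.
      if ("src_port" in o) report("SRC_PORT_PINNED")
      # dest "*" forwards to every zone instead of the one holding the printer.
      if (("dest" in o) && o["dest"] == "*") report("DEST_ANY_ZONE")
      # A forward rule for tcp/udp/all without dest_port exposes every service.
      wide = !("proto" in o) || o["proto"] ~ /^(all|tcp|udp|tcp udp|tcpudp)$/
      if (("dest" in o) && !("dest_port" in o) && wide) report("ALL_PORTS_FORWARDED")
    }
    $1 == "config" { check(); split("", o); in_rule = ($2 == "rule"); next }
    $1 == "option" || $1 == "list" {
      val = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val)
      gsub("^[\"" q "]|[\"" q "]$", "", val); o[$2] = val
    }
    END { check() }
  '
}
# Constructed sample: two rules from the thread (trimmed) and a hypothetical narrowed rule.
sample_fw_config() {
  cat <<'EOF'
config rule
  option src_port '8611-8613'
  option src 'wan'
  option dest '*'
  option target 'ACCEPT'
  option dest_port '8611-8613'
  option name 'Scanner'
config rule
  option name 'Allow-WAN-LAN'
  option src 'wan'
  option dest 'lan'
  option proto 'all'
  option target 'ACCEPT'
config rule
  option name 'Printer-RAW'
  option src 'wan'
  option dest 'lan'
  option dest_ip '192.168.2.50'
  option dest_port '9100'
  option proto 'tcp'
  option target 'ACCEPT'
EOF
}
sample_fw_config | audit_fw_rules
```

A rule that names the zone, the printer's address, the protocol and the port, like the hypothetical `Printer-RAW`, produces no findings.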

Thanks a lot to both of you.
I chose the easiest way: dumb AP mode, and it's OK to print and scan.
Have a nice day!
