[SOLVED] Isolate Printer from internet access

My printer is currently working fine and is set up on a separate SSID on my main lan with a static lease.
My initial thread -

However I was just reading this story https://www.theregister.com/2025/03/06/brother_firmware_update_toner/ and when checking my set up realised that presumably it can connect out/in if it wants to and would like to be able to stop that.

I have tried to look up similar threads but the more I read the less I understand....
Is there a simple firewall rule I can put in place and if so what?
Otherwise do I need to do something else to achieve this and what is that - separate bridged network perhaps?

I can set it up on either GL-MT6000 (main router) or dumb AP AX3000T. Currently it is on the Flint2. Wired is still not an option.
Both are running 23.05.5

Set up a "guest network" without internet connection.

if it's a DHCP client, don't provide any DNS and default gw, as in https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#client_classifying_and_individual_options, options 3 and 6.

if it's using a static IP, simply don't add any GW and DNS IPs.

Thanks but my command of the CLI is pretty non existent so not sure exactly which options you were referring to on that page.
However in the editable settings for a static lease in Luci if I set the IPV4 address as "Ignore" does that achieve the same ?
I am only basing that on the description below it.

Apologies but if not can you be a bit more specific on which options on that page I should be looking at?

don't think all those settings are exposed in LuCI.

# one static host entry for the printer, matched by its MAC address
uci set dhcp.mac1="host"
uci set dhcp.mac1.name="Brother"
uci set dhcp.mac1.mac="PR:IN:TE:RM:AC"      # replace with the printer's real MAC
uci set dhcp.mac1.networkid="nointernet"
# a DHCP option listed without a value tells dnsmasq not to send it to this host:
uci add_list dhcp.mac1.dhcp_option="3"       # option 3 = default router
uci add_list dhcp.mac1.dhcp_option="6"       # option 6 = DNS server
uci commit dhcp
service dnsmasq restart

you could try this with the MAC of a device where you can actually see the result, the printer is kind of a black box, unless you tcpdump the traffic.

No they are not unfortunately.

Presume I can just change Brother for "Print", which is the SSID, or not?
For my understanding can you tell me also what the PR/IN etc refers to?
Thanks

AFAIK Brother is just a name, it has nothing to do with the settings, nor has it anything to do with your LAN, it will be applied to any device with a matching MAC, wired or wireless.

White-out the : and read the string again.

I feel even more stupid now....... :slightly_smiling_face:

So I put the actual MAC address there - sorry I know it is like spoon feeding a child.

... of the printer, yes.

If your printer is ethernet connected (or could reasonably be connected by ethernet), the non-internet guest network is more reliable. Relying on DHCP settings depends on the printer manufacturer being a good citizen and voluntarily obeying your settings (without hardcoded fallbacks, changing MAC addresses or other shenanigans); while it 'should' work, it can't really put a lid on it (while the isolated guest network can).

I would simply create firewall rules to drop all wan traffic to/from the printer IP and assign a static IP to the printer...

This is what I asked in my opening post because I cannot see how to do that with a wireless SSID?
It already has a static IP - set under Static lease in Luci.

No. As mentioned unfortunately it is not an option.

With this in mind, simply do as @moeller0 suggested and create a firewall rule that blocks the device from the internet. That's the least friction method for you, and the printer cannot circumvent this restriction as long as it is properly implemented.

Thanks but can you point me at something to help me to achieve that as using Luci I cannot see how to do that as mentioned.
I may not be seeing the wood for the trees but if CLI I definitely need some steering help?

I don't know if there is a tutorial on this specific thing, but here's the documentation:

https://openwrt.org/docs/guide-user/firewall/start

It's pretty simple, though...
You want to make a traffic rule that is set to:

  • Reject
  • all protocols
  • Source zone: lan
  • Source address: [IPaddress.of.your.printer]
  • Destination zone: wan

So is this example minus the times and days basically what you are suggesting?
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_config_examples#block_access_to_the_internet_for_a_specific_lan_station_between_certain_times

it's similar, but uses the IP address rather than the MAC and blocks all protocols.

Yes but that was the closest I could find :slightly_smiling_face:
Is there any benefit to using the IP rather than the Mac in this instance?
For all do I literally put 'all' in place of tcp udp?

It's really simple... I've used 192.168.1.23 as the IP address for the printer. Adjust as necessary....

And this is the equivalent rule in the config file:

config rule
	option name 'Block Printer'
	option src 'lan'
	list src_ip '192.168.1.23'
	option dest 'wan'
	option target 'REJECT'
	list proto 'all'
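The two approaches from this thread side by side in /etc/config form, as an added example that is not from the thread or the OpenWrt project: a static lease that tags the printer so dnsmasq hands it neither a default router (option 3) nor a DNS server (option 6), plus a firewall rule that rejects forwarding from the printer to wan. The MAC 00:11:22:33:44:55 is a placeholder for the printer's real address; 192.168.1.23 is the address used above. The rule here is keyed on the MAC rather than the IPv4 address because a rule whose only address match is an IPv4 `src_ip` is applied to IPv4 traffic only, so an IPv6 address the printer picks up via SLAAC would not be covered, whereas a `src_mac` match applies regardless of address family and survives the printer ever taking a different lease. Keeping the IP-based rule from the post above alongside it does no harm.

```uci
# /etc/config/dhcp  (added example; MAC is a placeholder)

config host
	option name 'Brother'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.23'
	option tag 'nointernet'

# Clients carrying the 'nointernet' tag get no router and no DNS server:
# a dhcp_option listed without a value suppresses that option.
config tag 'nointernet'
	list dhcp_option '3'
	list dhcp_option '6'

# /etc/config/firewall  (added example)

# Reject everything the printer tries to send towards wan, matched on its
# MAC so the rule holds for IPv4 and IPv6 and for any address it may obtain.
config rule
	option name 'Block Printer (MAC)'
	option src 'lan'
	list src_mac '00:11:22:33:44:55'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Apply with `service dnsmasq restart` and `service firewall restart`; `fw4 print` shows the nftables rules OpenWrt 23.05 generates from this, and, if tcpdump is installed on the router, `tcpdump -ni <wan-interface> host 192.168.1.23` should stay silent while the same capture on the lan interface still shows the printer's connection attempts being made and rejected.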