Wireless printer across different vlans/subnets

Hi,
I have a HP Laserjet Neverstop 1200W with wifi.
It seems that these stupid printers work only when printing is initiated within the same wifi network/subnet - anyone experienced similar behaviour?

I have 2 SSIDs configured as different vlans, each with its own subnet, so that vlan1 is routed out via VPN and vlan2 is routed out to the internet directly.
The printer is on vlan1.

So whenever our laptops or phones are connected to vlan2, printing does not work; the job just gets stuck, even though the printer is pingable and I can even reach its web interface.
It's not the end of the world to switch over to another wifi network to print something, but it's just bloody annoying, I hate impractical things :slight_smile:

I have no limitations between the subnets; they are not isolated in any way, and both zones are configured as ACCEPT ACCEPT ACCEPT to each other.
Any ideas how to work around what seems to be an HP wireless printing limitation?

Hi @megacar1

if the printer is really "sensitive" :smiley: to its own subnet, you could try a firewall rule,
something like:
if a packet arrives from vlan2 (laptops) and its destination is the printer's IP on vlan1, then masquerade (the router rewrites the source to its own vlan1 address)

this way, the printer will see only source addresses from its own subnet

one more thing

try to install the HP printer while you are on vlan2 (laptops)

this way, the HP driver will be forced to use the printer's IP address and not mdns/pnp/whatever for the printing port

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

hi

main router (wifi disabled on this one)

root@blanja:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "blanja",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link TL-WR1043ND v2",
        "board_name": "tplink,tl-wr1043nd-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ath79/generic",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
root@blanja:~# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'

config interface 'LAN'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option device 'eth1'
        option type 'bridge'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 4 3 2 1'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '6 5'
        option description 'WAN'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 4t 3t 2t 1t'
        option vid '3'
        option description 'NOVPN'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t 4t 3t 2t 1t'
        option vid '4'
        option description 'GUEST'

config interface 'LTE'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.70.2'
        option netmask '255.255.255.0'
        option gateway '192.168.70.1'
        option delegate '0'

config interface 'NOVPN'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '192.168.5.1'
        option device 'eth1.3'
        option type 'bridge'

config interface 'GUEST'
        option proto 'static'
        option device 'eth1.4'
        option ipaddr '192.168.6.1'
        option netmask '255.255.255.0'

config interface 'VPN'
        option proto 'wireguard'
        option private_key '***'
        list addresses '10.9.0.2/32'
        option listen_port '51830'
        option delegate '0'
        option force_link '1'
        option defaultroute '0'
        option mtu '1420'

config wireguard_VPN 'wg0'
        option public_key '***'
        option route_allowed_ips '1'
        option persistent_keepalive '0'
        option endpoint_port '51830'
        list allowed_ips '10.9.0.1/32'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '10.9.0.3/32'
        option endpoint_host '***'

root@blanja:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option country 'US'
        option path 'platform/ahb/18100000.wmac'
        option cell_density '0'
        option htmode 'HT20'
        option channel '2'
        option txpower '25'
        option disabled '1'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option key '*'
        option max_inactivity '180'
        option network 'NOVPN'
        option ssid 'mado'
        option ieee80211r '1'
        option mobility_domain 'd011'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option disabled '1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option isolate '1'
        option key '**'
        option network 'GUEST'
        option max_inactivity '180'
        option ssid 'gosti'
        option disabled '1'

root@blanja:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option domain 'doma'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '0'
        option noresolv '1'
        option strictorder '1'
        option filterwin2k '1'
        option serversfile '/var/run/simple-adblock.servers'
        option allservers '1'
        option nonegcache '1'
        option local '/doma/'
        list doh_backup_server '1.1.1.1'
        option confdir '/tmp/dnsmasq.d'
        list server '192.168.4.10'
        option localservice '0'

config dhcp 'doma'
        option interface 'LAN'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'WAN'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config domain


config dhcp 'GUEST'
        option interface 'GUEST'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@blanja:~# cat /etc/config/firewall

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src '*'

config rule
        option name 'Allow-Ping'
        option src 'WAN'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'WAN'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'WAN'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'WAN'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Wireguard'
        option src 'WAN'
        option proto 'udp'
        option dest_port '51830'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'WAN'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'WAN'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option src 'WAN'
        option dest 'LAN'
        option proto 'esp'
        option target 'ACCEPT'
        option name 'VPN IPSec'

config rule
        option src 'WAN'
        option dest 'LAN'
        option dest_port '51830'
        option proto 'udp'
        option target 'ACCEPT'
        option name 'VPN Wireguard'

config rule
        option src 'LAN'
        option src_mac '50:C7:BF:4B:C7:FB'
        option target 'REJECT'
        option name 'HS100-Plug1'
        option dest '*'

config rule
        option src 'LAN'
        option name 'HS100-Plug2'
        option src_mac '50:C7:BF:4B:D2:A6'
        option dest '*'
        option target 'REJECT'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option synflood_protect '1'

config zone
        option name 'LAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'LAN'

config zone
        option name 'WAN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'LTE'

config include
        option path '/etc/firewall.user'

config zone
        option name 'VPN'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'VPN'

config forwarding
        option dest 'VPN'
        option src 'LAN'

config forwarding
        option dest 'LAN'
        option src 'VPN'

config rule
        option target 'ACCEPT'
        option src 'VPN'
        option name 'VPN Ping'

config forwarding
        option dest 'WAN'
        option src 'LAN'

config forwarding
        option dest 'LAN'
        option src 'WAN'

config zone
        option name 'GUEST'
        option input 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'
        list network 'GUEST'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option src 'GUEST'
        option dest 'VPN'

config forwarding
        option src 'VPN'
        option dest 'GUEST'

config forwarding
        option src 'GUEST'
        option dest 'WAN'

config forwarding
        option src 'WAN'
        option dest 'GUEST'

config zone
        option name 'NOVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'NOVPN'

config forwarding
        option src 'NOVPN'
        option dest 'VPN'

config forwarding
        option src 'NOVPN'
        option dest 'WAN'

config forwarding
        option src 'VPN'
        option dest 'NOVPN'

config forwarding
        option src 'WAN'
        option dest 'NOVPN'

config forwarding
        option src 'LAN'
        option dest 'NOVPN'

config forwarding
        option src 'NOVPN'
        option dest 'LAN'

config rule
        option name 'GUEST'
        option src 'GUEST'
        option target 'REJECT'
        option dest_port '443 22'

wifi AP:

root@tanjur:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "tanjur",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "Ubiquiti UniFi AC Lite",
        "board_name": "ubnt,unifiac-lite",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ath79/generic",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
root@tanjur:~# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.4.10'
        option netmask '255.255.255.0'
        option gateway '192.168.4.1'
        option dns '192.168.4.1'
        option delegate '0'
        option device 'br-lan'
        option ipv6 'off'

config interface 'VLAN3'
        option proto 'static'
        option ipaddr '192.168.5.10'
        option netmask '255.255.255.0'
        option delegate '0'
        option device 'br-VLAN3'

config interface 'VLAN4'
        option proto 'static'
        option ipaddr '192.168.6.10'
        option netmask '255.255.255.0'
        option delegate '0'
        option device 'br-VLAN4'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'br-VLAN3'
        option type 'bridge'
        list ports 'eth0.3'

config device
        option name 'br-VLAN4'
        option type 'bridge'
        list ports 'eth0.4'
		
root@tanjur:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'
        option dhcpv6 'disabled'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@tanjur:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option country 'US'
        option cell_density '0'
        option htmode 'VHT80'
        option channel '40'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option htmode 'HT20'
        option country 'US'
        option path 'platform/ahb/18100000.wmac'
        option cell_density '0'
        option channel '7'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'doma'
        option encryption 'psk2'
        option key '***'
        option macfilter 'deny'
        list maclist '3C:20:F6:58:04:B7'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option network 'VLAN3'
        option key '***'
        option max_inactivity '180'
        option ssid 'madobar'

config wifi-iface 'wifinet2'
        option ssid 'gosti'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option network 'VLAN4'
        option key '***'
        option isolate '1'
        option max_inactivity '180'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'mado'
        option encryption 'psk2'
        option key '***'
        option network 'VLAN3'

root@tanjur:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option name 'GUEST'
        option src '*'
        list src_ip '192.168.6.0/24'
        option dest_port '443 22'
        option target 'REJECT'

This version is EOL and unsupported. You should upgrade to 23.05 for the TP-Link TL-WR1043N/ND v2. Along the way, I'd recommend resetting to defaults (as part of the upgrade process -- do not 'keep settings') and then starting fresh, as there are several issues with your config -- it's easier just to build up from scratch.

Similarly, for your UAP-AC-Lite, I'd recommend upgrading that to 23.05 as well. This one can keep settings, although when you're done we'll want to fix a few things.

thanks for the info. I will upgrade them when I get around to it.

Whoa, building it from scratch sounds like a lot of work with all the custom stuff like adblocker, policy based routing, vlans, dhcp reservations, wireguard, etc...
Also, if I don't know what is wrong with the current config, I will just recreate the same mistake again :slight_smile:

did you try anything i wrote above ?

Ok... if that's the case, we can edit the existing files.

Just an example of what is wrong...

The bridge must be defined outside the network interface -- the `option type 'bridge'` line is invalid inside an interface and may break things. It should look like this:

config device 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'LAN'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option device 'br-lan'

You've got several of these throughout your config, so you need to clean those up. There are probably other things, too, but we'll get to them once you've upgraded.

i will try with firewall rule, thanks for suggestion.
I am mostly printing from android phone, so fiddling with windows is not worth it..

thanks, will report back once upgraded and fixed these

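it will not work
Android printing is tied to mDNS (Avahi/Bonjour) discovery, which is link-local multicast and is not routed between subnets

so, without an mDNS reflector on your router, it is a waste of time (and a reflector makes the services announced on one VLAN visible on the other)
and yes, using HP will not help either :frowning: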

okay, I got the time around to upgrade my openwrt equipment (I'm doing it every summer, and there will be no upgrades until next august). both ubiquiti AP and tplink router on latest 23 version.

Meanwhile, I gave up on chasing this printer issue, I can live with it, and judging by the comments it will never work.

Out of curiosity, I went ahead and did your change (separated bridge) as you say my config could break things, but actually after I did the change I lost access to the router.
I tried to access it from 2 different VLANs, no dice. I guess my config is so broken that VLAN configuration depends on that bridge, so it has all fallen apart.
Luckily, router remained accessible to its wireguard peer (as only the local network was broken), so I just accessed it from a remote machine and reverted back to my "broken" config.

I guess it has something to do with the fact I have vlans configured like eth1.3, eth1.4 and they need the LAN interface to be eth1.
probably I could just remove bridge definition from that LAN eth1 interface and everything might work...
As I don't need wlan and lan bridged here, wlan is disabled on this router, as I am using other device as AP (ubiquiti unifi ap lite with openwrt). maybe I dont need any bridge here at all,

Share your latest config and we'll try to figure out what's wrong.

My latest config is the same as posted above, it remains unchanged as I opted to keep settings during upgrade

In that case, my advice should still be accurate. You said you lost connectivity -- I would make a guess that it was a typo or other mistake that was responsible for the issue.

root@blanja:~# cat /etc/config/network
config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'

config device 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'LAN'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option device 'br-lan'
root@blanja:~# /etc/init.d/network restart
'radio0' is disabled
Failed to load config file: : Parse error (invalid character in name field) at line 9, byte 23

I give up.

found it should be this format:
openwrt /etc/config/network defaults examples

config device 'lan_br'
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

also found this guy has bridged lan

also this guy

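it seems this is the correct syntax: the section is left unnamed and the bridge name goes into `option name`. The earlier parse error ("invalid character in name field") fits the hyphen in the section name 'br-lan', since UCI section names may contain only letters, digits and underscores.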

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

edit: I did it, it survived...

but I could run a CUPS server in Docker and then access the shared printer via CUPS (which would be in the same network as the stupid HP wifi printer). Then I should be able to print from wherever I want?

hi @megacar1
in theory, yes
in practice... you need a docker/cups image for a non-x86 arch, and tinkering with the OWRT+Docker combo

good luck