Wireless printer across different vlans/subnets

Hi,
I have a HP Laserjet Neverstop 1200W with wifi.
It seems that these stupid printers work only when printing is initiated within the same wifi network/subnet - anyone experienced similar behaviour?

I have 2 SSIDs configured as different vlans, each with its own subnet, for the sake of vlan1 routed out via vpn, and vlan2 routed out to internet directly.
printer is on vlan1.

So whenever our laptops or phones are connected to vlan2, printing does not work, just gets stuck. even though printer is pingable, I can even reach its web interface, but printing itself gets stuck.
It's not the end of the world to switch over to another wifi network to print something, but it's just bloodly annoying, I hate impractical things :slight_smile:

I have no limitations between the subnets, they are not isolated in any way, both zones are configured as ACCEPT ACCEPT ACCEPT to each other.
any ideas how to work around this, what seems to be HP wireless printing limitation?

Hi @megacar1

if printer is really "sensitive" :smiley: to own subnet, you could try with firewal
something like
if packet arrive from vlan2 (laptops) and destination is vlan1, IP of Printer, then Masquerade

this way, printer will see only own subnet

one more thing

try to install HP printer when you are on Vlan2 (laptops)

this way, HP driver will be forced to use IP address of printer and not mdns/pnp/whatewer for printing port

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

hi

main router (wifi disabled on this one)

root@blanja:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "blanja",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link TL-WR1043ND v2",
        "board_name": "tplink,tl-wr1043nd-v2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ath79/generic",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
root@blanja:~# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'

config interface 'LAN'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option device 'eth1'
        option type 'bridge'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 4 3 2 1'
        option description 'LAN'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '6 5'
        option description 'WAN'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 4t 3t 2t 1t'
        option vid '3'
        option description 'NOVPN'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t 4t 3t 2t 1t'
        option vid '4'
        option description 'GUEST'

config interface 'LTE'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.70.2'
        option netmask '255.255.255.0'
        option gateway '192.168.70.1'
        option delegate '0'

config interface 'NOVPN'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '192.168.5.1'
        option device 'eth1.3'
        option type 'bridge'

config interface 'GUEST'
        option proto 'static'
        option device 'eth1.4'
        option ipaddr '192.168.6.1'
        option netmask '255.255.255.0'

config interface 'VPN'
        option proto 'wireguard'
        option private_key '***'
        list addresses '10.9.0.2/32'
        option listen_port '51830'
        option delegate '0'
        option force_link '1'
        option defaultroute '0'
        option mtu '1420'

config wireguard_VPN 'wg0'
        option public_key '***'
        option route_allowed_ips '1'
        option persistent_keepalive '0'
        option endpoint_port '51830'
        list allowed_ips '10.9.0.1/32'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '10.9.0.3/32'
        option endpoint_host '***'

root@blanja:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option country 'US'
        option path 'platform/ahb/18100000.wmac'
        option cell_density '0'
        option htmode 'HT20'
        option channel '2'
        option txpower '25'
        option disabled '1'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option key '*'
        option max_inactivity '180'
        option network 'NOVPN'
        option ssid 'mado'
        option ieee80211r '1'
        option mobility_domain 'd011'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option disabled '1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option isolate '1'
        option key '**'
        option network 'GUEST'
        option max_inactivity '180'
        option ssid 'gosti'
        option disabled '1'

root@blanja:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option domain 'doma'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '0'
        option noresolv '1'
        option strictorder '1'
        option filterwin2k '1'
        option serversfile '/var/run/simple-adblock.servers'
        option allservers '1'
        option nonegcache '1'
        option local '/doma/'
        list doh_backup_server '1.1.1.1'
        option confdir '/tmp/dnsmasq.d'
        list server '192.168.4.10'
        option localservice '0'

config dhcp 'doma'
        option interface 'LAN'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'wan'
        option interface 'WAN'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

config domain


config dhcp 'GUEST'
        option interface 'GUEST'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@blanja:~# cat /etc/config/firewall

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src '*'

config rule
        option name 'Allow-Ping'
        option src 'WAN'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'WAN'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'WAN'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'WAN'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Wireguard'
        option src 'WAN'
        option proto 'udp'
        option dest_port '51830'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'WAN'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'WAN'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option src 'WAN'
        option dest 'LAN'
        option proto 'esp'
        option target 'ACCEPT'
        option name 'VPN IPSec'

config rule
        option src 'WAN'
        option dest 'LAN'
        option dest_port '51830'
        option proto 'udp'
        option target 'ACCEPT'
        option name 'VPN Wireguard'

config rule
        option src 'LAN'
        option src_mac '50:C7:BF:4B:C7:FB'
        option target 'REJECT'
        option name 'HS100-Plug1'
        option dest '*'

config rule
        option src 'LAN'
        option name 'HS100-Plug2'
        option src_mac '50:C7:BF:4B:D2:A6'
        option dest '*'
        option target 'REJECT'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option synflood_protect '1'

config zone
        option name 'LAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'LAN'

config zone
        option name 'WAN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'LTE'

config include
        option path '/etc/firewall.user'

config zone
        option name 'VPN'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'VPN'

config forwarding
        option dest 'VPN'
        option src 'LAN'

config forwarding
        option dest 'LAN'
        option src 'VPN'

config rule
        option target 'ACCEPT'
        option src 'VPN'
        option name 'VPN Ping'

config forwarding
        option dest 'WAN'
        option src 'LAN'

config forwarding
        option dest 'LAN'
        option src 'WAN'

config zone
        option name 'GUEST'
        option input 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'
        list network 'GUEST'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option src 'GUEST'
        option dest 'VPN'

config forwarding
        option src 'VPN'
        option dest 'GUEST'

config forwarding
        option src 'GUEST'
        option dest 'WAN'

config forwarding
        option src 'WAN'
        option dest 'GUEST'

config zone
        option name 'NOVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'NOVPN'

config forwarding
        option src 'NOVPN'
        option dest 'VPN'

config forwarding
        option src 'NOVPN'
        option dest 'WAN'

config forwarding
        option src 'VPN'
        option dest 'NOVPN'

config forwarding
        option src 'WAN'
        option dest 'NOVPN'

config forwarding
        option src 'LAN'
        option dest 'NOVPN'

config forwarding
        option src 'NOVPN'
        option dest 'LAN'

config rule
        option name 'GUEST'
        option src 'GUEST'
        option target 'REJECT'
        option dest_port '443 22'

wifi AP:

root@tanjur:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "tanjur",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "Ubiquiti UniFi AC Lite",
        "board_name": "ubnt,unifiac-lite",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ath79/generic",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
root@tanjur:~# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.4.10'
        option netmask '255.255.255.0'
        option gateway '192.168.4.1'
        option dns '192.168.4.1'
        option delegate '0'
        option device 'br-lan'
        option ipv6 'off'

config interface 'VLAN3'
        option proto 'static'
        option ipaddr '192.168.5.10'
        option netmask '255.255.255.0'
        option delegate '0'
        option device 'br-VLAN3'

config interface 'VLAN4'
        option proto 'static'
        option ipaddr '192.168.6.10'
        option netmask '255.255.255.0'
        option delegate '0'
        option device 'br-VLAN4'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'br-VLAN3'
        option type 'bridge'
        list ports 'eth0.3'

config device
        option name 'br-VLAN4'
        option type 'bridge'
        list ports 'eth0.4'
		
root@tanjur:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option nonwildcard '1'
        option localservice '1'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'
        option dhcpv6 'disabled'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@tanjur:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option country 'US'
        option cell_density '0'
        option htmode 'VHT80'
        option channel '40'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option htmode 'HT20'
        option country 'US'
        option path 'platform/ahb/18100000.wmac'
        option cell_density '0'
        option channel '7'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'doma'
        option encryption 'psk2'
        option key '***'
        option macfilter 'deny'
        list maclist '3C:20:F6:58:04:B7'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option network 'VLAN3'
        option key '***'
        option max_inactivity '180'
        option ssid 'madobar'

config wifi-iface 'wifinet2'
        option ssid 'gosti'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option network 'VLAN4'
        option key '***'
        option isolate '1'
        option max_inactivity '180'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'mado'
        option encryption 'psk2'
        option key '***'
        option network 'VLAN3'

root@tanjur:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option name 'GUEST'
        option src '*'
        list src_ip '192.168.6.0/24'
        option dest_port '443 22'
        option target 'REJECT'

This version is EOL and unsupported. You should upgrade to [23.05](https://TP-Link TL-WR1043N/ND v2). Along the way, I'd recommend resetting to defaults (as part of the upgrade process -- do not 'keep settings') and then starting fresh as there are several issues with your config -- it's easier just to build up from scratch.

Similarly, for your UAP-AC-Lite, I'd recommend upgrading that to 23.05 as well. This one can keep settings, although when you're done we'll want to fix a few things.

thanks for info. I will upgrade them when I get the time around.

Whoa, building it from scratch sounds like a lot of work with all the custom stuff like adblocker, policy based routing, vlans, dhcp reservations, wireguard, etc...
Also, if I don't know what is wrong with the current config, I will just recreate the same mistake again :slight_smile:

did you try anything i wrote above ?

Ok... if that's the case, we can edit the existing files.

Just an example of what is wrong...

The bridge must be defined outside the network interface -- that line is invalid inside an interface and may break things. It should look like this:

config device 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'LAN'
        option proto 'static'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'
        option device 'br-lan'

You've got several of these throughout your config, so you need to clean those up. There are probably other thigns, too, but we'll get to them once you've upgraded.

i will try with firewall rule, thanks for suggestion.
I am mostly printing from android phone, so fiddling with windows is not worth it..

thanks, will report back once upgraded and fixed these

it will not work
Android print is tied to mdns/avahi/bonjur

so, without reflector on your router, it is waste of time
and yes, using HP will not help either :frowning: