Airprint for guest network

I’m setting up an RB5009 to replace a router with ‘Freshtomato.’ I have VLANS to isolate networks as follows.
vlan1 = 10.1.0.0: default VLAN, home devices like TVs and phones.
vlan2 = 10.2.0.0: business VLAN. Only business PCs, with printers.
vlan3 = 10.3.0.0: Guest network - isolated from each other and everything but printers

My current router has mDNS built in and that allows AirPrint to work from my guest WiFi VLAN. This looks more complicated on RouterOS so I’d love some help.
I need AirPrint to work on vlan1 and vlan3. vlan2 will have wired Windows PCs so they will need a route to the printers but not AirPrint. What is the simplest way to do this on RouterOS? Would allowing vlan clients to print to a printer on other VLANs defeat the purpose of segmenting the network? Is there a recommended way of doing this?

Thanks!

Okay since posting I found this: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
I should make a vlan just for printers and devices that need to be used across vlans.

And then this: http://forum.mikrotik.com/t/mdns-between-vlans-with-just-bridge-filters-look-mum-no-containers/173295/61
Now there IS an mDNS repeater built in!?

Please feel free to weigh in, especially if I’m off track.

Setting up AirPrint across VLANs can be a bit of a headache, but I’ve had some success with it on RouterOS. I recommend creating firewall rules that allow traffic specifically between VLAN1 and VLAN3 for AirPrint while keeping VLAN2 completely isolated. For printing, you could set up your printer on VLAN2 and configure rules to let VLAN1 and VLAN3 access it without exposing the whole network. I’ve found that getting mDNS working properly is key, so you might need to fiddle with some settings or use a multicast helper to ensure devices can discover each other.

Thank you for all the input. I was wondering how I was going to test it without using an actual printer and I wasn’t aware of a ‘multicast helper’ so far.

The new mDNS repeater in 7.16 is in /ip/dns via CLI/webbox - it’s basic: it will “copy” the multicast mDNS traffic between the interfaces defined.

Now… @eabs points out that if you have firewall/routing rules that block inter-VLAN communications, those have to be adjusted to allow the resulting AirPrint traffic. If all your VLANs are in the “LAN” group in /interface/list, the default firewall will allow the resulting AirPrint traffic.

But I’m not sure I’d mess with any IGMP proxy stuff - that really should not be needed (unless defaults are changed).

But the key is that an mDNS repeater just re-sends DNS via multicast … the actual printing happens via the IPP protocol, and that part is separate from mDNS “discovery”. mDNS just helps get the possible IP/ports for printers - but the network has to allow the resulting IPP (port 631) traffic between the device and printer, one way or another. The mDNS repeater does not do that part - it just copies the mDNS messages between the specified networks, that’s it. And the actual sending of the print job happens via unicast between the device and printer, not via any multicast things.

You can use the “dns-sd” command line to query mDNS to see if it’s working. On Mac (and surely similar GUIs exist on Windows/Linux), there is the free “Discovery” app: https://apps.apple.com/us/app/discovery-dns-sd-browser/id1381004916?mt=12
[Screenshot: DiscoveryAppWithAirPriint.png, the Discovery app showing AirPrint services]
So in the above screenshot, the _ipp._tcp.* section will show your printers, and the IP (and other info used by apps to know to show duplexing/color/etc options in print dialogs). But the 192.168.74.x IP address shown must be routable from the current LAN. Repeating mDNS will get something to show in the Discovery app (or dns-sd) - but it may not print depending on firewall/routing.

Basically:
If a printer is not “showing up”… then mDNS repeating is not working. But… if you see the printer… but get errors when attempting to print: perhaps firewall/routing issues are blocking the IPP printing protocol.

… and the usual advice: don’t use VLAN1 on Mikrotiks.

Thanks so much. I’ll make sure printing from a PC with a manually entered IP works across the VLANs in question first to confirm the routing is working, then I will dig into mDNS.

Great plan. If you have troubles, just post your config.

I have this working I think. Thanks for the help! I used a Chromecast for testing by trying to cast from VLAN to VLAN. For anyone who finds this thread, or anyone who would review what I’ve done:
I followed the VLAN sticky guide on this forum (http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1). Allowed access to the printer VLAN from the other VLANs with firewall filters as in the examples. I don’t think any reference to the mDNS repeater is there because it’s newer than the post.
For that I found that adding all the VLANs involved makes it work. I didn’t add the bridge because it didn’t seem to make any difference.

/ip dns
set allow-remote-requests=yes mdns-repeat-ifaces=VLAN1,VLAN2,VLAN3,VLAN4,VLAN5 servers=9.9.9.9

I guess the only issue would be the printers’ VLAN will now see broadcasts from other VLANs as well, but the firewall should drop any attempt to connect from the printer VLAN to another.
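A worked example that puts together the three pieces this thread keeps separate (mDNS repeating for discovery, unicast IPP on port 631 for the actual print jobs, and firewall filters that stop the printer VLAN from reaching back into the client VLANs), written as an added RouterOS configuration fragment. It is not from the thread, the sticky guide, or MikroTik documentation. The interface names home-vlan, business-vlan, guest-vlan and printer-vlan and the interface-list names are assumptions; the mdns-repeat-ifaces parameter and port 631 come from the posts above. The business VLAN is deliberately left out of the repeater, since it only needs routed access to the printers, not AirPrint discovery.

```routeros
# Added example, not the thread's own config. Interface and list names are assumed.

# Interface lists: LAN holds every internal VLAN, PRINT-CLIENTS the VLANs
# that are allowed to send print jobs into the printer VLAN.
/interface list
add name=LAN comment="all internal VLANs"
add name=PRINT-CLIENTS comment="VLANs allowed to reach printers"
/interface list member
add list=LAN interface=home-vlan
add list=LAN interface=business-vlan
add list=LAN interface=guest-vlan
add list=LAN interface=printer-vlan
add list=PRINT-CLIENTS interface=home-vlan
add list=PRINT-CLIENTS interface=business-vlan
add list=PRINT-CLIENTS interface=guest-vlan

# Forward chain: order matters, accepts first, then the drops.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="replies for connections already allowed"
add chain=forward action=drop connection-state=invalid
# The print job itself is unicast TCP 631 (IPP) from client to printer;
# this is the part the mDNS repeater does not do.
add chain=forward action=accept in-interface-list=PRINT-CLIENTS \
    out-interface=printer-vlan protocol=tcp dst-port=631 \
    comment="IPP/AirPrint jobs into printer VLAN"
# Printers never open connections toward the client VLANs.
add chain=forward action=drop in-interface=printer-vlan \
    out-interface-list=LAN comment="printer VLAN cannot initiate"
# Guest VLAN gets nothing else inside the LAN (internet only).
add chain=forward action=drop in-interface=guest-vlan \
    out-interface-list=LAN comment="guest isolation"
# Everything else between VLANs is dropped; the default config would
# otherwise allow LAN-to-LAN forwarding.
add chain=forward action=drop in-interface-list=LAN \
    out-interface-list=LAN comment="drop other inter-VLAN traffic"

# mDNS discovery: copy service announcements only between the VLANs that
# need AirPrint and the VLAN the printers live on.
/ip dns
set allow-remote-requests=yes \
    mdns-repeat-ifaces=home-vlan,guest-vlan,printer-vlan servers=9.9.9.9
```

Because the repeater runs on the router itself, the input chain must also accept UDP 5353 from the repeated interfaces; the default RouterOS firewall does this through its accept-from-LAN input rule, so it only needs attention if that rule was removed. If the Windows PCs on the business VLAN print with a driver that uses a port other than 631, add a matching accept rule for that port in the same place rather than opening the printer VLAN wholesale.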