Printing in other network

Hello to everybody! I would have a question about how to connect two different networks so that I can print to a printer on a second network.

Model situation: family house with two separate internet connections (mother-in-law wants her own internet and no network changes are allowed) - network 192.168.8.0/24 - mobile router O2 - here is the printer I want to print to (192.168.8.10 statically).


And my network 192.168.10.0/24
GW 192.168.10.1 (LHG)

  • switch + RB941 - caps - floor 2
    192.168.10.252 | RB941 - caps AP, floor 1 (ETH1 uplink from floor 2 + second network connected via ETH4)
    192.168.10.253 | I didn’t put ETH4 into the bridge1 - capsman, I set it to IP 192.168.8.15

I pinged from 192.168.8.10 from the router normally (router 192.168.10.253)

  • I tried to set NAT RAW port (9100) but then I realized that the router in bridge will not do this.

  • I want nothing else to flow between the networks - DHCP, sharing and only the ports I allow (I don’t know if my solution is not wrong)

  • best to get only 192.168.8.10 and done

  • my current solution - please review or edit:

  • RB on the 1st floor has a masquerade set

  • In LHG at the beginning, network 192.168.8.0/24 is routed to 192.168.10.252 (then I ping the other from 192.168.8.x .. but I don’t know if this is a very simple solution.

  • printer is not able to connect to two networks at the same time (WIFI = network 1, LAN = network 2, WIFI is automatically deactivated after inserting LAN cable)

  • I sketched it in the picture in the attachment, maybe there is what is needed.

Thank you and have a nice day!

Just for clarification: if you want to print from a PC in 192.168.10.0/24, you are using printer at 192.168.8.10:9100?

This can’t work because of “routing triangle”. Consider this:

  1. PC with address e.g. 192.168.10.142 decides to connect to 192.168.8.10. Doesn’t have direct connectivity, so it decides to send packet to its default gateway 192.168.10.1
    The packet being TCP SYN packet (initiation of TCP connection)
  2. LHG receives packet, consults routing table and finds result which says “use gateway at 192.168.10.252”.
    It also consults firewall filter rules (finds that connection is allowed) and adds it to the connection tracking table.
  3. The RB 1st floor receives packet and sees it needs to do src-nat, then sends it to printer
  4. Printer receives TCP SYN packet and replies with TCP SYNACK packet
  5. The RB 1st floor receives the reply, does the un-src-nat magic and sees that reply needs to go to 192.168.10.142.
    Sees that the device is directly connected and sends the reply directly to PC.
  6. PC continues with TCP connection establishment sending TCP ACK packet. Sends it to its default gateway.
  7. LHG receives TCP ACK packet, consults connection tracking table and sees that this packet is invalid as far as it knows (because it did not see the first reply SYNACK packet … should have noticed it between steps 5 and 6).
    Drops the packet.

There are (at least) two possibilities:

  1. Perform src-nat on LHG for connections towards 192.168.8.x … this way the RB 1st floor will see those packets as coming from LHG and will deliver return traffic to the LHG.
    Depending on amount of traffic this solution might induce additional load on LHG which you might not want.
  2. Create dst-nat rule for TCP port 9100 on RB 1st floor (in addition to the src-nat already done) and use 192.168.10.252 as printer’s IP address on the PCs in 192.168.10.0/24.

The second possibility will be IMHO more resource-friendly as printing will completely bypass LHG.
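
The second possibility, written out as RouterOS rules for the RB on the 1st floor, together with filter rules that let only the print port cross between the networks. This is an added example, not part of the original posts; it assumes ether4 holds 192.168.8.15/24 outside the bridge, bridge1 holds 192.168.10.252, and that no earlier rule in the same chains already matches this traffic.

```routeros
# Added example (not from the thread). Apply on the RB on the 1st floor.
# Assumptions: ether4 = 192.168.8.15/24 and is not a bridge port,
# bridge1 = 192.168.10.252, rule order in each chain is as listed here.

/ip firewall nat
# PCs print to 192.168.10.252:9100; the RB forwards that to the printer.
# PC and RB share a subnet, so the LHG sees neither direction of the flow.
add chain=dstnat in-interface=bridge1 dst-address=192.168.10.252 \
    protocol=tcp dst-port=9100 action=dst-nat \
    to-addresses=192.168.8.10 to-ports=9100 comment="printer RAW 9100"
# The src-nat the thread says is already in place (skip if present):
# the printer sees 192.168.8.15 and needs no route to 192.168.10.0/24.
add chain=srcnat out-interface=ether4 action=masquerade \
    comment="hide 192.168.10.0/24 behind 192.168.8.15"

/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies of connections already allowed"
# After dst-nat the forward chain sees the translated destination.
add chain=forward in-interface=bridge1 out-interface=ether4 \
    connection-nat-state=dstnat protocol=tcp \
    dst-address=192.168.8.10 dst-port=9100 action=accept \
    comment="only the dst-natted print connection"
add chain=forward out-interface=ether4 action=drop \
    comment="nothing else into 192.168.8.0/24"
add chain=forward in-interface=ether4 action=drop \
    comment="nothing initiated from 192.168.8.0/24"

# Keep hosts in 192.168.8.0/24 away from the router itself.
add chain=input in-interface=ether4 connection-state=established,related \
    action=accept comment="replies to the router's own traffic"
add chain=input in-interface=ether4 action=drop \
    comment="no management access from 192.168.8.0/24"
```

With these rules the static route for 192.168.8.0/24 on the LHG is no longer needed for printing.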