Printing - VLANS

I have this setup;

  1. VLAN 10 - 10.10.10.1/24
  2. VLAN 20 - 10.20.20.1/24
  3. VLAN 30 - 10.30.30.1/24
  4. VLAN 40 - 10.40.40.1/24
  5. VLAN 50 - 10.50.50.1/24 (Area1_WIFI)

The users in VLANs 10, 30 & 40 have their own printer. I would like the users on VLAN 20 to be able to access a printer, 10.10.10.250, which is on VLAN 10. This should be the only device they can access on VLAN 10.
As for the guys connected to Area1_WIFI, they should be able to access a printer on VLAN 30 (10.30.30.250) & 40 (10.40.40.250). Any other inter-VLAN communication should be dropped.
Thanks in advance.

How are these printers configured today on the PCs that need to print? Or do you rely on some “discovery” to see what printers are out there?
Obviously you need to gather technical requirements before implementing. Gather the different protocols in scope for “printing”.
Printing can involve different sorts of protocols, TCP & UDP ports (including SNMP to check the status of the printers, etc.).

Printers on each VLAN have a static IP from the Mikrotik dhcp server.

Sure, but does each PC (that needs to print) already have the hostname/IP of the printer “hardcoded” in the PC (by means of IP or DNS name), or is there still some discovery mechanism ongoing?
If so, then basically either you make a rule in the FORWARD chain (so THROUGH the Mikrotik) to allow all ports to the IP of the printer, or you limit/specify the protocols more, but then you need to understand the printing in detail.

No hardcoding done. A PC that wants to print on the same VLAN would “Add a Printer by TCP/IP Name”. I guess this is what you refer to as the “discovery mechanism”. Once installed, that is done for the future. Will configure the forward rules, i.e. add chain=forward action=allow in interface=“VLAN x” dst address= IP Printer, and see if this works.

Easy peasy.
Assuming your forward firewall rule chain has a drop all rule at the end
So that all traffic is stopped.

Then after the initial default rules you should have the following.

add rule for allow LAN to WAN traffic (internet) in-interface-list=LAN out-interface-list=WAN {covers all vlans and WAN connections}
add rule to allow port forwarding {only if required}
add rule for printer access in-interface=VLAN20 out-interface=VLAN10 dst-address=10.10.10.250
add rule for printer access in-interface=VLAN50 dst-address-list=Printers30-40

last rule add chain=forward action=drop comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++++

Where the firewall address list is
/ip firewall address-list
add address=10.30.30.250 list=Printers30-40
add address=10.40.40.250 list=Printers30-40

I would also be tempted to make an interface list
/interface list
add name=SharePrinters
/interface list member
add interface=VLAN30 list=SharePrinters
add interface=VLAN40 list=SharePrinters

rule becomes
add rule for printer access in-interface=VLAN50 out-interface-list=SharePrinters dst-address-list=Printers30-40
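
The rules outlined in the answer above, written out as a RouterOS configuration; this is an added example, not a config posted in the thread. The interface names (VLAN10 to VLAN50), the LAN/WAN interface lists, and the narrowing to common printing ports (TCP 9100 raw, 631 IPP, 515 LPD, UDP 161 for SNMP status) are assumptions; adjust the ports to what the printers and drivers actually use.

```routeros
# Added example. Assumed: VLAN interfaces are named VLAN10..VLAN50 and all of
# them are members of interface list LAN; the uplink is in interface list WAN.

/ip firewall address-list
add address=10.30.30.250 list=Printers30-40
add address=10.40.40.250 list=Printers30-40

/interface list
add name=SharePrinters
/interface list member
add interface=VLAN30 list=SharePrinters
add interface=VLAN40 list=SharePrinters

/ip firewall filter
# Replies to permitted connections (printer -> client) are allowed here,
# so no rule is needed in the reverse direction.
add chain=forward action=accept connection-state=established,related,untracked \
    comment="allow established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN to internet"

# VLAN 20 -> the single printer on VLAN 10, printing ports only
add chain=forward action=accept protocol=tcp dst-port=9100,631,515 \
    in-interface=VLAN20 out-interface=VLAN10 dst-address=10.10.10.250 \
    comment="VLAN20 to printer on VLAN10"
add chain=forward action=accept protocol=udp dst-port=161 \
    in-interface=VLAN20 out-interface=VLAN10 dst-address=10.10.10.250 \
    comment="VLAN20 printer status (SNMP)"

# VLAN 50 (Area1_WIFI) -> printers on VLAN 30 and VLAN 40
add chain=forward action=accept protocol=tcp dst-port=9100,631,515 \
    in-interface=VLAN50 out-interface-list=SharePrinters \
    dst-address-list=Printers30-40 comment="VLAN50 to printers on VLAN30/40"
add chain=forward action=accept protocol=udp dst-port=161 \
    in-interface=VLAN50 out-interface-list=SharePrinters \
    dst-address-list=Printers30-40 comment="VLAN50 printer status (SNMP)"

# Everything else, including all other inter-VLAN traffic, is dropped.
add chain=forward action=drop comment="drop all else"
```

Rule order matters: the drop rule must stay last, and the packet counters on the four printer rules (`/ip firewall filter print stats`) show whether print jobs are matching the allowed ports or falling through to the drop.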

thanks.

With your reply.. I consider this solved.

Discovery will probably not work across different VLANs (mDNS etc.).
That does not need to be a problem in a corporate environment.

If PCs are configured with specific printers and IP:TCP_Ports to direct their print jobs to, it is only a matter of a correct rule.

See examples provided by others.