atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Making holes in Firewall to allow for AirPrint from WiFi LAN

Tue Jul 26, 2022 10:13 am

We have a WiFi network that can't see the physical network, but some users require AirPrint capabilities from a mobile phone to our printers.

I have separate WiFi for internal connections, but would like to set up some holes in the firewall to allow AirPrint.

Has anyone tried to do something similar? I don't have a clue what ports I would have to open, because I presume I have to open both Bonjour discovery and AirPrint stuff for this to work seamlessly. Would probably target printer IPs with port opens.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Making holes in Firewall to allow for AirPrint from WiFi LAN

Tue Jul 26, 2022 10:51 am

Aruba has it nicely documented. Perhaps something like this?

https://community.arubanetworks.com/bro ... aea3730ce7

...and note the comment below from a test-user

There are a few ports beyond this I've seen with brief testing, here are my current service definitions:

netservice JCU-AirPlay-TCP-1 tcp list 5000,7000,7001,7100,8612
netservice JCU-AirPlay-TCP-2 tcp 49152 65535
netservice JCU-AirPlay-UDP-1 udp list 6001,6002,7000,7010,7011,8612
netservice JCU-AirPlay-UDP-2 udp 49152 65535
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Making holes in Firewall to allow for AirPrint from WiFi LAN

Tue Jul 26, 2022 5:21 pm

Quack quack...........
Create a vlan for untrusted wifi users.
Create a vlan for shared devices.
Add firewall rules for the ports in question from one vlan to the other,
since I am not familiar with the requirements this is one case, because one has isolated the printer vlan, to MAYBE allow the printer vlan to send traffic back to untrusted wifi users.

add chain=forward action=accept in-interface=untrusted_vlan out-interface=printer_vlan dst-port=ssss,xxxx,ttttt,yyyy,vvvv etc...... protocol= ??

Try the above and if not completely working perhaps you need the printer to originate some traffic and if so then add this:
add chain=forward action=accept out-interface=untrusted_vlan in-interface=printer_vlan dst-port=ssss,xxxx,ttttt,yyyy,vvvv etc...... protocol= ??
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Making holes in Firewall to allow for AirPrint from WiFi LAN

Tue Jul 26, 2022 5:22 pm

If the above does not work then they all need to be in the same vlan together... as some programs don't care about firewall rules, they only SEARCH for or broadcast to devices within the same subnet. Sorry but this means regular home users need their own printer LOL
 
atomicduck
Member Candidate
Topic Author
Posts: 244
Joined: Fri Oct 02, 2020 1:42 pm

Re: Making holes in Firewall to allow for AirPrint from WiFi LAN

Wed Jul 27, 2022 1:07 pm

Thanks guys :-)

I will try making holes to IPs for starters for these non-HTTP ports for AirPrint, and then will see how this behaves. Not sure will it work, but won't know until I test.

Another thing that occurred to me is that Android clients won't be able to print to AirPrint devices. No Google Print services on Canon printers any more...
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Making holes in Firewall to allow for AirPrint from WiFi LAN

Sun Jul 31, 2022 10:18 pm

AirPrint relies on broadcast. Broadcasts don't jump subnets without a helper. Something like mDNS.

You wanna reach that subnet... You can install another device to act as the repeater across subnets...

But you are much better off properly bridging your wired and wireless network.
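
Added example, not part of the thread or any poster's code: AirPrint printers advertise themselves as `_ipp._tcp` over mDNS (link-local multicast 224.0.0.251, UDP 5353), and the SRV record in that advertisement names the TCP port a forward rule has to allow. This sketch pulls the SRV host and port out of a captured mDNS response; the packet, printer name and host name below are constructed sample data.

```python
import struct

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(pkt, off):
    """Decode a DNS name at off, following compression pointers; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            hops += 1
            if hops > 16:                         # refuse pointer loops
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(pkt[off:off + length].decode("utf-8", "replace"))
        off += length

def srv_records(pkt):
    """Return [(instance, target_host, port)] for every SRV record in an mDNS message."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        off = read_name(pkt, off)[1] + 4
    found = []
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 33:                           # SRV rdata: priority, weight, port, target
            port = struct.unpack("!H", pkt[off + 4:off + 6])[0]
            found.append((name, read_name(pkt, off + 6)[0], port))
        off += rdlen
    return found

def sample_response():
    """Constructed response: a PTR plus an SRV for a made-up printer, with name compression."""
    svc, host = encode_name("_ipp._tcp.local"), encode_name("printer1.local")
    inst = encode_name("Office Printer._ipp._tcp.local")
    header = struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0)
    ptr = svc + struct.pack("!HHIH", 12, 1, 4500, len(inst)) + inst
    srv_rdata = struct.pack("!3H", 0, 0, 631) + host
    inst_ptr = struct.pack("!H", 0xC000 | (len(header) + len(svc) + 10))
    srv = inst_ptr + struct.pack("!HHIH", 33, 0x8001, 120, len(srv_rdata)) + srv_rdata
    return header + ptr + srv
```

Run against a capture taken on the printer's own subnet, the returned port is the one to permit from the WiFi VLAN to that printer's IP, rather than a wide port range.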
