VLANs and AirPrint

GiuseppeR Posts: 257  Master Member
edited October 2 in Security

Hello everyone,

I would like to share a cable-linked printer on LAN1 with other VLANs, to save money instead of having other printers in the same office.

I have VLAN1 and VLAN2 for WiFi and LAN guests' networks.

The printer is on LAN1 at 192.168.1.150; its main service is for internal usage.

  1. How can I let VLAN1 and VLAN2 see only 192.168.1.150 without scanning other devices on 192.168.1.x?
  2. How can I let WiFi devices on VLAN1 and VLAN2 see the printer at 192.168.1.150 as AirPrint capable?

I think that I could go with some rules, like:

  • block traffic from VLAN1 to LAN1
  • block traffic from VLAN2 to LAN1
  • allow traffic from VLAN1 to 192.168.1.150
  • allow traffic from VLAN2 to 192.168.1.150

The problem is that I have remote access to that network, so I would like to manage those settings remotely. Are those rules working properly?

Anyway, my big problem is how to see AirPrint going across different VLANs.

Thanks for your support
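
The four rules listed in the post above, run through a small rule evaluator. This is an added example, not part of the original post and not Zyxel configuration. It assumes the firewall applies the first matching rule from the top of the list; the VLAN subnets 192.168.10.0/24 and 192.168.20.0/24, the default action and the function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# LAN1 and the printer address come from the post; the VLAN subnets are constructed.
LAN1 = ip_network("192.168.1.0/24")
PRINTER = ip_network("192.168.1.150/32")
VLAN1 = ip_network("192.168.10.0/24")   # constructed
VLAN2 = ip_network("192.168.20.0/24")   # constructed

# Order as listed in the post: both blocks first, then both allows.
AS_POSTED = [
    ("deny", VLAN1, LAN1), ("deny", VLAN2, LAN1),
    ("allow", VLAN1, PRINTER), ("allow", VLAN2, PRINTER),
]
# The same four rules with the specific allows ahead of the broad blocks.
REORDERED = AS_POSTED[2:] + AS_POSTED[:2]

def evaluate(rules, src, dst, default="deny"):
    """Return the action of the first rule matching src -> dst (assumed first-match model)."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return default  # assumed default action when nothing matches

def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule fully covers them."""
    hidden = []
    for i, (_, src_net, dst_net) in enumerate(rules):
        for _, prev_src, prev_dst in rules[:i]:
            if src_net.subnet_of(prev_src) and dst_net.subnet_of(prev_dst):
                hidden.append(i)
                break
    return hidden

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, "- shadowed rule indexes:", shadowed(rules))
        for dst in ("192.168.1.150", "192.168.1.20"):
            print("  guest 192.168.10.5 ->", dst, ":", evaluate(rules, "192.168.10.5", dst))
```

Under the first-match assumption, the order as posted leaves both allow rules shadowed, while the reordered list lets guests reach only 192.168.1.150 on LAN1.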

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,311  Zyxel Employee

    Hi @GiuseppeR,

    This is because AirPrint uses the Bonjour protocol, which is the mDNS technique. mDNS is a multicast protocol that requires a special function to route between different VLANs. Currently, the Zyxel firewall doesn't have this function. I will send you a private message to get your scenario for this case.

  • mMontana
    mMontana Posts: 1,382  Guru Member
    edited October 5

    AirPrint is a "Cupertino exclusive" (ish). If the protocol works, praise to them. If it does not do what you want, it's your wish issue, not theirs (at least, that's what they more or less say).

    Back to reality: as has been stated, mDNS is currently, by design, not routable, only multicast. Some people are trying to deliver an mDNS proxy package, designed to receive mDNS queries on one side and replicate them into other subnets; another network product brand delivers this kind of service/application in its switch, router and AP software.

    I hope that sooner rather than later Zyxel could integrate that into firewall appliances.
