Cross-LAN to share a single printer/scan

dlauri Posts: 6
edited April 2021 in Security

Hello folks, I set up a new USG20-VPN with the latest firmware 4.35(ABAQ.2). There are 2 LANs (lan-1 & lan-2) and only one printer, on LAN1. So I set the Policy Route between the LANs and created an object (Printer-Scan) with static IP (192.168.1.100) on LAN1. So easy, but it doesn't work at all. No ping from LAN2 and of course no traffic. What did I miss? Thank you


All Replies

  • Jeremylin Posts: 166  Master Member

    After disabling the firewall, is ping working?

    Check that Layer 2 isolation is disabled.

  • dlauri Posts: 6
    edited February 2020

    Hi Jeremylin, thank you for your suggestions. I will check whether anything changes with the firewall DISABLED. Anyway, today I found a very strange behaviour! If the printer is set on LAN2 (192.168.2.100), then from LAN1 (192.168.1.0/24) it is possible to ping the host on LAN2 (when the rule is active). Vice versa, not. But I don't want to put the printer on LAN2. I need the printer on LAN1.

    It really looks like an anomaly.

    Moreover, this PRINTER is also a SCANNER, and in this case the source address of the IP traffic is on LAN2, going to the share on LAN1, and again the rule LAN2 -> LAN1 doesn't work...

    Really frustrating...

  • Zyxel_Jerry Posts: 1,062  Zyxel Employee

    Hi @dlauri

    Welcome to the Zyxel community.

    In your scenario, could you replace the printer with a PC and try to ping from LAN1 to LAN2 and from LAN2 to LAN1?

    I would like to know if the configuration works with a PC.

    Try disabling Layer 2 Isolation and pinging from LAN1 to LAN2 and from LAN2 to LAN1 to check whether it works.

  • dlauri Posts: 6
    edited February 2020

    Hello Jerry,

    I tried resetting the USG to factory defaults to start with a new configuration.

    I even swapped the LANs between Port 3 and Port 4.

    The result doesn't change; there will be some logic issue (on LAN2).

    Anyway this is the current testbed:

    P3 = LAN1 192.168.1.0/24 [printer-scan (Kyocera) on LAN1 - 192.168.1.100]

    P4 = LAN2 192.168.2.0/24 [PC on LAN2 (MacBookPro) 192.168.2.60]

    rule: LAN2 subnet allowed to alias-printer (192.168.1.100)

    From the MacBookPro on LAN2, I cannot see the printer.

    NEW SCENARIO

    But if I set a new rule where the LAN1 subnet is allowed to send traffic to the alias MacBookPro (on LAN2), in this case from LAN1 I can ping the MacBookPro on LAN2. It looks like cross-LAN is working (LAN1 -> LAN2).

    So probably if I set the printer on LAN2 it will work as a printer, but not as a scanner! Because again, the ping generated from LAN2 doesn't reach LAN1. The previous rule doesn't work; it seems that every packet starting from LAN2 doesn't reach LAN1. The rule is on, of course (LAN2 subnet allowed to alias-Printer or another host such as an access point or managed switch).

    Any PC on LAN1 can ping my MacBookPro on LAN2. From LAN2 I cannot ping any host on LAN1. It's a behavior affecting LAN2 [besides, I don't want to set the printer on LAN2].

    Thank you for your analysis.

    daniele

  • PeterUK Posts: 2,730  Guru Member
    edited February 2020

    When setting up the printer IP, does it have a gateway option, and is it set to the LAN1 gateway?

  • Zyxel_Jerry Posts: 1,062  Zyxel Employee
    edited February 2020

    Hi @dlauri

    Using the default settings, pinging with a PC from LAN1 to LAN2 works fine, and vice versa.

    Can you private-message me your configuration so I can check further?

  • dlauri Posts: 6
    edited March 2020

    @PeterUK, yes, I checked: the DG of the printer is set (192.168.1.1).

    @Zyxel_Jerry OK, I now have the configuration files and have sent them to you.

    Tnx

  • dlauri Posts: 6
    edited March 2020

    Sorry, after many, many tests, I changed the firewall (another vendor) and the strange behavior was that!!!

    Lastly, I even changed my PC (MAC-OS-X) for a Windows PC, and now the IP traffic is going in both directions. Such a strange anomaly never happened to me with my favorite MacBookPro, OS X Mavericks 10.9.5.

    Even ping doesn't work correctly between devices across networks (when the ping is launched from the Apple to Windows hosts). With a 'poor' Windows PC the issue was solved. Sorry for this escalation. I cannot understand the rational reasons. A ping from Apple is different from a ping from Windows; moreover, if the ping is sent by the Apple within the same network, it works! The same goes for opening a web page on port 80/443 as usual: in the same network (i.e. LAN1) the MacBook works fine. Crossing networks, vice versa, it doesn't work. That's a mystery to me.

  • Zyxel_Jerry Posts: 1,062  Zyxel Employee

    Hi @dlauri

    I’ve tested your configuration and tried to ping from LAN1 to LAN2 between two Windows PCs; it works fine, and vice versa.

    Do you mean that after changing the firewall (another vendor), you tested pinging from the Apple to Windows hosts and it fails, but from Windows client to Windows client it works fine?

  • dlauri Posts: 6
    edited March 2020

    Right!

    Moreover, if the APPLE notebook stays on the same LAN (i.e. LAN1) I can ping every host and open every page, such as the management web page of an access point. So the Apple is working fine. But if I move the MacBook to LAN2 with all the policies enabled (i.e. LAN2-to-LAN1), in this case the Apple notebook doesn't work. In the same scenario, with a Windows PC on LAN2, everything works across the LANs. I discovered it after many tests, first with the Apple, then at the end with a Windows PC. Could it be something regarding NETBIOS or other protocols??? I really don't know...
