print to a printer on another router

JCK Newbie ✭
edited August 2023 in Entry Level Firewalls

My client moved to a shared office. Two companies with separate networks on one network rack. Company A has agreed to allow Company B to share their printer. What is the best way to do this? I thought I could configure the X2 interface on Company B's TZ 500 with a static IP on Company A's LAN, connect it directly to Company A's LAN switch, set up an address object on the TZ 500 with Company A's printer's IP, and send traffic to that object through the X2 interface...but not sure what rules and routes would be needed to make this work. So far, I can't ping Company B's printer from Company A's LAN. Thanks for any suggestions.

Best Answers

  • MustafaA SonicWall Employee
    Answer ✓

    Hi @JCK

    There are multiple solutions for your requirement, and the following is one of them. Since both companies are on the same premises, you can create a point-to-point connection between the two firewalls. For a user in Company-A to be able to communicate with the printer in Company-B, you need to add a Static Route on the Company-A firewall.

    Static Route Example:

    Source: Any or you can limit to certain IP addresses within 192.168.10.0/24 subnet

    Destination: 192.168.20.200, which is the printer

    Interface: X2:192.168.99.1

    Gateway: 192.168.99.2, which is the X2 interface of the firewall of Company-B

    You can add additional Access Rules on both firewalls to tighten the security and limit the communication.


  • MustafaA SonicWall Employee
    edited September 2023 Answer ✓

    This is not a preferred path due to the following reasons:

    1. With this setup, you are tapping into Company-B's network, and Firewall-A will have access to broadcast messages and other traffic coming from Company-B. Not a good solution from a security standpoint.
    2. The default gateway for the printer is 192.168.20.1, which is the Firewall-B. You can possibly change Switch-B to a layer-3 switch and have the switch act as the default gateway for Company-B's network and then add route policies on the switch so that the specific traffic can be routed to Company-A, but then you are making things more convoluted.
    3. The best option is to keep it simple and controllable for both Company-A and Company-B.

Answers

  • MustafaA SonicWall Employee

    @JCK , are both companies using the same firewall? Can you share a simple sketch of the topology?

  • JCK Newbie ✭
    edited September 2023

    Thanks for the reply, MustafaA, sorry for the slow follow-up. I hope my sketch is readable. The two companies have separate networks and firewalls that are housed on the same network rack. Maybe what I'm trying won't work but I saw it suggested on another forum. I control Company B's setup, not Company A, but they would likely cooperate if changes were needed on their side. When I connect a laptop directly to Company A's LAN switch, I can print to their printer.


  • JCK Newbie ✭

    Thank you very much for the clear answer, MustafaA! Working from the diagram you sent, would it also be possible to configure Company A's X2 interface for connecting directly to the LAN switch of Company B? If so, how do you recommend to configure that X2 interface? Would other settings be needed on Company A's router? Thanks.

  • JCK Newbie ✭

    Hello MustafaA,

    I have tried to set up the configuration you suggest, but Company B's printer is still not accessible from Company A's LAN (doesn't respond to pings or attempts to configure a print queue). It may be that Company B didn't configure their interface or access rules as requested, but can you please check my X2 interface and access rule settings to see if you notice anything incorrect? Thank you in advance.


  • MustafaA SonicWall Employee

    In your Access Rule, use the Zone instead of the X2 as the Destination.

  • JCK Newbie ✭

    Thanks, MustafaA. I removed the access rule as superfluous since X0, X2 and the address objects for the Company B firewall interface and printer are all in the LAN zone. The printer responds to pings from Company A's firewall, so it looks like the static route is working. However, I still can't ping the printer from a computer on Company A's LAN. Can you suggest what else I might check? Thanks again for your help.

  • MustafaA SonicWall Employee

    Can you ping from a host behind Company-A and do a packet capture on Company-A's firewall? Filter the traffic based on ICMP and Printer IP.

  • JCK Newbie ✭

    Thanks.

    Screenshot of the packet capture attached, detail copied below. 10.10.18.5 is the host on Company-A's LAN, 192.168.50.200 is the printer. It looks like it's forwarding out the X2 interface as desired?

    Ethernet Header

     Ether Type: IP(0x800), Src=[68:5b:35:c2:4c:f4], Dst=[18:b1:69:f3:c6:c0]

    IP Packet Header

     IP Type: ICMP(0x1), Src=[10.10.18.5], Dst=[192.168.50.200]

    ICMP Packet Header

     ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 18311

    Value:[0]

    Forwarded 1:2)

  • MustafaA SonicWall Employee

    Packets are being forwarded correctly on X2 interface, but we are not receiving any response. You need to do a similar capture on Firewall-B and trace the packet flow.

  • JCK Newbie ✭

    Sorry for the long delay. Company B's packet sniffer saw my (Company A) LAN host's pings to their printer, but no reply. They weren't able to identify a reason on their end why our firewall's X2 interface gets a reply from their printer but our LAN host does not. From their side, they were able to ping our LAN host from their printer. Is there anything else I should check on our side that might interfere with the communication?

    Also, since connecting to their firewall, some computers on our LAN were running slow and getting a prompt to log in to their internet gateway. How can we limit traffic on our X3 interface to 192.168.50.200? Thanks again.

  • JCK Newbie ✭

    Hello Mustafa,

    I still haven't resolved this. I did a new packet capture, and this time filtered to include source of 192.168.99.2 (Company B X2 interface) or 192.168.50.200 (Company B printer, the ping target). See attachment.

    It shows that 192.168.99.2 is replying with ARP requests that are being dropped by Company A's SonicWALL. Since all relevant objects are in the LAN zone, why is this happening? Do you think this is also why Company A's LAN cannot access the Company B printer? Do I need to change NAT policies, or something else? Thanks.

  • TonyA SonicWall Employee

    Hi @JCK

    If you expand the dropped packet, it should give a drop reason - do you still have the capture to check this?

  • JCK Newbie ✭

    Thanks for your response, Tony. I finally got a chance to export the log and got detail on one of the dropped ARP requests. I have pasted it below my message here. A couple of clues:

    1: 'ARP bridge not supported' Not sure what to make of this.

    2: 'Target IP address: 10.10.18.254'. I don't understand how that came up as the target IP as there is no host at this address. Could it be the configuration of the X0 interface is wrong? The X0 interface (10.10.18.1) is currently configured with a Default Gateway of 0.0.0.0.

    Thanks.

    =====

    *Packet number: 3*

    Header Values:

     Bytes captured: 60, Actual Bytes on the wire: 60

    Packet Info(Time:10/26/2023 16:26:58.128):

     in:X2*(interface), out:--, DROPPED, Drop Code: 61(Classical mode, ARP bridge not supported), Module Id: 47(ARP), (Ref.Id: _820_iboemfJodpnjohBsqSfrvftu), 1:1)

    Ethernet Header

     Ether Type: ARP(0x806), Src=[d4:76:a0:eb:0c:82], Dst=[ff:ff:ff:ff:ff:ff]

    ARP Packet:

     ARP TYPE: ARP Request

     Sender MAC Address: d4:76:a0:eb:0c:82

     Sender IP Address: 192.168.99.2

     Target MAC Address: 00:00:00:00:00:00

     Target IP Address: 10.10.18.254

    Value:[0]

    Hex and ASCII dump of the packet:

     ffffffff ffffd476 a0eb0c82 08060001 08000604 0001d476 *.......v...............v*

     a0eb0c82 c0a86302 00000000 00000a0a 12fe0000 00000000 *......c.................*

     00000000 00000000 00000000              *............      *
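
The dropped frame posted above can be decoded offline to confirm what the capture summary reports. This is an added example, not part of the original thread or of SonicWall tooling: it parses the posted hex dump as Ethernet + ARP and checks whether the sender and target IPs fall inside the X2 transit subnet. The /24 mask is an assumption (the thread gives only the two interface addresses), and the function names are hypothetical.

```python
import ipaddress
import struct

# Hex words copied from the capture detail posted above (60 bytes on the wire).
DUMP = """
ffffffff ffffd476 a0eb0c82 08060001 08000604 0001d476
a0eb0c82 c0a86302 00000000 00000a0a 12fe0000 00000000
00000000 00000000 00000000
"""

# Assumption: the X2 transit link is a /24; the thread gives only the two
# interface addresses 192.168.99.1 and 192.168.99.2, not the mask.
TRANSIT_NET = ipaddress.ip_network("192.168.99.0/24")


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp_frame(frame):
    """Decode an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet (14) + ARP (28)")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "eth_dst": fmt_mac(dst), "eth_src": fmt_mac(src),
        "op": {1: "request", 2: "reply"}.get(oper, f"op {oper}"),
        "sender_mac": fmt_mac(sha),
        "sender_ip": ipaddress.ip_address(spa),
        "target_ip": ipaddress.ip_address(tpa),
        "padding": len(frame) - 42,  # Ethernet pads to the 60-byte minimum
    }


def check_on_link(arp, net):
    """Report whether sender and target addresses belong to the link's subnet."""
    return {"sender_on_link": arp["sender_ip"] in net,
            "target_on_link": arp["target_ip"] in net}


if __name__ == "__main__":
    arp = parse_arp_frame(bytes.fromhex("".join(DUMP.split())))
    print(arp)
    print(check_on_link(arp, TRANSIT_NET))
```

A target address outside the transit subnet means the sender is resolving that address as if it were directly attached to the shared link.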

  • TonyA SonicWall Employee

    Hi @JCK ,

    You might need to call support for deeper troubleshooting - but please check for the local IP in the ARP table if it is showing up there.

    If it is, give SonicWall support a call as we would need to troubleshoot a bit deeper based on the drop code.

  • JCK Newbie ✭

    Thanks again for your reply—it's taken me a while to get access to the network again.

    I changed the default gateway on the X2 interface to 192.168.99.2 (the other company's firewall) and now the dropped ARP requests from the other firewall (in response to pings from our LAN host) show our LAN host as the destination IP—so that looks good now.

    But ARP requests are still dropping, with 'Drop Code: 61(Classical mode, ARP bridge not supported).' I found another discussion that said enabling ARP bridging should address this, but I haven't found that setting. Our FW is on SonicOS Enhanced 6.5.1.3-12n, support has expired and I haven't gotten permission to renew. Purse strings tight right now. Any further suggestions, including where to enable ARP bridging would be appreciated. Thanks again!

  • TonyA SonicWall Employee

    Hi @JCK

    Do you have any bridges on any of the interfaces? Like an L2 bridge on X2, by any chance?

  • JCK Newbie ✭

    No bridges. I looked at the L2 bridge for X2 but since it wipes out the static IP I didn't see how the static route to the Company B firewall would function.

  • TonyA SonicWall Employee

    ARP bridging should be enabled by default but you can check on the diag page. You can navigate to it via the address bar:

    example: 192.168.168.168/diag.html

    It should be the first option under ARP settings.


  • JCK Newbie ✭

    Got it, thanks, and you're right, ARP Bridging was already enabled. I also added a static entry in the ARP table for the LAN host I was pinging from but that didn't help. When I checked the box to Publish Entry, it changed the MAC address to the X0 interface address, and wouldn't allow me to change that, so I left Publish Entry unchecked. Any other suggestions very welcome!

  • TonyA SonicWall Employee

    @JCK

    Going through the history on this post again to regain some details - I know you are getting an ARP drop, but do you know the specific port that the print jobs would use? I would suggest a capture based on that first as the ARP drop could be something secondary or not needed at all.

    If not able to get this working for whatever reason, you could try making a site-to-site VPN between both sites on unused interfaces - will probably make this a lot easier.