Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

print to a printer on another router

JCKJCK Newbie ✭
edited August 2023 in Entry Level Firewalls

My client moved to a shared office. Two companies with separate networks on one network rack. Company A has agreed to allow Company B to share their printer. What is the best way to do this? I thought I could configure the X2 interface on Company B's TZ 500 with a static IP on Company A's LAN, connect it directly to Company A's LAN switch, set up an address object on the TZ 500 with Company A's printer's IP, and send traffic to that object through the X2 interface...but not sure what rules and routes would be needed to make this work. So far, I can't ping Company B's printer from Company A's LAN. Thanks for any suggestions.

Category: Entry Level Firewalls
Reply

Best Answers

  • CORRECT ANSWER
    MustafaAMustafaA SonicWall Employee
    Answer ✓

    Hi @JCK

    There are multiple solutions for your requirement, and the following is one of it. Since both companies are on the same premise, you can create a point to point connection between the two firewalls. For a user in Company-A to be be able to communicate with the printer in Company-B, you need to add a Static Route on Company-A firewall.

    Static Route Example:

    Source: Any or you can limit to certain IP addresses within 192.168.10.0/24 subnet

    Destination: 192.168.20.200, which is the printer

    Interface: X2:192.168.99.1

    Gateway: 192.168.99.2, which is the X2 interface of the firewall of Company-B

    You can add additional Access Rules on both firewalls to tighten the security and limit the communication.


  • CORRECT ANSWER
    MustafaAMustafaA SonicWall Employee
    edited September 2023 Answer ✓

    This is not a preferred path due to the following reasons:

    1. With this setup, you are tapping into Company-B's network, and Firewall-A will have access to broadcast messages and other traffic coming from Company-B. Not a good solution from security stand-point.
    2. The default gateway for the printer is 192.168.20.1, which is the Firewall-B. You can possibly change Switch-B to a layer-3 switch and have the switch act as the default gateway for Company-B's network and then add route policies on the switch so that the specific traffic can be routed to Company-A, but then you are making things more convoluted.
    3. The best option is to keep it simple and controllable for both Company-A and Company-B.

Answers

  • MustafaAMustafaA SonicWall Employee

    @JCK , are both companies using the same firewall? Can you share a simple sketch of the topology?

  • JCKJCK Newbie ✭
    edited September 2023

    Thanks for the reply, MustafaA, sorry for the slow follow-up. I hope my sketch is readable. The two companies have separate networks and firewalls that are housed on the same network rack. Maybe what I'm trying won't work but I saw it suggested on another forum. I control Company B's setup, not Company A, but they would likely cooperate if changes were needed on their side. When I connect a laptop directly to Company A's LAN switch, I can print to their printer.


  • JCKJCK Newbie ✭

    Thank you very much for the clear answer, MustafaA! Working from the diagram you sent, would it also be possible to configure Company A's X2 interface for connecting directly to the LAN switch of Company B? If so, how do you recommend to configure that X2 interface? Would other settings be needed on Company A's router? Thanks.

  • JCKJCK Newbie ✭

    Hello MustafaA,

    I have tried to set up the configuration you suggest, but Company B's printer is still not accessible from Company A's LAN (doesn't respond to pings or attempts to configure a print queue). It may be that Company B didn't configure their interface or access rules as requested, but can you please check my X2 interface and access rule settings to see if you notice anything incorrect? Thank you in advance.


  • MustafaAMustafaA SonicWall Employee

    In your Access Rule, use the Zone instead of the X2 as the Destination.

  • JCKJCK Newbie ✭

    Thanks, MustafaA. I removed the access rule as superfluous since X0, X2 and the address objects for the Company B firewall interface and printer are all in the LAN zone. The printer responds to pings from Company A's firewall, so it looks like the static route is working. However, I still can't ping the printer from a computer on Company A's LAN. Can you suggest what else I might check? Thanks again for your help.

  • MustafaAMustafaA SonicWall Employee

    Can you ping from from a host behind Company-A and do packet capture on Company-A's firewall. Filter the traffic based on ICMP and Printer IP.

  • JCKJCK Newbie ✭

    Thanks.

    Screenshot of the packet capture attached, detail copied below. 10.10.18.5 is the host on Company-A's LAN, 192.168.50.200 is the printer. It looks like it's forwarding out the X2 interface as desired?

    Ethernet Header

     Ether Type: IP(0x800), Src=[68:5b:35:c2:4c:f4], Dst=[18:b1:69:f3:c6:c0]

    IP Packet Header

     IP Type: ICMP(0x1), Src=[10.10.18.5], Dst=[192.168.50.200]

    ICMP Packet Header

     ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 18311

    Value:[0]

    Forwarded 1:2)

  • MustafaAMustafaA SonicWall Employee

    Packets are being forwarded correctly on X2 interface, but we are not receiving any response. You need to do a similar capture on Firewall-B and trace the packet flow.

  • JCKJCK Newbie ✭

    Sorry for the long delay. Company B's packet sniffer saw my (Company A) LAN host's pings to their printer, but no reply. They weren't able to identify a reason on their end why our firewall's X2 interface gets a reply from their printer but our LAN host does not. From their side, they were able to ping our LAN host from their printer. Is there anything else I should check on our side that might interfere with the communication?

    Also, since connecting to their firewall, some computers on our LAN were running slow and getting a prompt to log in to their internet gateway. How can we limit traffic on our X3 interface to 192.168.50.200? Thanks again.

  • JCKJCK Newbie ✭

    Hello Mustafa,

    I still haven't resolved this. I did a new packet capture, and this time filtered to include source of 192.168.99.2 (Company B X2 interface) or 192.168.50.200 (Company B printer, the ping target). See attachment.

    It shows that 192.168.99.2 is replying with ARP requests that are being dropped by Company A's SonicWALL. Since all relevant objects are in the LAN zone, why is this happening? Do you think this is also why Company A's LAN cannot access the Company B printer? Do I need to change NAT policies, or something else? Thanks.

  • TonyATonyA SonicWall Employee

    Hi @JCK

    If you expand the dropped packet, it should give a drop reason - do you still have the capture to check this?

  • JCKJCK Newbie ✭

    Thanks for your response, Tony. I finally got a chance to export the log and got detail on one of the dropped ARP requests. I have pasted it below my message here. A couple of clues:

    1: 'ARP bridge not supported' Not sure what to make of this.

    2: 'Target IP address: 10.10.18.254'. I don't understand how that came up as the target IP as there is no host at this address. Could it be the configuration of the X0 interface is wrong? The X0 interface (10.10.18.1) is currently configured with a Default Gateway of 0.0.0.0.

    Thanks.

    =====

    *Packet number: 3*

    Header Values:

     Bytes captured: 60, Actual Bytes on the wire: 60

    Packet Info(Time:10/26/2023 16:26:58.128):

     in:X2*(interface), out:--, DROPPED, Drop Code: 61(Classical mode, ARP bridge not supported), Module Id: 47(ARP), (Ref.Id: _820_iboemfJodpnjohBsqSfrvftu), 1:1)

    Ethernet Header

     Ether Type: ARP(0x806), Src=[d4:76:a0:eb:0c:82], Dst=[ff:ff:ff:ff:ff:ff]

    ARP Packet:

     ARP TYPE: ARP Request

     Sender MAC Address: d4:76:a0:eb:0c:82

     Sender IP Address: 192.168.99.2

     Target MAC Address: 00:00:00:00:00:00

     Target IP Address: 10.10.18.254

    Value:[0]

    Hex and ASCII dump of the packet:

     ffffffff ffffd476 a0eb0c82 08060001 08000604 0001d476 *.......v...............v*

     a0eb0c82 c0a86302 00000000 00000a0a 12fe0000 00000000 *......c.................*

     00000000 00000000 00000000              *............      *

  • TonyATonyA SonicWall Employee

    Hi @JCK ,

    You might need to call support for deeper troubleshooting - but please check for the local ip in the ARP table if it is showing up there.

    If it is, give Sonicwall support a call as we would need to troubleshoot a bit deeper based on the drop code.

  • JCKJCK Newbie ✭

    Thanks again for your reply—it's taken me a while to get access to the network again.

    I changed the default gateway on the X2 interface to 192.168.99.2 (the other company's firewall) and now the dropped ARP requests from the other firewall (in response to pings from our LAN host) show our LAN host as the destination IP—so that looks good now.

    But ARP requests are still dropping, with 'Drop Code: 61(Classical mode, ARP bridge not supported).' I found another discussion that said enabling ARP bridging should address this, but I haven't found that setting. Our FW is on SonicOS Enhanced 6.5.1.3-12n, support has expired and I haven't gotten permission to renew. Purse strings tight right now. Any further suggestions, including where to enable ARP bridging would be appreciated. Thanks again!

  • TonyATonyA SonicWall Employee

    Hi @JCK

    Do you have any bridges on any of the interfaces? like L2 bridge on X2 by any chance?

  • JCKJCK Newbie ✭

    No bridges. I looked at the L2 bridge for X2 but since it wipes out the static IP I didn't see how the static route to the Company B firewall would function.

  • TonyATonyA SonicWall Employee

    Arp bridging should be enabled by default but you can check on the diag page. You can navigate to it via the address bar:

    example: 192.168.168.168/diag.html

    it should be the first option under arp settings


  • JCKJCK Newbie ✭

    Got it, thanks, and you're right, ARP Bridging was already enabled. I also added a static entry in the ARP table for the LAN host I was pinging from but that didn't help. When I checked the box to Publish Entry, it changed the MAC address to the X0 interface address, and wouldn't allow me to change that, so I left Publish Entry unchecked. Any other suggestions very welcome!

  • TonyATonyA SonicWall Employee

    @JCK

    Going through the history on this post again to regain some details - I know you are getting an arp drop, but do you know the specific port that the print jobs would use? I would suggest a capture based on that first as the arp drop could be something secondary or not needed at all.

    If not able to get this working for whatever reason, you could try making a site to site vpn between both sites on unused interfaces - will probably make this a lot easier.

Sign In or Register to comment.