Solved

networking printing from one private subnet to another private subnet at same site

Posted on 2006-07-13
Last Modified: 2008-02-01
I want to do networking printing from one private subnet to another private subnet. Both private subnets are behind same firewall.

routerA = 2 public static IPS NAT to 192.168.1.1 & 192.168.2.1
routerB = private static 192.168.1.1 NAT to 10.1.1.1
routerC = private static 192.168.2.1 NAT to 10.1.2.1
static IP network printer 10.1.1.50 sits on routerB subnet
PC on 10.1.2.20 sitting on routerC subnet

I want to print from pc on routerC to printer on routerB.

Is this possible? Can I set up ports for this on routerA? Do I need ports on routers B & C?

Thanks
0
Question by:popexpert
10 Comments
 
LVL 30

Expert Comment

by:ded9
ID: 17106391
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 500 total points
ID: 17106429
Outgoing from routerc is probably allowed already (unless you know better).  I assume router A is just doing routing so there is no need to change unless there is a firewall between routerB and router C subnets.
Router C would need port forwarding from port 515 (LPR printing) and/or port 9100 (direct printing) to 10.1.1.50.  I suggest you put in a rule that says 192.168.1.1 to 10.1.1.50 only.

I presume there isn't one-to-one NAT going on where 192.168.1.2 is 10.1.1.2 etc., just all hiding behind 192.168.1.1 in which case user on network C prints to 192.168.1.1



Steve

Does that help?

Steve



http://www.portforward.com gives instructions for most routers.
0
 

Author Comment

by:popexpert
ID: 17165646
Thanks Steve:

I think you may have made a slight error in your detail that I need to "setup port forward on router C". Since you correctly noted that router c already had outgoing open, I figured you must have meant setup port forward on router B so that is what I set up. At any rate, your explanation led me to making it work. I am unsure about the "rule" you suggest. Do you mean this on router B in addition to port forwarding? Is this to prevent other subnets from accessing the printer? I am using a Linksys BEFSR41 for router B and a Linksys BEFVP41 for router C. I don't see "rules". Do you know if Linksys calls it by another name?

Thanks
PE
0

 
LVL 43

Expert Comment

by:Steve Knight
ID: 17165936
Sorry, yes of course the port forwarding needs to be on routerb.  The rule I mentioned was suggesting a firewall rule.  If you just set a port forward up then the port is open to the internet for anyone to access and print to.

You may be able to restrict the usage in the printer but unlikely so the best way without a VPN in place between the sites is to put a firewall rule which only allows the specific address of the other site through the firewall with the printer behind it.  At least then no-one else can get in too.

Don't know those routers off hand I'm afraid but looking at the screenshots here:

http://www.portforward.com/english/routers/port_forwarding/Linksys/BEFVP41/HTTP.htm

it looks like there is a firewall tab on the router.  If it is possible I would put an entry in as suggested above.  If you get in there and are not sure please ask.

regards

Steve
0
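The difference between a bare port forward and a forward plus a source rule, as an added example that is not part of the original thread: a small Python model using the addresses from the question. It assumes router C source-NATs the PC to 192.168.2.1; the `Forward` class, the `route` and `exposure` helpers and the sender 203.0.113.7 are constructed for illustration and are not Linksys settings.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PRINTER = "10.1.1.50"          # printer address from the question
ROUTER_C_WAN = "192.168.2.1"   # from the question; assumed source after router C's NAT


@dataclass
class Forward:
    """One port-forward entry on router B's WAN side (hypothetical model)."""
    dst_port: int
    target: str
    allowed_sources: tuple = ()  # empty = no source restriction

    def permits(self, src: str) -> bool:
        if not self.allowed_sources:
            return True  # bare forward: every sender is passed inside
        addr = ip_address(src)
        return any(addr in ip_network(net) for net in self.allowed_sources)


def route(forwards, src: str, dst_port: int) -> Optional[str]:
    """Return the inside host that receives the connection, or None if dropped."""
    for fwd in forwards:
        if fwd.dst_port == dst_port and fwd.permits(src):
            return fwd.target
    return None  # no matching forward: unsolicited inbound traffic is dropped


def exposure(forwards, senders, ports=(515, 9100)):
    """Map each sender to the printing ports it can reach through router B."""
    return {s: [p for p in ports if route(forwards, s, p)] for s in senders}


# Forward only: LPR (515) and direct printing (9100) open to any sender.
OPEN = [Forward(515, PRINTER), Forward(9100, PRINTER)]
# Forward plus source rule: only router C's WAN address is let through.
RESTRICTED = [Forward(p, PRINTER, (ROUTER_C_WAN + "/32",)) for p in (515, 9100)]

# Constructed senders: router C's WAN address and an unrelated host
# (203.0.113.7 is a documentation address, not taken from the page).
SENDERS = [ROUTER_C_WAN, "203.0.113.7"]

if __name__ == "__main__":
    for name, table in (("forward only", OPEN), ("with source rule", RESTRICTED)):
        print(name, exposure(table, SENDERS))
```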
 

Author Comment

by:popexpert
ID: 17182424
Steve:

I totally understand what you are telling me from a smart security standpoint and I would like to secure this issue. But for the record, what kind of damage could someone do if they accessed the printer from the WAN besides waste paper and toner?

Regarding the firewall: You might make me feel very silly when you tell me where it is, but I do not see a firewall tab. I see "forwarding" and "filters", they both start with an "F". Will either of those work?

Also, to help in setting this up and working within two subnets and two routers, can I set up a port(s) on router b or c or both routers if needed to allow me to reach the admin of the router on the other subnet? Currently I have to go to another PC or change the LAN connection, etc.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17184374
Well frankly it's not a huge issue, perhaps something worth monitoring.  I don't know of any cases of someone using a Jetdirect print server as a backdoor into a network through the LPR port, I suppose it might be possible though!

To be honest I don't know the router you have, perhaps the screen shots on that page I linked to are for a different model or firmware revision.  If you look at the second picture up on that page I think one of the tabs says Firewall!

I presume you want to administer a server there over RDP?  In which case you could put a port forward for port 3389 on your routerb to the relevant server on 10.1.1.x.  Then connect using RDP to the external address of that router 192.168.1.x or whatever.  Same principle for other things -- VNC for instance tends to use port 5800.

RDP protocol is encrypted but login is only as secure as your passwords etc. unless you restrict who can use it by IP address again.

Hang on a minute ignore all the security bits, had mixed this up with another Q.  Neither network has access to the internet directly the WAN side of its router so it is a non issue re: the IP address filtering - it just means anyone in networkc can print or rdp to network b etc.  Presumably the external router only forwards packets to 192.168.1.x for specific port forwards or maybe nothing incoming at all?

hth

Steve
0
 

Author Comment

by:popexpert
ID: 17213317
Steve:

I finally see the “firewall” tab on the second picture. And the page IS titled with the correct router model#. However, my router doesn't have that tab (and I just recently updated firmware too) -- that screen capture may be from a different router that is similar. If you look at the third picture you will see that the position of that "firewall" tab will show "MAC clone" instead. The third picture with "MAC CLone" is what I see on my router. For now I will accept that my router doesn’t appear to have that restriction available. Let me know if you think of anything helpful. The printing works but it is not really protected by router A as I realized it is a bridge to my two public IP addresses routers B & C.

I guess my final question on this network printing issue is whether you would agree that if I don't have the firewall tab, I can't protect the printer from the internet now that I have opened up the port on routerB.

You noted a question to me whether I wanted to "administer a server there over RDP?". I meant I wanted to be able to administer both routers B and C from the B subnet or vice versa. I mean be able to setup ports, etc on either router from either subnet.  Currently, I have to physically change the computer network cable from one lan to the other lan to make changes to the other router.

I will post the router admin question as a new question you might like to also tackle.

Thanks
PE
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17213834
I see what you mean now.  Guess it is a rogue screenshot on there.  You aren't at risk from the internet as I presume routera does not forward any packets for incoming printing TCP ports.

Sorry if I misunderstood the remote admin.  Most routers I have dealt with allow you to specify an IP or range of IPs for remote admin and/or have an option to allow WAN access to remote admin at all.  In your case as long as the ports aren't open at the routera then you should be able to connect to the WAN side of routerB from networkC and vice versa OK.  Otherwise you could, if this is allowed, have one computer with two network cards in, one in each network.  This might not be allowed if the networks have to be separate for a specific security reason.

I would suggest you run a ShieldsUp! scan of all service ports from www.grc.com just to check what is open to the world, once from each network so it tries both internet addresses.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17365444
I would suggest "accept dragon-it" :-)
0
