Solved

networking printing from one private subnet to another private subnet at same site

Posted on 2006-07-13
Last Modified: 2008-02-01
I want to do networking printing from one private subnet to another private subnet. Both private subnets are behind same firewall.

routerA = 2 public static IPS NAT to 192.168.1.1 & 192.168.2.1
routerB = private static 192.168.1.1 NAT to 10.1.1.1
routerC = private static 192.168.2.1 NAT to 10.1.2.1
static IP network printer 10.1.1.50 sits on routerB subnet
PC on 10.1.2.20 sitting on routerC subnet

I want to print from pc on routerC to printer on routerB.

Is this possible? Can I set up ports for this on routerA? Do I need ports on routers B & C?

Thanks
Question by:popexpert
10 Comments
 
LVL 30

Expert Comment

by:ded9
ID: 17106391
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 500 total points
ID: 17106429
Outgoing from routerc is probably allowed already (unless you know better).  I assume router A is just doing routing so there is no need to change unless there is a firewall between routerB and router C subnets.
Router C would need port forwarding from port 515 (LPR printing) and/or port 9100 (direct printing) to 10.1.1.50.  I suggest you put in a rule that says 192.168.1.1 to 10.1.1.50 only.

I presume there isn't one-to-one NAT going on where 192.168.1.2 is 10.1.1.2 etc., just all hiding behind 192.168.1.1 in which case user on network C prints to 192.168.1.1



Steve

Does that help?

Steve



http://www.portforward.com gives instructions for most routers.
0
 

Author Comment

by:popexpert
ID: 17165646
Thanks Steve:

I think you may have made a slight error in your detail that I need to "setup port forward on router C". Since you correctly noted that router c already had outgoing open, I figured you must have meant setup port forward on router B so that is what I set up. At any rate, your explanation led me to making it work. I am unsure about the "rule" you suggest. Do you mean this on router B in addition to port forwarding? Is this to prevent other subnets from accessing the printer? I am using a Linksys BEFSR41 for router B and a Linksys BEFVP41 for router C. I don't see "rules". Do you know if Linksys calls it by another name?

Thanks
PE
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17165936
Sorry, yes of course the port forwarding needs to be on routerb.  The rule I mentioned was suggesting a firewall rule.  If you just set a port forward up then the port is open to the internet for anyone to access and print to.

You may be able to restrict the usage in the printer but unlikely so the best way without a VPN in place between the sites is to put a firewall rule which only allows the specific address of the other site through the firewall with the printer behind it.  At least then no-one else can get in too.

Don't know those routers off hand I'm afraid but looking at the screenshots here:

http://www.portforward.com/english/routers/port_forwarding/Linksys/BEFVP41/HTTP.htm

it looks like there is a firewall tab on the router.  If it is possible I would put an entry in as suggested above.  If you get in there and are not sure please ask.

regards

Steve
0
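The path discussed in this thread, modelled as an added example (not code from the original posts): routerC hides the PC behind 192.168.2.1, so a source restriction on routerB's port forward has to name that address, and without the restriction any source that can reach 192.168.1.1 gets through to the printer. The /24 masks, the assumption that routerA simply passes traffic between the two outside addresses, and the outside host 203.0.113.7 are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class NatRouter:
    wan_ip: str
    lan_net: str      # assumed /24; the thread gives no masks
    forwards: dict    # dport -> (inside host, allowed source or None)

    def outbound(self, pkt):
        """Many-to-one NAT: inside hosts leave with the WAN address as source."""
        if ip_address(pkt.src) in ip_network(self.lan_net):
            return Packet(self.wan_ip, pkt.dst, pkt.dport)
        return pkt

    def inbound(self, pkt):
        """Apply a port forward; return None when the packet is dropped."""
        if pkt.dst != self.wan_ip or pkt.dport not in self.forwards:
            return None                      # no forward for this port
        host, allowed_src = self.forwards[pkt.dport]
        if allowed_src is not None and pkt.src != allowed_src:
            return None                      # source restriction rejects it
        return Packet(pkt.src, host, pkt.dport)

PRINTER = "10.1.1.50"
ROUTER_C = NatRouter("192.168.2.1", "10.1.2.0/24", {})

def router_b(allowed_src=None):
    """routerB with LPR (515) and raw (9100) forwards to the printer."""
    rules = {515: (PRINTER, allowed_src), 9100: (PRINTER, allowed_src)}
    return NatRouter("192.168.1.1", "10.1.1.0/24", rules)

def deliver(src, dport, b, via=None):
    """Send to routerB's WAN address, optionally out through another router."""
    pkt = Packet(src, b.wan_ip, dport)
    if via is not None:
        pkt = via.outbound(pkt)
    return b.inbound(pkt)

if __name__ == "__main__":
    for name, b in (("open", router_b()), ("restricted", router_b("192.168.2.1"))):
        print(name, "PC:", deliver("10.1.2.20", 9100, b, via=ROUTER_C))
        print(name, "other:", deliver("203.0.113.7", 9100, b))
```
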

 

Author Comment

by:popexpert
ID: 17182424
Steve:

I totally understand what you are telling me from a smart security standpoint and I would like to secure this issue. But for the record, what kind of damage could someone do if they accessed the printer from the WAN besides waste paper and toner?

Regarding the firewall: You might make me feel very silly when you tell me where it is, but I do not see a firewall tab. I see "forwarding" and "filters", they both start with an "F". Will either of those work?

Also, to help in setting this up and working within two subnets and two routers, can I setup a port(s) on router b or c or both routers if needed to allow me to reach the admin of the router on the other subnet? Currently I have to go to another PC or change the lan connection, etc.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17184374
Well frankly it's not a huge issue, perhaps something worth monitoring.  I don't know of any cases of someone using a Jetdirect print server as a backdoor into a network through the LPR port, I suppose it might be possible though!

To be honest I don't know the router you have, perhaps the screen shots on that page I linked to are for a different model or firmware revision.  If you look at the second picture up on that page I think one of the tabs says Firewall!

I presume you want to administer a server there over RDP?  In which case you could put a port forward for port 3389 on your routerb to the relevant server on 10.1.1.x.  Then connect using RDP to the external address of that router 192.168.1.x or whatever.  Same principle for other things -- VNC for instance tends to use port 5800.

RDP protocol is encrypted but login is only as secure as your passwords etc. unless you restrict who can use it by IP address again.

Hang on a minute ignore all the security bits, had mixed this up with another Q.  Neither network has access to the internet directly the WAN side of its router so it is a non issue re: the IP address filtering - it just means anyone in networkc can print or rdp to network b etc.  Presumably the external router only forwards packets to 192.168.1.x for specific port forwards or maybe nothing incoming at all?

hth

Steve
0
 

Author Comment

by:popexpert
ID: 17213317
Steve:

I finally see the “firewall” tab on the second picture. And the page IS titled with the correct router model#. However, my router doesn't have that tab (and I just recently updated firmware too) -- that screen capture may be from a different router that is similar. If you look at the third picture you will see that the position of that "firewall" tab will show "MAC clone" instead. The third picture with "MAC CLone" is what I see on my router. For now I will accept that my router doesn’t appear to have that restriction available. Let me know if you think of anything helpful. The printing works but it is not really protected by router A as I realized it is a bridge to my two public IP addresses routers B & C.

I guess my final question on this network printing issue is whether you would agree that if I don't have the firewall tab, I can't protect the printer from the internet now that I have opened up the port on routerB.

You noted a question to me whether I wanted to "administer a server there over RDP?". I meant I wanted to be able to administer both routers B and C from the B subnet or vice versa. I mean be able to setup ports, etc on either router from either subnet.  Currently, I have to physically change the computer network cable from one lan to the other lan to make changes to the other router.

I will post the router admin question as a new question you might like to also tackle.

Thanks
PE
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17213834
I see what you mean now.  Guess it is a rogue screenshot on there.  You aren't at risk from the internet as I presume routera does not forward any packets for incoming printing TCP ports.

Sorry if I misunderstood the remote admin.  Most routers I have dealt with allow you to specify an IP or range of IPs for remote admin and/or have an option to allow WAN access to remote admin at all.  In your case as long as the ports aren't open at the routera then you should be able to connect to the WAN side of routerB from networkC and vice versa OK.  Otherwise you could, if this is allowed, have one computer with two network cards in, one in each network.  This might not be allowed if the networks have to be separate for a specific security reason.

I would suggest you run a ShieldsUp! scan of all service ports from www.grc.com just to check what is open to the world, once from each network so it tries both internet addresses.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 17365444
I would suggest "accept dragon-it" :-)
0
