Need to bridge 2 subnets but with restrictions...

I have an office that has all their retail cash systems on one subnet 192.168.0.x and all their admin PCs on another subnet 192.168.2.x

There is a cash computer that needs access to a TCP printer on the Admin side.  Currently the cash computer can ping the printer, but when you try to add the printer in the Windows XP add printer wizard, it installs, but cannot print to it.

The router is a Nortel Business Secure Router that was installed by the folks who installed the phone system.  The subnets are used to prevent casual navigating to the cash computers by the admin people.

Any thoughts on how I get a computer to print to a printer?

woolnoir Commented:
If removing the default blocks works, then re-add them, but add these two first. any(udp) forward any(udp) forward

If any of the above need masks (i.e. the 255.255... bit), then do

The issue seems to be that the default rule is to forward, but since all UDP traffic is matched by the block rule, it's blocking it. We need to add a rule to match the specific UDP traffic between the two hosts.
From what you have said (i.e. the ping is working) I would assume that the router is configured to allow routing between the subnets fine... it suggests that the router may be set up with some access lists. Without knowing the model it would be hard to give specific information, but assuming you have access, look for a section on 'access lists' or firewall.

Alternatively - give the model number and we can try and assist more.

I do exactly this kind of thing every day, but with different equipment.

There are two keys to accomplishing printing:
1) Routing
2) Firewall configuration

As the other commenter noted, the fact that you can ping indicates that routing is working.

Unfortunately, by default most Windows firewalls treat only the local subnet (in this case 192.168.0.*) as trustworthy. Most services on any other subnet are blocked.

It is possible your router has a firewall blocking print services, but I doubt it. Most likely the issue is in the Windows computers and has nothing to do with the router.

You'll likely need to fix this BOTH in the source (cash computer) and destination (admin/print computer) sides.

How to fix it depends on the firewall in use. What we do is simply declare that all of our local subnets are completely trustworthy. You may not want to be that "open" but this works nicely in our situation.

For example:

ZoneAlarm Free: go into the Zones definition and add all local subnets as "Trusted" subnets.
Windows 7 Firewall: add custom rules allowing full access to/from the local computer and all local subnets.

BTW, you can also verify that this is the issue. Before touching the firewall(s), first turn on firewall logging... and watch to see if the attempt to print gets blocked by the firewall(s).

Hope that helps!
OH... just noticed you said it is a TCP printer. Unlikely the TCP printer is firewalled. So even easier: just need to fix in your cash computer.
DaveWWW (Author) Commented:
Woolnoir, the router is a Nortel Business Secure Router 222.

The firewall rules are as follows:

Source Address   Dest. Address   Service Type                     Action
---------------  --------------  -------------------------------  -------
/                                PCAnywhere (TCP/UDP 5631-5632)   Forward
/                                PCAnywhere (TCP/UDP 5631-5632)   Forward
/                                Any (UDP)                        Block
/                                Any (UDP)                        Block

Those are the four active rules.  Do I need to add a rule above the blocking rules that allow traffic between the desired computer and the printer?  I assumed since UDP was blocked it would not affect TCP/IP printing, but is that an error in my assumption?

I have tried printing with the Windows firewall completely off - still doesn't work.

Fred Marshall (Principal) Commented:
The only Forward rules are for ports 5631-5632.
What happens if you temporarily add: /            Forward /            Forward

If that fixes it, then you have a clue.

But, since you can ping the printer, I've had success with installing hp printers by their suggestion this way:

Add the printer.
Select that it is a "Local Printer" ( strange but true)
Deselect Auto find.
If necessary, add a TCP/IP port.  Give it the IP address of the printer.
Go from there.....
DaveWWW (Author) Commented:
The strange thing is that it seems to be subnet-related.  For example, though I can ping one subnet computer to another, I can't see the shared devices.  If I sit at, I can ping  But if I go to the run box and type \\ it eventually times out with an error saying no such device on the network (or whatever).  So it doesn't seem to be HP related.  It seems that the UDP blocking is causing the issue somehow.  I can try turning off the rule, but I won't be able to leave it that way.

On the firewall page, it also says this:
Action for packets that don't match firewall rules: FORWARD

So it would seem that likely the last two rules are the issue.

Question: is printing through to a TCP printer accomplished via a certain port?  If so, perhaps I could enter a new rule that allows that port to operate while blocking all others.

OK, so the default is to forward, but all UDP is blocked. Try removing the blocking UDP rules on a temporary basis and see what happens. If that does fix it, we can tighten it.
Regular printing to HP print servers happens on port tcp/9100. Try opening that one up.
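A first-match model of the rule list DaveWWW posted, written for this thread (not code from the thread or from Nortel): it shows why the "Any (UDP)" block rules catch every UDP datagram between the subnets while a tcp/9100 print connection falls through to the router's FORWARD default, and how woolnoir's host-specific UDP forward rules, placed above the blocks, change the outcome. The addresses are constructed, since the thread elides them, and the posted rules are assumed to be written between the two subnets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses: only the two subnets are given in the thread.
CASH_SUBNET, ADMIN_SUBNET = "192.168.0.0/24", "192.168.2.0/24"
CASH_PC, PRINTER = "192.168.0.50", "192.168.2.20"

@dataclass
class Rule:
    src: str                         # CIDR; a single host is written as /32
    dst: str
    proto: str                       # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]] # inclusive destination-port range, None = any
    action: str                      # "forward" or "block"

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.ports is None or self.ports[0] <= dport <= self.ports[1]

# "Action for packets that don't match firewall rules: FORWARD"
DEFAULT_ACTION = "forward"

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; otherwise the router's default action applies."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return DEFAULT_ACTION

# The four active rules from the posted table (subnet addresses assumed).
POSTED_RULES = [
    Rule(CASH_SUBNET, ADMIN_SUBNET, "any", (5631, 5632), "forward"),  # PCAnywhere
    Rule(ADMIN_SUBNET, CASH_SUBNET, "any", (5631, 5632), "forward"),
    Rule(CASH_SUBNET, ADMIN_SUBNET, "udp", None, "block"),            # Any (UDP)
    Rule(ADMIN_SUBNET, CASH_SUBNET, "udp", None, "block"),
]

# woolnoir's fix: narrow UDP forward rules for the two hosts, ahead of the blocks.
FIXED_RULES = [
    Rule(CASH_PC + "/32", PRINTER + "/32", "udp", None, "forward"),
    Rule(PRINTER + "/32", CASH_PC + "/32", "udp", None, "forward"),
] + POSTED_RULES

if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(name, "tcp/9100:", evaluate(rules, CASH_PC, PRINTER, "tcp", 9100))
        print(name, "udp/137 :", evaluate(rules, CASH_PC, PRINTER, "udp", 137))  # NetBIOS name service
```

With the posted rules, tcp/9100 is already forwarded by the default action, so a raw-port print path is not what the block rules stop; any UDP between the hosts (udp/137 NetBIOS name lookups behind the \\name timeout, for instance) is, and only the two hosts gain UDP under the fixed list.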
@DaveWWW were these replies helpful, or did you need more info?
DaveWWW (Author) Commented:
Hi Woolnoir,

These replies are *very* helpful indeed!  In fact I'll be on site with the client this morning, and I'm hoping it's all a memory by lunch time! :-)  I'll let you know.  Thanks.
Nice, do let us know how you do :)
Going back 1 step, do a tracert in the command prompt, i.e. Start -> cmd <enter> type tracert If the trace goes to the router then you are good to check the router.