Solved

Need to bridge 2 subnets but with restrictions...

Posted on 2010-08-28
13
337 Views
Last Modified: 2012-05-10
I have an office that has all their retail cash systems on one subnet 192.168.0.x and all their admin PCs on another subnet 192.168.2.x

There is a cash computer that needs access to a TCP printer on the Admin side.  Currently the cash computer can ping the printer, but when you try to add the printer in the Windows XP add printer wizard, it installs, but cannot print to it.

The router is a Nortel Business Secure Router that was installed by the folks who installed the phone system.  The subnets are used to prevent casual navigating to the cash computers by the admin people.

Any thoughts on how I get a computer 192.168.0.11 to print to a printer 192.168.2.80?

David
0
Question by:DaveWWW
13 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 33549207
From what you have said (i.e. the ping is working) I would assume that the router is configured to allow routing between the subnets fine... it suggests that the router may be set up with some access lists - without knowing the model it would be hard to give specific information, but assuming you have access look for a section on 'access lists' or firewall.

Alternatively - give the model number and we can try and assist more.

0
 
LVL 2

Expert Comment

by:MrPete_
ID: 33549567
I do exactly this kind of thing every day, but with different equipment.

There are two keys to accomplishing printing:
1) Routing
2) Firewall configuration

As the other commenter noted, the fact that you can ping indicates that routing is working.

Unfortunately, by default most Windows firewalls treat only the local subnet (in this case 192.168.0.*) as trustworthy. Most services on any other subnet are blocked.

It is possible your router has a firewall blocking print services, but I doubt it. Most likely the issue is in the Windows computers and has nothing to do with the router.

You'll likely need to fix this BOTH in the source (cash computer) and destination (admin/print computer) sides.

How to fix it depends on the firewall in use. What we do is simply declare that all of our local subnets are completely trustworthy. You may not want to be that "open" but this works nicely in our situation.

For example:

ZoneAlarm Free: go into the Zones definition and add all local subnets as "Trusted" subnets.
Windows 7 Firewall: add custom rules allowing full access to/from the local computer and all local subnets.

BTW, you can also verify that this is the issue. Before touching the firewall(s), first turn on firewall logging... and watch to see if the attempt to print gets blocked by the firewall(s).

Hope that helps!
0
 
LVL 2

Expert Comment

by:MrPete_
ID: 33549568
OH... just noticed you said it is a TCP printer. Unlikely the TCP printer is firewalled. So even easier: just need to fix in your cash computer.
0
 

Author Comment

by:DaveWWW
ID: 33550020
Woolnoir, the router is a Nortel Business Secure Router 222.

The firewall rules are as follows:

Source Address                  Dest. Address   Service Type                     Action
---------------------------------------------------------------------------------------
192.168.2.0 /255.255.255.0      192.168.0.0     PCAnywhere (TCP/UDP 5631-5632)   Forward
192.168.0.0 /255.255.255.0      192.168.2.0     PCAnywhere (TCP/UDP 5631-5632)   Forward
192.168.2.0 /255.255.255.0      192.168.0.0     Any (UDP)                        Block
192.168.0.0 /255.255.255.0      192.168.2.0     Any (UDP)                        Block

Those are the four active rules.  Do I need to add a rule above the blocking rules that allow traffic between the desired computer and the printer?  I assumed since UDP was blocked it would not affect TCP/IP printing, but is that an error in my assumption?

I have tried printing with the Windows firewall completely off - still doesn't work.

David
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 33550418
The only Forward rules are for ports 5631-5632.
What happens if you temporarily add:
192.168.2.0 /255.255.255.0      192.168.0.0     Forward
192.168.0.0 /255.255.255.0      192.168.2.0     Forward

If that fixes it, then you have a clue.

But, since you can ping the printer, I've had success with installing HP printers by their suggestion this way:

Add the printer.
Select that it is a "Local Printer" (strange but true).
Deselect Auto find.
If necessary, add a TCP/IP port.  Give it the IP address of the printer.
Go from there.....
0
 

Author Comment

by:DaveWWW
ID: 33550447
The strange thing is that it seems to be subnet-related.  For example, though I can ping one subnet computer to another, I can't see the shared devices.  If I sit at 192.168.0.11, I can ping 192.168.2.110.  But if I go to the run box and type \\192.168.2.110 it eventually times out with an error saying no such device on the network (or whatever).  So it doesn't seem to be HP related.  It seems that the UDP blocking is causing the issue somehow.  I can try turning off the rule, but I won't be able to leave it that way.

On the firewall page, it also says this:
Action for packets that don't match firewall rules: FORWARD

So it would seem that likely the last two rules are the issue.

Question: is printing through to a TCP printer accomplished via a certain port?  If so, perhaps I could enter a new rule that allows that port to operate while blocking all others.

David
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33550456
Ok so the default is to forward, but all UDP is blocked. Try removing the blocking UDP rules on a temporary basis and see what happens. If that does fix it we can tighten it.
0
 
LVL 20

Accepted Solution

by: woolnoir earned 500 total points
ID: 33550467
If removing the default blocks works, then re-add them, but add these two first:

192.168.0.11    192.168.2.80    Any (UDP)    Forward
192.168.2.80    192.168.0.11    Any (UDP)    Forward

If any of the above need masks (i.e. the 255.255... bit), then use 255.255.255.255.

The issue seems to be that the default rule is to forward, but since all UDP traffic is matched by the block rule, it's blocking it. We need to add a rule to match the specific UDP traffic between the two hosts.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 33553260
Regular printing to HP print servers happens on port tcp/9100. Try opening that one up.
0
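The accepted answer and Rant32's note about tcp/9100 both come down to how the BSR's rule list is walked: top to bottom, first match wins, and the router-wide default (FORWARD, as the author reported) applies only when nothing matches. The following added Python model is example code written for this thread, not the Nortel firmware or any poster's code. It assumes the destination addresses in the posted table are /24 networks like the sources (the table shows no destination mask), that the two host-specific rules go above the existing four, and it uses constructed sample flows: ICMP ping, raw printing on tcp/9100 (from Rant32's comment), NetBIOS name service on udp/137, SNMP status queries on udp/161, and PCAnywhere on tcp/5631. The flow names and the choice of UDP ports are illustrative, not taken from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports (ICMP)


@dataclass(frozen=True)
class Rule:
    src: str                          # CIDR; a /32 is a single host (mask 255.255.255.255)
    dst: str
    protos: Optional[FrozenSet[str]]  # None = any protocol
    ports: Optional[range]            # None = any destination port
    action: str                       # "forward" or "block"

    def matches(self, f: Flow) -> bool:
        if ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.protos is not None and f.proto not in self.protos:
            return False
        if self.ports is not None and (f.dport is None or f.dport not in self.ports):
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow, default: str = "forward") -> str:
    """First-match evaluation, top to bottom; the default applies when nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


TCP_UDP = frozenset({"tcp", "udp"})
UDP = frozenset({"udp"})
PCANYWHERE = range(5631, 5633)  # 5631-5632 inclusive

# The four rules the author posted (destination masks assumed /24, like the sources).
ORIGINAL_RULES = [
    Rule("192.168.2.0/24", "192.168.0.0/24", TCP_UDP, PCANYWHERE, "forward"),
    Rule("192.168.0.0/24", "192.168.2.0/24", TCP_UDP, PCANYWHERE, "forward"),
    Rule("192.168.2.0/24", "192.168.0.0/24", UDP, None, "block"),
    Rule("192.168.0.0/24", "192.168.2.0/24", UDP, None, "block"),
]

# The two host-specific rules from the accepted answer, inserted above the blocks.
HOST_PAIR_RULES = [
    Rule("192.168.0.11/32", "192.168.2.80/32", UDP, None, "forward"),
    Rule("192.168.2.80/32", "192.168.0.11/32", UDP, None, "forward"),
]
PROPOSED_RULES = HOST_PAIR_RULES + ORIGINAL_RULES

CASH_PC, PRINTER = "192.168.0.11", "192.168.2.80"
OTHER_CASH_PC, ADMIN_PC = "192.168.0.12", "192.168.2.110"  # constructed hosts

# Constructed sample flows; port numbers are illustrative.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "ping cash->printer":     Flow(CASH_PC, PRINTER, "icmp"),
    "raw print tcp/9100":     Flow(CASH_PC, PRINTER, "tcp", 9100),
    "netbios name udp/137":   Flow(CASH_PC, ADMIN_PC, "udp", 137),
    "snmp status udp/161":    Flow(CASH_PC, PRINTER, "udp", 161),
    "printer reply udp":      Flow(PRINTER, CASH_PC, "udp", 1024),
    "other cash pc udp/161":  Flow(OTHER_CASH_PC, PRINTER, "udp", 161),
    "pcanywhere admin->cash": Flow(ADMIN_PC, CASH_PC, "tcp", 5631),
}


def audit(rules: List[Rule], default: str = "forward") -> Dict[str, str]:
    """Evaluate every sample flow against a rule list and return name -> action."""
    return {name: evaluate(rules, flow, default) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    before, after = audit(ORIGINAL_RULES), audit(PROPOSED_RULES)
    for name in SAMPLE_FLOWS:
        print(f"{name:26s} original={before[name]:8s} proposed={after[name]}")
```

Running it shows why the symptoms in the thread line up: ping and tcp/9100 fall through to the FORWARD default under both rule sets, so the router never blocked raw printing, while every UDP flow between the subnets is caught by the "Any (UDP)" block. With the two /32 rules on top, only UDP between 192.168.0.11 and 192.168.2.80 is forwarded; UDP from any other cash computer to the printer, or from the cash computer to an admin PC, is still blocked, which is the point of putting host-specific rules above a broad block rather than removing the block.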
 
LVL 20

Expert Comment

by:woolnoir
ID: 33556587
@DaveWWW were these replies helpful - or did you need more info?
0
 

Author Comment

by:DaveWWW
ID: 33557080
Hi Woolnoir,

These replies are *very* helpful indeed!  In fact I'll be on site with the client this morning, and I'm hoping it's all a memory by lunch time! :-)  I'll let you know.  Thanks.
David
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33557084
nice - do let us know how you do :)
0
 
LVL 4

Expert Comment

by:JeffSchaper
ID: 33573484
Going back 1 step, do a tracert in the command prompt, i.e. Start -> cmd <enter>, then type tracert 192.168.2.80. If the trace goes to the router then you are good to check the router.
0