jerryesd

Prevent users from printing directly to printers

Our school has a print server running PaperCut to manage student printing. It "charges" students for each page they print. It works well. However, students can bypass the print server and print directly to a printer once they determine a printer's IP address. I need to prevent this. Someone suggested that this could be done using a separate subnet for the printers, which would separate them virtually, or using a separate network for the printers, which would separate them physically. I don't know how to do either and could use some help. I want to redesign our network to meet this criterion.

Here are some specifics on our network and equipment:
Mikrotik router
Windows 2008 server set up as a print server and running PaperCut
Network: 10.0.0.1/21
Gateway: 10.0.0.1
Subnet mask: 255.255.248.0
Address pool: 10.0.1.0-10.0.0.7.254
Network equipment such as switches, servers, access points, and printers are statically assigned in the range 10.0.0.2-10.0.0.255

We are not using active directory.
hypercube

If you use a separate subnet on the same LAN (i.e. copper wires and switches), a smart student could change the IP on a computer to that new subnet and then do what's being done now as their workaround.

A separate physical network - i.e. separate copper wires and switches (if necessary) - on a new subnet would work. You would connect that new network to the print server with an added network interface card addressed on the new subnet.

Here's an example:
In either case, set up a new subnet such as 10.0.99.0/24
Assign the printers addresses in that subnet such as 10.0.99.101, 10.0.99.102, etc.

In the first case, add a NIC to the print server with address 10.0.99.1 255.255.255.0
Or, add 10.0.99.1 to the existing NIC.

In the second case, add a NIC to the print server with address 10.0.99.1 255.255.255.0.
Cable that new NIC to the printer directly.
Assign 10.0.99.1 as the gateway address.

This assumes that the printer doesn't need internet access.
If it does then set up the print server computer to do Internet Connection Sharing as in:
http://msdn.microsoft.com/en-us/library/windows/desktop/dd815252(v=vs.85).aspx
so that the added NIC can get connected to the internet via the print server.
Or, of course, you could add a simple router on the new subnet/LAN to provide the internet connection (which could be connected to the current LAN on its WAN side).
The same idea could be supported with a VLAN on an upstream switch or router.  In this case you would cable to the new NIC on the print server and to the printer from 2 VLAN ports.
Most every network printer and MFC nowadays has the capability in the Admin settings to limit which IP or IPs are authorized to print. Just set up your PaperCut server IP and maybe your own IP so you can quickly test whether printing issues are related to the server or the printer.
Also be sure to set an admin password on each printer so clever students can change those settings.

If your printers have this ability, it's much easier than adding new subnets.

Good luck--
Yes, schaps has a good idea...
That being said, it would be a good long-term plan to move your school's flat network to a routed one with separate subnets for students vs. school admin as well as one for servers and printers. Eventually even a limited guest network for teacher-owned devices may be in your plans.

So, I don't disagree with @fmarshal's recommendation, but it's a big step to go from a flat network to one with two VLANs. After that, it's a minor step to add additional VLANs. I have worked in schools, so I know these changes are hard to make when school is in session. This is best planned for a few months, maybe tested over Spring Break, and then implemented next summer.
jerryesd

ASKER

Looking at the two options provided by fmarshall, I would like to use a separate physical network with separate copper wires and switch on a new subnet.

The printers do not need Internet access. Our router supports VLANs.

These are the steps, as I understand them based on the example provided.

1. Set up new subnet: 10.0.99.0/24 in router.
2. Map eth2 on the router to this subnet.
3. Cable eth2 on the router to a new switch.
4. Add a network interface card addressed to the print server with address 10.0.99.1 255.255.255.0 placing it on the new subnet and assign 10.0.99.1 as the gateway address on the NIC.
5. Connect this new NIC in the print server to the eth2 on the router.
6. Assign the printers addresses in that subnet such as 10.0.99.101, 10.0.99.102, etc.
7. Cable that new print server NIC to the new switch.
8. Cable printers to the new switch.

The print server would then be connected to both subnets through two NICs. Clients on the 10.0.0.0/21 subnet could communicate with the print server through the first NIC (10.0.0.3). Printers on the 10.0.99.0/24 subnet could communicate with the print server through the second NIC (10.0.99.1).

Is this correct?
There are copiers that students print to that do not support setting which IP(s) print jobs can be submitted from. Otherwise, that would be a good option.
ASKER CERTIFIED SOLUTION
hypercube
This solution is only available to members.
OK. So I was trying to combine the two options you originally gave - a virtual and a physical network. I get it now. I'll use the last five steps you covered.

Seems simple now. Thanks to both of you for your help.
Didn't speak over my head and provided just the help I needed. Very pleased.
Thank you!!
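
A check to run from a student-side machine once the printers have moved to 10.0.99.0/24, added here as an example and not code from any poster in this thread: it confirms the print server still answers while no printer accepts a direct connection. The direct-print port list (9100, 515, 631) and SMB port 445 for the Windows print server are assumptions; the addresses are the ones used in the thread.

```python
import socket

# Assumed direct-print TCP ports: raw/JetDirect, LPD, IPP.
DIRECT_PRINT_PORTS = (9100, 515, 631)


def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def find_bypass_paths(printers, ports=DIRECT_PRINT_PORTS, timeout=1.0):
    """List every (printer, port) that still accepts a direct connection."""
    return [(host, port)
            for host in printers
            for port in ports
            if tcp_open(host, port, timeout)]


def audit(printers, print_server, server_port=445,
          ports=DIRECT_PRINT_PORTS, timeout=1.0):
    """Isolation holds when the server answers and no printer does."""
    bypass = find_bypass_paths(printers, ports, timeout)
    server_ok = tcp_open(print_server, server_port, timeout)
    return {
        "server_reachable": server_ok,
        "bypass": bypass,
        "isolated": server_ok and not bypass,
    }


if __name__ == "__main__":
    # Addresses from the thread: printers on the new subnet,
    # print server on its existing student-facing NIC.
    result = audit(["10.0.99.101", "10.0.99.102"], "10.0.0.3")
    print("print server reachable:", result["server_reachable"])
    for host, port in result["bypass"]:
        print("direct path still open: %s:%d" % (host, port))
    print("PASS" if result["isolated"] else "FAIL")
```

Run it again from a machine whose IP has been manually set inside 10.0.99.0/24 on the student LAN; with a physically separate printer network the result should not change.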