tanr
New Member
November 19, 2017
Question

VIP Between VLANs and Broadcast

  • November 19, 2017
  • 1 reply
  • 8031 views

From the docs it looks like this might work, but wanted to check here before trying it out.


TL;DR version: Will a VIP between VLANs on the FortiGate (5.4.6) do both proxy-ARP and forwarding of L2 unicast and broadcast? How about multicast?


Longer version:


I've got a couple of networked printers in a separate VLAN and subnet, accessed by IP through the FortiGate from a secure LAN with its own VLAN and subnet. I only allow initiation of the connection from the LAN side, not the printer side. This works okay, except for two things. Adding a Windows 10 printer tends to fail to find the printer, even when given its IP, and the printers' remote scanning software fails completely if the printer isn't in the same subnet.


So, I'm considering creating a VIP on the LAN side mapped to each of the printers in the printer VLAN. This still lets me control initiation of the connection through security policies (with match-vip as needed), and I think it should allow the Windows 10 printer drivers to think the printer is within their own subnet.


Does this seem reasonable? I'm open to suggestions for a better way to handle this.
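As an added example (not from this thread or from Fortinet's documentation), here is what the VIP-plus-policy setup described above looks like in FortiOS 5.4 CLI syntax, with the multicast-forward settings that come up later in the thread. Interface names and addresses are placeholders; note that a VIP only answers ARP for its external address and translates unicast sessions, so any mDNS/Bonjour discovery traffic still depends on the separate multicast settings.

```text
# Added example, not from the thread. Placeholders: interfaces "lan-vlan" and
# "printer-vlan", LAN subnet 192.168.10.0/24, printer VLAN subnet 192.168.20.0/24,
# printer at 192.168.20.50 (constructed values).
config firewall vip
    edit "vip-printer1"
        set extip 192.168.10.50          # address LAN hosts will use (inside their own subnet)
        set extintf "lan-vlan"           # VIP is bound to the secure LAN VLAN interface
        set mappedip "192.168.20.50"     # real printer address in the printer VLAN
        set arp-reply enable             # FortiGate proxy-ARPs for 192.168.10.50 on lan-vlan
    next
end

# Only LAN-initiated sessions reach the printer; nothing from printer-vlan
# toward lan-vlan is permitted, so the printer side cannot open connections.
config firewall policy
    edit 0
        set name "lan-to-printer1-vip"
        set srcintf "lan-vlan"
        set dstintf "printer-vlan"
        set srcaddr "all"
        set dstaddr "vip-printer1"       # destination is the VIP object, not the real address
        set action accept
        set schedule "always"
        set service "ALL"                # narrow to IPP/LPD/SNMP etc. once the scanner's ports are known
        set logtraffic all               # log sessions to confirm the DNAT is actually being hit
    next
end

# Multicast (mDNS/Bonjour) is not carried by the VIP; it needs the VDOM-level
# multicast-forward setting plus policies for the multicast traffic itself.
config system settings
    set multicast-forward enable
    set multicast-ttl-notchange enable
end
```

Verify from a LAN host that ARP for 192.168.10.50 resolves to the FortiGate's lan-vlan MAC and that the logged session shows the translated destination.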

    1 reply

    packetpusher
    New Member
    November 20, 2017

    I guess you are adding a win10 printer to the printer's VLAN? I would sniff the traffic on both ends (src & dst) in order to identify the root cause of the failure. I suspect the printer is requiring multicast forwarding. Ref. http://help.fortinet.com/...icast%20forwarding.htm

    tanr (Author)
    New Member
    November 20, 2017

    Hi packetpusher,


    Already sniffed the traffic and saw some mDNS and Bonjour. However, enabling multicast forwarding and providing the security policies for the attempted traffic still didn't allow the printer driver to install. I didn't try it with multicast-ttl-notchange enabled though.


    Note that once I've forced the printer setup in Windows 10 (manual, never letting Windows attempt to identify the printer or it dies), printing works just fine. It's remote scanning that then fails (with or without multicast forwarding). It appears the problem has to do with the Windows 10 scanning software (Canon) assuming the scanner's IP is in the local subnet, even though the IP I give it is in the printers' subnet. Hence my interest in VIP and proxy-ARP.


    packetpusher
    New Member
    November 20, 2017

    So, it sounds like there is an issue with the application layer not related to the normal network operations. Any Windows-related articles or applied fixes?