FTAdmin
New Contributor III

Printing across VLANs

Firewall: FortiGate 60F

Firmware: 6.4.8 Build 1914 (GA)

Mode: NAT

NGFW Mode: Profile-based

Central SNAT: Enabled

Switches: S148FP

Switches Firmware: S148FP-v7.0.2-build0049 

 

Issue: VLAN 30 (Workstations) cannot add a printer via TCPIP to VLAN 60 (Printers)

 

Firewall Policy is set to wide open for traffic to pass either way, but cannot connect any printer.

 

I have tried to use a NAT rule going both ways with no luck.

 

Also tried a multicast policy both ways with no luck.

 

Been going back and forth with a Fortinet tech but have gotten nowhere.

 

If more details are required, please let me know.

 

Any advice would be appreciated.


gfleming

At this point there is no evidence that the FortiGate is blocking any traffic between Windows and your Printer.

 

Next steps I would recommend:

- Try adding the printer manually. After auto discovery fails you should be able to add the printer manually. 


- Make sure printer is listening on Port 9100

- If printer is using some other protocol you may need to add it again using IPP device type

- If you want further idea of how the printer is working, run a packet capture using Wireshark on your Windows endpoint while you add the printer successfully when the endpoint is on the same VLAN. This should show you how Windows is discovering it and which protocol it is using.

 

Most likely what's happening is auto discovery is not working since the printer is not on the same subnet. Need to manually configure it basically.

Cheers,
Graham
FTAdmin
New Contributor III

I can confirm the port is on.


and the port is setup correctly.


Still unable to print.


 

 

gfleming

OK what is the error message? "Error - Prin...."

 

Can you please do packet capture but this time filter out for port 9100.

 

Also try the flow trace debug with a filter on port 9100 (diagnose debug flow filter port 9100).

 

Then try printing and see what we see in the network traffic.

 

So far we have only seen SNMP traffic and it is not getting blocked.

 

 

Cheers,
Graham
FTAdmin
New Contributor III

The full message was "Error - Printing"

 

Here is the PCAP - https://wormhole.app/Xbp5a#E42ceDN2LDeTyD5XbRFk5w

 

I used the following setting for the debug:

diag debug enable
diagnose debug flow filter saddr 10.100.30.22
diagnose debug flow filter daddr 10.100.60.40
diagnose debug flow filter port 9100
diag debug flow show iprope enable
diag debug flow trace start 100
diag debug enable

 

diag debug enable
diagnose debug flow filter port 9100
diag debug flow show iprope enable
diag debug flow trace start 100
diag debug enable

 

Both did not produce any output.
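The two flow-trace runs above only tell you something once you know what to look for in the output. As an added example (not from this thread or from Fortinet), the script below triages "diagnose debug flow trace" lines by trace_id: it reports whether any packet to a given destination port reached the FortiGate at all and, if so, whether the policy allowed or denied it. The sample trace lines are constructed in the FortiOS style for this example; the field layout is an assumption, not output from the poster's unit.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on FortiOS "diagnose debug flow trace"
# output; made up for this example, not captured from the thread's FortiGate.
TRACE_WITH_9100 = """\
id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=17, 10.100.30.22:54321->10.100.60.40:161) from vlan30. "
id=20085 trace_id=1 func=fw_forward_handler line=782 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=6, 10.100.30.22:49152->10.100.60.40:9100) from vlan30. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=fw_forward_handler line=775 msg="Denied by forward policy check (policy 0)"
"""

# Second constructed sample: SNMP only, like the thread (no port 9100 traffic at all).
TRACE_SNMP_ONLY = "\n".join(TRACE_WITH_9100.splitlines()[:2]) + "\n"

PKT_RE = re.compile(r'trace_id=(\d+) .*received a packet\(proto=(\d+), '
                    r'([\d.]+):(\d+)->([\d.]+):(\d+)\)')
VERDICT_RE = re.compile(r'trace_id=(\d+) .*msg="((?:Allowed by Policy-\d+|Denied by [^"]+))')

def triage(trace_text, dport):
    """Group flow-trace lines by trace_id and report what the FortiGate did
    with packets whose destination port is dport."""
    packets = {}                  # trace_id -> (src, sport, dst, dport)
    verdicts = defaultdict(list)  # trace_id -> list of verdict messages
    for line in trace_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            tid, proto, src, sport, dst, dp = m.groups()
            packets[tid] = (src, int(sport), dst, int(dp))
        v = VERDICT_RE.search(line)
        if v:
            verdicts[v.group(1)].append(v.group(2))
    hits = {tid: p for tid, p in packets.items() if p[3] == dport}
    denied = [t for t in hits if any(x.startswith("Denied") for x in verdicts[t])]
    allowed = [t for t in hits if any(x.startswith("Allowed") for x in verdicts[t])]
    if not hits:
        verdict = "no packets to port %d reached the FortiGate; look at the client" % dport
    elif denied:
        verdict = "FortiGate denied port %d traffic; check the matching policy" % dport
    else:
        verdict = "FortiGate allowed port %d traffic; look downstream of the firewall" % dport
    return {"seen": len(hits), "denied": len(denied),
            "allowed": len(allowed), "verdict": verdict}
```

An empty "seen" count for port 9100 is the situation described in this thread: the firewall cannot be blocking a session it never received.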

gfleming

So there is no evidence your workstation is communicating with the printer on port 9100. At this point it's not a FortiGate issue. This is a Windows issue. Need to figure out how to get Windows to communicate with the printer on port 9100.

 

It's obviously trying to poll it using SNMP and that is failing. But there should be a way to override this step and add the printer using LPP or some other protocol manually. Unfortunately not a Windows expert so I can't help much more.

 

I would suggest posing this issue in a Windows forum. The issue you are having is you are unable to add a printer to a workstation in a different subnet as the printer. The firewall is not blocking anything. Windows is, however, unable to add it for some reason.

Cheers,
Graham
FTAdmin
New Contributor III

I appreciate you helping me with this and thanks for showing me ways to trace traffic.

 

I'll post here when I have found out the actual issue.

FTAdmin
New Contributor III

I forgot to mention. The printer can be discovered and be added by IP with no issues. It's not until I move the printer into a different VLAN that the problems appear.

gfleming

Yes fully aware of the fact you can add it on the same subnet—we covered that earlier.

 

The fact that we do not see any traffic blocked on the FortiGate or any traffic on port 9100 on your captures when it's on the different subnet is pretty clear evidence that it's a Windows issue. Hence why we need to take this to a Windows forum for assistance.

 

The only thing I could suggest doing before that is comparing a packet capture from the workstation when adding the printer when it's on the local subnet and then comparing the capture with one when it's on the different subnet.

Cheers,
Graham
jintrah_FTNT

Hi,

Is NAT enabled on the policy? If not, could you try enabling NAT and check if it brings any difference?

 

Best regards,

Jin
