From the docs it looks like this might work, but wanted to check here before trying it out.
TL;DR version: Will a VIP between VLANs on the FortiGate (5.4.6) do both proxy-ARP and forwarding of L2 unicast and broadcast? How about multicast?
Longer version:
I've got a couple of networked printers in a separate VLAN and subnet, accessed by IP through the FortiGate from a secure LAN with its own VLAN and subnet. I only allow initiation of the connection from the LAN side, not the printer side. This works okay, except for two things. Adding a Windows 10 printer tends to fail to find the printer, even when given its IP, and the printers' remote scanning software fails completely if the printer isn't in the same subnet.
So, I'm considering creating a VIP on the lan side mapped to each of the printers in the printer vlan. This still lets me control initiation of the connection through security policies (with match-vip as needed) and I think should allow the Windows 10 printer drivers to think the printer is within their own subnet.
Does this seem reasonable? I'm open to suggestions for a better way to handle this.
I guess you are adding a win10 printer to the printer's VLAN? I would sniff the traffic on both ends (src & dst) in order to identify the root cause of the failure. I suspect the printer is requiring multicast forwarding. Ref. http://help.fortinet.com/...icast%20forwarding.htm
Hi packetpusher,
Already sniffed the traffic and saw some mDNS and Bonjour. However, enabling multicast forwarding and providing the security policies for the attempted traffic still didn't allow the printer driver to install. I didn't try it with multicast-ttl-notchange enabled though.
Note that once I've forced the printer setup in Windows 10 (manual, never letting Windows attempt to identify the printer or it dies) printing works just fine. It's remote scanning that then fails (with or without multicast forwarding). It appears the problem has to do with the Windows 10 scanning software (Canon) assuming the scanner's IP is in the local subnet, even though the IP I give it is in the printers subnet. Hence my interest in VIP and proxy-arp.
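For reference, here is what the setup discussed in this thread looks like in FortiOS 5.4 CLI. This is an added example, not configuration posted by either participant. The interface names ("lan", "printers"), the subnets (10.10.10.0/24 for the LAN, 10.20.20.0/24 for the printer VLAN), the printer address 10.20.20.50 and the VIP address 10.10.10.50 are all assumed for illustration; adjust them to your own addressing.

```fortios
# Added example (not from the thread). Interface names, subnets and
# addresses below are assumptions for illustration only.

# 1. A VIP that presents the printer (10.20.20.50, printer VLAN) as
#    10.10.10.50 inside the LAN subnet. With arp-reply enabled the
#    FortiGate answers ARP for 10.10.10.50 on the "lan" interface
#    (proxy-ARP), so a Windows client treats the printer as on-link.
config firewall vip
    edit "vip-printer1"
        set extip 10.10.10.50
        set extintf "lan"
        set mappedip "10.20.20.50"
        set arp-reply enable
        set portforward disable
    next
end

# 2. Multicast forwarding (per-VDOM). This is the setting referred to in
#    the thread; multicast-ttl-notchange keeps the TTL from being
#    decremented, which matters for link-local discovery traffic (mDNS
#    uses TTL 255 and listeners may discard packets with a lower TTL).
config system settings
    set multicast-forward enable
    set multicast-ttl-notchange enable
end

# 3. Only the LAN may initiate: accept lan -> printers via the VIP,
#    and an explicit deny with match-vip for anything else aimed at
#    the VIP address. (Note the printer-originated direction is left
#    with no accept policy, so it stays blocked as the thread intends.)
config firewall address
    edit "lan-subnet"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall policy
    edit 10
        set name "lan-to-printer-vip"
        set srcintf "lan"
        set dstintf "printers"
        set srcaddr "lan-subnet"
        set dstaddr "vip-printer1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "deny-other-to-printer-vip"
        set srcintf "any"
        set dstintf "printers"
        set srcaddr "all"
        set dstaddr "vip-printer1"
        set action deny
        set match-vip enable
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two caveats a practitioner will want to check before relying on this. First, a VIP is a layer-3 destination NAT: proxy-ARP makes the client send its unicast frames to the FortiGate's MAC, but nothing here bridges layer-2 broadcast or multicast between the VLANs, so subnet-scoped discovery (mDNS/Bonjour) still does not cross by virtue of the VIP alone. Second, any connection the printer itself originates towards a LAN host arrives from 10.20.20.50, not from the VIP address, unless a separate printers-to-LAN policy with source NAT is added; the configuration above deliberately leaves that direction without an accept policy. Verify the ARP side from a LAN host with `arp -a` after pinging 10.10.10.50 and confirm the answering MAC belongs to the FortiGate's "lan" interface.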
So, it sounds like there is an issue with the application layer not related to the normal network operations. Any windows related articles or applied fixes?
Haven't found anything useful yet. Mostly lots of unresolved complaints about canon drivers when dealing with different subnets.
If you place both the printer and the client on the same subnet, does it work? Capture the traffic and compare with when the printer is on a different subnet.
Yes, it worked when they were on the same subnet. The printer is currently in use (as a printer, not a scanner) on the other subnet right now, so don't know when I'll be able to test it on the same subnet.
Take your time and let's figure this out :)