Inter-VLAN IP translating/forwarding, is it currently possible?

Hello folks,
I will make this simple: I have this small location that has been set up with a balance20x and 4 VLANs. The VLANs are used for different groups of users and devices that are independent (until now, see below), so the VLANs were set up with inter-VLAN routing turned off and (I know it is redundant) internal firewall rules to block traffic between the associated subnets. That worked great until now…

I recently cost-reduced the printers and replaced three printers, which used to be on a specific VLAN each to serve that VLAN's clients, with one single larger printer to serve all three of those VLANs.

I would like to avoid opening interVLAN routing because I don’t trust some of the devices and I don’t even want to tell those users about the IPs of other existing subnets, so I was hoping there was a way to create some kind of IP forwarding where each VLAN would see the printer at an IP in their VLAN space, but yet traffic to that IP would end up being translated and sent to the printer which is truly connected to the first VLAN. And the same backward for response traffic from the printer. This would be similar to NAT’ed traffic on the WAN port. I suspect this is not possible, but I thought it was worth double checking.

If this isn’t possible, I guess my only choice would be to turn on InterVLAN routing (does this have to be done on all VLANs including the one hosting the printer so that it can respond back, or only from the VLANs initiating the connection?), and use firewall rules to limit any interVLAN traffic to be to and from that printer only.

If anyone has any thoughts on this, including other potential options, I would love to hear them. Thanks!

NATing from one LAN subnet to another is available, it's called Virtual Network Mapping, but to do that both ways around subnet-to-subnet is a lot of complexity to introduce (and will, underneath that, still require inter-VLAN routing to be enabled).

In that scenario you might be better off moving the printers to a new “printer” vlan and allowing interVLAN routing to that vlan from all vlans.

Or use something like Printix to do print management that doesn't require the endpoints to see the printers directly at all (it proxies the print jobs via an agent who can see it, so the print jobs from each other VLAN would be proxied via Printix to the right VLAN).


Thank you for the reply. I hadn’t realized you could use Virtual Network Mapping locally. I thought that was to translate entire subnets when using an SFC connection to a remote network to resolve conflicts when remote subnets have the same address as local subnets. I did not know you could also map a single IP to another (or multiple) subnet(s). I have to look into it.
The other solution you mention, to put the Printer on a standalone VLAN of its own is probably simpler indeed. I guess I would have to enable Inter VLAN routing on all VLANs. My understanding is that even responses to established sessions would be dropped if Inter-VLAN routing is not enabled on the printer VLAN, correct?
I could then put firewall rules to by default block all cross VLAN routing (I already have those in place) and add additional rules before that to enable traffic from VLANs to the printer IP address. It does not seem I need a rule to allow TCP traffic from the printer to VLANs since it does not initiate traffic. My understanding is that the internal firewall is stateful and only intervenes on new sessions being created, so once a session is established, return traffic from the printer will be allowed even without a specific allow rule, right? The only other things I might need to do is enable some UDP relays from the printer LAN to the other LANs, and an allow rule for UDP from the printer to the VLANs to allow the various discovery protocols to work, correct?
What I like about your approach is that I only have to let people/devices know about that printer subnet and not about the others.
Printix, looks interesting but it is really overkill for that small location. I’ll keep it in mind if the network complexity grows, especially if I start connecting other remote sites and/or more clients.
Thank you for putting me on track.

For inter-VLAN routing, yes, it would have to be enabled for all VLANs involved; if it's disabled you would not be able to route in or out of the VLAN.

For discovery (like AirPrint), you can use Bonjour forwarding (which is in InControl2 under Network Settings → LAN Network Settings → Bonjour Forwarding).

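To make the stateful rule ordering discussed above concrete, here is an added model (not Peplink code, and not from anyone in this thread) of the policy the second post describes: an ordered rule table with an allow rule for user VLANs to the printer placed before a default inter-VLAN deny, and a session table so that the printer's replies pass without their own allow rule while printer-initiated connections are still blocked. The subnets, printer address and print ports are assumptions chosen for illustration.

```python
"""Model of the stateful inter-VLAN firewall policy from the thread.

Constructed example. The subnets, the printer's address and the service
ports below are assumptions for illustration, not values from the thread.
"""
import ipaddress

PRINTER_IP = ipaddress.ip_address("192.168.10.20")       # assumed: host on the printer VLAN
USER_VLANS = [ipaddress.ip_network(n) for n in
              ("192.168.20.0/24", "192.168.30.0/24", "192.168.40.0/24")]
PRINT_PORTS = {("tcp", 9100), ("tcp", 631)}               # assumed: raw printing and IPP


def _to_printer(f):
    """True for a new connection from any user VLAN to the printer's print ports."""
    return (any(f["src"] in v for v in USER_VLANS)
            and f["dst"] == PRINTER_IP
            and (f["proto"], f["dport"]) in PRINT_PORTS)


# Ordered rule table, first match wins: the specific allow sits above the default deny.
RULES = [
    ("allow-print", _to_printer, "allow"),
    ("deny-inter-vlan", lambda f: True, "deny"),           # default: block all other cross-VLAN traffic
]


class StatefulFirewall:
    """Evaluates rules only for the first packet of a flow; replies follow the session."""

    def __init__(self):
        self.sessions = set()                              # 5-tuples of allowed flows

    def check(self, src, dst, proto, sport, dport):
        flow = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                "proto": proto, "sport": sport, "dport": dport}
        key = (flow["src"], flow["dst"], proto, sport, dport)
        reverse = (flow["dst"], flow["src"], proto, dport, sport)
        if reverse in self.sessions:                       # return traffic of an allowed session
            return "allow (established)"
        for name, match, action in RULES:                  # otherwise consult the rule table in order
            if match(flow):
                if action == "allow":
                    self.sessions.add(key)                 # remember the session for its replies
                return f"{action} ({name})"
        return "deny"
```

Running the same printer-to-client 5-tuple before any client has opened a session shows why no "printer to VLANs" TCP allow rule is needed: it is denied as a new flow but allowed as a reply.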

Thanks for confirming I am now thinking in the right direction. I should be able to get this working.
