What is the best configuration for securing a Wi-Fi printer

I need some additional advice on network security for a Wi-Fi printer. Back in 2017, a very useful “Guide to setting up VLANs for Printing with Firewall isolation” (12427) was posted and I have set up my home Balance 20x router accordingly. The only difference is my home printer is Wi-Fi enabled and resides on its own VLAN that is assigned an SSID. Bonjour Service is enabled between my untagged LAN and the printer VLAN with inter-VLAN routing enabled for both. Everything works fine. My questions follow. By employing Wi-Fi printing and enabling Bonjour Service with inter-VLAN routing, have I basically negated some network security? Would it be simpler and just as secure to simply put the Wi-Fi printer on my untagged network and employ outbound and inbound firewall rules per the 2017 “Guide”?

Thanks for your consideration.

1 Like

Hey @Lindsey_Wess !

In short, having your printer on a separate VLAN is good. Printers are a somewhat common attack vector. Having mDNS (Bonjour) from your private/secure VLAN to your printer VLAN is fine.

Let’s assume for a second that Wi-Fi is inherently secure. What you have done is fine and dandy, but the security issue actually sits in the statement you made, “with inter-VLAN routing enabled for both.” Inter-VLAN routing allows your printer to communicate back to your untagged VLAN at any time for any reason. You would need to disable inter-VLAN routing on your printer VLAN and be sure to allow only required ports. If you’re printing via Wi-Fi using Bonjour, I’m going to assume you’re using AirPrint (i.e., you have a Mac or iPhone). If so, the only ports required will be UDP 5353 (this you have already enabled via Bonjour forwarding) and TCP 631 for Internet Printing Protocol (IPP). This should be all you need to enable printing from your untagged VLAN to your printer VLAN while Bonjour forwarding is enabled and inter-VLAN routing is disabled 🙂

Hope this helps!

2 Likes

Hi Christopher.

Thanks for the prompt reply. I have tried and have not been able to print across VLANs without enabling Inter-VLAN routing on both source and client networks. Can you please step me through your recommendation for enabling TCP 631 and UDP 5353 ports after disabling Inter-VLAN routing? My expertise is limited here and I don’t understand how this would work.

Just to reiterate my earlier post, Dowling’s 2017 instructions (12427) enable Inter-VLAN routing and then employ firewall rules to restrict all outbound and internal traffic on the printer VLAN. When these rules are in place, the printer VLAN has no access to the Internet, nor can the printer VLAN access my untagged VLAN. I don’t know the intricacies of Inter-VLAN routing and Layer 3 protocol on the Peplink router as it relates to security in general and firewall rules in particular.

Thanks, Christopher.

Apologies, I made a mistake and you are correct! Inter-VLAN routing is required here, but you do need to allow TCP 631 and then deny all after that to keep your VLANs separated 🙂

1 Like
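The policy the two replies above converge on (inter-VLAN routing on, allow TCP 631 from the untagged LAN to the printer VLAN, then deny everything else to or from the printer VLAN, with UDP 5353 handled by the router's Bonjour forwarding rather than by a routed rule) can be checked on paper before touching the router. The following is an added example, not code from this thread or from Peplink: it models an ordered, first-match rule set and runs a few constructed flows through it so you can see which direction each rule blocks. The subnets, host addresses and rule names are assumptions; substitute your own VLAN subnets, and note that the "default-allow" fallback stands in for whatever your router's configurable default rule is.

```python
"""Model of the printer-VLAN firewall policy from this thread, applied to sample flows.

Only the first packet of each flow (the connection attempt) is modelled: a stateful
firewall permits the printer's replies to an allowed IPP session automatically, so
no separate "printer -> LAN" allow rule is needed for printing to work.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed example addressing; substitute your own VLAN subnets.
LAN = ip_network("192.168.1.0/24")            # untagged LAN (Macs, iPhones)
PRINTER_VLAN = ip_network("192.168.20.0/24")  # printer SSID / VLAN
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]   # None = any protocol
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in self.src
                and ip_address(flow.dst) in self.dst
                and self.proto in (None, flow.proto)
                and self.dport in (None, flow.dport))


# Inter-VLAN ("internal") rules, evaluated top to bottom, first match wins.
# UDP 5353 is not listed: mDNS is link-local multicast and is never routed; the
# router's Bonjour forwarding service relays it between the two VLANs instead.
INTERNAL_RULES = [
    Rule("allow-ipp", LAN, PRINTER_VLAN, "tcp", 631, "allow"),    # AirPrint / IPP
    Rule("deny-printer-vlan", PRINTER_VLAN, ANY, None, None, "deny"),  # printer may not initiate anything
    Rule("deny-lan-to-printer-other", LAN, PRINTER_VLAN, None, None, "deny"),  # only IPP reaches the printer
]

# Outbound (to WAN) rules: the printer VLAN gets no Internet access.
OUTBOUND_RULES = [
    Rule("deny-printer-internet", PRINTER_VLAN, ANY, None, None, "deny"),
]


def is_local(addr: str) -> bool:
    ip = ip_address(addr)
    return ip in LAN or ip in PRINTER_VLAN


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (action, rule_name) for the first rule that matches the flow."""
    rules = INTERNAL_RULES if is_local(flow.dst) else OUTBOUND_RULES
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    # Assumed fallback; on a real router the configurable default rule applies here.
    return "allow", "default-allow"


# Constructed flows: a Mac on the LAN, the printer, and an external web server.
SAMPLE_FLOWS = {
    "mac prints via IPP":        Flow("192.168.1.10", "192.168.20.5", "tcp", 631),
    "mac tries raw port 9100":   Flow("192.168.1.10", "192.168.20.5", "tcp", 9100),
    "printer probes mac SMB":    Flow("192.168.20.5", "192.168.1.10", "tcp", 445),
    "printer phones home":       Flow("192.168.20.5", "203.0.113.7", "tcp", 443),
    "mac browses the web":       Flow("192.168.1.10", "203.0.113.7", "tcp", 443),
}


def audit() -> dict:
    """Evaluate every sample flow; returns {description: (action, rule_name)}."""
    return {desc: evaluate(flow) for desc, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for desc, (action, rule) in audit().items():
        print(f"{desc:28s} -> {action:5s} ({rule})")
```

The ordering is the whole point: if the deny rule for the printer VLAN sat above the IPP allow, printing would fail even with inter-VLAN routing enabled, and if the IPP allow were widened to "any port" the printer VLAN would be reachable on every service the printer exposes, not just the one you use.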

Thanks again, Christopher.