Hello - I hope someone can help? I have a very simple pfsense setup with my main PC on its own lan (“ADMIN”) and all my IOT and other wireless devices (including an Epson printer) on two different lans (subnets).
(My old router as a WIFI access point, did not support vlans, hence segregating using separate subnets).
I am blocking all traffic from the wifi and IOT lans to my PC since that’s what I want to keep as secure as possible.
The strange problem I have is that if I try to print from the PC, it works, but it takes AGES. Like a 2 minute delay before it starts to print. But it does work. The PC can “see” the printer and shows it as online. (This is in itself, odd. How does the PC know if the printer is online if the traffic from the printer to the PC is blocked???)
Also, I can navigate to the printer IP address and pull up the admin page, instantly. The printer is a multifunction device with scanner and I can also scan, instantly, no problem. It is only the printing which hangs for a while.
Any ideas what’s going on and why the 2 minute pause? I have tried installing the avahi package and ticking/enabling “Repeat mdns packets across subnets”… but it makes no difference.
What’s your thoughts?
Some printers expect the device to be on the same network for it to work properly.
Thanks. Is there anything I can do (short of putting the printer on my ADMIN lan - which is a no-go), to fix this rather annoying issue?
Deal with the problem, buy a different printer, or put it on the same network because in reality printers are an extremely unlikely culprit as the source of a network security incident (feel free to provide more information if you think I am incorrect about that).
Based on your rule, traffic originating from the printer to the ADMIN vlan is blocked, but traffic originated from your PC to the printer is not. That’s why you can get to the printer interface. The slowness you are seeing could be the traffic type it initially tries when sending a print job. Do you have Bonjour or LLTD configured? If so I would turn it all off and see if you get a different result. Another option would be to do a packet capture and see what is happening. I would use Wireshark on the PC and tcpdump on the pfSense. Once you understand the type of traffic the printer is using you might be able to address it.
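Following up on the packet-capture suggestion above, here is an added example (not from anyone in this thread) that sorts tcpdump output lines into discovery versus print-transport traffic, flags the multicast packets that cannot cross a subnet boundary, and measures how long the job spent before its first transport packet; the capture lines and addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump-style lines (not a real capture): a PC on 192.168.10.0/24
# printing to a printer on 192.168.20.0/24. Addresses are hypothetical.
SAMPLE_CAPTURE = """\
10:00:00.000000 IP 192.168.10.5.5353 > 224.0.0.251.5353: UDP, length 60
10:00:00.250000 IP 192.168.10.5.49152 > 239.255.255.250.3702: UDP, length 320
10:00:00.500000 IP 192.168.10.5.49153 > 192.168.20.7.161: UDP, length 44
10:02:00.000000 IP 192.168.10.5.49160 > 192.168.20.7.9100: Flags [S], seq 2, win 64240, length 0
"""

# Ports a typical print path touches: discovery/probing first, then the job transport.
DISCOVERY = {5353: "mDNS/Bonjour", 3702: "WS-Discovery", 5355: "LLMNR", 1900: "SSDP", 161: "SNMP"}
TRANSPORT = {9100: "raw/JetDirect", 631: "IPP", 515: "LPD"}

LINE_RE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP6? (\S+?)\.\d+ > (\S+?)\.(\d+): ")

def parse_line(line):
    """Return (seconds_since_midnight, src_ip, dst_ip, dst_port) or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, src, dst, dport = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), src, dst, int(dport)

def classify_capture(text):
    """Count discovery vs transport packets, list multicast-only protocols, time to first transport."""
    result = {"discovery": Counter(), "transport": Counter(),
              "multicast_only": [], "seconds_before_transport": None}
    first_ts = None
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _src, dst, dport = parsed
        first_ts = ts if first_ts is None else first_ts
        if dport in DISCOVERY:
            result["discovery"][DISCOVERY[dport]] += 1
            # Multicast (224.0.0.251, 239.255.255.250) stops at the subnet edge; no firewall
            # rule changes that, only a repeater such as avahi (mDNS only) forwards it.
            if ipaddress.ip_address(dst).is_multicast:
                result["multicast_only"].append(DISCOVERY[dport])
        elif dport in TRANSPORT:
            result["transport"][TRANSPORT[dport]] += 1
            if result["seconds_before_transport"] is None:
                result["seconds_before_transport"] = ts - first_ts
    return result
```

Feed it real output from `tcpdump -n -i <interface> host <printer-ip> or multicast` captured on the PC's subnet to see which probes the driver sends before it falls back to a direct transport connection.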
Thanks both for your answers. I could put the printer on the same lan but that would mean swapping the switch for one with more ports and that means (a) buying it, and (b) taking the network down, and yes I know not a huge deal but I was just looking for a quick software/config change if poss.
@FredFerrell I like your idea about disabling Bonjour and LLTD - both of which I can see are enabled on the printer. I’ll try that next!
EDIT: Tried it, didn’t work. I think this is wasting too much of everyone’s time and I will have to bite the bullet and just reconfigure the network.
Does it work better with any → any rules on the firewall? Might as well start the easy way and make sure traffic is flowing properly. If it doesn’t work with the firewall effectively bypassed, then something else is wrong.
Good shout. No, it still doesn’t work with Any → Any allowed.
Seems the printer just doesn’t like being on a different subnet at all.
It may be using some kind of multicast.
Also make sure ipv6 is turned on, I recently installed a piece of equipment at work that required ipv6 for remote connections. Doubtful on a printer, but worth a try if you have it turned off.
Only other thing you could maybe do is buy some computer and set it up as a print server.