Printer on 2 networks

alexsmith2709

Firstly, I'm not sure if what I want to do is possible, but I hope I can word it in a way people will understand!
In my shop we do a lot of printing for customers, so they'll send us the documents by email and we will print and it's OK most of the time, but there are a few websites that don't allow saving of a PDF for things like tickets, only a print option, and many customers don't seem to be able to copy our email address correctly despite it being written in front of them.

What I would like to do is connect our printer to our customer WiFi (using an ethernet connection) but also keep it on our private network at the same time. That way people can use AirPrint/print plugins for other phones and tablets instead of emailing us first. This will save time and make it easier for me to charge customers for reprints because their bad explanations of what they want won't be my fault!
I thought about using HP ePrint as we have an HP printer, but that also prints out the actual email, not just the attachment, with no way to customise (at least there wasn't when I last looked).

Currently my customer WiFi is just a different SSID from the same router with "Internet Only", no LAN access. Is there a way to have the printer, which is connected by ethernet to this router, be accessible from both SSIDs?
 
It's certainly possible to allow both the private and public networks to access the printer, but how to do it will depend on the router/firewall you're using. You could create a separate subnet/VLAN and routing/firewall rules to enable only packets between the printer (on the private subnet) and the public subnet to be routed. Or, you could simply keep everything on one subnet and use firewall rules to disallow connections from the public IP address range to the range of IP addresses reserved for private use.
 
The catch is you'll have to be able to have the printer "advertise" its services, à la Bonjour and whatever other mechanisms are used. From what I remember you can't specify a printer IP address on an iPhone. Not sure about Droid.
 

Yup...depends on what equip you have. For example, with Ubiquiti Unifi...you can have a "guest" network (such as your customer wifi)..and in the Unifi controller there's a section where you can pre-authorize IPs on your default LAN, to be available to the guest network. Such as a printer!
 
I like where you’re headed with this, my only addition would be to put the printer on its own VLAN with DMZ-esque to it to make it more organized and it will always default to the nature of networking principles. I’ll explain what I mean by this while I explain how I’d set it up.

Three VLANs (inside, clients, printers)
- inside can access inside, printers, and outside. That way you can still print, and your internal network can still operate as an internal network and you’ll still have internet access
- clients can access printers and outside (if you want). This way clients will NEVER touch your inside net, and if for some crazy reason your printer changes IPs or you mess up your DHCP allocation, your client net won’t have access to anything on your inside net

Also, unless you have a reason for it, I would be blocking client machines from accessing other client machines. For example: client A is on the client VLAN and client B is on the client network, but A cannot talk to B or vice versa.
Say one of your clients has a worm, would you want that to spread across all of your other client machines?

Finally, printers would only have access to the outside, and I would lock down to only some of the ports, DNS, Discovery, and update protocols.

But I think if you were unsure of how to print to a PDF, you should probably sub it to a networking guy. So it’s done correctly. Don’t ever feel like you have to do everything. Ask for help, know your capabilities, and leave something that’s far out of your comfort zone to someone whose niche it is.

It’s just my .02, take it for what it’s worth. That wasn’t meant to offend you in any way, that’s just my honest opinion as an outsider looking in based on what was posted. You may be a stellar network tech and just had a brain fart, I don’t know
 
Completely agree with Mark here... why bother with replacing equipment, configuring vlans, futzing with GooglePrint or HP ePrint... just buy a customer printer...
 
Thanks for all the suggestions. A couple of them are definitely possibilities.
@Tech Savvy I know how to print to a PDF; what I meant by websites not allowing to save a PDF is that certain ticketing/travel websites don't have a downloadable PDF option, only to print. Explaining to customers how to print to PDF and then attach that to an email when using a phone (particularly iPhone pre iOS that had a file browser) is more difficult than you can imagine! My aim of this exercise is to minimise the amount of work I have to do during a print job.
While I am not as experienced in networking as other areas, I know some basics and am really just getting an idea of whether this type of setup is possible and what equipment may be needed. No offence taken by your comments.

Getting another printer is not an option; my printer is high spec and worth £4000 when I bought it a few years ago and it is used for everything from one-off prints to print jobs with multiple thousand pages.
 
OK - I think @Tech Savvy nailed the VLAN approach.

But maybe your printer has WiFi Direct? Or maybe it has Google Printing options (although it sounds like you might be printing more complex jobs, in which case GPrint may not be appropriate). Can your printer support both wireless and wired connections simultaneously?

We don't know what networking equipment you have (or even what $5k printer you have), and @YeOldeStonecat mentioned a nice setting in the Ubiquiti line-up (which also supports multiple VLANs in a single unit).

If you want to track customer print jobs, I am not sure how you are going to accomplish this with iOS AirPrint and direct-to-printer printing.

Do you have a print server on-premise? There might be some options there worth exploring.

[adding]

If you connect a Mac to the network (private) and add the printer to that Mac and then enable a HotSpot on the Mac w/ Printer Sharing enabled, the customer could connect to the "Mac WiFi" hotspot, and then AirPrint through that connection to the one and only shared printer. They wouldn't have access to the rest of your private network as you would have file sharing etc. turned off.
 
@Mainstay The printer does not currently have WiFi, only ethernet and USB, but there is a WiFi module I can buy if needed.
Currently I only have a cheap Asus router (DSL N10 B1) but this is changing soon as I'm switching to fibre broadband. I have the HP M775F printer. I do not have a print server.
I don't need to keep track of the printing so this is not an issue. No Macs on the private network.
The Ubiquiti option is looking like my preferable option at the moment as I was looking to boost the signal to the customer WiFi at some point too, so this might kill two birds with one stone.
 
Sorry to bring this up again, I allowed this to go to the back burner but now I have a new printer and am looking to sort this again.
@YeOldeStonecat what Ubiquiti UniFi device would you recommend? I have a small shop (a few hundred sq ft), currently running with the stock Virgin Media router which is a Hitron CGNV4-FX4 router but happy to put this in modem mode and buy a better router if needed. If there is a decent UniFi device that would work without changing router this is better for my wallet! I have a couple of switches installed to give me extra ethernet ports.
I would like to start selling UniFi devices as I've heard lots of good things and I think getting one would allow me to learn about them beforehand.

To clarify what I am trying to achieve:
3 x Windows 10 computers all need to be connected to this printer
Obviously all our other equipment to be allowed printer access and internet access
Customers need to connect to this printer
Customers should not be allowed to connect to our private LAN
Customers should be allowed access to the outside internet
Customer laptops etc. that we are fixing to be allowed internet access but not to our private network or each other (although unlikely these days but to protect against malware spreading through the network).
 
currently running with the stock Virgin Media router which is a Hitron CGNV4-FX4 router but happy to put this in modem mode and buy a better router if needed
I'd certainly start by replacing that with a decent business-grade router. My personal preference would be a DrayTek.

With a DrayTek router you just need to ...
  • Create the public and private subnets
  • Assign separate physical network ports on the router for the 2 subnets
  • Enable inter-LAN routing between the 2 subnets
  • Create a block ('if no further match') rule in the firewall to block all traffic between the subnets by default
  • Create 'allow' rules between subnets/IP ranges and the printer as required*
*You can actually just create a one-way firewall rule at this point if you want to keep it simple. You just allow all traffic 'from' the private subnet 'to' the public subnet, which will continue to block any traffic from public to private that was not initiated by (i.e. not replying to) a device on the private subnet.
 
OK, I think I understand, but I'm not a networking guy and I've never dealt with this sort of stuff so I don't really know what I'm doing!
Do you have any recommendations for a DrayTek router that will do wired and wireless? I have Virgin Media fibre.
From what I understand each switch I'm using will have to be on a separate subnet? For example, can I have device A connected to switch A, device B connected to switch B, device C connected to switch B, but have device A and C on the same subnet and device B on another?
Can I have a wireless network on my public subnet and another wireless network on my private subnet?
 
Any of the cheaper DrayTek units will do. Perhaps the Vigor 2862ac if you're going to use the router for wireless. For a more sophisticated setup and wider WiFi coverage, personally I'd throw in some UniFi wireless APs, but DrayTek routers are very capable and do have good wireless range.

You can actually use a single network switch IF you either use managed switches and VLANs, OR you disable DHCP on all but one of the subnets. In the latter case, you can assign both/all subnets to one/all DrayTek ports, send everything through one switch and turn DHCP on for the public network (only). To access the private network, you would configure static IPs (on the private subnet) for any device that needs to connect to it. The downside of this approach is the security risk that someone who knows the private subnet address range could do the same.

So, if you want to keep it simple, yes, one switch for each subnet will work, with an uplink from separate physical router ports. I do this all the time with DrayTek routers, usually with separate subnets, ports and switches for CCTV, IP Phones, etc.

Here's a Vigor 2862ac I've been working on recently. Bit of a work-in-progress, but it's mostly complete ...


Here I have a number of subnets, some of which are assigned to different physical ports (for isolation and to allow DHCP to be enabled). So LAN1 is the main (private) subnet, LAN2 is currently reserved/unused, LAN3 is for IP phones, LAN4 is for CCTV, LAN5 is for device management (network switches, server LOM, etc), LAN6 is for admin VPN access, LAN7 is for user VPN access and LAN8 is for public WiFi.

DrayTek-LAN-General.PNG


Here's what the physical port assignment looks like (physical ports are P1 to P4). Don't let the VLAN name put you off; you don't have to understand VLANs or configure any VLAN settings on your switches to use this. Note that VLAN7 (LAN8) is what connects the public WiFi to the public subnet.


DrayTek-VLAN.PNG

Once you've done this you would then configure firewall rules. The DrayTek way is to initially allow the subnets to communicate (using the inter-LAN settings above), then you create a default firewall rule to block them again. Once you've done that, you simply create exception rules (that take priority over the default block rules) to allow access as needed.
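
An added example (not from any poster, and not DrayTek or UniFi configuration): a small Python model of the three-VLAN access policy and the default-block-then-allow rule order described in this thread, so the shop's access matrix can be checked before any router is touched. The subnets, port choices and the `Router` class are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (an assumption; the thread gives no addresses).
ZONES = {
    "inside": ip_network("192.168.10.0/24"),
    "clients": ip_network("192.168.20.0/24"),
    "printers": ip_network("192.168.30.0/24"),
}
LOCAL = ip_network("192.168.0.0/16")      # covers every internal subnet
ANY = ip_network("0.0.0.0/0")
MDNS_SCOPE = ip_network("224.0.0.0/24")   # link-local multicast, includes Bonjour's 224.0.0.251
PRINT = {631, 9100}                       # IPP (used by AirPrint) and raw port 9100

# Ordered rules, first match wins: (action, source, destination, ports or None for any port).
RULES = [
    ("allow", ZONES["inside"], ZONES["printers"], None),
    ("allow", ZONES["clients"], ZONES["printers"], PRINT),
    ("block", LOCAL, LOCAL, None),                  # default block between subnets
    ("allow", ZONES["printers"], ANY, {53, 443}),   # printer: DNS and updates only (assumed ports)
    ("block", ZONES["printers"], ANY, None),
    ("allow", LOCAL, ANY, None),                    # inside and clients: internet access
]

def zone_of(addr):
    """Return the internal zone that holds addr, or 'outside'."""
    return next((name for name, net in ZONES.items() if addr in net), "outside")

class Router:
    """Hypothetical stateful router; state is tracked per address pair for brevity."""

    def __init__(self):
        self.established = set()   # (initiator, responder) pairs already allowed

    def decide(self, src, dst, port):
        s, d = ip_address(src), ip_address(dst)
        same_zone = zone_of(s) == zone_of(d) and zone_of(s) != "outside"
        if same_zone or d in MDNS_SCOPE:
            return "not-routed"    # stays on its own segment; these rules never see it
        if (d, s) in self.established:
            return "allow"         # reply to a connection the other side opened
        for action, src_net, dst_net, ports in RULES:
            if s in src_net and d in dst_net and (ports is None or port in ports):
                if action == "allow":
                    self.established.add((s, d))
                return action
        return "block"             # nothing matched
```

The `not-routed` results mark the two requirements that inter-subnet firewall rules cannot deliver on their own: client-to-client isolation has to be enforced on the access point or switch, and Bonjour discovery needs an mDNS repeater because its multicast does not cross subnets.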
 
Thanks, I think that all makes sense. The screenshots definitely help. I might order the Vigor 2862ac next week if my supplier still has them in stock.
This also seems like a good experience for me and to gain knowledge of setting things up like this.
 
DrayTek routers are perfect for that, IMO, in that the learning curve is quite small for basic configurations, yet there are lots of advanced features if you really want to get your hands dirty. And they don't hide away the advanced stuff behind nice graphical wizards either. I love modern interfaces as much as the next man but they can be severely restrictive and they don't teach you anything about networking. DrayTek routers have a few wizards but in general they're much more old school. That's not to say they're difficult to work with, just that they have a lot more advanced features than most, if you choose to use them. I work with DrayTek routers every day and I'm very familiar with them so shout if you get stuck.
 
I appreciate that. My only supplier that stocks DrayTek had one in stock yesterday but this morning it's gone, so hopefully they'll restock soon. If not, what is a close alternative to that model? Having never even looked at DrayTek before, I have no idea!
 
BroadbandBuyer are pretty competitive and have plenty of stock:

Alternatively, there's the more expensive 2862LAC model, if your supplier has that? The 2862LAC is the same as the 2862AC but with the added benefit of a built-in LTE modem (which is useful for setting up fail-over to mobile broadband).

There's also the 2926/7 range, but they're Ethernet WAN only (no ADSL/VDSL). The full range is here:
 