Meraki

Community

Laptop (vlan 4) can't Scan Wireless in MFP (vlan 5)

Bears
Here to help
‎May 5 2025 4:09 AM
‎May 5 2025 4:09 AM

Laptop (vlan 4) can't Scan Wireless in MFP (vlan 5)

Device MX67W-HW

Firmware: MX 18.211.5

Mode: Routed

 

We setup firewall Outbound Rules, all seems ok if hosts are in same VLAN, but when we segregated it like clients and printers, the clients could not use the HP Scan app to the printer that is in Printer VLAN

 

Client VLAN 4 (Wireless/ MX Wifi)

Printer VLAN 5 (Wired/ Eth5)

 

The traffic seems not hitting the rules. What could be wrong?

Screenshot 2025-05-05 at 19.06.52.png

0 Kudos
14 Replies 14
alemabrahao
Kind of a big deal
‎May 5 2025 4:12 AM
‎May 5 2025 4:12 AM

Are you allowing Local LAN in the SSID firewall configuration?

alemabrahao_0-1746443536975.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Bears
Here to help
‎May 5 2025 4:23 AM
‎May 5 2025 4:23 AM

I can't see this in my view, Where is this specifically?

0 Kudos
In response to Bears
alemabrahao
Kind of a big deal
‎May 5 2025 4:31 AM
‎May 5 2025 4:31 AM

The 'Deny Local LAN' function located under Wireless> Configure > Firewall & traffic shaping 

 

https://documentation.meraki.com/MR/Firewall_and_Traffic_Shaping/'Deny_Local_LAN'_settings_in_Cisco_...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to Bears
alemabrahao
Kind of a big deal
‎May 5 2025 4:33 AM
‎May 5 2025 4:33 AM

Now that I realize, you are using an MX wifi.

This may be a version bug, I have had this problem in the past. I advise you to open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Bears
Here to help
‎May 5 2025 5:15 AM
‎May 5 2025 5:15 AM

yes im using the MX Wifi. Thanks for the efforts in sharing solutions. I'll open a case then. Cheers!

0 Kudos
In response to Bears
alemabrahao
Kind of a big deal
‎May 5 2025 4:37 AM
‎May 5 2025 4:37 AM

Some scanning applications use multicast or broadcast traffic, which may need to be allowed between VLANs, but I still suggest you do packet capture anyway and also open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
‎May 5 2025 4:16 AM
‎May 5 2025 4:16 AM

I also recommend that you capture traffic on both VLAN interfaces to see if packets are being sent and received correctly.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Main10ence
Meraki Employee
Meraki Employee
‎May 5 2025 5:23 AM
‎May 5 2025 5:23 AM

I agree with @alemabrahao. I would start with Wireshark packet capture to follow and investigate the traffic between VLANs.

 

Is VLAN 4 able to ping users in VLAN 5? What about vice versa?

.ılı.ılı. Cisco Meraki
Network Support Engineer

"The future favors the bold."
0 Kudos
In response to Main10ence
Bears
Here to help
‎May 5 2025 5:31 AM
‎May 5 2025 5:31 AM

yes the clients can ping the printers. i'll try to run a packet capture.

0 Kudos
In response to Bears
alemabrahao
Kind of a big deal
‎May 5 2025 5:44 AM
‎May 5 2025 5:44 AM

What @ww suggested is a good try to.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to Bears
Main10ence
Meraki Employee
Meraki Employee
‎May 5 2025 6:55 AM
‎May 5 2025 6:55 AM

As a workaround, we can try using the private IP of the printer when configuring on the client device.

 

When searching through the Wireshark packet capture, we are looking for mDNS and if it's being broadcast on either VLAN. 

.ılı.ılı. Cisco Meraki
Network Support Engineer

"The future favors the bold."
0 Kudos
ww
Kind of a big deal
Kind of a big deal
‎May 5 2025 5:18 AM
‎May 5 2025 5:18 AM

You could try enabling this between the vlans.  

 

 

https://documentation.meraki.com/MX/Other_Topics/Configuring_Bonjour_forwarding_for_the_MX_Security_...

 

0 Kudos
In response to ww
Bears
Here to help
‎May 5 2025 6:03 AM
‎May 5 2025 6:03 AM

thanks bro but it doesn't worked. i tested multiple options but still failed.

0 Kudos
Brash
Kind of a big deal
Kind of a big deal
‎May 5 2025 4:27 PM
‎May 5 2025 4:27 PM

The app is most likely using multicast to perform discovery and initial connection to the printer.

As @ww mentioned, bonjour forwarding can be used to send multicast across VLANs (although in my experience it's not always quick/reliable).

Opening a support case and using packet captures is probably the best way to confirm.

If VLAN segmentation between clients and the printer is required, you might be better off either:

 - Pointing the clients directly to the printer (if it's just a single printer)

 - Setting up a print server to manage the printers, and pointing the clients to that (if you have multiple printers)

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.