Hi,
I have set up separate VLANs, with 3 requiring access to a Xerox VersaLink printer on its own VLAN.
I have followed all the port rules and added them into the portal, but my print jobs don't arrive.
I can add the printer, ping the printer, ping the hostname of the printer, but the jobs never arrive and it puts up an error with no detail.
Ran Wireshark and the packet capture on the MX, but it shows the ports I've already opened.
Allowed ports 443, 8800, 8801, 8802, 9100, 515, 25 and 631 TCP
9807, 53 and 161 UDP
Can anyone advise please?
Have you tried putting the printer on the allowed list?
Hi Alemabrahao,
Just added it to the whitelist and still the same. I'll upload the rules I've added later today to show what's been set up.
Thanks for the advice.
Hi,
Looks like the issue is all down to DNS of the printer. We can ping it but can't ping the hostname. If you edit the hosts file on a laptop you can see the jobs appear on the printer, but not if no host is added. It would be great if this could be put into the Meraki so that when users connect they get this info, but it doesn't look like this is possible unless we put in a DNS server or manually add this to any clients that join the network; however, that's not possible for casual site visitors. The Meraki can't ping the hostname either, so we now need to find a workaround without manually adding the hosts file or a DNS server. Any ideas?
We've streamlined the rules; whitelisting was added but didn't make a difference, so it's now removed.
Cheers for advice everyone
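One way to separate the two failure modes discussed in this thread (blocked ports versus hostname resolution) from a Windows client, as an added example that is not part of any poster's message. The printer name and IP are constructed placeholders, and the port list is taken from the ports quoted in the thread.

```powershell
# Added diagnostic sketch; name and IP below are constructed placeholders.
param(
    [string]$PrinterName = 'printer-hostname.example',  # placeholder hostname
    [string]$PrinterIp   = '192.0.2.10',                # placeholder IP (documentation range)
    [int[]] $TcpPorts    = @(515, 631, 9100)            # LPD, IPP and raw-print ports from the thread
)

# Resolve the name under one lookup mode and report whether an A record came back.
function Test-NameResolution {
    param([string]$Name, [hashtable]$Options)
    $answer = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue @Options |
        Where-Object { $_.IPAddress }
    [pscustomobject]@{
        Resolved  = [bool]$answer
        Addresses = @($answer.IPAddress) -join ', '
    }
}

# Three modes: what the client normally does, the same without the hosts file,
# and the configured DNS server alone (no hosts file, no LLMNR/NetBIOS).
$modes = [ordered]@{
    'Default lookup'     = @{}
    'Hosts file skipped' = @{ NoHostsFile = $true }
    'DNS server only'    = @{ NoHostsFile = $true; DnsOnly = $true }
}
$names = foreach ($mode in $modes.GetEnumerator()) {
    $r = Test-NameResolution -Name $PrinterName -Options $mode.Value
    [pscustomobject]@{ Mode = $mode.Key; Resolved = $r.Resolved; Addresses = $r.Addresses }
}

# Test the print ports by IP so the firewall result does not depend on the name.
$ports = foreach ($port in $TcpPorts) {
    $t = Test-NetConnection -ComputerName $PrinterIp -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Open = $t.TcpTestSucceeded }
}

$names | Format-Table -AutoSize
$ports | Format-Table -AutoSize

$portsOpen  = @($ports | Where-Object Open).Count -gt 0
$dnsAnswers = ($names | Where-Object Mode -eq 'DNS server only').Resolved
if ($portsOpen -and -not $dnsAnswers) {
    'Ports reachable by IP but no DNS answer for the name: fix name resolution, not the firewall rules.'
} elseif (-not $portsOpen) {
    'No print port reachable by IP: review the inter-VLAN rules first.'
} else {
    'Name resolves via DNS and ports are open: look elsewhere, e.g. the printer port settings on the client.'
}
```

If the name resolves only in the default mode, the hosts file entry is what supplies it, which matches the behaviour described above.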
Why don't you add the printers by IP?
Or, if you don't want to create a DNS server, just configure the hosts file as you commented.
I do add the printer as an IP; it just won’t send a job to the printer without knowing its hostname, rather a strange one. The only reason I didn’t want to add a hosts file is it’s a mixture of visitor and permanent staff across the 3 VLANs and maintaining that would be tough.
All the rules are nice and secure and we didn’t need to whitelist any device. Just need to find an easy solution to the hostname scenario, but thanks for everyone’s input so far.
The best solution is using a DNS server; the "easy" solution is adding the information to the hosts file.
Check the event log for L7 rule matches.
Temporarily change the printer L3 rule to any to verify whether additional ports are required to be open.
If he tested with an allow list, it doesn't make sense.
Allow List
Applies the following settings to a client:
Is exempt from all firewall rules, both Layer 3 and Layer 7 (Applies to both the MX Security Appliance and the MR Access Points)
Bypasses AMP
Bypasses a Click-through Splash page
Bypasses a Billing (paid access) Splash page and access the network on an SSID without paying or authenticating
Bypasses a Sign-on Splash page without authenticating (Applies to both the MX Security Appliance and the MR Access Points)
Is exempt from Per-client bandwidth limit (Applies to both the MX Security Appliance and the MR Access Points)
Is exempt from Traffic shaping rules (Applies to both the MX Security Appliance and the MR Access Points)
Bypasses Content filtering on MX Security Appliance
It still depends which device is whitelisted. If the printer is whitelisted but the client sending the print job is not, it could still not work.
So, it's very simple to test, just put the client in an allow list too. 😉
What OS are you using that won't allow you to print via IP and only FQDN?
Both Windows and macOS will allow either unless your Windows devices have some GPO that's forbidding it.
I see you have opened the ports for IPP, LPD/LPR and HTTP printing, which protocol are you actually using?
Windows 10 Pro, and it looks like 515 and 9100 TCP seem to be the main ones. I've narrowed down the ports to the ones below just to cover myself in case that was an issue. Even did an ip any any and still had the same problem.
Just to recap:
From the three VLANs: 80, 443, 515, 9100 and 631 TCP; 161, 53 and 5353 UDP
From the printer: 9807 UDP and 8800 plus 25 TCP
I add the printer either via the Xerox smart tool or add printer (add using TCP/IP etc.) and all looks good. Just, with no hosts file on the laptop, not a single job will appear in the printer queue.
The printer is a Xerox VersaLink 7030.
Cheers
Is IP filtering enabled on the printer?
Can't access the printer at the moment as someone on site has switched it off, but from what I recall the following ports were enabled:
FTP, HTTP, IPP, LPD, 9100, SFTP, SMB, SMTP, SNMP, SOAP and WSD.
Switched off were IPsec, LDAP, S/MIME and SNTP.
Bonjour, AirPrint, Google Print and Mopria are off, but I plan to put the first two on.
Managed to get someone to put the printer on, and it's not enabled and nor is domain filtering.
Cheers