How to access an IP printer upstream through a firewall router?

Thread starter: John B
John B

"Upstream" means "against the firewall." "Downstream" is easy, and would
have the printer on the UNPROTECTED side of the firewall in question:

Routers like Linksys BEFSX41 have been offering firewall for years and
years. Typically this involves NAT. Unsolicited upstream communications
are considered hostile, and are blocked.

There is provision in such a firewall router for "opening a hole" in said
firewall; i.e., "port forwarding" of a specific TCP port number, to a
specific IP host address on the protected side of the firewall router.
Settings are made under "Applications & Gaming" when accessing the router
internals with internet browser software. Yes, this type of setting is
frequently needed, for games (like my teenage son plays) and remote access
software (like UltraVNC). Yes, sometimes we want to allow "outsiders" to
hit IP targets inside a protected IP network.

Question:
Is there a comparable "hole" that I can open in a firewall for a PRINTER
that lies on the IP network on the protected side of the firewall router?
Said printer has a PRINT SERVER with a specific static IP address. I'd like
to be able to have users on the unprotected side of this BEFSX41 router, to
be able to print accordingly.

Topology shows two IP networks at this geographical location, each regulated
by a router firewall. The outer firewall connects to the internet. Two
"IP networks" means two distinct IP network addresses, not like XP's ICS
where all parties are on the same net. Let's assume they're 192.168.1.0 and
192.168.2.0 with net mask of 255.255.255.0.

Thanks
John
 
Yes, you just need to forward the port appropriate to the printing protocol
in use, similarly to forwarding a gaming port or the like.

LPR = 515
TCP/IP = 9100, and sometimes 9101/9102/9103/...

The thing I _wouldn't_ do is to directly forward the Windows File and
Printer Sharing ports (137-9 & 445) as this exposes far too many
vulnerabilities. If you must forward these ports, then you should do so via a
tunneling protocol such as ssh or Zebedee.

The easier option is to set up an LPR printserver on port 515.

Bear in mind that you still might need to restrict the IP ranges which can
use the forwarded port, otherwise Tom, Dick and Harry on the 'net will be
able to use your printer.

 
Hi
It can be done if you set up a local VPN or SSH.
The security protocol uses a specific port that can be opened to carry the
printing information.
Jack (MVP-Networking).
 
Thank you for this extensive response.
In this case, Tom, Dick and Harry will be blocked by the outer router. But
I have other ideas where your admonition is absolutely warranted.

So I'll first pursue the LPR approach, by forwarding any missive that
arrives at "port 515" to the IP address of the print server that interfaces
to my printer.

Here's my concern over that approach (though I will now experiment with
great pleasure):
Since I have a Windows environment here, I would like computers in the outer
network to see the aforementioned print server. I don't suppose it has to
be "shared," does it? Nah. Seems not. I am looking in "My Network Places"
right now and the printer, which is in actuality ready, willing, and able,
does not show up as a "share" anywhere.
 
I have attempted the LPR approach without success. I'd appreciate any help
you might offer in finding my error.

I got into the BEFSX41 (inner) router, at the "Applications & Gaming" page,
and set the following "port range forwarding" provisions:
Application  Start  End  TCP/UDP  IP Address    Enabled
LPR          515    515  both     192.168.3.80  yes

192.168.3.80 is the IP address of the printer. The inner network is
192.168.3.0.

At a Linux computer that is connected to the outer network (192.168.1.0) I
established a printer resource with the appropriate driver to 192.168.1.40,
which is the IP address of the uplink side of the BEFSX41 (inner) router.
Printing a test page did not work. A similar attempt failed, when the
printer resource was directed to 192.168.3.80. Then again, how should the
outer-net computer be able to communicate with 192.168.3.80? Any missive so
directed would likely go to the internet, as the routing tables should be
commensurate with that. So I reason that a printing missive directed at the
uplink side of the BEFSX41 router should work. The router should see the
LPR, port 515 nature of that missive, and route it to the printer. But it
didn't work.

Your advice would be greatly appreciated.
I must be gone for a few hours, so I'll check this thread upon my return.

Thanks.
John
 
Hi
I did not ask you why you have two routers that are set to form segregated
networks.
If you set it deliberately for security purposes, then all that is said above
has to be dealt with.
If it is not set deliberately, then the second router can be set as
described below, and all the computers would be on the same network.
Wireless Cable/DSL Router as a Switch with an Access Point -
http://www.ezlan.net/router_AP.html
Jack (MVP-Networking).
 
It's a security experiment.
I want to have separate networks. So no "access point."
Thanks again.
 
To set up LPR printing, you need to install "Other network file and print
services" in the Windows Components section of Add/Remove Programs.

Then, you tell the print driver to print to a 'local port' (might seem
strange, but...) and make this the IP of the router which maps the port -
Note, NOT the IP of the printer itself, but that of the router, since the
client cannot 'see' the printer's IP directly. The portname, if asked, is
usually "raw" - and only matters on multiple-printer units.

I assume you're using a printer or printserver box with LPR capability; if
not, then it's possible to add an LPR server-process to a Windows
workstation. This doesn't exist by default, though.

On the client, you won't find LPR printers in "Network Places" since
"Network Places" is a bespoke Microsoft environment. As far as the client is
concerned the LPR printer behaves more like one connected to a local port.
You should be able to find it on a Linux box though, since this is right in
its own element.

I wouldn't advise the VPN route, since this is overcomplex, and will in any
case remove the security you're trying to create, by effectively making the
'outside' print client part of the 'inside' network, and therefore able to
access any service on it, not just printing.

You can use ssh, but a pitfall to beware of is that out-of-box this grants
unrestricted telnet and FTP access to all clients. If you don't block these
options in the ssh server settings, then you might find you have a vastly
bigger security hole than you started out with!
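The exchange the two answers above describe (forward TCP 515 to the print server, point the outside client at the router's uplink address rather than the printer's, and restrict who may use the forwarded port), as an added example that is not part of the thread: a minimal RFC 1179 LPR client plus a mock LPD server on localhost. The queue name `lp1`, host `outerpc`, user `john` and page data are constructed, and the allowed source range is an assumption standing in for the router's own source filter.

```python
import ipaddress
import socket
import threading

# Added example, not from the thread: a minimal RFC 1179 (LPR/LPD) job submission.
# The client is only ever given the router's forwarded port (a localhost mock here).

def ack(s):
    if s.recv(1) != b"\x00":          # LPD acks each step with one NUL byte
        raise RuntimeError("LPD refused the request")

def lpr_send(host, port, queue, data, job=1, client_host="outerpc", user="john"):
    """Submit one job with the 'receive printer job' command (0x02)."""
    name = b"%03d%s" % (job, client_host.encode())                        # e.g. 001outerpc
    ctrl = b"H%s\nP%s\nldfA%s\n" % (client_host.encode(), user.encode(), name)
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(b"\x02" + queue.encode() + b"\n"); ack(s)               # select queue
        s.sendall(b"\x02%d cfA%s\n" % (len(ctrl), name)); ack(s)          # control file
        s.sendall(ctrl + b"\x00"); ack(s)
        s.sendall(b"\x03%d dfA%s\n" % (len(data), name)); ack(s)          # data file
        s.sendall(data + b"\x00"); ack(s)

def mock_lpd_serve(srv, jobs, allowed_net):
    """Accept one job into jobs; the source check models a router that limits port 515."""
    conn, peer = srv.accept()
    with conn:
        f = conn.makefile("rb")
        queue = f.readline()[1:].strip().decode()                         # b"\x02lp1\n"
        if ipaddress.ip_address(peer[0]) not in ipaddress.ip_network(allowed_net):
            conn.sendall(b"\x01"); return                                 # refuse
        conn.sendall(b"\x00")
        parts = {}
        for _ in range(2):                                                # control, then data
            hdr = f.readline()                                            # b"\x03<len> dfA001outerpc\n"
            conn.sendall(b"\x00")
            parts[hdr[0]] = f.read(int(hdr[1:].split()[0]) + 1)[:-1]      # body minus trailing NUL
            conn.sendall(b"\x00")
        jobs.append((queue, parts[2], parts[3]))

def demo(allowed_net="127.0.0.0/8"):
    """Print one constructed page through the mock; returns (accepted, received jobs)."""
    srv, jobs = socket.create_server(("127.0.0.1", 0)), []
    t = threading.Thread(target=mock_lpd_serve, args=(srv, jobs, allowed_net))
    t.start()
    try:
        lpr_send("127.0.0.1", srv.getsockname()[1], "lp1", b"Hello printer\f"); ok = True
    except RuntimeError:
        ok = False
    t.join(); srv.close()
    return ok, jobs
```

Calling `demo()` accepts the job, while `demo("192.168.1.0/24")` shows the refusal an outside host gets once the forwarded port is limited to the intended source range.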
 
SUCCESS.
Thank you. Your advice was dead-on accurate.
I installed LPR printing into a brand-new XP-Home computer, which
coincidentally was available. That LPR resource was NOT installed by
default.
Printing did NOT work if I established a "printer" in this outer-net XP
computer along the lines of "network printer" ...
Printing DID work when I established the printer as "local" within the XP
computer. Yes, this is classic counter-intuitive Microsoft interface, but
what the heck. Why argue with success?

Meanwhile, I have re-established all sorts of firewall obstacles in the
inner router that defines the inner network. I am still able to print,
thanks to the 515 port forwarding.

And our Linux computer, positioned topologically side-by-side with the XP
computer, in the outer network, mirrored the success and failure of the XP
computer quite exactly. It was necessary to pursue proper LPR printing, not
just remote printing to http://routeraddress/lp1
 