I have given my duplex printer to family who operate on a different subnet. The subject printer has a dhcp connection to the lan.
The subnets all converge at the firewall router.
I am seeking advice on the simplest and most secure way to access the subject printer from my subnet without creating insecure connections between the subnets.
Please could somebody help me with this.
Budge
How was the printer connected before to your own computer?
Can you ping the printer on the different subnet?
Scanning for printers on a different subnet typically does not work, so you will need the IP address.
I think this page lists what should work: https://developers.hp.com/hp-linux-imaging-and-printing/install/step4/cups/net
Hi and thanks for the suggestions.
The printer which is an HP device had been connected on my subnet with a static IP and was used by various machines on my subnet.
Now it has been put on the office network it is used by all staff who use windoze and I am told it should be set for dhcp.
No I hope I cannot ping it. There is a firewall between the subnets.
I had been thinking along the lines of acl in firewall or even vpn. It may be that HP have an answer via wan but I was hoping something more parochial would be possible.
Will look at your HP thread and see how it works.
If it is a true firewall, then you can have different security “zones”. One zone could be “trust” with, say, the printer in it, another zone could be “untrust” with your computer in it. You can then create rules to allow your computer to print to the printer.
You could (depending on interfaces) even create a zone with dhcp and just the printer in it then create two other zones called private and business then create rules to allow them to print.
Hi and many thanks. I have been thinking along these lines but writing rules really stretches my abilities. I think the firewall device has gui to help but I am not sure how to sort out the dhcp part as I will not know what address it will use and this could change, although not likely. The device will have a name too so will keep working on this as the most direct route to a solution!
Thanks again,
Budge.
If you are lucky, the firewall is also acting as DHCP server and if so, it very likely can give a list of the leases.
My firewall router has all the tools I needed so I had no difficulty creating a Host object, changing the address to a fixed address on the new subnet, using HP wizard in Yast to create the socket, connecting between subnets and printing from my laptop without touching the laptop firewall. The only issue was that the popup progress notices did not appear so I had no idea if anything had printed. (Printer in different building!)
Fired by success I went to my workstation to repeat the exercise. Alas no joy. I could ping the printer from my workstation but the HP connection wizard failed as it couldn’t see the host.
I turned off the firewall in my workstation but still the wizard didn’t work.
I tried using the tool suggested in the link above, hp-makeuri but this couldn’t see the printer either. I get
error: Device not found
Where am I going wrong please?
The difference between your laptop and workstation in your story is that the laptop is on the same subnet as the printer and the workstation not, right?
When running the HP connection wizard did you type in the IP address? If not, you should do that.
It could be that the router between your subnet and the subnet of the printer is blocking things.
If I understand correctly, your requirements are:
- the printer should get its IP address, etc. from a DHCP server in its own LAN, which means that it may get a different IP address offered according to the DHCP server's whims. That can be solved within that LAN by using zeroconf/avahi which will allow the printer clients to find the printer, and I assume that is what the people in that LAN want.
- you want to print from another LAN to that printer, which requires a fixed IP address.
I doubt you can have both at the same time.
I tried this but fell at first fence. When I go to browser and the suggested address http://localhost:631 the result looks nothing like mine!
No opportunity to enter username and password here!
I did find this in the Administration tab but couldn’t get my username and pw accepted. Will keep trying.
Now I am getting the hang of it but made a mistake and am now “unable to add a printer” under title Add Printer Error.
I think I used the wrong pw but cannot find out how to delete and start over.
If anybody could put me right I will try not to mess it up again!
Which username?
I wasn’t reading everything, but when you are trying to configure a printer, then that is typically a system task (imagine that every user could configure, add, delete printers at will). Thus you need the password of root.
Hi Henk,
To recap, my objective is to be able to print from a printer which is connected on a different subnet. This printer has a static IP address within the reserved range on the remote subnet.
As far as our staff are concerned it is the office printer and they are not aware of my private subnet or the fact that I need to access it myself.
I have created a connection through the firewall between the subnets and I can ping the remote device.
On one laptop the HP connection wizard worked and created a socket connection to the printer and this worked after a fashion. The problem with it is that the status of the job is not fed back to my laptop so I have no idea if the job has worked or not short of going to the remote building and checking the printer.
Both my second laptop and my workstation cannot even connect to the printer but I can ping it from both of these machines.
Using my laptop this morning it seems I can add a printer once more so I can select “Add Printer.” Before messing up again, my first popup asks for User Name and Password. Should I use my normal laptop login? It does not ask for root on this prompt.
Hi Marel,
It is possible that I have made a mistake at one stage as I juggle between laptops and workstation but in all laptop cases I believe I was connected to my own private subnet and entered the correct remote printer IP address which is on the other subnet.
To try and separate the issues when trying to sort this out I turned off the laptop firewall temporarily.
The firewall between the subnets has a connection created by me from my private network to the printer device which is configured as a Host object and the link has three protocols enabled, HP JetDirect, IPP and LPD. I do not know what other services or protocols should be enabled and have not access to the ports being used but I assume they are correct for the protocols mentioned.
Use root and root’s password as Henk already indicated.
Hi Deano,
It seems I am still locked out as I am still forbidden.
my cups error log has:-
E [04/Jun/2021:09:36:12 +0100] [CGI] CUPS-Get-Devices request failed with status 401: Forbidden
How do I unblock this?
Just to be sure, I tried to add a printer on a different laptop so starting from the outset and using my root login name and password I still get refused.
Could it be Mozilla browser messing me about? Will try another browser.
Can you show us the configured printer URI from the laptop?
lpstat -t
Conduct an nmap scan of the printer
nmap <printer IP>
Post the output here.
When you send a print job, what does /var/log/cups/error_log report? If necessary, put CUPS into debug mode for increased reporting verbosity
sudo cupsctl --debug-logging
then attempt to print and examine the error_log.
Hi Budgie2. How is the SystemGroup configured?
grep Sys /etc/cups/cups-files.conf
Hi Deano,
Here is the output of the first two commands
alastair@localhost:~> sudo lpstat -t
[sudo] password for root:
scheduler is running
no system default destination
device for CUPS-PDF: cups-pdf:/
device for HP_Color_LaserJet_2840: hp:/net/HP_Color_LaserJet_2840?ip=192.168.169.141
device for HP_LaserJet_600_M602: socket://10.110.169.8:9100
device for Photosmart_8700: hp:/net/Photosmart_8700_series?ip=192.168.169.142
CUPS-PDF accepting requests since Fri 19 Jun 2020 14:02:48 BST
HP_Color_LaserJet_2840 accepting requests since Mon 26 Apr 2021 09:40:03 BST
HP_LaserJet_600_M602 accepting requests since Thu 03 Jun 2021 13:04:17 BST
Photosmart_8700 accepting requests since Tue 26 May 2020 09:05:08 BST
printer CUPS-PDF is idle. enabled since Fri 19 Jun 2020 14:02:48 BST
printer HP_Color_LaserJet_2840 is idle. enabled since Mon 26 Apr 2021 09:40:03 BST
printer HP_LaserJet_600_M602 is idle. enabled since Thu 03 Jun 2021 13:04:17 BST
printer Photosmart_8700 is idle. enabled since Tue 26 May 2020 09:05:08 BST
alastair@localhost:~>
alastair@localhost:~>
alastair@localhost:~> nmap 10.110.168.8
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-04 10:26 BST
Nmap scan report for 10.110.168.8
Host is up (0.0051s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 4.58 seconds
alastair@localhost:~>
The printer in question is the HP LaserJet 600 at 10.110.169.8
I am not familiar with the debugging command or where the output will go. I have attached the last few lines of the /var/log/cups/error_log:-
[04/Jun/2021:10:27:34 +0100] Registering ICC color profiles for "Photosmart_8700".
D [04/Jun/2021:10:27:34 +0100] Calling CreateDevice(cups-Photosmart_8700,temp)
W [04/Jun/2021:10:27:34 +0100] CreateDevice failed: org.freedesktop.DBus.Error.ServiceUnknown:The name org.freedesktop.ColorManager was not provided by any .service files
E [04/Jun/2021:10:27:34 +0100] Unable to open listen socket for address [v1.::1]:631 - Cannot assign requested address.
I [04/Jun/2021:10:27:34 +0100] Listening to 127.0.0.1:631 on fd 7...
I [04/Jun/2021:10:27:34 +0100] Listening to /run/cups/cups.sock on fd 3...
I [04/Jun/2021:10:27:34 +0100] Resuming new connection processing...
D [04/Jun/2021:10:27:34 +0100] cupsdSetBusyState: newbusy="Not busy", busy="Active clients"
D [04/Jun/2021:10:27:34 +0100] cupsdAddCert: Adding certificate for PID 0
D [04/Jun/2021:10:27:34 +0100] Notifier dbus started - PID = 14769
D [04/Jun/2021:10:27:34 +0100] cupsdMarkDirty(----S)
D [04/Jun/2021:10:27:34 +0100] cupsdSetBusyState: newbusy="Dirty files", busy="Not busy"
D [04/Jun/2021:10:27:34 +0100] cupsdSetBusyState: newbusy="Dirty files", busy="Dirty files"
D [04/Jun/2021:10:27:34 +0100] [Notifier] state=3
D [04/Jun/2021:10:27:34 +0100] Report: clients=0
D [04/Jun/2021:10:27:34 +0100] Report: jobs=140
D [04/Jun/2021:10:27:34 +0100] Report: jobs-active=0
D [04/Jun/2021:10:27:34 +0100] Report: printers=4
D [04/Jun/2021:10:27:34 +0100] Report: stringpool-string-count=29408
D [04/Jun/2021:10:27:34 +0100] Report: stringpool-alloc-bytes=15056
D [04/Jun/2021:10:27:34 +0100] Report: stringpool-total-bytes=549624
D [04/Jun/2021:10:27:34 +0100] [Notifier] Connected to D-BUS
D [04/Jun/2021:10:27:34 +0100] [Notifier] ServerStarted
D [04/Jun/2021:10:27:34 +0100] cupsdSetBusyState: newbusy="Active clients and dirty files", busy="Dirty files"
D [04/Jun/2021:10:27:34 +0100] [Client 1] Server address is "/run/cups/cups.sock".
D [04/Jun/2021:10:27:34 +0100] [Client 1] Accepted from localhost (Domain)
D [04/Jun/2021:10:27:34 +0100] [Client 1] Waiting for request.
D [04/Jun/2021:10:27:34 +0100] [Client 1] POST / HTTP/1.1
D [04/Jun/2021:10:27:34 +0100] cupsdSetBusyState: newbusy="Active clients and dirty files", busy="Active clients and dirty files"
D [04/Jun/2021:10:27:34 +0100] [Client 1] Read: status=200, state=6
D [04/Jun/2021:10:27:34 +0100] [Client 1] No authentication data provided.
D [04/Jun/2021:10:27:34 +0100] [Client 1] 2.0 CUPS-Get-Printers 7
D [04/Jun/2021:10:27:34 +0100] CUPS-Get-Printers
D [04/Jun/2021:10:27:34 +0100] [Client 1] Returning IPP successful-ok for CUPS-Get-Printers (no URI) from localhost.
D [04/Jun/2021:10:27:34 +0100] [Client 1] Content-Length: 1601
D [04/Jun/2021:10:27:34 +0100] [Client 1] cupsdSendHeader: code=200, type="application/ipp", auth_type=0
D [04/Jun/2021:10:27:34 +0100] [Client 1] con->http=0x558646fbd180
D [04/Jun/2021:10:27:34 +0100] [Client 1] cupsdWriteClient error=0, used=0, state=HTTP_STATE_POST_SEND, data_encoding=HTTP_ENCODING_LENGTH, data_remaining=1601, response=0x558646fb4f50(IPP_STATE_DATA), pipe_pid=0, file=-1
D [04/Jun/2021:10:27:34 +0100] [Client 1] Writing IPP response, ipp_state=IPP_STATE_DATA, old wused=0, new wused=0
D [04/Jun/2021:10:27:34 +0100] [Client 1] bytes=0, http_state=0, data_remaining=1601
D [04/Jun/2021:10:27:34 +0100] [Client 1] Flushing write buffer.
D [04/Jun/2021:10:27:34 +0100] [Client 1] New state is HTTP_STATE_WAITING
D [04/Jun/2021:10:27:34 +0100] [Client 1] Waiting for request.
D [04/Jun/2021:10:27:34 +0100] cupsdSetBusyState: newbusy="Dirty files", busy="Active clients and dirty files"
D [04/Jun/2021:10:27:34 +0100] [Client 1] POST / HTTP/1.1
D [04/Jun/2021:10:27:34 +0100] cupsdSetBusyState: newbusy="Active clients and dirty files", busy="Dirty files"
D [04/Jun/2021:10:27:34 +0100] [Client 1] Read: status=200, state=6
D [04/Jun/2021:10:27:34 +0100] [Client 1] No authentication data provided.
D [04/Jun/2021:10:27:34 +0100] [Client 1] 2.0 Get-Jobs 8
D [04/Jun/2021:10:27:34 +0100] Get-Jobs ipp://alastair@localhost:631/printers/
D [04/Jun/2021:10:27:34 +0100] [Client 1] Returning IPP successful-ok for Get-Jobs (ipp://alastair@localhost:631/printers/) from localhost.
D [04/Jun/2021:10:27:34 +0100] [Client 1] Content-Length: 75
D [04/Jun/2021:10:27:34 +0100] [Client 1] cupsdSendHeader: code=200, type="application/ipp", auth_type=0
D [04/Jun/2021:10:27:34 +0100] [Client 1] con->http=0x558646fbd180
D [04/Jun/2021:10:27:34 +0100] [Client 1] cupsdWriteClient error=0, used=0, state=HTTP_STATE_POST_SEND, data_encoding=HTTP_ENCODING_LENGTH, data_remaining=75, response=0x558646fca610(IPP_STATE_DATA), pipe_pid=0, file=-1
D [04/Jun/2021:10:27:34 +0100] [Client 1] Writing IPP response, ipp_state=IPP_STATE_DATA, old wused=0, new wused=0
D [04/Jun/2021:10:27:34 +0100] [Client 1] bytes=0, http_state=0, data_remaining=75
D [04/Jun/2021:10:27:34 +0100] [Client 1] Flushing write buffer.
D [04/Jun/2021:10:27:34 +0100] [Client 1] New state is HTTP_STATE_WAITING
D [04/Jun/2021:10:27:34 +0100] [Client 1] Waiting for request.
D [04/Jun/2021:10:27:34 +0100] cupsdSetBusyState: newbusy="Dirty files", busy="Active clients and dirty files"
D [04/Jun/2021:10:27:34 +0100] [Client 1] POST / HTTP/1.1
D [04/Jun/2021:10:27:34 +0100] cupsdSetBusyState: newbusy="Active clients and dirty files", busy="Dirty files"
D [04/Jun/2021:10:27:34 +0100] [Client 1] Read: status=200, state=6
D [04/Jun/2021:10:27:34 +0100] [Client 1] No authentication data provided.
D [04/Jun/2021:10:27:34 +0100] [Client 1] 2.0 Get-Jobs 9
D [04/Jun/2021:10:27:34 +0100] Get-Jobs ipp://alastair@localhost:631/printers/
D [04/Jun/2021:10:27:34 +0100] [Client 1] Returning IPP successful-ok for Get-Jobs (ipp://alastair@localhost:631/printers/) from localhost.
D [04/Jun/2021:10:27:34 +0100] [Client 1] Content-Length: 75
D [04/Jun/2021:10:27:34 +0100] [Client 1] cupsdSendHeader: code=200, type="application/ipp", auth_type=0
D [04/Jun/2021:10:27:34 +0100] [Client 1] con->http=0x558646fbd180
D [04/Jun/2021:10:27:34 +0100] [Client 1] cupsdWriteClient error=0, used=0, state=HTTP_STATE_POST_SEND, data_encoding=HTTP_ENCODING_LENGTH, data_remaining=75, response=0x558646fb4f50(IPP_STATE_DATA), pipe_pid=0, file=-1
D [04/Jun/2021:10:27:34 +0100] [Client 1] Writing IPP response, ipp_state=IPP_STATE_DATA, old wused=0, new wused=0
D [04/Jun/2021:10:27:34 +0100] [Client 1] bytes=0, http_state=0, data_remaining=75
D [04/Jun/2021:10:27:34 +0100] [Client 1] Flushing write buffer.
D [04/Jun/2021:10:27:34 +0100] [Client 1] New state is HTTP_STATE_WAITING
D [04/Jun/2021:10:27:34 +0100] [Client 1] Waiting for request.
D [04/Jun/2021:10:27:34 +0100] cupsdSetBusyState: newbusy="Dirty files", busy="Active clients and dirty files"
I [04/Jun/2021:10:27:35 +0100] Expiring subscriptions...
I [04/Jun/2021:10:28:05 +0100] Saving subscriptions.conf...
D [04/Jun/2021:10:28:05 +0100] cupsdSetBusyState: newbusy="Not busy", busy="Dirty files"
I [04/Jun/2021:10:28:05 +0100] Expiring subscriptions...
alastair@localhost:/var/log/cups>
Where do I find the debug output please?
FYI tried with Vivaldi on different laptop and was still refused!
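Added example, not part of the thread: a small Python check that lines up the two outputs posted above. It reads a queue's device URI from `lpstat` output and the target and open ports from an `nmap` report, then reports whether the scan covered the queue's host and whether the queue's port answered. The sample text is constructed from the values shown in the post, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed samples, built from the lpstat and nmap values shown in the post.
LPSTAT_SAMPLE = """\
device for CUPS-PDF: cups-pdf:/
device for HP_LaserJet_600_M602: socket://10.110.169.8:9100
"""
NMAP_SAMPLE = """\
Nmap scan report for 10.110.168.8
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
"""
# Default TCP ports for the URI schemes that name a host directly.
DEFAULT_PORTS = {"socket": 9100, "ipp": 631, "lpd": 515}


def queue_endpoints(lpstat_text):
    """Map queue name -> (host, port); hp:/ and local backends are skipped."""
    endpoints = {}
    for queue, uri in re.findall(r"^device for (\S+): (\S+)", lpstat_text, re.M):
        parts = urlsplit(uri)
        if parts.scheme in DEFAULT_PORTS and parts.hostname:
            port = parts.port or DEFAULT_PORTS[parts.scheme]
            endpoints[queue] = (parts.hostname, port)
    return endpoints


def nmap_report(nmap_text):
    """Return (scanned IPv4 address, open TCP ports) from normal nmap output."""
    host = re.search(r"Nmap scan report for (?:\S+ \()?([\d.]+)", nmap_text)
    ports = re.findall(r"^(\d+)/tcp\s+open\b", nmap_text, re.M)
    return (host.group(1) if host else None), {int(p) for p in ports}


def check_queue(queue, lpstat_text, nmap_text):
    """List the reasons the scan does not confirm the queue is reachable."""
    host, port = queue_endpoints(lpstat_text)[queue]
    scanned, open_ports = nmap_report(nmap_text)
    if scanned != host:
        return [f"scan target {scanned} is not the queue's host {host}"]
    if port not in open_ports:
        return [f"tcp/{port} on {host} is not open from this client"]
    return []

if __name__ == "__main__":
    print(check_queue("HP_LaserJet_600_M602", LPSTAT_SAMPLE, NMAP_SAMPLE))
```

A scan limited to the three services enabled on the firewall link, `nmap -p 515,631,9100 <printer IP>`, produces the same report format with only the print ports listed.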