Isolating an AirPrinter in Vlan

[abailey]

Unfortunately not, there'll be no internet connection to the printer. Only the iPad with Cellular will have internet. Are you telling me I'm not going to be able to block AirPrint on certain VLANS?

You can certainly block AirPrint on certain VLANs. But it is possible that simply putting things in a separate VLAN may not stop them from seeing the printer. After setting up your VLANs you will need to put some filter rules in place to make sure the VLANS can't communicate if you do not wish them to. The default (I believe) action for Ubiquiti routers is to automatically route between VLANs unless you put in rules to stop it. You can also allow everything on one VLAN to see one thing on another VLAN (like your iPad) but not see anything else (like your printer). Use rules to block and allow what you want.

 

[sfx2000]

Two SSID's - one for the iPad and Printer, and another for clients that may attach.

Most routers that support Guest Networking should fit the bill - as many will actually do the VLAN's you're looking for.

 

[abailey]

Two SSID's - one for the iPad and Printer, and another for clients that may attach.

Most routers that support Guest Networking should fit the bill - as many will actually do the VLAN's you're looking for.

But the clients need to see the iPad without seeing the printer. Most consumer routers will not be able to do that. The Edgerouter can do that though.

 

[coxhaus]

I have a Cisco Sg300-28 switch running in layer 3 mode with controlled VLAN routing across VLANs. I have not been able to get iPads, AppleTV and iPhones to talk across VLANs. I have Bonjour running on all VLANs. The devices just don't seem to scan across networks. All my VLANs are separate networks. I guess I should add inter VLAN routing works fine between network VLANs. I believe this to be an Apple thing.

I am very interested in how to do this?

 

[degrub]

I understand that Apple devices expect a flat network ie all devices on the same subnet.

 

[sfx2000]

I understand that Apple devices expect a flat network ie all devices on the same subnet.

https://developer.apple.com/library...ocoa/Conceptual/NetServices/Articles/faq.html

Read it thru - Bonjour can operate across multiple subnets - done many times over in the enterprise space....

Here's more...

https://kb.acronis.com/sites/default/files/content/2013/01/39490/wanbonjour_1.pdf

And here's some more...

1. DNS SRV (RFC 2782) Service Types www.dns-sd.org/ServiceTypes.html
2. Using Bonjour Across Subnets http://www.grouplogic.com/Knowledge/PDFUpload/Info/WanBonjour_1.pdf
3. Apple Bonjour Printing Specification Version 1.2 https://developer.apple.com/bonjour/printing-specification/bonjourprinting-1.2.pdf
4. Network-wide AirPrint and easy printer configuration through DNS-SD http://philkomarny.com/?p=63
5. Bonjour and DNS Service Discovery http://dyn.com/support/bonjour-and-dns-discovery/
6. Manually Adding DNS-SD Service Discovery Records to an Existing Name Server http://dns-sd.org/ServerStaticSetup.html
7. iOS printing via CUPS http://hints.macworld.com/article.php?story=20101027080807322
8. About AirPrint and Bonjour http://thomas.dereyck.eu/wiki/Setting%20up%20inter-subnet%20AirPrint%20on%0any%0printer%20with%20CUPS%20and%20a%20regular%20DNS%20server

 

[coxhaus]

That stuff seems generic to me. I don't even own a MAC nor do I plan to. I just want the phones and AppleTV to work across networks.

So can you summarize it into a small paragraph as to what the key components are required?

 

[coxhaus]

In the old days in the Microsoft world to get around a single network you setup a WINS server to function for finding NETBIOS clients on other networks. No special networking was required as the Windows client was fed at DHCP time a WINS server IP address at boot up.

 

[abailey]

If you have a router that can be configured for Mulitcast Routing then that would be the best. Routers like pfSense, Edgerouters, Mikrotik, etc can do this. Unfortunately the steps to do it are router specific but just Google Mulitcast Routing for bonjour and put your router in the search and you should be able to find it.
If you don't have a router that can do multicast routing then it gets more involved as another good way to do it is with a proxy but that would probably require an additional outlay of funds.

 

[coxhaus]

I was kind of looking at Unicast DNS but it seems difficult since Apple does not support private IP addresses.

In terms of Multicast routing is it a lot different than multicast for video? Multicast for video is the only setup I have done on switches.

Proxy seems Apple specific.

Is anybody doing one of these setups?

 

[coxhaus]

I found this on the Cisco web site. Sounds like AppleTV does not use Bonjour. I just noticed it still looks like discovery is by Bonjour.

 

[sfx2000]

I found this on the Cisco web site. Sounds like AppleTV does not use Bonjour. I just noticed it still looks like discovery is by Bonjour.

ATV uses a hella amount of Bonjour - not just for AirPlay, but it can also act, like Airports and Macs, as a Bonjour Sleep Proxy...

 

[sfx2000]

Hmmm... just thinking about a side case - IGMP Snooping - and there things might break on some managed switches if enabled when using multiple VLAN's

 

[coxhaus]

I found this on Cisco's site. I think this pretty much shuts me down on trying to solve this problem.

 

[degrub]

I found this on Cisco's site. I think this pretty much shuts me down on trying to solve this problem.

View attachment 11482

There was at least one commercial solution available - originally free, so it is possible. Reading some of the links sfx2000 provided provides an approach if you have a router that supports or can set up a local DNS server.
i ended up using a wired/wireless printer (HP LJ 252dw) that also offers NFC and regular N (2.4GHz) for printing

 

[coxhaus]

The reason I am giving up based on the Cisco diagram above is the TTL=1 which means there is no way to route the traffic. You would have to encapsulate the traffic to get around TTL=1 which means high$$$ dollar Cisco equipment.

I think unicast DNS will probably work but will be a pain in the neck since Apple does not support private IP addressing for it.

Proxy would require a MAC gateway machine running 24/7 so this is out for me.

 

[abailey]

You can use a lightweight daemon on a Linux distro to do it. avahi-daemon works when running on an Edgerouter. You can also use something small like a Raspberry-pi. Though whatever you use does have to be on 24/7 like the MAC gateway option.

 

[coxhaus]

You can use a lightweight daemon on a Linux distro to do it. avahi-daemon works when running on an Edgerouter. You can also use something small like a Raspberry-pi. Though whatever you use does have to be on 24/7 like the MAC gateway option.

This would probably be a better solution than running a MAC. Does anybody have this running on an Edgerouter? How smooth is it?

 

[sfx2000]

You can use a lightweight daemon on a Linux distro to do it. avahi-daemon works when running on an Edgerouter. You can also use something small like a Raspberry-pi. Though whatever you use does have to be on 24/7 like the MAC gateway option.

Been thinking about this thread, and yes, a Pi would be a good choice - install avahi-daemon and avahi-utils, and it's a reasonable solution... install cups, and it can be an airprint enabler for non-Airprint printers as long as they're supported by cups.

Configure it up - don't forget to enable SSH if one intends to run it headless, and it would be fine. Raspbian is a full blown linux distribution with all the tools one could need, and like most debian oriented distro's, it's not that hard to set up.

 

[coxhaus]

Been thinking about this thread, and yes, a Pi would be a good choice - install avahi-daemon and avahi-utils, and it's a reasonable solution... install cups, and it can be an airprint enabler for non-Airprint printers as long as they're supported by cups.

Configure it up - don't forget to enable SSH if one intends to run it headless, and it would be fine. Raspbian is a full blown linux distribution with all the tools one could need, and like most debian oriented distro's, it's not that hard to set up.

Since nobody is running it. We still don't know how well it works. And it may be a high maintence service.