
Printing from firewall DMZ to internal LAN IP printer??


dbota

I want to set up a computer as a dedicated firewall with 3 NICs (external internet, internal LAN and a DMZ for a Guest wifi router) for a small office network. Will probably use free Untangle Firewall software or such on the dedicated firewall computer.

What I am trying to do is figure out the firewall's topology, IP ranges and rules / forwarding that would allow untrusted laptops visiting the office to connect to the wifi router (& the internet) in the DMZ and to print to the networked HP printer on the internal network without giving the visiting laptops access to anything else on the internal network.

That way non trusted laptops can visit the office, get internet connectivity and printing to the LAN's networked HP printer without potentially attacking trusted office computers and server also on the internal LAN.

I imagine I have to do this via creating appropriate ranges and possibly rules or exclusions or port forwarding on the firewall but I have little experience at the particulars of this.

I would appreciate if anyone could advise me as to the topology, steps and particulars of getting the DMZ > LAN printing working or refer me to detailed info on the subject.

I would think it would be a common need for small offices but can't find much material on the subject.

I do understand that such would slightly weaken the firewall but feel that I would gain more security overall.

thanks in advance,

dbota
 
I believe what you are looking for is not DMZ but rather two different lan networks.

You have a router / firewall with three nics.

NIC1 is attached to the ISP
NIC2 is attached to LAN1 = main lan
NIC3 is attached to LAN2 = for guest wlan clients

Now there would be NAT happening right? You NAT both LANs 1 & 2 to the internet.

Then you would restrict access from LAN2 -> LAN1 and vice versa with firewall rules. For example explicit deny. Then you would make a rule above the default deny that printer traffic can go through both ways.

Correct me if this is not what you are seeking?
 
I don't really know the technical difference between a firewall with a LAN & DMZ and a firewall with two LANs but I am interested in any configuration that will protect trusted cabled assets on an internal LAN from untrusted laptops that connect via wifi and come and go but need ability to print on site.

It's a small office with 8 computers and two laptops and I was trying to avoid buying a separate IP printer for the laptops.... which would solve the issue

I was hoping to figure out a firewall configuration that would give the laptops, connecting in a DMZ or separate LAN, printing capability on the office's large HP IP printer located on the trusted internal LAN.

I suppose if the large HP printer had wifi printing capability built in, the laptops could connect in that way across the zones but it does not.

All ideas will be appreciated.

db

It seems to me that most all offices would have this need and problem... but it doesn't seem to be addressed much anywhere...
 
KrisseZ's setup works (that's the setup I'm using). You want 2 LANs because a DMZ would leave the visitors unprotected from the internet (not behind a firewall).

Just make sure your printer has a static IP (either static in the printer's config or better yet, a reservation in your main LAN DHCP) and just allow traffic to and from that IP to your guest LAN.

Also, your 2 LANs will be on separate subnets, each with their own DHCP.
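
The two-LAN layout described in the replies above, written as an nftables ruleset for a Linux-based firewall. This is an added example, not part of any poster's reply and not Untangle's own configuration; the interface names, subnets, printer address and print ports are assumptions. It assumes a stateful firewall, so the printer's replies are covered by connection tracking instead of a separate rule in the other direction.

```nftables
#!/usr/sbin/nft -f
# Added example. Every name and address below is an assumption; adjust to the site.

define wan_if      = "eth0"              # NIC1: attached to the ISP
define lan_if      = "eth1"              # NIC2: LAN1, main LAN
define guest_if    = "eth2"              # NIC3: LAN2, guest WLAN clients
define guest_net   = 192.168.2.0/24      # LAN2 subnet, with its own DHCP
define printer_ip  = 192.168.1.50        # printer on LAN1: static IP or DHCP reservation
define print_ports = { 9100, 631, 515 }  # raw/JetDirect, IPP, LPD; keep only what the printer uses

# Create-then-delete so the file can be reloaded without duplicating rules.
table inet office_fw
delete table inet office_fw
table ip office_nat
delete table ip office_nat

table inet office_fw {
    chain forward {
        # Default deny between all interfaces, both directions.
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already allowed (including the printer's).
        ct state established,related accept
        ct state invalid drop

        # The one exception above the default deny: guests may open print jobs to the printer.
        iifname $guest_if oifname $lan_if ip saddr $guest_net ip daddr $printer_ip tcp dport $print_ports accept

        # Anything else from the guest LAN towards LAN1 is logged, then dropped.
        iifname $guest_if oifname $lan_if log prefix "guest->lan1 drop: " drop

        # Both LANs may reach the internet. New LAN1 -> LAN2 traffic hits the drop policy.
        iifname { $lan_if, $guest_if } oifname $wan_if accept
    }
    # Access to the firewall host itself (an input chain) is outside this example.
}

table ip office_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # NAT both LANs to the internet.
        oifname $wan_if masquerade
    }
}
```

After loading, a print job from a guest laptop should succeed while a connection attempt from the same laptop to any other LAN1 address shows up in the kernel log with the `guest->lan1 drop:` prefix.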
 