Hi all!
I need to block printer discovery from VLAN to LAN. I've set a rule that blocks all traffic from VLAN5 net to LAN net, and it is working. But if I try to add a printer using the wizard on a Win10 PC in VLAN5, it shows a printer in LAN and I can print.
How can I do that?
Thanks in advance!
Try to block from any to any UDP port 5353 in on VLAN5.
Same problem, printer is still there
Please show the list of all rules on VLAN5.
1.
Action: Block
Interface: VLAN5
Direction: in
TCP/IP version: IPv4+6
Protocol: any
Source: VLAN5 net
Destination: LAN net
2.
Action: Pass
Interface: VLAN5
Direction: in
TCP/IP version: IPv4+6
Protocol: any
Source: VLAN5 net
Destination: any
The mDNS responder that "Patrick M. Hausen" is referring to runs on the VLAN5 interface itself. Your first block rule blocks traffic towards the LAN segment, not the firewall interface in VLAN5 where the service is running (which you allow in the second rule). Add a rule between the two you have with source VLAN5 network and destination VLAN5 interface, port 5353.
You need to block with destination any, because mDNS does not have destination LAN net.
I wrote what exactly to block in my last post.
Added between them or as first rule, same problem.
1.
Action: Block
Interface: VLAN5
Direction: in
TCP/IP version: IPv4+6
Protocol: UDP
Source: any
Destination: any
Destination port range: 5353 - 5353
Packet capture:
IPv4, length 76: 192.168.110.116.5353 > 224.0.0.251.5353: UDP, length 34
Live view:
action: [pass]
dir: [out]
dst: 192.168.110.116
dstport: 5353
interface_name: VLAN5
ipversion: 4
label: let out anything from firewall host itself
protoname: udp
reason: match
src: 192.168.199.76
srcport: 5353
This is probably the reason why it doesn't apply the rule from my previous post, because a pass rule is already set among the "Automatically generated rules". How can I block it?
Are you running the UDP broadcast relay or the mDNS repeater on that VLAN5 interface?
None of them, they are not installed...
Quote from: Patrick M. Hausen on September 30, 2023, 07:07:58 PM
You need to block with destination any, because mDNS does not have destination LAN net.
I'm sorry for the confusion, I assumed the OP was running an mDNS responder; either way "my" rule would never match....
But printer discovery is in most cases broadcast or mDNS (multicast) based; the former will never leave the subnet, and for the latter you need to have some multicast routing in place. So it's weird you see the printer in the first place, and even if you did magically discover it, actually printing to it would match the VLAN to LAN block rule.
But this could not be the default behavior... How can I block it?
Disable mDNS Repeater on the VLAN5 interface.
mDNS repeater is not installed.
Without the mDNS repeater or UDP broadcast relay a multicast packet cannot cross interfaces. Even with "permit all" it cannot. You have something weird about your wiring.
Please provide a diagram of your network.
I've tried on a fresh install on different hardware, same problem.
WAN - LAN - VLAN5
VLAN5 with only one rule that blocks all traffic to LAN
Printer discovered by WSD on Win10.
Can someone explain why this happens?
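As an added example (not from this thread), a small first-match model of the VLAN5 rule set evaluated against the kind of traffic the thread discusses: it shows that the VLAN5-net-to-LAN-net block never matches multicast discovery because 224.0.0.251 and 239.255.255.250 are not in LAN net, that the UDP/5353 block catches the mDNS query from the capture but not a WS-Discovery probe, while an actual print job to a LAN address is blocked either way. The subnets, the WS-Discovery port 3702 and the printer address are assumptions, and the firewall's own automatically generated outbound rules are not modelled.

```python
import ipaddress
from collections import namedtuple

# Assumed subnets (the thread never states them): VLAN5 net is taken from the
# client address in the packet capture, LAN net is a placeholder.
ALIASES = {
    "VLAN5 net": ipaddress.ip_network("192.168.110.0/24"),
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "any": None,
}

# action: "block"/"pass"; proto: "any"/"udp"/"tcp"; src/dst: ALIASES keys; dport 0 = any port
Rule = namedtuple("Rule", "action proto src dst dport", defaults=(0,))
Packet = namedtuple("Packet", "proto src dst dport")

def _addr_in(alias, addr):
    net = ALIASES[alias]
    return net is None or ipaddress.ip_address(addr) in net

def matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport and rule.dport != pkt.dport:
        return False
    return _addr_in(rule.src, pkt.src) and _addr_in(rule.dst, pkt.dst)

def first_match(rules, pkt):
    """First-match evaluation (rules are 'quick' by default); returns (rule number, action).
    Rule number 0 means nothing matched and the default deny applies."""
    for i, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return i, rule.action
    return 0, "block"

# The two rules from the thread, and the same list with the UDP/5353 block placed first.
ORIGINAL = [Rule("block", "any", "VLAN5 net", "LAN net"),
            Rule("pass", "any", "VLAN5 net", "any")]
WITH_MDNS_BLOCK = [Rule("block", "udp", "any", "any", 5353)] + ORIGINAL

# Constructed packets: the mDNS query from the capture, a WS-Discovery probe
# (multicast 239.255.255.250, UDP 3702) and a raw-port print job to a LAN printer.
MDNS_QUERY = Packet("udp", "192.168.110.116", "224.0.0.251", 5353)
WSD_PROBE = Packet("udp", "192.168.110.116", "239.255.255.250", 3702)
PRINT_JOB = Packet("tcp", "192.168.110.116", "192.168.1.50", 9100)

if __name__ == "__main__":
    for name, pkt in (("mDNS", MDNS_QUERY), ("WSD", WSD_PROBE), ("print", PRINT_JOB)):
        print(name, first_match(ORIGINAL, pkt), first_match(WITH_MDNS_BLOCK, pkt))
```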
VLAN5 on the same physical interface as LAN? LAN untagged? Don't mix tagged and untagged on the same port.
If not, please provide a diagram of your network. OPNsense, switch, clients, ...
In Interfaces - Other types - VLAN5 I've set LAN as Parent interface and 5 as VLAN tag. Next I've set a static IP in the newly created interface VLAN5 in Interface Assignments. And lastly there is the LAN-block rule.
Connected to this port is a trunk port of a managed switch. It has an 802.1Q VLAN configuration with some ports PVID1 and others PVID5, and another one set to trunk, connected to an access point with multiple SSIDs.
What is wrong in this configuration?