LAN 1: 192.168.2.1
LAN 2: 192.168.1.1
Printers:
Brother HL 192.168.1.115
Brother MFC 192.168.1.127
With Untangle, I could set up a rule to allow traffic from LAN1 to LAN2 only in that direction.  I'm trying to figure out the OPNSense way. Thanks
A FW rule on LAN1 with in direction (perspective of the FW) and destination of "LAN2 net" (or alias including printers) will do just that.
With regards to protocol and ports used, you could observe the FW live view as you try to print.
Thanks Eric.  I swear I tried that and it didn't work.
I'm going to start a new thread that I hope you can answer as quickly. I don't want to cloud this thread.
Thanks again.
You might want to share a screenshot of the rule.
Note that this should be sufficient to allow printing once the PC has been configured with the printers.
If printer discovery is also needed, then it is more complicated because discovery is by default constrained to the subnet of the source...
Here's an update.  The HL was set up as WSD and always worked from the 2.1 LAN.  The MFC was set up as TCP/IP and didn't/doesn't work.  I removed the MFC and reinstalled it as WSD and it works. The only blocks that exist are the auto generated ones.  This is what I have for rules in the 2.1 LAN.  Originally, I had source blank.  Should I leave them as WSD or figure out what is blocking them as TCP/IP?  Thanks
The first rule is a superset of the other two, but you probably know that.
That means rule 2 and 3 are never used...
If you're troubleshooting, you should probably enable logging.
Only you can decide whether WSD is sufficient for your use case.
It's possible you're losing some functionality compared to using the proprietary driver over TCP.
Your call.
As indicated in my previous reply, discovery (find my printer) is a different beast.
That typically does NOT work across VLANs (PC in one, printer in another) without additional configuration.
I don't know much about WSD but most discovery protocols use some form of broadcast that's confined to a VLAN (one reason for using VLANs is to make smaller broadcast domains).
The additional configuration needed comes in the form of a broadcast relay (there's a plug-in for that).
You can typically set up the printer by typing the IP address (available from the printer menus or from the DHCP logs).
Another option might be to temporarily use the PC in the same VLAN as the printer (for discovery), then set up the printer.
Once set up, move the PC back into its intended VLAN. Assuming the proper FW rules are in place, now that the PC knows where the target is, it might just work.
If you want to see artifacts of the communication in the FW logs, you need to enable logging for the rules you expect to be used.
So I was told that I needed that first rule in all my interfaces in order to get access to the internet.  If I read your response properly, I've granted full access to all the LANs using that rule.  What is the correct rule that I should be using for LAN2 and LAN3 to give them access to the Internet? Or should I be adding rules to block access to the other LANs?
I have logging enabled in Firewall but the printer activity never showed up.
Thanks Eric.
Your own rules are not set to log (grey i)...
FW > Settings > Advanced also has a logging section.
* is any. As a destination, any destination...
Create an alias (RFC1918_networks or private_networks) that contains either all private network ranges or at least the ones you use.
In the first rule, change the destination to that alias and invert it.
You'll need a rule to allow DNS at the interface gateway though.
[Attachment: Screenshot 2025-04-12 133549 OPN Test rules.png]
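To make the two points in this reply concrete (rule 1 "LAN net -> any" shadows the printer rules, and an inverted RFC1918 destination needs a separate DNS rule for the gateway), here is a small first-match rule evaluator. It is an added example, not code from the thread or from OPNsense; the aliases, the printer ports (9100 raw, 631 IPP) and the sample packets are constructed assumptions, and the real ports should be read off the firewall live view as suggested earlier in the thread.

```python
"""
Added example (not from the thread or OPNsense): a tiny first-match
evaluator for pass rules on one interface, used to show
  (a) why "LAN net -> any" as rule 1 makes rules 2 and 3 unreachable, and
  (b) the fix: DNS to the interface gateway, printers, then an RFC1918
      alias used as an INVERTED destination for Internet-only access.
Addresses, aliases and printer ports below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Aliases as they would be defined under Firewall > Aliases (constructed).
ALIASES = {
    "LAN1_net": ["192.168.2.0/24"],
    "LAN1_gw": ["192.168.2.1/32"],
    "Printers": ["192.168.1.115/32", "192.168.1.127/32"],
    "RFC1918_networks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                        # alias name or "any"
    dst: str                        # alias name or "any"
    ports: frozenset = frozenset()  # empty = any destination port
    invert_dst: bool = False        # the "/" (not) checkbox on destination


def _in_alias(addr, alias):
    if alias == "any":
        return True
    return any(ip_address(addr) in ip_network(n) for n in ALIASES[alias])


def matches(rule, src, dst, port):
    dst_ok = _in_alias(dst, rule.dst)
    if rule.invert_dst:
        dst_ok = not dst_ok
    port_ok = not rule.ports or port in rule.ports
    return _in_alias(src, rule.src) and dst_ok and port_ok


def decide(rules, src, dst, port):
    """First matching pass rule wins; no match means implicit default deny."""
    for r in rules:
        if matches(r, src, dst, port):
            return r.name
    return "DENY(default)"


def shadowed(rules, samples):
    """Names of rules that never win on any sample packet."""
    hit = {decide(rules, *p) for p in samples}
    return [r.name for r in rules if r.name not in hit]


# Rule set as posted: rule 1 is "LAN1 net -> any" (assumed ports for 2/3).
BEFORE = [
    Rule("1 allow all", "LAN1_net", "any"),
    Rule("2 Brother HL", "LAN1_net", "Printers", frozenset({9100})),
    Rule("3 Brother MFC", "LAN1_net", "Printers", frozenset({631})),
]

# Eric's fix: DNS to the gateway first, printers, then "not RFC1918".
AFTER = [
    Rule("1 DNS to gateway", "LAN1_net", "LAN1_gw", frozenset({53})),
    Rule("2 Printers", "LAN1_net", "Printers", frozenset({9100, 631})),
    Rule("3 Internet only", "LAN1_net", "RFC1918_networks", invert_dst=True),
]

# Constructed sample packets: (source, destination, destination port).
SAMPLES = [
    ("192.168.2.10", "192.168.2.1", 53),      # DNS to LAN1 gateway
    ("192.168.2.10", "192.168.1.115", 9100),  # raw print to HL
    ("192.168.2.10", "192.168.1.127", 631),   # IPP to MFC
    ("192.168.2.10", "192.168.1.50", 445),    # SMB to another LAN2 host
    ("192.168.2.10", "203.0.113.5", 443),     # Internet (TEST-NET-3)
]

if __name__ == "__main__":
    for label, rules in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, "shadowed:", shadowed(rules, SAMPLES))
        for pkt in SAMPLES:
            print("  ", pkt, "->", decide(rules, *pkt))
```

Running it shows every sample packet hitting "1 allow all" in BEFORE (so rules 2 and 3 are reported as shadowed, and SMB into LAN2 is allowed), while AFTER passes DNS, printing and Internet traffic and drops the LAN2 host on the default deny. Moving the DNS rule below the inverted rule would leave DNS to 192.168.2.1 unmatched, which is why the gateway rule has to exist on its own.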
When I go to FW -> Alias, there is an entry for this. I may have set that up from a video. After thinking about it, it should contain my subnets, right?
Thanks Eric
That looks appropriate.