Printing across VLAN not working

[Prophet4NO1]

So, I have a strange situation. I have a printer on a VLAN and am having communication issues. From the main network, I have the NAT box checked for that interface. But not on the VLAN interface. I do not want things on the VLAN talking to the primary LAN unless the communication comes from the primary LAN. Everything seems to work as intended, except my printer.

So, the printer can be seen and pinged from the primary network. NAT works and ping replies are coming back from the printer. The computer on the primary network can detect the printer and show it as connected. So, everything seems fine till I send a print to the printer. That seems to get blocked by the firewall. If I connect to the VLAN and send a print, works fine. So, the firewall is the issue.

I went through the event logs searching for the IP of the printer, nothing is showing up. I am still learning my way around this after moving off pfsense, so I may not be looking in the right places. Any pointers or ideas would be great. Not sure why I can ping the printer but not print to it.

[TirsoJRP]

So... you are using NAT between VLANs?

[Prophet4NO1]

Only from the secure side to the vlan but not the other way around. It is for managment purposes. This worked fine on pfsense. All outgoing connections to other local networks got blocked but i could connect into the vlan from outside it. Trying to setup the same thing on untangle. Seems everything on the vlan is blocked from the main network but i can connect from the main network to the vlan. Except the printer not printing.

This setup is mainly to isolate IoT and some other devices from the main core of the network.

[Prophet4NO1]

I guess i could make a firewall rule to just tunnel to the printer from the one machine on the ither network that needs it.

[TirsoJRP]

can you post a diagram?

[Prophet4NO1]

I can make something later. Not at home at the moment.

[sky-knight]

If you have a NAT tick box on an interior interface enabled, all communications into and out of that IP network are now impossible. It's not directional, it's an all or nothing gig. I know it seems like it shouldn't be... but it is and it causes all sorts of strange headaches.

If you want to poke a hole in the NAT you use a port forward, just like you do for Internet access to an interior service. And just like on the Internet, you need an IP address on Untangle you're forwarding that communication from because again devices outside the NAT boundary must be forwarded inward. Untangle will use its own addresses by default, but sometimes that's not good enough due to software firewalls built into IOT devices in particular that places special importance on the IP of the default gateway.

All of this creates a nightmare to troubleshoot mess, save your hair disable the NAT box and secure access into and out of that IP network with firewall rules like a sane person. Then you get logs, just beware... the firewall module like all other rack applications only processes TCP and UDP, so you can ping right through it. You can use filter rules if you want to stop all other protocols, but whatever you do save yourself the headache and control TCP and UDP with the firewall app. Your sanity will thank you for it. No more port forward rules and resulting translation headaches, just interior IP addresses and a nice easy to read log.