
DMZ Advice for Printing

Kevin K

Regular Contributor
Two questions about using DMZ for printing: In both scenarios, I'm trying to make printer(s) accessible from inside and outside my ASUS/Merlin RT-AC88U.
  • If I need to make one printer available to an inner network (LAN) and outer network (WAN), would DMZ be a good solution?
    • The config page says "all the inbounds packets will be redirected to the computer..." Would I still be able to use port forwarding in addition to DMZ; i.e. is DMZ going to send everything to the DMZ computer *instead* of port forwarding or in *addition* to port forwarding?
  • If I need to make two printers available to both the LAN and WAN, where each printer has a separate IP address, can I do this without setting up a separate DMZ router? Or should I set up a single DMZ computer as a print server, and hang both printers off it?
  • Bonus Points: One of the 'printers' also has a scan-to-FTP. Can I set up this printer to be able to reach a LAN computer via FTP?
Maybe I'm over-thinking this? If you had an AC88U, with some computers on the WAN side and some computers on the LAN side, what's the simplest way to let both sides share a printer, while otherwise keeping the outside computers away from the LAN?
 
Don't use the DMZ for a printer.

If you really need access to the printer from the internet, use port forwarding if you have to, preferably restricting access by IP address. Most printers have their own method of remote printing built-in, usually using some form of cloud service. This provides some element of security, which at least is better than none at all, which is what happens with port forwarding/DMZ.

EDIT: I'm assuming that the WAN-side is the internet. If it's just another LAN segment then maybe security is not a concern.
 
Re-reading your post and the subsequent edit you made, it sounds like your "WAN" is not the internet but just another LAN. In which case the answer to your question is probably to use port forwarding for the specific ports required. But to be sure we'd need to know a lot more about how your 2 LAN segments are connected together (firewall, NAT, routing, subnets, etc.) and detailed information on the printers/scanners (USB or network attached, to what device, how they're currently accessed/addressed, etc.).

The scan to FTP function should be fairly straightforward. You just tell the scanner the name/IP address and logon details for an FTP server. That FTP server could be running on a PC, a server or even the router.
 
Don't use the DMZ for a printer.

EDIT: I'm assuming that the WAN-side is the internet. If it's just another LAN segment then maybe security is not a concern.

Thank you.

WAN is another LAN. My kids have reached an age where they are ready to manage their own PCs, but I want to protect family financial data from malware on their machines. I'm setting up 'rings' of security. Inner ring is machines with finance. Middle ring is general purpose. Outer ring is kids' computers and family guests. Outside that is Internet.

I could just put the printers on the outer ring, but scan-to-FTP is an essential function on one of those 'printers.' I might put the printers in the outer ring, and throw a Raspberry Pi on the outer ring as a temporary FTP drop.
 
Re-reading your post and the subsequent edit you made it sounds like your ...
The scan to FTP function should be fairly straightforward. You just tell the scanner the name/IP address and logon details for an FTP server. That FTP server could be running on a PC, a server or even the router.

I want to be careful to get this right, because it has to do with security...

If I enable the FTP server on my RT-AC88U, and I want to permit solely the scanner on the WAN side to have access (plus I want the LAN side to have access), how can I make that happen?

I see the option to enable WAN access to FTP, but that permits all WAN to reach the internal FTP server. If I ran FTP on a *computer* on the LAN side, I could set up an inbound port-forward to the FTP server. Is there a way to configure inbound access to the built-in FTP server for a single WAN IP via the GUI, or am I going to have to get into command-line config of ipchains?

Would I just set up a port forward to the internal IP of the router, and limit it to the remote IP of the scanner via the Firewall page?
 
There's no way that I can see in the GUI that will set up IP filtered access to the router's FTP server from the WAN side (it relies on user name and password instead). The port forwarding rules are for WAN to LAN, not WAN to router. (I tried setting the destination IP as the router's address and unsurprisingly it doesn't work.) Additionally, FTP can be a bit of a pain in the a$$ when NAT is involved because it requires the use of a "helper".

So the best solution would be to create a simple /jffs/scripts/firewall-start script on the router instead. (Change the source IP address as required)
Code:
#!/bin/sh

# Delete the existing DROP at the end of the chain
iptables -D INPUT -j DROP

# Append our FTP rules
iptables -A INPUT -s 192.168.1.99 -p tcp -m tcp --dport 21 -j ACCEPT

# Don't forget to add the DROP at the end
iptables -A INPUT -j DROP
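
An added example, not part of the original post: a variant of the firewall-start rule above that inserts the ACCEPT ahead of the chain's final DROP instead of deleting and re-adding it, skips the insert if the rule is already present, and leaves the chain alone if it does not end in a plain DROP. It assumes the router's iptables supports `-C` and `-S`; the function names and the `IPTABLES` and `APPLY` variables are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread. 192.168.1.99 is the thread's sample scanner IP.
IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be tested off-router

# Succeeds only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

# Allow one source IP to reach the router's FTP control port (tcp/21).
allow_ftp_from() {
    src="$1"
    valid_ipv4 "$src" || { echo "invalid source IP: $src" >&2; return 2; }

    # -C tests for the exact rule, so a re-run does not stack duplicates.
    if $IPTABLES -C INPUT -s "$src" -p tcp -m tcp --dport 21 -j ACCEPT 2>/dev/null; then
        return 0
    fi

    rules=$($IPTABLES -S INPUT | grep '^-A INPUT')
    last=$(printf '%s\n' "$rules" | tail -n 1)
    count=$(printf '%s\n' "$rules" | grep -c '^-A INPUT')

    # Refuse to guess if the chain does not end in the plain DROP the post expects.
    if [ "$last" != "-A INPUT -j DROP" ]; then
        echo "INPUT does not end in '-j DROP'; leaving it unchanged" >&2
        return 1
    fi

    # Inserting at the DROP's position pushes the DROP down one slot.
    $IPTABLES -I INPUT "$count" -s "$src" -p tcp -m tcp --dport 21 -j ACCEPT
}

# Only touch the live firewall when asked to (APPLY=1 is this example's own switch).
if [ "${APPLY:-0}" = 1 ]; then
    allow_ftp_from 192.168.1.99
fi
```

Run with `APPLY=1` from firewall-start to apply the rule; without it the script only defines the functions.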
 
