
iptables rules for HP printing, scanning & ePrint app

  • 14-04-2016 4:32pm
    #1
    Registered Users Posts: 2,797 ✭✭✭


    I have a Netgear Nighthawk R7000 flashed with DD-WRT, and we have a guest Wi-Fi virtual SSID wl0.1 configured for guests but mainly business laptops and printers in our home. This wl0.1 network is isolated from the rest of our network, namely our two personal Wi-Fi networks (ac and b/g/n) and LAN. On wl0.1 we have a business printer connected with a static IP of 192.168.2.2.

    I would like our own personal devices on our personal LAN and Wi-Fi networks to be able to use the printer as if they were on the same network. I am able to do this using the following iptables rules, which seem to allow printing and scanning from all devices:

    iptables -I FORWARD -i br0 -o wl0.1 -d 192.168.2.2 -p tcp --dport 1:65535 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br0 -o wl0.1 -d 192.168.2.2 -p udp --dport 1:65535 -m state --state NEW -j ACCEPT
    

    Although I would rather limit the ports that are forwarded.

    From http://h30434.www3.hp.com/t5/Inkjet-Printing/Incoming-and-Outgoing-Printer-Ports/td-p/2617955
    Incoming ports (UDP) are destination ports on the computer while outgoing ports (TCP) are destination ports on the HP printer.

    • Incoming (UDP) ports: 137, 138, 161, 427

    • Outgoing (TCP) ports: 137, 139, 427, 9100, 9220, 9500

    The ports are used for the following functions:

    Printing - UDP ports: 427, 137, 161, TCP port: 9100

    Photo card upload - UDP ports: 137, 138, 427, TCP port: 139

    Scanning - UDP port: 427, TCP ports: 9220, 9500

    HP device status - UDP port: 161

    Faxing - UDP port: 427, TCP port: 9220

    HP device installation - UDP port: 427

    Web Services Ports - UDP and TCP: 80, 443, 5222, and 5223

    Bonjour Ports - UDP and TCP: 5353, 5297, and 5298

    From http://h30434.www3.hp.com/t5/HP-Connected-Mobile-Printing-and-Cloud-Printing/What-ports-to-open-on-ADSL-router-for-ePrint/td-p/457327
    You will need to enable the following 2 ports:

    5222 (for XMPP protocol)

    443 (for HTTPS protocol)

    Using those ports I replaced the two iptables rules from earlier with the following:
    iptables -I FORWARD -i br0 -o wl0.1 -d 192.168.2.2 -p udp -m multiport --dports 80,137,138,161,427,443,5222,5223,5297,5298,5353 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br0 -o wl0.1 -d 192.168.2.2 -p tcp -m multiport --dports 80,137,139,427,443,5222,5223,5297,5298,5353,9100,9220,9500 -m state --state NEW -j ACCEPT
    

    These work, for the most part. I can print fine using Ubuntu and Windows from my desktop on the LAN, and the HP ePrint app on Android works fine once I specify the IP address of the printer. Unfortunately scanning does not work from my desktop, and HP ePrint needs the IP address input constantly, and even at that works only intermittently.

    Any ideas how I can limit the ports forwarded, but still allow full access to printing and scanning?
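    The port-limited rules from the post, as an added example that is not the poster's own script: it derives the UDP and TCP multiport lists from the HP port table quoted above, checks them against the multiport limit, and emits the DD-WRT iptables commands. The interface names and printer IP are the ones from the thread; the ESTABLISHED,RELATED return rule is an assumption about what the router's FORWARD chain may or may not already contain.

```shell
#!/bin/sh
# Nothing is applied unless APPLY=1 is set; by default the rules are only printed.
PRINTER_IP="192.168.2.2"   # printer's static IP on the guest SSID (from the thread)
LAN_IF="br0"               # personal LAN / Wi-Fi bridge
GUEST_IF="wl0.1"           # isolated guest/business virtual SSID

# Port table as quoted from HP support: the "incoming (UDP)" and "outgoing (TCP)"
# base sets plus the per-function additions.
BASE_UDP="137,138,161,427";      BASE_TCP="137,139,427,9100,9220,9500"
PRINT_UDP="427,137,161";         PRINT_TCP="9100"
PHOTO_UDP="137,138,427";         PHOTO_TCP="139"
SCAN_UDP="427";                  SCAN_TCP="9220,9500"
STATUS_UDP="161";                STATUS_TCP=""
FAX_UDP="427";                   FAX_TCP="9220"
WEB_UDP="80,443,5222,5223";      WEB_TCP="80,443,5222,5223"
BONJOUR_UDP="5353,5297,5298";    BONJOUR_TCP="5353,5297,5298"

# Merge any number of comma-separated lists into one sorted, de-duplicated list,
# which is the form "-m multiport --dports" expects.
merge_ports() {
    printf '%s\n' "$@" | tr ',' '\n' | grep -v '^$' | sort -n -u | paste -sd, -
}
count_ports() { printf '%s' "$1" | tr ',' '\n' | grep -c .; }

udp_ports() { merge_ports "$BASE_UDP" "$PRINT_UDP" "$PHOTO_UDP" "$SCAN_UDP" "$STATUS_UDP" "$FAX_UDP" "$WEB_UDP" "$BONJOUR_UDP"; }
tcp_ports() { merge_ports "$BASE_TCP" "$PRINT_TCP" "$PHOTO_TCP" "$SCAN_TCP" "$STATUS_TCP" "$FAX_TCP" "$WEB_TCP" "$BONJOUR_TCP"; }

# One FORWARD rule: only NEW flows from the LAN bridge to the printer, limited to
# the given protocol and port list. multiport accepts at most 15 ports per rule.
build_rule() {
    proto="$1"; ports="$2"
    [ -n "$ports" ] || return 0
    [ "$(count_ports "$ports")" -le 15 ] || { echo "too many ports for one multiport rule: $ports" >&2; return 1; }
    printf 'iptables -I FORWARD -i %s -o %s -d %s -p %s -m multiport --dports %s -m state --state NEW -j ACCEPT\n' \
        "$LAN_IF" "$GUEST_IF" "$PRINTER_IP" "$proto" "$ports"
}

# Replies to those flows must be allowed back from the printer; DD-WRT normally has a
# generic rule for this already, in which case this one is a harmless duplicate.
build_return_rule() {
    printf 'iptables -I FORWARD -i %s -o %s -s %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$GUEST_IF" "$LAN_IF" "$PRINTER_IP"
}

emit_rules() {
    build_return_rule
    build_rule udp "$(udp_ports)"
    build_rule tcp "$(tcp_ports)"
}
if [ "${APPLY:-0}" = 1 ]; then emit_rules | sh; else emit_rules; fi
```

The generated lists match the two rules in the post exactly, which makes it easy to drop a function (for example the fax or photo-card ports) and regenerate a tighter rule.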


Comments

  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    I also have the following startup command saved in DD-WRT, <MAC> being the actual MAC address of the printer:
    arp -s 192.168.2.2 <MAC>
    


  • Registered Users Posts: 36,167 ✭✭✭✭ED E


    Detection works over L2 bcast normally, this won't transit across VLANs.


  • Registered Users Posts: 2,797 ✭✭✭runswithascript


    ED E wrote: »
    Detection works over L2 bcast normally, this won't transit across VLANs.

    I can live with the IP not being detected unless specified - I just need the IP to hold in iOS HP ePrint, and scanning to work. Like I said, this works when I use the rules with the port ranges; I would just like not to have to forward every possible port.

