Controllerless Networks

We are using IAP-105 access points and have a secondary wireless network with its own SSID and VLAN (VLAN2).  We would like to allow devices connected to VLAN2 to be able to print to a printer located on the default VLAN.  

We have added an Access Rule to the secondary network to "All any on server 10.10.2.30" (IP address for the desired printer) but this does not work.  

We also tried specifying TCP port 9100: "Allow 6:9100:9100 on server 10.10.2.30" but that did not work either.  

The current access rule list looks like this: 

     Assign to VLAN 2

     Allow 6:9100:9100 on server 10.10.2.30

     Allow any on server 10.10.2.30

     Deny any to network 10.10.2.0/255.255.255.0

     Allow any to all destinations

Any ideas why this isn't working?

Thanks,

Steve

Can you browse to the printer's management page from the client?

Yes, we are able to ping the printer and browse the printer management page but cannot print to the printer.  

Did you already add the printer to the wireless device?

Yes, the printer driver is installed on the laptop.  If we connect to the primary network we can print fine.  When we connect to the secondary we can ping the printer and access the printer management page but cannot print.

Is there any way to remove all the ACLs between the networks, to see if it is a port 9100 issue?

Are you sure it uses port 9100?

Yes, I am sure it uses TCP port 9100.

Moved the "Allow any to all destinations" rule to the top of the list.  I can still ping the printer and acess the printer management page but cannot print.  I also verified that I am able to access other devices on the 10.10.2.X network after this rule change but still cannot print.  

We moved the secondary network from VLAN2 to the default VLAN and it is printing correctly with the ACLs that were in place.  Isolation from all other 10.10.2.X devices is not working completely -- port scan still returns IPs, MAC addresses and Mfg/brand names but does not list open ports for devices that are being blocked by the ACL.  Eventhough access to the other devices is blocked I would much rather have the secondary network on it's own VLAN.

Any other ideas?

SteveD,

I would install wireshark on the host and see if there is any additional traffic that is required.  Some printer drivers would need to poll the printer via SNMP first to see if there was anything in the queue  http://community.spiceworks.com/topic/89870-snmp-settings-take-printer-offline

What is the routing device between the two VLANs?  What is the default gateway for the wireless users?

Colin,

The VLANs are being defined and handled by the IAP-105 access points.  When the secondary network is on VLAN2 the gateway is 172.31.98.1 ... when we have both on the default VLAN the gateway becomes 10.10.2.1.

SteveD,

I do not understand if the IAP is the default gateway of your clients, but:

If the default gateway for your clients is the IAP, your IAP could be Natting the traffic (magic VLAN) and could break your printer communication.  See if they could be placed on a "Network-Assigned" VLAN where something else does the routing, and avoid NAT.  If that does not work, I would open a case with TAC.