Creating an ACL to allow access to a printer that is on one VLAN in the EAP...

Saturday - last edited 23 hours ago
Tags: #ACL #Gateway
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.3.0 Build 20250826 Rel.41004

Hope you're all well.


I have several VLANs on my EAP with different subnets. I need a VLAN belonging to a Wi-Fi printer to be accessed by another VLAN where the clients are located.


Printer VLAN = 2.4GHz
Client VLAN = 5.0GHz


I created an ACL on the client network for printer access. I can ping it, but it won't print.

I created an additional ACL on the printer network for client access. I ran the same test, but nothing.

I can only print when I connect the client to the same network as the printer.


If I'm pinging, the ACL is allowing it; I should be printing. I only see the printer going offline.


What am I doing wrong?

ADDITIONAL DETAILS - 1


The networks have some peculiarities.


[ SSID - 2G Printer ]
Guest Network = Disable
LAN = 192.168.10.0 / 29
Prohibit Wi-Fi Sharing = Enable
WPA Mode = WPA2-PSK / AES

VLAN: 71


[ SSID - 5G Client ]
Guest Network = Enable
LAN = 192.168.5.0 / 28
Prohibit Wi-Fi Sharing = Enable
WPA Mode = WPA2-PSK/WPA3-SAE / AES

VLAN: 70


[ ACL - VLAN 70 - Deny LAN to LAN ]

Type: Gateway

Direction: LAN -> LAN

Policy: Deny

Protocols: All

Source: VLAN 70

Destination: Others, except 71.


[ ACL - VLAN 71 - Deny LAN to LAN ]

Type: Gateway

Direction: LAN -> LAN

Policy: Deny

Protocols: All

Source: VLAN 71

Destination: VLAN 70 and others.


[ ACL - Allow VLAN 70 to Printer ]

Type: EAP

Policy: Permit

Protocols: All

Source: VLAN 70

Destination: IP group Printer. <- Create this for the printer IP - 192.168.5.4


I remembered something that happened to me, even before updating to the new firmware version of the controller and even the router.

I remember an IoT device couldn't work with the 192.168.7.0 / 29 network. I couldn't understand the limitation and couldn't find an explanation anywhere else. When I changed it to 192.168.7.0 / 28, the device was able to use the SSID - IoT.


I haven't tested it yet, but if anyone has any information, it would be helpful.

ADDITIONAL DETAILS - 2


I also tried disabling the Guest Network on the client VLAN, but the result was the same.

And in response to my friend, I also tried creating a Group to only report the printer's IP address.

Accepted Solution
Re: Creating an ACL to allow access to a printer that is on one VLAN in the EAP... - Solution
23 hours ago - last edited 23 hours ago

@Artur.Aragao

Thank you for your post. You can try configuring mDNS to see if it resolves the issue. Please add all networks as both Service Network and Client Network. Here is the configuration guide for your reference: How to configure mDNS via Omada Controller

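To show what the mDNS step in the accepted solution is for, here is an added Python example (not from this thread or from TP-Link): it builds the DNS-SD query a client multicasts to find IPP printers and parses the PTR answer a printer sends back. That traffic goes to 224.0.0.251:5353, a link-local multicast group that a router never forwards between VLANs, so a gateway ACL that permits unicast from VLAN 70 to the printer still leaves the client unable to discover it; the controller's mDNS service is what re-announces those answers into the client network. The embedded response is constructed, and the printer name "Office Printer" is an assumption.

```python
import struct

MDNS_GROUP = ("224.0.0.251", 5353)  # link-local multicast; a router does not forward it between VLANs
SERVICE = "_ipp._tcp.local"          # DNS-SD service type that IPP printers advertise
PTR = 12                             # DNS record type used for service enumeration

def encode_name(name):
    """Encode a dotted name as length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_ptr_query(service=SERVICE):
    """The query a client multicasts to enumerate printers: ID 0, flags 0, one PTR/IN question."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", PTR, 1)

def decode_name(pkt, off):
    """Decode a name at off, following compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                         # 2-byte pointer into an earlier name
            end = end or off + 2                      # the name ends after the first pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), end or off
        labels.append(pkt[off:off + ln].decode())
        off += ln

def parse_ptr_answers(pkt):
    """Return the service-instance names from the PTR answers of an mDNS response."""
    qd, an = struct.unpack("!HH", pkt[4:8])
    off, instances = 12, []
    for _ in range(qd):                               # skip any echoed question
        off = decode_name(pkt, off)[1] + 4
    for _ in range(an):
        off = decode_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == PTR:
            instances.append(decode_name(pkt, off)[0])
        off += rdlen
    return instances

# Constructed sample, not a real capture: the answer a printer named "Office Printer" multicasts
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)     # response, authoritative, no question, 1 answer
    + encode_name(SERVICE)                             # answer NAME starts at offset 12
    + struct.pack("!HHIH", PTR, 1, 4500, 17)           # PTR, IN, TTL 4500 s, RDLENGTH 17
    + b"\x0eOffice Printer" + b"\xc0\x0c"              # instance label + pointer back to offset 12
)
```

Sending build_ptr_query() to MDNS_GROUP from a UDP socket and feeding the replies to parse_ptr_answers lists only the printers on the client's own segment; a printer on VLAN 71 shows up from VLAN 70 only when the mDNS service repeats its answer there.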
Re:Creating an ACL to allow access to a printer that is on one VLAN in the EAP...
17 hours ago - last edited 4 hours ago

  @Ethan-TP


My dear.

Thank you for your kindness.
I'd like a more comprehensive explanation, if that's not too much trouble.

In my logic, if I'm enabling communication between the media (VLANs), no additional services would be necessary, since tunneling between them is functional.


One additional point.

I've been trying to understand more about mDNS, and this has caused me concern.
Some say it's just the mDNS reflector, and it's not working properly. Unfortunately, I haven't tested it yet because I had a busy day. I'm sorry I didn't answer this adequately.

And I saw in some posts on Reddit that enabling mDNS as a reflector activates it on all interfaces, including the WAN, and that would be quite bad. Could you confirm this?

Another detail: they say the best way to use mDNS is as a repeater, but then it would be applied on a separate server.

I'll try to run these tests later, but I'm VERY concerned about having to enable this on the WAN interfaces.
