Options

Print to Local Printer with VPN connection ON

Joao_ManuelJoao_Manuel
in Firebox - VPN Mobile User

Hi there! its my first message on the board regarding a matter with my Watchguard M370, please advise. I have a M370 with VPN Mobile with SSL. The connection works great, everything is going well... however, when i am connected to the VPN i am unable to print to my local printer. I can only print to my local printer if i disconnect the vpn. I have "routed VPN traffic", will this work with routed VPN traffic or i have to select to Bridge VPN traffic? When i try to select Bridge i get this error: "You must configure at least one bridge interface before you can select the 'Bridge VPN traffic' option. For instructions, click the Help link at the top of this page."
many thanks in advance

Comments

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Joao_Manuel
    If you're in routed mode and your local/remote networks don't overlap, the SSLVPN should allow access to your local network.

    If your local network and remote network are the same IP range (like 192.168.1.x) then please change one of the sides to be a different subnet -- without the conflict, you should be able to access your local network.

    -James Carson
    WatchGuard Customer Support

  • Options
    Bruce_BriggsBruce_Briggs

    If you have the "Force all client traffic through tunnel", then this will prevent local printing when the tunnel is up.

    You would need to unselect this option on the SSLVPN setup, and identify all subnets that you want to access via the SSLVPN tunnel and add those to the SSLVPN setup, or select "Allow access to all Trusted, Optional, and Custom networks".
    Internet access will now be direct from your PC and will not go via the firewall.
    This is called a split tunnel, and is considered a possible security risk as you are connected to the Internet and to your firewall trusted resources at the same time via separate paths.

  • Options
    Joao_ManuelJoao_Manuel

    Hi there! Thank you so much for your replies. It's strange, my local network is 192.168.1.X and my vpn network is 192.168.113.X ... so they don't overlap. My guess is that this should work. Also, i dont have "force all client traffic through tunnel" enabled and i have "allow access to all trusted, optional, and custom networks" enabled. However... when i try to print to a local printer i cant, only with vpn disconnected. what am i doing wrong? thanks in advance guys. attached a picture of the config.

  • Options
    Bruce_BriggsBruce_Briggs
    edited July 2023

    What are the subnets on your firewall for Trusted, Optional & Custom networks?
    Any of those 192.168.1.X ?

  • Options
    Joao_ManuelJoao_Manuel

    Hi @Bruce_Briggs ! Thank you for your reply, i've been battling against this in the last few days but i cant succeed.
    I only have one trusted network that is 192.168.1.1/24
    Then, the vpn users have the 192.168.113.0 that where they connect.

    the local network of the vpn user is for example, 192.168.1.254. And the printers gateway is set with 192.168.1.254. With the vpn connection offline printer works fine. As soon as the user connects the vpn, printer vanishes.
    what to doooooooooooo?
    im getting grey hair on this :hushed:

  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Joao_Manuel

    Your trusted network and the user's home network are the same subnet (192.168.1.0/24.) The SSLVPN is taking that subnet over because that is the route to the trusted network on the firewall. In order for this to work, either the customer's home network needs to be changed, or your trusted network needs to be changed.

    -James Carson
    WatchGuard Customer Support

  • Options
    Joao_ManuelJoao_Manuel

    Hi @james.carson , thank you for your reply. Can you tell me which is the easiest and quickest way to do this? Should i change the home network or the trusted network on the firewall?
    When you mean the same subnet, it's the 255.255.255.0, right?
    thanks.

  • Options
    Bruce_BriggsBruce_Briggs

    No, that is a subnet MASK, which is the same a /24.

    The subnet is 192.168.1.0/24

    Which is easier - the end with less IP addrs to change, which normally is the home setup.

    However, we recommend not using common subnets, such as 192.168.1.0/24 on your firewall internal interfaces.

  • Options
    Joao_ManuelJoao_Manuel

    Ah! Roger, ok.
    For example, my internal interface is configured with 192.168.1.1 (thats my firewall ip).

    So you're saying that my client network should have IPs and Gateway something like:
    Gateway: 192.168.50.1
    Clients: 192.168.50.0

    Right?
    Thanks!

  • Options
    Bruce_BriggsBruce_Briggs

    Yes

  • Options
    Bruce_BriggsBruce_Briggs

    Note that this will require changing the IP addrs all devices at that site, including the firewall trusted interface, the PCs and the printer

Sign In to comment.