RT6600ax Accessing a printer on the Primary Network, from a Custom network & VLAN.

I've recently installed a RT6600AX as the main router, which is connected to an MR2600AC mesh router via ethernet. I'm happy with performance and coverage so far. I live in a 1500 sq ft single-story house. I have seen a full-strength wifi signal sitting in the driveway, no complaints there.

I've updated the RT6600AX to SRM 1.3 as soon as it was powered up.



I have 4 networks on the mesh system

  1. I have the Primary Network (automatically created by the router), our computers, phones and tablets are connected here. The network printer is on the primary network, all devices on this network have no problems printing. Network Isolation is enabled.
  2. The Guest network (also automatically created by the router) is disabled.
  3. I have created the IOT network for all of the IOT gadgets, this is on its own VLAN, network isolation is enabled.
  4. I have created a Visitor network for people who are visiting, also on its own VLAN, network isolation is enabled.
Everything seems to be working well. Wifi speeds are almost half of ethernet speeds, I haven't seen any connection problems yet. I'm happy with the speeds.



The only thing I haven't been able to figure out is how to allow the Visitor network to access the network printer on the primary network. Tech support sent me this article, but it didn't help.

How can I block access between two local networks while allowing communication among certain devices? - Synology Knowledge Center

My situation is just the reverse: the printer is on the primary network, and I want to access it from the custom (Visitor) network.

I've created the bottom firewall rule (attached) but I still cannot even ping the network printer when I use the SSID from the Visitor network. I've never created firewall rules before so I'm sure I'm doing something wrong.

I've also tried reversing the source/destination settings, nothing changed.
 

[Attachment: firewall_rule.jpg]
> I've created the bottom firewall rule (attached) but I still cannot even ping the network printer when I use the SSID from the Visitor network. I've never created firewall rules before so I'm sure I'm doing something wrong.

You have to disable the network isolation to get it working with the firewall rules. It is described in the online Synology tutorial.
 
> You have to disable the network isolation to get it working with the firewall rules. It is described in the online Synology tutorial.

Thanks. I've disabled the network isolation on the primary and visitor networks, and have reconfigured the firewall rules per the article. I still cannot print from the visitor network.
(Note: my situation is reversed from that article. The printer is on the primary network; the Visitor network is trying to access that printer.)
-- post merged: --

Yep, Network Isolation means that LAN cannot be accessed from or to other LANs. It overrides any firewall rules. I think the built-in Help explains this.


MR2200ac? Or RT2600ac?
Thanks. I've disabled network isolation on both networks and reconfigured my firewall per that article from Synology support. I still cannot print from the visitor network. I've posted a screenshot of my current firewall rules in a previous message today.
 

[Attachment: Screen Shot 2024-01-14 at 6.53.31 PM.png]
How are you trying to access the printer? Using its LAN IP? Because Bonjour and other local network advertising/discovery won't be working outside the main LAN.

Though you can try this setting, I doubt it will work:
[Attachment 14387]
Yes, using the printer's IP address.
-- post merged: --

I will try enabling the multicast setting too.
Thanks
 
Looking at the firewall rules screenshot, are there any hits on these rules as the image shows none?

Some other info. you might ignore...

I think there's an implicit allow outbound LAN to WAN, unless you add one and then the auto-added port forwards will stop working :( So I have manually added port-forwards and then a deny all as my final rule.
There are also the rules at the bottom of the window, how are they set? These are mine:
[Attachment: 1705338667943.png]

I would also confirm that the network isolation settings have actually been saved: not denying you did it, but it's a bit odd that that access isn't possible, so it may still be enabled on one of the networks.

To test how the firewall is working I would consider stepping through the setup:
  1. Initially start out with two rules that allow visitor->main and main->visitor for all destination IPs and ports.
  2. Once that is seen to work I would then try making the visitor->main for a restricted destination (IP, and ports?), placing it first... to see which rule gets increased hits.
  3. When that is getting hit I would finally switch the visitor->main unrestricted to deny.
Noting that these rules are for UDP and TCP, you need other rules for ICMP (e.g. most notably used for pings).
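The three-stage test above depends on two properties of the SRM firewall that the thread only states in passing: rules are matched top-down with the first match deciding (and counting a hit), and a rule written for TCP/UDP never sees ICMP, so a ping can succeed or fail independently of the printer rule. The following is an added example, not code from the thread or from Synology: a small Python model of a first-match rule list that replays the three stages with constructed subnets, a constructed printer address and constructed printer ports, and reports the verdicts and hit counters each stage would produce. The `default` verdict for traffic that matches nothing is a parameter, because the thread later suspects an implicit ICMP rule sits behind the visible list.

```python
"""Constructed model of a first-match firewall, written to walk through the
three-stage rule test suggested above. Subnets, hosts and ports are made up
and do not come from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MAIN_LAN = "192.168.1.0/24"           # constructed: primary network
VISITOR_LAN = "192.168.20.0/24"       # constructed: Visitor VLAN
PRINTER = "192.168.1.50/32"           # constructed: printer on the primary network
PRINT_PORTS = frozenset({9100, 631})  # raw/JetDirect and IPP, typical printer ports
TCP_UDP = frozenset({"tcp", "udp"})


@dataclass
class Rule:
    name: str
    src: str                    # source network (CIDR)
    dst: str                    # destination network or host (CIDR)
    protos: frozenset           # subset of {"tcp", "udp", "icmp"}
    ports: Optional[frozenset]  # None = any destination port
    action: str                 # "allow" or "deny"
    hits: int = 0

    def matches(self, proto, src, dst, dport):
        return (proto in self.protos
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.ports is None or dport in self.ports))


def evaluate(rules, proto, src, dst, dport=None, default="deny"):
    """First matching rule decides and gets a hit; the default applies when
    nothing matches (the thread suspects an implicit ICMP allow here)."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            rule.hits += 1
            return rule.action
    return default


def stage_rules(stage):
    """Rule sets for the three stages of the test: 1) allow everything both
    ways, 2) add a printer-only rule on top, 3) turn the broad rule to deny."""
    broad = Rule("visitor->main any", VISITOR_LAN, MAIN_LAN, TCP_UDP, None, "allow")
    back = Rule("main->visitor any", MAIN_LAN, VISITOR_LAN, TCP_UDP, None, "allow")
    if stage == 1:
        return [broad, back]
    printer_only = Rule("visitor->printer", VISITOR_LAN, PRINTER, TCP_UDP, PRINT_PORTS, "allow")
    if stage == 3:
        broad.action = "deny"
    return [printer_only, broad, back]


def run_stage(stage):
    """Send three constructed flows from a visitor host through the rule set
    and return (verdicts, hit counters per rule name)."""
    rules = stage_rules(stage)
    visitor_host = "192.168.20.7"  # constructed
    verdicts = {
        "print_job": evaluate(rules, "tcp", visitor_host, "192.168.1.50", 9100),
        "nas_web": evaluate(rules, "tcp", visitor_host, "192.168.1.10", 5000),
        # ICMP never matches a TCP/UDP rule, so ping falls through to the default
        "ping_printer": evaluate(rules, "icmp", visitor_host, "192.168.1.50"),
    }
    return verdicts, {r.name: r.hits for r in rules}


if __name__ == "__main__":
    for stage in (1, 2, 3):
        verdicts, hits = run_stage(stage)
        print(f"stage {stage}: {verdicts}  hits={hits}")
```

Stage 1 puts both hits on the broad rule; stage 2 moves the print job's hit to the printer-only rule while other traffic still lands on the broad rule; stage 3 keeps printing working and denies everything else, which is the intended end state. In every stage the ping is decided by the default, not by the listed rules, which is why the thread's observation that ping works with the top rule disabled is not a contradiction.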
 
> Looking at the firewall rules screenshot, are there any hits on these rules as the image shows none?

No hits.
What's even more confusing is that I can ping the printer from the Visitor network, even when the top rule is disabled.
It's starting to sound like their firmware is buggy.
 
> I would also confirm that the network isolation settings have actually been saved: not denying you did it, but it's a bit odd that that access isn't possible, so it may still be enabled on one of the networks.

I did explicitly verify that isolation is DISABLED for both networks.
 
> No hits.
> What's even more confusing is that I can ping the printer from the Visitor network, even when the top rule is disabled.
> It's starting to sound like their firmware is buggy.
That's odd... the no hits. I'm thinking that the ping is working because there's probably an invisible LAN ICMP rule permitting this. You could test by creating explicit rules for ICMP and set to deny, they hopefully would get hits.

For a firewall to mediate connections it has to be in the path of the connections, obviously. So why aren't you getting any hits, if the firewall is in their path?
Do you have a switch in your setup? Just trying to think how the VLANs are routing and maybe an unmanaged switch is somehow allowing interaction between the VLANs.
 
> Looking at the firewall rules screenshot, are there any hits on these rules as the image shows none?
>
> Some other info. you might ignore...
>
> I think there's an implicit allow outbound LAN to WAN, unless you add one and then the auto-added port forwards will stop working :( So I have manually added port-forwards and then a deny all as my final rule.
> There are also the rules at the bottom of the window, how are they set? These are mine:
>
> I would also confirm that the network isolation settings have actually been saved: not denying you did it, but it's a bit odd that that access isn't possible, so it may still be enabled on one of the networks.
>
> To test how the firewall is working I would consider stepping through the setup:
>   1. Initially start out with two rules that allow visitor->main and main->visitor for all destination IPs and ports.
>   2. Once that is seen to work I would then try making the visitor->main for a restricted destination (IP, and ports?), placing it first... to see which rule gets increased hits.
>   3. When that is getting hit I would finally switch the visitor->main unrestricted to deny.
> Noting that these rules are for UDP and TCP, you need other rules for ICMP (e.g. most notably used for pings).

I don't see that screen in the router config.
"I think there's an implicit allow outbound LAN to WAN, unless you add one and then the auto-added port forwards will stop working :( So I have manually added port-forwards and then a deny all as my final rule."
 
> I don't see that screen in the router config.
> "I think there's an implicit allow outbound LAN to WAN, unless you add one and then the auto-added port forwards will stop working :( So I have manually added port-forwards and then a deny all as my final rule."

The four rules are reduced to one, depending on the right-hand up/down toggle.
[Attachment: 1705343610205.png]
 
> That's odd... the no hits. I'm thinking that the ping is working because there's probably an invisible LAN ICMP rule permitting this. You could test by creating explicit rules for ICMP and set to deny, they hopefully would get hits.
>
> For a firewall to mediate connections it has to be in the path of the connections, obviously. So why aren't you getting any hits, if the firewall is in their path?
> Do you have a switch in your setup? Just trying to think how the VLANs are routing and maybe an unmanaged switch is somehow allowing interaction between the VLANs.

There is an unmanaged (Netgear GS105) switch on the network, but the printer is not connected to it.

The printer is connected directly to the LAN port on a MR2600AC.
I'll try to draw a simple diagram, take a picture of it, then post the picture.

The switch allows me to connect a Mac, Windows laptop, and DS1520+ to the primary network.
-- post merged: --

> The four rules are reduced to one, depending on the right-hand up/down toggle.
> [Attachment 14393]
Where is the LAN-WAN screen in the router config?
 
> Where is the LAN-WAN screen in the router config?

Collapsed: [Attachment: 1705344023441.png]; Open: [Attachment: 1705344046451.png]


> There is an unmanaged (Netgear GS105) switch on the network, but the printer is not connected to it.
>
> The printer is connected directly to the LAN port on a MR2600AC.
> I'll try to draw a simple diagram, take a picture of it, then post the picture.
>
> The switch allows me to connect a Mac, Windows laptop, and DS1520+ to the primary network.
OK. You would be better off using a managed switch in these situations as it recognises VLAN IDs, even if you only use it for VLAN ID 0 (default) for the main LAN. Something basic will work, I have used a TP-Link TL-SG108E 'smart' switch that was quite cheap and Netgear do something similar.

In your setup you could assign one of the RT6600ax's LAN ports to be an Access port for VLAN ID 0 and then connect the unmanaged switch to it. All devices connected to the switch will be on this VLAN and the router will now handle them correctly. However, in a mesh the other routers, such as your MR2200ac, cannot have their ports assigned to different VLANs: their ports are always Trunk ports for all VLANs. I've tested this out on my mesh setup.

The Ethernet mesh uplink must be to a Trunk port on the RT6600ax, so that all VLANs can be connected between routers. You can use a managed switch in between the two routers, provided it's configured correctly :) Synology advise against this because, well I assume, it probably makes more support calls for them.

Can you try removing the unmanaged switch and seeing what happens.
 
For reference, here are the VLAN & trunk/access port settings, in case I configured them wrong.
(FYI the guest network is disabled/not being used, but still has a VID assigned.)
[Attachment: Screen Shot 2024-01-15 at 11.08.23 AM.png]

-- post merged: --

> Collapsed [Attachment 14395]; Open [Attachment 14396]
>
> OK. You would be better off using a managed switch in these situations as it recognises VLAN IDs, even if you only use it for VLAN ID 0 (default) for the main LAN. Something basic will work, I have used a TP-Link TL-SG108E 'smart' switch that was quite cheap and Netgear do something similar.
>
> In your setup you could assign one of the RT6600ax's LAN ports to be an Access port for VLAN ID 0 and then connect the unmanaged switch to it. All devices connected to the switch will be on this VLAN and the router will now handle them correctly. However, in a mesh the other routers, such as your MR2200ac, cannot have their ports assigned to different VLANs: their ports are always Trunk ports for all VLANs. I've tested this out on my mesh setup.
>
> The Ethernet mesh uplink must be to a Trunk port on the RT6600ax, so that all VLANs can be connected between routers. You can use a managed switch in between the two routers, provided it's configured correctly :) Synology advise against this because, well I assume, it probably makes more support calls for them.
>
> Can you try removing the unmanaged switch and seeing what happens.

>However, in a mesh the other routers, such as your MR2200ac, cannot have their ports assigned to different VLANs: their ports are always Trunk ports for all VLANs.

I don't have any way to configure the MR2600. Once I connected it as a mesh device, the RT6600 takes care of everything.
-- post merged: --

> Collapsed [Attachment 14395]; Open [Attachment 14396]
>
> OK. You would be better off using a managed switch in these situations as it recognises VLAN IDs, even if you only use it for VLAN ID 0 (default) for the main LAN. Something basic will work, I have used a TP-Link TL-SG108E 'smart' switch that was quite cheap and Netgear do something similar.
>
> In your setup you could assign one of the RT6600ax's LAN ports to be an Access port for VLAN ID 0 and then connect the unmanaged switch to it. All devices connected to the switch will be on this VLAN and the router will now handle them correctly. However, in a mesh the other routers, such as your MR2200ac, cannot have their ports assigned to different VLANs: their ports are always Trunk ports for all VLANs. I've tested this out on my mesh setup.
>
> The Ethernet mesh uplink must be to a Trunk port on the RT6600ax, so that all VLANs can be connected between routers. You can use a managed switch in between the two routers, provided it's configured correctly :) Synology advise against this because, well I assume, it probably makes more support calls for them.
>
> Can you try removing the unmanaged switch and seeing what happens.

> VLAN ID 0

Why is the VLAN ID significant? I just used the ones assigned by the router. I haven't used VLANs before; the previous routers I've had didn't support them.
-- post merged: --

> Collapsed [Attachment 14395]; Open [Attachment 14396]
>
> OK. You would be better off using a managed switch in these situations as it recognises VLAN IDs, even if you only use it for VLAN ID 0 (default) for the main LAN.

I would like to avoid connecting a managed switch; I'm up against my limit of networking knowledge and VLANs.
 
@fredbert Your suggestion to enable Multicast DNS relay makes the printing work, even without firewall rules (I don't know if this is a good thing though, security-wise).

I do have to disable network isolation though.

Thanks for all of your help!!

[Attachment: Screen Shot 2024-01-15 at 6.21.10 PM.png]
 
Well there's something!

Just to cover off the other stuff, which seems to be superfluous now...

Regarding the MR2200ac and configuring ports (or anything else) when it's a member of a mesh: I was trying to say that this isn't possible when it's not the primary router. The point I was making was that the ports on mesh access points are set to be Trunk ports, so use VLAN tagging to distinguish between different packets on the various local networks.

VLAN tags are used to logically separate packets into different LANs when using the same physical hardware. The tag, or ID, is a number and each VLAN will have a different ID. These IDs have to be the same across all the physical devices that will be supporting VLANs. When considering a particular switch port it can support multiple VLANs, whereby you can set it to assume any untagged packets are assigned to one of the VLANs but all other VLANs' packets need to be tagged. However, when you connect an unmanaged switch it does none of the VLAN handling; different VLAN packets come to it and it doesn't know how to deal with them. In this case it is possible for a client device on the unmanaged switch to directly access devices on other VLANs, bypassing any central router. I tested this with SRM 1.2.5 and a switch acting between a RT2600ac and MR2200ac backhaul: guest WiFi devices on the MR2200ac could access devices on the switch which were on the main LAN... without passing through the RT2600ac's firewall.

I would consider laying a second Ethernet cable from your RT6600ax to your unmanaged switch. Then connect this new cable to an Access port that is assigned to the main LAN.
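To make the tagging explanation above concrete, here is an added example that is not code from the thread or from Synology: a Python model of the 802.1Q tag itself (a 4-byte TPID/TCI field inserted after the source MAC, with the 12-bit VLAN ID in the TCI) and of the forwarding decision a managed switch makes versus what an unmanaged one does with the same frame. The port layout, MAC addresses and VLAN memberships are constructed; VLAN IDs 1 (default), 101 (IOT) and 1733 (Synology guest) are the values mentioned later in the thread. The sample frame is a broadcast from a guest-WiFi client arriving tagged on the trunk from the mesh AP, which is the case fredbert tested.

```python
"""Constructed model of 802.1Q tagging and of how a managed versus an
unmanaged switch forwards tagged frames. MACs, port layout and VLAN
membership are made up for illustration."""
import struct

ETH_P_8021Q = 0x8100  # TPID that announces an 802.1Q tag
ETH_P_IP = 0x0800


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, vid=None, ethertype=ETH_P_IP):
    """Ethernet II frame, with a 4-byte 802.1Q tag inserted when vid is given."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        tci = vid & 0x0FFF  # PCP=0, DEI=0, 12-bit VLAN ID
        hdr += struct.pack("!HH", ETH_P_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (VLAN ID or None if untagged, inner EtherType)."""
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return None, ethertype
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner


# Constructed managed switch: ports 1-2 are trunks (uplink to the RT6600ax and
# link to the MR2200ac), ports 3-4 are access ports on the main LAN (VID 1).
MANAGED_PORTS = {
    1: {"mode": "trunk", "pvid": 1, "vlans": {1, 101, 1733}},
    2: {"mode": "trunk", "pvid": 1, "vlans": {1, 101, 1733}},
    3: {"mode": "access", "pvid": 1, "vlans": {1}},
    4: {"mode": "access", "pvid": 1, "vlans": {1}},
}


def classify(port, frame):
    """VLAN a managed switch assigns to an ingress frame: untagged frames take
    the port's PVID; a tagged frame on an access port is dropped (None),
    which is the usual behaviour assumed here."""
    vid, _ = parse_frame(frame)
    if vid is None:
        return port["pvid"]
    return None if port["mode"] == "access" else vid


def managed_forward(ports, in_port, frame):
    """Egress ports for a broadcast frame, mapped to the tag it leaves with
    (None = untagged). Only members of the frame's VLAN receive it."""
    vid = classify(ports[in_port], frame)
    if vid is None:
        return {}
    out = {}
    for num, port in ports.items():
        if num == in_port or vid not in port["vlans"]:
            continue
        tagged = port["mode"] == "trunk" and vid != port["pvid"]
        out[num] = vid if tagged else None
    return out


def unmanaged_forward(num_ports, in_port, frame):
    """An unmanaged switch has no VLAN table: it floods a broadcast, tag and
    all, to every other port, so a tagged guest frame reaches main-LAN hosts."""
    vid, _ = parse_frame(frame)
    return {n: vid for n in range(1, num_ports + 1) if n != in_port}


# Constructed samples: a broadcast from a guest-WiFi client that the mesh AP
# tags with the guest VID 1733 onto the backhaul (port 2), and an untagged
# broadcast from the NAS on access port 3.
GUEST_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:0b", b"who-has", vid=1733)
NAS_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:0d", b"who-has")

if __name__ == "__main__":
    print("managed  :", managed_forward(MANAGED_PORTS, 2, GUEST_FRAME))
    print("unmanaged:", unmanaged_forward(4, 2, GUEST_FRAME))
    print("nas frame:", managed_forward(MANAGED_PORTS, 3, NAS_FRAME))
```

With the managed port table the guest broadcast only leaves on the other trunk (still tagged 1733) and never reaches the access ports, whereas the unmanaged model delivers the same frame, tag intact, to every port including the main-LAN hosts. Whether a host then processes a frame that still carries a foreign tag depends on its NIC and driver, which is why the observed result in the thread was that guest devices could reach main-LAN devices on the switch without the router's firewall ever seeing the traffic.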
 
What would the advantage to this be?
To make the unmanaged switch connect to an Access port for the main/primary LAN on the RT6600ax, rather than a Trunk port on the MR2200ac.

I posted the VLAN setup on my TL-SG108E that ensures a switch can be correctly connected to a mesh AP router's LAN port. I think you posted on that thread too.

I was wrong about the default VLAN ID, it is 1 not 0. The default Synology guest VLAN has ID 1733. The others can have whatever ID you like: I use 101 for my IOT LAN, as in room 101 :)
 
> To make the unmanaged switch connect to an Access port for the main/primary LAN on the RT6600ax, rather than a Trunk port on the MR2200ac.

Using VLANs is new to me with this router; my previous routers did not support them.
So what is the advantage to connecting to the access port for the primary network over a trunk port?

(I've read several articles about VLANs, and watched some videos as well. They are mostly targeted at IT people who understand them better.)

I actually have 2 CAT6E lines between the RT6600 and the location where the MR2600 & unmanaged switch are.
Prior to setting up the 6600 & 2600, I used 1 line to go directly to the NAS, the other line went to the switch - which feeds my work laptop & my Mac Mini.

I'll draw the current network diagram and post it later, to further discuss the Access port topic.
 
