OK to put wireless printers on trusted "family" VLANs?


Michael Stora
Aug 11, 2023
Should I put my wireless printers on my IoT VLAN with my thermostats, security cameras, and appliances which only communicate through a remote server, put it on a trusted VLAN, or create its own VLAN?

I'm going to want trusted folks (mostly wifi phones and laptops) to print. The upstairs printer will be close to a WiFi6 access point which is trusted only because it is not OpenWRT compatible (yet?). I can do a little LV3 switching for Guest, my personal/homelab, and Work (employer managed laptop) VLANs to print. My downstairs printers are going to be on a Pi running CUPS on trunk with all VLANs except IoT.
 

Gerhen
Nov 29, 2023
Hi Michael,

My printer is old and connected with wire. The wireless is unreliable.

I have mine set up on my main vlan with routing rules in place to let folks on the guest network print if needed.

If I were running wireless I’d probably put it on the guest network. I don’t have people over very often so it makes sense to use guest for mixed use in my case.
 

TonyArrr
Sep 22, 2021
Howdy,

I’d personally pop them on a less trusted VLAN, guest or IoT, where, if they get infected, they can do minimal damage, and maybe set up a print server to be visible to your client devices and forward jobs on to them.

I don’t know of many printers that get frequent (or even infrequent) security updates, aside from when manufacturers want to stop you using third party ink…
And having a print server gives the added bonus of being able to hold jobs ready if the wifi is unreliable, like Gerhen mentions.
 

MrGuvernment
Nov 16, 2020
Print server is overkill and just adds overhead.

I would block internet access for said printer, just manually update firmware once in a blue moon when they release them. Me, I tend to be over the top, so wireless, guest wifi, wired, same lan most people would use it from and if any guest needs it, allow the access to the printer and specific ports and protocols it requires only.
 

sic0048
Dec 24, 2018
A wifi printer will normally have access to the internet by default. Because of this, I would absolutely consider it an IOT device and treat it as such by putting it on my IOT VLAN. I would then allow devices on my "Trusted VLAN" to communicate with the printer's IP address in the IOT VLAN. Keep in mind that this traffic can only be initiated by the trusted VLAN. Should the printer be infected somehow, the fact that it's not on the trusted VLAN should help mitigate the exposure to my trusted devices and other VLANs.

Personally I have two IOT VLANs. One that has internet access and the other one does not. I'd place my network printers on the non-internet access VLAN which would prevent the device from communicating with the internet by default. If you only have one IOT VLAN, then you should take precautions to block the device from communicating with the internet.
 

sic0048
Dec 24, 2018
Hello, I'm hoping that some networking guru can answer a few questions about setting up VLANs in my home environment. I currently have a wired Ubiquiti EdgeRouter and an unmanaged switch, along with a Netgear Orbi wireless router set up as a wireless access point (connected to my unmanaged switch). Right now, it's just one big happy network. However, I would like to split it up via VLANs so that I have a completely separate guest wifi network, and a completely separate IOT network, with none of those devices being able to get to devices outside of their VLAN. My questions:
  • Can I set up the VLANs entirely within a managed switch, or will I need to also configure the router?
  • I see that you can configure the VLANs by switch port (all devices connected to that port are included on that VLAN), or by individual MAC addresses. For the guest wifi, I am thinking that I would need to connect an additional WAP to a port on the switch, and define that port as a VLAN. Is that the best way, or is there a better way to do it?
  • Once I get the VLANs set up, is there a way that a "master" workstation could have access to all devices, whether they are isolated on a VLAN or not?
  • Does each VLAN require its own IP address range or subnet, or can all devices have IP addresses within the same subnet?
  • Does the switch only require one wired connection to the router, or does each VLAN require its own wired connection between the switch and the router?
  • If only one wired connection to the router is required, wouldn't the router resolve connections between different VLANs? In other words, wouldn't the router ruin the isolation between VLANs?
I've tried to find some sort of "VLANs for Dummies" guide out on the internet, but I haven't been able to find anything out there yet that does a good job connecting the dots for a VLAN beginner like me.
1 - you will have to set up VLANs in both the switches and your router. You'll also likely want to set them up in the wireless AP so that specific SSIDs are assigned to specific VLANs. (IE traffic from a "guest" SSID is assigned to the Guest VLAN, while traffic on the IOT wireless network is assigned to the IOT VLAN, etc).

2 - You can control a VLANs access to other VLANs. If you want a single device, or an entire VLAN to be able to access all other VLANs/devices, you can easily set this up using firewall rules.

3 - Yes. Each VLAN requires its own network subnet, along with its own DHCP server (unless you are not using DHCP on that VLAN for some reason - which would be fairly uncommon IMHO).

4 - You only "need" a single network connection from the switch to the router as long as you have configured that port to carry the traffic of all your VLANs. However it is possible to break this down further should you have some reason to.

5 - ALL interVLAN traffic (that's traffic traveling from one VLAN to another VLAN) MUST travel through and be routed by the router. Only traffic that is staying on the same VLAN can be handled at the "switch" level. This is normal. It's also why you want to design your VLANs to limit the amount of interVLAN traffic. For example, you'll want to put your data servers (backups, or media storage, etc) on the same VLAN as the devices that will most often need to access that material. You don't want your media players on one VLAN and your media server on another.

(Please note, my answers assume you are not going to set your switches up with true layer 3 functionality where the switch handles all of the roles/services normally handled by the router. Unless you are an IT professional, most home networks are not set up with switches set up for true layer 3 functionality. Long story short, if you are running a router on your network, your switches are not set up for layer 3 functionality).
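As an added example (not from any poster in this thread), here is the policy sic0048 describes earlier and the "firewall rules on the router" answer above written out as an OpenWrt firewall config, since the OP mentions running OpenWrt: the printer lives in the IoT VLAN, only the trusted VLAN may open connections to it, and the printer alone is denied internet access while the other IoT devices keep theirs. The zone/network names 'trusted', 'iot', 'wan' and the printer address 192.168.30.20 are assumptions.

```uci
# OpenWrt /etc/config/firewall fragment. Zone names are assumed and the
# printer address 192.168.30.20 is a constructed sample value.
config zone
	option name 'trusted'
	list network 'trusted'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# IoT devices may not reach the router or any other zone unless a rule says so.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Both zones may reach the internet by default; the printer is carved out below.
config forwarding
	option src 'trusted'
	option dest 'wan'
config forwarding
	option src 'iot'
	option dest 'wan'

# IoT devices still need DHCP and DNS from the router itself.
config rule
	option name 'IoT-DHCP-DNS'
	option src 'iot'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# Trusted clients may open IPP (631) and raw port 9100 to the printer only.
# Replies are matched by connection state, so the printer never initiates anything.
config rule
	option name 'Trusted-to-printer'
	option src 'trusted'
	option dest 'iot'
	option dest_ip '192.168.30.20'
	option proto 'tcp'
	option dest_port '631 9100'
	option target 'ACCEPT'

# Rules are evaluated before zone forwardings, so this denies the printer
# internet access while the rest of the IoT zone keeps it.
config rule
	option name 'Printer-no-internet'
	option src 'iot'
	option src_ip '192.168.30.20'
	option dest 'wan'
	option target 'REJECT'
```

Clients on the trusted VLAN must add the printer by IP address (or go through a print server or an mDNS reflector), because Bonjour/mDNS discovery does not cross VLANs on its own. Apply with `/etc/init.d/firewall reload`.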