Topic: 2 networks and 1 photocopier

[compsos]

Hi
2 separate networks sharing a common photocopier.

Has anyone managed to get this type of situation running?

I can get the 3rd NIC going and able to ping the required addresses but not transfer a file.

[sal1504]

compsos

I had the same problem see this post on the contribs forum --- Will SME work for this problem.

Sal

[compsos]

Thanks Sal
Yes I did see that thread but did Arne's concept work? It is not printing that we need to share but scanning output.
Cheers

[sal1504]

compsos

Since the security issue was so important to the law firms, I decided it was a situation that I didn't want to get involved with and passed the problem back to the company that sold them the photo-copier. I did try a couple of the suggestions and ran into problems but never pursued it pass the initial trial setup, Sorry.

[mercyh]

compsos,

There is no doubt it can be done if security between the two networks is not an issue. However, it obviously is an issue or you would have put both entities on the same subnet.

[Mat78]

Hi,
a lot of copier machine can scan to FTP, to SMB and to Email.

You can set the standard scan to SMB for one network and a scan to Email for the second one.

[mercyh]

Mat78,

That is an excellent idea. You could do the second network to scan to an FTP share. (If you can get the copier to jump through SME's FTP hoops.)

With this you do not have to make both networks "talk". You just need to make the copier talk to servers on both networks. Much easier and much more secure.

[sal1504]

compsos

If there is security involved be careful and verify that you are meeting the clients specified security needs. If they are needing to meet Sarsbane-Oxley requirements or HIPAA requirements, ftping and email may not work.

Sal

[compsos]

Thank you for the replies.

They are related but separate companies. I was planning on using 1 of the 2 spare NIC ports (Board has quad NIC interface). Emailing or FTP externally is not an option. As I said earlier, from a client (192.168.1.20) can ping 192.168.11.1 (smeserver), just need to understand where the block is for say FTP to the server and print to the copier. If we FTP scans to the server and chroot the ftp client, would that be satisfy separation?
Cheers

[mercyh]

If we FTP scans to the server and chroot the ftp client, would that be satisfy separation?

You will have to assess your risks. The question I would be asking is "why did I separate these networks in the first place?" and "will my solution to this problem maintain the level of separation I need?"

If I were doing this and could any way mitigate the risk with server based authentication (separate user groups, etc.), I would put the networks together.

[compsos]

Thanks Mercyh

It is not only 2 networks but also 2 IT firms brought together by the clients. So yes it would be easier to handle as 2 domains in one server. If it were not for clients!

Think we might try mounting a share on the other network (192.168.1.0) and the printer configured from the server (192.168.11.0) via the eth2 port.....

[axessit]

(If you can get the copier to jump through SME's FTP hoops.)

Just to add my experience with scanning to smb shares - Konica Minolta and Cannon (and quiet possibly others) will not scan to a windows 2003 server share. I didn't have SME on those sites, so not sure if this works with SME smb (iBay) share or not.

[electroman00]

Probable the least expensive approach would be to use a Daul-Wan router.

Connect each wan port to each network and config the printer on the multi-DMZ.

You would have to put the printer on the dmz of the router which would provide 1:1 NAT and would not conflict
with the NAT on each of the two networks.

Your networks would still be isolated and they could share the printer.

http://trendnet.com/products/proddetail.asp?prod=185_TW100-BRV324&cat=41

I've never tried it, but you should be able to get it to work providing share access to the printer and Network isolation.

Your other option is to use an open-source firewall like pfsense and run that on another PC or embedded system.
Probably very much of an over kill.

The router doesn't know it's on 2 LANs or 2 WAN's, an IP is an IP.
With the 4 port router you could effectively share 4 printers between the networks.

It's a dirty trick of a solution but should work fine.... 99.9% sure it will work.

You could also share a SME server on that router the same way as sharing the printer.
Then have SME serve as a share internal email server.

I see no other cost effective way of providing shared access to the printer and Network isolation.

You could always return the router if it doesn't work, worst case.

Pretty sure it's the best solution that will work.

If you try this...please let us know your results.

HTH

[mercyh]

electroman00,

I think that your idea would work. I had never thought of using that type of router in this manner. This is just a bit over my head but I would assume that you would have to write a 1:1 Nat map rule on the router as you stated above.


compsos,

If you choose to go with this solution and are unfamiliar with firewall rules, you need to read up on 1:1 Nat IP mapping and make sure that any router you purchase supports it (I think that most dual WAN routers would have this capability).

[electroman00]

When you port forward to a DMZ port you are in effect creating a 1:1 NAT (no rule needed).

When you port forward to a the LAN .....within the DHCP IP pool you are in effect creating a 1:~many NAT (thus double NAT issue).

Da...just thinking...

When you port forward to a the LAN outside the DHCP IP pool you need a static IP and you are in effect creating a 1:1 NAT (thus NO double NAT issue).

The more I tkink about this solution the more ideas I come up with, like I said I'm 99.9% sure it will work.

Only problem is, why I didn't think of it sooner, I did/do have some applications currently for it.

I think it's called a brain fart, smells pretty good though.

Right now I don't have any dual-wan routers in stock or I would test it.

I might point out there may be a problem with this, however it depends on the particular router rules.

That is if you PF both wans to a single IP will the be a route between the to wans.

A simple ping from one subnet to the other would test if that connection was made.

I would think the firewall rules would prevent that routing.