Nov 12 2008
 

Problem Introduction

I frequently use a workstation that sits behind an Adtran NetVanta 3120.  The NV3120 is a powerful little box.  It provides secure VPN access back to corporate headquarters, but it also provides a 4-port switch, a highly configurable firewall, and generally more bells and whistles than you could ever want.

Recently, I added a Hewlett-Packard Photosmart C7280 to the network.  However, it sits beyond the NV3120’s LAN, so other workstations on the greater LAN can use it, like my Gentoo laptop.

The default printer configuration went great!  I was printing in no time from my workstation behind the NV3120.  However, scanning was another issue.

Apparently, when used in scan mode, the HP C7280 originates traffic on a non-established port, so it becomes blocked or is otherwise lost.  I knew everything else was working fine, because I could bypass the NV3120 and scanning would work great!  But, that was not going to be acceptable for frequent use.

Network Topology

Here is an ASCII representation of the relevant network subsection:

                                            Incoming Line
                                                  |
                                         [ Wireless Router ]
                                            192.168.1.1
                      /                           |                        \
               192.168.1.100                192.168.1.101              192.168.1.102
            [ NetVanta 3120 ]    [ HP C7280 Printer-Scanner-Fax ]    [ Workstation #3 ]
                10.10.0.110                                               Laptop
             /             \
    10.10.0.99           10.10.0.100
[ Workstation #1 ]   [ Workstation #2 ]
  Windows XP Pro           Linux

The critical path is highlighted in red.

Solution

Eventually, I called the Adtran tech support.  I was pleasantly surprised to receive a call back from a support engineer in short order.  He understood my problem very quickly, and he knew immediately what to do!  What follows are my scribbled notes for the steps he prescribed:  (Of course, your policy names and IP numbers may vary.)

  1. Backup NV3120 configuration, in case something goes wrong.  😉
  2. Configure NV3120 to grab static IP, not DHCP-based IP from wireless router:

    Click on:  System -> Public Interface -> IP Settings
    Complete as follows:
    IP:  192.168.1.100
    MASK:  255.255.255.0
    DEF GW:  192.168.1.1

  3. Add UDP relay for NetBios broadcast by HP C7280 printer (192.168.1.101) to be encapsulated and relayed through NV3120 (192.168.1.100) to its LAN (10.10.0.X) and vice-versa:

    Click on:  Data -> UDP Relay -> IP Helper Address
    Add following addresses:

    10.10.0.99 – Public (eth0)
    10.10.0.100 – Public (eth0)
    192.168.1.101 – vlan1
    UDP Forward Protocol:  netbios (port 137)  [Press “Add”]

  4. Allow traffic between 10.10.0.X subdomain and 192.168.1.X subdomain:

    Click on:  Data -> Firewall -> Security Zones -> Edit Security Zones -> Public
    Add Policy to Zone “Public”
    Type:  Allow
    Description:  Allow 192.168.1.X to 10.10.0.X
    Stateless Processing:  OFF
    Destination Security Zone:  <Any Security Zone>
    Source – Specified:  192.168.1.0 / 255.255.255.0
    Destination – Specified:  10.10.0.96 / 255.255.255.240
    Protocol:  any

    Use “arrows” to move new policy right below “VPN Selector” and before everything else.

  5. Allow traffic between 192.168.1.X subdomain and 10.10.0.X subdomain:

    Click on:  Data -> Firewall -> Security Zones -> Edit Security Zones -> Private

    Add Policy to Zone “Private”
    Type:  Allow
    Description:  Allow 10.10.0.X to 192.168.1.X
    Stateless Processing:  OFF
    Destination Security Zone:  <Any Security Zone>
    Source – Specified:  10.10.0.96 / 255.255.255.240
    Destination – Specified:  192.168.1.0 / 255.255.255.0
    Protocol:  any

    Use “arrows” to move new policy right above “NAT list wizard-ics” and below everything else.

  6. Create policy for UDP Relay:

    Click on:  Data -> Firewall -> Security Zones -> Edit Security Zones -> Public
    Add Policy to Zone “Public”
    Type:  Advanced
    Description:  Relay netbios
    Policy Action:  Allow
    Destination Security Zone:  <Self Bound>
    Stateless Processing:  OFF

    – Add New Traffic Selector –
    Type:  Permit
    Protocol:  UDP
    Source:  Any, Any
    Destination:  Any host, Port:  “Well Known” : 137 – netbios-ns

    Use “arrows” to move second from top, below “VPN selector”, but above recent “Allow 192.168.1.X to 10.10.0.X” policy.

  7. Reassign VPN Crypto Map – It occasionally gets lost during the above changes:

    Click on:  Data -> VPN -> VPN Peers -> Advanced VPN Policies -> Assign Crypto Maps to Interfaces:

    Public    VPN
    vlan1     none

  8. Save configuration changes and reboot NV3120 unit.  Backup configuration again, in case something goes wrong in the future.  😉
  9. On wireless router, add a “static route”, so traffic intended for the VPN subdomain (10.10.0.X) that leaves the printer (192.168.1.X) can find its way back to VPN subdomain and not onto global internet:

    On wireless router’s configuration page (not NV3120), click on:  Advanced -> Static Routes -> Add (Or, similar depending on brand and model):

    Name:  NV3120-VPN
    Private:  Off
    Active:  On
    Destination IP:  10.10.0.96
    Gateway IP:  192.168.1.100
    Metric:  2

    Beyond the destination and gateway IPs, the exact settings and menu navigation path will vary depending on router’s brand and model.

Explanation

Admittedly, the solution is a bit complex, but the problem is a bit complex too.  Part of the complication comes from the fact that the printer broadcasts various netbios-ns UDP packets to find computers on its domain.  However, the computer used in this case does not exist on that domain.  It exists on a private, VPN domain.  So, we have to not only configure the firewall to allow traffic, but we must also relay UDP broadcasts between the two domains.
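The scope of the step 4 firewall policy can be checked before relying on it. The following is an added example, not part of the original notes or Adtran's tooling: it evaluates the policy's address/mask pairs against the hosts in the topology diagram and compares it with a hypothetical tighter variant whose source is only the printer (that variant is an assumption made here).

```python
from ipaddress import ip_address, ip_network

# Hosts taken from the topology diagram (names are labels for this example).
OUTER = {"router": "192.168.1.1", "printer": "192.168.1.101", "laptop": "192.168.1.102"}
INNER = {"ws1": "10.10.0.99", "ws2": "10.10.0.100", "nv3120-lan": "10.10.0.110"}

def policy(desc, src, dst):
    # Address/mask strings are written the way the NV3120 form takes them.
    return (desc, ip_network(src), ip_network(dst))

# Step 4 policy as entered (Protocol: any, so only addresses decide).
AS_WRITTEN = [policy("Allow 192.168.1.X to 10.10.0.X",
                     "192.168.1.0/255.255.255.0", "10.10.0.96/255.255.255.240")]

# Hypothetical tightening (an assumption, not from the page): printer as the only source.
PRINTER_ONLY = [policy("Allow printer to 10.10.0.X",
                       "192.168.1.101/255.255.255.255", "10.10.0.96/255.255.255.240")]

def first_match(policies, src, dst):
    """Return the description of the first policy matching src -> dst, else None."""
    for desc, src_net, dst_net in policies:
        if ip_address(src) in src_net and ip_address(dst) in dst_net:
            return desc
    return None

def reachable(policies):
    """For each outer host, list the inner hosts it may open flows to."""
    return {name: sorted(i for i, dst in INNER.items() if first_match(policies, src, dst))
            for name, src in OUTER.items()}

def address_range(net):
    """First address, last address and size of a policy network."""
    return str(net[0]), str(net[-1]), net.num_addresses

if __name__ == "__main__":
    print("destination covers", address_range(AS_WRITTEN[0][2]))
    for label, pols in (("as written", AS_WRITTEN), ("printer only", PRINTER_ONLY)):
        print(label, reachable(pols))
```

As written, the policy lets every address in 192.168.1.0/24 open any protocol toward 10.10.0.96 through 10.10.0.111, which includes the NV3120's own LAN address; the printer-only variant still matches every flow the printer originates.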

Many thanks to the Adtran support engineer, who guided me through the above steps, including configuring the 3rd party router!

Oct 30 2008
 

HOWTO Connect a Linux computer to an HP PhotoSmart C7280 Printer

The HP PhotoSmart C7280 All-In-One printer contains a photo printer, scanner, and fax machine.  It can be set up as a wired Ethernet print server, wireless 802.11g print server, or a local USB printer.  It is very nice, and if you watch the NewEgg specials, you can find one for a very good price every so often.  I have enjoyed using it from my Windows workstation; however, since I have the C7280 connected to my network through its Ethernet port (a wired print server), I would like to be able to use my Linux laptop to also print to it.

Fortunately, most HP printers are well supported in Linux.  So, I had high hopes!

As mentioned in other posts, my current favorite distribution of Linux is Gentoo, so my directions will be for Gentoo; however, you can probably adapt them to your favorite distro.

CUPS

CUPS is the modern Unix/Linux printing interface.  It provides both a server and client for the common printing tasks (lpr, lpq, lpstat, etc.).  Therefore, CUPS must be installed before you can do anything else.

I added a few extra USE flags to my CUPS install, although I don’t think these are necessary in general:

$ echo 'net-print/cups dbus ppds' >> /etc/portage/package.use

Beyond that, installation is simple:

$ emerge cups

Since we are connecting to the C7280 via the network, no configuration changes are required for CUPS.  However, you will have to fire up the CUPS daemon and add it to your start-up services:

$ /etc/init.d/cupsd start
$ rc-update add cupsd default

You can find more info on configuring CUPS to work on Gentoo with other setups here:

http://www.gentoo.org/doc/en/printing-howto.xml

HPLIP

The HP printer drivers are based on a standard HPLIP package, which is used with all modern HP printers, and a PPD file, which is specific to your printer model.  The latest HPLIP package can be installed in Gentoo, like so:

# For AMD64, Intel Core2, and newer x86 64-bit archs
$ echo 'net-print/hplip ~amd64' >>/etc/portage/package.keywords
# Install HPLIP
$ emerge hplip

The latest PPD file for the C7280 should be downloaded from the Linux Printing repository.  Currently, the C7200 model covers the C7280, and its PPD can be downloaded from here:

http://www.openprinting.org/show_printer.cgi?recnum=HP-PhotoSmart_C7200

On a Gentoo box, the PPD file should be saved in a certain location, and only root should have access to it:

mv <path_to_download>/HP-PhotoSmart_C7200-hpijs.ppd /usr/share/ppd/HP/
chown root:root /usr/share/ppd/HP/HP-PhotoSmart_C7200-hpijs.ppd

With that put in place, you are now ready to configure the HPLIP program, like so:

$ hp-setup

The wizard should make everything self-explanatory, except you may have to manually search for the PPD file, if the wizard cannot find it for you.  When I used the wizard, it was able to find the printer automatically and very quickly.  However, I had to locate the PPD file for it.

If everything goes smoothly, you will be done.  All that remains is to restart cups, like so:

$ /etc/init.d/cupsd restart

If things don’t go smoothly, you may have to add the printer manually through the CUPS interface or to the printers.conf file, as I had to do.

Manually Adding the C7280 to CUPS

Unfortunately, the HPLIP setup wizard was not working correctly, and I had to manually add the printer to CUPS.  I used the web interface to CUPS, which can be accessed using a web-browser on the Linux box at:

http://localhost:631

From here, I clicked on “Add Printer”, and manually entered the necessary information.  (You should know the IP address of the C7280 printer on your network.)  Most of it was obvious, except these two bits:  The device connection type was:

AppSocket/HP JetDirect

And, the “Device URI” was:

socket://192.168.0.11:9100

Of course, you will have to change the above IP address to match your needs.  … If you have already configured a Windows box to use the same printer, you can get some clues for the above info in the printer’s properties in Windows.

The CUPS wizard may request a user id and password.  Any requested userid is referring to root and root’s login password.  These are needed near the end of the CUPS wizard, so it can edit the CUPS configuration files for you.

After entering the necessary info, pointing to the downloaded PPD file, and completing the web install, I was printing my first test page in no time!

If you prefer to work on the command line, and you are comfortable with CUPS, here are the modifications to my CUPS’ files:

/etc/cups/printers.conf

# Printer configuration file for CUPS v1.3.8
# Written by cupsd on 2008-10-30 17:37
<DefaultPrinter HP-PhotoSmart-C7280>
Info HP PhotoSmart C7280
Location My Office
DeviceURI socket://192.168.0.11:9100
State Idle
StateTime 1225405864
Accepting Yes
Shared Yes
JobSheets none none
QuotaPeriod 0
PageLimit 0
KLimit 0
OpPolicy default
ErrorPolicy stop-printer
</Printer>

That’s it!

And, for good measure, you should always restart CUPS after monkeying around with its files:

$ /etc/init.d/cupsd restart
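When editing printers.conf by hand, it helps to read back what the stanza actually declares. The following is an added example, not part of the original post or of CUPS: a small parser for the stanza format shown above that reports the device URI and sharing flag. The sample text is a shortened copy of the stanza from this page, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Shortened copy of the stanza shown above, embedded so the example runs offline.
SAMPLE = """\
# Printer configuration file for CUPS v1.3.8
<DefaultPrinter HP-PhotoSmart-C7280>
Info HP PhotoSmart C7280
DeviceURI socket://192.168.0.11:9100
Shared Yes
ErrorPolicy stop-printer
</Printer>
"""

def parse_printers_conf(text):
    """Return {printer name: {directive: value}} for each stanza."""
    printers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        if line.startswith("</"):
            current = None                # end of stanza
        elif line.startswith("<"):
            kind, _, name = line[1:-1].partition(" ")
            current = printers.setdefault(name, {"Default": kind == "DefaultPrinter"})
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value
    return printers

def review(printers):
    """Return (printer, note) pairs for settings worth a second look."""
    notes = []
    for name, conf in printers.items():
        uri = urlsplit(conf.get("DeviceURI", ""))
        if uri.scheme == "socket":
            # AppSocket/JetDirect is a raw TCP stream: no encryption, no authentication.
            notes.append((name, f"raw AppSocket to {uri.hostname}:{uri.port}"))
        if conf.get("Shared", "No").lower() == "yes":
            # Whether other hosts can actually reach the queue depends on cupsd.conf.
            notes.append((name, "marked Shared"))
    return notes

if __name__ == "__main__":
    for name, note in review(parse_printers_conf(SAMPLE)):
        print(f"{name}: {note}")
```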

Conclusion

Well, it took a little longer than I first hoped, but it was not so bad.  Now, I can print, scan, and fax from HP PhotoSmart C7280 using my Gentoo Linux laptop. 🙂
