I have the problem that when I want to print something from an Android mobile device, I have to re-register the printer every time so that it can be found.
I’m sorry, I don’t know German, so I cannot tell you what’s missing in your rule.
For your printer, I’d go with this route.
Set a static IP address on the printer; documentation of the printer is the best information source on how to do that.
If for any reason you prefer a dynamic IP address configured on the printer, configure a reservation in the DHCP server of your IPFire; it’s called “Fixed leases”. Keep track of the reserved IP address and the MAC address.
Configure a host in Firewall Groups for the IP you fixed-leased for your printer.
Then configure the firewall rule, from the blue segment to that host. As a first try, put it at the top of the firewall rules; if it works, it can be moved lower several times to reduce the number of unnecessary rules processed. Don’t forget to enable the log option, and consider broader access first (allowing ping, for instance), then reduce the openness of the connection (using SNMP, HTTP/S and IPP only as allowed services; you can group services into a service group for easier rule config).
Still not working?
Check the IPFire log; if you’re not finding any trace of the connection (refused or granted), probably the traffic is processed before your “new” rule.
Check the documentation of your printer. Sometimes, as a safety measure, devices do not allow printing from other subnets, but that behaviour might change from model to model, or from one firmware revision to another.
Try to understand what is necessary for that component of Android to work. More services? More ports? MAC address identification?
I don’t want to offend you, but try to remember this. Firewalls are stupid: they do exactly what you configure, not what you wish they would do.
So you being “stupid enough” to follow all the small steps is in my opinion one of the best ways to troubleshoot a not-working situation.
When troubleshooting, a lot of people try changing the rules as the first option, but the biggest step is to read and understand the logs. So “more logs” might be a bit time-consuming at the start; however, filtering is an efficient way to “lower noise”.
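An added example of the log-filtering step recommended above; it is not code from this thread or from IPFire. It parses lines in the iptables LOG format that IPFire writes to /var/log/messages, keeps only the packets that involve the printer, and lists which of those were dropped, which is the list to compare against the rule you believe should allow them. The sample lines are constructed: the printer address 192.168.200.19 is the one from this thread, while the phone and laptop addresses, the MAC values and the LOG prefixes (DROP_FORWARD, DROP_INPUT, FORWARDFW) are assumptions for the demo, so check the prefixes against what your own log actually shows.

```python
import re
from collections import Counter

# Constructed sample in the iptables LOG line shape IPFire writes to
# /var/log/messages. Printer 192.168.200.19 is from the thread; the phone
# (192.168.201.42), laptop (192.168.201.10), MACs and prefixes are assumed.
SAMPLE_LOG = """\
Jan 10 09:12:01 ipfire kernel: DROP_FORWARD IN=blue0 OUT=green0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.201.42 DST=192.168.200.19 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=51234 DPT=631 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 09:12:05 ipfire kernel: DROP_INPUT IN=blue0 OUT= MAC=01:00:5e:00:00:fb:66:77:88:99:aa:bb:08:00 SRC=192.168.201.42 DST=224.0.0.251 LEN=92 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=72
Jan 10 09:13:40 ipfire kernel: FORWARDFW IN=blue0 OUT=green0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.201.42 DST=192.168.200.19 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1002 DF PROTO=TCP SPT=51240 DPT=631 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 09:13:41 ipfire kernel: FORWARDFW IN=blue0 OUT=green0 MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=192.168.201.10 DST=192.168.200.19 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2001 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jan 10 09:13:42 ipfire kernel: FORWARDFW IN=blue0 OUT=red0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.201.42 DST=9.9.9.9 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=1003 DF PROTO=UDP SPT=40000 DPT=53 LEN=44
"""

# The LOG prefix (chain tag), interfaces, addresses and protocol; ports are
# optional because ICMP lines carry TYPE/CODE instead of SPT/DPT.
LOG_RE = re.compile(
    r"kernel: (?P<chain>\S+) IN=(?P<dev_in>\S*) OUT=(?P<dev_out>\S*) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_firewall_log(text):
    """Turn raw log text into one dict per packet line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["spt"] = int(e["spt"]) if e["spt"] else None
        e["dpt"] = int(e["dpt"]) if e["dpt"] else None
        # Assumption for the demo: any prefix beginning with DROP is a dropped packet.
        e["dropped"] = e["chain"].startswith("DROP")
        entries.append(e)
    return entries


def involving_host(entries, host):
    """Lower the noise: keep only packets where the host is source or destination."""
    return [e for e in entries if host in (e["src"], e["dst"])]


def summarize(entries):
    """Count packets per (chain, protocol, destination port)."""
    return Counter((e["chain"], e["proto"], e["dpt"]) for e in entries)


def blocked_flows(entries):
    """Distinct (src, dst, proto, dpt) that were dropped, sorted for reading."""
    return sorted({(e["src"], e["dst"], e["proto"], e["dpt"]) for e in entries if e["dropped"]})


if __name__ == "__main__":
    entries = parse_firewall_log(SAMPLE_LOG)
    printer = involving_host(entries, "192.168.200.19")
    for key, count in summarize(printer).items():
        print(key, count)
    print("dropped:", blocked_flows(entries))
```

On a real box you would feed the function the output of `grep kernel: /var/log/messages` instead of the constructed sample. In the sample, the first IPP attempt at 09:12 hits DROP_FORWARD (no rule yet), the later one at 09:13 is logged by the accept rule, and the one mDNS packet to 224.0.0.251 is dropped on the INPUT side, which is exactly the kind of trace the post above tells you to look for before touching the rules again.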
As you suggested, I created a corresponding host and set up the following firewall rule.
I can ping the printer from a Linux laptop that is also connected to the WLAN (blue network).
I have an Epson WorkForce printer also. I have set it up this way: for strict access I set the IP of my smartphone in Source → Source address. The rest of your rules are the same as mine. Then you take a printing app for Android like Mopria and set up the printing device there. For Epson printers there is a dedicated Epson app in the Play Store. I set up the printer connection there. It does work for me that way without setting up the printer each time.
Yes, I can install my Epson printer from my Linux laptop on the Blue network.
My mobile device also recognizes the printer as “ipp://192.168.200.19:631/ipp/print,” but I can only print once.
In the meantime, I have come to the conclusion that it is due to the Android printer service, which recognizes that the printer is on a different network and does not even search for it.
As @gremlin writes, he uses the Mopria printer app. I installed Mopria on my mobile device and Mopria kept finding the printer. Mopria would be a possible solution.
I also tested some Epson printing apps, but they cannot find the printer at all.
As I’m always a bit suspicious of new apps and prefer to use familiar ones, I would like to stick with the standard Android printer app.
I’ve been considering installing the IPFire add-ons Avahi or mDNS repeater for further testing. But I’m still not sure whether these add-ons compromise the security of the firewall.
A completely different alternative is to activate WiFi Direct on the printer. Then I just have to go within the printer’s range.
So, one solution is to install the mDNS repeater, and it appears to me that /etc/rc.d/init.d/mdns-repeater automatically finds Green and Blue interfaces? That’s it?
Is there any need for a firewall rule to accept mDNS to dest 224.0.0.251:5353 on Blue? The example of a firewall rule (www.ipfire.org - mDNS repeater) is from endpoint to endpoint, not the multicast address. OpenWrt gives an example of a required firewall rule to the multicast address. Even though it’s a WAN in that example, I suspect it’s required in this case too: openwrt DOT org/docs/guide-developer/mdns
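An added example, not code from this thread, from IPFire, or from the mDNS repeater / Avahi projects, showing what actually travels to 224.0.0.251:5353 when a print service looks for a printer. It builds the DNS-SD browse query for `_ipp._tcp.local`, builds and decodes a minimal responder answer (PTR, SRV and TXT records, with DNS name compression as real responders use it), and checks why a plain forwarding rule cannot carry this traffic between Blue and Green: 224.0.0.0/24 is the link-local multicast block that routers never forward, so a repeater or reflector has to re-send the packet on the other interface. The instance name, host name and TXT keys are constructed for the demo; port 631 and the `_ipp._tcp` service type are what an IPP printer advertises.

```python
import ipaddress
import struct

# Added demo of DNS-SD over mDNS (RFC 6762/6763); values below are constructed.
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
TYPE_PTR, TYPE_TXT, TYPE_SRV = 12, 16, 33
CLASS_IN, CACHE_FLUSH = 1, 0x8000


def encode_name(name):
    """DNS wire form of a dotted name: length-prefixed labels, zero terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def encode_instance(instance, service_offset=12):
    """Instance label plus a compression pointer to the service name, which
    build_response() places at offset 12, right after the 12-byte header."""
    raw = instance.encode()
    return bytes([len(raw)]) + raw + struct.pack("!H", 0xC000 | service_offset)


def build_query(service="_ipp._tcp.local"):
    """The browse query a client multicasts: id 0, flags 0, one PTR question."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def build_response(instance, service, host, port, txt):
    """Minimal responder answer: PTR (service -> instance), SRV (host, port),
    TXT; cache-flush bit set on the instance's own records as responders do."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 0)
    inst = encode_instance(instance)
    body = encode_name(service) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(inst)) + inst
    srv = struct.pack("!HHH", 0, 0, port) + encode_name(host)
    body += inst + struct.pack("!HHIH", TYPE_SRV, CLASS_IN | CACHE_FLUSH, 120, len(srv)) + srv
    txt_rdata = b"".join(bytes([len(t)]) + t.encode() for t in txt)
    body += inst + struct.pack("!HHIH", TYPE_TXT, CLASS_IN | CACHE_FLUSH, 4500, len(txt_rdata)) + txt_rdata
    return header + body


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: remember where we were, then jump
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return [(name, type, class, value)] for every resource record."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_PTR:
            value, _ = decode_name(msg, off)
        elif rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack("!HHH", rdata[:6])
            value = (decode_name(msg, off + 6)[0], port)
        elif rtype == TYPE_TXT:
            value, p = [], 0
            while p < len(rdata):  # sequence of length-prefixed strings
                n = rdata[p]
                value.append(rdata[p + 1:p + 1 + n].decode())
                p += 1 + n
        else:
            value = rdata
        records.append((name, rtype, rclass & 0x7FFF, value))
        off += rdlen
    return records


def printers_from_response(msg):
    """Join PTR -> SRV -> TXT into {instance: {host, port, txt}}, which is what
    a print service needs before it can talk to ipp://host:port/."""
    found = {}
    for name, rtype, _cls, value in parse_response(msg):
        if rtype == TYPE_PTR:
            found.setdefault(value, {})
        elif rtype == TYPE_SRV:
            found.setdefault(name, {}).update(host=value[0], port=value[1])
        elif rtype == TYPE_TXT:
            found.setdefault(name, {})["txt"] = dict(kv.split("=", 1) for kv in value if "=" in kv)
    return found


def is_link_local_multicast(ip):
    """224.0.0.0/24 is the local network control block: never forwarded by
    routers, so a query sent on Blue is never seen on Green without a repeater."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network("224.0.0.0/24")
```

What this makes visible for the firewall question: the client only ever sends to the multicast group, never to the printer's address, so a rule "Blue host to printer host" does nothing for discovery; once the printer is known (the ipp:// URL with port 631 that the phone showed earlier in this thread) the print job itself is ordinary unicast IPP and that is what the host-to-host rule covers. Whether the repeater's own interface needs an explicit rule to receive UDP 5353 on Blue is exactly what the firewall log will show, as the troubleshooting post above suggests.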
As I mentioned in my last post, I installed an mDNS service this morning for further testing. I decided to go with Avahi for testing purposes. After installing Avahi and the firewall rule I had already set up, the printer can now be found by my mobile phone and the other mobile phones of the family. So that solves the problem for me.