Epson Printer

[ellison64]

Ive been trying to get my wireless epson printer to work with my laptop and router ,and looknstop.It seemed the UDP:any other udp packet rule was blocking it .Anyhow ive clicked "make rule " on a few of the blocked logs to try and get the printer to work.Its working now but im not sure if allowing the UDP is safe? and also where to place the rules.They are currently at the top (the first 4 udp rules).Ive also added the epson core process module application (see log pic).Can anyone comment whether these rules are ok ,and if not what rules to use?.I am useless at rulemaking ,and other firewalls ive tried just seem to let my printer work ,whereas this one doesnt ?? .
ellison

[ktango]

Hi ellison64,

Please try to create a rule as follows.

[ellison64]

Hi Katango...
Ive deleted the UDP rules i made and just put yours in at the top of the rules ,however the printer wont work and Im getting communication error see pics of printer error and logs.

[ellison64]

Well I seem to have narrowed it down to allowing two udp rules allow udp port 161 and udp port 3289.I can get it to work any other way.

[act8192]

Disclaimer - I don't know your printer. I don't know LnS
According to
http://www.iana.org/assignments/port-numbers
enpc 3289/tcp ENPC
enpc 3289/udp ENPC
# SEIKO EPSON <Ishida.Hitoshi&exc.epson.co.jp>

snmp 161/tcp SNMP
snmp 161/udp SNMP

For starters, I'd make a rule to allow broadcast on the LAN to remote port 3289 as that's what it seems to want and can't find. I'd add TCP rule for 3289 connection. And in the four rules you made from the log, I'd add on each some way to make it stay home, on the LAN. Either enter printer's IP on the right side of the rules or your private network range of IPs. Not sure if you really need those UpNP or SSDP port 1900. 161 is how the printer is likely trying to send messages. Might not be needed either. But if it is, also restrict it home.

I think you can have these rules up top over the standard rules. That's where I put my printer stuff just yesterday and it seems ok.

When I right click a log entry and use LOOK, I get a better picture of direction and exact IPs to enter. Just learning here. This is a difficult firewall for me!

[ellison64]

Good find
Now all I have to do is try your other suggestions ,which Im finding difficult.Ive made some screenshots of addresses for my lan and printer etc i think i need to enter in the rules though im not sure exactly where to enter them ?.

[act8192]

Don't forget - I'm in learning mode.
Also I'm on XP where local ports range is different.

There seem to be two ways to skin this cat and I haven't come to grips with it yet.
(1) In the application rules, double click on the epson application and under the UDP ports enter 161 and 3289, and for IP under UDP enter your printer IP which is, based on your screen shots, 192.168.0.7 then comma or semicolon and add on the same line broadcast address 255.255.255.255. I think that app restrictions mean outbound connection, but LnS will allow up and down packets. My screen shot is for printer 192.168.54.56, port 8611


(2) Instead of (1), you already have rules for 161 and 3289 by UDP. So I think you know how to add. On the Internet rules is an add button(**), and also Application restriction button. So all you have to do is fill in the rest. My screen shot is for printer 192.168.54.56, port 8611 and just for spool server which uses the printer driver. Also fill in your application ports where my XP range is 1029-5000, I could've had 1024-5000 since it's a LAN printer.


Just edit both your rules and where my printer IP and port are, enter your 192.168.0.7 and 161 in one rule. Duplicate the rule, and enter 3289 for the second rule.
(**)edited: I forgot to mention - an easier way than Add is to make a rule from the log entry. Right click a rule, pick client, not server, option for the printer and when LnS adds a rule for you, just fill in few things. That's what I did.(end of edit)

I'm not sure about the left side IP. There's an equal@ which might mean my computer IP which clearly is the source, but I don't understand the meaning of it, and the printer prints just fine without it. Also I'm not entering MAC addresses (ethernet text box), not sure if I should or not and why.

Hope this helps in the mechanics. But as I said, I'm learning and watching the logs like you just did, because is very rough sledding for me.

[Stem]

Hello ellison64,

Quote:

Originally Posted by ellison64

i think i need to enter in the rules though im not sure exactly where to enter them ?.

Which part is causing problems? If it is a specific area, please state. Or is it a general problem of understanding the rules creation process?

I will post info once I know what you need.

- Stem

[ellison64]

Thanks for the help guys..
@act8192
Ive copied your second alternative ,and put my ip address as suggested.It seems to work fine.I don't know what the application ports range is or how to find out?,so i ive left that for now.
@stem
Basically i have a general problem understanding the rule making ,and where to put the information that i have from the logs into the rule.I wasn't sure whether to chose "equals" or "equals my @" or "in range" etc.I don't understand any of it really.I just wanted to allow those two udp ports so that my printer works ,but as act8192 suggested ,tighten them up a bit .I now have this rule..screenshot (the second changed to reflect 3289)
thanks
ellison

[Stem]

Hi ellison,

Quote:

Originally Posted by ellison64

Basically i have a general problem understanding the rule making

OK, I will put together a basic guide, but it will be tomorrow before I can find time.

Quote:

....wasn't sure whether to chose "equals" or "equals my @" or "in range" etc.

Some of it is a little unclear, certainly when you come to such as "Local in" / "Local out", as I think they are mixed about.
I do have a tendency to add as much info into a rule as I can, although it could be said it is not always needed.

As for your rule, I would at least add:- "Equals my @" (equals my address) to the local MAC/IP and "Local in" for the port range (check that it adds the correct range: for Xp it is 1025-5000, for vista/win7 it should be 49152–65535). I would also add the printer MAC address to the destination.



- Stem

[ellison64]

hi Stem..
Thanks for the recommendations in the rule.Ill try that later.Don't go to too much trouble making that guide.....its the weekend you know .....though I'm sure that there's loads of folks here that would appreciate and benefit from it
ellison

[act8192]

Quote:

Originally Posted by ellison64

hi Stem..Don't go to too much trouble making that guide.....its the weekend you know .....though I'm sure that there's loads of folks here that would appreciate and benefit from it
ellison

I second that. Much needed, PLEASE, Stem, do it. And thank you for being here and answering ellison's questions. Very helpful to me as well.

And if I may, could you also add few answers, all likely related to ellison's setup
> When to use Application and when Internet rules, or both? In post#7 I wrote that these might be alternatives. Are they? What's the best to do, when, and why?
> In the packet rules, is it ok to enter just the MAC address of the printer and skip IP in case router issues a different IP if, perhaps, powerup sequence of devices changes.
> In Kerio, I always included broadcasts to 255.255.255.255 and 192.168.54.255 (I allow NetBIOS on the LAN). Seems like it's not needed here (and might not be in Kerio). Packets are blocked but printer prints fine and issues information about low ink or paper status. Comments?

[ellison64]

Well thanks to stem and act8192 here,s my two rules.I had to mess for ages with the 3289 one by adding the 255 thing which was showing in the logs, but it seems to work now.If i put the printer mac in the 3289 rule it gives a communication error for some reason so Ive left it as "all"

[act8192]

Can you make a separate rule for broadcast?
Because broadcast is to all on this side of the router. Ergo no specific MAC. See your 1st pic in post6.
I think the rule still should have that destination 3289 port included, so that only printer would answer. 'cause when I had a b'cast rule in Kerio it worked like that. Hope Stem helps here
I think that might eliminate the error, and then you could put printer MAC back into that rule. Just a wild guess of course.

[ellison64]

Quote:

Originally Posted by act8192

Can you make a separate rule for broadcast?
Because broadcast is to all on this side of the router. Ergo no specific MAC. See your 1st pic in post6.
I think the rule still should have that destination 3289 port included, so that only printer would answer. 'cause when I had a b'cast rule in Kerio it worked like that. Hope Stem helps here
I think that might eliminate the error, and then you could put printer MAC back into that rule. Just a wild guess of course.

Ive tried to make a rule based on the 1st pic in post 6 but to no avail,Whether i ve set the rule up correctly i dont know ,but it doesnt work and i get communication error.

[act8192]

I'd put FF:FF:FF:FF:FF:FF on the right side, as that's what broadcasts send it to = all
See your Packet content window in post#6 first picture.

[Stem]

Quote:

Originally Posted by ellison64

Ive tried to make a rule based on the 1st pic in post 6 but to no avail,Whether i ve set the rule up correctly i dont know ,but it doesnt work and i get communication error.

Hi ellison,

The address 255.255.255.255 is a broadcast, not to any specific IP, so it would be the broadcast MAC address used, as act8192 states:- Destination MAC: FF.FF.FF.FF.FF.FF. or, you can just leave it blank/all.

- Stem

[ellison64]

Ok after much headache ive got these three rules.
1. broadcast
2.port 161 ,which i had to alter.It was originally 192.168.0.7 on the right hand side but that seems to have changed to 192.168.0.6 this morning?.Ive now put in an ip range (i think?) 192.168.0.0 >192.168.07.
3.Ive done the same as above for port 3289 in case the ip changes.
Printers working.I hope these rules are ok,as im not finding it simple.I alter or add one thing and something else changes

[Stem]

Quote:

Originally Posted by ellison64

I alter or add one thing and something else changes

In what way?



- Stem

[act8192]

Re: IP change from .7 to .6
I think it's related to what I asked in the second ">" in post 12.
IP range should work, but I still wonder if MAC would be sufficient.

[Stem]

Quote:

Originally Posted by act8192

IP range should work, but I still wonder if MAC would be sufficient.

For a node within an home LAN, not really a problem. You can (if wanted) just enter the MAC address and leave the IP as all.


- Stem

[Stem]

Hi ellison,

Quote:

Originally Posted by ellison64

Don't go to too much trouble making that guide.....its the weekend you know

I was just about to start making a basic guide, then remembered I had some questions myself about L`n`S. So am now running some tests on the firewall to answer those questions before I make the guide.

- Stem

[ellison64]

Quote:

Originally Posted by Stem

In what way?



- Stem

Well i think everything is ok and then the ip changes from .07 to .06.As i mentioned im used to just using firewalls(avast and outpost) that say allow and that's the last i hear from it.

[ellison64]

Quote:

Originally Posted by act8192

Re: IP change from .7 to .6
I think it's related to what I asked in the second ">" in post 12.
IP range should work, but I still wonder if MAC would be sufficient.

I don't know.Ive spent far too long trying to allow my printer to work,and it works with those rules so im not gonna alter them anymore unless those rules are totally rubbish (which they could well be because im sorta feeling in the dark) .I really think it should be some sort of preset as in other firewalls.I do like the speed and "simplicity" of looknstop ,but for joe bloggs running this ,he wouldn't stand a chance im afraid.Looknstop is not an easy firewall for the masses.Its for the knowledgeable (imo).I do look forward to a simple guide though
ellison

[ellison64]

Ive recently put in phantoms rule set ,and added my epson printer rules at the top ,but now it just wont work ,and im getting communication error again grrrrr.Can anyone check my three rules and see where im going wrong?.There doesn't appear to be anything showing as blocked in logs.