Unofficial empeg BBS

#363874 - 21/04/2015 20:48 dd-wrt question
jmwking
old hand

Registered: 27/02/2003
Posts: 770
Loc: Washington, DC metro
I know some of you are using dd-wrt. I have a client using a vendor that needs to remotely address a printer in their office. They don't use vpn, so it's an open inbound connection. (Ick!)

Their current device is failing, and I was wondering if dd-wrt could easily handle filtering from several IP subnets and a single tcp port. If anyone could let me know if that's a feasible implementation (especially without getting into linux command line stuff), I'd very much appreciate it!

thanks,

-jk

#363875 - 21/04/2015 21:21 Re: dd-wrt question [Re: jmwking]
K447
old hand

Registered: 29/05/2002
Posts: 798
Loc: near Toronto, Ontario, Canada
How is the remote access being done currently? Direct fixed IP inbound on a specific port number? Dynamic DNS?

Does the router need to understand the inbound protocol?

#363876 - 21/04/2015 21:43 Re: dd-wrt question [Re: jmwking]
jmwking
old hand

Registered: 27/02/2003
Posts: 770
Loc: Washington, DC metro
It's a barely contained security nightmare: My client currently has a static IP. The vendor sends printer traffic to the IP address. All traffic on the printer's tcp port from the vendor's three IP ranges passes on to the NAT'ed printer. Everything else is binned. (I think - I hope - their printer won't accept unacknowledged/spoofed packets. Or at least not enough to do more than hurl a tray of paper.)

At the firewall level, there's no inspection, no proxies - no nothin' but sourced port traffic.

This appalls me enough; I really don't want to open them up to more open inbound traffic. They're locked into the vendor. And I haven't been able to effectively shame their vendor yet. I just want to keep source/port filters in place.

-jk


Edited by jmwking (21/04/2015 21:44)

#363878 - 21/04/2015 22:49 Re: dd-wrt question [Re: jmwking]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
So which end do you want DD-WRT on? Both?

You haven't really told us what you want it to look like. Well I can't quite get it. Currently they port forward from their external IP to the printer?

Do you want DD-WRT at the printer end and users connect to that?

I would recommend a VPN of some description at best, however you could set it up so it *only* allowed port forwarding from specific IPs/ranges to the printer to provide *some* element of security.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

#363879 - 21/04/2015 23:45 Re: dd-wrt question [Re: jmwking]
jmwking
old hand

Registered: 27/02/2003
Posts: 770
Loc: Washington, DC metro
Sorry if I've not been clear. The dd-wrt would go in my client's office to replace an old, failing firewall. I have nothing to do with his vendor's kit (other than vent).

Currently, my client's firewall port-forwards his vendor's three subnets to my client's printer so he can print locally from his online app. My client's vendor doesn't support vpns, and I want to minimize how many people can get to his printer from the interwebs, hence the ip range/port filters. I'm trying to find the best value to manage the traffic, and none of the "home/soho" routers I've found filter on both IP and port; it's either port forward everything or nothing, or go after enterprise level stuff - and he's a very small business not prepared to shell out thousands. (Of course, if someone knows of a nice soho box that does it out of the box I'm all ears! Linksys, Netgear and Buffalo apparently don't, though Buffalo offers a dd-wrt version which got me on this tangent.)

My client's vendor frustrates me no end. And, no, he really can't change.

-jk

#363886 - 22/04/2015 11:26 Re: dd-wrt question [Re: jmwking]
sein
old hand

Registered: 07/01/2005
Posts: 893
Loc: Sector ZZ9pZa
You can do this with a Mikrotik router, the relatively low end RB750 model is still significantly more configurable than any other router I have found. Forward $random_port to $printer_port for certain IP address only type rule is quite straightforward.

It is a shame your vendor does not support Google Cloud Print to avoid this madness. I'm sure there is an API for that.


Edited by sein (22/04/2015 11:33)
Edit Reason: Understood what was happening with a web app
_________________________
Hussein

#363887 - 22/04/2015 20:12 Re: dd-wrt question [Re: jmwking]
jmwking
old hand

Registered: 27/02/2003
Posts: 770
Loc: Washington, DC metro
Thanks!

My client is a hair stylist/salon owner. His vendor is a former stylist/salon owner who is trying to just-make-it-work. "I don't care about that techy stuff!"

Insert favorite "Dumb Blonde" joke... <sigh>

-jk

#363888 - 22/04/2015 20:39 Re: dd-wrt question [Re: jmwking]
mlord
carpal tunnel

Registered: 29/08/2000
Posts: 14484
Loc: Canada
dd-wrt can do anything, including what you want (it is Linux underneath, after all). Dunno if they provided a GUI for this specifically, though. I use Tomato here, and it also can do this with a simple custom script.

#363889 - 22/04/2015 23:30 Re: dd-wrt question [Re: jmwking]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
http://store.netgate.com/APU4.aspx with pfSense will walk it in and provide a reasonably powerful system for the price - $350 or $499 with pfSense pre-installed and ready to go.

Or buy direct from pcengines (will require some DIY building and seem out of stock for a couple of months):
http://www.pcengines.ch/order1.php?c=4

and install pfSense.

The Alix boards would be capable too.

Any DD-WRT capable router will be capable (and cheaper). As mentioned it might just need some scripting.
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

#363895 - 23/04/2015 06:29 Re: dd-wrt question [Re: mlord]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5682
Loc: London, UK
Originally Posted By: mlord
Dunno if they provided a GUI for this specifically, though

The GUI for OpenWRT (at least the version I currently have running -- I must upgrade at some point) only allows inbound filtering by specific-IP and port. In other words, no ranges. Of course, as you say, it's Linux underneath, so no biggy to drop down a level and use vi instead of the GUI.
_________________________
-- roger

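The "simple custom script" mlord mentions, and the drop-to-the-command-line route Roger describes for source ranges the GUI won't take, look roughly like this on a Linux-based router. This is an added example, not code from anyone in this thread nor from the dd-wrt or Tomato projects; it assumes the router uses iptables and names its WAN interface vlan2, and the three subnets, the printer address and the port are constructed placeholders (RFC 5737 documentation ranges) standing in for the vendor's real ones.

```shell
#!/bin/sh
# Added example: a dd-wrt/Tomato-style "firewall" script that forwards one
# TCP port to a LAN printer only from a fixed set of source subnets.
# All values below are constructed placeholders; WAN_IF is an assumption
# that must match the interface name on the actual router.

PRINTER="192.168.1.50"          # constructed: LAN address of the printer
PORT="9100"                     # constructed: the printer's raw-print TCP port
VENDOR_NETS="203.0.113.0/24 198.51.100.0/24 192.0.2.0/24"  # constructed
WAN_IF="${WAN_IF:-vlan2}"       # assumption: WAN interface name on the router

# Emit the iptables commands instead of running them directly, so the rule
# set can be reviewed (or tested) before APPLY=1 installs it on the router.
printer_rules() {
    # Explicit drop for the printer port from any source not listed below.
    # The ACCEPTs are inserted above it afterwards, so only non-vendor
    # traffic ever reaches this rule.
    echo "iptables -I FORWARD -i $WAN_IF -p tcp -d $PRINTER --dport $PORT -j DROP"
    for net in $VENDOR_NETS; do
        # DNAT the vendor's traffic to the printer ...
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $net -p tcp --dport $PORT -j DNAT --to-destination $PRINTER:$PORT"
        # ... and let the rewritten packets through FORWARD, which sees the
        # post-DNAT destination.
        echo "iptables -I FORWARD -i $WAN_IF -s $net -p tcp -d $PRINTER --dport $PORT -j ACCEPT"
    done
}

# Number of rules generated: one DROP plus a DNAT/ACCEPT pair per subnet.
rule_count() {
    printer_rules | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = "1" ]; then
    printer_rules | sh -e      # on the router: actually install the rules
else
    printer_rules              # anywhere else: just show what would be run
fi
```

Pasted into the router's firewall-script slot and run with APPLY=1 it installs the rules; run anywhere else it only prints them for review.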
#363896 - 23/04/2015 09:25 Re: dd-wrt question [Re: jmwking]
jmwking
old hand

Registered: 27/02/2003
Posts: 770
Loc: Washington, DC metro
Thanks, everyone!

-jk
