fw for network printer setup


yre...@riseup.net

Mar 1, 2018, 7:20:08 PM
to Qubes Users
Per the network printing docs, it says to:



"Open an AppVM (make sure it’s based on the template where you just
installed the printer, normally all AppVMs are based on the default
template), and test if printing works. If it doesn’t then probably the
AppVM doesn’t have networking access to the printer – in that case
adjust the firewall settings for that AppVM in Qubes Manager."


How exactly do I do this? In 3.2, use the tab for firewall in the VM
manager, hit the + sign and choose? "any" and what IP? Neither the
GW nor the AppVM IP seems to work.

I did install the driver in a cloned template VM but it wouldn't print
from there, and I gave up. I also couldn't get anything to print
from my xubuntu HVM.


awokd

Mar 1, 2018, 8:07:52 PM
to yre...@riseup.net, Qubes Users
On Fri, March 2, 2018 12:20 am, yre...@riseup.net wrote:
> per the network printing docs it says to :
>
>
>
> "Open an AppVM (make sure it’s based on the template where you just
> installed the printer, normally all AppVMs are based on the default
> template), and test if printing works. If it doesn’t then probably the
> AppVM doesn’t have networking access to the printer – in that case
> adjust the firewall settings for that AppVM in Qubes Manager."

To break it down:
1. Install printer into cloned template, using its network IP
2. Shutdown template
3. Start AppVM based on the cloned template

If your AppVM is on sys-firewall with no custom firewall rules, you
shouldn't have to add the printer's IP anywhere (except possibly within
the AppVM) when you print for the first time.

> I also couldn't get anything to print from my
> xubuntu HVM

Are you sure the printer is on the network and Linux compatible?


Qubed One

Mar 1, 2018, 8:13:52 PM
to yre...@riseup.net, Qubes Users
yre...@riseup.net:
You're halfway there.

It wouldn't print from the template because the templates don't normally
have network access. See here:

https://www.qubes-os.org/doc/software-update-vm/

Network printing can be done multiple ways, so it depends on your setup.
For example, if you only want to print from a certain appvm, you would
choose "Deny all except...", then add a firewall rule in the firewall
tab to allow access to the IP of your printer. Assigning a static IP to
the printer will make things much easier (which would be done on the
printer itself if you're not sure).

Alternatively, if you're trying to both print from a certain appvm and
access the internet from that same appvm, you would choose "Allow all
except..." and then simply make sure that the appvm in question is not
behind a vpn or tor. No specific firewall rules for the printer would be
needed in this case.

Using a xubuntu HVM might be a little trickier, but if it already has
networking set up, the same concepts would apply.

yre...@riseup.net

Mar 1, 2018, 11:10:07 PM
to aw...@danwin1210.me, Qubes Users
On 2018-03-01 15:07, awokd wrote:
> On Fri, March 2, 2018 12:20 am, yre...@riseup.net wrote:
>> per the network printing docs it says to :
>>
>>
>>
>> "Open an AppVM (make sure it’s based on the template where you just
>> installed the printer, normally all AppVMs are based on the default
>> template), and test if printing works. If it doesn’t then probably the
>> AppVM doesn’t have networking access to the printer – in that case
>> adjust the firewall settings for that AppVM in Qubes Manager."
>
> To break it down:
> 1. Install printer into cloned template, using its network IP
> 2. Shutdown template
> 3. Start AppVM based on the cloned template
I did all this and more, installing the Brother driver in the
Template; however, at the end it asks

---
When you see the message "Will you specify the DeviceURI ?",

For USB Users: Choose N(No)
For Network Users: Choose Y(Yes) and DeviceURI number.
---

So, I chose "yes", then it wanted something like the IPP:// address; I
may have put in the gateway address and got nowhere.
I guess you're saying it doesn't matter if it didn't work in the Template,
but I'm not sure where and which IP address to put in the AppVM.


>
> If your AppVM is on sys-firewall with no custom firewall rules, you
> shouldn't have to add the printer's IP anywhere (except possibly within
> the AppVM) when you print for the first time.
>
>> I also couldn't get anything to print from my
>> xubuntu HVM
>
> Are you sure the printer is on the network and Linux compatible?

Yes, it prints on my other Linux Mint machine with the .deb package, though I used the .rpm package in the Template.


And for the IP address of the printer in the AppVM, use the gateway of
the AppVM?

In system-config-printer there are various options in settings ->
device URI: usb://dev/usblp0 is filled in, and in printer state it
says "waiting for printer to become available".

Perhaps I DON'T need to tweak the fw settings in the VM Manager, but
how or do I need to input the IP of the printer (I have a DD-WRT router
fwiw, if I'm supposed to assign a static IP somehow, and if that is not
going to mess up the other computers using the network printer)?

As a final option, I don't use sys-usb qubes, so maybe I could connect
the USB cable and try it that way instead ... sigh

yre...@riseup.net

Mar 1, 2018, 11:16:02 PM
to aw...@danwin1210.me, Qubes Users
Sorry, yes, so if I do system-config-printer -> settings -> device URI
then click "change" -> find network printer, and I input the gateway
for the AppVM and it doesn't find the printer, perhaps the printer has
a different IP?

awokd

Mar 1, 2018, 11:17:30 PM
to yre...@riseup.net, aw...@danwin1210.me, Qubes Users
On Fri, March 2, 2018 4:10 am, yre...@riseup.net wrote:

> When you see the message "Will you specify the DeviceURI ?",
>
>
> For USB Users: Choose N(No)
> For Network Users: Choose Y(Yes) and DeviceURI number.
> ---
>
>
> So, I chose "yes" then it wanted something like the IPP:// address ;

You have to put your printer's IP address in here.

> I
> may have put in the gateway address and got nowhere I guess your saying it
> doesn't matter if it didn't work in the Template ,

Right, doesn't matter it doesn't work, but put in the right IP address.


> And for the IP address of the printer in the AppVM use the gateway of
> the AppVM ?
>
> in system-config-printer there are various options in settings-> device
> URI: usb://dev/usblp0 is filled in , and in printer state it
> say "waiting for printer to become available"

Change this to IPP:// and your printer's address.


> perhaps I DONT need to tweak the fw settings in the VM Manager, but how
> or do I need to input the IP of the printer (I have a DDWRT router fwiw,
> if I'm supposed to assign a static IP somehow, and if that is not going to
> mess up the other computers using the network printer)

Check what IP address they are printing to.

yre...@riseup.net

Mar 2, 2018, 3:51:00 PM
to aw...@danwin1210.me, Qubes Users, qube...@riseup.net
On 2018-03-01 18:47, awokd wrote:
> On Fri, March 2, 2018 4:20 am, yre...@riseup.net wrote:
>> thanks for responding , as you can see the common theme, is I've no clue,
>> how to find my printer IP , and apparently it may change if it's not
>> static?
>
> Look in system-config-printer on one of your working systems. Yes, it
> might change if it's not static. How did you set up the other system?
>
>> I had been told that the gateway address Was the printer IP , but I've
>> really no idea
>
> That's usually incorrect, unless the printer is connected directly to your
> router by USB.

The working Linux Mint system says:
dnssd://Brother%20HL-L2360D%20series._ipp._tcp.local/

I pasted that into the AppVM as root with system-printer-config ->
settings -> change -> IPP (ipp)
and IPP (ipps) with no luck.

I did notice when I launched system-printer-config in terminal I see:
Error creating proxy: The connection is closed (g-io-error-quark, 18)

Doing a web search on it, but not hopeful.


1) Does it matter if system-printer-config runs as root or user in AppVM?

2) Will re-running the driver setup/CUPS etc. tarball package conflict
with what I already did in the fedora-26-cloneprinter Template VM?

3) I'm afraid static IPs are going to be a nonstarter for a chronic
newb like myself: https://dd-wrt.com/phpBB2/viewtopic.php?t=263998


4) So much for the "Qubes printing is so easy" posts I've seen... even
without a sys-usb :P
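
An added example, not written by anyone in this thread: a small Python check that takes a CUPS device URI and derives the one destination a "Deny all except..." firewall rule would have to allow, rejecting the URI kinds that came up above (usb://, dnssd://, and the AppVM gateway used as the printer address). The addresses 192.168.1.50 and 10.137.2.1 are constructed sample values, and the ports are the usual defaults for the ipp, ipps, socket and lpd backends.

```python
from urllib.parse import urlsplit

# Usual default TCP ports of the CUPS network backends.
DEFAULT_PORTS = {"ipp": 631, "ipps": 631, "socket": 9100, "lpd": 515}


def printer_allow_rule(device_uri, vm_gateway=None):
    """Return the (dst_host, proto, dst_port) a deny-by-default AppVM must
    allow for this device URI; raise ValueError if none can be derived."""
    parts = urlsplit(device_uri.strip())
    scheme = parts.scheme.lower()
    if scheme == "usb":
        raise ValueError("usb:// is a locally attached device, not a network printer")
    if scheme == "dnssd":
        # A discovered service name: it carries no address to put in a rule.
        raise ValueError("dnssd:// names a discovered service; use the printer's IP")
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported backend: %r" % scheme)
    host = parts.hostname
    if not host:
        raise ValueError("device URI has no host part")
    if vm_gateway is not None and host == vm_gateway:
        raise ValueError("host is the AppVM gateway, not the printer")
    return host, "tcp", parts.port or DEFAULT_PORTS[scheme]


# Constructed samples; the usb:// and dnssd:// URIs are the ones quoted
# in the thread, the IP addresses are made up for illustration.
SAMPLES = [
    "IPP://192.168.1.50",
    "socket://192.168.1.50:9100",
    "usb://dev/usblp0",
    "dnssd://Brother%20HL-L2360D%20series._ipp._tcp.local/",
    "ipp://10.137.2.1/ipp/print",
]


def check_all(uris, vm_gateway):
    """Map each URI to its allow rule, or to the reason there is none."""
    results = {}
    for uri in uris:
        try:
            results[uri] = printer_allow_rule(uri, vm_gateway)
        except ValueError as exc:
            results[uri] = str(exc)
    return results


if __name__ == "__main__":
    for uri, result in check_all(SAMPLES, "10.137.2.1").items():
        print(uri, "->", result)
```
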



Yuraeitha

Mar 5, 2018, 12:52:29 PM
to qubes-users

1) As memory serves, no root required. If it doesn't in a legitimate situation ask for root access, don't use it.

2) It might be better to just make a new template, this way you cut away clutter and you're sure you don't introduce new issues. As an alternative, you can make CUPS active in your AppVM instead of your Template, by editing this file /rw/config/rc.local which even has an example inside it for CUPS, all you need to do is remove the three # marks. But keep in mind that this will introduce additional exploit/attack surfaces to your AppVM, since CUPS management will stay permanent between AppVM reboots. But in contrast it will allow you easier management to printer changes, which may be important if you make frequent printer adjustments or use it as a remote printer server which requires server changes on the CUPS server. If you just need to install a printer rarely, then it might be better to keep CUPS in the template, and put the driver/IP-address in the template, so that the AppVM can find it.

3) Try to see if your printer has a Network or System feature that allows you to print out a page with your printer's status and information. Many modern printers, and many printers that are a few years old too, have this feature today. It might tell you various good things, like for example a name such as a DNS name you can use, which stays the same even if the IP changes dynamically.

4) Are you on Qubes 4? That might be why it's a bit more tricky now, since the template has no network access to verify if it works or not, while Qubes 3.2. templates had network access.

Another work-around, which is by no means an official approach, is to disable your network's internet access and isolate or remove any other systems on your network (so only your printer, computer and maybe your router without an internet cable in it, is networked), and then "temporarily" give your template network access in your VM settings. Once the printer works, you can remove the internet access to the template again, and re-apply your network again. Be mindful this isn't a perfect solution though, but it might be a last solution to consider if everything else fails.

As for another mention, some USB devices do not work in dom0 when it comes to qvm-usb and qvm-block (typically advanced devices like printers/yubi-keys, but not keyboards/mouse/some-usb-hdd's), semi because of design, and semi because of a bug. A bug which will likely not get fixed since we're trying to move away from dom0 USB uses in Qubes 4 onwards. It causes issues on some hardware though; I'm in a similar boat to you here, as I have to keep the USB controller in dom0 to have a working system, as too much other essential hardware is internally bound to the USB controller.

Yuraeitha

Mar 5, 2018, 12:58:47 PM
to qubes-users

Also, as far as I know, Qubes firewall only acts as a NAT, which means it blocks incoming network, but not outbound network. So if you initiate the connection to the printer, it should then allow a full connection for the printer to reach back to the AppVM. Last time I did a printer VM, I didn't need anything fancy here, it just worked by putting in the printer's IP (or its DNS network name address). So I don't think you need to mess with firewall networking, I'm almost sure you only need the address, which the printer should be able to print out for you in its settings menu.

Unman

Mar 5, 2018, 1:26:00 PM
to Yuraeitha, qubes-users
In his original post OP referred to 3.2.
If I'm not mistaken, CUPS is already active in default templates.
You can check this with 'qvm-service <qube> -e cups'

The issue seems to be that OP doesn't know the IP address of the printer.
On most Brother systems you can find this from the printer itself by
printing a test page (pressing GO 3 times will often do this). The test
page will show the IP address.
Even if the network uses DHCP the printer is likely to retain the same
address without allocating a static address.




yre...@riseup.net

Mar 5, 2018, 4:39:08 PM
to Qubes Users
Is there any harm in leaving Template fedora-26-clone-printer-only
connected to sys-net directly, not to sys-firewall?

As of now it is working; I just made the Template the default for DVMs
and print documents from the "open in DVM".

I am using Q3.2, yes.


awokd

Mar 5, 2018, 4:48:55 PM
to yre...@riseup.net, Qubes Users
On Mon, March 5, 2018 9:39 pm, yre...@riseup.net wrote:
> is there any harm in leaving Template fedora-26-clone-printer-only
> connected to sys-net directly Not to sys-firewall ?

It's not really good practice. You shouldn't have to do anything special
to change it to sys-firewall, besides maybe shutting it down first.

> as of now it is working , I just made the Template the default for DVMs
> and print documents from the "open in DVM"

Great!


