How to AirPrint from iPhone to a USB Printer on Windows Across Subnets

Using a USB laser printer that just works¹, I want to print Chrome web pages and other documents from my iPhone on one subnet to a shared Windows printer on a different, more secure subnet.

I’m using a simple laser printer bought in 2022 but manufactured in 2015 for some reason. It uses a Microsoft print driver and just works—no need for a Wi-Fi printer, Wi-Fi print server, or an Apple AirPort add-on.

This guide is a reminder of what I did to get AirPrint on Windows working in 2022.

Requirements

1. USB-wired printer
2. Windows 10+ machine
3. AirPrint third-party service
4. Windows registry tweak
5. pfSense router
6. Avahi daemon
7. avahi-utils utility (optional)
8. An iPhone

Instructions

This is a guide for myself because it took too much trial and error to get it right, and I’m in danger of forgetting what finally worked.

1. Install Avahi in pfSense

Open up pfSense and head to System > Package Manager. Install Avahi. This allows mDNS/Bonjour broadcasts to 224.0.0.0:5353 and ff02::fb to be repeated across all participating subnets—normally not allowed by the 2003 Bonjour protocol spec. This sidesteps that limitation nicely:

2. Share the Windows USB Printer

Press the Windows key and type “printers.” Click on “Printers & Scanners.” Select your USB printer. Enable sharing like so:

3. Install Bonjour from Apple

I won’t install iTunes on my Windows machine. Since that heavy, system-altering software isn’t installed, we need Apple’s Bonjour “zero-config” mDNS broadcast service on the Windows machine with the USB printer. This service announces the printer to all subnets.

Google “apple bonjour windows” and install Bonjour Print Services for Windows. It was last updated in 2010—so let’s hope it still works for a while. Download it like so:

Install it. Defaults are fine, as far as I remember.

4. Install a 3rd-Party, Port 631 IPP AirPrint Service Daemon

I Googled around, and most people seem to recommend free software from Elpamsoft. I gave it a try—and it (mostly) works great. The Elpamsoft homepage no longer hosts a download link, but you can search around for a mirror. I imagine there’s some trademark issue around AirPrint, or maybe one of the paid AirPrint driver vendors bought the IP. Who knows? This is a free and effective AirPrint driver. Just make sure you don’t get roped into a monthly AirPrint software subscription that includes ink discounts!

Verify the security details match what you expect—this software was released in 2010 and should not have changed.

Install using Windows User Authentication. This is the only option that works reliably. The Bonjour driver and this utility are from 2010, and who knows if there’s an exploit under Guest or with a blank password. (Well, I do.)

For what it’s worth, there isn’t much in Exploit DB for Elpamsoft, AirPrint, or Bonjour—so rest a little easier:

5. Registry Tweak for Windows 10+

I was stuck after completing all the steps on this page—until I applied this registry tweak. A lot of older guides predate the need for this, so without it, tools like nmap, dig, dns-sd, avahi-browse, Wireshark, and even pfSense’s packet capture won’t help. I originally found this tweak buried in a ZIP file from some sketchy filelocker I can’t recall, but here it is in plain text for the 64-bit version of Windows. (If you’re running 32-bit Windows, press Alt+F4 now—and thank you for reading.)

Here’s the plain text of the registry file. Save it with a .reg extension (e.g., airprint.reg), then double-click to merge it into your Windows Registry:

6. pfSense Firewall Rules

I’ve added Floating rules because they supersede any LAN or VLAN rules, as well as default Deny rules such as “Deny IPv6.” It turns out that link-local addresses need IPv6 enabled, and Bonjour uses IPv6. I have experimented with IPv6 completely disabled and blocked: AirPrint will work, but it takes ages for the IPv6 packets to time out and fall back to IPv4 to find the printer.

I still have IPv6 disabled globally but allow IPv6 on UDP port 5353. Here are the rules:

We might as well set the IPP/AirPrint rule while we’re here. I have an alias called Trusted_wireless that includes the IPs of devices I allow to access the printer. As for the source of packets to Bonjour on port 5353, this can be restricted or set to any. Too many devices make Bonjour or mDNS broadcasts, so we can go with the flow.

7. Enable Avahi’s Multi-Interface Bonjour Rebroadcast

This is straightforward. Head to pfSense’s Services > Avahi and select the interfaces to “bridge”—the ones connecting to the iPhone and the Windows machine. In step 4 below, you can leave the field blank to rebroadcast (or reflect) all services. But using dig, I’ve found that _ipp._tcp.local is the service name for IPP (IP Printing) or AirPrint.

8. Verify AirPrint Works

From a Linux box on one of the two above interface subnets, run avahi-browse -a -v -r to see what services are available on the LANs.

Here is a successful nmap scan confirming that the relevant UDP and TCP ports are open:

You can also scan the network from an iPhone using a free app called Discovery to verify the Windows USB printer is discoverable.

And here it is:

Let’s print something.

Conclusion

Bonjour and mDNS do not work across subnets by design—for example, to keep printers isolated to one company department on one subnet. At home, more sophisticated personal networks may have VLANs or multiple LANs so a Wi-Fi light bulb, when hacked, is confined to its own restricted network. You might also have a VLAN for guests on Wi-Fi. In my case, I have a LAN for Wi-Fi devices and another for wired devices.

• I need a way to AirPrint from my iPhone on one LAN to another LAN: that is solved with pfSense and Avahi.
• I also need to AirPrint to a non-Wi-Fi, non-Apple device on a Windows machine: that is solved with Bonjour for Windows and an AirPrint driver.
• Finally, I want to secure the printer against unauthorized access: that is solved with Windows User Authentication and firewall rules.