AirPrint to a Windows USB Printer Across Subnets

Using a USB laser printer that just works¹ I’d like to print Chrome web pages and other documents from my iPhone on one subnet to my shared Windows printer on a different, more secure subnet.

I’m using a simple laser printer bought in 2022 but made in 2015 for some reason. It uses a Microsoft print driver, and it just works. No need to get a WiFi printer or a WiFi print server or an AirPort add-on from Apple.

This guide is a reminder of what I did to get AirPrint on Windows working in 2022.

Requirements

1. USB-wired printer
2. Windows 10+ machine
3. AirPrint 3rd-party service
4. Windows registry tweak
5. pfSense router
6. Avahi daemon
7. avahi-utils utility (*optional)
8. An iPhone

Instructions

This is a guide for me because it took too much trial and error to get right and I’m in danger of forgetting what finally worked.

1. Install Avahi in pfSense

Open up pfSense and head to System > Package Manager. Install Avahi. This allows mDNS/Bonjour broadcasts to 224.0.0.0:5353 and ff02::fb to be repeated across all participating subnets which is normally not allowed by the 2003 Bonjour protocol specification. Sidestep that roadblock nicely:

2. Share the Windows USB Printer

Hit the Windows key and type “printers”. Click on “Printers & Scanners”. Select the USB printer. Enable sharing like so:

3. Install Bonjour from Apple

I won’t install iTunes on my Windows machine. Since that heavy, everything-altering software is not installed, we need to install Apple’s Bonjour “zero-config” mDNS broadcast service in the Windows machine that has the USB printer to announce to the subnets that there is a printer. Google “apple bonjour windows” and install the Bonjour Print Services for Windows. It was last updated in 2010 so let’s hope it still works in a year or so as well. Download like so:

Install. Defaults are fine IIRC.

4. Install a 3rd-Party, Port 631 IPP AirPrint Service Daemon

I Googled around and most people seem to like this free software from Elpamsoft, so I gave that a try and it works (mostly) great. The Elpamsoft homepage does not have a download link anymore, but you can search around for some mirror. I imagine there is some trademark issue on AirPrint, or one of the paid AirPrint drivers bought their IP. Who knows? This is a free and effective AirPrint driver; certainly do not get roped into a monthly AirPrint software subscription that includes ink discounts!

Confirm the security details match these as this piece of software was also released in 2010 and should not have changed.

Install with Windows User Authentication. This is the only option that works. The Bonjour driver and this software are from 2010 and who knows if there is an exploit under Guest or with a blank password. Well, I do.

FYI, there isn’t much on the Exploit DB for Elpamsoft, AirPrint, or Bonjour, so rest easier:

5. Registry Tweak for Windows 10+

I struggled after all the steps on this page without this registry tweak because a lot of guides predate the necessity of this tweak. Without this tweak, nmap, dig, dns-sd, avahi-browse, Wireshark, pfSense’s packet capture, and the like will not save you. I found this registry tweak on some page in some zip file from some filelocker that I cannot remember anymore, but here it is in plain text for the 64-bit version of Windows (if you have 32-bit Windows, press Alt+F4 now and thank you for reading).

Here is the plaintext registry file. Copy, save it to a new file ending with .reg, and double-click and merge.

6. pfSense Firewall Rules

I’ve added Floating rules because they supersede any LAN or VLAN rules, as well as default Deny rules such as “Deny IPv6”. It turns out that link-local addresses need to be IPv6 enabled and Bonjour uses IPv6. I have experimented with IPv6 completely disabled and blocked: AirPrint will work, but it takes eons for the IPv6 packets to time out and fall back to IPv4 and find the printer.

I still have IPv6 disabled globally, but allow IPv6 on UDP port 5353. Here are the rules:

We might as well set the IPP/AirPrint rule while we are here. I have an alias for Trusted_wireless of the IPs of the devices I allow to access the printer. As for the source of packets to Bonjour on 5353, this can be restricted or set to any. Too many devices make Bonjour or mDNS broadcasts so we can go with the flow.

7. Enable Avahi’s Multi-Interface Bonjour Rebroadcast

This is straightforward. Head to pfSense’s Services > Avahi and select the interfaces to “bridge” which connect to the iPhone and the Windows machine. In step 4 below, you can leave this blank to rebroadcast (or reflect) all services, but using dig I’ve found that _ipp._tcp.local is the service name for the IPP (IP Printing) or AirPrint service.

8. Verify AirPrint Works

From a Linux box on one of the two above interface subnets, you can run avahi-browse -a -v -r to see what services are out there on the LANs.

Here is a successful nmap scan to confirm the ports are open correctly with regard to UDP and TCP.

We can scan the network from an iPhone using a free app called Discovery to show the iPhone can find the Windows USB printer.

And here it is.

Let’s print something.

Conclusion

Bonjour and mDNS do not work across subnets by design, for example, to keep printers isolated to one company department on one subnet. At home, more savvy personal networks have VLANs or multiple LANs so a WiFi light bulb, when hacked, is limited to its own restricted network. You might also have a VLAN for guests on WiFi. In my case, I have a LAN for WiFi devices and another LAN for wired devices.

• I need a way to AirPrint from my iPhone from one LAN to another LAN: that is solved with pfSense and Avahi.

• Next, I need to AirPrint to a non-WiFi, non-Apple device on a Windows machine: that is solved with Bonjour for Windows and an AirPrint driver.

• Finally, I want to secure the printer against anyone printing: that is solved with Windows User Authentication and firewall rules.