Using a USB laser printer that just works1 I’d like to print Chrome web pages and other documents from my iPhone on one subnet to my shared Windows printer on a different, more secure subnet.
I’m using a simple laser printer bought in 2022 but made in 2015 for some reason. It uses a Microsoft print driver, and it just works. No need to get a WiFi printer or a WiFi print server or an AirPort add-on from Apple.
This guide is a reminder of what I did to get AirPrint on Windows working in 2022.
- USB-wired printer
- Windows 10+ machine
- AirPrint 3rd-party service
- Windows registry tweak
- pfSense router
- Avahi daemon
- An iPhone
This is a guide for me because it took too much trial and error to get right and I’m in danger of forgetting what finally worked.
1. Install Avahi in pfSense
Open up pfSense and head to
Package Manager. Install Avahi. This allows mDNS/Bonjour broadcasts to
ff02::fb to be repeated across all participating subnets which is normally not allowed by the 2003 Bonjour protocol specification. Sidestep that roadblock nicely:
2. Share the Windows USB Printer
Hit the Windows key and type “printers”. Click on “Printers & Scanners”. Select the USB printer. Enable sharing like so:
3. Install Bonjour from Apple
I won’t install iTunes on my Windows machine. Since that heavy, everything-altering software is not installed, we need to install Apple’s Bonjour “zero-config” mDNS broadcast service in the Windows machine that has the USB printer to announce to the subnets that there is a printer. Google “apple bonjour windows” and install the Bonjour Print Services for Windows. It was last updated in 2010 so let’s hope it still works in a year or so as well. Download like so:
Install. Defaults are fine IIRC.
4. Install a 3rd-Party, Port 631 IPP AirPrint Service Daemon
I Googled around and most people seem to like this free software from Elpamsoft, so I gave that a try and it works (mostly) great. The Elpamsoft homepage does not have a download link anymore, but you can search around for some mirror. I imagine there is some trademark issue on AirPrint, or one of the paid AirPrint drivers bought their IP. Who knows? This is a free and effective AirPrint driver; certainly do not get roped into a monthly AirPrint software subscription that includes ink discounts!
Confirm the security details match these as this piece of software was also released in 2010 and should not have changed.
Windows User Authentication. This is the only option that works. The Bonjour driver and this software are from 2010 and who knows if there is an exploit under Guest or with a blank password. Well, I do.
FYI, there isn’t much on the Exploit DB for Elpamsoft, AirPrint, or Bonjour, so rest easier:
5. Registry Tweak for Windows 10+
I struggled after all the steps on this page without this registry tweak because a lot of guides predate the necessity of this tweak. Without this tweak,
avahi-browse, Wireshark, pfSense’s packet capture, and the like will not save you. I found this registry tweak on some page in some zip file from some filelocker that I cannot remember anymore, but here it is in plain text for the 64-bit version of Windows (if you have 32-bit Windows, press Alt+F4 now and thank you for reading).
Here is the plaintext registry file. Copy, save it to a new file ending with
.reg, and double-click and merge.
Windows Registry Editor Version 5.00
hex(2):43,00,...? I’ll tell you: Stripping off every second pair of
00leaves us with 433a5c50726f677261 … 73616c202d73 which converted from hex to ASCII gives us just an image path to:
C:\Program Files (x86)\AirPrint\airprint.exe -R _ipp._tcp,_universal -s
Please make sure the path of
airprint.exe is correct, but it is should be by default. Also,
hex(7):42,00,6f... is just “Bonjour Service”.
6. pfSense Firewall Rules
I’ve added Floating rules because they supersede any LAN or VLAN rules, as well as default Deny rules such as “Deny IPv6”. It turns out that link-local addresses need to be IPv6 enabled and Bonjour uses IPv6. I have experimented with IPv6 completely disabled and blocked: AirPrint will work, but it takes eons for the IPv6 packets to time out and fall back to IPv4 and find the printer.
I still have IPv6 disabled globally, but allow IPv6 on UDP port 5353. Here are the rules:
We might as well set the
IPP/AirPrint rule while we are here. I have an alias for
Trusted_wireless of the IPs of the devices I allow to access the printer. As for the source of packets to Bonjour on 5353, this can be restricted or set to
any. Too many devices make Bonjour or mDNS broadcasts so we can go with the flow.
7. Enable Avahi’s Multi-Interface Bonjour Rebroadcast
This is straightforward. Head to pfSense’s
Avahi and select the interfaces to “bridge” which connect to the iPhone and the Windows machine. In step 4 below, you can leave this blank to rebroadcast (or reflect) all services, but using
dig I’ve found that
_ipp._tcp.local is the service name for the IPP (IP Printing) or AirPrint service.
8. Verify AirPrint Works
From a Linux box on one of the two above interface subnets, you can run
avahi-browse -a -v -r to see what services are out there on the LANs.
Here is a successful
nmap scan to confirm the ports are open correctly with regard to UDP and TCP.
We can scan the network from an iPhone using a free app called Discovery to show the iPhone can find the Windows USB printer.
And here it is.
Let’s print something.
Bonjour and mDNS do not work across subnets by design, for example, to keep printers isolated to one company department on one subnet. At home, more savvy personal networks have VLANs or multiple LANs so a WiFi light bulb, when hacked, is limited to its own restricted network. You might also have a VLAN for guests on WiFi. In my case, I have a LAN for WiFi devices and another LAN for wired devices.
- I need a way to AirPrint from my iPhone from one LAN to another LAN: that is solved with pfSense and Avahi.
Next, I need to AirPrint to a non-WiFi, non-Apple device on a Windows machine: that is solved with Bonjour for Windows and an AirPrint driver.
Finally, I want to secure the printer against anyone printing: that is solved with Windows User Authentication and firewall rules.
- There is no WiFi, Bluetooth, all-in-one scanning, inkjets, coloured ink, heavy software, etc. so the printer just works. ↩