In my previous configuration, I used a CUPS server with multiple network interfaces to enable printing from computers on restricted networks onto the printer located in the admin network. However, after some research and exploration, I discovered a more efficient way to achieve this goal by utilizing VLANs for network segmentation.
Creating a Dedicated Printer VLAN
To start, I created a dedicated "printer" VLAN that can only communicate with the internet and is isolated from other VLANs. The networks from which I want to enable printing are configured to allow connections to the printer VLAN. This ensures that printing traffic from the restricted networks cannot accidentally traverse to other parts of the network, while computers can still print to the printer. The printer VLAN is now the primary focus for setting up the UDP proxy container.
Configuring the UDP Proxy Container
To enable printing across multiple networks, I created a Linux container for a UDP proxy, with network interfaces on both the printer VLAN and any additional VLANs that need to support printing. In this setup, the UDP proxy container makes the notifications of the printers on the printer VLAN visible to computers on the other VLANs.
Here's an example of how to configure the UDP proxy relay using the udpbroadcastrelay command:
# Relay 1: NetBIOS name service (UDP port 137)
./udpbroadcastrelay --id 1 --port 137 --dev printer-vlan-interface --dev computer-vlan-interface -f
# Relay 2: NetBIOS datagram service (UDP port 138)
./udpbroadcastrelay --id 2 --port 138 --dev printer-vlan-interface --dev computer-vlan-interface -f
# Relay 3: SSDP (UDP port 1900, multicast group 239.255.255.250)
./udpbroadcastrelay --id 3 --port 1900 --dev printer-vlan-interface --dev computer-vlan-interface --multicast 239.255.255.250 -f
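
Because the container has an interface on the printer VLAN and on every VLAN that prints, it should only relay the discovery packets above and never route between those VLANs; udpbroadcastrelay re-sends packets itself and does not need kernel IP forwarding. The check below is an added example, not part of the original setup: the function name check_forwarding and its optional root argument (used to test against a constructed directory tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Verifies that the multi-homed relay container is not acting as a router
# between the VLANs it is attached to. Run it inside the container before
# starting the udpbroadcastrelay instances.

# check_forwarding [ROOT]
#   ROOT defaults to /proc/sys; passing another directory is an assumption
#   of this example so the check can be run against a constructed tree.
#   Prints one line per sysctl that has forwarding enabled.
#   Returns 0 if forwarding is off everywhere, 1 otherwise.
check_forwarding() {
    root="${1:-/proc/sys}"
    bad=0
    for f in "$root/net/ipv4/ip_forward" \
             "$root"/net/ipv4/conf/*/forwarding \
             "$root"/net/ipv6/conf/*/forwarding; do
        # An unmatched glob stays literal and is skipped here.
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "forwarding enabled: ${f#"$root"/}"
            bad=1
        fi
    done
    return "$bad"
}

# Typical use in the container's start script (commented out so that
# sourcing this file only defines the function):
#   check_forwarding || { echo "refusing to start relays" >&2; exit 1; }
```

If the check reports an enabled entry, turn forwarding off in the container before launching the relays, so that the firewall rules between the VLANs remain the only path for non-discovery traffic.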