Complex Printer sharing

I’ve looked through several threads, and did not find anything that seems to relate directly to my problem. I’m a newbie to setting up firewalls, so I might have missed something.

I have three computers that are part of a workgroup and a new corporate laptop that is part of a domain centered across the country. I just started using Comodo (2.4.18.184) and DSL with a wireless router and a hardware firewall as well.

I need to share printers with the three workgroup computers and this corporate laptop which is a member of a corporate domain. AFAIK, it can’t be both a member of the corporate domain and my little workgroup at the same time.

I’m not sure whether I can set a static IP address on the laptop because of corporate security constraints.

What do I do besides go back to my big name AV/Firewall?

I hope I’ve conveyed this without too much confusion. I’m certainly confused.

TIA

Welcome to the forums, tdh (:WAV)

I think we can help you out, but we will need some more info from you.

Regarding your local workgroup:

  1. Are the printers local to the workgroup, or are they remotely located (ie, corporate)?
  2. Are the computers in the workgroup networked together in some fashion?
  3. Is CFP on all computers in the workgroup, or only your laptop?

LM

Thank you, it’s nice to be here.

  1. The printers are connected to the main computer, which is a desktop.

  2. The workgroup computers (a laptop and sometimes others) are connected via a wireless network.

  3. CFP is only on the main computer right now. The home laptop uses Symantec and the corporate laptop uses something corporate for firewall/AV. I connect to the Internet using a connection to my 2wire connection point.

It looks something like this:

P1-----Main ---(wireless)-Home Laptop
P2-----Computer |(wireless)
| |
|----------------------Modem------- Corporate Laptop
|
Internet

P1 and P2 are two printers. P1 is connected via USB and P2 via parallel port.

I had no trouble with printing from any computer when using PC-Cillin’s firewall. I could go back, but don’t really want to.

Okay, so you’ve got something that controls your wireless network… presumably a router (your modem may have routing capabilities for multiple computers)? And it assigns IP addresses via DHCP within a given range (probably 192.168.1.1 - 192.168.255.255 or somesuch). You can check by going to Start/Run and typing “cmd” (no quotes) to open a DOS window. At the prompt, type “ipconfig /all” to get the entire subnet mask, DHCP and DNS servers, default gateway and so on.

My advice would be first to go into the Internet Connections (within Windows) for each computer and assign a sequential static IP (this is for your internal connection only; the modem will have the external IP address from your ISP), based on what the modem/router is assigning. On the corporate laptop you would set this up under the alternate IP configuration. This is simply for security; you can make it work without this extra step.

In CFP open Security/Tasks/Add a Zone. If you have defined static internal IP addresses on each machine, you will define the start/end aspects of the range to match (such as 192.168.1.2 - 192.168.1.6). If you have not defined static internal IPs, then you will need to select the entire subnet for the zone (which will be there by default). ** If you take this route, see pandlouk’s tutorial on securing your wifi within this thread https://forums.comodo.com/index.php/topic,6167.0.html to learn about controlling the # of computers that can join by setting the final octet of the subnet. **

Then open Security/Tasks/Define a New Trusted Network. Select the Zone you just added. This will place two rules in Network Monitor, at the top of the list (positions Rule ID 0 & 1); the first will Allow IP Out from Any to Zone and the second will Allow IP In from Zone to Any. This ensures freedom of communication in and out of the firewall, for every computer in that zone.

LM
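
The difference between the two zone choices in the post above, worked through as an added example (not part of the original thread and not Comodo's own code): it compares trusting the 192.168.1.2 - 192.168.1.6 range with trusting the whole subnet. The /24 subnet, the host names and the host addresses are constructed assumptions.

```python
import ipaddress

def zone_report(start, end, lan, hosts):
    """Compare trusting a start/end range with trusting the whole LAN subnet."""
    net = ipaddress.ip_network(lan)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        raise ValueError("zone start is above zone end")
    if first not in net or last not in net:
        raise ValueError("zone must lie inside the LAN subnet")

    # Smallest single subnet (and its mask) that still contains the range.
    cover = ipaddress.ip_network(f"{first}/32")
    while last not in cover:
        cover = cover.supernet()

    # For each host: (trusted by the range zone, trusted by the subnet zone).
    membership = {}
    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        membership[name] = (first <= ip <= last, ip in net)

    return {
        "zone_addresses": int(last) - int(first) + 1,
        "subnet_addresses": net.num_addresses,
        "zone_as_cidr": [str(n) for n in
                         ipaddress.summarize_address_range(first, last)],
        "smallest_cover": str(cover),
        "cover_mask": str(cover.netmask),
        "membership": membership,
    }

# Constructed sample hosts (assumptions, not taken from the thread).
HOSTS = {
    "main desktop": "192.168.1.2",
    "home laptop": "192.168.1.3",
    "corporate laptop": "192.168.1.4",
    "unknown DHCP client": "192.168.1.64",  # e.g. a device that joined the wifi
    "external host": "203.0.113.10",        # documentation address
}

if __name__ == "__main__":
    report = zone_report("192.168.1.2", "192.168.1.6", "192.168.1.0/24", HOSTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The unknown DHCP client is outside the range zone but inside the subnet zone, which is why the whole-subnet choice depends on limiting who can join the network.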

Thanks. I’ll try all that and let you know.

The wireless modem is a 2wire router so it does handle wireless and 4 wired connections.

Is setting an alternate static IP address on the corporate computer likely to violate any security rules?

It shouldn’t, but it would probably be a good idea to let them know that you need to add an Alternate in order to be granted outbound access through your network firewall at home. Since it isn’t your computer and all…

The alternate IP configuration is found by opening Network Connections in Windows, right-click on your Network Interface & select Properties. Then highlight Internet Protocol (TCP/IP) then Properties. Go to the Alternate Configuration tab & click on User Configured - then fill in the information based on your network at home (which you have from the ipconfig /all command). This is available in Windows specifically for situations such as yours, and it would seem that corporate policy would expect a laptop to be used from alternate locations, which might require alternate connectivity policies on the computer.

LM

Oh well…

My ISP requires dynamic IP addresses, and it’s probably not a good idea to “upgrade” to allow static ones, for political reasons among others. It seems I can’t change the subnet mask either. >:(

I tried all the recommendations, but nothing worked. So for the moment, I am forced, for the sake of my marriage, to go back to PC-Cillin.

I will get Comodo working so that I can use it instead of their firewall, but it will take some further experimentation.

Thanks for your help and suggestions. As California’s Governator says, “I’ll be back!”

Regards (R)

The ISP’s dynamic address is the external one… it should have no impact on setting static internal IP addresses. Normally the router controls all IP addresses for computers on the LAN; all you would be doing is taking that DHCP Lease out of the loop, so to speak. Unless of course your router doesn’t do network address translation (which would be very odd…).

Tell me this - if you do the start/run, cmd, then ipconfig /all, you will see the internal network information. Do you see a difference between the IP address information given there, and the IP showing in your posts here (lower right corner of your posts)?

LM

Yes, there is a difference. My posts here show IP addresses of the form 71.135… while the ipconfig /all command gives IP addresses of the form 192.168.1…

From other checking I’ve done, the first IP address is the router IP address, while the latter ones are for the workgroup members.

I infer from your comments that the only dynamic IPs need to be the router, not the individual members.

There you go… the 71.x.x.x is the IP assigned by your ISP; it is the external one, the one the world sees.

The 192.168.x.x IPs are assigned by the router internally, for the computers on the LAN. These IPs are not seen by the world. These are the ones we’re talking about setting as static.

To give a brief explanation of what happens… with your ISP, you have only one IP address, one point of contact with the internet. But you’re connecting multiple computers, which would be problematic on just one IP address. Here’s where Network Address Translation (NAT) comes in; this is commonly what a router is used for. It assigns internal IP addresses to the resources on the Network, and serves as a “hub” for the single IP connection to the outside world. The world only sees the Untranslated IP address (ie, the 71.x.x.x) and the network only sees the Translated IP addresses (ie, the 192.x.x.x). If you want to learn more about it, Wikipedia is as good a place as any…

What I’m suggesting is to go (in Windows) to your Network Connections screen, and find the active connection’s icon (will say “Local Area Connection” or possibly “Wireless Network Connection” - not the “1394 Connection”). If you have multiples and you’re not sure which one, right-click and select Status on each - look for the one showing traffic…

Close the Status window, right-click the one you need and select Properties. It will show the Network Interface Card (NIC) you’re using, and a list of items that the connection uses. Scroll down to Internet Protocol (TCP/IP), highlight it, and click the Properties button. On the General tab, select “Use the following IP address” and fill the info in as we discussed earlier. You can leave the DNS server set to automatic. Then OK, and OK again. That’s it. (Remember, on your corporate laptop, you’ll be choosing the Alternate Configuration tab, instead of General.)

This way, your router won’t assign the internal IP address (which it does dynamically, meaning it could be anything in your entire subnet; not necessarily sequential), and your computers won’t be asking it to. This way, you KNOW what the IP addresses of each computer on your network will be, and you can use that to define the trusted zone/network within Comodo.

LM

PS: I hope none of this is too confusing… we’ll take you through it, so anything that doesn’t make sense, just ask.