Hello, I’m trying to use my Epson XP-200 printer/scanner with OpenSUSE Tumblweed.
- /etc/sane.d/dll.conf has the “epson2” line uncommented.
- /etc/sane.d/epson2.conf has “net autodiscovery” as its last line
- My user is part of the “lp” group, which seems to be required for finding printers/scanners
If I disable the firewall completely (using YaST2 firewall program), it works – the Skanlite software detects my scanner and connects to it. With the firewall enabled, however, Skanlite says SANE cannot find any scanners. I have tried allowing TCP and UDP ports 8610, 8612 (based on suggestions from https://wiki.debian.org/SaneOverNetwork), and 631 (for CUPS) in the “public” zone, and added the “sane” service to “Allowed” services (didn’t see a “cups” service option), but Skanlite still says SANE cannot find the scanner.
Is there a way for “net autodiscovery” to work without completely disabling my firewall? What ports/services should I allow? It seems the alternative is to manually specify the printer’s IP address in /etc/sane.d/epson2.conf instead of “net autodiscovery”, but I would prefer to not hardcode this.
Thank you in advance for any suggestions!
EDIT: Based on suggestions below, I turned on firewall logging with the instructions https://www.cyberciti.biz/faq/enable-firewalld-logging-for-denied-packets-on-linux/):
- sudo vi /etc/firewalld/firewalld.conf
- Set LogDenied=all
- sudo firewall-cmd --reload
To find lines related to my printer (known to be at 192.168.1.57):
- dmseg | grep 192.168.1.57
Here is a sample of the output (192.168.1.105 is my OpenSUSE computer):
[30974.673679] filter_IN_public_REJECT: IN=wlp0s20f0u3 OUT= MAC= SRC=192.168.1.57 DST=192.168.1.105 LEN=104 TOS=0x00 PREC=0x00 TTL=30 ID=37923 PROTO=UDP SPT=3289 DPT=48375 LEN=84 MARK=0x3214
[30976.299712] filter_IN_public_REJECT: IN=wlp0s20f0u3 OUT= MAC= SRC=192.168.1.57 DST=192.168.1.105 LEN=104 TOS=0x00 PREC=0x00 TTL=30 ID=37924 PROTO=UDP SPT=3289 DPT=52415 LEN=84 MARK=0x3214
[31139.093164] filter_IN_public_REJECT: IN=wlp0s20f0u3 OUT= MAC= SRC=192.168.1.57 DST=192.168.1.105 LEN=104 TOS=0x00 PREC=0x00 TTL=30 ID=38084 PROTO=UDP SPT=3289 DPT=46833 LEN=84 MARK=0x3214
Looks like 3289 UDP is the port of interest, and it shows up on an EPSON website (https://epson.com/faq/SPT_C11CG18201~faq-0000525-shared?faq_cat=faq-8796127635532). I tried adding it to “public” and “home” zones and it still doesn’t work. Is there a different zone I should be using?
Surely your firewall has an audit log for denied traffic.
Or, turn off the firewall and run Wireshark while you print something.
deleted by creator
As I understand this article ( https://linuxconfig.org/how-to-monitor-network-activity-on-a-linux-system ), you can disable firewall and run “sudo netstat -tulpen” to get a list of all connections and find which ports need to be forwarded.
Are you using Avahi for the auto discovery? If so you need to open port 5353 UDP.
No change with allowing 5353 UDP through the firewall, unfortunately. But thank you for the suggestion!
You may also need to allow multicast. Look into it a bit more.
You can also enable debugging on the firewall and see what exactly gets blocked.
Added some info to the post. Firewall is blocking 3289 UDP from my printer, so I added 3289 UDP to open ports for “home”, “public”, and “internal” zones. However, I’m still seeing filter_IN_public_REJECT entries in dmesg, so it seems the firewall is still blocking these. Is there a different way I should be telling it to allow requests on this port?
Firewall also allows mdns service (again, in “home”, “public”, and “internal” zones), but I also see entries like this:
[41951.119486] filter_IN_public_REJECT: IN=wlp0s20f0u3 OUT= MAC= SRC=192.168.1.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=10725 DF PROTO=2 MARK=0x3214
It sounds like 224.0.0.1 is related to mdns broadcasts, so it seems firewall is also still blocking these (despite mdns being allowed service).
Am I specifying these in the wrong place? (Per Connections - System Settings, my wifi is in Firewall zone “home”).
Is mdns allowed?
Added “mdns” service to allowed list for public zone, still get the SANE error. (Previously added 5353 UDP per another suggestion – sounds like this is the port for mDNS)
A quick scan through the services in Yast firewall revealed that there is a sane service too. Is that enabled?
Yes, “sane” service is already in the “Allowed” list.