You have two offices. You have a VPN. You have printers. And somehow, printing behaves like a ghost story:
half the time it works, then someone changes nothing and it breaks until Tuesday. The CFO prints a contract,
the job “disappears,” and everyone starts looking at the firewall like it personally insulted them.
Cross-site printing is easy to make work. It’s harder to make boringly reliable.
Reliability comes from making the network path predictable, picking sane print protocols, centralizing the right parts,
and diagnosing the failure domain quickly when (not if) something drifts.
The reliability model: what “stable printing” actually means
Most teams treat printing like a side quest. That’s the first mistake. Printing is a distributed system:
clients, drivers, spoolers, directory services, name resolution, a VPN tunnel, routing, QoS, and a device
whose idea of telemetry is a blinking LED and a web UI from 2009.
“Stable cross-site printing” has three properties:
-
Predictable path: the print traffic always traverses the same routing and policy,
without surprise NAT, asymmetric routing, or split tunneling inconsistencies. -
Deterministic addressing: printers aren’t found by “hope-based networking” (multicast discovery,
changing DHCP leases, random DNS suffixes). They’re found by stable names and stable IPs. -
Spooling boundaries you control: you decide where jobs are queued, retried, and transformed.
If the WAN is flaky, you want the queue on the side that can handle retries without user drama.
The most reliable pattern for cross-site printing is usually:
local print server per site (Windows or CUPS), printers stay local, and the VPN is used for
management and occasional cross-site exceptions — not as the primary data path for every print job.
When you must print across sites (executives, centralized mailroom, etc.), you do it via
IPP(S) to a server, not by pointing every laptop directly at a printer over the tunnel.
One “print job failed” can mean a dozen different failure modes. Your job is to shrink that space.
Design so failures are obvious, localized, and recoverable.
Interesting facts and short history that explains today’s mess
-
Fact 1: LPD/LPR printing dates back to early BSD Unix days. It’s simple and durable,
and it also predates modern authentication expectations by roughly a lifetime. -
Fact 2: “RAW 9100” (JetDirect-style) became popular because it was dead simple:
open TCP/9100 and stream bytes. It’s also wonderfully indifferent to job accounting and user identity. -
Fact 3: IPP (Internet Printing Protocol) was designed to replace older printing transports
with a richer model: capabilities, attributes, better status, and later TLS via IPPS. -
Fact 4: Many offices still rely on multicast discovery (mDNS/Bonjour) because it feels magical
on a single LAN. VPNs and routed networks famously do not do “magical multicast” unless you build plumbing for it. -
Fact 5: Windows “Point and Print” became a de facto standard workflow for years,
but security hardening (especially around driver installation) changed the ergonomics. Printing got safer and noisier. -
Fact 6: SMB printing (shared printer on a Windows server) is often reliable on a LAN,
but across a WAN it inherits every latency hiccup and authentication edge case SMB can offer. -
Fact 7: Printer drivers have historically been a rich source of kernel- and spooler-level problems.
That’s one reason “driverless” approaches (IPP Everywhere, AirPrint) became a thing. -
Fact 8: “Universal” drivers exist because fleets are mixed and vendor drivers vary wildly in quality.
Universal drivers are less feature-rich and more predictable — which is usually a trade worth making over a VPN.
Architectures that work (and why)
Option A (recommended): print server per site, printers stay local
Put a print server in each office. Clients in that office print to their local server over the LAN.
The server talks to local printers. The VPN is not in the hot path for most jobs.
If you need centralized management, you manage the servers over the VPN.
Why it works: it respects physics. WAN latency and packet loss are the enemy of “stream this blob and
don’t hiccup.” Local spooling contains the blast radius. If the VPN drops for 10 seconds, the office can still print.
Option B: centralized print server, remote sites print to it via IPPS
A single print server (Windows or CUPS) in HQ. Remote sites submit jobs over the VPN to that server.
The server forwards to printers (either in HQ or in branches).
This can be stable if and only if:
you use a modern protocol (IPP/IPPS), you tune timeouts, you have predictable routing, and the server is sized to spool
jobs without choking. It’s still more fragile than local servers because all printing depends on the tunnel and that server.
Option C (avoid for most offices): clients print directly to remote printers over the VPN
This is where “random failures” are born. Every laptop becomes its own print server, including all driver weirdness,
session state, and personal firewall rules. You’re also sending print payloads over the tunnel from every client,
which amplifies VPN jitter into user pain.
Direct-to-printer over VPN is acceptable for a few power users if you lock it down:
static IPs, explicit DNS, IPP/9100 as appropriate, and you validate the path with monitoring.
But as a default office posture? No.
Option D: cloud printing
Cloud printing can work well, but it’s an architecture change: identity, connectors/agents, and sometimes
replacing legacy printers. If your goal is “make VPN printing reliable,” cloud printing might be the correct long-term
answer, but it’s not a patch. Treat it like a migration.
Opinionated takeaway: if you have more than one site and you value your weekends, deploy a print server per site
unless there’s a strong business reason not to.
Protocols: IPP, RAW 9100, LPD, SMB — pick your poison on purpose
IPP/IPPS (preferred)
IPP is chatty but capable. Over a VPN, “chatty” can be okay if latency is stable and MTU is correct.
IPPS (IPP over TLS) gives you encryption and better identity handling than the older protocols.
It’s also the foundation of driverless printing (IPP Everywhere).
What goes wrong: TLS interception or broken certificates, mis-sized MTU causing fragmentation and stalls,
and printers with half-baked IPP implementations. Yes, some devices claim IPP and then panic when asked basic questions.
RAW TCP/9100 (simple, sometimes too simple)
TCP/9100 is “open socket, stream bytes.” It tends to be resilient to vendor nonsense, but it gives you poor status
and weak job semantics. Across a VPN, it’s vulnerable to idle timeouts and session resets. If your firewall or VPN
drops long-lived idle connections, large print jobs will feel like coin flips.
LPD/LPR (old, still alive)
LPD is surprisingly durable and often easy to traverse networks, but it’s an antique.
If you need authentication, auditing, or modern security controls, LPD is a bad starting point.
If you just need a warehouse to print labels reliably from a controlled system, LPD can be fine.
SMB shared printer (Windows print server)
In Microsoft shops, this is common: connect to \\printserver\PrinterShare and let Windows handle it.
On a LAN, it’s often stable. Over a VPN, SMB adds sensitivity to latency, authentication timing,
and name resolution. SMB also tends to attract “helpful” middleboxes and security products.
If you run Windows print servers, keep them patched and keep driver distribution strict.
Use a universal driver unless you have a specific feature requirement.
Dry truth: printers are the last place you want “clever.” Pick one primary protocol per environment and standardize.
Heterogeneity is how you end up debugging four protocols at 4 p.m. on a Friday.
VPN and routing: the boring plumbing that decides your fate
Make routing symmetric and explicit
Cross-site printing loves stable, symmetric routing. If print traffic goes client → VPN → printer, the return path
must also go printer → VPN → client (or printer → server). Asymmetric routing produces “sometimes it works”
in the most demoralizing way: TCP handshakes succeed, then large payloads stall or reset.
If you NAT one side of the VPN and not the other, be extremely deliberate. NAT can hide addressing sins,
but it can also break printer ACLs, logging, and any protocol that embeds IPs or expects stable peer identity.
MTU and MSS clamping: the silent killer
VPN encapsulation reduces effective MTU. If you don’t clamp MSS or tune MTU, you get fragmentation or black-holed
fragments. Printing is perfect at exposing this because print payloads are large and often bursty.
Symptoms: small jobs work, large PDFs fail, or jobs hang at “processing.”
Idle timeouts and session tracking
Many printers will pause mid-job for rendering, stapling, or waiting on internal buffers.
Meanwhile, stateful firewalls and VPN devices may decide the flow is “idle” and kill it.
TCP/9100 suffers here. IPP can too, depending on implementation and how the client streams data.
QoS: don’t starve printing, don’t let it starve everything else
Printing is not real-time, but users perceive it as interactive. Meanwhile, a giant print job can saturate a small
tunnel and make VoIP miserable. If you have limited bandwidth, classify and shape.
You don’t need perfection; you need “printing doesn’t DoS the office.”
Name resolution: DNS beats discovery
mDNS across VPN is a trap unless you knowingly deploy an mDNS gateway/reflector and accept the operational overhead.
Better: give printers stable DNS names (or the print servers stable names), ensure both sites resolve them consistently,
and keep reverse DNS sane enough for logs and ACLs.
One quote worth keeping around, because it’s the whole game in ops:
Hope is not a strategy.
— James Cameron
Joke #1: A printer is a computer that has achieved enlightenment: it communicates only through cryptic blinking lights and silent judgment.
Fast diagnosis playbook
When printing fails across a VPN, your goal is not “stare at the printer UI.” Your goal is to locate the bottleneck
in three checks: path, protocol, spooler.
First: confirm the network path is intact (L3/L4)
-
Can you reach the printer/print server IP from the client subnet?
If ICMP is blocked, test TCP to the actual print port. -
Is routing symmetric?
If only one direction is routed through the VPN, you’ll see intermittent TCP resets or stalls. -
Is MTU/MSS sane?
Large jobs failing but small ones working is a classic MTU symptom.
Second: confirm the protocol endpoint is correct
-
Is the client printing to a server or directly to the printer?
If it’s direct, expect more failure modes. -
Is the port open end-to-end?
IPP typically 631/tcp, IPPS 443 or 631 with TLS depending on device, RAW 9100/tcp, LPD 515/tcp, SMB 445/tcp. -
Is name resolution stable?
If DNS flips between local and remote IPs, you’ll get “works for some users.”
Third: check the spooler and queue behavior
-
Is the job stuck in the client spooler, server queue, or printer queue?
The fix depends on where it stops. -
Are drivers and filters stable?
A broken driver can look like a network issue. -
Are there retries/timeouts?
If the spooler gives up too quickly for a high-latency path, tune it or move the spooling boundary.
Hands-on tasks: commands, outputs, and decisions (12+)
These are practical checks you can run from a Linux admin box (or a Linux print server) while debugging.
The point is not the command; the point is what the output tells you and what decision you make next.
Task 1: Verify VPN interface and routes
cr0x@server:~$ ip -brief addr show
lo UNKNOWN 127.0.0.1/8 ::1/128
eth0 UP 10.10.10.20/24 fe80::a00:27ff:fe12:3456/64
wg0 UP 10.99.0.1/24
cr0x@server:~$ ip route
default via 10.10.10.1 dev eth0
10.10.10.0/24 dev eth0 proto kernel scope link src 10.10.10.20
10.20.20.0/24 via 10.99.0.2 dev wg0
10.99.0.0/24 dev wg0 proto kernel scope link src 10.99.0.1
What it means: you have a tunnel (wg0) and a route to the remote office subnet (10.20.20.0/24) through it.
Decision: if the remote printer subnet isn’t routed via the VPN interface, fix routing before touching printing.
Task 2: Confirm you can reach the remote print endpoint (TCP check)
cr0x@server:~$ nc -vz 10.20.20.50 631
Connection to 10.20.20.50 631 port [tcp/ipp] succeeded!
What it means: TCP/631 is reachable end-to-end; basic firewalling and routing are likely fine.
Decision: move on to protocol-level checks (IPP responses, TLS, auth).
Task 3: Identify if MTU is likely broken (ping with DF)
cr0x@server:~$ ping -M do -s 1360 10.20.20.50 -c 3
PING 10.20.20.50 (10.20.20.50) 1360(1388) bytes of data.
1368 bytes from 10.20.20.50: icmp_seq=1 ttl=63 time=28.4 ms
1368 bytes from 10.20.20.50: icmp_seq=2 ttl=63 time=28.0 ms
1368 bytes from 10.20.20.50: icmp_seq=3 ttl=63 time=28.2 ms
--- 10.20.20.50 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
What it means: at least 1360-byte payload with DF works; MTU might be okay at this size.
Decision: if this fails with “Frag needed,” clamp MSS on the VPN/firewall or lower MTU on the tunnel.
Task 4: Trace the route to catch asymmetry or wrong gateways
cr0x@server:~$ traceroute -n 10.20.20.50
traceroute to 10.20.20.50 (10.20.20.50), 30 hops max, 60 byte packets
1 10.99.0.2 2.114 ms 2.022 ms 2.009 ms
2 10.20.20.50 28.901 ms 28.744 ms 28.701 ms
What it means: traffic goes through the VPN peer then to the printer. Short and clean.
Decision: if you see a hop via the internet router or a different tunnel, fix route preferences.
Task 5: DNS sanity check (forward and reverse)
cr0x@server:~$ getent hosts prn-branch-1.office.example
10.20.20.50 prn-branch-1.office.example
cr0x@server:~$ dig +short -x 10.20.20.50
prn-branch-1.office.example.
What it means: stable forward and reverse mapping.
Decision: if reverse DNS points somewhere else or forward DNS returns multiple IPs, fix DNS before blaming printers.
Task 6: Confirm which protocol the queue uses (CUPS)
cr0x@server:~$ lpstat -v
device for Branch_HP_Color: ipp://prn-branch-1.office.example/ipp/print
device for HQ_Laser: socket://10.10.10.80:9100
What it means: Branch printer uses IPP, HQ uses RAW 9100.
Decision: prioritize fixing IPP/TLS/auth for the branch queue; different queues, different failure modes.
Task 7: Submit a tiny test job and watch where it sticks
cr0x@server:~$ echo "test page $(date)" | lp -d Branch_HP_Color
request id is Branch_HP_Color-381 (1 file(s))
cr0x@server:~$ lpstat -o
Branch_HP_Color-381 cr0x 1024 Sat 27 Dec 2025 02:11:49 PM UTC
What it means: job is queued in CUPS.
Decision: if it never leaves the queue, inspect CUPS logs and backend connectivity; if it leaves but doesn’t print, inspect printer-side logs.
Task 8: Inspect CUPS error logs for backend timeouts
cr0x@server:~$ sudo tail -n 30 /var/log/cups/error_log
E [27/Dec/2025:14:11:52 +0000] [Job 381] Unable to connect to printer; will retry in 30 seconds
E [27/Dec/2025:14:12:22 +0000] [Job 381] Connection timed out
W [27/Dec/2025:14:12:22 +0000] [Job 381] Retrying job due to previous error; attempt 2 of 5
What it means: the spooler can’t maintain a connection to the endpoint.
Decision: check firewall idle timeouts, MTU, and packet loss; also confirm printer isn’t sleeping/offline on the far end.
Task 9: Packet capture on the print server (prove resets vs stalls)
cr0x@server:~$ sudo tcpdump -ni wg0 host 10.20.20.50 and tcp port 631 -c 12
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg0, link-type RAW (Raw IP), snapshot length 262144 bytes
14:12:01.012345 IP 10.99.0.1.49122 > 10.20.20.50.631: Flags [S], seq 123456789, win 64240, options [mss 1380,sackOK,TS val 111 ecr 0], length 0
14:12:01.041002 IP 10.20.20.50.631 > 10.99.0.1.49122: Flags [S.], seq 987654321, ack 123456790, win 65535, options [mss 1380,sackOK,TS val 222 ecr 111], length 0
14:12:01.041100 IP 10.99.0.1.49122 > 10.20.20.50.631: Flags [.], ack 1, win 64240, options [TS val 111 ecr 222], length 0
14:12:31.044512 IP 10.99.0.1.49122 > 10.20.20.50.631: Flags [F.], seq 1, ack 1, win 64240, options [TS val 333 ecr 222], length 0
What it means: handshake succeeds; then nothing for ~30 seconds; then the client closes.
This looks like an application stall or a middlebox dropping packets silently.
Decision: verify MTU/fragmentation and check printer sleep/energy-saving settings; consider forcing IPPS or using a local spooler at the branch.
Task 10: Validate IPP endpoint behavior (quick HTTP check)
cr0x@server:~$ curl -I http://prn-branch-1.office.example:631/
HTTP/1.1 200 OK
Server: CUPS/2.4
Content-Type: text/html; charset=utf-8
What it means: port 631 answers HTTP; could be a printer’s embedded IPP server or a CUPS instance.
Decision: if you expect a printer but see “CUPS,” you might be hitting the wrong host/IP via DNS or NAT.
Task 11: Check whether the printer is reachable on RAW 9100 (if used)
cr0x@server:~$ nc -vz 10.20.20.50 9100
Connection to 10.20.20.50 9100 port [tcp/*] succeeded!
What it means: the classic port is open.
Decision: if 9100 is open but IPP isn’t, choose one protocol and standardize; don’t let clients “auto-switch” during outages.
Task 12: Confirm CUPS sees the printer as accepting jobs
cr0x@server:~$ lpstat -p Branch_HP_Color -l
printer Branch_HP_Color is idle. enabled since Sat 27 Dec 2025 01:40:02 PM UTC
Form mounted:
Content types: any
Printer types: unknown
Description: Branch HP Color
Alerts: none
Location: Branch Office
Connection: ipp://prn-branch-1.office.example/ipp/print
What it means: queue is enabled and idle at the server side.
Decision: if it’s “stopped,” run a controlled restart of the queue and inspect why it stopped (auth, backend error).
Task 13: Restart the queue cleanly (don’t reboot the world)
cr0x@server:~$ sudo cupsdisable Branch_HP_Color
cr0x@server:~$ sudo cupsenable Branch_HP_Color
cr0x@server:~$ sudo cupsaccept Branch_HP_Color
What it means: you reset acceptance/enabled state without restarting the entire printing subsystem.
Decision: if disabling/enabling clears stuck jobs repeatedly, the underlying issue is still there; gather logs and fix the root cause.
Task 14: On systemd systems, check CUPS health and recent errors
cr0x@server:~$ systemctl status cups --no-pager
● cups.service - CUPS Scheduler
Loaded: loaded (/lib/systemd/system/cups.service; enabled; preset: enabled)
Active: active (running) since Sat 2025-12-27 13:10:03 UTC; 1h 5min ago
TriggeredBy: ● cups.socket
Docs: man:cupsd(8)
Main PID: 1240 (cupsd)
Tasks: 3
Memory: 12.4M
CPU: 2.131s
CGroup: /system.slice/cups.service
└─1240 /usr/sbin/cupsd -l
cr0x@server:~$ journalctl -u cups -n 20 --no-pager
Dec 27 14:12:22 server cupsd[1240]: [Job 381] Connection timed out
Dec 27 14:12:22 server cupsd[1240]: [Job 381] Retrying job due to previous error
What it means: CUPS is alive; the failure is connectivity/backend, not the daemon crashing.
Decision: stop “restart everything” reflexes; focus on network path and device behavior.
Task 15: Measure packet loss and jitter quickly (mtr)
cr0x@server:~$ mtr -rwzbc 50 10.20.20.50
Start: 2025-12-27T14:14:01+0000
HOST: server Loss% Snt Last Avg Best Wrst StDev
1.|-- 10.99.0.2 0.0% 50 2.1 2.2 1.8 3.4 0.3
2.|-- 10.20.20.50 6.0% 50 29.0 31.4 27.9 88.2 10.7
What it means: 6% loss to the printer is awful for print protocols that expect steady TCP delivery.
Decision: fix the VPN underlay (ISP, Wi-Fi, weak link), or move spooling local so job submission survives loss.
Task 16: Confirm firewall policy counters (nftables example)
cr0x@server:~$ sudo nft list ruleset | sed -n '1,120p'
table inet filter {
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept
iifname "wg0" oifname "eth0" ip daddr 10.10.10.0/24 accept
iifname "eth0" oifname "wg0" ip daddr 10.20.20.0/24 tcp dport { 631, 9100 } accept
}
}
What it means: you explicitly allow printing ports from HQ to branch.
Decision: if your allow rules are missing 631/9100/515/445 as needed, add them explicitly and log drops for visibility.
Common mistakes: symptoms → root cause → fix
1) “Small jobs print, large PDFs fail or hang”
Root cause: MTU/MSS mismatch across the VPN; fragmented packets dropped; PMTUD blocked.
Fix: clamp TCP MSS on the tunnel/firewall, or set lower MTU on the VPN interface.
Validate with ping -M do and a packet capture showing retransmits/black holes.
2) “It works for hours, then stops until someone clears the queue”
Root cause: stateful firewall idle timeouts killing long-lived TCP/9100 sessions, or printer sleep mode closing sockets.
Fix: prefer IPP with proper spooling, reduce reliance on raw streams, or increase idle timeouts for print flows.
Also disable aggressive sleep on the printer NIC if it’s causing connection churn.
3) “Some users can print, others can’t; same office”
Root cause: split DNS, multiple DNS suffixes, or clients resolving printer names to different IPs (local vs remote).
Fix: standardize DNS resolution (one source of truth), use stable names, and avoid mDNS-based discovery for routed sites.
4) “Jobs leave the client but never show up on the printer”
Root cause: jobs are stuck at the server spooler, or the printer rejects the job due to driver/PCL/PS mismatch.
Fix: check server queue logs; switch to a universal driver or driverless IPP Everywhere.
Confirm printer language compatibility (PCL6 vs PostScript).
5) “Everything broke after we ‘optimized’ the VPN”
Root cause: changed MTU, enabled compression, turned on aggressive UDP encapsulation settings,
or added traffic shaping without considering long-lived TCP flows.
Fix: roll back and reintroduce changes one at a time with measurements.
Treat printing as a canary workload because it’s sensitive to jitter and loss.
6) “Printer discovery is flaky across sites”
Root cause: mDNS/Bonjour and broadcast-based discovery doesn’t traverse routed VPNs by default.
Fix: stop relying on discovery; publish printers via DNS and managed queues (GPO for Windows, profiles/MDM for macOS).
7) “Windows clients keep prompting to install drivers or get blocked”
Root cause: Point-and-Print hardening, driver signing policies, or mismatched driver packages on the server.
Fix: use vendor-supported packaged drivers or universal drivers, pre-stage via endpoint management, and keep print servers patched.
8) “The VPN is up, but printing fails intermittently during peak hours”
Root cause: congestion on the underlay; tunnel saturation; lack of QoS; bufferbloat.
Fix: implement shaping, reserve capacity for interactive traffic, and keep printing from monopolizing the tunnel.
Consider moving spooling local so the WAN carries smaller control flows.
Three corporate mini-stories from the trenches
Mini-story 1: The incident caused by a wrong assumption
A mid-sized company merged two offices and connected them with a shiny new site-to-site VPN. The helpdesk ticket volume
spiked immediately: “Printing to the other office fails randomly.” The network team insisted the VPN was stable because
“pings are fine.”
The wrong assumption was subtle: they assumed ICMP success meant TCP sessions would behave. In reality, the VPN link was
fine for tiny packets, but the effective MTU had dropped after encapsulation. PMTUD was blocked by a firewall rule that
“nobody remembers adding,” so fragments got black-holed.
Users could print a one-page Word doc, but multi-page PDFs would hang mid-stream. The spooler would eventually time out,
users would retry, and the printer would later spit out partial pages like it was auditioning for modern art.
The fix was boring and immediate: clamp TCP MSS on the tunnel interface and allow the necessary ICMP “fragmentation needed”
messages. After that, large jobs behaved. The helpdesk stopped treating printers like cursed objects.
The lasting lesson: never accept “ping works” as proof that a WAN path is healthy for bulk TCP payloads.
Printing is a surprisingly effective MTU test harness.
Mini-story 2: The optimization that backfired
Another org had stable printing for years using a branch Windows print server. Someone decided that a local server was “technical debt”
and replaced it with direct printing: every workstation mapped directly to each printer over the VPN. Fewer servers, fewer patches, fewer problems.
That was the pitch.
The backfire came in three waves. First wave: inconsistent drivers. Some laptops had vendor drivers, some had a universal driver,
some had whatever Windows Update handed them. Print output varied: missing stapling, wrong trays, rotated labels.
Not catastrophic, just embarrassing.
Second wave: VPN load. Morning peak created dozens of simultaneous direct TCP/9100 streams across the tunnel. VoIP quality dipped,
and the “VPN is slow” complaints started, even for users not printing. The network team responded by tightening idle timeouts
to keep the state table small. That’s where the third wave arrived.
Third wave: random mid-job failures. Long jobs stalled. Users retried. The tunnel carried even more duplicated traffic. The team started rebooting printers,
which temporarily “fixed” the symptom by clearing sockets. It became a ritual: if printing fails, sacrifice ten minutes to the printer gods.
They ultimately went back to a branch print server. A single spooler per site made retries sane and reduced WAN chatter.
The “optimization” was real—fewer servers—but it outsourced reliability to hundreds of endpoints and a VPN that didn’t sign up for the job.
Mini-story 3: The boring but correct practice that saved the day
A distributed firm had printers in five offices and an always-on IPsec mesh. They didn’t treat printing as special;
they treated it like any other production service. Printers had static DHCP reservations, DNS names, and a small internal standard:
IPP where possible, otherwise RAW 9100 behind a local print server. Nothing fancy.
Once a quarter, someone ran a maintenance checklist: confirm firmware versions, export printer configs, verify print server queues,
and run a controlled test print across each site. They also had simple monitoring: TCP port checks and a synthetic “submit job to queue”
test that didn’t actually waste paper (it targeted a virtual queue or held job).
One Monday, a branch office changed ISPs. The VPN came up, email worked, web apps worked. Printing failed for that branch.
Instead of flailing, they ran the same playbook: mtr showed intermittent loss and spikes; tcpdump showed retransmits; CUPS logs showed timeouts.
Not a printer issue.
They handed the ISP a clean packet-loss report and kept the branch printing locally while the ISP fixed the underlay.
Nobody touched drivers. Nobody rebooted printers in anger. The practice was boring, and it prevented chaos.
Joke #2: Printing over a VPN is like transporting a couch through a revolving door; it’s possible, but you’d better measure first.
Checklists / step-by-step plan
Step-by-step plan for stable cross-site printing
-
Pick your architecture.
Default: local print server per site. Only centralize if you can justify the dependency on the WAN. -
Standardize protocol and drivers.
Prefer IPP/IPPS and driverless or universal drivers where possible.
Avoid mixing “some queues are IPP, some are SMB, some are RAW” unless you enjoy debugging. -
Lock down addressing.
DHCP reservations for printers, stable DNS names, consistent DNS views across sites. -
Make routing explicit.
Ensure both sides route printer subnets symmetrically over the tunnel. Avoid surprise NAT. -
Fix MTU/MSS before rollout.
Validate with DF pings and a few large test jobs. If you don’t test this, users will. -
Set firewall rules intentionally.
Allow only needed ports between print servers and printers. Log drops for print subnets. -
Tune timeouts for WAN reality.
VPN links have more latency than LANs; don’t let spoolers give up too early. -
Stop relying on multicast discovery across sites.
Publish printers via managed queues. If you must use mDNS, deploy a reflector knowingly and monitor it. -
Build a minimal monitoring loop.
Port checks to printers, queue health checks on servers, and a periodic synthetic job submission. -
Document the “print path.”
For each site: client → server → printer, including protocol and ports. This is your incident map.
Operational checklist for change windows (VPN, firewall, ISP)
- Before: run MTU DF ping tests between print servers and remote printers; record the max working size.
- Before: capture current routes and firewall rules relevant to printer subnets.
- During: validate TCP connectivity on the actual printing ports (631/9100/515/445 as applicable).
- During: run a test job from each site to each critical printer queue; watch spooler logs in real time.
- After: confirm monitoring is green and queue backlog is normal.
- If problems: roll back network changes before “reinstalling drivers.” Drivers are rarely the first domino.
Security checklist that won’t ruin reliability
- Prefer IPPS where supported; avoid exposing printer admin UIs broadly across the VPN.
- Segment printers into dedicated VLANs and restrict who can talk to them (usually print servers only).
- Keep printer firmware updated on a schedule; printers ship with security bugs like anything else.
- Disable legacy protocols you don’t use (old SMB versions, telnet, FTP) to reduce attack surface.
- Log print server authentication and administrative actions; don’t pretend printers are “not real systems.”
FAQ
1) Should we print directly to remote printers over the VPN?
Only for limited exceptions. For normal office printing, use a local print server per site.
Direct-to-printer multiplies driver inconsistency and makes VPN jitter a user-facing outage.
2) Which protocol is best over a VPN: IPP, RAW 9100, LPD, or SMB?
Prefer IPP/IPPS when printers support it well. RAW 9100 is simple but brittle with idle timeouts and gives weak status.
SMB is fine inside a Windows-centric LAN, but across a VPN it’s more sensitive to latency and auth issues.
LPD is old and often works, but it’s not a modern security posture.
3) Why does printer discovery work in one office but not across the VPN?
Because discovery often relies on multicast (mDNS/Bonjour) and broadcast, which routed VPNs don’t carry by default.
Use DNS and managed queues instead of discovery for cross-site setups.
4) Jobs queue but never print. Is it the printer or the VPN?
Find where the job stops: client spooler, server queue, or printer.
If CUPS/print server logs show connection timeouts, suspect network path (loss/MTU/timeouts).
If the connection is stable but jobs error out, suspect driver/PDL mismatch or printer-side limits.
5) Why do large PDFs fail more than small documents?
MTU issues and packet loss show up as size-dependent failures.
Fix MTU/MSS and verify PMTUD isn’t blocked. Also check tunnel congestion and shaping.
6) Do we need QoS for printing?
If your tunnel has ample bandwidth, maybe not. If it’s constrained, yes.
Printing can saturate small links and cause “everything is slow.” Shape it so printing is steady but not dominant.
7) How do we avoid driver chaos across sites?
Standardize on universal or driverless printing where possible, and distribute queues via central management
(GPO/MDM). Avoid letting users “Add printer” ad hoc from discovery menus.
8) Is a single central print server a bad idea?
Not inherently. It’s a trade: simpler management, but bigger dependency on the WAN and one server.
If you centralize, use IPPS, tune timeouts, and make the server robust (disk space for spools, monitoring, patching).
9) We already have a site-to-site VPN. Why do we need to change anything?
Because “VPN up” doesn’t mean “VPN good for bulk TCP with long-lived flows.”
Printing is sensitive to MTU, loss, timeouts, and name resolution. Make those explicit and measured.
10) What’s the quickest reliable workaround during an outage?
Move spooling local: print to a local server in the same site as the printer, then let that server retry.
If you don’t have local servers, temporarily deploy one (even a small VM) and re-point the most critical queues.
Conclusion: next steps you can do this week
If you want stable printing between offices, stop treating printers like mystical appliances and start treating them
like endpoints in a routed network with a brittle application layer. Your best move is architectural: local spooling
near printers, consistent protocols, stable naming, and measured VPN behavior.
- Draw the print path for each office (client → server → printer) and write down protocol/port.
- Pick one standard (IPP/IPPS preferred) and migrate the weird queues first.
- Fix MTU/MSS and validate with DF pings and a couple of intentionally large print jobs.
- Replace discovery with DNS + managed queues. Discovery is for cafes, not corporate WANs.
- Add two monitors: port reachability and queue health. You want to know it’s broken before the CFO does.
Do those, and “random printing failures” turns into “a predictable ticket with a short fix,” which is about as close
to happiness as printing allows.