{"id":19855,"date":"2024-12-19T13:12:45","date_gmt":"2024-12-19T18:12:45","guid":{"rendered":"https:\/\/nuxx.net\/blog\/?p=19855"},"modified":"2025-03-08T09:12:30","modified_gmt":"2025-03-08T14:12:30","slug":"bambu-lab-p1s-on-iot-vlan","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2024\/12\/19\/bambu-lab-p1s-on-iot-vlan\/","title":{"rendered":"Bambu Lab P1S on IoT VLAN"},"content":{"rendered":"
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n

I recently picked up a Bambu Lab P1S 3D Printer<\/a> for around the house. After staying away from 3D printing for years, the combination of a friend’s experience with this printer (thanks, @make_with_jake<\/a>!), holiday sales, looking for a hobby, wanting some one-off tools, and a handful of projects where it’d be useful finally got me to buy one. Having done half a dozen prints, thus far I’m pretty satisfied with the output and think it’ll be a nice addition to the house.<\/p>\n\n\n\n

This printer, like many other modern devices, is an Internet of Things (IoT)<\/a> device; something smart which uses a network to communicate. Unfortunately, these can come with a bunch of security risks, and is best isolated to a less-trusted place on a home network. In my case, a separate network,or VLAN<\/a>, called IoT<\/code>.<\/p>\n\n\n\n

Beyond the typical good-practice of isolating IoT devices to a separate network, I’m also wary of cloud-connected devices because of the possibility of remote exploit or bugs. For example, back in 2023 Bambu Lab themselves had an issue which resulted in old print jobs being started on cloud-connected printers<\/a>. Since these printers get hot and move without detecting if they are in a completely safe and ready-to-go state, this was bad. I’d rather avoid the chance of this. And really, when am I going to want to submit a print job from my phone or anywhere other than my home network?<\/p>\n\n\n\n

Bambu Lab has a LAN Mode<\/a> available for their printers which ostensibly disconnects it from the cloud, but unfortunately it still expects everything to be on the same network.<\/p>\n\n\n\n

I was unable to find clear info on working around this in a simple fashion without extra utilities, but digging into and solving this kind of stuff is something I like to do. So this post documents how I put a Bambu Lab P1S<\/em> on a separate VLAN from the house’s main network, getting it to work otherwise normally.<\/p>\n\n\n\n

The network here uses OPNsense<\/a>, a pretty typical open source firewall, so all the configuration mentioned revolves around it. pfSense<\/a> is similar enough that everything likely applies there as well, and the basic technical info can also be used to make this work on numerous other firewalls.<\/p>\n\n\n\n

As of this writing (2024-Dec-19), this works with Bambu Studio<\/a> v1.10.1.50 and firmware v01.07.00.00 on the P1S printer. This also works with OrcaSlicer<\/a> v2.2.0<\/a> and whatever version of the Bambu Network Plug-in<\/em> it installs. I suspect this works for other Bambu Lab<\/em> printers, as the P1S<\/em> has all the same features as the higher end ones (eg: camera) but I can’t test to say for sure. Also, everything here covers the P1S<\/em> running in LAN Mode<\/em>. It’s possible that things would work differently with cloud connectivity, but I did not explore this. So, insert the standard disclaimer here about past performance and future results…<\/p>\n\n\n\n

Why can’t I just point the software at the printer?<\/h2>\n\n\n\n

To start, the release notes for Bambu Studio v1.10.0<\/a> have a section that says a printer can be added with just it’s IP, allowing it to cross networks:<\/p>\n\n\n\n

\n

Subnet binding support: Users can now bind printers across different subnets by directly entering the printer’s IP address and Access Code<\/em><\/p>\n<\/blockquote>\n\n\n\n

This sounds like it’d solve the problem, and is a typical way for printers to work, but no… it just doesn’t work.<\/p>\n\n\n\n

Despite having the required Studio<\/em> and printer firmware versions I just couldn’t make it work. When trying this feature I’d see Bambu Studio<\/em> trying to connect to the printer on 3002\/tcp<\/code>, but the printer would only respond with a RST<\/code> as if that port wasn’t listening. Something’s broken with this feature, probably in the printer firmware. Maybe this’ll work in the future, but for now we needed another way…<\/p>\n\n\n\n

Atypical SSDP?<\/h2>\n\n\n\n

On a single network the printer sends out Simple Service Discovery Protocol (SSDP)<\/a>-ish messages detailing its specs, Studio<\/em> receives these and lists the printer. But, SSDP is based on UDP broadcasts, so these don’t cross over to the other VLAN (subnet).<\/p>\n\n\n\n

The SSDP part of a packet looks similar to:<\/p>\n\n\n\n

NOTIFY * HTTP\/1.1\\r\\n\nHOST: 239.255.255.250:1900\\r\\n\nServer: UPnP\/1.0\\r\\n\nLocation: 192.168.1.105\\r\\n\nNT: urn:bambulab-com:device:3dprinter:1\\r\\n\nUSN: xxxxxxxxxxxxxxx\\r\\n\nCache-Control: max-age=1800\\r\\n\nDevModel.bambu.com: C12\\r\\n\nDevName.bambu.com: Bambu Lab P1S\\r\\n\nDevSignal.bambu.com: -30\\r\\n\nDevConnect.bambu.com: lan\\r\\n\nDevBind.bambu.com: free\\r\\n\nDevseclink.bambu.com: secure\\r\\n\nDevVersion.bambu.com: 01.07.00.00\\r\\n\nDevCap.bambu.com: 1\\r\\n\n\\r\\n<\/code><\/pre>\n\n\n\n
When Bambu Studio<\/em> receives this packet it gets the address (Location:<\/code>) of the printer from the Location section, connects, and all works. But in a multi-VLAN environment we have different networks and different broadcast domains and a firewall in between, so we need two things to work around this: getting the SSDP broadcasts shared across networks, and firewall rules to allow the requisite communication.<\/p>\n\n\n\n
These also don’t seem to be normal SSDP packets, as they are sent to destination port 1910\/udp<\/code> or 2021\/udp<\/code>. It’s all just kinda weird… And this thread on the Bambu Lab Community Forum<\/a> makes it seem even stranger and like it might vary between printer models?<\/p>\n\n\n\n
Regardless, here’s how I made this work with the P1S<\/em>.<\/p>\n\n\n\n
Static IP<\/h2>\n\n\n\n
The P1S<\/em> (and I presume other Bambu Lab<\/em> printers) have very little on-device network configuration, receiving network addressing from DHCP. I suggest that you set a DHCP reservation for your printer so that it always receives the same (static) IP address. This will make firewall rules much easier to manage.<\/p>\n\n\n\n
SSDP Broadcast Relay<\/h2>\n\n\n\n
To get the SSDP broadcasts passed between VLANs a bridge or relay is needed, and marjohn56\/udpbroadcastrelay<\/a> works great. This is available as a plugin in OPNsense<\/em> under System<\/em> \u2192 Firmware<\/em> \u2192 Plugins<\/em> \u2192 os-udpbroadcastrelay<\/em>, is also available in pfSense<\/em>, or could be run standalone if you use something else.<\/p>\n\n\n\n
After installing, on OPNsense<\/em> go to Services<\/em> \u2192 UDP Broadcast Relay<\/em> and create a new entry with the following settings:<\/p>\n\n\n\n