Troubleshooting how to Restrict Printer Access per Subnet

KB Home   |   Troubleshooting how to Restrict Printer Access per Subnet

This was originally written by Aaron Pouliot on the PaperCut Support team, but you should know all of these steps have been incorporated into the Mobility Print Help Center. Eventually, this page may be retired or redirected to the new article in the Help Center.

“Help! We’re using Mobility Print and we want to restrict printer access per subnet but we’re running into trouble! What should we check?”

Troubleshooting Restricting Printer Access with Mobility Print

With PaperCut Mobility Print it’s possible to configure which printers users can see depending on what subnet they are connecting from. The steps to implement this are documented in this article, Restrict Printer Access per Subnet. However, what should you check if things aren’t going as expected?

Editing the printer.conf.toml file doesn’t seem to do anything

  • Did you remember to restart the Mobility Print service? Changes should be visible immediately when you look in the Mobility Web Interface, subnets will be listed below each printer.

“There was an error reading the printer config file” after editing printer.conf.toml

  • Does the printer.conf.toml revert back to the template every time you restart the Mobility Print server? Double check that rules follow the correct formatting and syntax (including spaces!). If there is any error in formatting or syntax, then this file will be reverted back to the template.

My users can’t discover the printers

  • Before you begin, make sure that all of the printers are visible from that particular subnet before creating subnet filtering rules. If the printers are missing, then run through the steps here to get things working first.
  • For subnet filtering to work for all devices, you need the right type of DNS records. The DNS Setup guide in the web interface of the Mobility Print server will ask you for a list of subnets if you intend to restrict printer access per subnet. Make sure that you have entered your subnets here and then ran the DNSCMDs generated by the Mobility Print server. This will create the Reverse Lookup Zones and Conditional Forwarder needed for MacOS and iOS clients to work with Subnet Filtering. Check the knowledge base article with DNS Record Examples to see how this should look.
  • Do the subnets precisely match the subnets used by the clients on the network? If creating subnet filtering rules for two subnets like and, then cannot be used as a shortcut.
  • Remember, only users in subnets listed in the printer.conf.toml file will see printers.

Other Considerations

  • If you are having trouble, try adding only one rule at a time to test. After restarting the Mobility Print service, changes should be immediately visible in the web interface of the Mobility Print server.
  • If you wish to use Subnet Filtering with BIND DNS servers, then there is a different method for setting up the DNS records that requires setting up Reverse Lookup Zones. Let us know if this sounds like your situation and we can send you special instructions.

Still stuck?

Let us know! Leave a comment below or submit a support request. Send us a copy of your printer.conf.toml file along with a description of what you are trying to achieve and we’ll see what we can do to help.

For more information about Mobility Print, check out the Mobility Print Help Center.

Keywords: Mobility Print, Restrict Printer Access per Subnet, Subnet Filtering, Subnet Restriction, DNS, Secret Squirrel


Share your findings and experience with other PaperCut users. Feel free to add comments and suggestions about this Knowledge Base article. Please don't use this for support requests.

Article last modified on May 02, 2019, at 04:00 PM
Printable View   |   Article History   |   Edit Article