Running USB Transparently over IP

SamirD

This is definitely one of those odd-ball scenarios where there just may not be a way to do it, but I thought I'd put it out there and see what the ideas are.

So I have a printer that is connected to a very expensive point of sale system that runs Windows Embedded, but that can't be touched because proprietary/PCI compliance/you name it. This laser printer chews through at least 30 pages each night printing reports. About every 10 days it needs the tray refilled. The problem is, I can't get there every 10 days.

The printouts will spool to a certain extent and there's a printer buffer to a certain extent, but it's not bulletproof. And then I waste hours having to go through reports and reprint stuff, which again isn't technically the original since it says 'reprint' on it.

It would be really nice if I could just relocate this usb connected printer to wherever I am via some sort of transparent set of 'usb over tcp/ip' boxes. Something that I can plug into the computer on one end and the printer on the other and can have any sort of IP network in between.

Blackbox and Startech both seem to make such devices, but their limitation is that they only work within a single subnet/switch. It seems they use igmp snooping or igmp broadcast to communicate between the boxes. I would think that if you can enable igmp between networks, maybe these devices will be able to work, but am not certain enough to try it at this point since these boxes aren't cheap to begin with and testing this setup will take probably a month because the printer will more than likely be 2000+ miles away from the POS unit.

I can't touch the printer. I can't touch the computer. I can do anything I want to the network. Any ideas?
 
Can't the machine print to PDF and you have the PDF printed on a higher capacity printer?
 
Can't the machine print to PDF and you have the PDF printed on a higher capacity printer?
That part: And then I waste hours having to go through reports and reprint stuff, which again isn't technically the original since it says 'reprint' on it.

Makes it sound like direct-from-printer-to-paper is really important and controlled.
 
Can't the machine print to PDF and you have the PDF printed on a higher capacity printer?
Nope. Can't adjust anything or install any type of drivers (closed and locked down system). Ironically, I end up scanning all the documents to pdf.

I am working with a company called Red Titan on a solution that will capture the pcl directly, but the pandemic slowed down our whole process. So I'm looking for other means in the meantime.
 
That part: And then I waste hours having to go through reports and reprint stuff, which again isn't technically the original since it says 'reprint' on it.

Makes it sound like direct-from-printer-to-paper is really important and controlled.
It's actually not that important except that these reports when they're printed originally are the 'original'. Kind of like how your printed bank statement you get in the mail is still more official than anything you download since it can be altered. It's just being particular, but this stuff is important in financial processes when stuff goes wrong.
 
The fact that you can't touch either device puts handcuffs on what you can do. There are lots of ways to do ethernet print hubs that are IP based, but that requires you to switch the computer from using a USB port to a standard TCP/IP port.

If you could put software on the pc then you could use something like this Digi USBAnywhere to relocate the device.

https://www.digi.com/products/models/aw02-g300

Realistically, as soon as you dump that USB traffic onto the network, someone could probably scrutinize that traffic. (I can't imagine you'd be passing PCI compliance if you send that unencrypted data over the internet.) That said, you certainly should be able to configure a VPN to just extend a layer 2 network by bridging it, so it's definitely possible to keep the traffic isolated to a single subnet and use one of the Blackbox devices. Whether or not you should is a question your organization will have to answer.
 
Yeah I know. :( Not my circus so not my monkeys, lol. There's a lot of relocation products out there that use the host pc, but unfortunately I can't install software so I need one that is hardware and completely transparent. Using another device like a pi or pc in between is perfectly acceptable, but I can't touch the machine that the usb device attaches to.

I have an ipsec tunnel already running to where I want the traffic to go to, so that part is locked down already. (y) Just got to figure out how to get usb to traverse over IP like this.

Startech makes some models that are designed for transmitting HDMI over IP that also run USB along with it, but like most of the other transparent devices I've seen, like the ones from Blackbox, it is using broadcast traffic and will not traverse outside a single subnet:
https://www.startech.com/en-us/audio-video-products/st12mhdlanu
 
It's actually not that important except that these reports when they're printed originally are the 'original'. Kind of like how your printed bank statement you get in the mail is still more official than anything you download since it can be altered. It's just being particular, but this stuff is important in financial processes when stuff goes wrong.

First let me say I get it. Now that said, it seems to me that what you are trying to do, regardless of how transparently you do it, would be considered interfering with the data. You say the network is yours to control, but the USB connection between the PC and the printer is not the network, and you are proposing to put something in that link that will alter the data. I'm fairly confident a lawyer would have a field day with this in court should it ever come into play. Has a lawyer even been consulted? I can also tell you that if this is a PCI situation, as you implied, you will absolutely need to document the change and show that this device is in place.
 
First let me say I get it. Now that said, it seems to me that what you are trying to do, regardless of how transparently you do it, would be considered interfering with the data. You say the network is yours to control, but the USB connection between the PC and the printer is not the network, and you are proposing to put something in that link that will alter the data. I'm fairly confident a lawyer would have a field day with this in court should it ever come into play. Has a lawyer even been consulted? I can also tell you that if this is a PCI situation, as you implied, you will absolutely need to document the change and show that this device is in place.
So the type of things that others do with their systems blatantly and clearly violate pci compliance (connecting unauthorized devices like phones, installing unauthorized applications) and there's not one F given by anyone anywhere. I'm sure the biggest question of my successful setup would be, "Why do you even print all those records? I never print any of them and throw everything away. Seems like a bunch of work for nothing." :meh: Of course they don't want a paper trail--you can't have one when you're skimming cash from your business. :whistle:
 
So the type of things that others do with their systems blatantly and clearly violate pci compliance (connecting unauthorized devices like phones, installing unauthorized applications) and there's not one F given by anyone anywhere.
As in all things, it's all fun and games until you get caught. That said, it seems to me that you're trying to solve a process with a technical solution. The easiest solution is to have someone that is present fill the tray every Wednesday. Any idiot can fill a paper tray. As for the computer being PCI compliant, so what? I deal with PCI crap all the time and most of it just requires that everything is documented and the documents are maintained. It's the deviations that cause the problem with the audits. Make the changes you need to run your business, document them forward and backwards, and give that to your auditor.
 
Does it need to physically print? I haven't done anything with PCI compliance things, but I had an old customer that printed reports for public water wells each night and we set up a PDF printer that the PC would print to.
 
The printer can't even be replaced? Without knowing the exact details on the situation (but having fairly extensive experience with PCI Compliance) I'm surprised by a situation that would prevent replacing the printer if it was a similar USB printer. If you could replace the printer (with another USB printer) you could get a high capacity tray printer and only have to add paper every couple months @ 30 pages a day usage. Would it be possible to retrofit a larger paper tray on the existing printer?
 
As in all things, it's all fun and games until you get caught. That said, it seems to me that you're trying to solve a process with a technical solution. The easiest solution is to have someone that is present fill the tray every Wednesday. Any idiot can fill a paper tray. As for the computer being PCI compliant, so what? I deal with PCI crap all the time and most of it just requires that everything is documented and the documents are maintained. It's the deviations that cause the problem with the audits. Make the changes you need to run your business, document them forward and backwards, and give that to your auditor.
I don't think I've ever heard of anyone auditing this industry for PCI compliance--which honestly to me is absurd, but not my call. The solution I'm looking for wouldn't really affect PCI compliance in any way since it is simply the output of a print process being put onto a private LAN and pushed out somewhere else.

Yeah, idiots are cheap--but the mistakes they make are expensive. I've dealt with enough idiots to know that it is worth spending more money on a technical solution than solving it with a person that is cheaper in the short run and more expensive in the long run.
 
Does it need to physically print? I haven't done anything with PCI compliance things, but I had an old customer that printed reports for public water wells each night and we set up a PDF printer that the PC would print to.
I can't install anything on the source system. So I'm trying to figure out a way to transparently tunnel the usb connection to where I am so I can feed the printer all the paper it wants. :)
 
The printer can't even be replaced? Without knowing the exact details on the situation (but having fairly extensive experience with PCI Compliance) I'm surprised by a situation that would prevent replacing the printer if it was a similar USB printer. If you could replace the printer (with another USB printer) you could get a high capacity tray printer and only have to add paper every couple months @ 30 pages a day usage. Would it be possible to retrofit a larger paper tray on the existing printer?
I looked into an expansion paper tray that most units can accommodate, but because this printer is at the bottom of the lineup, it doesn't have one available. :(

The printer can't be replaced since a replacement would probably use a different driver/show up as a different printer, which won't work since I can't change anything on the computer. Otherwise there would be a lot more options that way.

The real permanent answer is the box from RedTitan:
https://pclviewer.com/resources/capture/print2usb.html

I'm actually working with the US division of the company to come up with a solution, but covid put our development to a halt for now. Hence I'm trying to figure out other temporary solutions.
 
I don't think you are going to find anything that works well. The reason that the things like Startech only work over a single switch is because USB wasn't designed with the idea of high latency and retransmission in mind, which of course you could face over an IP network. So even if you did get something working, it would probably fail all the time and have issues.

If you want to try it, really the only option I see is to get one of those boxes and see how it works with a layer-2 tunnel. PFSense can handle that for you, if you don't already have networking stuff that can, and will truly do a layer-2 tunnel over IP and make it look as though you are on a switched network. I imagine that would work, but I could see it ending up having tons of issues. Only way to know would be to buy the stuff and see.
 
Yeah, the latency would be a big problem with two way communications, but I'm thinking for printing it may not be so bad since it's just an acknowledgement from the printer on the job status, etc.

I really don't want to try a band-aid solution at all, but having to babysit this site is just one on the endless list of things that keeps me on site working and away from my wife. And that wouldn't be an issue if the site wasn't 2000mi away from home. I haven't seen her in over 2 months now, and that's hard on us.

The RedTitan solution solves everything as the PCL can be captured raw and just saved. It can even be converted to PDF simultaneously and saved right along with it--no more printing needed at all. But since RedTitan has to do some on-site work before we can test a solution (need to figure out the identity of the printer and program the RedTitan box to emulate it 100%, but that requires coordination with the UK development team), it's going to be a few months at the least. I want this problem off my back so I can deal with the other hundred or so that I've got. I was hoping there was a solution out there that someone has tried successfully. Besides the latency factor, encapsulating USB and running it over IP can't be that hard from a technical standpoint as it is already being done with HDMI.
 
Like I said, a Layer-2 tunnel. You put a PFSense (or other) firewall on both ends doing layer-2 tunneling and you can have the same subnet on both ends.
Ah yes, been a while since I checked the thread and forgot you mentioned this.

I actually have the equipment to try this, and what's even more interesting is that the L2TP tunnel would actually be inside the IPsec tunnel. But honestly, I just need to get the RedTitan solution to work and then be done with this once and for all, as the USB extension still has me dealing with paper, printing, and scanning.
 
Ah yes, been a while since I checked the thread and forgot you mentioned this.

I actually have the equipment to try this, and what's even more interesting is that the L2TP tunnel would actually be inside the IPsec tunnel. But honestly, I just need to get the RedTitan solution to work and then be done with this once and for all, as the USB extension still has me dealing with paper, printing, and scanning.
Yep, you can run it over IPsec and usually do because L2TP isn't encrypted. Actually, if you use PFSense, doing OpenVPN layer 2 is probably easier than IPsec. Either way you tunnel layer 2 and it is a switch that passes through a VPN. Everything, including ARPs, passes right through. Only issue you may have is the latency; I would presume the reason they won't allow it to span subnets is to try and make sure people don't use it over a high latency link.
 
Yep, you can run it over IPsec and usually do because L2TP isn't encrypted. Actually, if you use PFSense, doing OpenVPN layer 2 is probably easier than IPsec. Either way you tunnel layer 2 and it is a switch that passes through a VPN. Everything, including ARPs, passes right through. Only issue you may have is the latency; I would presume the reason they won't allow it to span subnets is to try and make sure people don't use it over a high latency link.
Interesting, I haven't played with L2TP enough yet but always thought it supported encryption as well. Won't be using pfSense as I've got hardware that supports an L2TP server as well as an L2TP client. And I have the client on this end and the server on the remote end, so everything is actually in place. Just A LOT of configuration for what essentially will be a temporary 1-2 month bandaid until I get the RedTitan solution fully working, so I guess I can endure it all for now, considering the cost of the USB boxes.
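The two open questions in the thread are whether broadcast discovery traffic from the extender boxes will actually cross the layer-2 tunnel and how much latency the link adds. The script below is an added example (not from the thread or any vendor) for checking both before buying hardware: run it in `listen` mode on a host at the far end of the tunnel and in `probe` mode at the near end; it sends UDP broadcasts, waits for the echo, and reports loss and worst-case round-trip time. The port number and the `L2CHK` tag are assumptions.

```python
"""Pre-flight check for a layer-2 tunnel: does a UDP broadcast sent on one end
get answered from the other end, and what is the round-trip time?
Usage:  python l2check.py listen      (far end, on the bridged interface)
        python l2check.py probe       (near end, broadcasts and measures RTT)"""
import socket, struct, sys, time

PORT = 47777            # assumed: any unused UDP port, same on both ends
MAGIC = b"L2CHK"        # assumed tag so unrelated datagrams are ignored

def build_probe(seq: int, sent_at: float) -> bytes:
    # MAGIC + big-endian uint32 sequence + float64 send timestamp (12 bytes)
    return MAGIC + struct.pack("!Id", seq, sent_at)

def parse_probe(data: bytes):
    """Return (seq, sent_at) for a valid probe, or None for anything else."""
    if len(data) != len(MAGIC) + 12 or not data.startswith(MAGIC):
        return None
    return struct.unpack("!Id", data[len(MAGIC):])

def listen(port: int = PORT) -> None:
    """Far end: echo every valid probe straight back to its sender (unicast)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", port))
    while True:
        data, peer = s.recvfrom(64)
        if parse_probe(data) is not None:
            s.sendto(data, peer)

def probe(dest="255.255.255.255", count=5, port=PORT, timeout=2.0):
    """Near end: broadcast probes; return RTTs in ms, None for a lost probe."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.settimeout(timeout)
    rtts = []
    for seq in range(count):
        s.sendto(build_probe(seq, time.time()), (dest, port))
        try:
            parsed = parse_probe(s.recvfrom(64)[0])
            ok = parsed is not None and parsed[0] == seq
            rtts.append((time.time() - parsed[1]) * 1000 if ok else None)
        except socket.timeout:
            rtts.append(None)   # broadcast never crossed the tunnel, or reply lost
    return rtts

def summarize(rtts):
    """Loss count and worst RTT: the numbers that decide if the link is usable."""
    ok = [r for r in rtts if r is not None]
    return {"lost": len(rtts) - len(ok), "max_ms": max(ok) if ok else None}

if __name__ == "__main__":
    listen() if sys.argv[1:2] == ["listen"] else print(summarize(probe()))
```

On a multi-homed near-end host, pass the bridged subnet's directed broadcast address (for example `probe("192.168.10.255")`) so the datagram leaves on the tunnelled segment rather than the default interface; any lost probes mean the extenders' discovery traffic will not cross the tunnel either.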
 