In light of recent developments with Bambu’s Authorization system, I thought I’d share what has worked for me to keep my printer secure in my network, and control any updates to either the printer’s firmware or to Bambu Studio.
First, I have my printer set in LAN mode and connected on a separate VLAN which has all outbound Internet traffic blocked. This is set up on my router/firewall PC running pfSense. My desktop PC running Bambu Studio is on my normal usage VLAN which does have Internet access. In order to discover the printer in the separate VLAN, I use a package in pfSense called “UDP Broadcast Relay”, and set it up to rebroadcast between the two VLANs anything on port 2021, which is what the printer uses to advertise itself on the network. Keep the spoof source set as ‘Original’ address. As long as my desktop PC’s VLAN has access inbound into the printer’s locked-down VLAN, Bambu Studio will be able to connect to the printer once it sees the advertisements. If you don’t run pfSense or something similar, and your printer is on your same network, check your router to see if it has a built-in firewall. You might be able to set a static IP for your printer, and then block that IP’s outbound traffic.
EDITED TO ADD: Depending on how locked down you have your printer’s VLAN, you’ll likely need to create an outbound rule in the printer’s VLAN allowing UDP traffic from your printer’s IP as the source, to the destination IP and port of 255.255.255.255:2021, so that the UDP Broadcast Relay package will see the broadcast advertisement.
Secondly, to lock down Bambu Studio, I’ve created two rules in Windows Firewall. The first one is inbound, which is set to allow only traffic to the bambustudio.exe program from my local networks. The other one is an outbound rule to block all traffic from the program, except for my two local networks (the two VLANs). If you have any existing inbound rules for Bambu Studio, which you likely do from when Windows first asked you if you wanted to allow the program to connect to the Internet, disable them. This will still allow connection to the printer, but block any accidental or sneaky updates that you weren’t aware of, or accidentally clicked to update when you didn’t mean to. This also blocks any access to MakerWorld community models from within the program, but you can still go there in your browser. In fact, if you can still see the models online on the home page of the program, you didn’t get your firewall rules set up right. These rules will also block your browser’s ability to open files from MakerWorld directly into Bambu Studio if that’s what you’re used to, but you can download the 3mf file and then open it as an extra step.
If I ever decide I do want to apply an update, I can temporarily disable the firewall rules. However, in the past I really only updated to get the profiles for new Bambu filaments in both the studio and the AMS. This is moot now, as I don’t plan on ever buying Bambu materials again unless they reverse course.
Hope this helps someone.
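The two Windows Firewall rules the post describes, created from an elevated PowerShell prompt with the NetSecurity module instead of the GUI. This is an added example, not the poster’s own configuration: the program path and the two VLAN subnets are assumptions, and because Windows Firewall has no “except” operator (and block rules win over allow rules), the outbound block lists every remote range that is not one of the two VLANs explicitly. Replace the subnets with your own and re-derive the ranges.

```powershell
# Added example: Windows Firewall rules for Bambu Studio, LAN-only.
# Run as Administrator. All paths and subnets below are ASSUMED placeholders.

$Studio  = 'C:\Program Files\Bambu Studio\bambustudio.exe'   # ASSUMED install path
$LanNets = @('192.168.10.0/24', '192.168.20.0/24')            # ASSUMED: desktop VLAN, printer VLAN

# Everything that is NOT one of the two VLANs above. Windows Firewall cannot
# express "block all except", so the block rule carries the complement ranges.
$NotLan  = @('0.0.0.0-192.168.9.255',
             '192.168.11.0-192.168.19.255',
             '192.168.21.0-255.255.255.255')

# Step 0: disable whatever rules Windows auto-created for the program when it
# first asked to go online, so only the two rules below apply to it.
Get-NetFirewallApplicationFilter -Program $Studio -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    Disable-NetFirewallRule

# Rule 1: inbound, allow only from the two local networks.
New-NetFirewallRule -DisplayName 'Bambu Studio - LAN only (in)' `
    -Direction Inbound -Action Allow -Program $Studio `
    -RemoteAddress $LanNets -Profile Any -Enabled True | Out-Null

# Rule 2: outbound, block everything that is not one of the two local networks.
# Traffic to the VLANs themselves matches no block rule and is allowed by the
# default outbound policy.
New-NetFirewallRule -DisplayName 'Bambu Studio - LAN only (out)' `
    -Direction Outbound -Action Block -Program $Studio `
    -RemoteAddress $NotLan -Profile Any -Enabled True | Out-Null

# Check: show the scope of the two rules so you can confirm the ranges are
# what you intended before trusting them.
Get-NetFirewallRule -DisplayName 'Bambu Studio - LAN only*' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Direction     = $_.Direction
            Action        = $_.Action
            RemoteAddress = ($addr.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

The same test the post gives applies afterwards: if the program’s home page still loads MakerWorld models, the outbound block is not matching, so re-check the program path against the one in the auto-created rules (it may be stored with an environment variable prefix) and the complement ranges against your subnets.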
> This is moot now, as I don’t plan on ever buying Bambu materials again unless they reverse course.
These things don’t end if and when they reverse course. They just wait another 5 years as they gain more market share and then try again. You should cut them off forever.
Thing is, if you remain so inflexible then the company will simply not care. You’re never going to give them money again so they aren’t even gonna try to make better decisions. Good choices and options should be rewarded, to an extent.
The company isn’t going to care regardless.
Some do, some don’t. It does make the choice easier if they don’t though!
Also, if you agree that this change by Bambu is ridiculous, make sure to let them know how you feel at contact@bambulab.com
It’s better to set up ACLs instead of VLANs. VLANs can accomplish the goal, but that’s not what they are meant for, whereas that is exactly what ACLs are meant for. I do this with all of my IoT devices. Not a single IoT device has access to WAN, yet I can still remotely access and control them all with a WireGuard tunnel that my phone auto-connects to as soon as I lose access to my WiFi.
It’s crazy when you have to protect a device that you purchased from the manufacturer so you can use it the way you want. I’m in a similar situation with my Firesticks where I block them from updates. I have removed the shitty ad-infested default dashboard/launcher and put my own clean launcher on it. But Amazon began resetting it with updates and started blocking the ability to change it. The solution was to block the update servers’ domains to those devices on my network. I lose Prime Video and some other Amazon-specific stuff, but it’s worth it. I don’t have a dogshit dashboard… I have a clean dashboard with only the apps I want: Kodi clients for my NAS, Jellyfin client for my NAS, S0undTV, TiviMate, SmartTube… that’s all I need, and all I want to see.
ACLs can accomplish it if that’s your only goal, but there are other benefits of VLANs for security and privacy. For example, an ACL works at layer 3, so it won’t block other nosy devices on your network from seeing everything else via layer 2 and then reporting back what it finds. VLANs also make it easy to use different security policies for each network if you do any sort of IDS/IPS, as I do.
Dang, thanks for this. I have VLANs and use OPNsense, but I couldn’t figure out how to connect to the printer from Bambu Studio. I’ve installed the udpbroadcastrelay plugin on OPNsense but it still doesn’t seem to connect. Do you mind posting a screenshot of your pfSense config?
Thanks for posting this!
I’ve edited the post to add a note about an outbound rule possibly needed in the printer VLAN. If the printer VLAN is locked down, it could be blocking the advertisement before the UDP Relay gets a chance to see it. This should fix that. See if it works for you.
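A quick way to tell which side is dropping the advertisement, as an added example rather than anything from the thread: a throwaway listener on the Bambu Studio PC that binds UDP port 2021 (the port the post names) and prints whatever arrives and from which source address. If nothing shows up within the timeout, the broadcast is being blocked in the printer VLAN or the relay is not rebroadcasting into this VLAN; if packets arrive but the source is the firewall’s address instead of the printer’s, the relay’s spoof-source setting is not ‘Original’. The “Header: value” parsing assumes an SSDP-style text body and is an assumption, so unparsed packets are printed raw.

```powershell
# Added example: UDP/2021 advertisement listener for troubleshooting relay setups.
# Run on the desktop PC. Close Bambu Studio first if the bind fails because the
# program already holds the port. Port 2021 comes from the post above; the
# header parsing is an ASSUMPTION about the advertisement layout.

param([int]$TimeoutSeconds = 30)

$port = 2021
$udp  = New-Object System.Net.Sockets.UdpClient
$udp.Client.SetSocketOption([System.Net.Sockets.SocketOptionLevel]::Socket,
                            [System.Net.Sockets.SocketOptionName]::ReuseAddress, $true)
$udp.Client.Bind([System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, $port))
$udp.Client.ReceiveTimeout = 2000     # per-receive wait; overall wait is $TimeoutSeconds
$udp.EnableBroadcast = $true

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$seen     = @{}
Write-Host "Listening on UDP/$port for $TimeoutSeconds seconds ..."

while ((Get-Date) -lt $deadline) {
    $from = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    try {
        $bytes = $udp.Receive([ref]$from)
    } catch [System.Net.Sockets.SocketException] {
        continue                       # receive timeout: keep waiting until the deadline
    }

    $src = $from.Address.ToString()
    if ($seen.ContainsKey($src)) { continue }   # report each source once
    $seen[$src] = $true

    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    Write-Host "Advertisement from $src ($($bytes.Length) bytes)"

    # Best-effort parse of "Header: value" lines (layout assumed, not documented here).
    $fields = [ordered]@{}
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^([^:]+):\s*(.*)$') { $fields[$matches[1].Trim()] = $matches[2].Trim() }
    }
    if ($fields.Count -gt 0) {
        $fields.GetEnumerator() | ForEach-Object { Write-Host ("  {0,-24} {1}" -f $_.Key, $_.Value) }
    } else {
        Write-Host $text               # unknown layout: show the raw payload
    }
}
$udp.Close()

if ($seen.Count -eq 0) {
    Write-Host "No advertisements received. Check the printer-VLAN outbound rule to 255.255.255.255:2021 and that the relay is configured to forward port 2021 into this VLAN."
}
```

Compare the printed source address with the printer’s static IP: the relay must preserve it for Bambu Studio to open a connection back to the printer, and a mismatch here pinpoints the relay rather than the firewall rules.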
Is there a good article link or other explanation of this that could be shown to people considering buying one of these devices?
Yeah, sorry, I wish I had time to really expand this out into a nice guide, but unfortunately I don’t right now. There aren’t any comprehensive guides that I’ve found, but it’s still worth a look. Everybody’s network is a little different in terms of setup and equipment. Hopefully with the basic ideas I’ve shared it can point someone in the right direction to figure out a working solution in their environment.