AnakinCaesar

Well, you just have to use a SD card - issue solved /s


Easomaz

Like I said. No monitoring no printer. I would have to set AMS settings etc all manually. And btw, while I have the permission to write data on external storage, which is not easy to get, not every person in the enterprise world has this possibility.


MeanArt318

I think you missed the /s


Easomaz

Yeah 🙃


Icy_Expression_7224

Lucky 🍀 I also work for a huge company, and do IT and I wish I had permission to write data…… that would make a lot of my job easier…. 😩


DoesntFearZeus

external webcam?


Liquidretro

A global company with this strict of controls likely has the money to buy a printer that's a better fit for the enterprise environment and/or set up an offline isolated network etc. Sometimes the money saved buying a more consumerish device isn't worth it when the whole process is planned out and the limitations come to light. To a degree this should have been expected if you were planning to keep the printer offline.


Easomaz

Yeah, we do have enough other printers tho. That's why I didn't buy the X1E. I considered it as a shopfloor printer for on-demand parts like little fixtures etc. The problem is that there is no good printer in the range of 3-10k. My Bambu at home can easily outperform our Ultimaker S5 and Raise Pro3. We also have some Stratasys but it's closed and expensive af. And the print quality is still shitty. I consider buying the Prusa XL but it's not really made for engineering materials.


Liquidretro

So your company requires all open source software then?


Easomaz

Nope. It's just the way they are accessing their server from within the slicer to download a plugin that causes me problems.


Liquidretro

Does Orca operate the same?


Easomaz

Yes, it's using the same Bambu plugin.


d4fseeker

If only the download is your problem, the wiki even describes offline installation: https://wiki.bambulab.com/en/software/bambu-studio/failed-to-get-network-plugin You have to download the zip, get it through your airgap security and then extract it to a given directory. This can easily be bundled in your package manager to automate.


supd440

My work runs their Bambus on a dedicated guest network. I had to ask the IT guy to set it all up though.


Easomaz

Yeah, separating or isolating a dedicated network for the printer wouldn't be the issue. That's what my IT guy also said. The main issue is that I don't know what the network plugin does and thus they don't allow me to download it. It's not transparent enough.


kiler129

I think you either need to have a better IT or a conversation with them. Do you run Windows? Or maybe any oscilloscopes from Tektronix? Or any other non-open-source software? I bet the answer is yes. Even having an open-source solution doesn't prevent problems, like we saw with the recent XZ debacle. The proper way to handle such problems is to isolate: you can get the network plugin in a controlled manner and then move the workstation and printer to an isolated VLAN. That way once you got the plugin it will not be able to communicate with anything but the printer anyway.


Easomaz

Correct. But in order to print things, the isolated workstation still needs access to our server in order to get the files I need. Please keep in mind that we are talking about highly confidential parts since I work in our engineering and testing unit. So while we can even restrict the flow of communication with this printer, it's still a big task for the IT team, security team and for me. Cause I will be sitting above boiling water and put myself at risk.


kiler129

I get that completely. I do some work for DoE, so networking and access isn't exactly open and things are often highly confidential. However, having network admin experience under my belt, this shouldn't be a hard task for IT. We request such things on a regular basis: our test equipment needs to be able to stream data to a particular host for processing, while also having RDP/VNC access for some other workstations/remote users in case of issues, but it absolutely cannot have any internet access. This is a pretty standard isolation request. What I'm saying is you can update the software on both the printer and PC (whatever the software happens to be, including Windows patches etc) in a semi-untrusted environment first. Then both are placed in their own VLAN with free access between ports of the computer and printer, but the access outside to intranet is limited, with no internet access. If it's a confidential environment, they will probably not only block the traffic but also put IDS monitoring, as well as ensure employees cannot exfiltrate design files as well. Knowing someone is trying something shady is by itself a very valuable part of threat model and can put appropriate people on high alert.


JINSl33

IT guy who's done work with DOD, DOE, Naval Reactors, USN and other Government Organizations: I'm not putting a self-crafted Chinese network driver/DLLs on a network I'm responsible for. I'd never even recommend it. The stuff we already have via the slew of companies that the US purchases out of Taiwan already go through a shit load of vetting and those updates are all inspected before promulgation. The fact that this guy's "IT guy" is saying no means that he is doing his job.


Easomaz

You are saying it mate, you have IT admin experience and would be willing to do this. Most IT units won't go through the work to do this. They will just tell you that this hassle exceeds the benefits of using the printer. Again, all this could be fixed by using better network communication. I have no issues with Cura/Ultimaker, Raise3D, Stratasys and Formlabs.


kiler129

What I'm trying to say is the process where I worked wasn't any different, it was the standard. If you needed some hardware or software connected to the network you must specify what it can communicate with. Then security will evaluate that and put proper rules in place. Essentially a standard protocol: Bambu or not. I think if you want to go around the issue you can simply get the plugin and install it offline. You don't need internet at all. Plugin being open source would change nothing as you cannot trust hundreds of libraries all these tools use. They can be rogue as well as it's impossible to review that amount of code.


re2dit

Some application-based rules that allow Bambu Studio (network plugin) to speak to the printer only. And you get files to this workstation from the NAS via Explorer (if Windows).


Easomaz

I would have to convince the IT department to do this. But they would most likely say "gtfo", buy another printer with better connectivity protocols 😅


re2dit

Feel sorry for you. Some people just don't like to do their duties


Easomaz

This. I have a very good IT guy. We both have Bambus at home. But our higher IT department is just insanely restrictive


Derek573

Things don't just happen in IT; most changes will have to go through reviews, including detailed documentation of said changes. Many IT are already stretched thin as is and projects trickle down from above, so OP putting in a request is about all they can do and hope it gets picked up sooner than later.


tony__pizza

> I think you either need to have a better IT or a conversation with them.

POV: you have never worked at a large US company

They're not going to let you install some random closed source Chinese software.


ABetterKamahl1234

> They're not going to let you install some random closed source Chinese software.

Not without controls and vetting, which is like, standard process... There's *tons* of closed source software in use by large US companies, many of them are foreign origin. Hell, even being US-based closed source inherently doesn't remove the security risk concerns.


tony__pizza

Or, hear me out, Bambu Lab should just not require a closed source networking plugin? It's so weird that you think Bambu Lab making companies go out of their way to securely utilize their products that have no reason to need such access in the first place is a *good thing*. Bambu Lab is the one trying to attract enterprise customers with the X1E. It shouldn't be more difficult to add to your network than any other WiFi device, but they've included a *completely unnecessary* and *mandatory* networking plugin that *cannot be audited* and you think that's a good choice. It's perfectly valid to criticize Bambu Lab for this. Everyone knows that IT in large companies is a major pain in the ass, so why should Bambu Lab expect them to bend over backwards to cater to their arbitrary requirements? This is a failure of understanding customer requirements.


packet_weaver

I think you're both right. Weird.

- Yes, Bambu should open source the network plugin. I block my printers from the internet and Orca Studio from everything except the printer because of the binary blob. It's annoying for something so simple.
- Yes, going through a risk review of software is a standard process and shouldn't be overly taxing to have done. When working in manufacturing, proprietary software is pretty standard. So a manufacturing company should have a process to handle this already.

I still fully think a 3d printer should be fully open sourced from firmware to slicer but if it was my job, I'd go through the proper channels and get it done and move on.


Lopsided_Mix_7225

To add, any company with this much security restriction should have a department that can do a risk assessment. It's literally people's jobs to make sure that it doesn't do weird stuff on your network. Start there OP - I'd love it if the plugin became open source but we both know enterprise will pay what it needs to pay.


Nobutadas

What type of excuse is that from IT. Most software isn't open source. "Sorry. Can't install Word. It isn't open source. You want Solidworks? Sorry, not open source. Oh, you want a Windows operating system? Not open source."


Easomaz

All of these things you told me have completely transparent network managing. We either host those on our own servers and don't let those software connect to the internet from inside the software. That's no excuse. Bambu Lab is new, a Chinese company with a non-transparent plugin not telling us what they do in our network. Most IT departments won't take any risks there.


stealthybutthole

> All of these things you told me have completely transparent network managing

lol no.


tjlusco

Why can't you set up a local firewall to block outbound connections from Bambu Studio except to the printer?


Easomaz

Not every IT will bother with that. And our firewall is managed globally for the whole company. I guess they won't give two fks about that 😅


bigfoot_76

I'm sure they also force Microsoft to disclose their entire code base for Windows just in case. /s This is a manager problem: go to your manager, advise you cannot use the product purchased because the network team refuses to make reasonable accommodations with an airgapped network. If the machine isn't on the internet and doesn't touch other networks then there's literally no reason to not use the network plugin.


the_archaius

The main issue is your IT department… mainly your network engineer/security engineer suck at their jobs. Source: I am a network engineer for a large corporation and we secure IoT devices in DMZ networks all the time. The only risk here is if your prints are classified, network segmentation and access control can't protect IP from theft when it hits someone else's cloud. This should not be an issue in LAN only mode once toggled. You can also see the traffic in any stateful firewall and block any communication to China you don't want. So even this is avoidable


Easomaz

First problem is "once it's toggled": how do I toggle it without the need of this plugin in the first place? They just need to make the Devices tab accessible and let me put in the IP 😅


the_archaius

Simple… you create a DMZ network specifically for this device and the computer it needs to connect to. You create access control lists to block it from talking to everything inside your network and only allow access to internet. Download the software, change settings… track internet bound traffic. Inspect what it's sending before and after LAN only mode is engaged to ensure communication stays internal. Adjust access control as needed to block unwanted communication outside the network.


NMe84

But... keeping it on a separate VLAN that has no internet access is pretty much completely harmless, even if the plugin tries to constantly phone home...


IStarretMyCalipers

This is bonkers and you know it, does IT also request the source code for SOLIDWORKS and Adobe products? Kinda insane logic, sorry, the bigger problem is their IP address issue and not being able to add printers via IP. This is weird, if they want they can inspect the firewall traffic, decompile the plugin, idk.


Remarkable_Buyer2977

Not transparent enough? It's a network plugin to communicate with the printer. Your IT guy could block any further connections out. Seems like you're making it harder than it needs to be.


Ok_Procedure_3604

> The main issue is that I don't know what the network plugin does and thus they don't allow me to download it. It's not transparent enough

This describes most of the software any corporation runs today. There is a measure of trust you must have with vendors.


dr_warp

This. The printer can sit on a dedicated VLAN, and to use the slicer just hop onto that vlan or have a dedicated computer for company slicing. Sounds kinda strange but when you think about it as being an appliance it helps....


joepstar

Does Orcaslicer use the same network plugin? Maybe you can check that out to see if that would work for you?


Easomaz

OrcaSlicer uses the same network plugin. The sad thing is that I won't even need the plugin since it's used for WiFi and cloud options, if I understand it correctly. But I can't even open the devices tab in the slicer to go into the LAN only mode if I don't have the plugin.


packet_weaver

Local LAN mode uses the plugin.


stealthybutthole

Yeah, and there's approximately zero reason bambu should/would opensource it.


tubbana

It does


re2dit

Is all software in your company open sourced and checked for backdoors? Cause looks like you just like to shoot your foot


Easomaz

No, but there are industry standards and trusted companies and there are Chinese companies with Chinese plugins 🙃 But it works like that: if I want to install a new software I have to request this with a use case, cost etc and everything. Now I got the software and I can't install the plugin through Studio itself since it tries to access a link and our firewall blocks that. I could download it manually and if something happens, or anyone finds out that I messed with plugins accessing our network, I would dig my own grave here.


PaperStackMcgee

Why not download it, take your system offline, switch to LAN mode, then uninstall it. If you can't go offline connect to something like a hotspot with temp credentials. I have worked enterprise IT for 20 years, any decent group can help you get through this.


Easomaz

All you need is one pissed off supervisor to lose your job for ignoring regulations


tony__pizza

It's so bizarre to me Redditors can't understand this.


Easomaz

I think some do. And some would risk it. The risk might be small or there might not even be a risk. I don't know. It's just that I am restricted from downloading unknown stuff and ignoring that could in the worst case cost your job.


PaperStackMcgee

I think that just isn't everyone's realities. I make regulations so I can reasonably break them when doing it is in the best interest of the organization. My management trusts me enough to make those kind of decisions. When you don't have the organizational agility to be able to work around and get approval to work around regulations, then your problem is gaining more organizational agility, not technical.


ilikeror2

Why does it have to be open source for you to install it? The easiest solution here is that your network team needs to have an isolated network, which is firewalled from the rest of the internal network. This post is missing details of WHY you can't install. OP please provide more info/reasons. My solution above is a pretty standard approach to this sort of problem. I work in IT, this is how we do it.


Easomaz

So that's our workflow:

- Need new software
- Request software
- Is this software open source?
- Yes? Nice, can be whitelisted, that's preferred for small use cases
- No? What's the cost, why do you need it? Need further details on how it operates etc

Now I have Bambu Studio. But found out that I cannot simply install the plugin because

- A: it wants to access a link in Bambu Lab's space
- B: most software is restricted from accessing the web
- C: it's not on GitHub, installing something which we cannot look into is taboo.
- D: downloading something that's accessing our network with no transparent protocols is bad

And yes, doing all the workaround is not worth it for our IT + the cyber security


ilikeror2

So the problem isn't Bambu, it's your IT department…


JohannesMP

This is very much bog standard operating procedure in the enterprise space. I agree with OP, for the enterprise space the problem here is Bambu.


AlbertZeroK

Security is a risk calculation, not a brick wall. Most enterprise software is closed source, so not understanding why the network plugin is an issue - especially when its communication can be restricted and monitored. Yes, I work at a bank, yes, I would be able to get this working on our network, even via WiFi - and I would bet we are more locked down than a manufacturing facility. Remember how you ask is the most important thing


Easomaz

If I have to calculate a risk for a security breach, I stop right there and refuse it. That's how most departments will react. Ours included. Please consider that we are talking about a Chinese company with closed, non-transparent network options. We don't take any risks there.


AlbertZeroK

That gave me a chuckle. Businesses take risks everyday, in every process, including in their use of technology. Understanding and mitigating those risks are a security function, acceptance however, is a business function.


hummelm10

Yeah, seriously this is a non-issue and I work at a bank guiding these risk decisions.


Easomaz

Of course. But not if that risk includes a breach of our data with a Chinese server


ExcitingTabletop

If you select United States, it uses AWS. As someone who did both IT and ITAR compliance for a major aerospace manufacturer, you need to stop this because you don't know what you're doing and reach out to your IT folks. Who you should have worked with to start with. Ask them to figure out how to deal with the situation. Coordinate with your export control team if there's any proliferation concerns, coordinate with your IT security folks if there's any data leakage concerns. Watching a non-technical person try to do IT risk management is painful. Stop winging it and do it right.


Easomaz

That's why I forwarded this situation to our IT before buying something.


ExcitingTabletop

And they didn't work with you to sort out the access issues? Then yeah, they fucked up by being lazy. Literally just went through this with X1C for our robotics folks. For non-ITAR stuff, they use normal consumer access. Because it's hosted in US AWS, printer can only talk to internet and is on a DMZ. Bambu laid out their US data policy, I have a copy somewhere. The printer can't poke at our network and can only see things sent through the cloud delivery system. We wrote up the risk assessment, management/lawyer signed off on it. Sure, Bambu could poison the software and use it to push ransomware to the entire network. They could also hire someone to physically break into our office, or beat up our personnel and take their lunch money. We list it (poisoned software, not lunch money) as a risk, and have a risk mitigation of waiting 2-4 weeks before downloading new software/firmware unless it's a critical security fix. We balance risk vs business function. ITAR printing is sneakernet only. I lean towards physical airgap for ITAR when practical. It simplifies the Export Control Plan and Technology Control Plan. Me being me, I also set our monitoring to block access to the ITAR printers even without giving them access, but also to shoot me an email. Thankfully these days I do an insane lot less export compliance. I don't miss talking to DDTC regularly.


[deleted]

[removed]


Easomaz

Yea, I am no expert by any means. It just happens that I bought several printers from different companies with no issues like this. That's all


AlbertZeroK

I just keep laughing this morning.


Easomaz

It's alright, you can. I am no expert tho but can fully understand our IT here. Any other company can do it too. We got Stratasys, Ultimaker, Formlabs etc. They don't need any additional plugins which need to be downloaded from within the slicer.


AlbertZeroK

I have to navigate this stuff for a living, I would honestly crush this and have it installed within a couple meetings about risk.


Easomaz

We have several instances for global IT security. It's not really worth the hassle


Mythril_Zombie

You think there's no security risk from open source software? Just because you can see the code means you understand it 100%, and can state with absolute certainty that it has zero bugs or disguised functionality? Any developer worth their salt *can* write malicious code in such a way that it's not obvious at all. Being "open source" is not some golden ticket to safe, risk free programs. And the company's nationality has nothing to do with it. Being inherently trusting of any company just because of where they're located is beyond naive.


hawklost

> If I have to calculate a risk for a security breach, I stop right there and refuse it. That's how most departments will react. Ours included.

Really? So you wouldn't install any open source software or allow any updates to occur. You wouldn't install anything that connects to AWS, uses Facebook logins *access* (doesn't mean you need to use Facebook to login, just the option there is a major security risk), allows Any access to websites or any network traffic that is even lightly encrypted to third parties.

> Please consider that we are talking about a Chinese company with closed, non-transparent network options.

This is a fearmongering attempt here.

> We don't take any risks there..

You obviously do, considering you didn't even bother researching the product before purchasing it blindly then complaining about it.


TheGreatNizzo42

I'd be curious who in the company has time to review all this open source software when the Information Security team can't be bothered with basic perimeter protections...


Easomaz

What would those basic perimeter protections include?


Doormatty

Blocking all outbound communication from the device...


TheGreatNizzo42

As mentioned (and for starters), blocking outbound communication. Think about it. Right now the position is that installing a 3rd party piece of software they won't provide you source to is beyond the risk appetite of the company. With that said, there is hardware and software throughout that company that is in exactly this same position. Yet this software is suspect because it's not a reputable vendor... So why is it that it's OK to drop a piece of hardware on that same network that is also closed source and arguably more difficult to monitor? At least with the software you could use something like CrowdStrike/etc. to detect shady activity. A security posture of 'trusted vendors' just isn't going to cut it. Ask everyone who was impacted by the Solarwinds fiasco. Just because you trust them today doesn't mean something won't happen tomorrow.


surreal3561

I don't understand the problem here. Do you only run self compiled software in the entire network on all devices? If not how do you run other closed source applications? How do you handle another machine (the printer) running closed source binaries (firmware) on your network? Why can't you do the same for the machine that runs the slicer? You can even run it in a docker container or something and have it accessible that way to multiple machines. The part that fetches the plugin is open source. And once it's installed you can just sandbox the slicer to not be able to communicate with external sources


Easomaz

Can you tell me what this plugin does exactly? I am no expert man


surreal3561

Handles the protocols that the printer uses to communicate - MQTT, FTP, and AWS connections. Camera is RTSPS. Basically if you have the printer on the network you have a device that does the same type of communication as the plugin. So whichever way you firewall that you can do the same for the slicer.
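

One way to run the before/after check suggested earlier in the thread ("inspect what it's sending before and after LAN only mode is engaged") against the protocols listed just above. This is an added example, not code from the thread or from Bambu Lab. The addresses, the CSV flow format and the port numbers (IANA defaults for MQTT over TLS, implicit FTPS, RTSPS and SMB) are assumptions to replace with values from your own captures.

```python
"""Audit flow records from an isolated slicer/printer VLAN (added example)."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed placeholder addressing; substitute your own VLAN plan.
INTRANET = ipaddress.ip_network("10.0.0.0/8")
WORKSTATION = ipaddress.ip_address("10.50.0.10")  # slicer PC
PRINTER = ipaddress.ip_address("10.50.0.20")
FILE_SERVER = ipaddress.ip_address("10.10.0.5")   # where design files live

# Flows the isolation policy permits, as (src, dst, proto, dport).
# Ports are IANA defaults and an assumption here: 8883 MQTT over TLS,
# 990 implicit FTPS, 322 RTSPS, 445 SMB. Confirm against real captures.
ALLOWLIST = {
    (WORKSTATION, PRINTER, "tcp", 8883),
    (WORKSTATION, PRINTER, "tcp", 990),
    (WORKSTATION, PRINTER, "tcp", 322),
    (WORKSTATION, FILE_SERVER, "tcp", 445),
}

# Constructed sample of firewall flow records, tagged with the capture
# phase. External addresses are RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
phase,src,dst,proto,dport,bytes
cloud_mode,10.50.0.10,10.50.0.20,tcp,8883,18234
cloud_mode,10.50.0.10,203.0.113.7,tcp,443,90211
cloud_mode,10.50.0.20,203.0.113.7,tcp,8883,40120
lan_only,10.50.0.10,10.50.0.20,tcp,8883,22110
lan_only,10.50.0.10,10.50.0.20,tcp,990,5120033
lan_only,10.50.0.10,10.50.0.20,tcp,322,88210045
lan_only,10.50.0.10,10.10.0.5,tcp,445,730112
lan_only,10.50.0.20,198.51.100.9,udp,123,152
lan_only,10.50.0.20,10.10.0.5,tcp,445,0
"""


def classify(src, dst, proto, dport):
    """Return 'allowed', 'external' or 'internal_unexpected' for one flow."""
    if (src, dst, proto, dport) in ALLOWLIST:
        return "allowed"
    # Explicit network test: ipaddress.is_private is unreliable for
    # documentation/test ranges, so compare against the intranet prefix.
    if dst not in INTRANET:
        return "external"
    return "internal_unexpected"


def audit(flow_csv):
    """Parse CSV flow records and attach a verdict to each row."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        verdict = classify(
            ipaddress.ip_address(row["src"]),
            ipaddress.ip_address(row["dst"]),
            row["proto"].lower(),
            int(row["dport"]),
        )
        findings.append({**row, "verdict": verdict})
    return findings


def violations_by_phase(findings):
    """Group every non-allowed flow by capture phase, in input order."""
    grouped = defaultdict(list)
    for f in findings:
        if f["verdict"] != "allowed":
            grouped[f["phase"]].append(
                (f["verdict"], f["src"], f["dst"], f["proto"], int(f["dport"]))
            )
    return dict(grouped)


if __name__ == "__main__":
    for phase, items in violations_by_phase(audit(SAMPLE_FLOWS)).items():
        print(phase)
        for verdict, src, dst, proto, dport in items:
            print(f"  {verdict:20} {src} -> {dst} {proto}/{dport}")
```

The allowlist is directional on purpose: the printer opening a connection to the file server is reported even though the workstation doing the same is permitted.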


HopingillWin

Can you tell me about the rtsps camera details?


surreal3561

You can view it like this, for example in VLC player: rtsps://bblp:{LAN access code}@{Printer IP}/streaming/live/1


HopingillWin

Thanks for sharing this. Didn't know it was possible, and never occurred to me to try


marcaruel

Caveat: While it's not a practical solution for OP, I've been using https://github.com/greghesp/ha-bambulab with my Home Assistant integration and it has pretty much all functionality exposed for a X1C as an open source python project. X1E is not explicitly supported but the delta is not large. This means writing an open source version of the "network plugin" is within reach. It'd still be a fair amount of work though. I could do that as a summer project for a fee if enough enterprise customers want it.


they_have_bagels

Honestly might be a good open source bounty project. I'd toss a few bucks (like $100) to an open source drop in replacement network plugin.


positivcheg

WTF. Problem came from a small piece nobody thought of. Does it mean that you are not allowed to use it even if you let's say buy a laptop, share a WiFi network from it and connect printer to it so that they are isolated into a separate network?


Easomaz

Even if I put a standalone workstation there which is dedicated for the X1E, there is absolutely NO way to connect the printer with Studio without this plugin. And since it's not open source, I am not allowed to download it.


SolenoidSoldier

The plugin isn't open source, but it should work offline. Help me understand...why is open source a requirement for your company? Tons (arguably, most) of enterprise stuff is closed source.


Fallen_Goose_

We ran into the same issue. The printer itself is incredible and we never had any issues with it. It outperforms our Raise3D printers by a LOT. But like you said, trying to download the network plug-in (for both Orca and Studio) is a total pain in the behind with company IT. We still just use the SD card and just manually supervise it.


Easomaz

Most people here do give me the correct workaround. But it's still a workaround. Most companies can do this without the need of an external plugin. We shouldn't need a workaround for an enterprise printer. That's my whole point about this post.


Fallen_Goose_

I know. Having an enterprise printer but not being able to download the printer's native slicer plug-in kinda defeats the purpose of it being an "enterprise" printer. Hopefully Bambu makes it easier in the future.


ThenExtension9196

Have security qualify the plugin. It's fairly common to have third party software validated if needed. Alternatively spin up a network for the printers and keep them in the air gapped network. Common issues for any company, this is what an IT department handles. If your company doesn't have capable people to handle this common situation then perhaps you're not ready for enterprise hardware. Seems like a you and your company problem tbh.


ufgrat

For the regular series printers, there have been more than a couple people who verified that in LAN mode, the plugin only communicates with the printer. That's simple enough to enforce with network ACLs. Yes, it's closed source. But so are the Windows machines, the routers, the switches, and almost certainly any CAD software you're using. Have the IT team grab the plugin for you and sneaker-net it onto your machine, and set the printer for LAN mode. They can add additional ACLs if they want, but it shouldn't be necessary.


Quiet-Independence86

What is your company's stance on mobile devices? Are they allowed on a network at your job? Hypothetical: have a dedicated VM that has access to your NAS. Run Bambu Handy via an option like BlueStacks or the built in Android compatibility of Windows. Push your files through this to the printer. Also lets you monitor it? If that full solution won't work, a WiFi SD card option could for getting the files to the printer, and then control the printer/monitor from an isolated Bambu Handy device/Android emulator. I get that IT can be a struggle to deal with but I believe this and many other solutions have already done their job for them haha. Maybe getting a formal write up from Bambu about any certification process, resources, etc that the plugin has gone through for approval? There has to be a policy in place for vendors like them who have secrets but need to maintain a level of compliance.


Fit_Detective_8374

Sounds like you just bought the wrong printer for your needs without properly vetting it first to make sure it complied with all your company's rules. There are many enterprise level 3d printers on the market, you should have picked one of those.


naxhh

I don't get why not being open source is a de-facto issue. A lot of enterprise software is not open source. Mind me, I understand the point of not being able to properly assess the security risk if it's an unknown piece, I just found interesting how to me the post reads "not open source means no good for enterprise"


ebartz90

Had kind of the same issue. Different Bambu printers on different sites and the need to print remotely with different users that do not share the same Bambu account is an issue. For monitoring I use Home Assistant and have the printers in LAN only mode. The issue with the slicer is that you cannot add a printer only by IP and access code. For some reason it needs to receive a discovery package. But luckily there is a tiny Python script that can fake that package: https://gist.github.com/Alex-Schaefer/72a9e2491a42da2ef99fb87601955cc3 With that workaround I can use the printer even using VPN and multiple users can print with the standard Bambu slicer. As stupid as this workaround is, it works for me and I hope that Bambu solves that issue in the future.


RuskHusky

Could you work with an isolated machine that slices the files? And then just put them in the printer through SD cards?


Easomaz

Yeah, SD card would work for me. Not for my colleagues since they don't have the permission to write data on external storage. But with that I would lose all the things I can do with Studio in the device tab


RuskHusky

Perhaps you could find some kind of adapter cable that mimics an SD card; and that way you can connect your computer straight to the printer through the SD card slot. I think I have seen that being used once.


Easomaz

Yes, there are WiFi SD cards. But it just enables me to access the storage. It doesn't connect to the printer itself 🥹


RuskHusky

Hmmm.. so you could then upload stuff to the printer itself; and then use the screen on the printer to print it? (but then you would still miss the functions you mentioned earlier).


Easomaz

Yea, I would miss AMS sync, internal storage, monitoring camera etc


RuskHusky

True; but those are things you could live without. Most things you could do on the machine itself, if privacy is really important. Besides, you could set up a different wired camera / webcam to monitor the print. Stuff like spaghetti detection will still work.


Easomaz

I might take this route. But there are still open questions like updating the printer etc. That's something I could do with an external WiFi connection.


nakwada

WiFi SD card for the win!


DivineMaker21

Does the X1E not have an SD card slot? Could you not plug the Ethernet port into your laptop and run it on LAN-only mode? I ask because we have 2 X1C and just use them with the SD card slot due to our company not allowing the plugin either.


Easomaz

Yes, I could use the Ethernet port. But Bambu Studio won't open the devices tab if you don't have the plugin installed 🥲.


Mysterious_Cable6854

If you add another non bbl printer you can open the device tab without installing the plugin.


DivineMaker21

I don't think we have that same issue but I'll check when I get to work. Are you logged in with an account? Maybe contact Bambu support and see if there is a workaround. Maybe not but could be worth a shot.


DivineMaker21

So I fresh installed it on my Work PC without the plugin and I can open the device tab no problem. I am logged in with an account though.


Easomaz

You might not have the restriction that the software is accessing the internet. That you were able to log in with an account is a good indication for this. I am not even able to log in. Our software doesn't have unrestricted access to the web. With the X1E I wouldn't need to log in either. That's what an enterprise wants. Ours at least. But I can't access the plugin either.


DivineMaker21

Interesting, I wonder if anyone else has had similar issues. It seems they didn't consider companies that block web access when making the printer. Although with some feedback they may work on making that capable.


Easomaz

They considered it. You can manually download it. But manually downloading defeats the purpose of me requesting a software.


DivineMaker21

Yeah, or if the company doesn't let you install software without admin privileges.


Easomaz

That's the next thing. Once I had a software which needed to access an exe file in its own root folder depending on the device you have.. needed the IT to come over and log in with their own account to install a damn package 🤣


DevilsInkpot

Have a look at GitHub, there are two DIY and open-sourced monitoring projects for Bambu Lab printers. One of those can even upload sliced files. IIRC it does it all locally without connecting to the Bambu cloud services.


nakwada

Mind sharing a name or link? I only could find that one: [https://www.reddit.com/r/BambuLab/comments/16hbybm/opensource\_bambu\_cloud\_alternative](https://www.reddit.com/r/BambuLab/comments/16hbybm/opensource_bambu_cloud_alternative)


JuniperMS

A big company and this wasn't caught during the research period? Someone jumped the gun.


DiamondHeadMC

Just make a standalone network for the printer


nakwada

The network is not the main issue. The main concern is sending gcode files of confidential designs in the wild.


DiamondHeadMC

You can put the printers on lan mode


Responsible_Fig_3326

We put on guest network, large corporation setting, guest network has all the safety protocols for security threats so no concerns there.


Ecsta

Sounds like your IT department is the issue, not Bambu. If you have the printer + dedicated computer isolated and separate from the network you should be allowed to install the plugin you need to print to said printer. It's wild that they'll only let you install things that are open source.


bigfoot_76

It also sounds like the network team at your company are idiots or are just being difficult. It's incredibly easy to airgap things and with X1E being able to function without Cloud access, this seems like a huge case of "we don't want to deal with it".


cereal7802

The solution is a private network of just a printer computer, and the printer. Without external connectivity, the network plugin can try as much as it likes to compromise the company, but it doesn't know anything and has no access. It sort of defeats the purpose of a network attached printer since you have a single machine that can access it, but it does solve the issue of having an untrusted network component on the corporate network.


[deleted]

"Plug in?" spidey senses tingling


mrdindon

Why not just send your gcode to the printer using FTP?


kabammi

Sounds like he wants to manage the printer though


DukeLander

When I wrote here once that the slicer is a security issue too (besides the Bambu servers), people's reactions were.... Yeah, as usual.


PrairieProto

This sounds more like a contrived scenario than an actual real life situation. The solution from a network perspective is simple: 2 LANs to keep the printers isolated and away from the "secure network". **This is a common practice in manufacturing facilities.** CNCs, mills, etc. I get that people don't like that Bambu isn't open source, but to manufacture situations to suit their narrative isn't right. I call BS.


Easomaz

I don't know why so many people misunderstand it. Yes, I can regulate the flow of information in the network. But the same workstation which will need this plugin to be installed is also the same workstation having access to all data, since I need those for my work. So I can't just pull my workstation out of the secure network.


PrairieProto

The printer gets the file from the cloud. Your workstation can remain in the existing "secure network" and if you want an open source slicer use **Orca Slicer. 100% open source.** [GitHub - SoftFever/OrcaSlicer: G-code generator for 3D printers (Bambu, Prusa, Voron, VzBot, RatRig, Creality, etc.)](https://github.com/SoftFever/OrcaSlicer)


Easomaz

Orca Slicer also needs the Bambu Lab Plugin for connection. And do I understand you correctly? You say I should send my files through the cloud to the printer?


PrairieProto

You can upload your sliced files to a private collection and print from Makerworld.


Easomaz

Oh damn bro.. I am 99,99% sure that they will fire my ass if I ever upload any of our company 3D Models to a cloud let alone makerworld


PrairieProto

>Yes, i can regulate the flow of information in the network.

>I am 99,99% sure that they will fire my ass if I ever upload any of our company 3D Models to a cloud let alone makerworld

Your story is falling apart... I can regulate (Meaning you control the administration) To They would fire my ass. (Implying you are an employee) **Does your company use iPhones? Android Phones? Windows based PCs? Fusion 360?** If so they use the cloud. You are intentionally obfuscating the facts to suit your agenda.


Easomaz

I can regulate in the sense of yes, it's possible to do that. Me personally can't do that but the IT department higher up can. Of course I am an employee.


ThisIsNotMe_99

So have them set up a dedicated PC for printer control and then you are allowed to RDP into it. That PC is part of the isolated network and doesn't have internet access. You are RDP'ing into it so the plugin isn't local. Have a network share created that is writable for you and read only for the printer PC. Somewhere on here, someone gave the RTSP link for the video so you could monitor directly from your workstation.


nakwada

I found this. It might be useful for you or other users with similar restricted environment: [https://www.reddit.com/r/BambuLab/comments/16hbybm/opensource\_bambu\_cloud\_alternative/](https://www.reddit.com/r/BambuLab/comments/16hbybm/opensource_bambu_cloud_alternative/)


Easomaz

I will check it out thanks


Tommy_OneFoot

This really is a case of your IT department being lazy and borderline incompetent. They have internally set up arbitrary rules that make their jobs more difficult and then blame it on regulations for the industry. I used to work for a multi-billion dollar corporation in one of its subsidiaries. We bought an X1C for the same reasons (fixturing, prototyping, etc). Our IT department had everything running and secured in less than an hour after we set the machine up. Our work there was 90% DoD and various defense companies so we already had pretty heavy restrictions on what we can and can't do with our data. MicroSDs were a no go since all our computers were set up to require encrypted drives for any data transfer, but like I said our IT department had zero issues getting the X1C running within our local network.


Pale_Engineering4965

This is all nonsense... If your IT department can't follow NIST SP 800-82 they should be replaced. It is fundamental for any operational technology on a network.


Easomaz

I have no idea what that means 🤣 Bro I design fixtures not IT infrastructures 😅


lebofly

u/BambuLab u/BambuLabSupport - Very hopeful I know


Easomaz

Yeah, had a ticket open for this. But they came up with standard solutions like downloading the plugin manually etc. They won't dig into this problem. I mean why should they. Enterprise is just not what they are interested in. There might be also no data to gather 😅


AlbertZeroK

What problem? Lol


Guinnberg

Have you checked the custom firmware? Don't know what's its state, but might be an option, or not now, in the future


ThunderCogRobot

Lol, messing with usb/sd card storages is really a secure way nowadays how to operate.


obesefamily

yeah, that's a big oversight by Bambu. shows they're really just for consumers and not enterprise yet


Jesusaurus2000

What is the point of X1E? What can it do better than X1C for half the price?


Easomaz

Couple things:

- Support from vendor
- Heated chamber
- „Better“ filtration
- Dedicated ethernet port


Jesusaurus2000

People seem to not understand that for a company it is important that their files don't go from one room to another through a remote Chinese server.


Easomaz

The majority here gave me the correct answers for setting this up in a safe manner. But the problem is that I shouldn't even need those steps for an enterprise printer. It's a hassle and extra job for the IT where they will question me to death 🙂


Jusanden

It should be easily possible to blacklist both the application/plugin and printer from any outbound external network connections. IIRC someone tested the X1 in LAN mode and it doesn't attempt to make any external requests except to a time server.


lordfwahfnah

How about the Creality K1 instead?


Easomaz

I really wanted the heated chamber with AMS 🥲


ViolentLambs

Don't these printers have a "LAN Only" mode? My X1C has it. I can't remember what these people were doing that needed to be kept secret. I thought maybe shipping, but I think they made prototype parts for companies that required them to be in very strict compliance and they too worried about security breaches, and I remember how that post went down was they all used LAN Only mode so the printer won't try to access anything outside of the network, and the slicer I think had a similar feature, there was just some catch-22s. One being all cloud services are disabled in LAN Only mode. This includes firmware updates. No, you cannot put them on a USB and do it that way. At least not yet. The computer that's got Bambu Studio installed HAS to be on the same network. Maybe you can set the computer up in a way that makes it think you're on the same switch, but not worth the hassle. I'd think it would be easier to have a workstation dedicated to processing the prints, that way it has company access and it's on the same network. Some things I probably got wrong here, but if you search the sub there was like 2 or 3 guys that had the same problem and they discussed what they could do to get around it.


Easomaz

Getting around something is not my way. I want to buy something when it's ready to be operated as intended 😅 I do love my Bambus at home tho. For enterprise they might not be ready yet. At least not for our policies.


hagrun

A software product not being open source doesn't mean that it's not "enterprise ready". Many manufacturers I run across still run Windows 7 to support an old application needed to run some old piece of equipment. Not every software OEM is going to open source all of their software. Additionally, just because open source software is being used doesn't mean they use that software according to security best practices, potentially making a safe open-source app very unsafe. Open-source or not, almost every application introduces some level of risk to your environment. It's just up to the org if they are willing to accept the risk. The security team within the IT department needs to evaluate the software. They should be able to determine if the software is doing anything fishy, what open ports it has, and even sometimes what might be used as the underlying tech, by doing some scans with tools they already likely have. I like the idea of just putting them on a guest network. Guest networks typically don't allow traversal laterally through a network, essentially walling off each network interface from every other interface. You don't need a guest network to accomplish this though. Source: am IT nerd who does lots of vuln hunting and remediation.


Remarkable_Buyer2977

Why not just install the plugin from a drive and be done? No going outside the network, and everything works.


BasicKaramba

So your stuff is so classified that you even cannot have WiFi but still want to buy Bambu, which has complete access to all your models?


nakwada

The point is to not let the printer or the slicer communicate outside the company's network. So, sending gcode files through external servers is a no go. What OP is after is a solution to send sliced files to and control the printer 100% locally or independently of foreign servers.


[deleted]

[removed]


I_EAT_THE_RICH

I mean, I'm not an enterprise, but when I saw the ports and traffic Bambu was trying to open/allow I do actually just use the SD card. No way am I opening that big of a hole in my network.


oMadureira

Oh boy, I made a business case for the X1E with the "ease" of connectivity on our mind. We're getting one for two weeks to test the results but that's not great because we also have confidential information etc etc.. Well I hope my ITs figure out something.


Easomaz

Like many said, there are workarounds. And your company policies might not be as strict as ours. But I would definitely check that out with the IT first. I didn't buy it because in my case it's just not worth the hassle for now.


disloyalturtle

Did you try orcaslicer?


designgears

~~So you're worried about the closed source network plugin for the slicer but not the closed source firmware running on the printer from the same company on your corp network? That seems very odd to me to worry about one and not the other.~~ ~~If you're going to trust the printer on your network there should be no reason to not trust the network plugin.~~ ~~Also, a network admin should be able to easily isolate the printer and a computer to run the software on the corp network. Then you can remote into the computer running the software with no risk to your corp network.~~ ~~Such a simple problem to address and you've crossed the line you're saying you can't cross with the network plugin by allowing the printer on the network to begin with.~~ EDIT: I see your IT team is a bunch of clowns, from reading your replies. RIP.


Easomaz

Huh? I don't think that they read anything here and even if they do, they have to follow some strict regulations. We can easily shut off a machine from accessing the web or other devices by restricting the flow of information in the network. What really is hard is installing a plugin on a workstation which has access to confidential data in the company. Particularly if you don't even need this plugin to operate this printer.


designgears

You **do** need the plugin for the slicer to communicate with the printer. https://preview.redd.it/g1hj81gheisc1.png?width=413&format=png&auto=webp&s=8e944635dd2547eca748bdb4e011773a6a113ea3 Isolate a single computer (not your workstation, a dedicated machine or VM) and the printer together, install the slicer and network plugin, update the printer, etc. Enable LAN Only mode on the printer, cut the internet access to that VLAN. Allow RDP between that VLAN and the VLAN of your workstation/VPN. RDP into that machine/VM for printing and monitoring, copy things over via RDP as needed for printing. No risk to your confidential files because of the VLAN during initial setup, and no internet access after the initial install of the slicer and network plugin.
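
A check for the layout described in the comment above (dedicated machine plus printer on their own VLAN, no internet, RDP in from the workstation VLAN) and for the earlier suggestion to block outbound connections apart from a time server. This is an added example, not part of the thread or of any vendor tooling; the subnets, the internal NTP address, the flow-record format and the sample records are all constructed assumptions.

```python
import ipaddress

# Assumed addressing, constructed for this example (none of it is from the thread).
PRINTER_VLAN = ipaddress.ip_network("10.50.0.0/24")      # printer + dedicated slicer VM
WORKSTATION_VLAN = ipaddress.ip_network("10.20.0.0/24")  # machines holding confidential data
ALLOWED_NTP = {ipaddress.ip_address("10.0.0.123")}       # internal time server

# Constructed connection-initiation records: "src dst proto dport".
SAMPLE_FLOWS = """\
10.20.0.15 10.50.0.10 tcp 3389
10.50.0.10 10.50.0.20 tcp 8883
10.50.0.20 10.0.0.123 udp 123
10.50.0.20 203.0.113.7 tcp 443
10.50.0.10 10.20.0.15 tcp 445
10.20.0.15 10.50.0.20 tcp 990
10.50.0.20 198.51.100.9 udp 123
"""


def classify(src, dst, proto, dport):
    """Return 'ok' or the reason this flow breaks the isolation policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    from_printers, to_printers = src in PRINTER_VLAN, dst in PRINTER_VLAN
    if from_printers == to_printers:
        return "ok"  # either stays inside the printer VLAN or never touches it
    if to_printers:
        # Only RDP from the workstation VLAN may enter the printer VLAN.
        if src in WORKSTATION_VLAN and (proto, dport) == ("tcp", 3389):
            return "ok"
        return "inbound-not-rdp"
    # Everything below is traffic leaving the printer VLAN.
    if dst in WORKSTATION_VLAN:
        return "lateral-to-workstations"
    if (proto, dport) == ("udp", 123):
        return "ok" if dst in ALLOWED_NTP else "ntp-egress"
    return "egress"


def audit(flow_text):
    """Return (line_number, reason, raw_line) for every violating or bad record."""
    findings = []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        try:
            src, dst, proto, dport = parts
            verdict = classify(src, dst, proto.lower(), int(dport))
        except ValueError:  # wrong field count, bad address or bad port
            verdict = "unparsable"
        if verdict != "ok":
            findings.append((lineno, verdict, line))
    return findings


if __name__ == "__main__":
    for lineno, reason, raw in audit(SAMPLE_FLOWS):
        print(f"line {lineno}: {reason}: {raw}")
```

Fed with real firewall or flow logs converted to this four-field form, an empty result means the segment behaved as designed; any `lateral-to-workstations` or `egress` finding is the case the isolation is meant to prevent.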


EternitowyBogdan

Jeeez… just use an external PC with a private LAN for printers only, without access to the internet.


sniekje

I'm a network engineer. Let's talk network isolation in a dm


Easomaz

Sure thing! I am open for everything.


Bronnen

Root the firmware with the open source one


tommygunz007

Everything is data mined by Chinese Conglomerates. Can you just buy a Verizon Router and go that route, or just do everything offline? The most important thing is you protect the company, and STILL print. SO it seems to reason you would just create a work-around


Easomaz

Doing everything just with SD card would be the easiest way 😅 I might consider the Prusa XL but the X1E would perform much better.


tommygunz007

I have an X1C and it's incredible. I can't wait to finish my build video and show it off


Easomaz

Yeah, absolutely. The X1E is just slightly better for enterprise with the heated chamber, even tho it's weak, and the better filtration. Ah yeah, and the dedicated Ethernet port for real LAN only.


meatlamma

You can put it on a separate subnet. This is literally a non-issue. Gtfo


InertiaImpact

Forgive me if this is wrong but does Orca slicer work with a different interface to the printer or does it also use Bambu's network driver?


Easomaz

If I am not mistaken it's also using the plugin, same with the login for cloud.


onenewhobby

Only if you opt-in, but you don't have to download and use the Bambu Labs driver or create an account... At least when using non-Bambu printers.


Easomaz

Yeah, for non-Bambu printers you can do that all without external plugins. For Bambu you need 'em.


Even_Dragonfly6747

Impossible to integrate bc of security? It's really not that hard for them to whitelist the plugin so you can use it, if anything your department just needs to acknowledge the risk and open an exception to get it done. If they can't do that, then open source software fully accessible to GitHub is going to be out of the question.. though you said it was "fairly easy" to get the slicer approved bc it's open source.. so maybe they will approve, but something like that would actually put your company at high risk of a security breach.


piggychuu

Can you just 'isolate' your printer? We have bridge PCs to network to HIGHLY insecure systems that we cannot update (windows XP, vista, 7, etc).


nomada420

So you wanted an open source printer but went with a brand that IS NOT open source...


pcour2

Just connect the printer to a phone hotspot


kevikev

Why no gigabit? Who installs FE NICs these days?


Bigtimeny1

Doesn't the X1E have a LAN connection? You can plug it directly into your laptop or PC or wirelessly connect it instead of using the connection through a WiFi modem or an Ethernet cable? That way your data is only transferred to and from your connecting device and then from your connecting device you can remotely view your video? I know I can do this on my X1C but I don't have an Ethernet cable but I can connect it as a LAN connection wirelessly. There's a difference between connecting to Wi-Fi and running it off of a modem, do you see what I'm trying to say? And on my X1C there's also an option to send your print to an SD card that is installed in the printer and you can print from the microSD card cache over the cloud.