Dear colleagues, A printer doesn't need internet access, and that is why I can block the internet access. The printer on the white network a label printer that just works. The other printer is a laser printer connected by USB to an Ubuntu computer on the white network, because that was easier than getting it working on OpenBSD; the same goes for the scanner. If only I had the right plug for my matrix printer, then maybe I would not need such complexity. Alas, they don't make matrix printers and parallel ports like they used to.
Anyway, I return to my original inquiry. My barrier machine is indeed my primary gateway/firewall. I have configured the it in the way Brian and Nick recommended, except I added magic routes proposed by All, and it works as I want. I remain curious as to why it was necessary. Could someone explain my flaw in reasoning? Aside from setting those routes by DHCP, I am using vanila routes. In particular, the default route on the other computers is the barrier machine. With great humility, Ibsen
