Brother MFC-J680DW scanner only works when printing

Hello everyone,

I’ve switched from Solus Linux to EndeavourOS and have a problem with my multi-function device (printer/scanner) which is a Brother MFC-J680DW. This model works very well with Solus Linux, though I did have to manually convert the DEB package to install on Solus.

I use simple-scan application (which worked fine in Solus) but the behavior is erratic. The application always detects the scanner, but only works when I have recently printed. What I mean is:

  • If the printer is idle (haven’t printed anything in last 5 minutes) the scanner does not respond. It shows up in the application (detected) but when I click on the “Scan” button, it fails (nothing happens other than the scan button turning to a red “stop” button and showing the circle-arrow animation to indicate it is working). After about 30 seconds of waiting, I just get a “Failed to scan” dialogue box with no reaction from the printer/scanner.

  • If I PRINT something (even a test page) and then try to scan concurrently, the scanner works! In fact, if I am scanning many pages from the ADF, the scan may “PAUSE” in the middle of the work (with a page half-scanned) and I have to quickly print another test page for the scan to resume (it does continue)! Interestingly, even if I CANCEL the print-out (to not waste paper) the scanner continues to work for the next 2-3 minutes then stops again. So it’s like the scanner is active for like 2-3 minutes after a print has started and then shuts down.

It’s as if the connection to the device only “opens” when I am printing and “closes” a bit after printing stops, but will not “open” if I am just scanning (it stays “disconnected” or something). This is very annoying and causes me to waste paper when scanning (if I’m not fast enough to cancel the prints I send to “open the connection”).

To install things I did:

yay -Sy brother-mfc-j680dw brscan4
sudo brsaneconfig4 -a name=mfc-j680dw model=MFC-J680DW ip=

During system-config-printer I used “Find printer” and entered which is the IP the device uses and was prompted to select from:

  • JetDirect (results in socket://… url)
  • IPP (results in ipp://… url)
  • Brother MFC-J80DW (results in lpd://… url)

I created queues for all 3 but only the first two work and produce print-outs (LPD does not work). For the scanner, see the brsaneconfig4 command above and also:

[user@host ~]$ brsaneconfig4 -q
* *            []  Brother-MFC-J680DW

I’ve thought a bit about what may have changed and the ONLY DIFFERENCE between back when I used Solus and now is that I am on a different subnet than the printer (computer is in 192.168.42.x whereas printer is in 192.168.9.x). Note however that when the scanner fails to scan (because no print is active) I have an open terminal pinging the device and it replies fine, so this is not a networking issue…

EDIT: I am going to create a Solus VM to test this and see if it works fine.

Do you have local hostname resolution enabled?
read here under:

I found some permission issues for scanning with my Brother (7060D) and at first needed to ‘connect’ it with sudo. Then discovered that I needed instead to be a member of the scanner group for no-fuss operation. Have you tried that yet?

but could be a hostname resolution issue in the local network…


I use pfsense for my home router. On the EndeavourOS machine I have:

[user@host ~]$ cat /etc/resolv.conf 
# Generated by NetworkManager
search home.lan
[user@host ~]$ nslookup	name = brother.home.lan.

[user@host ~]$ nslookup brother.home.lan

Name:	brother.home.lan

For the machine itself though:

[user@host etc]$ nslookup	name = host.home.lan.

[user@host etc]$ nslookup host.home.lan

Name:	host.home.lan

[user@host etc]$ hostname

[user@host etc]$ cat /etc/hosts
# Host addresses  localhost  host
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters

EDIT: I edited the actual host name and replaced with “host” but it’s the one correct ID.

I read the link you provided and the only thing I was missing was the mdns_minimal [NOTFOUND=return] which I added now:

[user@host ~]$ grep hosts /etc/nsswitch.conf 
#hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
hosts: mymachines mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] files myhostname dns

The only thing that has changed is that I can now ping my host name as “ping host.local” but everything else is the same.

Please note that the printing actually works fine, it is the scanning that does not work. Is there a way to debug what SANE is doing when applications try to scan? That is what would be interesting…

So, I added myself to the group and logged out and back in:

[user@host ~]$ id
uid=1000(user) gid=1001(user) groups=1001(user),3(sys),**96(scanner)**,982(rfkill),984(users),998(wheel),1000(autologin)

Unfortunately it has not made a difference…

Here is the output from the console:

[+0.05s] DEBUG: scanner.vala:1616: sane_init () -> SANE_STATUS_GOOD
[+0.05s] DEBUG: scanner.vala:1622: SANE version 1.1.1
[+0.05s] DEBUG: scanner.vala:1683: Requesting redetection of scan devices
[+0.05s] DEBUG: scanner.vala:859: Processing request
[+0.50s] DEBUG: app-window.vala:2079: Saving state to /home/user/.cache/simple-scan/state
[+7.38s] DEBUG: scanner.vala:348: sane_get_devices () -> SANE_STATUS_GOOD
[+7.38s] DEBUG: scanner.vala:370: Device: name="brother4:net1;dev0" vendor="Brother" model="*Brother-MFC-J680DW" type=""
[+9.66s] DEBUG: app-window.vala:2079: Saving state to /home/user/.cache/simple-scan/state
[+9.67s] DEBUG: simple-scan.vala:1819: Requesting scan at 300 dpi from device 'brother4:net1;dev0'
[+9.67s] DEBUG: scanner.vala:1774: Scanner.scan ("brother4:net1;dev0", dpi=300, scan_mode=ScanMode.COLOR, depth=8, type=adf, side=both, paper_width=2100, paper_height=2970, brightness=0, contrast=0, delay=0ms)
[+9.67s] DEBUG: scanner.vala:859: Processing request
[+9.99s] DEBUG: app-window.vala:2079: Saving state to /home/user/.cache/simple-scan/state
[+55.73s] DEBUG: scanner.vala:920: sane_open ("brother4:net1;dev0") -> SANE_STATUS_INVAL
[+55.73s] WARNING: scanner.vala:924: Unable to open device: Invalid argument

From Arch SANE wiki:

With systemd, the scanner and lp groups are deprecated. No need to add your user to those groups. See Users and groups#Pre-systemd groups for detail.

May not be needed, but for me it worked :grin: Sorry if I misled anyone…

cat /lib/udev/rules.d/65-sane.rules | eos-sendlog


Hello @joekamprad

Here is the output of your command.

I did not know it is that easy to paste something and get a short URL for posting on forums. This post was worth creating just because of your last reply. Thanks for providing this useful tidbit of knowledge.

Please don’t waste your time though. I now have a strong indication that it is network-related. When opening simple-scan I see a lot of TCP connections stuck with SYN_SENT:

simple-sc 20524 user      25u  IPv4 477485      0t0  TCP> (SYN_SENT)
simple-sc 20524 user      26u  IPv4 477516      0t0  TCP> (SYN_SENT)
simple-sc 20524 user      27u  IPv4 477519      0t0  TCP> (SYN_SENT)
simple-sc 20524 user      28u  IPv4 477538      0t0  TCP> (SYN_SENT)

This is not normal. When I click on the scan button I see (in addition to the 3 above) another stuck connection to port 54921:

simple-sc 20524 user      36u  IPv4 477550      0t0  TCP> (SYN_SENT)

So it seems to me my pfsense router or a firewall may be blocking some ports? Does EndeavourOS have a firewall? I don’t recall installing one myself.

I looked up the ports and they indicate they are scanning-related:

6566 is the SANE control port

This Brother support article mentions exactly my problem with regard to the 54921 port:

Your security software blocks your machine’s access to the network. / * Network scanning (Brother iPrint&Scan) Port number 54921/Protocol TCP

I will reach out to reddit’s pfsense/proxmox forums to see if it’s the router or proxmox that has some firewall that prevents non-admin ports (e.g. 80/631 work because they are <1024 so printing works). It still does not explain why I can scan while printing though. I sent a print test page and when scanning I saw:

simple-sc 36297 user      25u  IPv4 636213      0t0  TCP> (SYN_SENT)
simple-sc 36297 user      36u  IPv4 683846      0t0  TCP> (ESTABLISHED)

So this is really-really weird…

I need to review my proxmox network configuration, my pfsense configuration, and my EndeavourOS networking configuration to see why this is happening…

This is going to be a huge pain to resolve…

It isn’t if you don’t use all those things. :wink:


@ricklinux Hehe, correction:

This is going to be huge FUN to resolve…

It’s not fun if you’re not messing with everything you can get your hands on! :wink:

So, to close this out: the problem is asymmetric routing: this causes the pfsense firewall to fail to establish proper state as it witnesses only part of the TCP handshake.

The linked documentation explains the issue, how to manually set rules to fix it, as well as the easy solution (if like me you’re a home with a simple subnet structure and no need to have internal rules) which is to enable “Bypass firewall rules for traffic on the same interface” in System/Advanced/Firewall&NAT.


In other words, why use it if you have to bypass it to make it work. :laughing:

@ricklinux So, the bypass is for SAME interface only, which is anyway what you want when using pfSense as a home router.

To give some more context: 99% of the time you don’t need any of this because there’s the router with the WAN (public) IP on one side and a single subnet on the other (LAN) side. The router filters all traffic going through it, but on the LAN side everything is on the same subnet talking to each other directly (so they bypass the router).

Now in my case, I have this subnet for Proxmox and even that is a special case: 99% of people doing that will use bridged mode in Proxmox and thus still have ONE subnet (the VMs share the host NIC and the same subnet). However, bridged mode does not work well with WLAN and in my home the desktop is in an area without wired connectivity so I am forced to use routed mode.

Now, once you end up with TWO internal subnets (for whatever reason) routing between them becomes a thing. By default pfSense would STILL work if everyone routed properly, going via pfSense only to talk to external (Internet) hosts, but what happens here is:

  • I have a DHCP setting (option 121) that tells DHCP clients in subnet that they do NOT need to go via pfSense ( to talk to hosts on the subnet, and that they should instead go to (the proxmox host) which can relay to that subnet.

  • Almost all my hosts (laptop, NAS, etc) in understand this so when they talk to DHCP server they add a static route for it.

  • Normally if host A in the main subnet wanted to talk to host B which is a VM, the conversation would be direct via proxmox host X. The route is A → X → B → X → A (A sends via X and B replies via X).

  • The Brother printer P, unfortunately does NOT understand option 121. Therefore the printer P does NOT know that it can simply reply directly via proxmox host X and uses the default gateway which is the pfSense host F (which has firewall rules). So conversation between B and P is like: B → X → P → F (!) → X → B. Notice here that the printer does not go directly to X but the default gateway F which knows to relay via X, but then applies its rules…

Now you can set rules to tell pfsense “don’t worry about filtering traffic between and because they are both internal subnets, so I trust them both”. You need to let it know it can treat all hosts on both subnets as if they were one internal subnet with stuff you own and want to talk to each other unhindered. But you need to explicitly state that as pfSense doesn’t know this for a fact, and it would be insecure to assume that.

You normally WANT to bypass the firewall in this case and the easy way to do it is to tick that box in pfsense that reads “Bypass firewall rules for traffic on the same interface”. Basically what this tells pfSense is “look, I’m not a corp with a complicated intranet, so I don’t want to bother with explicit rules: you have 2 interfaces WAN and LAN, treat all traffic that does not cross one side to another as OK to pass”.

Therefore if something comes from the LAN (in this case the Brother printer’s response) and moves on to the LAN (in this case the Proxmox host) don’t apply any filtering.

Just putting this here to make it clear it’s OK to do this if you’re just a home setup with a couple of subnets (instead of one).

And once again, I would remind that if EVERYTHING at home was on one subnet ( which is the case for 99.9% of people, then even this would not be needed. The only reason I came across it was the fact that my Proxmox has to talk via WLAN and therefore has to work in routed (two separate subnets) instead of bridged (same subnet as the host for VMs) mode, AND the silly printer does not understand DHCP option 121 so does not have a direct static route to the VMs bypassing pfsense…

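The asymmetric path described in this thread (B → X → P out, P → F → X → B back), as a small Python model added here; it is not code from any poster or from pfSense. The host addresses, the client port and the `StatefulFirewall` class are constructed for illustration, and the model assumes that only a bare SYN may create firewall state.

```python
from dataclasses import dataclass, field

# Constructed addresses: the thread gives only the subnets 192.168.42.x / 192.168.9.x.
B, P = "192.168.42.10", "192.168.9.20"   # scanning client, Brother printer
CLIENT_PORT, SCAN_PORT = 40000, 54921    # ephemeral port (constructed), scan port from the thread

@dataclass
class StatefulFirewall:
    """Simplified model of F (pfSense): only a bare SYN may create state."""
    bypass_same_interface: bool = False
    states: set = field(default_factory=set)
    dropped: list = field(default_factory=list)

    def forward(self, src, sport, dst, dport, flags):
        if self.bypass_same_interface:
            return True                      # LAN-in/LAN-out traffic is not filtered
        flow, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if flow in self.states or reverse in self.states:
            return True                      # belongs to a connection F has tracked
        if flags == {"SYN"}:
            self.states.add(flow)            # first packet of a new connection
            return True
        self.dropped.append((src, dst, "+".join(sorted(flags))))
        return False                         # mid-handshake packet with no state

def client_state(fw, request_path, reply_path):
    """Socket state on B after SYN and SYN-ACK travel the given hop lists."""
    packets = [
        (B, CLIENT_PORT, P, SCAN_PORT, {"SYN"}, request_path),
        (P, SCAN_PORT, B, CLIENT_PORT, {"SYN", "ACK"}, reply_path),
    ]
    for src, sport, dst, dport, flags, path in packets:
        # F only inspects packets that are actually routed through it.
        if "F" in path and not fw.forward(src, sport, dst, dport, flags):
            return "SYN_SENT"                # B keeps retransmitting its SYN
    return "ESTABLISHED"                     # B got the SYN-ACK and sends the final ACK

# Paths from the thread: B -> X -> P out, P -> F -> X -> B back.
REQUEST, REPLY_VIA_F = ["B", "X", "P"], ["P", "F", "X", "B"]
REPLY_DIRECT = ["P", "X", "B"]               # what a host honouring option 121 would do

if __name__ == "__main__":
    fw = StatefulFirewall()
    print("asymmetric:", client_state(fw, REQUEST, REPLY_VIA_F), fw.dropped)
    print("bypass on: ", client_state(StatefulFirewall(True), REQUEST, REPLY_VIA_F))
    print("direct:    ", client_state(StatefulFirewall(), REQUEST, REPLY_DIRECT))
```

The `dropped` list on the firewall object records the packet that a firewall log would show for the failing case: a SYN+ACK from the printer with no matching state.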
