Brother ADS-2400N Scanner — Setup Documentation
Scanner: Brother ADS-2400N
MAC: b4:22:00:22:b8:fe
IP: 10.69.50.10 (static DHCP, IOT VLAN)
Target: Paperless-ngx at 10.69.20.72 via SFTP
Overview
The scanner is placed in the IOT VLAN (50) and uploads scans directly to the Paperless-ngx consume directory on the Paperless server (10.69.20.72) via SFTP using public key authentication. Internet access is blocked. A dedicated chrooted SFTP user restricts the scanner to the consume directory only.
1. VyOS — Network & Firewall
Static DHCP Mapping
Added to the IOT DHCP pool:
set service dhcp-server shared-network-name IOT subnet 10.69.50.0/24 static-mapping brother-ads2400n mac-address b4:22:00:22:b8:fe
set service dhcp-server shared-network-name IOT subnet 10.69.50.0/24 static-mapping brother-ads2400n ip-address 10.69.50.10
Block Internet Access
Added rule 25 to ALLOW-INTERNET (before the default accept) to block the scanner from reaching the internet while leaving all other IOT devices unaffected:
set firewall name ALLOW-INTERNET rule 25 action drop
set firewall name ALLOW-INTERNET rule 25 description "Block scanner internet access"
set firewall name ALLOW-INTERNET rule 25 source address 10.69.50.10
IOT → SERVERS Firewall Policy
The default IOT→SERVERS policy (ALLOW-EST) only allows return traffic. A new named policy IOT-SERVERS was created to additionally allow the scanner to initiate SFTP to Paperless:
set firewall name IOT-SERVERS default-action drop
set firewall name IOT-SERVERS rule 10 action accept
set firewall name IOT-SERVERS rule 10 state established enable
set firewall name IOT-SERVERS rule 10 state related enable
set firewall name IOT-SERVERS rule 20 action drop
set firewall name IOT-SERVERS rule 20 state invalid enable
set firewall name IOT-SERVERS rule 100 action accept
set firewall name IOT-SERVERS rule 100 description "Scanner SFTP to paperless"
set firewall name IOT-SERVERS rule 100 source address 10.69.50.10
set firewall name IOT-SERVERS rule 100 destination address 10.69.20.72
set firewall name IOT-SERVERS rule 100 destination port 22
set firewall name IOT-SERVERS rule 100 protocol tcp
set zone-policy zone SERVERS from IOT firewall name IOT-SERVERS
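The ordering argument above (rule 25 must sit before the default accept in ALLOW-INTERNET; rule 100 in IOT-SERVERS only admits new SFTP connections from the scanner) can be checked before committing on the router. The following is an added example, not VyOS code: it parses the `set firewall name ...` lines from this page into ordered rulesets and evaluates constructed sample flows with first-match semantics. The `default-action accept` line for ALLOW-INTERNET is an assumption taken from the "before the default accept" remark; the sample flows and the hypothetical `flow()` helper are constructed for the example.

```python
"""First-match evaluation of the VyOS rulesets on this page (added example)."""
import ipaddress
import shlex

# The page's rule lines; the ALLOW-INTERNET default-action is assumed (see lead-in).
RULESET_TEXT = """
set firewall name ALLOW-INTERNET default-action accept
set firewall name ALLOW-INTERNET rule 25 action drop
set firewall name ALLOW-INTERNET rule 25 description "Block scanner internet access"
set firewall name ALLOW-INTERNET rule 25 source address 10.69.50.10
set firewall name IOT-SERVERS default-action drop
set firewall name IOT-SERVERS rule 10 action accept
set firewall name IOT-SERVERS rule 10 state established enable
set firewall name IOT-SERVERS rule 10 state related enable
set firewall name IOT-SERVERS rule 20 action drop
set firewall name IOT-SERVERS rule 20 state invalid enable
set firewall name IOT-SERVERS rule 100 action accept
set firewall name IOT-SERVERS rule 100 description "Scanner SFTP to paperless"
set firewall name IOT-SERVERS rule 100 source address 10.69.50.10
set firewall name IOT-SERVERS rule 100 destination address 10.69.20.72
set firewall name IOT-SERVERS rule 100 destination port 22
set firewall name IOT-SERVERS rule 100 protocol tcp
"""


def parse_rulesets(text):
    """Return {name: {"default": action, "rules": {number: criteria}}}."""
    rulesets = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)  # shlex keeps the quoted description as one token
        if tok[:3] != ["set", "firewall", "name"]:
            continue
        rs = rulesets.setdefault(tok[3], {"default": "drop", "rules": {}})
        if tok[4] == "default-action":
            rs["default"] = tok[5]
            continue
        rule = rs["rules"].setdefault(int(tok[5]), {"states": set()})
        key, rest = tok[6], tok[7:]
        if key == "action":
            rule["action"] = rest[0]
        elif key == "description":
            rule["description"] = rest[0]
        elif key in ("source", "destination") and rest[0] == "address":
            rule[key + "_address"] = ipaddress.ip_network(rest[1], strict=False)
        elif key == "destination" and rest[0] == "port":
            rule["destination_port"] = int(rest[1])
        elif key == "protocol":
            rule["protocol"] = rest[0]
        elif key == "state" and rest[1] == "enable":
            rule["states"].add(rest[0])
    return rulesets


def rule_matches(rule, pkt):
    """Every criterion set on the rule must match; state matches any enabled state."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if "source_address" in rule and src not in rule["source_address"]:
        return False
    if "destination_address" in rule and dst not in rule["destination_address"]:
        return False
    if "protocol" in rule and rule["protocol"] != pkt["proto"]:
        return False
    if "destination_port" in rule and rule["destination_port"] != pkt["dport"]:
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    return True


def evaluate(rulesets, name, pkt):
    """Lowest-numbered matching rule decides; otherwise the ruleset's default-action."""
    rs = rulesets[name]
    for num in sorted(rs["rules"]):
        if rule_matches(rs["rules"][num], pkt):
            return rs["rules"][num].get("action", rs["default"]), num
    return rs["default"], None


def flow(src, dst, dport=22, proto="tcp", state="new"):
    """Hypothetical helper: a constructed flow as seen by the ruleset."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "state": state}


if __name__ == "__main__":
    rs = parse_rulesets(RULESET_TEXT)
    print(evaluate(rs, "IOT-SERVERS", flow("10.69.50.10", "10.69.20.72")))
    print(evaluate(rs, "ALLOW-INTERNET", flow("10.69.50.10", "8.8.8.8", dport=443)))
```

Any other IOT host trying to reach the Paperless server on a new connection falls through to the IOT-SERVERS default drop, and the scanner is dropped by rule 25 in ALLOW-INTERNET while the rest of the VLAN still hits the default accept.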
2. Paperless Server (10.69.20.72)
System User
useradd -m -s /usr/bin/nologin scanner
The scanner authenticates via public key — no password needed.
Group Membership
The consume directory (/HDD/paperless/consume) is owned by marko:marko (UID/GID 1000, matching USERMAP_UID=1000 in the Paperless container config). The scanner user was added to the marko group to allow writes:
usermod -aG marko scanner
chmod 775 /HDD/paperless/consume
Chroot Directory Ownership
OpenSSH requires the ChrootDirectory and all its parent path components to be owned by root and not group/world writable. Both /HDD and /HDD/paperless must be root-owned:
chown root:root /HDD
chown root:root /HDD/paperless
/HDD/paperless/consume stays owned by marko:marko so the Paperless container (UID 1000) and the scanner user (via group membership) can both access it.
SSH Key Pair
The ADS-2400N only supports RSA keys. A 2048-bit RSA key pair is generated directly on the scanner (Brother-ADS); on the server, the authorized_keys file that will hold the scanner's public key is prepared:
mkdir -p /home/scanner/.ssh
chown -R scanner:scanner /home/scanner/.ssh
chmod 700 /home/scanner/.ssh
touch /home/scanner/.ssh/authorized_keys
chmod 600 /home/scanner/.ssh/authorized_keys
The server host public key (/etc/ssh/ssh_host_rsa_key.pub) was uploaded to the scanner under Server Public Key.
sshd_config Changes
The ADS-2400N uses a legacy SSH client that requires deprecated algorithms. These must be re-enabled globally (HostKeyAlgorithms and KexAlgorithms are not permitted inside Match blocks):
# Added globally
HostKeyAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group14-sha1
# Match block for scanner user
Match User scanner
ChrootDirectory /HDD/paperless
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
PubkeyAcceptedAlgorithms +ssh-rsa
Security note: The deprecated algorithms are acceptable here because the scanner user is chrooted, SFTP-only, with no shell access and no TCP forwarding.
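Two of the requirements in this section are easy to get wrong silently: every path component of the ChrootDirectory must be root-owned and not group/world writable, and HostKeyAlgorithms/KexAlgorithms must stay outside the Match block. The following added example (not OpenSSH tooling, not part of this setup) checks both: it walks the chroot path with the same rule sshd applies, and lints an sshd_config text for global-only directives that follow a Match line. The `stat_fn` parameter and `stat_from_table` helper are constructed so the check can run against made-up ownership data offline; in real use pass the default `os.stat`. The `GLOBAL_ONLY` set is deliberately limited to the two directives this page names.

```python
"""Chroot ownership and sshd_config Match-block checks (added example)."""
import os
import stat
from pathlib import PurePosixPath

# Directives this page says are not permitted inside Match blocks (constructed list).
GLOBAL_ONLY = {"hostkeyalgorithms", "kexalgorithms"}

# The page's sshd_config additions, and a variant with the algorithm lines misplaced.
SSHD_CONFIG_OK = """
# Added globally
HostKeyAlgorithms +ssh-rsa
KexAlgorithms +diffie-hellman-group14-sha1
# Match block for scanner user
Match User scanner
    ChrootDirectory /HDD/paperless
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PubkeyAcceptedAlgorithms +ssh-rsa
"""
SSHD_CONFIG_BAD = """
Match User scanner
    ChrootDirectory /HDD/paperless
    ForceCommand internal-sftp
    HostKeyAlgorithms +ssh-rsa
"""


def path_components(chroot):
    """'/HDD/paperless' -> ['/', '/HDD', '/HDD/paperless']; each one must pass."""
    p = PurePosixPath(chroot)
    return [str(x) for x in list(reversed(p.parents)) + [p]]


def check_chroot_chain(chroot, stat_fn=os.stat):
    """Return a list of problems; an empty list means sshd will accept the chroot."""
    problems = []
    for comp in path_components(chroot):
        st = stat_fn(comp)
        if st.st_uid != 0:
            problems.append(f"{comp}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = oct(stat.S_IMODE(st.st_mode))
            problems.append(f"{comp}: mode {mode} is group/world writable")
    return problems


def stat_from_table(table):
    """Constructed stand-in for os.stat: table maps path -> (uid, permission bits)."""
    class St:  # minimal os.stat_result look-alike
        def __init__(self, uid, mode):
            self.st_uid, self.st_mode = uid, stat.S_IFDIR | mode
    return lambda path: St(*table[path])


def lint_match_blocks(config_text):
    """Flag global-only directives that appear after a Match line (Match all included)."""
    findings, in_match = [], None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        keyword = line.split(None, 1)[0]
        if keyword.lower() == "match":
            in_match = line
            continue
        if in_match and keyword.lower() in GLOBAL_ONLY:
            findings.append(f"line {lineno}: {keyword} is not allowed inside '{in_match}'")
    return findings


if __name__ == "__main__":
    # Live check against this page's chroot path, when run on the Paperless server.
    if os.path.isdir("/HDD/paperless"):
        print(check_chroot_chain("/HDD/paperless") or "chroot chain OK")
    print(lint_match_blocks(SSHD_CONFIG_OK) or "sshd_config Match placement OK")
```

Run the chroot check after the chown commands above and again after any later permission change on /HDD; `sshd -t` on the server catches the Match-block placement error too, but only after the file has been written.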
3. Scanner Web UI Configuration
Settings applied under Scan → SFTP Profile:
| Setting | Value |
|---|---|
| Host Address | 10.69.20.72 |
| Port | 22 |
| Username | scanner |
| Auth Method | Public Key |
| Client Key Pair | scanner (uploaded RSA private key) |
| Server Public Key | paperless.pub (server host RSA public key) |
| Store Directory | consume |
| File Type | PDF Multi-Page |
| Quality | Color 300 dpi |
| File Size | Large (less compression, better OCR quality) |
Scanning Recommendations
| Document type | Mode |
|---|---|
| Letters, invoices, contracts | Grayscale or Black & White |
| Receipts, color documents | Color |
- 300 DPI is optimal for Paperless/Tesseract OCR — higher DPI increases file size with no OCR benefit
- PDF Multi-Page ensures multi-page documents are uploaded as a single file
- File Size: Large = lower compression = better OCR accuracy
4. Paperless-ngx Consume
The Paperless container has the consume directory bind-mounted:
Volume=/HDD/paperless/consume:/usr/src/paperless/consume
Files uploaded by the scanner to /HDD/paperless/consume are automatically picked up by Paperless via inotify (no polling interval configuration needed).