Ziti Mobile Edge Prevents LAN Traffic From Resolving/Connecting

Having Ziti Mobile Edge active on Android prevents network printers from being visible while on Wi-Fi.
I have also noticed that this prevents things like "private DNS" on Android from resolving/connecting.

Regarding printing, I also created a service that forwards a number of ports to a network printer, but it always shows the printer as offline.
To be certain, I forwarded a port range of 1-65535, and allowed TCP and UDP.

Can you elaborate on your setup? What Android Print Service do you use?
Maybe a screenshot of your Settings/Print Service with and without the tunneler active?

Sure!

I am using the default print service.

Here is a screenshot without the tunneler active:

Here is a screenshot with the tunneler active:

I created the service with these commands:

ziti edge create config printer-intercept-config intercept.v1 '{"protocols":["tcp", "udp"], "addresses":["printer.domain.com"], "portRanges":[{"low":80, "high":80}, {"low":443, "high":443}, {"low":8080, "high":8080}, {"low":9100, "high":9100}, {"low":515, "high":515}, {"low":631, "high":631}, {"low":161, "high":161}, {"low":137, "high":139}, {"low":445, "high":445}, {"low":25, "high":445}]}'
ziti edge create config printer-host-config host.v1 '{"address":"xxx.xxx.xxx.xxx","forwardProtocol":true,"forwardPort":true,"allowedProtocols":["tcp", "udp"],"allowedPortRanges":[{"low":80, "high":80}, {"low":443, "high":443}, {"low":8080, "high":8080}, {"low":9100, "high":9100}, {"low":515, "high":515}, {"low":631, "high":631}, {"low":161, "high":161}, {"low":137, "high":139}, {"low":445, "high":445}, {"low":25, "high":445}]}'
ziti edge create service printer --configs printer-intercept-config,printer-host-config
ziti edge create service-policy printer-dial-policy Dial --semantic AnyOf --service-roles @printer-id-goes-here --identity-roles '#all-services'
ziti edge create service-policy printer-bind-policy Bind --semantic AnyOf --service-roles @printer-id-goes-here --identity-roles @router-id-goes-here

I did try this with WireGuard, and it fails to find the printer there as well.

What version of ZME are you running?

I am running version 0.12.2 :slight_smile:

So, as far as I can tell, you have two unrelated issues:

  1. LAN printer discovery when ZME is running
  2. connecting to a printer over the Ziti network

Re (1): I've tried several devices I have and all of them (including development emulators) did not have any issues with my local printer discovery.


Re (2): I have not tried to set up a printer service.

Edit: what happens if you try to add the printer by IP address while ZME is running?

Edit 2: make sure you don't have a service that might intercept local traffic.

Backing up a little, do you have any relevant service/host/intercept configurations so that you can access 192.168.33.222?

If I have Ziti active, for about 1/16th of a second I see the printer information, but then it immediately goes back to "Searching for printers".

Regarding adding the printer via IP address with Ziti active, it instantly says, "No printer found at this address".

If I try adding it via the hostname defined in the Ziti printer service, it successfully adds the printer.
However, if I open a document, and then do Share -> Print, and then select the printer, it shows the error, "This printer isn't available right now."

Also, do you have any thoughts on why DNS-over-HTTPS is not working through Ziti?

This deserves its own thread :wink:

I was able to set up my home printer for over-Ziti access:

  1. service:
  2. configuration
    print-host (host.v1):
{
  "address": "192.168.33.222",
  "forwardProtocol": true,
  "forwardPort": true,
  "allowedPortRanges": [
    {
      "low": 0,
      "high": 65535
    }
  ],
  "allowedProtocols": [
    "tcp",
    "udp"
  ],
  "httpChecks": [],
  "portChecks": []
}

    print-intercept (intercept.v1):

{
  "portRanges": [
    {
      "low": 0,
      "high": 65535
    }
  ],
  "addresses": [
    "printer.ek"
  ],
  "protocols": [
    "tcp",
    "udp"
  ]
}
  3. service hosting is assigned to a rPI on my home LAN
  4. I can print from my Mac over Ziti:
  5. I can add it on my Android device

It might be worth assigning a specific IP address on the intercept side, since Android print services seem to prefer IPs over DNS names. I would pick an IP outside of the local LAN (192.168.x.x) and Ziti CNAT (100.64.x.x).

On the intercept.v1, I added a hostname and the LAN IP address.

When I do Share -> Print, it hangs on "Searching for printers", even though the printer is saved.

I can access the web interface of the printer, so it obviously can connect.

Do you have any thoughts on what could be preventing the discovery?

Is the "LAN IP" you added distinct from the directly attached subnets representing your LAN and Ziti's DNS intercepts?

Have you identified which printer discovery protocol you're attempting to tunnel? It may be using multicast (224.0.0.0/4, FF00::/8), and I assume Ziti will ignore that range. Some of these printer-related apps don't make it obvious how they magically discover printers. I'm pretty sure the traffic must be unicast to be intercepted, not multicast or broadcast.

It is not. It is on a standard 192.168.1.xxx subnet.
Why are you thinking it would need to be on a different subnet?

There are no services that intercept local traffic on that address.

For reference, here is the intercept:

{
  "name": "printer-intercept-config",
  "data": {
    "portRanges": [
      {
        "low": 1,
        "high": 65535
      }
    ],
    "addresses": [
      "printer.domain.com",
      "192.168.1.xxx"
    ],
    "protocols": [
      "tcp",
      "udp"
    ]
  },
  "tags": {}
}

and the host:

{
  "name": "printer-host-config",
  "data": {
    "address": "192.168.1.xxx",
    "forwardProtocol": true,
    "forwardPort": true,
    "allowedPortRanges": [
      {
        "low": 1,
        "high": 65535
      }
    ],
    "allowedProtocols": [
      "tcp",
      "udp"
    ],
    "httpChecks": [],
    "portChecks": []
  },
  "tags": {}
}

As for the method, Android primarily uses multicast.

I noticed that when I add the printer manually, it says that it connects to ipp://printer.domain.com:631/ipp/printer.

The confusing thing is, it obviously connects, but then when I try to actually print something, it sees it as offline.
So there must be some other sort of probe going on.

I meant to verify that the intercept config addresses are not colliding with your LAN. For example, if your directly-attached subnet is 192.168.1.0/24, you can't use any address in that CIDR for a Ziti intercept address, or you'll have an ambiguous route. I expect most devices will prefer the directly attached subnet and ignore any intercept in that range since its route has a lower precedence.

I expect multicast-based discovery protocols will function normally when you're on the same LAN as the printer, irrespective of Ziti tunnel enablement, because I don't expect Ziti to intercept multicast addresses.

It should be possible to tunnel the unicast address of the printer assuming your Ziti service provides the necessary port and protocol, e.g. TCP, and you're able to bypass discovery and manually configure the printer's address in the driver software.
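The two checks raised in this thread (an intercept address that falls inside the directly attached LAN subnet, and discovery traffic that is multicast and therefore not intercepted) plus the port coverage between the intercept.v1 and host.v1 sides can be scripted. The following is an added example, not code from the thread or from the OpenZiti project; it assumes only the config fields shown in the posts above, and the sample configs are constructed with a placeholder host octet (192.168.1.50) in place of the redacted "xxx".

```python
"""Sanity checks for a Ziti intercept.v1 / host.v1 config pair.

Added example; not code from the thread or from the OpenZiti project. It only
assumes the config fields shown in the thread ("addresses", "portRanges",
"protocols", "address", "forwardPort", "allowedPortRanges", "allowedProtocols").
"""
import ipaddress
import json

# Constructed sample, modelled on the configs posted above. The thread redacts
# the printer's host octet as "xxx"; 192.168.1.50 is a placeholder.
INTERCEPT = json.loads("""
{"portRanges": [{"low": 1, "high": 65535}],
 "addresses": ["printer.domain.com", "192.168.1.50"],
 "protocols": ["tcp", "udp"]}
""")
HOST = json.loads("""
{"address": "192.168.1.50", "forwardProtocol": true, "forwardPort": true,
 "allowedPortRanges": [{"low": 1, "high": 65535}],
 "allowedProtocols": ["tcp", "udp"]}
""")
# The port list from the first set of commands in the thread, used for the merge check.
USER_RANGES = [{"low": 80, "high": 80}, {"low": 443, "high": 443},
               {"low": 8080, "high": 8080}, {"low": 9100, "high": 9100},
               {"low": 515, "high": 515}, {"low": 631, "high": 631},
               {"low": 161, "high": 161}, {"low": 137, "high": 139},
               {"low": 445, "high": 445}, {"low": 25, "high": 445}]

MULTICAST = [ipaddress.ip_network("224.0.0.0/4"), ipaddress.ip_network("ff00::/8")]


def classify_address(addr, lan_cidrs):
    """Describe how a tunneler on a host attached to lan_cidrs would treat addr."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "hostname"  # resolved by the tunneler's DNS; no LAN route to compete with
    if any(ip in net for net in MULTICAST):
        return "multicast"  # discovery traffic; not intercepted
    if any(ip in ipaddress.ip_network(c) for c in lan_cidrs):
        return "collides-with-lan"  # the directly attached route is preferred
    return "ok"


def normalize_ranges(ranges):
    """Merge overlapping or adjacent {"low","high"} ranges into sorted tuples."""
    merged = []
    for low, high in sorted((r["low"], r["high"]) for r in ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def host_covers_intercept(intercept, host):
    """True if every intercepted port and protocol is allowed by the host side."""
    if host.get("forwardPort"):
        allowed = normalize_ranges(host.get("allowedPortRanges", []))
        for low, high in normalize_ranges(intercept["portRanges"]):
            # each intercepted range must sit inside one allowed range
            if not any(a <= low and high <= b for a, b in allowed):
                return False
    if host.get("forwardProtocol"):
        if not set(intercept["protocols"]) <= set(host.get("allowedProtocols", [])):
            return False
    return True


def check_pair(intercept, host, lan_cidrs):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for addr in intercept["addresses"]:
        kind = classify_address(addr, lan_cidrs)
        if kind == "collides-with-lan":
            findings.append(f"{addr}: inside a directly attached subnet, the LAN route wins")
        elif kind == "multicast":
            findings.append(f"{addr}: multicast, discovery traffic is not intercepted")
    if not host_covers_intercept(intercept, host):
        findings.append("host.v1 does not allow every port/protocol the intercept forwards")
    return findings


def run_example():
    """Check the sample pair against a 192.168.1.0/24 LAN like the one in the thread."""
    return check_pair(INTERCEPT, HOST, ["192.168.1.0/24"])


if __name__ == "__main__":
    for line in run_example():
        print(line)
    print("merged port list from the first post:", normalize_ranges(USER_RANGES))
```

Running it flags the 192.168.1.50 intercept address as colliding with the LAN, which is the ambiguous-route situation described above, while the hostname passes. The merged view of the first post's port list also makes visible that the trailing `{"low":25, "high":445}` entry widens the service to every port from 25 to 445 rather than the individual printer ports listed beside it, which is worth tightening on both the intercept and host sides.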