Enabling multicast forwarding
Multicast forwarding is enabled by default. In NAT mode you must use the multicast-forward
keyword of the system settings
CLI command to enable or disable multicast forwarding. When multicast-forward
is enabled, the FortiGate unit forwards any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header will be reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add security policies to actually allow multicast packets through the FortiGate. In our example, the security policy allows multicast packets received by the internal interface to exit to the external interface.
Enabling multicast forwarding is only required if your FortiGate unit is operating in NAT mode. If your FortiGate unit is operating in transparent mode, adding a multicast policy enables multicast forwarding. |
Enter the following CLI command to enable multicast forwarding:
config system settings
set multicast-forward enable
end
If multicast forwarding is disabled and the FortiGate unit drops packets that have multicast source or destination addresses.
You can also use the multicast-ttl-notchange
keyword of the system settings
command so that the FortiGate unit does not increase the TTL value for forwarded multicast packets. You should use this option only if packets are expiring before reaching the multicast router.
config system settings
set multicast-ttl-notchange enable
end
In transparent mode, the FortiGate unit does not forward frames with multicast destination addresses. Multicast traffic such as the one used by routing protocols or streaming media may need to traverse the FortiGate unit, and should not be interfere with the communication. To avoid any issues during transmission, you can set up multicast security policies. These types of security policies can only be enabled using the CLI.
The CLI parameter multicast-skip-policy must be disabled when using multicast security policies. To disable enter the commandconfig system settings set multicast-skip-policy disable end |
In this simple example, no check is performed on the source or destination interfaces. A multicast packet received on an interface is flooded unconditionally to all interfaces on the forwarding domain, except the incoming interface.
To enable the multicast policy
config firewall multicast-policy
edit 1
set action accept
end
In this example, the multicast policy only applies to the source port of WAN1 and the destination port of Internal.
To enable the restrictive multicast policy
config firewall multicast-policy
edit 1
set srcintf wan1
set dstinf internal
set action accept
end
In this example, packets are allowed to flow from WAN1 to Internal, and sourced by the address 172.20.120.129, which is represented by the address object "example_addr-1".
To enable the restrictive multicast policy
config firewall multicast-policy
edit 1
set srcintf wan1
set srcaddr example_addr-1
set dstinf internal
set action accept
end
This example shows how to configure the multicast security policy required for the configuration shown. This policy accepts multicast packets that are sent from a PC with IP address 192.168.5.18 to destination address range 239.168.4.0. The policy allows the multicast packets to enter the internal interface and then exit the external interface. When the packets leave the external interface their source address is translated to 192.168.18.10
config firewall multicast-policy
edit 5
set srcaddr 192.168.5.18 255.255.255.255
set srcintf internal
set destaddr 239.168.4.0 255.255.255.0
set dstintf external
set nat 192.168.18.10
end
This example shows how to configure a multicast security policy so that the FortiGate unit forwards multicast packets from a multicast Server with an IP 10.10.10.10 is broadcasting to address 225.1.1.1. This Server is on the network connected to the FortiGate DMZ interface.
config firewall multicast-policy
edit 1
set srcintf DMZ
set srcaddr 10.10.10.10 255.255.255.255
set dstintf Internal
set dstaddr 225.1.1.1 255.255.255.255
set action accept
edit 2
set action deny
end