Skip to main content
nalexiou
Staff & Editor
nalexiou
Staff & Editor
January 9, 2025

Technical Tip: Difference between multicast forwarding and multicast routing

  • January 9, 2025
  • 0 replies
  • 2802 views
Description This article describes the difference in multicast policy configuration when using multicast forwarding versus multicast routing.
Scope FortiGate configured with multicast forwarding or multicast routing.
Solution

Multicast forwarding:

Multicast forwarding is a feature that enables multicast packets to be efficiently distributed directly between multicast routers and receivers connected to the FortiGate. Once a multicast forwarding policy is configured, the FortiGate sends an IGMP Membership Query, which enables it to receive IGMP Membership Reports. IGMP Membership Reports are sent by the hosts that want to receive the multicast traffic (multicast receivers).

Multicast forwarding is enabled by default, and it only requires a multicast policy to allow the traffic. The policy direction is from the interface facing the receiver to the interface facing the source, with the source IP being the receiver IP. Multicast forwarding is useful with simple setups where the multicast source and receiver are directly connected to the same FortiGate, and a multicast routing protocol is not used.

 

Untitled Diagram - 01.drawio.png

 

Multicast forwarding policy configuration:

 

config system settings

    set multicast-forward enable

end

 

config router multicast

    set multicast-routing disable

end

 

config firewall multicast-policy
    edit 1
        set name "multicast_forwarding"
        set srcintf "port1" <-- Receiver facing interface
        set dstintf "port2" <-- Source facing interface
        set srcaddr "PC1"
        set dstaddr "multicast_group"
    next

end

 

Note:

If the destination is all, it means all multicast addresses in the range 224.0.0.0-239.255.255.255.
If both interface and addr are set to any or all in the multicast-policy, flooding can occur on all interfaces except the receiving interface.

Be aware that flooding can increase sessions and resources.


Multicast routing:

Multicast routing involves multicast routing protocols such as PIM sparse-mode and PIM dense-mode. This feature allows more control over multicast traffic, which is useful in more complex setups. Enabling multicast routing will automatically disable multicast forwarding even if it was enabled in the settings.

Multicast routing policies differ from multicast forwarding policies in policy direction and source address, as seen in the example below. To verify the multicast forwarding status, the command diagnose sys vd list can be used. The example configuration below is for PIM dense-mode. The multicast policy configuration is the same for PIM sparse-mode.

 

Untitled Diagram - 02.drawio.png

 

Multicast routing policy configuration (FGT-01):

 

config system settings

    set multicast-forward disable

end

 

config router multicast

    set multicast-routing enable

        config interface

            edit "port1"

                set pim-mode dense-mode

                set passive enable

            next

            edit "port2"

                set pim-mode dense-mode

            next

        end

end

 

config firewall multicast-policy
    edit 1
        set name "multicast_routing"
        set srcintf "port2" <-- Source facing interface
        set dstintf "port1" <-- Receiver facing interface
        set srcaddr "PC2"
        set dstaddr "multicast_group"
    next

end

 

Multicast routing policy configuration (FGT-02):

 

config system settings

    set multicast-forward disable

end

 

config router multicast

    set multicast-routing enable

        config interface

            edit "port1"

                set pim-mode dense-mode

            next

            edit "port2"

                set pim-mode dense-mode

                set passive enable

            next

        end

end

 

config firewall multicast-policy
    edit 1
        set name "multicast_routing"
        set srcintf "port2" <-- Source facing interface
        set dstintf "port1" <-- Receiver facing interface
        set srcaddr "PC2"
        set dstaddr "multicast_group"
    next

end

 

To verify the multicast forwarding status:

 

FGT-01 # diagnose sys vd list
system fib version=154
list virtual firewall info:
name=root/root index=0 enabled fib_ver=0 rpdb_ver=0 use=35 rt_num=9 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-ip-based, ecmp6=source-ip-based asym_rt6=0 rt6_num=10 strict_src_check=0 dns_log=1 ses_num=14 ses6_num=1 pkt_num=8939167
tree_flag=1 tree6_flag=1 traffic_log=1 extended_traffic_log=0
deny_tcp_with_icmp=0 ses_denied_traffic=no mc_ses_denied_traffic=no tcp_no_syn_check=0 central_nat=0 policy_mode_ngfw=0 block_land_attack=0 link_check_local_in=0
gtp_asym_fgsp=no
fw_session_hairpin=no keep-PRP-trailer=0 auxiliary_ses=0 dup_num=2
ipv4_rate=0, ipv6_rate=0, mcast6-PMTU=0, allow_linkdown_path=0
per_policy_disclaimer=0 pcp=0
    Terms & ConditionsAccessibility statement