Pazzeo1
New Member
September 5, 2025
Question

Allow Forward broadcast from the same interface


Hello,

I'm using a FortiGate 201E with firmware version 6.4.4.

I have traffic received on port3 which needs to be translated to the broadcast address of port3. This means that the traffic needs to go out the same interface (ingress = egress).

So, I did the following configuration:

On port3 I have disabled anti-spoofing and enabled broadcast forwarding.

    edit "port3"
        set vdom "root"
        set ip 192.168.1.126 255.255.255.128
        set allowaccess ping
        set broadcast-forward enable
        set vlanforward enable
        set type physical
        set src-check disable
        set alias "SERVICE"
        set security-mode captive-portal
        set security-exempt-list "port3-exempt-list"
        set role lan
        set snmp-index 11

Then, I created the VIP like this:

    edit "DNAT_SERVICE"
        set uuid 14e3dde2-8a4d-51f0-58aa-109e4a3fac68
        set extip 192.168.1.126
        set mappedip "192.168.1.127"
        set extintf "port3"
        set portforward enable
        set protocol udp
        set extport 445
        set mappedport 445
    next

Then, I have the following policy:

        set name "SERVICE TRANSLATE"
        set uuid eee66168-88cc-51f0-8f68-3c1e08e4e818
        set srcintf "port3"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "DNAT_SERVICE"
        set action accept
        set schedule "always"
        set service "SERVICE_UDP"
        set anti-replay disable

However, I have the following errors:

    id=20085 trace_id=1433 func=print_pkt_detail line=5700 msg="vd-root:0 received a packet(proto=17, 10.10.22.1:47689->192.168.1.126:445) from port3. "
    id=20085 trace_id=1433 func=init_ip_session_common line=5871 msg="allocate a new session-042afdcf"
    id=20085 trace_id=1433 func=iprope_dnat_check line=5005 msg="in-[port3], out-[]"
    id=20085 trace_id=1433 func=iprope_dnat_tree_check line=833 msg="len=1"
    id=20085 trace_id=1433 func=__iprope_check_one_dnat_policy line=4878 msg="checking gnum-100000 policy-3"
    id=20085 trace_id=1433 func=get_new_addr line=1167 msg="find DNAT: IP-192.168.1.127, port-445"
    id=20085 trace_id=1433 func=__iprope_check_one_dnat_policy line=4961 msg="matched policy-3, act=accept, vip=3, flag=100, sflag=2000000"
    id=20085 trace_id=1433 func=iprope_dnat_check line=5018 msg="result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000100"
    id=20085 trace_id=1433 func=fw_pre_route_handler line=182 msg="VIP-192.168.1.127:445, outdev-port3"
    id=20085 trace_id=1433 func=__ip_session_run_tuple line=3492 msg="DNAT 192.168.1.126:445->192.168.1.127:445"
    id=20085 trace_id=1433 func=vf_ip_route_input_common line=2584 msg="find a route: flag=90000000 gw-192.168.1.127 via root"
    id=20085 trace_id=1433 func=iprope_in_check line=421 msg="in-[port3], out-[], skb_flags-020000c0, vid-3"
    id=20085 trace_id=1433 func=__iprope_check line=2164 msg="gnum-100011, check-ffffffffa002a7c0"
    id=20085 trace_id=1433 func=iprope_policy_group_check line=4450 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
    id=20085 trace_id=1433 func=__iprope_check line=2164 msg="gnum-100001, check-ffffffffa00288e0"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-100001 policy-1, ret-matched, act-accept"
    id=20085 trace_id=1433 func=__iprope_check line=2183 msg="gnum-100001 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
    id=20085 trace_id=1433 func=iprope_policy_group_check line=4450 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
    id=20085 trace_id=1433 func=__iprope_check line=2164 msg="gnum-10000e, check-ffffffffa00288e0"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=2135 msg="policy-4294967295 is matched, act-drop"
    id=20085 trace_id=1433 func=__iprope_check line=2183 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000001, flag2-00000000"
    id=20085 trace_id=1433 func=iprope_policy_group_check line=4450 msg="after check: ret-matched, act-drop, flag-00000001, flag2-00000000"
    id=20085 trace_id=1433 func=__iprope_check line=2164 msg="gnum-10000f, check-ffffffffa00288e0"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=2135 msg="policy-4294967295 is matched, act-drop"
    id=20085 trace_id=1433 func=__iprope_check line=2183 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000001, flag2-00000000"
    id=20085 trace_id=1433 func=iprope_policy_group_check line=4450 msg="after check: ret-matched, act-drop, flag-00000001, flag2-00000000"
    id=20085 trace_id=1433 func=fw_local_in_handler line=431 msg="iprope_in_check() check failed on policy 0, drop

I don't understand why the system is dropping the packet.

Checking the routing table for 192.168.1.127 seems to be ok:

    Routing table for VRF=0
    Routing entry for 192.168.1.0/25
      Known via "connected", distance 0, metric 0, best
      * is directly connected, port3 distance 0

Can anyone help me please?

Thanks

Paz
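Added example, not part of the original post and not Fortinet tooling: a small Python parser that reduces a debug flow trace like the one above to the packet, the DNAT rewrite, the route lookup, the policy groups that returned a drop, and the handler that issued the final drop. The sample lines are copied from the post's trace and left run together, without the final closing quote, as pasted; the function and field names are this example's own.

```python
import re

# Lines copied from the post's trace, deliberately left flattened as pasted.
SAMPLE_TRACE = (
    'id=20085 trace_id=1433 func=print_pkt_detail line=5700 msg="vd-root:0 received a '
    'packet(proto=17, 10.10.22.1:47689->192.168.1.126:445) from port3. " '
    'id=20085 trace_id=1433 func=__ip_session_run_tuple line=3492 '
    'msg="DNAT 192.168.1.126:445->192.168.1.127:445" '
    'id=20085 trace_id=1433 func=vf_ip_route_input_common line=2584 '
    'msg="find a route: flag=90000000 gw-192.168.1.127 via root" '
    'id=20085 trace_id=1433 func=__iprope_check line=2183 msg="gnum-10000e check '
    'result: ret-matched, act-drop, flag-00000001, flag2-00000000" '
    'id=20085 trace_id=1433 func=fw_local_in_handler line=431 '
    'msg="iprope_in_check() check failed on policy 0, drop'
)

ENTRY = re.compile(r'id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)', re.S)

def parse_flow(text):
    """Return (trace_id, func, msg) tuples, even when entries are run together."""
    entries = []
    for chunk in re.split(r'(?=id=\d+ trace_id=\d+ func=)', text):
        m = ENTRY.match(chunk.strip())
        if m:
            # Collapse wrapped whitespace and drop the closing quote if present.
            msg = " ".join(m.group(3).split()).rstrip('"').strip()
            entries.append((int(m.group(1)), m.group(2), msg))
    return entries

def summarize(entries):
    """Reduce one trace to the facts needed for triage."""
    s = {"packet": None, "dnat": None, "route": None,
         "drop_groups": [], "dropped_by": None}
    for _, func, msg in entries:
        if func == "print_pkt_detail":
            m = re.search(r'packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.', msg)
            s["packet"] = m.groups() if m else None
        elif msg.startswith("DNAT "):
            s["dnat"] = msg[5:]
        elif msg.startswith("find a route:"):
            s["route"] = re.search(r'gw-(\S+)', msg).group(1)
        elif "check result:" in msg and "act-drop" in msg:
            s["drop_groups"].append(msg.split()[0])
        elif msg.endswith(", drop"):
            s["dropped_by"] = func  # function that made the final drop decision
    return s

def dropped_as_local_in(summary):
    # fw_local_in_handler is the name in the post's trace: the packet was checked
    # as traffic addressed to the firewall itself rather than as forwarded traffic.
    return summary["dropped_by"] == "fw_local_in_handler"
```
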

2 replies

Anthony_E
Staff
September 8, 2025

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
AEK
SuperUser
September 9, 2025

Hi Paz

I personally didn't know this could be possible. Do you have any tech tip describing this possibility?

On the other hand, I only know a technique to forward broadcast (from broadcast) via VIP.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Forwarding-IP-broadcast-to-a-different-network/ta-p/215005

AEK