Description
This article describes how to configure Apple Airprint between two subnets configured on different interfaces.
Scope
FortiGate.
Solution
Configuration.
- Enable Multicast forwarding:
config system settings
set multicast-forward enable
end
- Interface configuration:
Two different interfaces have two different IP addresses assigned.
config system interface
edit "internal1"
set vdom "root"
set ip 192.168.1.1 255.255.255.0
set allowaccess ping https ssh snmp http fgfm ftm
set type physical
set device-identification enable
next
edit "internal7"
set vdom "root"
set ip 192.168.2.1 255.255.255.0
set allowaccess ping https ssh
set type physical
set device-identification enable
next
end
-
Configuring Multicast Policies:
config firewall multicast-policy
edit 1
set logtraffic enable
set srcintf "internal1"
set dstintf "internal7"
set srcaddr "all"
set dstaddr "Bonjour" --> Bonjour is used by Apple, please configure this as per requirements
set protocol 17
set end-port 5353
next
edit 2
set logtraffic enable
set srcintf "internal7"
set dstintf "internal1"
set srcaddr "all"
set dstaddr "Bonjour"
set protocol 17
set end-port 5353
next
end
Multicast policies can also be configured via GUI by enabling it in the System -> Feature visibility -> Multicast Policy.
-
Check if multicast routing is enabled or not:
config router multicast
set multicast-routing disable
end
Note:
If multicast routing is enabled, the traffic is received on the internal1 interface but not forwarded out of the internal7 interface.
The reason is that the destination IP, with the packets received on FortiGate, is part of the 'Local Network Control Block' and by default, it is not forwarded out of the L3 interface.
It is also necessary to have a normal IPv4 firewall policy between these 2 different interfaces as once the device is detected the traffic becomes unicast traffic.
Related article:
Technical Note : Extending AirPlay and AirPrint communication
