FortiGate
Anonymous
Article Id 193690

Description

 

This article describes how to use AirPlay and AirPrint when a FortiWiFi unit separates client and server AirPlay and AirPrint devices.

 

Scope

 

FortiGate.


Solution

 
To configure the FortiWiFi unit to allow printing to an AirPrint-compatible printer, the network topology determines the solution. For example, if an iPhone and an AirPrint-compatible printer both use WiFi to connect to the same FortiWiFi wireless access point on the same subnet, no FortiWiFi configuration changes are required as long as intra-SSID traffic is not blocked. The iPhone and the printer can communicate directly.

If the iPhone and the AirPrint-compatible printer are on different networks separated by a FortiWiFi unit, use the information below to allow all AirPrint communication through the FortiWiFi unit.
 
Check the following if issues are encountered:
 
  • Check whether multicast routing is enabled:


config router multicast
    set multicast-routing disable
end

 

  • If multicast routing is enabled, the traffic is received on the incoming interface but not forwarded via the outgoing interface.
  • The reason is that the destination IP address of the packets received on the FortiGate is part of the 'Local Network Control Block', which by default is not forwarded out of an L3 interface.
  • A regular IPv4 firewall policy (already explained in the attached document) is also required between the two different interfaces, because once the device is detected, the traffic becomes unicast traffic.
  • Enabling multicast forwarding allows the FortiGate to forward multicast IP packets to all interfaces except the receiving interface, with the TTL reduced by 1.
  • Configure a multicast policy to allow multicast packets to pass from one interface to another. Refer to this document for more information: Configuring multicast forwarding.
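
A multicast policy scoped to AirPrint/AirPlay discovery only, rather than to all multicast, is shown below as an added example (not part of the original article). It assumes discovery uses Bonjour (mDNS, UDP port 5353 to 224.0.0.251); the interface names "wifi" and "internal", the address object name "mdns-v4" and the policy IDs are placeholders, and the lines starting with # are annotations, not commands.

```fortios
# Assumption: "mdns-v4" is a placeholder object name for the mDNS group address.
config firewall multicast-address
    edit "mdns-v4"
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
end

# Assumption: "wifi" is the client-side interface and "internal" is the
# printer-side interface; replace both with the real interface names.
config firewall multicast-policy
    # Client side to printer side: mDNS queries only (UDP 5353).
    edit 1
        set srcintf "wifi"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "mdns-v4"
        set protocol 17
        set start-port 5353
        set end-port 5353
    next
    # Printer side to client side: mDNS announcements and responses only.
    edit 2
        set srcintf "internal"
        set dstintf "wifi"
        set srcaddr "all"
        set dstaddr "mdns-v4"
        set protocol 17
        set start-port 5353
        set end-port 5353
    next
end
```

Limiting the destination address, protocol and port keeps other link-local multicast on either segment from crossing the FortiWiFi unit once forwarding is enabled.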

To enable multicast forwarding:

config system settings
    set multicast-forward enable
end

 

  • It is common for multicast packets to have a TTL of 1; if this is the case, the FortiGate will reduce the TTL to 0 when it forwards the packet. To avoid this issue, enable the 'multicast-ttl-notchange' setting. When 'multicast-ttl-notchange' is enabled, the FortiGate is prevented from reducing the TTL of the multicast packet.

 

To enable 'multicast-ttl-notchange':

 

config system settings
    set multicast-ttl-notchange enable
end

 

  • Multicast forwarding is not supported on enhanced MAC VLAN interfaces.