FortiGate
AlexC-FTNT
Staff
Article Id 200970

Description

FortiGate is an enterprise-grade firewall that has started to make its way into households and home-office environments.

This raises a few questions about usability in such environments when it comes to screen casting, sharing, Miracast, and other protocols that are uncommon in regular business communication.

FortiGate is adapting to this demand: starting with FortiOS 6.0, multicast forwarding is enabled by default.

Below are some workarounds for problems one can encounter while using a FortiGate firewall in a home environment.

Details

The most important aspect to consider is the set of protocols that the devices connected to your network need in order to communicate.
If this cannot be identified from the manufacturer's website or help guides, one can attempt to identify the protocols by capturing the traffic exchanged by these devices.
See: How to capture packets in FortiGate in GUI, or in Command line (CLI). Note that a more general capture may be needed (without an IP address as filter), since discovery traffic is often sent to multicast or broadcast addresses rather than to a specific host.
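As an added example (not part of the original article), the CLI captures one would run from the FortiGate to find out which protocols a device actually uses. The device address 192.168.1.50 is a constructed placeholder; `any` captures on all interfaces, verbosity 4 prints the packet headers together with the interface name, and the trailing number caps the capture at 200 packets.

```fortios
# Everything a specific device (constructed address 192.168.1.50) sends or receives,
# on any interface, verbosity 4 (headers plus interface name), at most 200 packets.
diagnose sniffer packet any 'host 192.168.1.50' 4 200

# Discovery traffic is usually not addressed to a specific host: mDNS/Bonjour goes to
# multicast group 224.0.0.251 on UDP 5353, SSDP/DIAL to 239.255.255.250 on UDP 1900.
# A capture without a host filter shows this traffic and which interface it arrived on.
diagnose sniffer packet any 'udp port 5353 or udp port 1900' 4 200

# Once the protocol is known, check whether the FortiGate forwards or drops it:
# debug flow prints the policy (or the reason for the drop) for each matching packet.
diagnose debug flow filter addr 192.168.1.50
diagnose debug flow trace start 20
diagnose debug enable

# Always stop the trace and clear the filter when done.
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
```

Run the two sniffer commands while triggering discovery on the device (for example, opening the casting menu on a phone); the interface names in the verbosity-4 output tell you which ports the multicast policies or bridged interfaces need to cover.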

1) Multicast – a common protocol that is frequently used by multi-room speaker systems.
For a start, make sure multicast forwarding is enabled and that multicast policies are in place between the ports in question. However, a common cause of multi-room speakers failing to communicate is their own incompatibility (check the manufacturer's website for compatibility or firmware issues, as well as the protocols they require).
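As an added example (not part of the original article), the FortiOS configuration that covers both points in the paragraph above: the per-VDOM multicast forwarding setting, and a pair of multicast policies between two interfaces. The interface names `wifi` and `lan` are assumptions; substitute the interfaces the speakers and the controlling phone or laptop are connected to.

```fortios
# Multicast forwarding is per VDOM and enabled by default since FortiOS 6.0;
# verify that it has not been disabled.
config system settings
    set multicast-forward enable
end

# Multicast policies are separate from the regular IPv4 policies. One policy is needed for
# each direction in which multicast flows (interface names "wifi" and "lan" are assumptions).
config firewall multicast-policy
    edit 1
        set srcintf "wifi"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
    edit 2
        set srcintf "lan"
        set dstintf "wifi"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end

# Verify what is in place.
show system settings | grep multicast
show firewall multicast-policy
```

The `dstaddr` of a multicast policy is the multicast group address; `all` is the broadest setting and suitable for a home network. If only a specific group should be allowed (for example mDNS on 224.0.0.251), create a multicast address object for it and reference that object instead of `all`.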

2) Broadcast – this is generally Layer 2 traffic (sent with destination MAC ff:ff:ff:ff:ff:ff, i.e. to all devices on the network segment). This type of traffic consumes bandwidth, can cause disruptions, and is normally limited within any network by keeping the broadcast domain small. This may be contrary to what is needed to allow local devices to communicate across the local network in a home environment. This article describes how broadcast can be controlled in a FortiGate.

3) Unicast
Described here

4) DIAL – Discovery and Launch protocol (Chromecast).
This protocol and its behavior over Wi-Fi connectivity is detailed in a dedicated article here. Discovery and communication between devices connected (via SSDP) to the same SSID is not a problem. Connecting Wi-Fi to LAN requires a bridged network (this way LAN devices can also reach the Wi-Fi-connected Chromecast).

5) RTSP (Real-Time Streaming Protocol)
Identified by traffic over TCP ports 554, 770, or 8554. The rtsp session helper is invoked and needed to facilitate this communication (it opens the data ports negotiated inside the RTSP control session). Make sure it has not been deleted from "config system session-helper".
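As an added example (not part of the original article), how to verify that the rtsp session helper entries are still present, recreate one if it is missing, and confirm that a live session is actually being handled by the helper. The entry index 30 is an assumption; use any index that is free in the output of the `show` command.

```fortios
# List all session helpers. Expect three rtsp entries, protocol 6 (TCP), ports 554, 770 and 8554.
show system session-helper

# Recreate a missing entry. The index (30) is an assumption: choose an unused one.
config system session-helper
    edit 30
        set name rtsp
        set protocol 6
        set port 554
    next
end

# Confirm the helper is attached to a live RTSP session (start a stream first):
# sessions to port 554 should show a "helper=rtsp" field in the session list.
diagnose sys session filter dport 554
diagnose sys session list
diagnose sys session filter clear
```

If the session list shows the control session without the `helper=rtsp` field, the helper is not matching it; the usual reasons are a missing entry for the port in use (check the `show` output) or the stream using a non-standard port that needs its own rtsp entry.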

6) AirPlay and AirPrint – setup described here.

Related articles

Technical Note: FortiGate commands for DNS troubleshooting