FortiGate
Hasnatriad
Article Id 345028
Description
This article describes how to block mDNS traffic with firewall policies for a specific subnet or SSID user profile. This is useful when mDNS should remain allowed globally, but a specific subnet or user profile generates a large volume of mDNS traffic and needs to be blocked.

Scope

FortiGate.

Solution

Many devices and services use multicast IPs, so FortiGate ships with default multicast address objects. mDNS uses multicast IP 224.0.0.251, which is configured in the FortiGate as a multicast address. To allow mDNS traffic globally and yet block it for specific user groups or subnets, follow the method below.

multicast_address_range.png

Create a firewall policy that uses the mDNS multicast IP address as the destination and the affected subnet and user group as the source, with the custom mDNS service (port 5353) as the service:

  • Add a rule to deny traffic to destination IP 224.0.0.251 (IPv4 mDNS).
  • Add another rule to deny traffic to destination IP ff02::fb (IPv6 mDNS).

Create the custom service in the CLI console:

config firewall service custom
    edit "mDNS"
        # mDNS is carried over UDP port 5353 (RFC 6762); a TCP-only service
        # would never match real mDNS traffic, so define UDP (TCP kept as well)
        set udp-portrange 5353
        set tcp-portrange 5353
    next
end

GUI output:

mDNS service.png

Firewall policy in CLI console:
config firewall policy
    edit 1
        set name "mDNS_block"
        set srcintf "port2"
        set dstintf "port1"
        # deny is the FortiOS default action; stated explicitly for clarity
        set action deny
        set srcaddr "AP_User_Range"
        set dstaddr "mDNS_multicast_address"
        set schedule "always"
        set service "mDNS"
        set logtraffic all
        set groups "Wifi_guest"
    next
end
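Added example (not from the original article): the complete object set for blocking both IPv4 and IPv6 mDNS from one SSID's subnet or user group, which the article lists as two rules but only shows for IPv4. It assumes FortiOS 7.x unified policy syntax; the object, interface and user-group names and the policy IDs are placeholders to adapt.

```fortios
# mDNS runs over UDP/5353 (RFC 6762); TCP 5353 is included for completeness.
config firewall service custom
    edit "mDNS"
        set udp-portrange 5353
        set tcp-portrange 5353
    next
end

# Destination objects for the two mDNS multicast groups (names assumed).
config firewall address
    edit "mDNS_multicast_address"
        set subnet 224.0.0.251 255.255.255.255
    next
end
config firewall address6
    edit "mDNS_multicast_address6"
        set ip6 ff02::fb/128
    next
end

# Deny policies scoped to the guest SSID subnet / user group only; every
# other source keeps whatever mDNS access the broader policies grant.
config firewall policy
    edit 10
        set name "mDNS_block_v4"
        set srcintf "port2"
        set dstintf "port1"
        set action deny
        set srcaddr "AP_User_Range"
        set dstaddr "mDNS_multicast_address"
        set groups "Wifi_guest"
        set schedule "always"
        set service "mDNS"
        set logtraffic all
    next
    edit 11
        set name "mDNS_block_v6"
        set srcintf "port2"
        set dstintf "port1"
        set action deny
        set srcaddr6 "all"
        set dstaddr6 "mDNS_multicast_address6"
        set groups "Wifi_guest"
        set schedule "always"
        set service "mDNS"
        set logtraffic all
    next
end
# Policies match top-down: place both above the broader permit policy,
# e.g. "move 10 before <permit-policy-id>", or the deny never triggers.
```

Check the result with the denied-traffic log (logtraffic all) from a client on the guest SSID; if mDNS still passes, the deny policy is almost always sitting below the permit policy.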
Firewall policy in GUI:
policy to block.png