Hasnatriad
Staff
Article Id 345028
Description

This article describes how to block mDNS traffic with firewall policies for a specific subnet or SSID user profile. This is useful when mDNS should remain allowed at a global level but blocked for a specific subnet or user profile that generates a lot of mDNS traffic.

Scope

FortiGate.

Solution

Many devices and services use multicast IP addresses, so FortiGate ships with default multicast address objects. mDNS uses the multicast IP 224.0.0.251, which is predefined in FortiGate as the multicast address "Bonjour". To allow mDNS traffic globally while blocking it for specific user groups or subnets, follow the method below.

Image: multicast_address_range.png (predefined multicast address objects)

Create a firewall policy that uses the multicast IP address as the destination, and define the source subnet and user group as the source. Select a service for port 5353.

  • Add a rule to deny Any service with destination IP 224.0.0.251 for IPv4 mDNS.
  • Add another rule to deny Any service with destination IP ff02::fb for IPv6 mDNS.

Creating the custom service in the CLI console:

 

# mDNS is carried over UDP port 5353 (RFC 6762); a TCP-only port range would not match it.
config firewall service custom
    edit "mDNS"
        set udp-portrange 5353
    next
end

GUI output:

Image: mDNS service.png (custom service "mDNS" on port 5353)

Firewall policy in the CLI console:

# Deny policy for the guest subnet/user group only; the custom "mDNS" service limits it to UDP 5353.
config firewall policy
    edit 1
        set name "mDNS_block"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "AP_User_Range"
        set dstaddr "mDNS_multicast_address"
        set action deny
        set schedule "always"
        set service "mDNS"
        set logtraffic all
        set groups "Wifi_guest"
    next
end
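To see how the deny policy above interacts with a broader allow policy and why the service must be UDP, here is an added example (not part of the article and not FortiOS code): a small first-match policy evaluator in Python modelled on the article's objects. It assumes 10.10.50.0/24 as the value of the "AP_User_Range" address object, an IPv6 twin policy named "mDNS_block_v6" for ff02::fb, and a broad accept policy named "lan_to_wan" placed below the deny policies; the other names ("mDNS_block", "Wifi_guest", 224.0.0.251, UDP 5353) come from the article.

```python
"""Toy first-match evaluator for the article's mDNS deny policies.

Constructed example, not FortiOS code. The guest range, the IPv6 policy
name and the trailing accept policy are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "udp" or "tcp"
    dport: int
    group: Optional[str] = None  # user group the source authenticated into, if any


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                                 # "deny" or "accept"
    srcaddr: Optional[str] = None               # CIDR; None means "all"
    dstaddr: Optional[str] = None               # CIDR or host; None means "all"
    service: Optional[Tuple[str, int]] = None   # (proto, port); None means "ALL"
    groups: frozenset = frozenset()             # empty means no group restriction

    def matches(self, flow: Flow) -> bool:
        src = ipaddress.ip_address(flow.src)
        dst = ipaddress.ip_address(flow.dst)
        # ip_network.__contains__ returns False on an IPv4/IPv6 mismatch,
        # so an IPv6 policy never matches an IPv4 flow and vice versa.
        if self.srcaddr is not None and src not in ipaddress.ip_network(self.srcaddr):
            return False
        if self.dstaddr is not None and dst not in ipaddress.ip_network(self.dstaddr):
            return False
        if self.service is not None and (flow.proto, flow.dport) != self.service:
            return False
        # A policy with user groups only matches sessions authenticated into one of them.
        if self.groups and flow.group not in self.groups:
            return False
        return True


def evaluate(flow: Flow, policies: List[Policy]) -> Tuple[str, str]:
    """Return (action, policy name) of the first matching policy, top-down.

    With no match the FortiGate implicit deny applies.
    """
    for policy in policies:
        if policy.matches(flow):
            return policy.action, policy.name
    return "deny", "implicit"


GUEST_RANGE = "10.10.50.0/24"  # assumed value of the article's "AP_User_Range" object
MDNS = ("udp", 5353)           # the custom "mDNS" service: UDP 5353

POLICIES = [
    Policy("mDNS_block", "deny", GUEST_RANGE, "224.0.0.251", MDNS, frozenset({"Wifi_guest"})),
    Policy("mDNS_block_v6", "deny", None, "ff02::fb", MDNS, frozenset({"Wifi_guest"})),
    # Broad accept below the deny rules: this is what keeps mDNS allowed globally.
    Policy("lan_to_wan", "accept"),
]

# Constructed sample flows: a guest and a corporate client sending mDNS queries.
GUEST_MDNS = Flow("10.10.50.20", "224.0.0.251", "udp", 5353, "Wifi_guest")
CORP_MDNS = Flow("10.10.20.5", "224.0.0.251", "udp", 5353)
GUEST_MDNS_TCP = Flow("10.10.50.20", "224.0.0.251", "tcp", 5353, "Wifi_guest")
GUEST_MDNS_V6 = Flow("fe80::1", "ff02::fb", "udp", 5353, "Wifi_guest")
GUEST_DNS = Flow("10.10.50.20", "8.8.8.8", "udp", 53, "Wifi_guest")


def demo() -> dict:
    """Evaluate every sample flow against the policy table."""
    flows = {
        "guest mDNS v4": GUEST_MDNS,
        "corporate mDNS v4": CORP_MDNS,
        "guest TCP/5353": GUEST_MDNS_TCP,
        "guest mDNS v6": GUEST_MDNS_V6,
        "guest unicast DNS": GUEST_DNS,
    }
    return {label: evaluate(flow, POLICIES) for label, flow in flows.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:20s} -> {result}")
    # Policy order matters: with the accept rule on top, the deny rules never fire.
    print("deny below accept  ->", evaluate(GUEST_MDNS, list(reversed(POLICIES))))
```

Two things the run makes visible: the guest query on TCP 5353 is never matched by the deny policy, which is why a service defined with `tcp-portrange` alone would let real (UDP) mDNS through, and moving the deny policy below the broad accept policy lets guest mDNS pass, so the deny policy must sit above whatever policy allows mDNS globally.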

Firewall policy in the GUI:

Image: policy to block.png (the mDNS_block deny policy)