Description

This article describes how to block mDNS traffic with firewall policies for a specific subnet or SSID user profile. This is useful when users still want to allow mDNS at a global level but only want to block mDNS for some specific subnet/user profile when it generates lots of traffic. 

Scope

FortiGate.

Solution

Many devices and services use multicast IPs; hence, FortiGate has default multicast addresses configured. mDNS uses multicast IP 224.0.0.251, which is configured in the FortiGate as multicast address Bonjour. To allow mDNS traffic globally and yet block for specific user groups or subnets, follow the below method.

Create a Firewall policy using the multicast IP address as the destination and define the source subnet and user group. Select service as port 5353.

• Add a rule to deny Any service with Destination IP 224.0.0.251 for IPv4 mDNS.
• Add another rule to deny Any service with Destination IP ff02::fb for IPv6 mDNS.

Creating custom service in CLI console.

config firewall service custom
    edit "mDNS"
        set tcp-portrange 5353
    next
end

GUI output:

Firewall Policy in CLI console:

config firewall policy
    edit 1
        set name "mDNS_block"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "AP_User_Range"
        set dstaddr "mDNS_multicast_address"
        set schedule "always"
        set service "mDNS"
        set logtraffic all
        set groups "Wifi_guest"
    next
end

Firewall policy in GUI: