Description
This article describes how to configure broadcast forwarding on a FortiGate. On FortiGate, broadcast traffic is handled by a multicast policy rather than by a normal firewall policy.
Scope
FortiGate.
Solution
By default, 'config firewall multicast-address' contains only one multicast address object, 'all', which covers the multicast range. To allow a broadcast to pass through the FortiGate, configure a broadcast address object and reference it in a multicast policy.
config firewall multicast-address
edit "all"
set start-ip 224.0.0.0
set end-ip 239.255.255.255
next
end
Configuration:
- Configure broadcast forwarding on interface:
config system interface
edit internal
set broadcast-forward enable
next
edit wan1
set broadcast-forward enable
next
end
- Configure broadcast address:
config firewall multicast-address
edit "allbroadcast"
set type broadcastmask
set subnet 255.255.255.255 255.255.255.255
next
end
- Configure multicast policy:
config firewall multicast-policy
edit 1
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set dstaddr "allbroadcast"
next
end
It is important to know that with some broadcast services, the server also sends its reply to a broadcast IP.
The above policy allows both sessions:
- The one from the client to the broadcast IP. For example, in the sniffer output:
DMZ_in 10.44.5.23.57 -> 255.255.255.255.57: udp 20
Broad_out 10.44.5.23.57 -> 255.255.255.255.57: udp 20
- The server reply, which is also sent as a broadcast packet:
Broad_in 10.56.5.5.57 -> 255.255.255.255.57: udp 20
DMZ_out 10.56.5.5.57 -> 255.255.255.255.57: udp 20
Enable logging on the multicast policy to see the traffic logs under Log & Report -> Multicast Traffic.
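The sniffer lines quoted above are the quickest way to confirm that both the client request and the broadcast reply actually cross the FortiGate, especially while the policy is still at srcintf/dstintf 'any'. The following Python script is an added example, not part of the Fortinet article: it parses sniffer lines in the 'interface_in/out src.port -> dst.port: proto length' layout shown above, keeps only packets addressed to the limited broadcast 255.255.255.255 (or to the directed broadcast of networks you list), and reports, per session, on which interface the packet entered and which it left. A broadcast seen on an '_in' line with no matching '_out' line is one that no multicast policy or 'broadcast-forward' setting let through. The interface names, addresses and the extra sample lines are constructed for the demonstration.

```python
"""Check which broadcast sessions a FortiGate forwarded, from sniffer output.

Added example (not Fortinet's code). Assumes the 'iface_in / iface_out' line
format that the article quotes; all sample lines below are constructed.
"""
import re
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

# Constructed sample, modelled on the article's two sessions plus a broadcast
# that arrives on wan1 and is never forwarded, and a unicast TCP flow to ignore.
SAMPLE_SNIFFER_OUTPUT = """\
DMZ_in 10.44.5.23.57 -> 255.255.255.255.57: udp 20
Broad_out 10.44.5.23.57 -> 255.255.255.255.57: udp 20
Broad_in 10.56.5.5.57 -> 255.255.255.255.57: udp 20
DMZ_out 10.56.5.5.57 -> 255.255.255.255.57: udp 20
wan1_in 198.51.100.7.137 -> 255.255.255.255.137: udp 50
DMZ_in 10.44.5.99.51000 -> 10.56.5.5.80: tcp 40
DMZ_out 10.44.5.99.51000 -> 10.56.5.5.80: tcp 40
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)_(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<length>\d+)\s*$"
)


def parse_sniffer_line(line):
    """Return a dict for one sniffer line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for field in ("sport", "dport", "length"):
        pkt[field] = int(pkt[field])
    return pkt


def is_broadcast(dst, local_networks=()):
    """True for 255.255.255.255 or the directed broadcast of any listed network."""
    addr = IPv4Address(dst)
    if addr == IPv4Address("255.255.255.255"):
        return True
    return any(addr == IPv4Network(n).broadcast_address for n in local_networks)


def summarize_broadcast_sessions(text, local_networks=()):
    """Group broadcast packets into sessions keyed by 5-tuple.

    A session counts as forwarded when the same packet was seen on an '_in'
    interface and on an '_out' interface. Ingress with no egress means nothing
    (policy or broadcast-forward) let that broadcast through.
    """
    seen = defaultdict(lambda: {"ingress": set(), "egress": set()})
    for line in text.splitlines():
        pkt = parse_sniffer_line(line)
        if pkt is None or not is_broadcast(pkt["dst"], local_networks):
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        side = "ingress" if pkt["dir"] == "in" else "egress"
        seen[key][side].add(pkt["iface"])
    return {
        key: {
            "ingress": sorted(s["ingress"]),
            "egress": sorted(s["egress"]),
            "forwarded": bool(s["ingress"] and s["egress"]),
        }
        for key, s in seen.items()
    }


def pair_request_reply(summary):
    """Pair a client's broadcast request with a server reply sent to broadcast.

    The article's service uses the same UDP port in both directions, so two
    sessions are paired when they share proto/dport and the egress of one is
    the ingress of the other (and vice versa). Each pair is reported once.
    """
    pairs = set()
    items = list(summary.items())
    for a_key, a in items:
        for b_key, b in items:
            if a_key == b_key or a_key[3:] != b_key[3:]:
                continue
            if a["egress"] and a["egress"] == b["ingress"] and b["egress"] == a["ingress"]:
                pairs.add(tuple(sorted((a_key, b_key))))
    return sorted(pairs)


if __name__ == "__main__":
    summary = summarize_broadcast_sessions(SAMPLE_SNIFFER_OUTPUT)
    for key, info in summary.items():
        state = "forwarded" if info["forwarded"] else "NOT forwarded"
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]} {key[4]}: "
              f"in {info['ingress']} out {info['egress']} ({state})")
    for req, rep in pair_request_reply(summary):
        print(f"request/reply pair: {req[0]} <-> {rep[0]} on {req[4]}/{req[3]}")
```

Run it against output saved from 'diagnose sniffer packet' (verbose level 4 prints the interface names); pass your internal subnets as `local_networks` if the service uses directed rather than limited broadcasts. Sessions reported as "NOT forwarded" are the ones to compare against the multicast policy's source/destination interfaces and the per-interface 'broadcast-forward' setting.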