Description
This article describes an example of how to configure a FortiGate to route a Wake On LAN (WOL) 'magic packet' from one subnet to another. The example covers the broadcast type of magic packet.
The idea of WOL is to trigger the wake-up (boot) of a device from the LAN with a specific Ethernet frame called the 'magic packet'. This requires the PC's network interface and BIOS/firmware to support WOL. Different forms of magic packet exist depending on the NIC manufacturer and driver. In some cases a unicast destination IP and MAC can be used, which makes routing straightforward. Most commonly, however, the destination MAC of the magic packet must be the Ethernet broadcast address (FF:FF:FF:FF:FF:FF), and that is a routing problem: a router delivers a forwarded packet to the MAC it resolves for the destination IP with ARP, and a powered-off PC does not answer ARP. That is the case discussed here.
Scope
All FortiGate units in NAT/Route mode.
Solution
Diagram:
          ****************
          * PC to wakeup *
          ****************
                 | .18
                 |
                 | 10.199.3.0/28
                 |
                 | .17
              (internal)
              **********
              * FWF60A *
              **********
                (dmz)
                 | .33
                 |
                 | 10.199.3.32/28
                 |
                 | .34
  ***********************************
  * Server sending WOL Magic packet *
  ***********************************
Solution principle:
The main problem is to have the magic packet forwarded as an Ethernet broadcast after it has been routed, so that the PC's NIC recognizes it. For this, use a separate IP address for the magic packet, distinct from the PC's own IP address (choose an address that is not used on the PC subnet; 10.199.3.19 in this example), and bind that address to the broadcast MAC with a static ARP entry (mac FF:FF:FF:FF:FF:FF). The FortiGate then routes the packet to the internal interface and, when it builds the Ethernet frame, uses the static entry instead of sending an ARP request that a powered-off PC could not answer.
Note: using the PC's own IP (instead of a dedicated one) in the static ARP entry would also wake the PC up, but then every frame the FortiGate sends to the PC would be broadcast to all hosts on that subnet. This may break other traffic destined to the PC, and it exposes that traffic to every host on the segment.
Configuration:
FortiGate relevant configuration extract:
config system interface
    edit "internal"
        set vdom "root"
        set ip 10.199.3.17 255.255.255.240
        set allowaccess ping https ssh
        set type physical
    next
    edit "dmz"
        set vdom "root"
        set ip 10.199.3.33 255.255.255.240
        set allowaccess ping
        set type physical
    next
end
config firewall address
    edit "backup_server"
        set subnet 10.199.3.18 255.255.255.255
    next
    edit "NAS"
        set subnet 10.199.3.34 255.255.255.255
    next
    edit "wol-ip-backup-server"
        set associated-interface "internal"
        set subnet 10.199.3.19 255.255.255.255
    next
end
config firewall policy
    edit 31    #1
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "NAS"
        set dstaddr "wol-ip-backup-server"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 28    #2
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "NAS"
        set dstaddr "backup_server"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
config system arp-table
    edit 1    #3
        set interface "internal"
        set ip 10.199.3.18
        set mac 00:11:d8:12:89:17
    next
    edit 2
        set interface "internal"
        set ip 10.199.3.19
        set mac ff:ff:ff:ff:ff:ff
    next
end
#1: Policy to allow the Wake On LAN 'magic packet' using its dedicated IP.
#2: Policy to allow general traffic to the PC.
#3: Static ARP entry to force destination MAC for the magic packet to be a broadcast.
Linux wakeonlan command line used in this example:
/usr/bin/wakeonlan -p 7 -i 10.199.3.19 17:89:12:d8:11:00
Note: in this particular lab the MAC address given to 'wakeonlan' had to be byte-reversed compared to the PC's MAC as configured in the static ARP entry (00:11:d8:12:89:17), and the sniffer traces below confirm that the payload carries 17:89:12:d8:11:00. This is not the general rule. The standard magic packet (6 bytes of FF followed by the target MAC repeated 16 times) carries the MAC in the same byte order the operating system displays it, and 'wakeonlan' does not reverse it. Pass the MAC exactly as the NIC reports it; if the PC does not wake, compare the MAC in the captured payload with the NIC's MAC before changing anything else.
For more information, see the Linux manual page for wakeonlan.
Verification:
Generate the magic packet from the server and the PC should wake up.
Troubleshooting:
Take a sniffer trace on both FortiGate interfaces to confirm that the packet arrives on dmz as a unicast frame addressed to the FortiGate and leaves internal with the broadcast destination MAC. Verbosity level 3 prints the full frame including the Ethernet header, which is needed to see the destination MAC.
Internal interface sniffer trace:
diagnose sniffer packet internal '' 3
interfaces=[internal]
filters=[]
13.388587 10.199.3.34.32770 -> 10.199.3.19.7: udp 102
0x0000 ffff ffff ffff 0009 0f40 8c80 0800 4500 .........@....E.
0x0010 0082 0000 4000 3f11 1fa9 0ac7 0322 0ac7 ....@.?......"..
0x0020 0313 8002 0007 006e ad32 ffff ffff ffff .......n.2......
0x0030 1789 12d8 1100 1789 12d8 1100 1789 12d8 ................
0x0040 1100 1789 12d8 1100 1789 12d8 1100 1789 ................
0x0050 12d8 1100 1789 12d8 1100 1789 12d8 1100 ................
0x0060 1789 12d8 1100 1789 12d8 1100 1789 12d8 ................
0x0070 1100 1789 12d8 1100 1789 12d8 1100 1789 ................
0x0080 12d8 1100 1789 12d8 1100 1789 12d8 1100 ................
See that the destination MAC address (the first 6 bytes of the frame) is the broadcast address FFFF FFFF FFFF, the source MAC is the FortiGate's internal interface, and the IP TTL is 0x3f, one less than in the dmz trace below: the packet was routed, then sent as a broadcast.
DMZ interface sniffer trace:
diagnose sniffer packet dmz '' 3
interfaces=[dmz]
filters=[]
9.388377 10.199.3.34.32770 -> 10.199.3.19.7: udp 102
0x0000 0009 0f40 8c81 0008 9bac a067 0800 4500 ...@.......g..E.
0x0010 0082 0000 4000 4011 1ea9 0ac7 0322 0ac7 ....@.@......"..
0x0020 0313 8002 0007 006e ad32 ffff ffff ffff .......n.2......
0x0030 1789 12d8 1100 1789 12d8 1100 1789 12d8 ................
0x0040 1100 1789 12d8 1100 1789 12d8 1100 1789 ................
0x0050 12d8 1100 1789 12d8 1100 1789 12d8 1100 ................
0x0060 1789 12d8 1100 1789 12d8 1100 1789 12d8 ................
0x0070 1100 1789 12d8 1100 1789 12d8 1100 1789 ................
0x0080 12d8 1100 1789 12d8 1100 1789 12d8 1100 ................
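Comparing the two traces: on dmz the frame is a unicast to the FortiGate's dmz MAC (0009 0f40 8c81) with TTL 0x40; on internal the destination MAC is ff:ff:ff:ff:ff:ff, the source MAC is the FortiGate's internal interface, and the TTL has been decremented to 0x3f. To make that check repeatable, and to check the magic packet payload itself against the standard layout, the following Python script is an added example for this article (it is not Fortinet code and not part of the original page). It builds a standard magic packet, reassembles a frame from a 'diagnose sniffer packet <intf> '' 3' hex dump, decodes Ethernet/IPv4/UDP, verifies the IP header checksum, and extracts the MAC carried by the magic packet. The hex dump embedded in the script is the internal-interface trace shown above, included as sample input so the script runs offline; the send function mirrors the wakeonlan command used in this example (UDP to 10.199.3.19, port 7) and is defined but not invoked.

```python
#!/usr/bin/env python3
"""Build a WOL magic packet and verify a FortiGate sniffer trace.

Added example for this article, not Fortinet code. Assumes the standard
magic packet layout (6 x 0xFF sync stream, then the target MAC 16 times)
and the verbosity-3 sniffer dump format (offset, 4-hex-digit groups, ASCII).
"""
import re
import socket
import struct

BROADCAST_MAC = b"\xff" * 6

# Sample input: the internal-interface rows from the article, embedded so the
# script runs offline.
INTERNAL_TRACE = """\
0x0000 ffff ffff ffff 0009 0f40 8c80 0800 4500 .........@....E.
0x0010 0082 0000 4000 3f11 1fa9 0ac7 0322 0ac7 ....@.?......"..
0x0020 0313 8002 0007 006e ad32 ffff ffff ffff .......n.2......
0x0030 1789 12d8 1100 1789 12d8 1100 1789 12d8 ................
0x0040 1100 1789 12d8 1100 1789 12d8 1100 1789 ................
0x0050 12d8 1100 1789 12d8 1100 1789 12d8 1100 ................
0x0060 1789 12d8 1100 1789 12d8 1100 1789 12d8 ................
0x0070 1100 1789 12d8 1100 1789 12d8 1100 1789 ................
0x0080 12d8 1100 1789 12d8 1100 1789 12d8 1100 ................
"""


def parse_mac(mac: str) -> bytes:
    """'00:11:d8:12:89:17' (or '-' separated) -> 6 raw bytes, order as given."""
    raw = bytes.fromhex(re.sub(r"[:\-]", "", mac))
    if len(raw) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return raw


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac: str) -> bytes:
    """6 x 0xFF then the target MAC repeated 16 times: 102 bytes, MAC not reversed."""
    return BROADCAST_MAC + parse_mac(mac) * 16


def magic_packet_target(payload: bytes):
    """Target MAC if the payload holds a well-formed magic packet (the sync
    stream may sit anywhere in the payload), else None."""
    for i in range(len(payload) - 101):
        if payload[i:i + 6] == BROADCAST_MAC:
            mac = payload[i + 6:i + 12]
            if mac != BROADCAST_MAC and payload[i + 6:i + 102] == mac * 16:
                return fmt_mac(mac)
    return None


def send_magic_packet(mac: str, dst_ip: str, port: int = 7) -> int:
    """Equivalent of 'wakeonlan -p <port> -i <dst_ip> <mac>'. Not run at import."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(pkt, (dst_ip, port))
    return len(pkt)


def parse_sniffer_hexdump(text: str) -> bytes:
    """Reassemble frame bytes from a verbosity-3 sniffer dump: each row is
    '0xNNNN', up to 16 bytes as 4-hex-digit groups (2 digits for an odd final
    byte), then an ASCII column that is skipped."""
    frame = bytearray()
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2 or not re.fullmatch(r"0x[0-9a-fA-F]{4}", toks[0]):
            continue
        if int(toks[0], 16) != len(frame):
            raise ValueError(f"non-contiguous row at {toks[0]}")
        row = 0
        for tok in toks[1:]:
            if row >= 16 or not re.fullmatch(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}", tok):
                break  # reached the ASCII column
            frame += bytes.fromhex(tok)
            row += len(tok) // 2
    return bytes(frame)


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; 0 over a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/UDP and inspect the payload as a magic packet."""
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    payload = udp[8:ulen]
    return {
        "dst_mac": fmt_mac(dst), "src_mac": fmt_mac(src),
        "dst_is_broadcast": dst == BROADCAST_MAC,   # the check the article asks for
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "ttl": ip[8],
        "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
        "src_port": sport, "dst_port": dport,
        "payload": payload,
        "wol_target_mac": magic_packet_target(payload),
    }


if __name__ == "__main__":
    for k, v in decode_frame(parse_sniffer_hexdump(INTERNAL_TRACE)).items():
        if k != "payload":
            print(f"{k:>16}: {v}")
```

Run the script against a dump pasted from the FortiGate and check three things: dst_is_broadcast is True on the internal-side capture, ip_checksum_ok is True (a False here means the dump was mangled in copy and paste, not a FortiGate fault), and wol_target_mac equals the MAC the NIC actually reports. If it does not, the magic packet is built with the wrong address and no amount of FortiGate configuration will wake the PC.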
Additional note: in cases where one Windows server must wake many PCs, instead of a dedicated IP address and static ARP entry per PC, a third-party WOL application can send the magic packet to the PC subnet's directed broadcast address (10.199.3.31 in this example). The FortiGate does not forward directed broadcasts by default, so in addition to installing and using such an application, forwarding must be enabled on the interface:
config system interface
    edit <external_interface_name>
        set broadcast-forward enable
    next
end
Directed-broadcast forwarding is the mechanism behind broadcast amplification attacks, so enable it only on the interface that needs it, and restrict the firewall policy that permits the WOL traffic to the WOL server as source and to the single UDP port in use rather than service ANY.
Copyright 2025 Fortinet, Inc. All Rights Reserved.