Description
This article describes how to create multicast security policies to allow AirPlay communication between an iOS device and an Apple TV through a FortiGate unit.
Scope
FortiGate v5.0 and above.
Solution
Procedure.
Step 1: Enable Multicast options.
Enable multicast forwarding from the CLI using the following commands:
config system setting
set multicast-forward enable
set multicast-ttl-notchange enable
end
Step 2: Configure Multicast policies:
config firewall multicast-policy
edit 1
set status enable
set logtraffic enable
set srcintf "AppleTV interface"
set dstintf "DMZ"
set srcaddr "all"
set dstaddr "all"
set snat disable
set dnat 0.0.0.0
set action accept
set protocol 17
set auto-asic-offload enable
set start-port 1
set end-port 5353
next
edit 2
set status enable
set logtraffic enable
set srcintf "DMZ"
set dstintf "AppleTV interface"
set srcaddr "all"
set dstaddr "all"
set snat disable
set dnat 0.0.0.0
set action accept
set protocol 17
set auto-asic-offload enable
set start-port 1
set end-port 5353
next
edit 3
set status enable
set logtraffic enable
set srcintf "AppleTV interface"
set dstintf "Wan to internet interface"
set srcaddr "all"
set dstaddr "all"
set snat enable
set snat-ip 0.0.0.0
set dnat 0.0.0.0
set action accept
set protocol 17
set auto-asic-offload enable
set start-port 1
set end-port 5353
end
Step 3: Configure IPV4 policies:
config firewall policy
edit 1
set status enable
set logtraffic enable
set srcintf "AppleTV interface"
set dstintf "DMZ"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat disable
set action accept
next
edit 2
set status enable
set logtraffic enable
set srcintf "DMZ"
set dstintf "AppleTV interface"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat disable
set action accept
next
edit 3
set status enable
set logtraffic enable
set srcintf "AppleTV interface"
set dstintf "Wan to internet interface"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set action accept
set nat enable
next
end
Step 4: Disable multicast routing:
config router multicast
set multicast-routing disable
end
Troubleshooting:
Diagnose commands to check traffic:
Sniffer:
diagnose sniffer packet any 'host <ip_appletv>' 6 0 a
To stop the sniffer, press Ctrl+C.
Debug Flow:
diagnose debug disable
diagnose debug reset
diagnose debug flow filter saddr <ip_appletv>
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 1000
diagnose debug enable
Multicast traffic example (an mDNS packet to 224.0.0.251:5353 arriving on FAP-4; the final line shows it matched policy 0, the implicit policy, with act-drop, meaning no configured multicast policy accepted it):
id=20085 trace_id=58 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=17, 172.16.7.77:5353->224.0.0.251:5353) from FAP-4. "
id=20085 trace_id=58 func=init_ip_session_common line=4624 msg="allocate a new session-00321386"
id=20085 trace_id=58 func=iprope_dnat_check line=4641 msg="in-[FAP-4], out-[]"
id=20085 trace_id=58 func=iprope_dnat_check line=4654 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=58 func=__iprope_check line=2051 msg="gnum-10000a, check-ffffffffa009768b"
id=20085 trace_id=58 func=__iprope_check_one_policy line=1841 msg="checked gnum-10000a policy-0, ret-matched, act-accept"
id=20085 trace_id=58 func=__iprope_check_one_policy line=2022 msg="policy-0 is matched, act-drop
Stop the above debugs using the following CLI commands:
diagnose debug disable
diagnose debug reset
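As an added example, not part of this article, the following Python helper parses the debug flow lines above (the article's own sample for trace_id 58) and reports whether an mDNS packet (UDP 5353 to 224.0.0.251) was accepted by a multicast policy or dropped by the implicit policy 0. The regular expressions assume the message wording of print_pkt_detail and __iprope_check_one_policy is as shown in that sample.

```python
import re

# Field patterns for the "diagnose debug flow" lines in the article; the
# wording of print_pkt_detail / __iprope_check_one_policy is assumed stable.
TRACE_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(r"proto=(\d+), (\d+(?:\.\d+){3}):(\d+)->"
                    r"(\d+(?:\.\d+){3}):(\d+)\) from (\S+?)\.?(?:\s|$)")
POLICY_RE = re.compile(r"policy-(\d+) is matched, act-(\w+)")
MDNS_GROUP, MDNS_PORT, UDP = "224.0.0.251", 5353, 17

# The article's own debug flow output (trace_id 58); last line truncated as printed there.
SAMPLE = """\
id=20085 trace_id=58 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=17, 172.16.7.77:5353->224.0.0.251:5353) from FAP-4. "
id=20085 trace_id=58 func=init_ip_session_common line=4624 msg="allocate a new session-00321386"
id=20085 trace_id=58 func=iprope_dnat_check line=4641 msg="in-[FAP-4], out-[]"
id=20085 trace_id=58 func=__iprope_check_one_policy line=2022 msg="policy-0 is matched, act-drop
""".splitlines()

def parse_trace(lines):
    """Group lines by trace_id; keep the packet 5-tuple, ingress interface
    and the final policy verdict (later verdict lines overwrite earlier)."""
    traces = {}
    for line in lines:
        t = TRACE_RE.search(line)
        if not t:
            continue
        entry = traces.setdefault(t.group(1), {})
        if p := PKT_RE.search(line):
            entry.update(proto=int(p.group(1)), src=p.group(2),
                         sport=int(p.group(3)), dst=p.group(4),
                         dport=int(p.group(5)), in_intf=p.group(6))
        if v := POLICY_RE.search(line):
            entry.update(policy=int(v.group(1)), action=v.group(2))
    return traces

def diagnose(entry):
    """Return (traffic kind, verdict text) for one parsed trace."""
    if (entry.get("proto") == UDP and entry.get("dst") == MDNS_GROUP
            and entry.get("dport") == MDNS_PORT):
        kind = "mDNS/Bonjour discovery"
    elif (d := entry.get("dst")) and 224 <= int(d.split(".")[0]) <= 239:
        kind = "other multicast"  # any 224.0.0.0/4 destination
    else:
        kind = "unicast"
    intf, act, pol = (entry.get(k) for k in ("in_intf", "action", "policy"))
    if act == "drop" and pol == 0:  # policy 0 is the implicit deny
        return kind, f"from {intf}: no multicast policy matched, implicit drop"
    return kind, f"from {intf}: action {act} by policy {pol}"
```

Run the trace capture through parse_trace() after the debug session; an "implicit drop" verdict on an mDNS trace points at a missing or mismatched multicast policy for that ingress interface.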
Note:
It has been observed that the AirPlay TV/server might not respond to TCP packets when the connecting client is on a different network from the server. While this is not a FortiGate issue, the FortiGate can facilitate the connection: enable NAT on the firewall policy that permits the unicast traffic from the client to the TV/server, so that the traffic reaches the server from an address on its own network.