FortiGate
dkochhar
Staff
Article Id 276093
Description: This article describes how to set up multicast over a GRE tunnel with PIM dense mode.
Scope: FortiGate.
Solution:

This article demonstrates an example of multicast over a GRE tunnel with PIM dense mode.


The following topology is used:
(Sending multicast traffic) Machine: 192.168.1.10 --- FortiGate 1 --- (GRE tunnel) --- FortiGate 2 --- Machine: 192.168.3.1 (Receiving multicast traffic).
Configuration on FortiGate 1:

For the GRE tunnel:

 

config system gre-tunnel
    edit "GRE_TUNNEL"
        set interface "port1"
        set remote-gw 5.6.7.8 <- The remote side IP.
        set local-gw 1.2.3.4
    next
end

 

Assigning an IP to the tunnel interface to establish the PIM neighborship:

 

config system interface
    edit "GRE_TUNNEL"
        set ip 10.1.1.1 255.255.255.255       <- The tunnel interface IP.
        set type tunnel
        set remote-ip 10.1.1.2 255.255.255.0  <- The remote side tunnel interface IP.
        set interface "port1"
    next
end

 

Since multicast routing is being used, multicast forwarding should be disabled as follows:

config system settings
    set multicast-forward disable
end

 

For multicast configuration:

Note: Both interfaces (the incoming interface and the outgoing interface) have to take part in the multicast neighborship.


config router multicast
    set multicast-routing enable
    config interface
        edit "port3"  <- Local interface.
            set pim-mode dense-mode
        next
        edit "GRE_TUNNEL"  <- Tunnel interface.
            set pim-mode dense-mode
        next
    end
end

 

Screenshot from the GUI (Multicast.png).

Creating multicast policies:

 

config firewall multicast-policy
    edit 1
        set name "Multicast_Outbound" <- Outbound policy.
        set srcintf "port3"
        set dstintf "GRE_TUNNEL"
        set srcaddr "all"
        set dstaddr "all"
    next
end

config firewall multicast-policy
    edit 2
        set name "Multicast_Inbound" <- Inbound policy.
        set srcintf "GRE_TUNNEL"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
    next
end

 

Configuration on FortiGate 2:

 

config system gre-tunnel
    edit "GRE_TUNNEL"
        set interface "port1"
        set remote-gw 1.2.3.4 <- Remote side IP.
        set local-gw 5.6.7.8
    next
end

 

Assigning an IP to the tunnel interface to establish the PIM neighborship:

 

config system interface
    edit "GRE_TUNNEL"
        set ip 10.1.1.2 255.255.255.255       <- Tunnel interface IP.
        set type tunnel
        set remote-ip 10.1.1.1 255.255.255.0  <- Remote side tunnel interface IP.
        set interface "port1"
    next
end

 

Since multicast routing is being used, multicast forwarding should again be disabled as follows:

config system settings
    set multicast-forward disable
end

 

For multicast configuration:

Note: Both interfaces (the incoming interface and the outgoing interface) must take part in the multicast neighborship.

 

config router multicast
    set multicast-routing enable
    config interface
        edit "GRE_TUNNEL" <- Tunnel interface.
            set pim-mode dense-mode
        next
        edit "port3" <- Local interface.
            set pim-mode dense-mode
        next
    end
end

 

Screenshot from the GUI (Multicast.png).

 

Multicast firewall policy:

 

config firewall multicast-policy
    edit 2
        set name "Multicast_Inbound"
        set srcintf "GRE_TUNNEL"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
    next
end

 

Static route to send the traffic via the GRE tunnel (needed if dynamic routing is not used; if the GRE tunnel was built over an IPsec tunnel, the same approach applies to route the traffic via the underlying IPsec tunnel):

 

config router static
    edit 1
        set device GRE_TUNNEL
        set dst 192.168.1.10 255.255.255.255  <- 192.168.3.1 on the other side.
    next
    edit 2
        set device GRE_TUNNEL
        set dst 1.2.3.4 255.255.255.255
    next
end

 

Command to check whether the PIM neighborship is active:

 

get router info multicast pim dense-mode neighbour

 

Output screenshot (Neighbor.png).

 

Once the neighborship is up, multicast traffic should pass through the GRE tunnel, as the packet sniffer output shows (each packet enters on port3 and leaves on GRE_TUNNEL):

 

2023-09-26 13:14:52.200146 port3 in 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:14:52.200180 GRE_TUNNEL out 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:14:57.280430 port3 in 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:14:57.280466 GRE_TUNNEL out 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
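The sniffer lines above are the practical proof that the setup works: every multicast packet that comes in on port3 must have a matching "out" line on GRE_TUNNEL. The following added script (not part of the original article) parses sniffer output in that format and flags multicast flows that entered on the LAN interface but were never forwarded into the tunnel, which is what a missing multicast policy, a disabled PIM interface or a neighborship that is still down looks like. The sample capture is constructed; the interface names port3 and GRE_TUNNEL follow the article.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same format as the article's sniffer output.
# The last line is a flow that enters port3 but never leaves via the tunnel.
SAMPLE_CAPTURE = """\
2023-09-26 13:14:52.200146 port3 in 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:14:52.200180 GRE_TUNNEL out 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:14:57.280430 port3 in 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:14:57.280466 GRE_TUNNEL out 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:15:02.100000 port3 in 192.168.1.10.55254 -> 224.2.2.3.8910: udp 1000
"""

# One sniffer line: "<date> <time> <intf> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)$"
)
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def parse_capture(text):
    """Return one dict per sniffer line; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def check_multicast_forwarding(rows, lan_intf="port3", tunnel_intf="GRE_TUNNEL"):
    """Count, per multicast flow, packets entering on lan_intf and leaving on
    tunnel_intf. Returns (forwarded, dropped): flows with at least one packet
    sent into the tunnel, and flows that entered but were never forwarded."""
    seen = defaultdict(lambda: {"in": 0, "out": 0})
    for r in rows:
        if ipaddress.ip_address(r["dst"]) not in MULTICAST:
            continue  # unicast traffic is not governed by the multicast policy
        flow = (r["src"], r["sport"], r["dst"], r["dport"])
        if r["dir"] == "in" and r["intf"] == lan_intf:
            seen[flow]["in"] += 1
        elif r["dir"] == "out" and r["intf"] == tunnel_intf:
            seen[flow]["out"] += 1
    forwarded = {f: c for f, c in seen.items() if c["out"] > 0}
    dropped = {f: c for f, c in seen.items() if c["in"] > 0 and c["out"] == 0}
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = check_multicast_forwarding(parse_capture(SAMPLE_CAPTURE))
    print("forwarded:", fwd)
    print("not forwarded:", drop)
```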