Pazzeo1
New Contributor

Allow Forward broadcast from the same interface

Hello,

I'm using a FortiGate 201E, firmware version 6.4.4.

I have traffic received on port3 which needs to be translated to the broadcast address of port3. This means that the traffic needs to leave through the same interface (ingress = egress).

So, I did the following configuration:

On port3 I have disabled anti-spoofing and enabled broadcast forward.

    edit "port3"
        set vdom "root"
        set ip 192.168.1.126 255.255.255.128
        set allowaccess ping
        set broadcast-forward enable
        set vlanforward enable
        set type physical
        set src-check disable
        set alias "SERVICE"
        set security-mode captive-portal
        set security-exempt-list "port3-exempt-list"
        set role lan
        set snmp-index 11

Then I created the VIP like this:

    edit "DNAT_SERVICE"
        set uuid 14e3dde2-8a4d-51f0-58aa-109e4a3fac68
        set extip 192.168.1.126
        set mappedip "192.168.1.127"
        set extintf "port3"
        set portforward enable
        set protocol udp
        set extport 445
        set mappedport 445
    next

Then, I have the following policy:

        set name "SERVICE TRANSLATE"
        set uuid eee66168-88cc-51f0-8f68-3c1e08e4e818
        set srcintf "port3"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "DNAT_SERVICE"
        set action accept
        set schedule "always"
        set service "SERVICE_UDP"
        set anti-replay disable

However, I have the following errors:

    id=20085 trace_id=1433 func=print_pkt_detail line=5700 msg="vd-root:0 received a packet(proto=17, 10.10.22.1:47689->192.168.1.126:445) from port3. "
    id=20085 trace_id=1433 func=init_ip_session_common line=5871 msg="allocate a new session-042afdcf"
    id=20085 trace_id=1433 func=iprope_dnat_check line=5005 msg="in-[port3], out-[]"
    id=20085 trace_id=1433 func=iprope_dnat_tree_check line=833 msg="len=1"
    id=20085 trace_id=1433 func=__iprope_check_one_dnat_policy line=4878 msg="checking gnum-100000 policy-3"
    id=20085 trace_id=1433 func=get_new_addr line=1167 msg="find DNAT: IP-192.168.1.127, port-445"
    id=20085 trace_id=1433 func=__iprope_check_one_dnat_policy line=4961 msg="matched policy-3, act=accept, vip=3, flag=100, sflag=2000000"
    id=20085 trace_id=1433 func=iprope_dnat_check line=5018 msg="result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000100"
    id=20085 trace_id=1433 func=fw_pre_route_handler line=182 msg="VIP-192.168.1.127:445, outdev-port3"
    id=20085 trace_id=1433 func=__ip_session_run_tuple line=3492 msg="DNAT 192.168.1.126:445->192.168.1.127:445"
    id=20085 trace_id=1433 func=vf_ip_route_input_common line=2584 msg="find a route: flag=90000000 gw-192.168.1.127 via root"
    id=20085 trace_id=1433 func=iprope_in_check line=421 msg="in-[port3], out-[], skb_flags-020000c0, vid-3"
    id=20085 trace_id=1433 func=__iprope_check line=2164 msg="gnum-100011, check-ffffffffa002a7c0"
    id=20085 trace_id=1433 func=iprope_policy_group_check line=4450 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
    id=20085 trace_id=1433 func=__iprope_check line=2164 msg="gnum-100001, check-ffffffffa00288e0"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-100001 policy-1, ret-matched, act-accept"
    id=20085 trace_id=1433 func=__iprope_check line=2183 msg="gnum-100001 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
    id=20085 trace_id=1433 func=iprope_policy_group_check line=4450 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
    id=20085 trace_id=1433 func=__iprope_check line=2164 msg="gnum-10000e, check-ffffffffa00288e0"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=2135 msg="policy-4294967295 is matched, act-drop"
    id=20085 trace_id=1433 func=__iprope_check line=2183 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000001, flag2-00000000"
    id=20085 trace_id=1433 func=iprope_policy_group_check line=4450 msg="after check: ret-matched, act-drop, flag-00000001, flag2-00000000"
    id=20085 trace_id=1433 func=__iprope_check line=2164 msg="gnum-10000f, check-ffffffffa00288e0"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=1920 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
    id=20085 trace_id=1433 func=__iprope_check_one_policy line=2135 msg="policy-4294967295 is matched, act-drop"
    id=20085 trace_id=1433 func=__iprope_check line=2183 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000001, flag2-00000000"
    id=20085 trace_id=1433 func=iprope_policy_group_check line=4450 msg="after check: ret-matched, act-drop, flag-00000001, flag2-00000000"
    id=20085 trace_id=1433 func=fw_local_in_handler line=431 msg="iprope_in_check() check failed on policy 0, drop

I don't understand why the system is dropping the packet.

Checking the routing table for 192.168.1.127 seems to be ok:

    Routing table for VRF=0
    Routing entry for 192.168.1.0/25
      Known via "connected", distance 0, metric 0, best
      * is directly connected, port3 distance 0

Can anyone help me please?

Thanks

Paz
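
An added example, not part of the original post and not a Fortinet tool: a small Python parser for flow-trace lines in the format posted above, which reduces a long trace to the DNAT rewrite, the route lookup, the policy groups that returned a drop, and the final verdict. The function names `parse_flow` and `summarize` are hypothetical; the sample lines are copied (abridged) from the post's trace, including the last line's missing closing quote.

```python
import re

# Lines copied (abridged) from the trace in the post; the final line lacks
# its closing quote exactly as posted, so the parser must tolerate that.
SAMPLE = '''\
id=20085 trace_id=1433 func=print_pkt_detail line=5700 msg="vd-root:0 received a packet(proto=17, 10.10.22.1:47689->192.168.1.126:445) from port3. "
id=20085 trace_id=1433 func=__ip_session_run_tuple line=3492 msg="DNAT 192.168.1.126:445->192.168.1.127:445"
id=20085 trace_id=1433 func=vf_ip_route_input_common line=2584 msg="find a route: flag=90000000 gw-192.168.1.127 via root"
id=20085 trace_id=1433 func=__iprope_check line=2183 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000001, flag2-00000000"
id=20085 trace_id=1433 func=fw_local_in_handler line=431 msg="iprope_in_check() check failed on policy 0, drop
'''

# The closing quote is optional so a truncated last line still parses.
LINE_RE = re.compile(
    r'id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="(.*?)"?\s*$')

def parse_flow(text):
    """Group (func, msg) pairs by trace_id, skipping non-trace lines."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            traces.setdefault(m.group(2), []).append(
                (m.group(3), m.group(5).strip()))
    return traces

def summarize(events):
    """Extract the DNAT rewrite, route lookup, dropping groups and verdict."""
    out = {"dnat": None, "route": None, "drop_groups": [], "verdict": None}
    for func, msg in events:
        if (m := re.match(r'DNAT (\S+)->(\S+)', msg)):
            out["dnat"] = m.groups()            # (before, after)
        elif (m := re.search(r'gw-(\S+) via (\S+)', msg)):
            out["route"] = m.groups()           # (gateway, via)
        elif (m := re.match(r'gnum-(\w+) check result: ret-matched, act-drop', msg)):
            out["drop_groups"].append(m.group(1))
        elif "check failed" in msg and msg.endswith("drop"):
            out["verdict"] = (func, msg)        # function that logged the drop
    return out

if __name__ == "__main__":
    for tid, events in parse_flow(SAMPLE).items():
        print(tid, summarize(events))
```

Run against the full trace from the post, the summary shows the DNAT rewrite to 192.168.1.127:445, a route lookup resolving `via root`, drops returned by groups 10000e and 10000f, and the verdict logged by `fw_local_in_handler`.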

Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.