Alexis__y
New Contributor

Forwarding broadcasts in transparent mode

Hi everyone,

Setting up some FortiGates 60D in transparent mode, I came across an issue in which DHCP Discover broadcasts were blocked by the FortiGate. Here's the architecture:

    DHCP Client <- internal : FortiGate 60D : wan1 -> DHCP Server (192.168.1.1)

I ran some tests but the interesting thing I believe is the following: to allow DHCP Discover broadcast to go through, the only way I have figured out is to allow traffic that goes to the DHCP server to also reach 255.255.255.255 via udp 67 68 ports in the policy. I am not sure if it's a no go or not, seems ok, but in the meantime I have not found out the purpose of the "broadcast-forward enable" option. Was it supposed to do the trick, as according to the manual it is "to forward other IP broadcasts than ARP"? Or did I miss something? If anyone has an idea? Thanks for the help :)
emnoc
Esteemed Contributor III

You need to do something like this;

    config firewall multicast-policy
        edit 1
            set dstintf "wan1"
            set srcintf "lan"
        next
    end

PCNSE NSE StrongSwan
Alexis__y
New Contributor

Hi! Thanks for the tip :) I have tested it, along with the 'multicast-skip-policy enable' option, but these options forward multicast packets, meaning up to 239.255.255.255 only. If enabling the broadcast-forward option does not do the trick for DHCP broadcast it's ok, because allowing 255.255.255.255 to be reached via DHCP service is not a problem and would fit in just one rule. I am more worried about adding the broadcast address of each subnet involved, like 192.168.1.255, to allow NetBIOS for example. Is there any other way to allow broadcast to go through in transparent mode? Or could the fact that there are no forwarding domains configured be the cause of this option being ineffective?
emnoc
Esteemed Contributor III

If you have a policy, for example, that allows the broadcast thru, you will need a wan1 ---to---> lan policy to allow the response back. So using the dhcp server that you have earlier, you would need a policy to allow the clients on internal out to wan1 (where I assume the dhcp server is at) and then you will need a policy from wan1 (dhcp-server service dhcp/bootp) back to internal. I would think you would need to do the same for anything similar. Have you run a diag debug sniffer or diag debug flow for the traffic that's being dropped?

PCNSE NSE StrongSwan
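Added example, not from this thread and not Fortinet code: a small Python model of the two points made above, namely that multicast-policy only covers the 224.0.0.0/4 range and not the limited broadcast (255.255.255.255) or a subnet-directed broadcast such as 192.168.1.255, and that a DHCP exchange in transparent mode needs a policy in each direction. The interface names, the 192.168.1.0/24 subnet, the policy list and the offered address 192.168.1.50 are constructed; the policy matcher is a toy, not FortiGate's own lookup. The DHCP part builds a minimal DHCPDISCOVER and applies the RFC 2131 section 4.1 rule for where the server addresses its Offer, which is the caveat worth checking when writing the wan1 to internal rule: with the client's broadcast flag set, the Offer goes to 255.255.255.255, so a return policy that only covers the client subnet does not match it.

```python
import ipaddress
import struct
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
LIMITED_BROADCAST = IPv4("255.255.255.255")
MULTICAST = Net("224.0.0.0/4")


def classify_dst(dst: str, local_subnets=()) -> str:
    """Tell a multicast destination (what multicast-policy covers) apart from
    the limited broadcast and a subnet-directed broadcast like 192.168.1.255."""
    addr = IPv4(dst)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if addr in MULTICAST:
        return "multicast"
    if any(addr == Net(s).broadcast_address for s in local_subnets):
        return "directed-broadcast"
    return "unicast"


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    dstaddrs: tuple      # CIDR strings; a constructed stand-in for address objects
    proto: str
    dports: frozenset


def first_match(policies, flow):
    """1-based index of the first policy accepting the flow, or None when no
    policy matches (the flow is dropped by the forward policy check)."""
    for idx, p in enumerate(policies, start=1):
        if (p.srcintf, p.dstintf, p.proto) != (flow.srcintf, flow.dstintf, flow.proto):
            continue
        if flow.dport not in p.dports:
            continue
        if any(IPv4(flow.dst) in Net(a) for a in p.dstaddrs):
            return idx
    return None


def build_discover(xid: int, mac: bytes, broadcast_flag: bool) -> bytes:
    """Constructed minimal DHCPDISCOVER: BOOTP header, cookie, option 53, END."""
    flags = 0x8000 if broadcast_flag else 0
    pkt = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, flags)  # op=BOOTREQUEST
    pkt += b"\x00" * 16                # ciaddr, yiaddr, siaddr, giaddr all zero
    pkt += mac.ljust(16, b"\x00")      # chaddr, padded to 16 bytes
    pkt += b"\x00" * 192               # sname + file
    pkt += b"\x63\x82\x53\x63"         # DHCP magic cookie
    pkt += bytes([53, 1, 1, 255])      # option 53 = DHCPDISCOVER, then END
    return pkt


def offer_destination(discover: bytes) -> str:
    """Where the server addresses its Offer, following RFC 2131 section 4.1."""
    _op, _ht, _hl, _hops, _xid, _secs, flags = struct.unpack("!BBBBIHH", discover[:12])
    ciaddr = IPv4(discover[12:16])
    giaddr = IPv4(discover[24:28])
    if giaddr != IPv4("0.0.0.0"):
        return str(giaddr)             # reply goes to the relay agent
    if ciaddr != IPv4("0.0.0.0"):
        return str(ciaddr)             # client already has an address
    if flags & 0x8000:
        return "255.255.255.255"       # client asked for a broadcast reply
    return "yiaddr"                    # unicast to the address being offered


def dhcp_exchange_verdict(policies, broadcast_flag: bool):
    """(policy matching the Discover, policy matching the Offer) for a client
    on 'internal' and a DHCP server behind wan1; None means dropped."""
    discover = Flow("internal", "wan1", "255.255.255.255", "udp", 67)
    dst = offer_destination(build_discover(0x1234, b"\x00\x11\x22\x33\x44\x55", broadcast_flag))
    if dst == "yiaddr":
        dst = "192.168.1.50"           # constructed: the address the server offers
    offer = Flow("wan1", "internal", dst, "udp", 68)
    return first_match(policies, discover), first_match(policies, offer)


# Constructed policy set, in lookup order.  Policy 2 only covers unicast replies
# into the client subnet; policy 3 is the extra rule a broadcast Offer needs.
POLICIES = (
    Policy("internal", "wan1", ("192.168.1.1/32", "255.255.255.255/32"), "udp", frozenset({67, 68})),
    Policy("wan1", "internal", ("192.168.1.0/24",), "udp", frozenset({68})),
    Policy("wan1", "internal", ("255.255.255.255/32",), "udp", frozenset({68})),
)

if __name__ == "__main__":
    print(classify_dst("239.255.255.250"), classify_dst("192.168.1.255", ["192.168.1.0/24"]))
    print(dhcp_exchange_verdict(POLICIES[:2], True))   # Offer dropped: (1, None)
    print(dhcp_exchange_verdict(POLICIES, True))       # Offer allowed by policy 3
```

Running it with only the first two policies shows the Discover passing on policy 1 while a broadcast Offer finds no return policy; adding the third policy, or a return rule whose destination includes 255.255.255.255, is what makes the exchange complete in both directions.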
Alexis__y
New Contributor

Yeah, got you! Ok I just did, I should do it more often because it's speaking. With this policy applied (test 5) and broadcast-forward enabled on both wan1 & internal, I get this message from the debug console: It seems that it just drops the broadcast
Alexis__y
New Contributor

Maybe another option needs to be activated; there is that l2forward option which I think I had tried already, even if it is not supposed to match what's needed. Here's the internal interface configuration, which is identical to wan1, in case I missed enabling something obvious: And well, thanks again for the suggestions :)
Alexis__y
New Contributor

As there seems to be a specific 'denied by forward policy check' message when something not allowed is being blocked, that 'drop broadcast' message seems to relate to something internal:
emnoc
Esteemed Contributor III

Well, the 1st drop is netbios related and the 2nd is probably due to a www services rule that's not allowing tcp traffic, & you're right in that it's a forward policy drop.

PCNSE NSE StrongSwan