Good day. I have been looking for a solution to this problem for some time. I need to extend a subnet that carries multicast traffic across a site-to-site (StS) IPsec VPN. I managed to extend the LAN without problems using virtual IPs (VIPs) and NAT, but I cannot get the multicast traffic to pass. I have to extend the LAN this way because I do not have administrative access to the router that serves that LAN. Below is a diagram of the lab I built for the tests; the IP segments are test addresses, but the structure is the same. At both ends of the StS tunnel I am using FortiGate 60C units.
Attached is a summarized configuration of each FortiGate in my lab, plus the diagram.
Config FORTIGATE "LOCAL" (summarized). Reviewer notes on the security-relevant parts: wan1, aliased "Internet", has `allowaccess ping https ssh http` (cleartext HTTP administration on the Internet-facing interface) — restrict admin access to trusted hosts and drop `http` before this leaves the lab. The multicast address object "audio PRUEBA" is 224.0.0.0–239.255.255.255, i.e. the entire multicast range, so the multicast policies effectively allow any group; scope it to the actual group once the test works. `config router multicast` is empty (no multicast-routing/PIM), so forwarding relies on the `multicast-forward` system setting, which is not shown in this summary — verify it. Note also that the VIP/one-to-one NAT used to extend the LAN applies to unicast; multicast destinations are not translated by those VIPs. The pre-shared key is redacted ("key key"), and the phase1 proposal/DH group is not visible in the summary, so the wizard defaults should be checked against your policy.
#global_vdom=1
config system global
set fgd-alert-subscription advisory latest-threat
set gui-antivirus disable
set gui-application-control disable
set gui-endpoint-control disable
set gui-local-in-policy enable
set gui-multicast-policy enable
set gui-wan-load-balancing disable
set gui-webfilter disable
set gui-wireless-controller disable
set hostname "LOCAL"
set internal-switch-mode interface
set timezone 04
end
config system interface
edit "dmz"
set vdom "root"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https http fgfm capwap
set type physical
set snmp-index 1
next
edit "wan2"
set vdom "root"
set mode dhcp
set allowaccess ping fgfm auto-ipsec
set type physical
set snmp-index 2
next
edit "wan1"
set vdom "root"
set ip 182.33.1.1 255.255.255.252
set allowaccess ping https ssh http
set type physical
set alias "Internet"
set snmp-index 3
next
edit "modem"
set vdom "root"
set mode pppoe
set type physical
set snmp-index 4
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 7
next
edit "internal1"
set vdom "root"
set ip 10.22.33.54 255.255.255.0
set allowaccess ping
set type physical
set alias "CONSOLAS"
set device-identification enable
set snmp-index 8
next
edit "internal2"
set vdom "root"
set type physical
set snmp-index 9
next
edit "internal3"
set vdom "root"
set type physical
set snmp-index 10
next
edit "internal4"
set vdom "root"
set type physical
set snmp-index 11
next
edit "internal5"
set vdom "root"
set type physical
set snmp-index 12
next
edit "STS"
set vdom "root"
set type tunnel
set snmp-index 5
set interface "wan1"
next
end
config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
end
config system session-helper
edit 1
set name pptp
set protocol 6
set port 1723
next
edit 2
set name h323
set protocol 6
set port 1720
next
edit 3
set name ras
set protocol 17
set port 1719
next
edit 4
set name tns
set protocol 6
set port 1521
next
edit 5
set name tftp
set protocol 17
set port 69
next
edit 6
set name rtsp
set protocol 6
set port 554
next
edit 7
set name rtsp
set protocol 6
set port 7070
next
edit 8
set name rtsp
set protocol 6
set port 8554
next
edit 9
set name ftp
set protocol 6
set port 21
next
edit 10
set name mms
set protocol 6
set port 1863
next
edit 11
set name pmap
set protocol 6
set port 111
next
edit 12
set name pmap
set protocol 17
set port 111
next
edit 13
set name sip
set protocol 17
set port 5060
next
edit 14
set name dns-udp
set protocol 17
set port 53
next
edit 15
set name rsh
set protocol 6
set port 514
next
edit 16
set name rsh
set protocol 6
set port 512
next
edit 17
set name dcerpc
set protocol 6
set port 135
next
edit 18
set name dcerpc
set protocol 17
set port 135
next
edit 19
set name mgcp
set protocol 17
set port 2427
next
edit 20
set name mgcp
set protocol 17
set port 2727
next
end
config system ntp
set ntpsync enable
set syncinterval 60
end
config system settings
set multicast-ttl-notchange enable
end
config firewall address
edit "SSLVPN_TUNNEL_ADDR1"
set type iprange
set start-ip 10.212.134.200
set end-ip 10.212.134.210
next
edit "all"
next
edit "none"
set subnet 0.0.0.0 255.255.255.255
next
edit "apple"
set type fqdn
set fqdn "*.apple.com"
next
edit "dropbox.com"
set type fqdn
set fqdn "*.dropbox.com"
next
edit "Gotomeeting"
set type fqdn
set fqdn "*.gotomeeting.com"
next
edit "icloud"
set type fqdn
set fqdn "*.icloud.com"
next
edit "itunes"
set type fqdn
set fqdn "*itunes.apple.com"
next
edit "android"
set type fqdn
set fqdn "*.android.com"
next
edit "skype"
set type fqdn
set fqdn "*.messenger.live.com"
next
edit "swscan.apple.com"
set type fqdn
set fqdn "swscan.apple.com"
next
edit "update.microsoft.com"
set type fqdn
set fqdn "update.microsoft.com"
next
edit "appstore"
set type fqdn
set fqdn "*.appstore.com"
next
edit "eease"
set type fqdn
set fqdn "*.eease.com"
next
edit "google-drive"
set type fqdn
set fqdn "*drive.google.com"
next
edit "google-play"
set type fqdn
set fqdn "play.google.com"
next
edit "google-play2"
set type fqdn
set fqdn "*.ggpht.com"
next
edit "google-play3"
set type fqdn
set fqdn "*.books.google.com"
next
edit "microsoft"
set type fqdn
set fqdn "*.microsoft.com"
next
edit "adobe"
set type fqdn
set fqdn "*.adobe.com"
next
edit "Adobe Login"
set type fqdn
set fqdn "*.adobelogin.com"
next
edit "fortinet"
set type fqdn
set fqdn "*.fortinet.com"
next
edit "googleapis.com"
set type fqdn
set fqdn "*.googleapis.com"
next
edit "citrix"
set type fqdn
set fqdn "*.citrixonline.com"
next
edit "verisign"
set type fqdn
set fqdn "*.verisign.com"
next
edit "Windows update 2"
set type fqdn
set fqdn "*.windowsupdate.com"
next
edit "*.live.com"
set type fqdn
set fqdn "*.live.com"
next
edit "auth.gfx.ms"
set type fqdn
set fqdn "auth.gfx.ms"
next
edit "autoupdate.opera.com"
set type fqdn
set fqdn "autoupdate.opera.com"
next
edit "softwareupdate.vmware.com"
set type fqdn
set fqdn "softwareupdate.vmware.com"
next
edit "firefox update server"
set type fqdn
set fqdn "aus*.mozilla.org"
next
edit "STS_local_subnet_1"
set subnet 10.0.0.0 255.0.0.0
next
edit "STS_remote_subnet_1"
set subnet 192.168.1.0 255.255.255.0
next
edit "PC1-REMOTA"
set associated-interface "STS"
set subnet 192.168.1.55 255.255.255.255
next
edit "PC2-REMOTA"
set subnet 192.168.1.56 255.255.255.255
next
end
config firewall multicast-address
edit "all"
set start-ip 224.0.0.0
set end-ip 239.255.255.255
next
edit "all_hosts"
set start-ip 224.0.0.1
set end-ip 224.0.0.1
next
edit "all_routers"
set start-ip 224.0.0.2
set end-ip 224.0.0.2
next
edit "Bonjour"
set start-ip 224.0.0.251
set end-ip 224.0.0.251
next
edit "EIGRP"
set start-ip 224.0.0.10
set end-ip 224.0.0.10
next
edit "OSPF"
set start-ip 224.0.0.5
set end-ip 224.0.0.6
next
edit "audio PRUEBA"
set start-ip 224.0.0.0
set end-ip 239.255.255.255
next
end
config firewall addrgrp
edit "STS_local"
set member "STS_local_subnet_1"
set comment "VPN: STS (Created by VPN wizard)"
next
edit "STS_remote"
set member "STS_remote_subnet_1"
set comment "VPN: STS (Created by VPN wizard)"
next
end
config vpn ipsec phase1-interface
edit "STS"
set interface "wan1"
set comments "VPN: STS (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 182.33.1.2
set psksecret ENC
key key
next
end
config vpn ipsec phase2-interface
edit "STS"
set phase1name "STS"
set comments "VPN: STS (Created by VPN wizard)"
next
end
config firewall ippool
edit "PC1_ROMOTA"
set type one-to-one
set startip 10.22.33.55
set endip 10.22.33.55
next
edit "PC2-REMOTA"
set type one-to-one
set startip 10.22.33.56
set endip 10.22.33.56
next
end
config firewall vip
edit "PC1_ROMOTA"
set extip 10.22.33.55
set extintf "internal1"
set mappedip "192.168.1.55"
next
edit "PC2_ROMOTA"
set extip 10.22.33.56
set extintf "internal1"
set mappedip "192.168.1.56"
next
end
config firewall policy
edit 3
set srcintf "internal1"
set dstintf "STS"
set srcaddr "all"
set dstaddr "PC2_ROMOTA"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: STS (Created by VPN wizard)"
next
edit 1
set srcintf "internal1"
set dstintf "STS"
set srcaddr "all"
set dstaddr "PC1_ROMOTA"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: STS (Created by VPN wizard)"
next
edit 4
set srcintf "STS"
set dstintf "internal1"
set srcaddr "PC2-REMOTA"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: STS (Created by VPN wizard)"
set nat enable
set ippool enable
set poolname "PC2-REMOTA"
next
edit 2
set srcintf "STS"
set dstintf "internal1"
set srcaddr "PC1-REMOTA"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set comments "VPN: STS (Created by VPN wizard)"
set nat enable
set ippool enable
set poolname "PC1_ROMOTA"
next
end
config firewall multicast-policy
edit 1
set logtraffic enable
set srcintf "internal1"
set dstintf "STS"
set srcaddr "all"
set dstaddr "audio PRUEBA"
next
edit 2
set logtraffic enable
set srcintf "STS"
set dstintf "internal1"
set srcaddr "all"
set dstaddr "audio PRUEBA"
next
end
config router static
edit 1
set gateway 10.22.33.1
set device "internal1"
next
edit 2
set dst 192.168.1.0 255.255.255.0
set device "STS"
set comment "VPN: STS (Created by VPN wizard)"
next
edit 3
set dst 10.0.0.0 255.0.0.0
set gateway 10.22.33.1
set distance 1
set device "internal1"
next
end
config router multicast
end
Config FORTIGATE "REMOTO" (summarized). Reviewer notes: firewall policies 1 and 2 between "sw" and "STS" are all/all/service ALL, and policy 3 NATs everything from the local subnet out wan1; this is acceptable for a lab but should be narrowed to the hosts and services actually needed. As on LOCAL, "audio PRUEBA" covers the whole 224.0.0.0/4 range and `config router multicast` is empty, so whether multicast is forwarded depends on the `multicast-forward` setting, which is not shown. The switch-interface "sw" has SPAN enabled mirroring internal1/internal2 to internal5 (L522–530 of the listing); port mirroring copies all traffic, including anything unencrypted, to that port — keep it lab-only. The static route `edit 1` has no destination and points at "STS", so the default route of the remote site goes through the tunnel — confirm that is intended.
#global_vdom=1
config system global
set fgd-alert-subscription advisory latest-threat
set gui-antivirus disable
set gui-application-control disable
set gui-endpoint-control disable
set gui-multicast-policy enable
set gui-wan-load-balancing disable
set gui-webfilter disable
set gui-wireless-controller disable
set hostname "REMOTO"
set internal-switch-mode interface
set timezone 04
end
config system switch-interface
edit "sw"
set vdom "root"
set member "internal1" "internal2" "internal3" "internal4" "internal5"
set span enable
set span-dest-port "internal5"
set span-source-port "internal1" "internal2"
next
end
config system interface
edit "dmz"
set vdom "root"
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https http fgfm capwap
set type physical
set snmp-index 1
next
edit "wan2"
set vdom "root"
set mode dhcp
set allowaccess ping fgfm auto-ipsec
set type physical
set snmp-index 2
next
edit "wan1"
set vdom "root"
set ip 182.33.1.2 255.255.255.252
set allowaccess ping
set type physical
set alias "Internet"
set snmp-index 3
next
edit "modem"
set vdom "root"
set mode pppoe
set type physical
set snmp-index 4
next
edit "ssl.root"
set vdom "root"
set type tunnel
set alias "SSL VPN interface"
set snmp-index 7
next
edit "internal1"
set vdom "root"
set type physical
set snmp-index 9
next
edit "internal2"
set vdom "root"
set type physical
set snmp-index 10
next
edit "internal3"
set vdom "root"
set type physical
set snmp-index 11
next
edit "internal4"
set vdom "root"
set type physical
set snmp-index 12
next
edit "internal5"
set vdom "root"
set type physical
set snmp-index 13
next
edit "sw"
set vdom "root"
set ip 192.168.1.1 255.255.255.0
set allowaccess ping https ssh http
set type switch
set device-identification enable
set snmp-index 6
next
edit "STS"
set vdom "root"
set type tunnel
set snmp-index 5
set interface "wan1"
next
end
config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
end
config system session-helper
edit 1
set name pptp
set protocol 6
set port 1723
next
edit 2
set name h323
set protocol 6
set port 1720
next
edit 3
set name ras
set protocol 17
set port 1719
next
edit 4
set name tns
set protocol 6
set port 1521
next
edit 5
set name tftp
set protocol 17
set port 69
next
edit 6
set name rtsp
set protocol 6
set port 554
next
edit 7
set name rtsp
set protocol 6
set port 7070
next
edit 8
set name rtsp
set protocol 6
set port 8554
next
edit 9
set name ftp
set protocol 6
set port 21
next
edit 10
set name mms
set protocol 6
set port 1863
next
edit 11
set name pmap
set protocol 6
set port 111
next
edit 12
set name pmap
set protocol 17
set port 111
next
edit 13
set name sip
set protocol 17
set port 5060
next
edit 14
set name dns-udp
set protocol 17
set port 53
next
edit 15
set name rsh
set protocol 6
set port 514
next
edit 16
set name rsh
set protocol 6
set port 512
next
edit 17
set name dcerpc
set protocol 6
set port 135
next
edit 18
set name dcerpc
set protocol 17
set port 135
next
edit 19
set name mgcp
set protocol 17
set port 2427
next
edit 20
set name mgcp
set protocol 17
set port 2727
next
end
config system ntp
set ntpsync enable
set syncinterval 60
end
config system settings
set multicast-ttl-notchange enable
end
config firewall address
edit "SSLVPN_TUNNEL_ADDR1"
set type iprange
set start-ip 10.212.134.200
set end-ip 10.212.134.210
next
edit "all"
next
edit "none"
set subnet 0.0.0.0 255.255.255.255
next
edit "apple"
set type fqdn
set fqdn "*.apple.com"
next
edit "dropbox.com"
set type fqdn
set fqdn "*.dropbox.com"
next
edit "Gotomeeting"
set type fqdn
set fqdn "*.gotomeeting.com"
next
edit "icloud"
set type fqdn
set fqdn "*.icloud.com"
next
edit "itunes"
set type fqdn
set fqdn "*itunes.apple.com"
next
edit "android"
set type fqdn
set fqdn "*.android.com"
next
edit "skype"
set type fqdn
set fqdn "*.messenger.live.com"
next
edit "swscan.apple.com"
set type fqdn
set fqdn "swscan.apple.com"
next
edit "update.microsoft.com"
set type fqdn
set fqdn "update.microsoft.com"
next
edit "appstore"
set type fqdn
set fqdn "*.appstore.com"
next
edit "eease"
set type fqdn
set fqdn "*.eease.com"
next
edit "google-drive"
set type fqdn
set fqdn "*drive.google.com"
next
edit "google-play"
set type fqdn
set fqdn "play.google.com"
next
edit "google-play2"
set type fqdn
set fqdn "*.ggpht.com"
next
edit "google-play3"
set type fqdn
set fqdn "*.books.google.com"
next
edit "microsoft"
set type fqdn
set fqdn "*.microsoft.com"
next
edit "adobe"
set type fqdn
set fqdn "*.adobe.com"
next
edit "Adobe Login"
set type fqdn
set fqdn "*.adobelogin.com"
next
edit "fortinet"
set type fqdn
set fqdn "*.fortinet.com"
next
edit "googleapis.com"
set type fqdn
set fqdn "*.googleapis.com"
next
edit "citrix"
set type fqdn
set fqdn "*.citrixonline.com"
next
edit "verisign"
set type fqdn
set fqdn "*.verisign.com"
next
edit "Windows update 2"
set type fqdn
set fqdn "*.windowsupdate.com"
next
edit "*.live.com"
set type fqdn
set fqdn "*.live.com"
next
edit "auth.gfx.ms"
set type fqdn
set fqdn "auth.gfx.ms"
next
edit "autoupdate.opera.com"
set type fqdn
set fqdn "autoupdate.opera.com"
next
edit "softwareupdate.vmware.com"
set type fqdn
set fqdn "softwareupdate.vmware.com"
next
edit "firefox update server"
set type fqdn
set fqdn "aus*.mozilla.org"
next
edit "STS_local_subnet_1"
set subnet 192.168.1.0 255.255.255.0
next
edit "STS_remote_subnet_1"
set subnet 10.0.0.0 255.0.0.0
next
end
config firewall multicast-address
edit "all"
set start-ip 224.0.0.0
set end-ip 239.255.255.255
next
edit "all_hosts"
set start-ip 224.0.0.1
set end-ip 224.0.0.1
next
edit "all_routers"
set start-ip 224.0.0.2
set end-ip 224.0.0.2
next
edit "Bonjour"
set start-ip 224.0.0.251
set end-ip 224.0.0.251
next
edit "EIGRP"
set start-ip 224.0.0.10
set end-ip 224.0.0.10
next
edit "OSPF"
set start-ip 224.0.0.5
set end-ip 224.0.0.6
next
edit "audio PRUEBA"
set start-ip 224.0.0.0
set end-ip 239.255.255.255
next
end
config firewall addrgrp
edit "STS_local"
set member "STS_local_subnet_1"
set comment "VPN: STS (Created by VPN wizard)"
next
edit "STS_remote"
set member "STS_remote_subnet_1"
set comment "VPN: STS (Created by VPN wizard)"
next
end
config vpn ipsec phase1-interface
edit "STS"
set interface "wan1"
set comments "VPN: STS (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 182.33.1.1
set psksecret ENC
KEY.KEY
next
end
config vpn ipsec phase2-interface
edit "STS"
set phase1name "STS"
set comments "VPN: STS (Created by VPN wizard)"
next
end
config firewall policy
edit 1
set srcintf "sw"
set dstintf "STS"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: STS (Created by VPN wizard)"
next
edit 2
set srcintf "STS"
set dstintf "sw"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set comments "VPN: STS (Created by VPN wizard)"
next
edit 3
set srcintf "sw"
set dstintf "wan1"
set srcaddr "STS_local_subnet_1"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
end
config firewall multicast-policy
edit 1
set srcintf "STS"
set dstintf "sw"
set srcaddr "all"
set dstaddr "audio PRUEBA"
next
edit 2
set srcintf "sw"
set dstintf "STS"
set srcaddr "all"
set dstaddr "audio PRUEBA"
next
end
config router static
edit 1
set priority 1
set device "STS"
next
edit 2
set dst 10.0.0.0 255.0.0.0
set distance 1
set device "STS"
set comment "VPN: STS (Created by VPN wizard)"
next
end
config router multicast
end
Please excuse my English.
Thank you very much in advance. Regards, Mario.