mariotc

Multicast forwarding in extended LAN using VPN StS.

Good day. I have been looking for a solution to this problem for quite some time. What I need is to extend, through a site-to-site (StS) VPN, a subnet that carries multicast traffic. I managed to extend the LAN without problems using virtual IPs and NAT; the problem is that I cannot pass the multicast. I need to extend the LAN because I do not have administrative access to the router that connects the LAN in question, which is why I am forced to extend it. I am attaching a diagram of a lab I set up to run the tests; the IP segments are test addresses, so only the structure matters. At both ends of the StS I use FortiGate 60C units.

Attached are the summarized configs of each FortiGate in my lab, and the diagram.

Config FORTIGATE "LOCAL"

#global_vdom=1
# LOCAL FortiGate: global settings. The gui-* switches only show or hide GUI
# pages (gui-multicast-policy enable exposes the multicast policy editor); they
# do not change how the unit forwards traffic.
config system global
    set fgd-alert-subscription advisory latest-threat
    set gui-antivirus disable
    set gui-application-control disable
    set gui-endpoint-control disable
    set gui-local-in-policy enable
    set gui-multicast-policy enable
    set gui-wan-load-balancing disable
    set gui-webfilter disable
    set gui-wireless-controller disable
    set hostname "LOCAL"
    set internal-switch-mode interface
    set timezone 04
end
# LOCAL FortiGate: interfaces. Review notes focus on the management surface
# (allowaccess) and on the two interfaces the tunnel actually uses.
config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        # Management (incl. plaintext http) and fgfm/capwap are open on dmz;
        # presumably factory defaults - trim if nothing is connected here.
        set allowaccess ping https http fgfm capwap
        set type physical
        set snmp-index 1
    next
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm auto-ipsec
        set type physical
        set snmp-index 2
    next
    edit "wan1"
        set vdom "root"
        set ip 182.33.1.1 255.255.255.252
        # NOTE(review): https, ssh and plaintext http are exposed on the
        # Internet-facing interface (alias "Internet"). The REMOTO peer's wan1
        # allows ping only; do the same here, or at least drop http and bind
        # the admin accounts to trusted hosts. Only the IPsec peer needs to
        # reach this address.
        set allowaccess ping https ssh http
        set type physical
        set alias "Internet"
        set snmp-index 3
    next
    edit "modem"
        set vdom "root"
        set mode pppoe
        set type physical
        set snmp-index 4
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 7
    next
    edit "internal1"
        set vdom "root"
        # The LAN being "extended": 10.22.33.0/24, LAN gateway 10.22.33.1 (see
        # config router static). The VIPs 10.22.33.55/.56 live on this subnet.
        set ip 10.22.33.54 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "CONSOLAS"
        set device-identification enable
        set snmp-index 8
    next
    edit "internal2"
        set vdom "root"
        set type physical
        set snmp-index 9
    next
    edit "internal3"
        set vdom "root"
        set type physical
        set snmp-index 10
    next
    edit "internal4"
        set vdom "root"
        set type physical
        set snmp-index 11
    next
    edit "internal5"
        set vdom "root"
        set type physical
        set snmp-index 12
    next
    edit "STS"
        set vdom "root"
        # Route-based IPsec tunnel interface created by the VPN wizard, bound
        # to wan1. Multicast policies below reference it by this name.
        set type tunnel
        set snmp-index 5
        set interface "wan1"
    next
end
# Resolver: FortiGuard DNS (208.91.112.x); not relevant to the multicast issue.
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
# Session helpers (ALGs). These track unicast TCP/UDP control channels and open
# dynamic pinholes for them; they play no part in multicast forwarding.
# Hardening note: helpers for protocols not used on this LAN (e.g. rsh, pmap,
# dcerpc, tftp) can be deleted so they cannot open pinholes on traffic that
# merely happens to use those ports.
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name h323
        set protocol 6
        set port 1720
    next
    edit 3
        set name ras
        set protocol 17
        set port 1719
    next
    edit 4
        set name tns
        set protocol 6
        set port 1521
    next
    edit 5
        set name tftp
        set protocol 17
        set port 69
    next
    edit 6
        set name rtsp
        set protocol 6
        set port 554
    next
    edit 7
        set name rtsp
        set protocol 6
        set port 7070
    next
    edit 8
        set name rtsp
        set protocol 6
        set port 8554
    next
    edit 9
        set name ftp
        set protocol 6
        set port 21
    next
    edit 10
        set name mms
        set protocol 6
        set port 1863
    next
    edit 11
        set name pmap
        set protocol 6
        set port 111
    next
    edit 12
        set name pmap
        set protocol 17
        set port 111
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
    edit 14
        set name dns-udp
        set protocol 17
        set port 53
    next
    edit 15
        set name rsh
        set protocol 6
        set port 514
    next
    edit 16
        set name rsh
        set protocol 6
        set port 512
    next
    edit 17
        set name dcerpc
        set protocol 6
        set port 135
    next
    edit 18
        set name dcerpc
        set protocol 17
        set port 135
    next
    edit 19
        set name mgcp
        set protocol 17
        set port 2427
    next
    edit 20
        set name mgcp
        set protocol 17
        set port 2727
    next
end
# Time sync enabled (needed for sane log timestamps when comparing the two
# units' traffic logs during troubleshooting).
config system ntp
    set ntpsync enable
    set syncinterval 60
end
# multicast-ttl-notchange keeps the IP TTL of forwarded multicast packets
# intact instead of decrementing it. It does not by itself turn on
# multicast forwarding: that is the separate "multicast-forward" option of
# this same stanza (not shown here - verify its value with
# "get system settings"). NOTE(review): as I recall, FortiGate multicast
# forwarding without PIM still drops multicast arriving with TTL 1, so
# confirm the test application sends with a TTL greater than 1.
config system settings
    set multicast-ttl-notchange enable
end
# Address objects. Everything up to "firefox update server" is the default
# FQDN object set; only the last four entries belong to this lab.
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "all"
    next
    edit "none"
        set subnet 0.0.0.0 255.255.255.255
    next
    edit "apple"
        set type fqdn
        set fqdn "*.apple.com"
    next
    edit "dropbox.com"
        set type fqdn
        set fqdn "*.dropbox.com"
    next
    edit "Gotomeeting"
        set type fqdn
        set fqdn "*.gotomeeting.com"
    next
    edit "icloud"
        set type fqdn
        set fqdn "*.icloud.com"
    next
    edit "itunes"
        set type fqdn
        set fqdn "*itunes.apple.com"
    next
    edit "android"
        set type fqdn
        set fqdn "*.android.com"
    next
    edit "skype"
        set type fqdn
        set fqdn "*.messenger.live.com"
    next
    edit "swscan.apple.com"
        set type fqdn
        set fqdn "swscan.apple.com"
    next
    edit "update.microsoft.com"
        set type fqdn
        set fqdn "update.microsoft.com"
    next
    edit "appstore"
        set type fqdn
        set fqdn "*.appstore.com"
    next
    edit "eease"
        set type fqdn
        set fqdn "*.eease.com"
    next
    edit "google-drive"
        set type fqdn
        set fqdn "*drive.google.com"
    next
    edit "google-play"
        set type fqdn
        set fqdn "play.google.com"
    next
    edit "google-play2"
        set type fqdn
        set fqdn "*.ggpht.com"
    next
    edit "google-play3"
        set type fqdn
        set fqdn "*.books.google.com"
    next
    edit "microsoft"
        set type fqdn
        set fqdn "*.microsoft.com"
    next
    edit "adobe"
        set type fqdn
        set fqdn "*.adobe.com"
    next
    edit "Adobe Login"
        set type fqdn
        set fqdn "*.adobelogin.com"
    next
    edit "fortinet"
        set type fqdn
        set fqdn "*.fortinet.com"
    next
    edit "googleapis.com"
        set type fqdn
        set fqdn "*.googleapis.com"
    next
    edit "citrix"
        set type fqdn
        set fqdn "*.citrixonline.com"
    next
    edit "verisign"
        set type fqdn
        set fqdn "*.verisign.com"
    next
    edit "Windows update 2"
        set type fqdn
        set fqdn "*.windowsupdate.com"
    next
    edit "*.live.com"
        set type fqdn
        set fqdn "*.live.com"
    next
    edit "auth.gfx.ms"
        set type fqdn
        set fqdn "auth.gfx.ms"
    next
    edit "autoupdate.opera.com"
        set type fqdn
        set fqdn "autoupdate.opera.com"
    next
    edit "softwareupdate.vmware.com"
        set type fqdn
        set fqdn "softwareupdate.vmware.com"
    next
    edit "firefox update server"
        set type fqdn
        set fqdn "aus*.mozilla.org"
    next
    edit "STS_local_subnet_1"
        # Wizard "local subnet" is the whole 10.0.0.0/8, although the LAN
        # behind internal1 is 10.22.33.0/24. Tightening it to the real /24
        # limits what the remote site is told it can reach through the tunnel.
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "STS_remote_subnet_1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "PC1-REMOTA"
        # Bound to the STS interface; PC2-REMOTA below is not - presumably an
        # oversight, the two objects are otherwise used identically.
        set associated-interface "STS"
        set subnet 192.168.1.55 255.255.255.255
    next
    edit "PC2-REMOTA"
        set subnet 192.168.1.56 255.255.255.255
    next
end
# Multicast group objects. The default entries (all, all_hosts, all_routers,
# Bonjour, EIGRP, OSPF) are unused by the policies below.
config firewall multicast-address
    edit "all"
        set start-ip 224.0.0.0
        set end-ip 239.255.255.255
    next
    edit "all_hosts"
        set start-ip 224.0.0.1
        set end-ip 224.0.0.1
    next
    edit "all_routers"
        set start-ip 224.0.0.2
        set end-ip 224.0.0.2
    next
    edit "Bonjour"
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
    edit "EIGRP"
        set start-ip 224.0.0.10
        set end-ip 224.0.0.10
    next
    edit "OSPF"
        set start-ip 224.0.0.5
        set end-ip 224.0.0.6
    next
    edit "audio PRUEBA"
        # NOTE(review): this is the entire 224.0.0.0/4 - identical to "all".
        # The multicast policies that use it therefore let every group cross
        # the tunnel, including the link-local control range 224.0.0.0/24
        # (OSPF, EIGRP, mDNS above). Narrow it to the group the audio test
        # actually uses once forwarding works.
        set start-ip 224.0.0.0
        set end-ip 239.255.255.255
    next
end
# Wizard-generated address groups. Note that none of the firewall policies
# below reference them (they use the VIPs and PCx-REMOTA objects instead).
config firewall addrgrp
    edit "STS_local"
        set member "STS_local_subnet_1"
        set comment "VPN: STS (Created by VPN wizard)"
    next
    edit "STS_remote"
        set member "STS_remote_subnet_1"
        set comment "VPN: STS (Created by VPN wizard)"
    next
end

# IKE phase 1 to the REMOTO peer (182.33.1.2) with pre-shared-key
# authentication. The encrypted PSK has been replaced by a placeholder before
# posting ("key key") - correct practice, keep doing that for ENC values.
config vpn ipsec phase1-interface
    edit "STS"
        set interface "wan1"
        set comments "VPN: STS (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 182.33.1.2
        set psksecret ENC
      key key
    next
end
# Phase 2. No traffic selectors are shown, so the defaults apply; for
# multicast to be encapsulated the selectors must cover the 224.0.0.0/4
# destinations (the wizard's 0.0.0.0/0 defaults would, but verify on the box).
config vpn ipsec phase2-interface
    edit "STS"
        set phase1name "STS"
        set comments "VPN: STS (Created by VPN wizard)"
    next
end
# One-to-one IP pools: source-NAT the remote PCs to LAN addresses so LOCAL
# hosts see them as 10.22.33.55/.56. Names are inconsistent ("PC1_ROMOTA" vs
# "PC2-REMOTA"), which makes the policy references below easy to misread.
config firewall ippool
    edit "PC1_ROMOTA"
        set type one-to-one
        set startip 10.22.33.55
        set endip 10.22.33.55
    next
    edit "PC2-REMOTA"
        set type one-to-one
        set startip 10.22.33.56
        set endip 10.22.33.56
    next
end
# Destination-NAT VIPs: LAN hosts reach 10.22.33.55/.56 and are translated to
# the remote 192.168.1.55/.56. NOTE(review): VIPs and IP pools operate on
# unicast sessions only; multicast groups (224.0.0.0/4) are never matched or
# translated by them, so the "extended LAN" built here does not extend to
# multicast. That traffic has to be forwarded as multicast (multicast policy
# plus multicast routing/forwarding) or the LAN extended at layer 2.
config firewall vip
    edit "PC1_ROMOTA"
        set extip 10.22.33.55
        set extintf "internal1"
        set mappedip "192.168.1.55"
    next
    edit "PC2_ROMOTA"
        set extip 10.22.33.56
        set extintf "internal1"
        set mappedip "192.168.1.56"
    next
end
# Unicast firewall policies (these never match multicast; see the
# multicast-policy stanza for that). Outbound policies 3 and 1 only allow
# traffic to the two VIPs, which is a reasonable restriction; inbound 4 and 2
# allow the two remote PCs to anything on internal1 with service ALL - fine
# for a lab, tighten the service list before production use.
config firewall policy
    edit 3
        set srcintf "internal1"
        set dstintf "STS"
        set srcaddr "all"
        set dstaddr "PC2_ROMOTA"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: STS (Created by VPN wizard)"
    next
    edit 1
        set srcintf "internal1"
        set dstintf "STS"
        set srcaddr "all"
        set dstaddr "PC1_ROMOTA"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: STS (Created by VPN wizard)"
    next
    edit 4
        set srcintf "STS"
        set dstintf "internal1"
        set srcaddr "PC2-REMOTA"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: STS (Created by VPN wizard)"
        # Source NAT to 10.22.33.56 via the one-to-one pool.
        set nat enable
        set ippool enable
        set poolname "PC2-REMOTA"
    next
    edit 2
        set srcintf "STS"
        set dstintf "internal1"
        set srcaddr "PC1-REMOTA"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: STS (Created by VPN wizard)"
        # Source NAT to 10.22.33.55 via the one-to-one pool.
        set nat enable
        set ippool enable
        set poolname "PC1_ROMOTA"
    next
end
# Multicast policies in both directions between the LAN and the tunnel.
# A multicast policy only permits packets; it does not make the FortiGate
# answer or relay IGMP membership reports. With "config router multicast"
# left empty on both units (no multicast-routing / PIM), receivers on one
# side cannot signal their joins to the other, and delivery depends entirely
# on plain multicast forwarding being enabled and on the source's TTL.
# Logging is enabled here but not on the REMOTO side - enable it there too
# so both ends can be compared.
config firewall multicast-policy
    edit 1
        set logtraffic enable
        set srcintf "internal1"
        set dstintf "STS"
        set srcaddr "all"
        # "audio PRUEBA" is currently all of 224.0.0.0/4.
        set dstaddr "audio PRUEBA"
    next
    edit 2
        set logtraffic enable
        set srcintf "STS"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "audio PRUEBA"
    next
end
# Static routes. The default route (edit 1) goes out internal1 to the LAN
# router 10.22.33.1, not out wan1, so wan1 carries only the IPsec traffic to
# 182.33.1.2 (a connected /30). Edit 3 sends the rest of 10.0.0.0/8 to the
# same LAN router; edit 2 sends the remote LAN into the tunnel.
config router static
    edit 1
        set gateway 10.22.33.1
        set device "internal1"
    next
    edit 2
        set dst 192.168.1.0 255.255.255.0
        set device "STS"
        set comment "VPN: STS (Created by VPN wizard)"
    next
    edit 3
        set dst 10.0.0.0 255.0.0.0
        set gateway 10.22.33.1
        set distance 1
        set device "internal1"
    next
end
# Empty: multicast routing is not enabled ("set multicast-routing enable" is
# absent) and neither internal1 nor STS has PIM/IGMP configured. This is the
# most likely reason multicast never crosses the tunnel - the same stanza is
# empty on REMOTO. Enabling multicast routing with PIM on the tunnel and LAN
# interfaces is the documented way to carry multicast over a route-based
# IPsec tunnel; plain forwarding via multicast policies is the fallback.
config router multicast
end

 

Config FORTIGATE "REMOTO"

#global_vdom=1
# REMOTO FortiGate: global settings, same GUI feature toggles as LOCAL
# (gui-local-in-policy is not enabled here, purely a GUI difference).
config system global
    set fgd-alert-subscription advisory latest-threat
    set gui-antivirus disable
    set gui-application-control disable
    set gui-endpoint-control disable
    set gui-multicast-policy enable
    set gui-wan-load-balancing disable
    set gui-webfilter disable
    set gui-wireless-controller disable
    set hostname "REMOTO"
    set internal-switch-mode interface
    set timezone 04
end
# Software switch "sw" bundling internal1-5 as the remote LAN (192.168.1.0/24,
# see config system interface). SPAN is enabled: all traffic on internal1 and
# internal2 is mirrored to internal5. Useful for capturing the multicast test,
# but anything plugged into internal5 sees that traffic - disable the mirror
# when not capturing.
config system switch-interface
    edit "sw"
        set vdom "root"
        set member "internal1" "internal2" "internal3" "internal4" "internal5"
        set span enable
        set span-dest-port "internal5"
        set span-source-port "internal1" "internal2"
    next
end
# REMOTO FortiGate: interfaces.
config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        # Same open dmz management set as on LOCAL; presumably factory default.
        set allowaccess ping https http fgfm capwap
        set type physical
        set snmp-index 1
    next
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm auto-ipsec
        set type physical
        set snmp-index 2
    next
    edit "wan1"
        set vdom "root"
        set ip 182.33.1.2 255.255.255.252
        # Internet-facing interface allows ping only - this is the posture the
        # LOCAL unit's wan1 should match.
        set allowaccess ping
        set type physical
        set alias "Internet"
        set snmp-index 3
    next
    edit "modem"
        set vdom "root"
        set mode pppoe
        set type physical
        set snmp-index 4
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 7
    next
    edit "internal1"
        set vdom "root"
        set type physical
        set snmp-index 9
    next
    edit "internal2"
        set vdom "root"
        set type physical
        set snmp-index 10
    next
    edit "internal3"
        set vdom "root"
        set type physical
        set snmp-index 11
    next
    edit "internal4"
        set vdom "root"
        set type physical
        set snmp-index 12
    next
    edit "internal5"
        set vdom "root"
        set type physical
        set snmp-index 13
    next
    edit "sw"
        set vdom "root"
        # Remote LAN where the multicast source / PC1 and PC2 (192.168.1.55/.56)
        # sit. Management is on the LAN side only; plaintext http could still
        # be dropped in favour of https.
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh http
        set type switch
        set device-identification enable
        set snmp-index 6
    next
    edit "STS"
        set vdom "root"
        # Tunnel interface toward LOCAL, bound to wan1.
        set type tunnel
        set snmp-index 5
        set interface "wan1"
    next
end
# Resolver: FortiGuard DNS, same as LOCAL.
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
# Default session-helper (ALG) table, identical to LOCAL. Unicast only; no
# bearing on multicast. Unused helpers can be removed as a hardening measure.
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name h323
        set protocol 6
        set port 1720
    next
    edit 3
        set name ras
        set protocol 17
        set port 1719
    next
    edit 4
        set name tns
        set protocol 6
        set port 1521
    next
    edit 5
        set name tftp
        set protocol 17
        set port 69
    next
    edit 6
        set name rtsp
        set protocol 6
        set port 554
    next
    edit 7
        set name rtsp
        set protocol 6
        set port 7070
    next
    edit 8
        set name rtsp
        set protocol 6
        set port 8554
    next
    edit 9
        set name ftp
        set protocol 6
        set port 21
    next
    edit 10
        set name mms
        set protocol 6
        set port 1863
    next
    edit 11
        set name pmap
        set protocol 6
        set port 111
    next
    edit 12
        set name pmap
        set protocol 17
        set port 111
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
    edit 14
        set name dns-udp
        set protocol 17
        set port 53
    next
    edit 15
        set name rsh
        set protocol 6
        set port 514
    next
    edit 16
        set name rsh
        set protocol 6
        set port 512
    next
    edit 17
        set name dcerpc
        set protocol 6
        set port 135
    next
    edit 18
        set name dcerpc
        set protocol 17
        set port 135
    next
    edit 19
        set name mgcp
        set protocol 17
        set port 2427
    next
    edit 20
        set name mgcp
        set protocol 17
        set port 2727
    next
end
# Time sync, same as LOCAL.
config system ntp
    set ntpsync enable
    set syncinterval 60
end
# TTL of forwarded multicast is left unchanged, as on LOCAL. The
# "multicast-forward" option of this stanza is not shown - check it with
# "get system settings" on both units.
config system settings
    set multicast-ttl-notchange enable
end
# Address objects: the default FQDN set plus the two wizard subnets. Unlike
# LOCAL there are no per-host objects here; the REMOTO policies use "all".
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "all"
    next
    edit "none"
        set subnet 0.0.0.0 255.255.255.255
    next
    edit "apple"
        set type fqdn
        set fqdn "*.apple.com"
    next
    edit "dropbox.com"
        set type fqdn
        set fqdn "*.dropbox.com"
    next
    edit "Gotomeeting"
        set type fqdn
        set fqdn "*.gotomeeting.com"
    next
    edit "icloud"
        set type fqdn
        set fqdn "*.icloud.com"
    next
    edit "itunes"
        set type fqdn
        set fqdn "*itunes.apple.com"
    next
    edit "android"
        set type fqdn
        set fqdn "*.android.com"
    next
    edit "skype"
        set type fqdn
        set fqdn "*.messenger.live.com"
    next
    edit "swscan.apple.com"
        set type fqdn
        set fqdn "swscan.apple.com"
    next
    edit "update.microsoft.com"
        set type fqdn
        set fqdn "update.microsoft.com"
    next
    edit "appstore"
        set type fqdn
        set fqdn "*.appstore.com"
    next
    edit "eease"
        set type fqdn
        set fqdn "*.eease.com"
    next
    edit "google-drive"
        set type fqdn
        set fqdn "*drive.google.com"
    next
    edit "google-play"
        set type fqdn
        set fqdn "play.google.com"
    next
    edit "google-play2"
        set type fqdn
        set fqdn "*.ggpht.com"
    next
    edit "google-play3"
        set type fqdn
        set fqdn "*.books.google.com"
    next
    edit "microsoft"
        set type fqdn
        set fqdn "*.microsoft.com"
    next
    edit "adobe"
        set type fqdn
        set fqdn "*.adobe.com"
    next
    edit "Adobe Login"
        set type fqdn
        set fqdn "*.adobelogin.com"
    next
    edit "fortinet"
        set type fqdn
        set fqdn "*.fortinet.com"
    next
    edit "googleapis.com"
        set type fqdn
        set fqdn "*.googleapis.com"
    next
    edit "citrix"
        set type fqdn
        set fqdn "*.citrixonline.com"
    next
    edit "verisign"
        set type fqdn
        set fqdn "*.verisign.com"
    next
    edit "Windows update 2"
        set type fqdn
        set fqdn "*.windowsupdate.com"
    next
    edit "*.live.com"
        set type fqdn
        set fqdn "*.live.com"
    next
    edit "auth.gfx.ms"
        set type fqdn
        set fqdn "auth.gfx.ms"
    next
    edit "autoupdate.opera.com"
        set type fqdn
        set fqdn "autoupdate.opera.com"
    next
    edit "softwareupdate.vmware.com"
        set type fqdn
        set fqdn "softwareupdate.vmware.com"
    next
    edit "firefox update server"
        set type fqdn
        set fqdn "aus*.mozilla.org"
    next
    edit "STS_local_subnet_1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "STS_remote_subnet_1"
        # Mirror of LOCAL's /8; the actual far-end LAN is 10.22.33.0/24.
        set subnet 10.0.0.0 255.0.0.0
    next
end
# Multicast group objects, identical to LOCAL.
config firewall multicast-address
    edit "all"
        set start-ip 224.0.0.0
        set end-ip 239.255.255.255
    next
    edit "all_hosts"
        set start-ip 224.0.0.1
        set end-ip 224.0.0.1
    next
    edit "all_routers"
        set start-ip 224.0.0.2
        set end-ip 224.0.0.2
    next
    edit "Bonjour"
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
    edit "EIGRP"
        set start-ip 224.0.0.10
        set end-ip 224.0.0.10
    next
    edit "OSPF"
        set start-ip 224.0.0.5
        set end-ip 224.0.0.6
    next
    edit "audio PRUEBA"
        # Whole 224.0.0.0/4 again; narrow to the real test group once it works.
        set start-ip 224.0.0.0
        set end-ip 239.255.255.255
    next
end
# Wizard-generated groups; not referenced by the REMOTO policies below.
config firewall addrgrp
    edit "STS_local"
        set member "STS_local_subnet_1"
        set comment "VPN: STS (Created by VPN wizard)"
    next
    edit "STS_remote"
        set member "STS_remote_subnet_1"
        set comment "VPN: STS (Created by VPN wizard)"
    next
end
# IKE phase 1 toward LOCAL (182.33.1.1), PSK authentication; the encrypted
# key was replaced by a placeholder ("KEY.KEY") before posting.
config vpn ipsec phase1-interface
    edit "STS"
        set interface "wan1"
        set comments "VPN: STS (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 182.33.1.1
        set psksecret ENC
      KEY.KEY
    next
end
# Phase 2 with default (unshown) selectors; must match LOCAL's and cover
# the multicast destination range.
config vpn ipsec phase2-interface
    edit "STS"
        set phase1name "STS"
        set comments "VPN: STS (Created by VPN wizard)"
    next
end

# Unicast policies. 1 and 2 are all/all/ALL between the LAN and the tunnel,
# so the remote site fully trusts whatever arrives over STS (LOCAL, by
# contrast, restricts inbound to the two PC objects). 1 and 2 also lack
# "set logtraffic all", so this side produces no session logs for the VPN
# traffic while LOCAL logs everything - add it while troubleshooting.
config firewall policy
    edit 1
        set srcintf "sw"
        set dstintf "STS"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: STS (Created by VPN wizard)"
    next
    edit 2
        set srcintf "STS"
        set dstintf "sw"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: STS (Created by VPN wizard)"
    next
    edit 3
        # Internet breakout with source NAT. With the default route pointing
        # at STS (config router static, edit 1) this policy is only hit for
        # destinations routed out wan1, i.e. presumably just the connected /30.
        set srcintf "sw"
        set dstintf "wan1"
        set srcaddr "STS_local_subnet_1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
# Multicast policies between the tunnel and the LAN switch. Unlike LOCAL's
# copies these have no "set logtraffic enable", so REMOTO gives no evidence of
# whether multicast ever matches here - enable it on both entries. As on
# LOCAL, a multicast policy only permits packets; with "config router
# multicast" empty there is no IGMP/PIM exchange across the tunnel.
config firewall multicast-policy
    edit 1
        set srcintf "STS"
        set dstintf "sw"
        set srcaddr "all"
        set dstaddr "audio PRUEBA"
    next
    edit 2
        set srcintf "sw"
        set dstintf "STS"
        set srcaddr "all"
        set dstaddr "audio PRUEBA"
    next
end
# Static routes. Edit 1 has no dst, so it is the default route, sent into
# the tunnel: all non-local traffic from the remote LAN reaches LOCAL over
# STS and is then subject to LOCAL's inbound policies and NAT pools. Edit 2
# is the wizard's route for the far-end /8.
config router static
    edit 1
        set priority 1
        set device "STS"
    next
    edit 2
        set dst 10.0.0.0 255.0.0.0
        set distance 1
        set device "STS"
        set comment "VPN: STS (Created by VPN wizard)"
    next
end
# Empty, as on LOCAL: no "set multicast-routing enable" and no PIM/IGMP on
# sw or STS. Both units need this configured (or plain multicast forwarding
# confirmed enabled) before multicast can cross the tunnel.
config router multicast
end

 

 

 

Please excuse my English.

Thank you very much in advance. Regards, Mario.
