Dear Concern,
We have a FortiGate 300C on which we are able to receive broadcasts on physical interfaces from our server on specific UDP ports.
We have clients connecting to us on our FortiGate via the public network (Internet). Clients connect to us over a dialup IPsec tunnel using FortiClient from their respective endpoints, and we want to forward the same broadcast information to them.
When the VPN is connected, clients are not able to receive the real-time broadcast on their systems. When the same client IP is connected directly to the firewall without VPN, the broadcast starts forwarding, but on VPN the numbers are stuck unless we close the application on the client and restart it. Upon restart, the numbers that appear on the screen are different from the previous ones, which means that the numbers have refreshed.
We have enabled broadcast-forward on the tunnel and physical interface, but still no luck.
Please suggest any way we can receive broadcasts with destination IP 255.255.255.255 from application source IP x.x.x.x using a custom dialup user tunnel.
Regards,
Arshad
No router, FortiGate included, will forward packets with the limited broadcast address 255.255.255.255, as described in RFC 919 and RFC 922. It's not a routable address, unlike 10.255.255.255 or 192.168.255.255.
If it's UDP packets for application updates, that's not broadcast; instead it's unicast from the server to individual IPs on the clients. The problem is likely that you don't have a policy from the server/internal interface toward your SSL VPN interface. Config examples for SSL VPN assume all sessions are from client to server over TCP, or out to in. They don't assume any random UDP packets toward the clients, or in to out.
UDP packets are forwarded from the application server to the client end to feed real-time information into the application portal.
Over VPN the application logs in and we have no issues with application functionality, but the UDP broadcast is not available.
Policies have been made, but we are still unable to find a way to transmit the broadcast over the dialup VPN (users connecting from the Internet) to allow real-time information visibility at the client end.
I thought it was an SSL VPN, for which we fixed a similar problem before with UDP update packets from a server. If it's really an L2 broadcast like 192.168.255.255/16, it wouldn't be able to cross the boundary of a broadcast domain. Did you sniff it with Wireshark connected to the server's local network to see the actual packet header?
Thanks for your suggestion.
Can we convert the broadcast to unicast and then forward it to the client end, or would a router be mandatory for this purpose?
If yes, what is the command to convert broadcast to unicast? Please suggest.
Regards,
Shoaib Hassan
Whatever the application is, it should have a setting to specify whether broadcast (all clients are local) or unicast (clients may not be local) is used for soliciting update packets.
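The two points the replies above turn on, checking the actual destination in the sniffed header (limited broadcast vs. a subnet-directed broadcast vs. unicast) and what "converting broadcast to unicast" actually entails at the packet level, as an added example that is not part of the original thread or of any Fortinet code. The datagram, the server address 10.10.10.5, the client address 172.16.20.7, the LAN 192.168.0.0/16 and the UDP port 5000 are constructed for the illustration; the thread's own answer is that the application should be switched to unicast itself, and this only shows why a relay would otherwise have to rewrite each packet per client.

```python
"""Classify a sniffed IPv4/UDP datagram's destination and show what a
broadcast-to-unicast rewrite entails. Added example; all addresses and
payloads below are constructed, not taken from the original posts."""
import ipaddress
import struct

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header (0 if header verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 (no options) + UDP datagram. UDP checksum is left 0 (optional on IPv4)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Decode the fields Wireshark would show; rejects non-IPv4, non-UDP or corrupt headers."""
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _ck, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17:
        raise ValueError("not UDP")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    sport, dport, ulen, _uck = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "sport": sport, "dport": dport, "payload": pkt[ihl + 8:ihl + ulen]}


def classify_destination(dst: str, local_nets) -> str:
    """limited-broadcast: never forwarded by any router (RFC 919/922).
    directed-broadcast: the broadcast address of one of local_nets; routers drop
    these by default (RFC 2644), so it stays in its own broadcast domain.
    unicast: routable, and the only form a remote VPN client can be sent."""
    addr = ipaddress.IPv4Address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    for net in local_nets:
        if addr == ipaddress.IPv4Network(net, strict=False).broadcast_address:
            return "directed-broadcast"
    return "unicast"


def rewrite_to_unicast(pkt: bytes, client_ip: str) -> bytes:
    """What a relay must do per client: swap the destination and recompute the
    IPv4 header checksum. If the UDP checksum were non-zero it would have to be
    recomputed as well, since its pseudo-header covers the destination address."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[16:20] = ipaddress.IPv4Address(client_ip).packed
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def demo() -> dict:
    """Constructed price-feed datagram from a LAN server to 255.255.255.255,
    classified, then rewritten for one hypothetical VPN client."""
    pkt = build_udp_datagram("10.10.10.5", "255.255.255.255", 5000, 5000, b"TICK XYZ 101.25")
    seen = parse_ipv4_udp(pkt)
    relayed = parse_ipv4_udp(rewrite_to_unicast(pkt, "172.16.20.7"))
    return {"seen": seen, "class": classify_destination(seen["dst"], ["192.168.0.0/16"]),
            "relayed_dst": relayed["dst"], "relayed_class": classify_destination(relayed["dst"], ["192.168.0.0/16"])}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it against a real capture by feeding `parse_ipv4_udp` the IP payload of a frame exported from Wireshark: if `classify_destination` returns `limited-broadcast` the FortiGate is behaving as the reply says it must, and no policy or broadcast-forward setting will push that packet into the tunnel.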
Hi,
any updates since then?
I am asking because I am stuck with a similar issue. I am using an application related to the stock exchange and having the same problem: I can log in through the IPsec VPN but cannot get the stock market prices/updates.
If you achieved it, please let me know.
We are using a FortiGate 600C and found another link: https://kb.fortinet.com/kb/documentLink.do?externalID=FD36040
Let me check if it works until your reply.
Thanks
Rohit
Copyright 2024 Fortinet, Inc. All Rights Reserved.