dkochhar
Article Id 276093
Description This article describes how to set up multicast over a GRE tunnel with PIM dense mode.
Scope FortiGate.
Solution

This article demonstrates an example of multicast over a GRE tunnel with PIM dense mode.


The following topology is used:

Machine 192.168.1.10 (sending multicast traffic) ---- FortiGate 1 ---- (GRE tunnel) ---- FortiGate 2 ---- Machine 192.168.3.1 (receiving multicast traffic)
Configuration on FortiGate 1:

For the GRE tunnel:

config system gre-tunnel
    edit "GRE_TUNNEL"
        set interface "port1"
        set remote-gw 5.6.7.8   <- The remote side IP.
        set local-gw 1.2.3.4
end

Assigning an IP to the tunnel interface in order to establish PIM neighborship:

config system interface
    edit "GRE_TUNNEL"
        set ip 10.1.1.1 255.255.255.255         <- The tunnel interface IP.
        set type tunnel
        set remote-ip 10.1.1.2 255.255.255.0    <- The remote side tunnel interface IP.
        set interface "port1"
end

Since multicast routing is being used, multicast forwarding should be disabled as follows:

config system settings
    set multicast-forward disable
end

 

For the multicast configuration:

Note: Both interfaces have to take part in the multicast neighborship (incoming interface and outgoing interface).

config router multicast
    set multicast-routing enable
    config interface
        edit "port3"        <- Local interface.
            set pim-mode dense-mode
        next
        edit "GRE_TUNNEL"   <- Tunnel interface.
            set pim-mode dense-mode
        next
    end
end

Screenshot from the GUI:

Multicast.png

 

Creating the multicast policies:

config firewall multicast-policy
    edit 1
        set name "Multicast_Outbound"   <- Outbound policy.
        set srcintf "port3"
        set dstintf "GRE_TUNNEL"
        set srcaddr "all"
        set dstaddr "all"
    next
end

config firewall multicast-policy
    edit 2
        set name "Multicast_Inbound"    <- Inbound policy.
        set srcintf "GRE_TUNNEL"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
    next
end

Configuration on FortiGate 2:

For the GRE tunnel:

config system gre-tunnel
    edit "GRE_TUNNEL"
        set interface "port1"
        set remote-gw 1.2.3.4   <- The remote side IP.
        set local-gw 5.6.7.8
end

Assigning an IP to the tunnel interface in order to establish PIM neighborship:

config system interface
    edit "GRE_TUNNEL"
        set ip 10.1.1.2 255.255.255.255         <- The tunnel interface IP.
        set type tunnel
        set remote-ip 10.1.1.1 255.255.255.0    <- The remote side tunnel interface IP.
        set interface "port1"
end

Since multicast routing is being used, multicast forwarding should again be disabled as follows:

config system settings
    set multicast-forward disable
end

For the multicast configuration:

Note: Both interfaces must take part in the multicast neighborship (incoming interface and outgoing interface).

config router multicast
    set multicast-routing enable
    config interface
        edit "GRE_TUNNEL"   <- Tunnel interface.
            set pim-mode dense-mode
        next
        edit "port3"        <- Local interface.
            set pim-mode dense-mode
        next
    end
end

Screenshot from the GUI:

 

Multicast.png

 

Multicast firewall policy:

config firewall multicast-policy
    edit 2
        set name "Multicast_Inbound"
        set srcintf "GRE_TUNNEL"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
    next
end

A static route is needed to send the traffic via the GRE tunnel (when dynamic routing is not used; if the GRE tunnel was configured over an IPsec tunnel, the traffic is routed via the underlying IPsec tunnel instead):

config router static
    edit 1
        set device GRE_TUNNEL
        set dst 192.168.1.10 255.255.255.255    <- 192.168.3.1 on the other side.
    next
    edit 2
        set device GRE_TUNNEL
        set dst 1.2.3.4 255.255.255.255
    next
end

Command to check whether the neighborship is active:

get router info multicast pim dense-mode neighbour

Neighbor.png

Once the neighborship is up, multicast traffic should pass through the GRE tunnel, as seen in the packet capture below (ingress on port3, egress on GRE_TUNNEL):

 

2023-09-26 13:14:52.200146 port3 in 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:14:52.200180 GRE_TUNNEL out 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:14:57.280430 port3 in 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:14:57.280466 GRE_TUNNEL out 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
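To turn a capture like the one above into a pass/fail check, the following added Python example (not part of the article or FortiOS) parses sniffer lines in this format and pairs each multicast packet that entered on port3 with a matching packet leaving GRE_TUNNEL, reporting any that were received but never forwarded. The sample input is constructed from the lines above plus one extra packet that is never forwarded.

```python
import re

# Constructed sample: the two forwarded packets from the article plus a
# third that arrives on port3 but never leaves the GRE tunnel.
SAMPLE = """\
2023-09-26 13:14:52.200146 port3 in 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:14:52.200180 GRE_TUNNEL out 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:14:57.280430 port3 in 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:14:57.280466 GRE_TUNNEL out 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
2023-09-26 13:15:02.310001 port3 in 192.168.1.10.55254 -> 224.2.2.2.8910: udp 1000
"""

# One sniffer line: date, time, interface, direction, src.port -> dst.port: proto len
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+) (?P<len>\d+)$"
)

def parse(text):
    """Return a list of dicts, one per sniffer line that matches LINE_RE."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def is_multicast(ip):
    """IPv4 multicast is 224.0.0.0/4, i.e. first octet 224..239."""
    return 224 <= int(ip.split(".")[0]) <= 239

def check_forwarding(text, in_intf="port3", out_intf="GRE_TUNNEL"):
    """Count multicast packets seen entering in_intf that were (forwarded)
    or were not (dropped) later seen leaving out_intf with the same 5-tuple."""
    pending, forwarded = [], 0
    for rec in parse(text):
        if not is_multicast(rec["dst"]):
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["len"])
        if rec["intf"] == in_intf and rec["dir"] == "in":
            pending.append(key)
        elif rec["intf"] == out_intf and rec["dir"] == "out" and key in pending:
            pending.remove(key)
            forwarded += 1
    return forwarded, len(pending)

if __name__ == "__main__":
    fwd, dropped = check_forwarding(SAMPLE)
    print(f"forwarded={fwd} not_forwarded={dropped}")  # forwarded=2 not_forwarded=1
```

A non-zero "not_forwarded" count points at the PIM neighborship, the multicast policy or the RPF route rather than at the GRE tunnel itself.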