Configuring multicast forwarding
There is sometimes confusion between the terms forwarding and routing. These two functions should not take place at the same time. Multicast forwarding should be enabled when the FortiGate is in NAT mode and you want to forward multicast packets between multicast routers and receivers. However, this function should not be enabled when the FortiGate itself is operating as a multicast router. This includes instances where the FortiGate has an applicable routing protocol that uses multicast.
There are two steps to configure multicast forwarding: add multicast security policies, and enable multicast forwarding.
Multicast forwarding is enabled by default. If a FortiGate is operating in transparent mode, adding a multicast policy enables multicast forwarding. In NAT mode you must use the multicast-forward setting to enable or disable multicast forwarding.
When multicast-forward is enabled, the FortiGate forwards any multicast IP packet whose TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface, and decrements the TTL in the IP header by 1 (a packet that arrives with a TTL of 1 would expire on this hop and is not forwarded). Even though multicast packets are flooded to all interfaces, you must still add multicast policies to allow them through the FortiGate; without a matching policy they are dropped.
To enable multicast forwarding when using NAT mode:
config system settings
    set multicast-forward enable
end
You can use the multicast-ttl-notchange option so that the FortiGate does not decrement the TTL of forwarded multicast packets. Use this option only if packets are expiring before reaching the multicast router: the TTL decrement is what stops a multicast packet from circulating indefinitely if there is a forwarding loop, so leaving it unchanged should be a deliberate exception rather than a default.
To prevent the TTL for forwarded packets from being changed:
config system settings
    set multicast-ttl-notchange enable
end
In transparent mode, the FortiGate does not forward frames with multicast destination addresses until a multicast policy allows them. Multicast traffic used by routing protocols, streaming media, or other multicast applications may need to traverse the FortiGate, and the FortiGate should not interfere with it. To avoid problems in transmission without bypassing inspection, disable multicast-skip-policy (so that multicast traffic is subject to policy checks) and configure multicast security policies that allow only the required groups and interfaces.
To disable multicast traffic from passing through the FortiGate without a policy check:
config system settings
    set multicast-skip-policy disable
end
Multicast packets require multicast policies to allow packets to pass from one interface to another. Similar to firewall policies, in a multicast policy you specify the source and destination interfaces and, optionally, the allowed address ranges for the source and destination addresses of the packets. You can also use multicast policies to configure source NAT and destination NAT for multicast packets.
Keep the following in mind when configuring multicast policies:
- When SNAT is enabled, the source IP address of matched forwarded (outgoing) multicast packets is changed to the configured snat-ip address.
- The source and destination interfaces are optional. If left unset, the multicast will be forwarded to all interfaces.
- The source and destination addresses are optional. If left unset, all addresses will be used.
- The SNAT setting is optional. Use it when SNAT is needed.
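The forwarding rules above (TTL of 2 or higher, decrement by 1 unless multicast-ttl-notchange, flood to every interface except the ingress one, multicast-skip-policy, and policy matching with optional interfaces, address ranges and SNAT) are easier to reason about as a small reference model. The following is an added example, not FortiOS code: it models the behaviour the page describes so you can predict which interfaces a given packet will leave on and with what source address and TTL. The interface names, the policy, and the packets are constructed sample data modelled on the detailed policy later on this page; the per-egress first-match evaluation is an assumption of the model, not a documented FortiOS internal.

```python
"""Reference model of the FortiGate multicast forwarding rules described
above (an added example, not FortiOS code). Interface names, addresses and
packets are constructed sample data."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Packet:
    src: str      # source IP
    dst: str      # multicast group
    ttl: int
    ingress: str  # interface the packet arrived on


@dataclass
class MulticastPolicy:
    """One 'config firewall multicast-policy' entry; None means unset (any)."""
    action: str = "accept"
    srcintf: Optional[str] = None
    dstintf: Optional[str] = None
    srcaddr: Optional[tuple] = None   # (start_ip, end_ip), inclusive
    dstaddr: Optional[tuple] = None   # (start_ip, end_ip) of a multicast-address object
    snat_ip: Optional[str] = None     # set when 'set snat enable' and 'set snat-ip'


@dataclass
class SystemSettings:
    """The three 'config system settings' options the page discusses."""
    multicast_forward: bool = True
    multicast_ttl_notchange: bool = False
    multicast_skip_policy: bool = False


def in_range(addr: str, rng: Optional[tuple]) -> bool:
    """An unset address object matches everything, as the page states."""
    if rng is None:
        return True
    return IPv4Address(rng[0]) <= IPv4Address(addr) <= IPv4Address(rng[1])


def policy_matches(pol: MulticastPolicy, pkt: Packet, egress: str) -> bool:
    return ((pol.srcintf is None or pol.srcintf == pkt.ingress)
            and (pol.dstintf is None or pol.dstintf == egress)
            and in_range(pkt.src, pol.srcaddr)
            and in_range(pkt.dst, pol.dstaddr))


def forward(pkt: Packet, interfaces: list, settings: SystemSettings,
            policies: list) -> dict:
    """Return {egress interface: packet as sent} for one received packet."""
    out = {}
    if not settings.multicast_forward or not IPv4Address(pkt.dst).is_multicast:
        return out
    if pkt.ttl < 2:   # TTL 1 would expire on this hop, so it is not forwarded
        return out
    new_ttl = pkt.ttl if settings.multicast_ttl_notchange else pkt.ttl - 1
    for egress in interfaces:
        if egress == pkt.ingress:   # never sent back out the receiving interface
            continue
        src = pkt.src
        if not settings.multicast_skip_policy:
            match = next((p for p in policies if policy_matches(p, pkt, egress)), None)
            if match is None or match.action != "accept":
                continue   # no accepting policy for this egress: dropped
            if match.snat_ip:
                src = match.snat_ip   # SNAT applies to the forwarded copy only
        out[egress] = Packet(src, pkt.dst, new_ttl, pkt.ingress)
    return out


# Constructed sample: internal -> external, host 192.168.5.18 to the group
# range 239.168.4.0-255, SNAT to 192.168.18.10, on a box that also has 'dmz'.
SAMPLE_INTERFACES = ["internal", "external", "dmz"]
SAMPLE_POLICIES = [MulticastPolicy(srcintf="internal", dstintf="external",
                                   srcaddr=("192.168.5.18", "192.168.5.18"),
                                   dstaddr=("239.168.4.0", "239.168.4.255"),
                                   snat_ip="192.168.18.10")]
SAMPLE_PACKET = Packet("192.168.5.18", "239.168.4.10", ttl=5, ingress="internal")


def demo() -> dict:
    """Run the sample packet through three settings variants."""
    return {
        "default": forward(SAMPLE_PACKET, SAMPLE_INTERFACES, SystemSettings(), SAMPLE_POLICIES),
        "ttl1": forward(Packet("192.168.5.18", "239.168.4.10", 1, "internal"),
                        SAMPLE_INTERFACES, SystemSettings(), SAMPLE_POLICIES),
        "skip_policy": forward(SAMPLE_PACKET, SAMPLE_INTERFACES,
                               SystemSettings(multicast_skip_policy=True,
                                              multicast_ttl_notchange=True),
                               SAMPLE_POLICIES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, {ifc: (p.src, p.ttl) for ifc, p in result.items()})
```

With the default settings the sample packet leaves only on external, with its source rewritten to 192.168.18.10 and its TTL reduced from 5 to 4; the same packet with TTL 1 goes nowhere; and with multicast-skip-policy enabled it is flooded to external and dmz unchanged, which is why that option should stay disabled in NAT mode. To confirm the real device behaves the same way, send a probe to the group with a TTL of 2 from a host on the ingress interface and capture on the egress side; a TTL of 1 in the probe should not cross the FortiGate.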
Sample basic policy
In this basic policy, multicast packets received on an interface are flooded unconditionally to all interfaces on the forwarding domain, except the incoming interface.
config firewall multicast-policy
    edit 1
        set action accept
    next
end
Sample policy with specific source and destination interfaces
This multicast policy only applies to packets that arrive on the source interface wan1 and leave through the destination interface internal.
config firewall multicast-policy
    edit 1
        set srcintf wan1
        set dstintf internal
        set action accept
    next
end
Sample policy with specific source address object
In this policy, packets are allowed to flow from wan1 to internal only when sourced by the address 172.20.120.129, which is represented by the example_addr-1 address object (a firewall address object that must already exist).
config firewall multicast-policy
    edit 1
        set srcintf wan1
        set srcaddr example_addr-1
        set dstintf internal
        set action accept
    next
end
Sample detailed policy
This policy accepts multicast packets that are sent from a PC with IP address 192.168.5.18 to the destination address range 239.168.4.0-255. The policy allows the multicast packets to enter the internal interface and then exit the external interface. When the packets leave the external interface, their source address is translated to 192.168.18.10. The source is a firewall address object and the destination is a firewall multicast-address object, both created before the policy references them.
config firewall address
    edit "192.168.5.18"
        set subnet 192.168.5.18 255.255.255.255
    next
end
config firewall multicast-address
    edit "239.168.4.0"
        set start-ip 239.168.4.0
        set end-ip 239.168.4.255
    next
end
config firewall multicast-policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "192.168.5.18"
        set dstaddr "239.168.4.0"
        set snat enable
        set snat-ip 192.168.18.10
    next
end
To configure multicast policies in the GUI, enable Multicast Policy in System > Feature Visibility.