
Administration Guide

Configuring multicast forwarding

There is sometimes confusion between the terms forwarding and routing. These two functions should not take place at the same time. Multicast forwarding should be enabled when the FortiGate is in NAT mode and you want to forward multicast packets between multicast routers and receivers. However, this function should not be enabled when the FortiGate itself is operating as a multicast router, or has an applicable routing protocol that uses multicast.

Multicast forwarding is not supported on enhanced MAC VLAN interfaces. To use multicast with enhanced MAC VLAN interfaces, use PIM (Multicast routing and PIM support).

There are two steps to configure multicast forwarding:

  1. Enabling multicast forwarding

  2. Configuring multicast policies

Enabling multicast forwarding

Multicast forwarding is enabled by default. If a FortiGate is operating in transparent mode, adding a multicast policy enables multicast forwarding. In NAT mode you must use the multicast-forward setting to enable or disable multicast forwarding.

Multicast forwarding in NAT mode

When multicast-forward is enabled, the FortiGate forwards any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces, except the receiving interface. The TTL in the IP header will be reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add multicast policies to allow multicast packets through the FortiGate.

To enable multicast forwarding in NAT mode:
config system settings
    set multicast-forward enable
end

Prevent the TTL for forwarded packets from being changed

You can use the multicast-ttl-notchange option so that the FortiGate does not change the TTL value of forwarded multicast packets. Use this option only if packets are expiring before reaching the multicast router.

To prevent the TTL for forwarded packets from being changed:
config system settings
    set multicast-ttl-notchange enable
end

Disable multicast traffic from passing through the FortiGate without a policy check in transparent mode

In transparent mode, the FortiGate does not forward frames with multicast destination addresses. The FortiGate should not interfere with the multicast traffic used by routing protocols, streaming media, or other multicast communication. To have that traffic checked against multicast security policies instead of passing through without a policy check, disable multicast-skip-policy and configure multicast security policies.

To disable multicast traffic from passing through the FortiGate without a policy check in transparent mode:
config system settings
    set multicast-skip-policy disable
end

Configuring multicast policies

Multicast packets require multicast policies to allow packets to pass from one interface to another. Similar to firewall policies, in a multicast policy you specify the source and destination interfaces, and the allowed address ranges for the source and destination addresses of the packets. You can also use multicast policies to configure source NAT and destination NAT for multicast packets.

Keep the following in mind when configuring multicast policies:

  • When SNAT is configured, the source IP address of matched forwarded (outgoing) multicast packets is changed to the configured snat-ip address.

  • The snat setting is optional. Use it when SNAT is needed.

IPv4 and IPv6 multicast policies can be configured in the GUI. Go to System > Feature Visibility, and enable Multicast Policy and IPv6.

Sample basic policy

In this basic policy, multicast packets received on an interface are flooded unconditionally to all interfaces on the forwarding domain, except the incoming interface.

The destination address (dstaddr) is a multicast address object. The all option corresponds to all multicast addresses in the range 224.0.0.0-239.255.255.255.

To configure the multicast policy in the CLI:
config firewall multicast-policy
    edit 1
        set name "basic"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
    next
end
To configure the multicast policy in the GUI:
  1. Go to Policy & Objects > Multicast Policy and click Create New.

  2. Enter the required information:

     Name: basic
     Incoming Interface: any
     Outgoing Interface: any
     Source Address: all
     Destination Address: all

  3. Click OK.

Sample policy with specific source and destination interfaces

This multicast policy only applies to packets received on the source interface wan1 and leaving through the destination interface internal.

To configure the multicast policy in the CLI:
config firewall multicast-policy
    edit 1
        set name "SrcDst"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
    next
end
To configure the multicast policy in the GUI:
  1. Go to Policy & Objects > Multicast Policy and click Create New.

  2. Enter the required information:

     Name: SrcDst
     Incoming Interface: wan1
     Outgoing Interface: internal
     Source Address: all
     Destination Address: all

  3. Click OK.

Sample policy with specific source address object

In this policy, packets are allowed to flow from wan1 to internal only when they are sourced from the address 172.20.120.129, which is represented by the example_addr-1 address object.

To configure the multicast policy in the CLI:
config firewall multicast-policy
    edit 1
        set name "SrcAdd"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "example_addr-1"
        set dstaddr "all"
    next
end
To configure the multicast policy in the GUI:
  1. Go to Policy & Objects > Multicast Policy and click Create New.

  2. Enter the required information:

     Name: SrcAdd
     Incoming Interface: wan1
     Outgoing Interface: internal
     Source Address: example_addr-1
     Destination Address: all

  3. Click OK.

Sample detailed policy

This policy accepts multicast packets that are sent from a PC with IP address 192.168.5.18 to the destination address range 239.168.4.0-239.168.4.255. The policy allows the multicast packets to enter the internal interface and then exit the external interface. When the packets leave the external interface, their source address is translated to 192.168.18.10.

config firewall address
    edit "192.168.5.18"
        set subnet 192.168.5.18 255.255.255.255
    next
end
config firewall multicast-address
    edit "239.168.4.0"
        set start-ip 239.168.4.0
        set end-ip 239.168.4.255
    next
end
config firewall multicast-policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "192.168.5.18"
        set dstaddr "239.168.4.0"
        set snat enable
        set snat-ip 192.168.18.10
    next
end
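As an added illustration (not FortiOS code or the guide's own), the following Python model applies the NAT-mode forwarding rule described earlier (TTL of 2 or higher, decremented by 1 unless multicast-ttl-notchange is set, flooded to every interface except the receiving one) and then the sample detailed policy's match and SNAT to a constructed packet. The dict layout, the interface list and the first-match-wins ordering are assumptions made for the model.

```python
import ipaddress

# Constructed objects mirroring the "Sample detailed policy" above (assumed layout).
ADDRESSES = {"192.168.5.18": ipaddress.ip_network("192.168.5.18/32")}
MCAST_ADDRESSES = {"239.168.4.0": ("239.168.4.0", "239.168.4.255")}
ALL_MCAST = ("224.0.0.0", "239.255.255.255")  # the "all" multicast object

POLICIES = [
    {"srcintf": "internal", "dstintf": "external",
     "srcaddr": "192.168.5.18", "dstaddr": "239.168.4.0",
     "snat": True, "snat_ip": "192.168.18.10"},
]


def in_range(ip, rng):
    lo, hi = (ipaddress.ip_address(x) for x in rng)
    return lo <= ipaddress.ip_address(ip) <= hi


def src_matches(ip, name):
    return name == "all" or ipaddress.ip_address(ip) in ADDRESSES[name]


def dst_matches(ip, name):
    return in_range(ip, ALL_MCAST if name == "all" else MCAST_ADDRESSES[name])


def forward(pkt, interfaces, policies=POLICIES,
            multicast_forward=True, ttl_notchange=False):
    """Model of NAT-mode multicast forwarding. Returns {egress_if: (src_ip, ttl)}.
    Packets with TTL < 2 are dropped; TTL is decremented by 1 unless
    multicast-ttl-notchange is enabled; every interface except the receiving one
    is a candidate egress, but a packet only leaves where a multicast policy
    matches, and SNAT rewrites the source to snat-ip on that egress."""
    if not multicast_forward or pkt["ttl"] < 2 or not in_range(pkt["dst"], ALL_MCAST):
        return {}
    ttl = pkt["ttl"] if ttl_notchange else pkt["ttl"] - 1
    out = {}
    for egress in interfaces:
        if egress == pkt["in_if"]:
            continue
        for p in policies:  # assumption: first matching policy wins
            if p["srcintf"] not in ("any", pkt["in_if"]) or p["dstintf"] not in ("any", egress):
                continue
            if not (src_matches(pkt["src"], p["srcaddr"]) and dst_matches(pkt["dst"], p["dstaddr"])):
                continue
            out[egress] = (p["snat_ip"] if p.get("snat") else pkt["src"], ttl)
            break
    return out
```
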
To configure multicast policies in the GUI, enable Multicast Policy in System > Feature Visibility.

Using multi-VDOM mode

When using multi-VDOM mode, avoid creating a multicast network loop with an all-to-all multicast policy. By default, on models that support NPU virtual links, changing vdom-mode to multi-vdom creates a pair of npu0_vlink0 and npu0_vlink1 interfaces in the same root VDOM. Because these npu0_vlink interfaces are virtually connected to each other, an all-to-all multicast policy floods multicast packets out one of them and receives them back on the other, forming a multicast network loop.

Therefore, when using multi-VDOM mode:

  1. Ensure there is no existing all-to-all multicast policy before changing to multi-VDOM mode.

  2. If an all-to-all multicast policy must be defined, ensure that no two connected interfaces (such as npu0_vlink0 and npu0_vlink1) belong in the same VDOM.

This configuration will result in a multicast loop:
config system global
    set vdom-mode multi-vdom
end
config firewall multicast-policy
    edit 1
        set logtraffic enable
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
    next
end
show system interface
config system interface
    edit "npu0_vlink0"
        set vdom "root"
        set type physical
    next
    edit "npu0_vlink1"
        set vdom "root"
        set type physical
    next
end
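As an added pre-change check (example code, not FortiOS or the guide's own), this Python snippet parses a "config system interface" listing like the one above and reports which virtually connected interface pairs would form a loop under an all-to-all multicast policy, which is the condition step 2 above tells you to avoid. The listing is constructed from the page, and the list of connected pairs is an assumption (the page names only the npu0_vlink0/npu0_vlink1 pair).

```python
import re

# Constructed sample in the format of the "show system interface" output above.
SHOW_INTERFACE = """config system interface
    edit "npu0_vlink0"
        set vdom "root"
        set type physical
    next
    edit "npu0_vlink1"
        set vdom "root"
        set type physical
    next
end"""

# Assumed: the interface pairs that are virtually connected to each other.
CONNECTED_PAIRS = [("npu0_vlink0", "npu0_vlink1")]


def parse_interface_vdoms(text):
    """Map interface name -> VDOM name (None if no 'set vdom' line) from a
    'config system interface' listing."""
    vdoms = {}
    for block in re.finditer(r'edit "([^"]+)"(.*?)next', text, re.S):
        name, body = block.group(1), block.group(2)
        m = re.search(r'set vdom "([^"]+)"', body)
        vdoms[name] = m.group(1) if m else None
    return vdoms


def is_all_to_all(policy):
    return policy["srcintf"] == "any" and policy["dstintf"] == "any"


def multicast_loop_risks(policies, vdoms, pairs=CONNECTED_PAIRS):
    """Return the connected interface pairs that would form a multicast loop:
    an all-to-all multicast policy exists and both ends of a virtual link sit
    in the same VDOM, so traffic flooded out one end re-enters on the other."""
    if not any(is_all_to_all(p) for p in policies):
        return []
    return [(a, b) for a, b in pairs
            if vdoms.get(a) is not None and vdoms.get(a) == vdoms.get(b)]
```

Run the check against the current multicast policies and the real interface listing before changing vdom-mode; an empty result means step 1 is satisfied.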
