FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
cgustave
Staff
Staff
Article Id 198103

Purpose
This document provides an example of how to configure the FortiGate to route "Wake On Lan magic packet". This example is based on broadcast type of Wake On Lan "magic packet".

Wake On Lan basics

The idea of Wake On Lan (WOL) is to trigger the "wake up" (boot-up) of a device from the LAN via a specific Ethernet packet called 'Magic Packet'. This requires the PC network interface and BIOS to support WOL. There are different types of Magic Packets that can be used depending on the NIC manufacturer and driver. In some cases, a unicast destination IP can be used which makes the routing straight forward, however most generally the destination MAC of the magic packet must be a broadcast which causes a routing problem. This is the particular case which is discussed here.
Scope
All FortiGate units in NAT/Route mode

Diagram
****************
* PC to wakeup *
****************
    | .18  
    |
    |  10.199.3.0/28
    |
    | .17
(internal)
**********
* FWF60A *
**********
  (dmz)
    | .33
    |
    |  10.199.3.32/28
    |
    | .34
***********************************
* Server sending WOL Magic packet *
***********************************


Expectations, Requirements

Expectations

- "Server" sends a Wake On Lan Magic Packet to "PC to wake up".
- The WOL packet is received from the FortiGate DMZ and routed to "PC to wakeup" as an Ethernet broadcast.
- Packet is received from "PC to wake up" network interface and triggers the Wake on Lan startup.

Solution principle

The main problem is to get the magic packet forwarded as a broadcast once routed  to get it recognized by the PC NIC. For this, we use a different IP address for the magic packet to reach the PC than the main PC IP address (choose an IP address not used on the PC subnet). Forwarding the packet as a broadcast is achieved with a static ARP entry with mac FF:FF:FF:FF:FF:FF.

Note : using the PC IP (instead of another IP) in the static ARP entry would work to wake the PC up, but this may break other traffic destined to the PC.





Configuration
FortiGate relevant configuration extract

config system interface
    edit "internal"
        set vdom "root"
        set ip 10.199.3.17 255.255.255.240
        set allowaccess ping https ssh
        set type physical
    next
    edit "dmz"
        set vdom "root"
        set ip 10.199.3.33 255.255.255.240
        set allowaccess ping
        set type physical
    next
end

config firewall address
    edit "backup_server"
        set subnet 10.199.3.18 255.255.255.255
    next
    edit "NAS"
        set subnet 10.199.3.34 255.255.255.255
    next
    edit "wol-ip-backup-server"
        set associated-interface "internal"
        set subnet 10.199.3.19 255.255.255.255
    next
end


config firewall policy
    edit 31                                      #1
        set srcintf "dmz"
        set dstintf "internal"
            set srcaddr "NAS"
            set dstaddr "wol-ip-backup-server"
        set action accept
        set schedule "always"
            set service "ANY"
    next
    edit 28
        set srcintf "dmz"                       #2
        set dstintf "internal"
            set srcaddr "NAS"
            set dstaddr "backup_server"
        set action accept
        set schedule "always"
            set service "ANY"
    next
end

config system arp-table
    edit 1                                       #3
        set interface "internal"
        set ip 10.199.3.18
        set mac 00:11:d8:12:89:17
    next
    edit 2
        set interface "internal"
        set ip 10.199.3.19
        set mac ff:ff:ff:ff:ff:ff
    next
end



#1 : Policy to allow the Wake On Lan "magic packet" using its dedicated IP
#2 : Policy to allow general traffic to the PC
#3 : Static ARP entry to force destination MAC for the magic packet to be a broadcast


Linux wakeonlan command line used in this example:

/usr/bin/wakeonlan -p 7 -i 10.199.3.19 17:89:12:d8:11:00

Note: In this example with 'wakeonlan', the MAC address required to build the magic packet has to be reversed compared to the PC real MAC address (00:11:d8:12:89:17)

For more information, please look at the linux man page

Verification
Generate the magic packet from the server and the PC should wake up.
Troubleshooting
Take a sniffer trace of  the magic packet on the FortiGate interfaces to make sure the packet is forwarded as a broadcast.

Internal interface sniffer trace:

FWF60A# diagnose sniffer packet internal '' 3
interfaces=[internal]
filters=[]
13.388587 10.199.3.34.32770 -> 10.199.3.19.7: udp 102
0x0000   ffff ffff ffff 0009 0f40 8c80 0800 4500        .........@....E.
0x0010   0082 0000 4000 3f11 1fa9 0ac7 0322 0ac7        ....@.?......"..
0x0020   0313 8002 0007 006e ad32 ffff ffff ffff        .......n.2......
0x0030   1789 12d8 1100 1789 12d8 1100 1789 12d8        ................
0x0040   1100 1789 12d8 1100 1789 12d8 1100 1789        ................
0x0050   12d8 1100 1789 12d8 1100 1789 12d8 1100        ................
0x0060   1789 12d8 1100 1789 12d8 1100 1789 12d8        ................
0x0070   1100 1789 12d8 1100 1789 12d8 1100 1789        ................
0x0080   12d8 1100 1789 12d8 1100 1789 12d8 1100        ................


==> see the destination MAC address is a broadcast FFFF FFFF FFFF

DMZ interface sniffer trace :

FWF60A# diagnose sniffer packet dmz '' 3
interfaces=[dmz]
filters=[]
9.388377 10.199.3.34.32770 -> 10.199.3.19.7: udp 102
0x0000   0009 0f40 8c81 0008 9bac a067 0800 4500        ...@.......g..E.
0x0010   0082 0000 4000 4011 1ea9 0ac7 0322 0ac7        ....@.@......"..
0x0020   0313 8002 0007 006e ad32 ffff ffff ffff        .......n.2......
0x0030   1789 12d8 1100 1789 12d8 1100 1789 12d8        ................
0x0040   1100 1789 12d8 1100 1789 12d8 1100 1789        ................
0x0050   12d8 1100 1789 12d8 1100 1789 12d8 1100        ................
0x0060   1789 12d8 1100 1789 12d8 1100 1789 12d8        ................
0x0070   1100 1789 12d8 1100 1789 12d8 1100 1789        ................
0x0080   12d8 1100 1789 12d8 1100 1789 12d8 1100        ................
Contributors