Created on 05-27-2009 10:05 AM Edited on 07-06-2022 09:23 AM By Anonymous
Purpose
This document provides an example of how to configure a FortiGate to route a Wake On Lan (WOL) "magic packet". The example covers the broadcast type of magic packet, which is the one that causes a routing problem.
The idea of Wake On Lan is to trigger the "wake up" (boot-up) of a device over the LAN with a specific Ethernet frame called the "magic packet". This requires the PC's network interface and BIOS to support WOL. Different types of magic packet exist, depending on the NIC manufacturer and driver. In some cases the magic packet can be sent to the PC's own unicast IP address, which makes routing straightforward. Most commonly, however, the NIC only recognises the magic packet when the destination MAC address of the frame is the Ethernet broadcast address (ff:ff:ff:ff:ff:ff), whereas a routed packet normally leaves the router with a unicast destination MAC. That particular case is the one discussed here.
Scope
All FortiGate units in NAT/Route mode
Diagram
****************
* PC to wakeup *
****************
| .18
|
| 10.199.3.0/28
|
| .17
(internal)
**********
* FWF60A *
**********
(dmz)
| .33
|
| 10.199.3.32/28
|
| .34
***********************************
* Server sending WOL Magic packet *
***********************************
Expectations, Requirements
- "Server" sends a Wake On Lan magic packet to "PC to wake up".
- The WOL packet is received on the FortiGate dmz interface and routed out of the internal interface to "PC to wake up" as an Ethernet broadcast.
- The packet is received by the network interface of "PC to wake up" and triggers the Wake On Lan start-up.
The main problem is to get the magic packet forwarded as an Ethernet broadcast after it has been routed, so that the PC NIC recognises it. To do this, the magic packet is sent to a dedicated IP address on the PC subnet, different from the PC's main IP address (choose an address that is not used by any host on that subnet). The FortiGate is then forced to send that IP address as a broadcast with a static ARP entry mapping it to the MAC address ff:ff:ff:ff:ff:ff.
Note: using the PC's own IP address (instead of a dedicated one) in the broadcast static ARP entry would also wake the PC up, but every other packet to the PC would then be broadcast as well, which may break other traffic destined to the PC.
Configuration
FortiGate relevant configuration extract
config system interface
    edit "internal"
        set vdom "root"
        set ip 10.199.3.17 255.255.255.240
        set allowaccess ping https ssh
        set type physical
    next
    edit "dmz"
        set vdom "root"
        set ip 10.199.3.33 255.255.255.240
        set allowaccess ping
        set type physical
    next
end
config firewall address
    edit "backup_server"
        set subnet 10.199.3.18 255.255.255.255
    next
    edit "NAS"
        set subnet 10.199.3.34 255.255.255.255
    next
    edit "wol-ip-backup-server"
        set associated-interface "internal"
        set subnet 10.199.3.19 255.255.255.255
    next
end
config firewall policy
    edit 31                                   #1
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "NAS"
        set dstaddr "wol-ip-backup-server"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 28                                   #2
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "NAS"
        set dstaddr "backup_server"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
config system arp-table
    edit 1
        set interface "internal"
        set ip 10.199.3.18
        set mac 00:11:d8:12:89:17
    next
    edit 2                                    #3
        set interface "internal"
        set ip 10.199.3.19
        set mac ff:ff:ff:ff:ff:ff
    next
end
#1 : Policy allowing the Wake On Lan magic packet from the server to the dedicated WOL IP. The example uses service ANY; since everything this policy accepts is emitted as an Ethernet broadcast on the internal segment, restricting the service to the UDP port the sender uses (7 in this example) is the safer choice.
#2 : Policy allowing general traffic from the server to the PC's real IP.
#3 : Static ARP entry mapping the dedicated WOL IP (10.199.3.19) to the broadcast MAC, which forces the destination MAC of the magic packet to be ff:ff:ff:ff:ff:ff. Entry 1 is an ordinary static ARP entry for the PC's real IP and MAC, used by traffic matching policy #2.
Linux wakeonlan command line used in this example:
/usr/bin/wakeonlan -p 7 -i 10.199.3.19 17:89:12:d8:11:00
Note: in this example the MAC address given to 'wakeonlan' to build the magic packet had to be the PC's real MAC address (00:11:d8:12:89:17) with its bytes in reverse order (17:89:12:d8:11:00); the sniffer traces in the Troubleshooting section show this reversed MAC repeated in the payload. Which byte order a given NIC accepts depends on the NIC and driver (see Purpose), so if the PC does not wake up, verify the payload with a sniffer trace.
For more information, see the Linux man page for wakeonlan(1).
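The magic packet can also be built and sent without the 'wakeonlan' tool. The Python below is an example added to this article (it is not Fortinet or wakeonlan code) and assumes the values used above: the dedicated WOL IP 10.199.3.19, UDP port 7, and the PC MAC 00:11:d8:12:89:17. It shows the packet layout (6 bytes of 0xFF followed by the MAC repeated 16 times, 102 bytes in total) and the byte-reversed MAC variant this example needed. Because the IP destination is unicast, no broadcast socket option is required; the FortiGate turns the frame into a broadcast on the internal segment through the static ARP entry.

```python
"""Build and send a Wake-on-LAN magic packet to a unicast IP.

Example added for this article; it is not the wakeonlan tool and assumes the
article's addresses (WOL IP 10.199.3.19, UDP port 7, PC MAC 00:11:d8:12:89:17).
"""
import socket

WOL_PORT = 7  # same port as '-p 7' in the wakeonlan command above


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:d8:12:89:17, 00-11-d8-12-89-17 or 0011d8128917 and return 6 bytes."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def reverse_mac(mac: str) -> str:
    """Byte-reverse a MAC: 00:11:d8:12:89:17 -> 17:89:12:d8:11:00 (the order
    the NIC in this article's example expected)."""
    return ":".join(f"{b:02x}" for b in parse_mac(mac)[::-1])


def build_magic_packet(mac: str) -> bytes:
    """6 x 0xFF synchronisation stream followed by the MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def send_magic_packet(mac: str, target_ip: str, port: int = WOL_PORT,
                      broadcast: bool = False) -> int:
    """Send the magic packet as one UDP datagram and return the bytes sent.

    target_ip is the dedicated WOL address (10.199.3.19 here), a unicast IP
    that the FortiGate routes and then emits with a broadcast destination MAC.
    SO_BROADCAST is only needed if you send to an IP broadcast address instead.
    """
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if broadcast:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (target_ip, port))


if __name__ == "__main__":
    pc_mac = "00:11:d8:12:89:17"      # PC MAC from the static ARP entry above
    wol_mac = reverse_mac(pc_mac)     # 17:89:12:d8:11:00, as in the wakeonlan command
    print(f"sending magic packet for {wol_mac} to 10.199.3.19:{WOL_PORT}")
    send_magic_packet(wol_mac, "10.199.3.19")
```

Run it from the server on the dmz segment; policy #1 must accept UDP port 7 (or ANY, as in the extract) from the server to 10.199.3.19 for the packet to reach the internal segment.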
Verification
Send the magic packet from the server; the PC should wake up.
Troubleshooting
Take a sniffer trace of the magic packet on both FortiGate interfaces (verbosity 3 shows the Ethernet header) to make sure the packet leaves the internal interface as an Ethernet broadcast.
Internal interface sniffer trace:
FWF60A# diagnose sniffer packet internal '' 3
interfaces=[internal]
filters=[]
13.388587 10.199.3.34.32770 -> 10.199.3.19.7: udp 102
0x0000   ffff ffff ffff 0009 0f40 8c80 0800 4500   .........@....E.
0x0010   0082 0000 4000 3f11 1fa9 0ac7 0322 0ac7   ....@.?......"..
0x0020   0313 8002 0007 006e ad32 ffff ffff ffff   .......n.2......
0x0030   1789 12d8 1100 1789 12d8 1100 1789 12d8   ................
0x0040   1100 1789 12d8 1100 1789 12d8 1100 1789   ................
0x0050   12d8 1100 1789 12d8 1100 1789 12d8 1100   ................
0x0060   1789 12d8 1100 1789 12d8 1100 1789 12d8   ................
0x0070   1100 1789 12d8 1100 1789 12d8 1100 1789   ................
0x0080   12d8 1100 1789 12d8 1100 1789 12d8 1100   ................
==> the destination MAC address (first 6 bytes of the frame) is the broadcast address ffff ffff ffff, and the payload starts with ffff ffff ffff followed by the (reversed) MAC 1789 12d8 1100 repeated 16 times.
DMZ interface sniffer trace :
FWF60A# diagnose sniffer packet dmz '' 3
interfaces=[dmz]
filters=[]
9.388377 10.199.3.34.32770 -> 10.199.3.19.7: udp 102
0x0000   0009 0f40 8c81 0008 9bac a067 0800 4500   ...@.......g..E.
0x0010   0082 0000 4000 4011 1ea9 0ac7 0322 0ac7   ....@.@......"..
0x0020   0313 8002 0007 006e ad32 ffff ffff ffff   .......n.2......
0x0030   1789 12d8 1100 1789 12d8 1100 1789 12d8   ................
0x0040   1100 1789 12d8 1100 1789 12d8 1100 1789   ................
0x0050   12d8 1100 1789 12d8 1100 1789 12d8 1100   ................
0x0060   1789 12d8 1100 1789 12d8 1100 1789 12d8   ................
0x0070   1100 1789 12d8 1100 1789 12d8 1100 1789   ................
0x0080   12d8 1100 1789 12d8 1100 1789 12d8 1100   ................
==> on the dmz side the frame is a normal unicast frame to the FortiGate dmz interface MAC (0009 0f40 8c81); only after routing, on the internal side, is the destination MAC the broadcast address. The IP payload is identical on both sides (the TTL is decremented from 40 to 3f, as expected for a routed packet).
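Checking the dump by eye works for one packet; the Python below is an example added to this article (not FortiGate code) that rebuilds the raw frame from the verbosity-3 hex lines of the internal-interface trace above (copied in as the sample input), decodes the Ethernet, IPv4 and UDP headers, and reports whether the destination MAC is the broadcast address and which MAC the magic packet payload carries. The same function can be pointed at the dmz trace, where it reports a unicast destination MAC.

```python
"""Decode a FortiGate 'diagnose sniffer packet <if> '' 3' hex dump and check
that the frame is a broadcast Wake-on-LAN magic packet.

Example added for this article; it is not FortiGate code. The sample input is
the internal-interface trace shown in the Troubleshooting section.
"""
import re
import struct

# Copied from the internal interface sniffer trace above (verbosity 3).
INTERNAL_TRACE = """
0x0000   ffff ffff ffff 0009 0f40 8c80 0800 4500   .........@....E.
0x0010   0082 0000 4000 3f11 1fa9 0ac7 0322 0ac7   ....@.?......"..
0x0020   0313 8002 0007 006e ad32 ffff ffff ffff   .......n.2......
0x0030   1789 12d8 1100 1789 12d8 1100 1789 12d8   ................
0x0040   1100 1789 12d8 1100 1789 12d8 1100 1789   ................
0x0050   12d8 1100 1789 12d8 1100 1789 12d8 1100   ................
0x0060   1789 12d8 1100 1789 12d8 1100 1789 12d8   ................
0x0070   1100 1789 12d8 1100 1789 12d8 1100 1789   ................
0x0080   12d8 1100 1789 12d8 1100 1789 12d8 1100   ................
"""

OFFSET = re.compile(r"0x[0-9a-f]{4}")
HEXWORD = re.compile(r"(?:[0-9a-f]{2}){1,2}")


def parse_hex_dump(dump: str) -> bytes:
    """Rebuild the raw frame from '0xNNNN word word ...' lines.

    Each line carries up to 16 bytes as 4-hex-digit words; the trailing ASCII
    column is ignored. Offsets are checked so a missing line is detected.
    """
    frame = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not OFFSET.fullmatch(tokens[0]):
            continue
        if int(tokens[0], 16) != len(frame):
            raise ValueError(f"offset {tokens[0]} does not follow the previous line")
        for tok in tokens[1:9]:          # at most 8 words (16 bytes) per line
            if not HEXWORD.fullmatch(tok):
                break                    # reached the ASCII column
            frame += bytes.fromhex(tok)
    return bytes(frame)


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_magic_packet(payload: bytes):
    """Return the MAC a magic packet targets, or None if the payload is not a
    magic packet: 6 x 0xFF followed by one 6-byte MAC repeated 16 times."""
    if len(payload) != 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if any(payload[6 + 6 * i:12 + 6 * i] != mac for i in range(16)):
        return None
    return mac_str(mac)


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / UDP headers and inspect the WOL payload."""
    eth_dst, eth_src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not an IPv4 frame (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ttl, proto = ip[8], ip[9]
    if proto != 17:
        raise ValueError(f"not UDP (protocol {proto})")
    src_ip = ".".join(str(x) for x in ip[12:16])
    dst_ip = ".".join(str(x) for x in ip[16:20])
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    payload = ip[ihl + 8:ihl + ulen]
    return {
        "eth_dst": mac_str(eth_dst),
        "eth_src": mac_str(eth_src),
        "is_broadcast": eth_dst == b"\xff" * 6,
        "src": f"{src_ip}:{sport}",
        "dst": f"{dst_ip}:{dport}",
        "ttl": ttl,
        "wol_mac": parse_magic_packet(payload),   # None if not a magic packet
    }


def check_trace(dump: str = INTERNAL_TRACE) -> dict:
    return decode_frame(parse_hex_dump(dump))


if __name__ == "__main__":
    for key, value in check_trace().items():
        print(f"{key:13} {value}")
```

On the internal trace the result shows is_broadcast True and wol_mac 17:89:12:d8:11:00, which is the reversed MAC discussed in the Configuration section; if is_broadcast is False on the internal side, the static ARP entry for the WOL IP is missing or on the wrong interface.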