FortiGate
sagha, Staff
Article Id 198625

Description

This article describes how to configure Apple AirPrint between two subnets configured on different interfaces.

Scope

FortiGate.

Solution

Configuration.

1) Enable Multicast forwarding:

# config system settings
    set multicast-forward enable
end

2) Interface configuration:
Two different interfaces, each with its own IP address in a different subnet.

# config system interface
    edit "internal1"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm ftm
        set type physical
        set device-identification enable
        set device-identification-active-scan enable
    next
    edit "internal7"
        set vdom "root"
        set ip 192.168.2.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set device-identification enable
    next
end

3) Configuring Multicast Policies:

# config firewall multicast-policy
    edit 1
        set logtraffic enable
        set srcintf "internal1"
        set dstintf "internal7"
        set srcaddr "all"
        set dstaddr "Bonjour" "EIGRP" "OSPF"
        set protocol 17
        set end-port 5353
    next
    edit 2
        set logtraffic enable
        set srcintf "internal7"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "Bonjour" "EIGRP" "OSPF"
        set protocol 17
        set end-port 5353
    next
end

4) Check that multicast routing is disabled:

# config router multicast
    set multicast-routing disable
end

Note:
If multicast routing is enabled, the traffic is received on the internal1 interface but is not forwarded out of the internal7 interface.
The reason is that the destination IP of the packets received on the FortiGate is part of the 'Local Network Control Block', which by default is not forwarded out of an L3 interface.


A normal IPv4 firewall policy between these two interfaces is also required, because once the device has been discovered the traffic becomes unicast.
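As an added example (not part of the original article), the following is a least-privilege version of that IPv4 policy for the post-discovery unicast traffic. It assumes the AirPrint clients sit on internal1 and the printer on internal7, and restricts the service to IPP (TCP 631), which AirPrint uses for printing, instead of ALL; the service and policy names are placeholders.

```fortios
config firewall service custom
    edit "AirPrint-IPP"
        set tcp-portrange 631
    next
end
config firewall policy
    edit 0
        set name "AirPrint-unicast"
        set srcintf "internal1"
        set dstintf "internal7"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "AirPrint-IPP"
        set logtraffic all
    next
end
```

To confirm the mDNS discovery traffic from step 3 is actually crossing the interfaces, `diagnose sniffer packet any 'udp port 5353' 4 10` prints each captured packet together with its ingress and egress interface.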

Related article:

Technical Note : Extending AirPlay and AirPrint communication