Arshad Ali
2017/12/19 05:01:42 (permalink)

Unable to Forward Broadcast using Dialup IPSEC tunnel

Dear Concern,

We have a FortiGate 300C on which we are able to receive broadcasts on the physical interfaces from our server on specific UDP ports.

We have our clients connecting to us on our FortiGate via the public network (Internet). Clients connect to us over a dialup IPsec tunnel using FortiClient from their respective endpoints, and we want to forward the same broadcast information to them.

When the VPN is connected, the clients are not able to receive the real-time broadcast on their systems. When the same client IP is connected directly to the firewall without VPN, the broadcast starts forwarding, but on VPN the numbers are stuck unless we close the application on the client and restart it. Upon restart, the numbers that appear on the screen are different from the previous ones, which means the numbers have refreshed.

We have enabled broadcast-forward on the tunnel and physical interface but still no luck.

Please suggest any way we can receive the broadcast with dst IP 255.255.255.255 from application source IP x.x.x.x using a custom dialup user tunnel.
 
Regards,
Arshad
#1
Toshi Esumi
Re: Unable to Forward Broadcast using Dialup IPSEC tunnel 2017/12/19 12:58:26 (permalink)
If it's UDP packets for application updates, that's not broadcast. Instead, it's unicast from the server to the individual IP of the client. The problem is likely that you don't have a policy from the server/internal interface toward your SSL VPN interface. Any config examples for SSL VPN assume all sessions are from client to server over TCP, or out to in. They don't assume any random UDP packets toward the clients, or in to out.
#2
Arshad Ali
Re: Unable to Forward Broadcast using Dialup IPSEC tunnel 2017/12/19 23:22:22 (permalink)
UDP packets are forwarded from the application server to the client end to show real-time information on the application portal.

On VPN the application is logged in and we have no issues with application functionality, but the UDP broadcast is not becoming available.
Policies have been made, but we are still unable to find a way to transmit the broadcast on the dialup VPN (users connecting from the Internet) to allow real-time information visibility at the client end.

#3
Toshi Esumi
Re: Unable to Forward Broadcast using Dialup IPSEC tunnel 2017/12/20 08:51:02 (permalink)
I thought it was an SSL VPN, for which we fixed a similar problem before with UDP update packets from a server. If it's really an L2 broadcast like 192.168.255.255/16, it wouldn't be able to go over the boundary of a broadcast domain. Did you sniff it with Wireshark connected to the server's local network to see the actual packet header?
#4
Arshad Ali
Re: Unable to Forward Broadcast using Dialup IPSEC tunnel 2017/12/20 10:13:43 (permalink)
Yes, I have captured the packets with Wireshark, but it's showing the DST address of 255.255.255.255 from the source interface of the virtual IP. Please let me know: if I need to forward broadcast packets on a dialup VPN using a custom tunnel in FortiGate, connecting from the Internet, what is the way to do it? The broadcast should reach the physical interface of the system connected to the public network (the Internet), with the source IP that of the server and DST IP 255.255.255.255. Please suggest a configuration for it. The broadcast information is properly landing on the local interfaces of the firewall, but how can I forward the same on the interface with the Internet IP, where users connect to us via tunnel from the public network? Please suggest.
#5
Toshi Esumi
Re: Unable to Forward Broadcast using Dialup IPSEC tunnel 2017/12/20 22:22:10 (permalink) (marked helpful by Arshad Ali 2017/12/20 22:27:40)
No router, FortiGate included, ever forwards packets with the limited broadcast address, 255.255.255.255, as described in RFC 919 and 922. It's not a routable address, unlike 10.255.255.255 or 192.168.255.255.
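To make the distinction in this reply concrete, here is an added Python example (not from the thread, FortiClient or FortiGate) that classifies capture destinations as limited broadcast, directed broadcast, multicast or unicast and states whether a router would carry each across the tunnel. The packets, addresses and networks are constructed for illustration.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# Constructed sample of what a capture on the server's LAN might show.
# Addresses and ports are made up for illustration, not the poster's data.
SAMPLE_PACKETS = [
    {"src": "10.10.20.5", "dst": "255.255.255.255", "dport": 5000},  # limited broadcast
    {"src": "10.10.20.5", "dst": "10.10.20.255", "dport": 5000},     # subnet-directed broadcast
    {"src": "10.10.20.5", "dst": "10.255.255.255", "dport": 5000},   # /8-directed broadcast
    {"src": "10.10.20.5", "dst": "172.16.30.7", "dport": 5000},      # unicast to a VPN client
    {"src": "10.10.20.5", "dst": "239.1.1.1", "dport": 5000},        # multicast
]

def classify_destination(dst, known_nets):
    """Return 'limited-broadcast', 'directed-broadcast', 'multicast' or 'unicast'.
    known_nets lists the networks whose directed broadcast addresses we recognise."""
    addr = ipaddress.IPv4Address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if addr.is_multicast:
        return "multicast"
    for net in known_nets:
        if addr == ipaddress.IPv4Network(net).broadcast_address:
            return "directed-broadcast"
    return "unicast"

def forwarding_verdict(kind, directed_bcast_forward=False):
    """(crosses_router, reason) for a destination kind; the flag models an
    egress-interface directed-broadcast forwarding setting, off by default."""
    if kind == "limited-broadcast":
        return False, "never forwarded by any router (RFC 919/922)"
    if kind == "directed-broadcast":
        if directed_bcast_forward:
            return True, "routable; forwarded because directed-broadcast forwarding is on"
        return False, "routable, but directed-broadcast forwarding is off on egress"
    if kind == "multicast":
        return False, "needs multicast routing, not plain unicast routing"
    return True, "ordinary unicast: forwarded if a route and a policy allow it"

def triage(packets, known_nets, directed_bcast_forward=False):
    """Return (dst, kind, crosses_router, reason) for each captured packet."""
    rows = []
    for p in packets:
        kind = classify_destination(p["dst"], known_nets)
        ok, why = forwarding_verdict(kind, directed_bcast_forward)
        rows.append((p["dst"], kind, ok, why))
    return rows

if __name__ == "__main__":
    for dst, kind, ok, why in triage(SAMPLE_PACKETS, ["10.10.20.0/24", "10.0.0.0/8"]):
        print(f"{dst:16} {kind:19} {'forwarded' if ok else 'dropped':9} {why}")
```

Only the unicast row survives with default settings, which is the point of the reply: the application must send unicast to each VPN client, or the firewall needs nothing short of an explicit directed-broadcast forwarding setting even for the routable forms.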
#6
Arshad Ali
Re: Unable to Forward Broadcast using Dialup IPSEC tunnel 2017/12/20 22:33:09 (permalink)
Thanks for your suggestion.
Can we convert the broadcast to unicast and then forward the same to the client end, or would a router be mandatory for this purpose?

If yes, what is the command to convert broadcast to unicast? Please suggest.
Regards,
Shoaib Hassan

#7
Toshi Esumi
Re: Unable to Forward Broadcast using Dialup IPSEC tunnel 2017/12/21 08:29:21 (permalink)
Whatever the application is, it should have a setting to specify whether broadcast (all clients are local) or unicast (clients may not be local) is used to solicit update packets.
#8
rohitchoudhary1978@gmail.com
Re: Unable to Forward Broadcast using Dialup IPSEC tunnel 2019/02/06 02:28:24 (permalink)
Hi,
any updates thereafter?
I am asking because I am stuck with a similar issue. I am using an application related to the stock exchange and having a similar issue. I can log in through the IPsec VPN but cannot get the stock market prices/updates.
If you achieved it, please let me know.
We are using a FortiGate 600C and found another link: https://kb.fortinet.com/kb/documentLink.do?externalID=FD36040
Let me check if it works until your reply.

Thanks
Rohit
post edited by rohitchoudhary1978@gmail.com - 2019/02/06 02:29:49
#9