Enable Multicast Routing Through a Branch Office VPN Tunnel

You can enable multicast routing through a Branch Office VPN (BOVPN) tunnel to support one-way multicast streams between networks protected by Fireboxes. For example, you can use multicast routing through a BOVPN tunnel to stream media from a video on demand (VOD) server to users on the network at the other end of a branch office VPN tunnel. Multicast routing through a BOVPN tunnel is supported only between Fireboxes.

When you enable multicast routing through a BOVPN tunnel, the tunnel sends multicast traffic from a single IP address on one side of the tunnel to an IP Multicast Group address. You configure the multicast settings in the tunnel to send multicast traffic to this IP Multicast Group address through the tunnel.

You must configure the multicast settings on each Firebox differently. You must configure the tunnel on one Firebox to send multicast traffic through the tunnel, and configure the tunnel settings on the other Firebox to receive multicast traffic. You can configure only one origination IP address per tunnel.

The steps to configure this are different for a BOVPN virtual interface, and for a BOVPN tunnel that is not configured as part of a virtual interface.

  • For a branch office VPN tunnel that is not configured as a BOVPN virtual interface, you configure multicast routing in the tunnel settings.
  • For a BOVPN virtual interface, you configure multicast routing in the BOVPN virtual interface settings.

In Fireware v12.4 or higher, multicast routing is not supported if you select the IPv6 Addresses setting in the BOVPN gateway configuration.

About Helper Addresses

When you enable multicast routing for a BOVPN tunnel that is not a BOVPN virtual interface, you must also configure helper addresses. The Firebox uses these IP addresses as the endpoints of the broadcast/multicast GRE tunnel inside the IPSec BOVPN tunnel. You can set Local IP and Remote IP to any unused IP address. We recommend you use private IP addresses that are not used on any local network or on any remote network the Firebox connects to.

We recommend that you select helper IP addresses in a private network IP address range that is not used by any local network or by any remote network connected through a VPN. This ensures that the addresses do not conflict with any other device. The private network ranges are:

192.168.0.0/16

172.16.0.0/12

10.0.0.0/8

If you enable broadcast or multicast routing in more than one branch office VPN tunnel, make sure that you use a different pair of helper IP addresses for each tunnel.

If you enable broadcast or multicast routing for a FireCluster, make sure that the IP address does not conflict with the cluster interface IP addresses or the cluster management IP addresses.

When you enable multicast routing through a BOVPN tunnel, the Firebox creates a GRE tunnel inside the IPSec VPN tunnel between the networks. The Firebox sends the multicast traffic through the GRE tunnel. The GRE tunnel requires an unused IP address on each side of the tunnel. You must configure helper IP addresses for each end of the BOVPN tunnel.

If you enable broadcast or multicast routing in more than one BOVPN tunnel, make sure that you use a different pair of helper IP addresses for each tunnel.

You do not need to configure helper addresses to send multicast traffic through a BOVPN virtual interface, because the BOVPN virtual interface already includes a GRE tunnel. For a BOVPN virtual interface, the Firebox uses the virtual interface IP addresses (if configured), or the Firebox external interface IP addresses for the GRE tunnel endpoints.

Enable a Firebox to Send Multicast Traffic Through a Tunnel

On the Firebox from which the multicast traffic is sent, edit the tunnel configuration to enable the device to send multicast traffic through the BOVPN tunnel.

  1. Select VPN > Branch Office VPN.
  2. Select a tunnel and click Edit.
  3. From the Tunnel page, click the Multicast Settings tab.

Screen shot of the Tunnel configuration - Multicast settings

  1. Select the Enable multicast routing over the tunnel check box.
  2. In the Origination IP text box, type the IP address of the originator of the traffic.
  3. In the Group IP text box, type the multicast IP address to receive the traffic.
  4. Select Enable device to send multicast traffic.
  5. From the Input Interface drop-down list, select the interface from which the multicast traffic originates.
  6. Click the Addresses tab.

    The Helper Addresses settings are enabled at the bottom of the Addresses tab.

Screen shot of the Tunnel settings page - Addresses tab

  1. In the Helper Addresses section, type IP addresses for each end of the multicast tunnel.
    • In the Local IP text box, type an IP address to use for the local end of the tunnel.
    • In the Remote IP text box, type an IP address to use for the remote end of the tunnel.
  1. Select VPN > Branch Office Tunnels.
  2. Select a tunnel and click Edit.
  3. From the Edit Tunnel dialog box, click the Multicast Settings tab.

Screen shot of the Edit Tunnel dialog box - Multicast tab

  1. Select the Enable multicast routing over the tunnel check box.
  2. In the Origination IP text box, type the IP address of the originator of the traffic.
  3. In the Group IP text box, type the multicast IP address to receive the traffic.
  4. Select Enable device to send multicast traffic.
  5. From the Input Interface drop-down list, select the interface from which the multicast traffic originates.
  6. Click the Addresses tab.
    The Helper Addresses settings are enabled at the bottom of the Addresses tab.

Screen shot of the New Tunnel dialog box

  1. In the Helper Addresses section, type IP addresses for each end of the multicast tunnel.
    • In the Local IP text box, type an IP address to use for the local end of the tunnel.
    • In the Remote IP text box, type an IP address to use for the remote end of the tunnel.

Enable a Firebox to Receive Multicast Traffic Through a Tunnel

On the Firebox on the network on which you want to receive the multicast traffic, configure the multicast settings to enable the device to receive multicast traffic through the tunnel.

  1. Select VPN > Branch Office VPN.
  2. Select a tunnel and click Edit.
  3. From the Tunnel page, click the Multicast Settings tab.
  4. Select the Enable multicast routing over the tunnel check box.
  5. In the Origination IP text box, type the IP address of the originator of the traffic.
  6. In the Group IP text box, type the multicast address to receive the traffic.
  7. Select Enable device to receive multicast traffic.
  8. Select the check box for each interface that you want to receive multicast traffic.
  9. Select the Addresses tab.
    The Helper Address settings are enabled at the bottom of the Addresses tab.
  10. In the Helper Addresses section, type the opposite IP addresses you typed in the configuration for the other end of the tunnel.
    • In the Local IP text box, type the IP address that you typed in the Remote IP field for the Firebox at the other end of the tunnel.
    • In the Remote IP text box, type the IP address that you typed in the Local IP field for the Firebox at the other end of the tunnel.
  1. Select VPN > Branch Office Tunnels.
  2. Select a tunnel and click Edit.
  3. From the Edit Tunnel dialog box, click the Multicast Settings tab.
  4. Select the Enable multicast routing over the tunnel check box.
  5. In the Origination IP text box, type the IP address of the originator of the traffic.
  6. In the Group IP text box, type the multicast address to receive the traffic.
  7. Select Enable device to receive multicast traffic.
  8. Select the check box for each interface that you want to receive multicast traffic.
  9. Select the Addresses tab.
    The Helper Address settings are enabled at the bottom of the Addresses tab.
  10. In the Helper Addresses section, type the opposite IP addresses you typed in the configuration for the other end of the tunnel.
    • In the Local IP text box, type the IP address that you typed in the Remote IP field for the Firebox at the other end of the tunnel.
    • In the Remote IP text box, type the IP address that you typed in the Local IP field for the Firebox at the other end of the tunnel.

For an example of how to configure a Firebox to receive multicast traffic through a tunnel, go to Multicast Routing Through a BOVPN Tunnel

Enable a Firebox to Send Multicast Traffic Through a BOVPN Virtual Interface

On the Firebox from which the multicast traffic is sent, edit the tunnel configuration to enable the device to send multicast traffic through the BOVPN virtual interface.

  1. Select VPN > BOVPN Virtual Interface.
  2. Select a BOVPN virtual interface and click Edit.
  3. From the BOVPN Virtual Interface page, click the Multicast Settings tab.

Screen shot of the BOVPN Virtual Interfaces page, Multicast Settings tab

  1. Select the Enable multicast routing over the tunnel check box.
  2. In the Origination IP text box, type the IP address of the originator of the traffic.
  3. In the Group IP text box, type the multicast IP address to receive the traffic.
  4. Select Enable device to send multicast traffic.
  5. From the Input Interface drop-down list, select the interface from which the multicast traffic originates.
  1. Select VPN > BOVPN Virtual Interface.
  2. Select a BOVPN virtual interface and click Edit.
  3. From the Edit BOVPN Virtual Interfacedialog box, click the Multicast Settings tab.

Screen shot of the New BOVPN Virtual Interface dialog box, Multicast Settings tab

  1. Select the Enable multicast routing over the tunnel check box.
  2. In the Origination IP text box, type the IP address of the originator of the traffic.
  3. In the Group IP text box, type the multicast IP address to receive the traffic.
  4. Select Enable device to send multicast traffic.
  5. From the Input Interface drop-down list, select the interface from which the multicast traffic originates.

Enable a Firebox to Receive Multicast Traffic Through a BOVPN Virtual Interface

On the Firebox on the network on which you want to receive the multicast traffic, configure the multicast settings to enable the device to receive multicast traffic through the BOVPN virtual interface.

  1. Select VPN > BOVPN Virtual Interface.
  2. Select a BOVPN virtual interface and click Edit.
  3. From the BOVPN Virtual Interface page, click the Multicast Settings tab.
  4. Select the Enable multicast routing over the tunnel check box.
  5. In the Origination IP text box, type the IP address of the originator of the traffic.
  6. In the Group IP text box, type the multicast address to receive the traffic.
  7. Select Enable device to receive multicast traffic.
  8. Select the check box for each interfaces that you want to receive the multicast traffic.
  1. Select VPN > BOVPN Virtual Interface.
  2. Select a BOVPN virtual interface and click Edit.
  3. From the Edit BOVPN Virtual Interface dialog box, click the Multicast Settings tab.
  4. Select the Enable multicast routing over the tunnel check box.
  5. In the Origination IP text box, type the IP address of the originator of the traffic.
  6. In the Group IP text box, type the multicast address to receive the traffic.
  7. Select Enable device to receive multicast traffic.
  8. Select the check box for each interfaces that you want to receive the multicast traffic.

Related Topics

Define a Tunnel