Enable Broadcast Routing Through a Branch Office VPN Tunnel
You can configure your Firebox to support limited broadcast routing through a Branch Office VPN (BOVPN) tunnel. When you enable broadcast routing, the tunnel supports broadcasts to the limited broadcast IP address, 255.255.255.255. Local subnet broadcast traffic is not routed through the tunnel. Broadcast routing supports broadcast only from one network to another through a BOVPN tunnel.
Broadcast routing through a BOVPN tunnel is supported only between Fireboxes, and is not supported across a BOVPN virtual interface.
Broadcast routing through a BOVPN tunnel does not support these broadcast types:
- DHCP/Bootstrap Protocol (bootp) broadcast
- NetBIOS broadcast
- Server Message Block (SMB) broadcast
For an example that shows which broadcasts can be routed through a BOVPN tunnel, go to Example of Broadcast Routing Through a BOVPN Tunnel.
Some software applications require the ability to broadcast to other network devices in order to operate. If devices that need to communicate this way are on networks connected by a BOVPN tunnel, you can enable broadcast routing through the tunnel so the application can find the devices on the network at the other end of the tunnel.
When you enable multicast or broadcast routing through a BOVPN tunnel, the Firebox creates a GRE tunnel inside the IPSec VPN tunnel between the networks. The Firebox sends the broadcast or multicast traffic through the GRE tunnel. The GRE tunnel requires an unused IP address on each side of the tunnel, so you must configure helper IP addresses for each end of the BOVPN tunnel.
We recommend that you select helper IP addresses in a private network IP address range that is not used by any local network or by any remote network connected through a VPN. This ensures that the addresses do not conflict with any other device. The private network ranges are:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
If you enable broadcast or multicast routing in more than one branch office VPN tunnel, make sure that you use a different pair of helper IP addresses for each tunnel.
If you enable broadcast or multicast routing for a FireCluster, make sure that the IP address does not conflict with the cluster interface IP addresses or the cluster management IP addresses.
In Fireware v12.4 or higher, if you configure the Gateway Address Family setting to be IPv6 Addresses, you cannot enable broadcast routing. Broadcast routing is not supported for IPv6 tunnels.
Enable Broadcast Routing for the Local Firebox
Fireware Web UI
1. Select VPN > Branch Office VPN.
2. Select a tunnel and click Edit.
3. From the Tunnel page, select the tunnel route and click Edit.
The Tunnel Route Settings dialog box appears.
4. Select the Enable broadcast routing over the tunnel check box. Click OK.
The Tunnel page appears. The Helper Addresses are enabled at the bottom of the Addresses tab.
5. In the Helper Addresses section, type IP addresses for each end of the broadcast tunnel. The Firebox uses these addresses as the endpoints of the broadcast/multicast GRE tunnel inside the IPSec BOVPN tunnel. You can set the Local IP and Remote IP to any unused IP address. We recommend you use private IP addresses that are not used on any local network or on any remote network the Firebox connects to.
   - In the Local IP text box, type an IP address to use for the local end of the tunnel.
   - In the Remote IP text box, type an IP address to use for the remote end of the tunnel.
Policy Manager
1. Select VPN > Branch Office Tunnels.
2. Select a tunnel and click Edit.
3. From the Edit Tunnel dialog box, select the tunnel route and click Edit.
The Tunnel Route Settings dialog box appears.
4. Select the Enable broadcast routing over the tunnel check box. Click OK.
The Edit Tunnel dialog box appears. The Helper Addresses are enabled at the bottom of the Addresses tab.
5. In the Helper Addresses section, type IP addresses for each end of the broadcast tunnel. The Firebox uses these addresses as the endpoints of the broadcast/multicast GRE tunnel inside the IPSec BOVPN tunnel. You can set the Local IP and Remote IP to any unused IP address. We recommend you use private IP addresses that are not used on any local network or on any remote network the Firebox connects to.
   - In the Local IP text box, type an IP address to use for the local end of the tunnel.
   - In the Remote IP text box, type an IP address to use for the remote end of the tunnel.
Configure Broadcast Routing for the Remote Firebox
1. Repeat Steps 1–4 as described in the previous section to enable broadcast routing for the device at the other end of the tunnel.
2. In the Helper Addresses section, type the same two addresses you typed for the other end of the tunnel, with the Local and Remote roles reversed.
   - In the Local IP text box, type the IP address that you typed in the Remote IP text box for the device at the other end of the tunnel.
   - In the Remote IP text box, type the IP address that you typed in the Local IP text box for the device at the other end of the tunnel.
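The helper-address rules above (private range, unused on either side, unique pair per tunnel, no FireCluster conflict, IPv4 only) and the mirrored configuration on the remote Firebox, as an added pre-flight check written for this page; it is not WatchGuard code and the subnets in it are constructed sample values.

```python
import ipaddress

# RFC 1918 ranges the page recommends for helper addresses.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_helper_pair(local_ip, remote_ip, local_networks, remote_networks,
                      cluster_ips=(), other_tunnel_pairs=()):
    """Return a list of problems with a proposed helper pair; empty means OK.

    local_networks / remote_networks: subnets on each side of the BOVPN tunnel.
    cluster_ips: FireCluster interface and management IPs, if any.
    other_tunnel_pairs: (local, remote) helper pairs used by other tunnels.
    """
    problems = []
    try:
        addrs = {"Local IP": ipaddress.ip_address(local_ip),
                 "Remote IP": ipaddress.ip_address(remote_ip)}
    except ValueError as exc:
        return [f"invalid helper address: {exc}"]
    if any(a.version == 6 for a in addrs.values()):
        return ["broadcast routing is not supported for IPv6 tunnels"]
    if addrs["Local IP"] == addrs["Remote IP"]:
        problems.append("Local IP and Remote IP must be different addresses")
    in_use = [ipaddress.ip_network(n) for n in (*local_networks, *remote_networks)]
    cluster = {ipaddress.ip_address(c) for c in cluster_ips}
    for role, addr in addrs.items():
        if not any(addr in r for r in PRIVATE_RANGES):
            problems.append(f"{role} {addr} is not in a private (RFC 1918) range")
        for net in in_use:
            if addr in net:
                problems.append(f"{role} {addr} is inside the in-use network {net}")
        if addr in cluster:
            problems.append(f"{role} {addr} conflicts with a FireCluster IP")
    used = {frozenset(ipaddress.ip_address(x) for x in p) for p in other_tunnel_pairs}
    if frozenset(addrs.values()) in used:
        problems.append("this helper pair is already used by another BOVPN tunnel")
    return problems


def remote_side(local_ip, remote_ip):
    """Helper addresses to type on the other Firebox: the two roles are swapped."""
    return {"Local IP": remote_ip, "Remote IP": local_ip}


if __name__ == "__main__":
    # Constructed sample: site A uses 10.1.0.0/24, site B uses 10.2.0.0/24.
    print(check_helper_pair("192.168.250.1", "192.168.250.2", ["10.1.0.0/24"], ["10.2.0.0/24"]))
    print(remote_side("192.168.250.1", "192.168.250.2"))
```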