Enable Broadcast Routing Through a Branch Office VPN Tunnel

You can configure your XTM device to support limited broadcast routing through a Branch Office VPN (BOVPN) tunnel. When you enable broadcast routing, the tunnel supports broadcasts to the limited broadcast IP address, 255.255.255.255. Local subnet broadcast traffic is not routed through the tunnel. Broadcast routing supports broadcast only from one network to another through a BOVPN tunnel.

Broadcast routing through a BOVPN tunnel is supported only between XTM devices, and is not supported across a BOVPN virtual interface.

Broadcast routing through a BOVPN tunnel does not support these broadcast types:

For an example that shows which broadcasts can be routed through a BOVPN tunnel, see Broadcast Routing Through a BOVPN Tunnel.

Some software applications require the ability to broadcast to other network devices in order to operate. If devices that need to communicate this way are on networks connected by a BOVPN tunnel, you can enable broadcast routing through the tunnel so the application can find the devices on the network at the other end of the tunnel.

When you enable multicast or broadcast routing through a BOVPN tunnel, the XTM device creates a GRE tunnel inside the IPSec VPN tunnel between the networks. The XTM device sends the broadcast or multicast traffic through the GRE tunnel. The GRE tunnel requires an unused IP address on each side of the tunnel, so you must configure helper IP addresses for each end of the BOVPN tunnel.

We recommend that you select helper IP addresses in a private network IP address range that is not used by any local network or by any remote network connected through a VPN. This ensures that the addresses do not conflict with any other device. The private network ranges are:

192.168.0.0/16

172.16.0.0/12

10.0.0.0/8

If you enable broadcast or multicast routing in more than one branch office VPN tunnel, make sure that you use a different pair of helper IP addresses for each tunnel.

If you enable broadcast or multicast routing for a FireCluster, make sure that the IP address does not conflict with the cluster interface IP addresses or the cluster management IP addresses.
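The helper address rules above can be checked before you type the addresses into the device. The following Python sketch is an added example, not WatchGuard code; the tunnel names, networks and cluster addresses in it are constructed sample data, and check_helper_pairs is a hypothetical helper name.

```python
import ipaddress

# Private ranges listed in the text above.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

def check_helper_pairs(tunnels, used_networks, reserved_ips=()):
    """Return a list of problems with the planned helper addresses.

    tunnels:       {tunnel name: (local helper IP, remote helper IP)}
    used_networks: CIDRs of every local network and every remote
                   network reachable through a VPN
    reserved_ips:  FireCluster interface and management IP addresses
    """
    nets = [ipaddress.ip_network(n) for n in used_networks]
    reserved = {ipaddress.ip_address(a) for a in reserved_ips}
    seen_pairs = {}  # helper pair -> first tunnel that uses it
    problems = []
    for name, (local, remote) in tunnels.items():
        local, remote = ipaddress.ip_address(local), ipaddress.ip_address(remote)
        if local == remote:
            problems.append(f"{name}: local and remote helper are both {local}")
        pair = frozenset((local, remote))  # order-independent comparison
        if pair in seen_pairs:
            problems.append(f"{name}: same helper pair as {seen_pairs[pair]}")
        seen_pairs.setdefault(pair, name)
        for addr in dict.fromkeys((local, remote)):  # de-duplicate, keep order
            if not any(addr in p for p in PRIVATE):
                problems.append(f"{name}: {addr} is not in a private range")
            for net in nets:
                if addr in net:
                    problems.append(f"{name}: {addr} is inside in-use network {net}")
            if addr in reserved:
                problems.append(f"{name}: {addr} is a reserved cluster address")
    return problems

# Constructed sample data (not taken from any real deployment).
SAMPLE_NETWORKS = ["10.0.1.0/24", "10.0.2.0/24", "192.168.50.0/24"]
SAMPLE_CLUSTER_IPS = ["172.16.255.1", "172.16.255.2"]
SAMPLE_TUNNELS = {
    "bovpn-branch-a": ("172.31.250.1", "172.31.250.2"),  # clean
    "bovpn-branch-b": ("172.31.250.2", "172.31.250.1"),  # same pair as branch-a
    "bovpn-branch-c": ("10.0.2.200", "172.16.255.1"),    # in-use subnet, cluster IP
}

if __name__ == "__main__":
    for p in check_helper_pairs(SAMPLE_TUNNELS, SAMPLE_NETWORKS, SAMPLE_CLUSTER_IPS):
        print(p)
```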

Enable Broadcast Routing for the Local XTM device

  1. Select VPN > Branch Office VPN.
  2. Select a tunnel and click Edit.
  3. From the Tunnel page, select the tunnel route and click Edit.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings dialog box

  4. Select the Enable broadcast routing over the tunnel check box. Click OK.
    The Tunnel page appears. The Helper Addresses are enabled at the bottom of the Addresses tab.

Screen shot of the Tunnel page - Addresses tab

  5. In the Helper Addresses section, type IP addresses for each end of the broadcast tunnel. The XTM device uses these addresses as the endpoints of the broadcast/multicast GRE tunnel inside the IPSec BOVPN tunnel. You can set the Local IP and Remote IP to any unused IP address. We recommend you use private IP addresses that are not used on any local network or on any remote network the XTM device connects to.

Configure Broadcast Routing for the XTM Device at the Other End of the Tunnel

  1. Repeat Steps 1–4 above to enable broadcast routing for the device at the other end of the tunnel.
  2. In the Helper Addresses section, type the opposite addresses you typed in the configuration for the other end of the tunnel.

See Also

Make Tunnels Between Gateway Endpoints

Add Routes for a Tunnel
