Broadcast Routing Through a BOVPN Tunnel

In this example we use Fireware XTM Web UI to configure the BOVPN tunnel to enable broadcast routing from a device at Site A to the IP addresses on the trusted network at Site B.

For the example, we assume the BOVPN tunnel has already been created, as described in WatchGuard VPN Interoperability Fireware XTM to Fireware XTM.

Example Settings

These settings correspond to the settings shown in the screen shots used throughout this example.

SITE A (XTM device with Fireware XTM 11.x) 

Trusted network IP address: 10.0.50.0/24

Existing tunnel: Tunnel_to_SiteB

Existing tunnel route: 10.0.50.0/24 <==> 192.168.100.0/24

SITE B (XTM device with Fireware XTM 11.x)

Trusted network IP address: 192.168.100.0/24

Existing tunnel: Tunnel_to_SiteA

Existing tunnel route: 192.168.100.0/24 <==> 10.0.50.0/24

Broadcast device at Site A

Network IP address: 10.0.50.3

Configure Broadcast Routing for the BOVPN Tunnel at Site A

  1. Select VPN > Branch Office VPN.
  2. Select Tunnel_to_SiteB. Click Edit.
    The Edit Tunnel dialog box appears.
  3. From the Tunnel page, select the tunnel route and click Edit.
    The Tunnel Route Settings dialog box appears.

Screen shot of the Tunnel Route Settings dialog box

  4. Click the Enable broadcast routing over the tunnel check box. Click OK.
    You return to the Tunnel page. The Helper Addresses appear at the bottom of the Addresses tab.

Screen shot of the Tunnel settings - Addresses tab - Site A

  5. In the Helper Addresses section, type the IP addresses for each end of the broadcast tunnel. Set Local IP and Remote IP to any two unused IP addresses, one for the local network and one for the remote network. We recommend you use private IP addresses that are not used on any local network or on any remote network the XTM device connects to.
    For this example:

For more information about helper addresses, see Enable Broadcast Routing Through a Branch Office VPN Tunnel.

  6. Save the configuration to the XTM device.

If you enable broadcast or multicast routing in more than one BOVPN tunnel, make sure that you use a different pair of helper IP addresses for each tunnel.

Configure Broadcast Routing for the BOVPN Tunnel at Site B

  1. Select VPN > Branch Office VPN.
  2. Select Tunnel_to_SiteA. Click Edit.
    The Edit Tunnel dialog box appears.
  3. From the Tunnel page, select the tunnel route and click Edit.
    The Tunnel Route Settings dialog box appears.
  4. Select the Enable broadcast routing over the tunnel check box. Click OK.
    You return to the Tunnel page. The Helper Addresses appear at the bottom of the Addresses tab.

Screen shot of the Tunnel page - Addresses tab - Site B

  5. In the Helper Addresses section, type the IP addresses for each end of the broadcast tunnel. These must be the same addresses you entered for the tunnel configuration at Site A, except that the order is reversed.
    For this example:
  6. Save the configuration to the XTM device.

Example Broadcast Scenarios

In this example, the BOVPN tunnel routes these broadcasts:

10.0.50.x/24 -> 192.168.100.255 (destination is the directed broadcast address of the remote network)

10.0.50.x/24 -> 255.255.255.255

192.168.100.x/24 -> 10.0.50.255 (destination is the directed broadcast address of the remote network)

192.168.100.x/24 -> 255.255.255.255

The BOVPN tunnel does not route these broadcasts:

0.0.0.0 -> 255.255.255.255 (DHCP/BOOTP broadcast)

10.0.50.x/24 -> 10.0.50.255 (NetBIOS broadcast: not the directed broadcast address of the remote network)

192.168.100.x/24 -> 192.168.100.255 (NetBIOS broadcast: not the directed broadcast address of the remote network)

203.0.113.x/24 -> 10.0.50.255 (source IP address does not match the local network)

198.51.100.x/24 -> 192.168.100.255 (source IP address does not match the local network)
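
The routed and not-routed lists above can be expressed as a small decision function, which is useful when you review which broadcast traffic a tunnel route lets cross between sites. This is an added example, not WatchGuard code: it models only the rules listed on this page, and every host address other than 10.0.50.3 is a constructed sample.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

def classify_broadcast(src, dst, local_net, remote_net):
    """Model the routed / not-routed lists above for one side of a tunnel route."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    local = ipaddress.IPv4Network(local_net)
    remote = ipaddress.IPv4Network(remote_net)
    if src.is_unspecified:
        return False, "DHCP/BOOTP broadcast"
    if src not in local:
        return False, "source IP address does not match the local network"
    if dst == LIMITED_BROADCAST:
        return True, "limited broadcast from the local network"
    if dst == remote.broadcast_address:
        return True, "directed broadcast address of the remote network"
    if dst == local.broadcast_address:
        return False, "not the directed broadcast address of the remote network"
    return False, "destination is not a broadcast address for this tunnel route"

# (local, remote) networks of each site's tunnel route, taken from the page.
SITE_A = ("10.0.50.0/24", "192.168.100.0/24")
SITE_B = ("192.168.100.0/24", "10.0.50.0/24")

# Constructed sample packets: (site where the packet is seen, source, destination).
SAMPLES = [
    (SITE_A, "10.0.50.3", "192.168.100.255"),
    (SITE_A, "10.0.50.3", "255.255.255.255"),
    (SITE_B, "192.168.100.20", "10.0.50.255"),
    (SITE_B, "192.168.100.20", "255.255.255.255"),
    (SITE_A, "0.0.0.0", "255.255.255.255"),
    (SITE_A, "10.0.50.3", "10.0.50.255"),
    (SITE_B, "192.168.100.20", "192.168.100.255"),
    (SITE_B, "203.0.113.7", "10.0.50.255"),
    (SITE_A, "198.51.100.9", "192.168.100.255"),
]

def evaluate_samples():
    """Return (src, dst, routed, reason) for every constructed sample."""
    return [(s, d) + classify_broadcast(s, d, *site) for site, s, d in SAMPLES]

if __name__ == "__main__":
    for src, dst, routed, reason in evaluate_samples():
        verdict = "routed" if routed else "not routed"
        print(f"{src:>15} -> {dst:<15} {verdict:<10} {reason}")
```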
