Enable Multicast Routing Through a Branch Office VPN Tunnel

You can enable multicast routing through a Branch Office VPN (BOVPN) tunnel to support one-way multicast streams between networks protected by XTM devices. For example, you can use multicast routing through a BOVPN tunnel to stream media from a video on demand (VOD) server to users on the network at the other end of a branch office VPN tunnel. Multicast routing through a BOVPN tunnel is supported only between XTM devices.

The ability for a BOVPN tunnel to send or receive multicast traffic through a VLAN or Bridge interface is supported in Fireware XTM v11.9.3 or higher.

When you enable multicast routing through a BOVPN tunnel, the tunnel sends multicast traffic from a single IP address on one side of the tunnel to an IP Multicast Group address. You configure the multicast settings in the tunnel to send multicast traffic to this IP Multicast Group address through the tunnel.

You must configure the multicast settings on each XTM device differently. You must configure the tunnel on one XTM device to send multicast traffic through the tunnel, and configure the tunnel settings on the other XTM device to receive multicast traffic. You can configure only one origination IP address per tunnel.

The configuration steps differ between a BOVPN virtual interface and a BOVPN tunnel that is not configured as part of a virtual interface.

About Helper Addresses

When you enable multicast routing for a BOVPN tunnel that is not a BOVPN virtual interface, you must also configure helper addresses. The XTM device uses these IP addresses as the endpoints of the broadcast/multicast GRE tunnel inside the IPSec BOVPN tunnel. You can set Local IP and Remote IP to any unused IP address. We recommend you use private IP addresses that are not used on any local network or on any remote network the XTM device connects to.

We recommend that you select helper IP addresses in a private network IP address range that is not used by any local network or by any remote network connected through a VPN. This ensures that the addresses do not conflict with any other device. The private network ranges are:

192.168.0.0/16

172.16.0.0/12

10.0.0.0/8

If you enable broadcast or multicast routing in more than one branch office VPN tunnel, make sure that you use a different pair of helper IP addresses for each tunnel.

If you enable broadcast or multicast routing for a FireCluster, make sure that the helper IP addresses do not conflict with the cluster interface IP addresses or the cluster management IP addresses.

When you enable multicast routing through a BOVPN tunnel, the XTM device creates a GRE tunnel inside the IPSec VPN tunnel between the networks. The XTM device sends the multicast traffic through the GRE tunnel. The GRE tunnel requires an unused IP address on each side of the tunnel. You must configure helper IP addresses for each end of the BOVPN tunnel.

You do not need to configure helper addresses to send multicast traffic through a BOVPN virtual interface, because the BOVPN virtual interface already includes a GRE tunnel. For a BOVPN virtual interface, the XTM device uses the virtual interface IP addresses (if configured), or the XTM device external interface IP addresses for the GRE tunnel endpoints.

Enable an XTM Device to Send Multicast Traffic Through a Tunnel

On the XTM device from which the multicast traffic is sent, edit the tunnel configuration to enable the device to send multicast traffic through the BOVPN tunnel.

  1. Select VPN > Branch Office VPN.
  2. Select a tunnel and click Edit.
  3. From the Tunnel page, click the Multicast Settings tab.

Screen shot of the Tunnel configuration - Multicast settings

  4. Select the Enable multicast routing over the tunnel check box.
  5. In the Origination IP text box, type the IP address of the originator of the traffic.
  6. In the Group IP text box, type the multicast IP address to receive the traffic.
  7. Select Enable device to send multicast traffic.
  8. From the Input Interface drop-down list, select the interface from which the multicast traffic originates.
  9. Click the Addresses tab.
    The Helper Addresses settings are enabled at the bottom of the Addresses tab.

Screen shot of the Tunnel settings page - Addresses tab

  10. In the Helper Addresses section, type IP addresses for each end of the multicast tunnel.

Enable an XTM Device to Receive Multicast Traffic Through a Tunnel

On the XTM device on the network on which you want to receive the multicast traffic, configure the multicast settings to enable the device to receive multicast traffic through the tunnel.

  1. Select VPN > Branch Office VPN.
  2. Select a tunnel and click Edit.
  3. From the Tunnel page, click the Multicast Settings tab.
  4. Select the Enable multicast routing over the tunnel check box.
  5. In the Origination IP text box, type the IP address of the originator of the traffic.
  6. In the Group IP text box, type the multicast address to receive the traffic.
  7. Select Enable device to receive multicast traffic.
  8. Select the check box for each interface that you want to receive multicast traffic.
  9. Select the Addresses tab.
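    The Helper Addresses settings are enabled at the bottom of the Addresses tab.
  10. In the Helper Addresses section, type the helper IP addresses from the other end of the tunnel in the opposite order: the Local IP on this device is the Remote IP on the other device, and the Remote IP on this device is the Local IP on the other device.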

For an example of how to do this, see Multicast Routing Through a BOVPN Tunnel.
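Before you type the values into both devices, you can check the plan against the helper address rules and the send/receive settings described above. The following Python script is an added example, not WatchGuard code: the function names, dictionary keys, and all addresses are constructed for illustration, and `reused_helpers` treats any helper address shared between tunnels as a conflict, which is stricter than "a different pair".

```python
import ipaddress as ip

RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan (not from any real deployment).
USED = ["10.0.1.0/24", "10.0.2.0/24", "192.168.50.0/24"]  # local + remote networks
SEND = {"origination_ip": "10.0.1.10", "group_ip": "239.1.1.1",
        "helper_local": "172.31.255.1", "helper_remote": "172.31.255.2"}
RECV = dict(SEND, helper_local="172.31.255.2", helper_remote="172.31.255.1")

def check_tunnel(send, recv, used_networks, reserved_ips=()):
    """Return a list of problems for one tunnel; an empty list means the plan is consistent."""
    problems = []
    nets = [ip.ip_network(n) for n in used_networks]
    reserved = {ip.ip_address(a) for a in reserved_ips}  # e.g. FireCluster addresses
    for field in ("origination_ip", "group_ip"):
        if send[field] != recv[field]:
            problems.append(f"{field} differs between the two devices")
    if not ip.ip_address(send["group_ip"]).is_multicast:
        problems.append("group_ip is not a multicast address")
    if ip.ip_address(send["origination_ip"]).is_multicast:
        problems.append("origination_ip must be a single host address")
    # The receiving device must carry the same helper pair, swapped.
    if (send["helper_local"], send["helper_remote"]) != (
            recv["helper_remote"], recv["helper_local"]):
        problems.append("helper addresses are not mirrored")
    if send["helper_local"] == send["helper_remote"]:
        problems.append("helper_local and helper_remote are the same address")
    for name in ("helper_local", "helper_remote"):
        addr = ip.ip_address(send[name])
        if not any(addr in n for n in RFC1918):
            problems.append(f"{name} {addr} is outside the private ranges")
        problems += [f"{name} {addr} is inside used network {n}"
                     for n in nets if addr in n]
        if addr in reserved:
            problems.append(f"{name} {addr} conflicts with a cluster address")
    return problems

def reused_helpers(tunnels):
    """Return helper addresses that appear in more than one tunnel (stricter than the page)."""
    seen, dup = set(), set()
    for t in tunnels:
        for a in {t["helper_local"], t["helper_remote"]}:
            (dup if a in seen else seen).add(a)
    return sorted(dup)
```

Pass every local network and every network reachable through any VPN as `used_networks`; an empty list from `check_tunnel` means the two ends agree and the helper addresses are free.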

Enable an XTM Device to Send Multicast Traffic Through a BOVPN Virtual Interface

On the XTM device from which the multicast traffic is sent, edit the tunnel configuration to enable the device to send multicast traffic through the BOVPN virtual interface.

  1. Select VPN > BOVPN Virtual Interface.
  2. Select a BOVPN virtual interface and click Edit.
  3. From the BOVPN Virtual Interface page, click the Multicast Settings tab.

Screen shot of the BOVPN Virtual Interfaces page, Multicast Settings tab

  4. Select the Enable multicast routing over the tunnel check box.
  5. In the Origination IP text box, type the IP address of the originator of the traffic.
  6. In the Group IP text box, type the multicast IP address to receive the traffic.
  7. Select Enable device to send multicast traffic.
  8. From the Input Interface drop-down list, select the interface from which the multicast traffic originates.

Enable an XTM Device to Receive Multicast Traffic Through a BOVPN Virtual Interface

On the XTM device on the network on which you want to receive the multicast traffic, configure the multicast settings to enable the device to receive multicast traffic through the BOVPN virtual interface.

  1. Select VPN > BOVPN Virtual Interface.
  2. Select a BOVPN virtual interface and click Edit.
  3. From the BOVPN Virtual Interface page, click the Multicast Settings tab.
  4. Select the Enable multicast routing over the tunnel check box.
  5. In the Origination IP text box, type the IP address of the originator of the traffic.
  6. In the Group IP text box, type the multicast address to receive the traffic.
  7. Select Enable device to receive multicast traffic.
  8. Select the check box for each interface that you want to receive multicast traffic.

See Also

Define a Tunnel