VPN, forward broadcast packets

Unanswered Question
May 20th, 2008
User Badges:

We have two remote locations, each uses a CISCO dsl router (model: 870) which is setup to offer internet access as well as a VPN between the two locations.

Location 1 is and location 2 is Both networks are accessible and they can interconnect (remote desktop works fine, pinging works fine, etc etc).

We are using a special application between the two locations, location 1 has the server and location 2 has a client PC which connects to the server. The application connects to the server via TCP on a dedicated port (9191) and everything looks ok.

Unfortunately, the server sends replies in broadcast or multicast or whatever (yeah i know , its a bad implementation), which means that the client never receives an "ok" from the server because broadcast packets are not forwarded between the two locations over the VPN.

So here my question:

How do i forward broadcast packets? I'm only interested to forward packets from the server on location 1 to location 2, i'm not interested to forward ALL broadcast packets from location 1 to location 2.

Any help would be appreciated.

Thank you.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


A router will never forward a broadcast , let alone in a VPN tunnel. Unicast of course - multicast sure, if you tunnel them in GRE. Broadcast - nope.

I would take a closer look at the application if I was you as it sounds like it does not confirm to basic TCP/IP operation in the ISO model. Sounds like it was designed to run on a LAN in the same broadcast domain!


babis4141 Tue, 05/20/2008 - 07:31
User Badges:

hmm weird, because i was told that i should be able to turn a broadcast into a directional

broadcast or at least a unicast on the lan side with the ip helper address command on the inside of your source.

google turned up a few links but nothing related to CISCO routers.

babis4141 Tue, 05/20/2008 - 07:41
User Badges:

Thats why i mention in my first post that the application we are using is badly implemented.

These broadcasts are usually found on multiplayer games over LAN, not on financial applications.

Anyway, since this what what i've got to work with, i don't have any other option.

How can i use this feature to forward broadcasts then?

babis4141 Tue, 05/20/2008 - 08:12
User Badges:

I believe the broadcast address is based on my sniffing of the packets.

Richard Burts Tue, 05/20/2008 - 08:26
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


Andrew takes a somewhat limited view of the possible use of helper-address. If your broadcasts were UDP then I believe that helper-address would do exactly what you want. But helper-address is for UDP not TCP broadcasts. So if your broadcasts are TCP then helper-address will not be much help.

I do not believe that there is a Cisco solution for your issue. Perhaps you could write a small application that would listen for broadcasts on that TCP port and would then generate unicast versions of the packet.



babis4141 Tue, 05/20/2008 - 10:28
User Badges:

Actually, i never mentioned TCP or UDP, so far i know the packets are broadcasts but in the next few days i'll know if they are TCP or UDP.

I suspect they are UDP because the "tech support" says they've setup the same application on other VPN networks and they got it working.

Can you please tell me how "helper-address" works?

All i want is to forward broadcast packets from ip to network

Richard Burts Tue, 05/20/2008 - 10:46
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


Perhaps you did not really mean it, but in your original post you said:

"The application connects to the server via TCP on a dedicated port (9191)"

and some of us understood that literally.

If the broadcasts are indeed UDP then helper address may solve your problem. Here is how ip helper-address works: when you configure ip helper-address on an interface the interface begins to listen for UDP broadcasts that qualify. When it receives a qualifying broadcast then the router creates a unicast (or directed broadcast if configured for that) copy of the broadcast frame and sends it to the destination that you specify when you configure the ip helper-address.

So the response from Andrew was correct that routers never forward broadcasts because the broadcast itself is not forwarded. But a copy of the broadcast is created and that is what is forwarded.

Another aspect of this is the conept of qualifying broadcasts. The helper-address does not forward all broadcasts but only forwards selected broadcasts. There are several types of broadcast UDP frames that qualify by default (these include bootp/dhcp, tftp, and a few other). You can qualify additional types of broadcast using the command ip forward-protocol to specify additional UDP ports.

So assuming that the broadcasts do turn out to be UDP then you would want to configure something like this:

ip forward-protocol udp 9191

interface fastether x/y

ip helper-address

If the specified is unicast then a unicast copy if forwarded. If the is the broadcast address of the remote subnet then a directed broadcast is forwarded. (note that directed broadcast is not enabled by default. So if you want the directed broadcast to work you need to configure ip directed-broadcast on the receiving interface - the interface of the subnet to which you are forwarding).




This Discussion