OpenVPN tunnel beetween sites and TFTP provisionning
-
Hi everyone !
At work we have a new remote site connected to the internet with a fiber internet access and a Netgate 6100, two computers and one Alcatel 8028S IP phone. All devices are in the same network segment (192.168.10.x) using the Netgate 6100 as gateway (192.168.10.254).
At the company headquarters we have a Netgate 6100, some computers and IP phones connected to an Aclatel IPBX. We have 2 network segments:
- one with the IP phones (192.168.1.X/24), the ISP fiber box (192.168.1.1) and the Alcatel IPBX (192.168.1.246). The IPBX and the phones use the ISP fiber box (192.168.1.1) as gateway
- one with the computers (192.168.2.x/24) and the Netgate 6100 (192.168.2.254) using the ISP fibre box (192.168.1.1) as gateway for the WAN interface.
I set up an OpenVPN site to site tunnel beetween the two sites. I can ping the IPBX (192.168.1.246) from a computer at remote site (192.168.10.x), the traceroute seems OK but TFTP provisionning is not working on the phone (i have a "No TFTP response" message).
I made a lot of search and tests (with or without TFTP proxy, with a separate Raspberry acting as OpenVPN client at remote site instead of pfSense... ) without success. It looks like sometimes TFTP is a bit tricky. Any advice please ? Maybe a NAT problem or something ?
Regards
Guillaume -
@guillaume14
You might have to enable the TFTP proxy on the WAN.
System > Advanced > Firewall & NAT > TFTP Proxy -
@viragomann Thanks a lot. Already tested but someone told me that a reboot may be necessary: will do that tonight
-
Hello !
With the TFTP proxy enabled the i don't have the "No TFTP response" message anymore: thats great !
But now the phone is rebooting at step 5 (Application Launch). On the IPBX i can see that the phone is trying to register but it looks like the IP of the phone is 192.168.1.254 (the IP of the Wan interface at company headquarters) instead of the IP of the phone (192.168.10.223).
NAT problem ?
Thanks
Guillaume -
@guillaume14
Yeah, pfSense is natting all traffic going out on the WAN.You can disable NAT for traffic going to the IPBX though, but this would not work either, since then the box routes responses to the ISP router, since this is the default gateway.
If there is an option to add a static route for remote site on the IPBX it would work without NAT.
Otherwise you should consider to put the box behind pfSense.Another option would be to put it into a separate network segment, either on the ISP router (and add the static route there) or on pfSense.
-
@viragomann Thanks a lot for your time !
I think i can add a static route to my IPBX. So i have to switch to "Manual Outbound NAT rule generation" and recreate a new rule for all networks that need Outbound NAT (and not list my remote LAN segment)
And a firewall rule to allow trafic coming from IPBX to my WAN IP ?
Thanks a lot
Regards -
@guillaume14 said in OpenVPN tunnel beetween sites and TFTP provisionning:
I think i can add a static route to my IPBX. So i have to switch to "Manual Outbound NAT rule generation" and recreate a new rule for all networks that need Outbound NAT
No. If you have a static route on the IPBX you just need to disable not for traffic going to it from pfSense.
To do so, enable the hybrid mode. Then add a rule:
check "Do not NAT"
interface: WAN
source: any (or maybe limit it)
destination: <IPBX IP>And a firewall rule to allow trafic coming from IPBX to my WAN IP ?
This is only necessary if it initiates a connection towards pfSense on its own. But this has nothing to do with the NAT rule.
-
@viragomann Thanks a lot !
I am gonna make some tests tomorrow and let you know
-
Hello
Tried that but thats not working.
With the new rule the the phone appears as having the IP 192.168.1.254 in the IPBX (the local 8028S IP at remote site is 192.168.10.30). So NAT is not disabled right ?
My NAT rule is:
Source: *
Source port: *
Destination: 192.168.1.246
Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules: checkedThanks in advance
Guillaume -
@guillaume14
Did you enable the hybrid mode?Is the interface, the NAT rule is defined on, WAN?
-
-
@guillaume14
Ensure all related states are flushed.If the no-nat rule still isn't applied, there might something wrong in its settings, so that it doesn't match.
Ensure that the protocol and the destination port are correct if stated.