Netgate Discussion Forum
    OpenVPN tunnel between sites and TFTP provisioning

      viragomann @guillaume14

      @guillaume14
      You might have to enable the TFTP proxy on the WAN.
      System > Advanced > Firewall & NAT > TFTP Proxy

        guillaume14 @viragomann

        @viragomann Thanks a lot. Already tested, but someone told me that a reboot may be necessary: will do that tonight.

          guillaume14

          Hello!

          With the TFTP proxy enabled I don't have the "No TFTP response" message anymore: that's great!

          But now the phone is rebooting at step 5 (Application Launch). On the IPBX I can see that the phone is trying to register, but it looks like the IP of the phone is 192.168.1.254 (the IP of the WAN interface at company headquarters) instead of the IP of the phone (192.168.10.223).

          NAT problem?

          Thanks
          Guillaume

            viragomann @guillaume14

            @guillaume14
            Yeah, pfSense is NATing all traffic going out on the WAN.

            You can disable NAT for traffic going to the IPBX, but this would not work either, since then the box routes responses to the ISP router, which is its default gateway.

            If there is an option to add a static route for the remote site on the IPBX, it would work without NAT.
            Otherwise you should consider putting the box behind pfSense.

            Another option would be to put it into a separate network segment, either on the ISP router (and add the static route there) or on pfSense.

              guillaume14 @viragomann

              @viragomann Thanks a lot for your time!

              I think I can add a static route to my IPBX. So I have to switch to "Manual Outbound NAT rule generation" and recreate a new rule for all networks that need Outbound NAT (and not list my remote LAN segment).

              And a firewall rule to allow traffic coming from the IPBX to my WAN IP?

              Thanks a lot
              Regards

                viragomann @guillaume14

                @guillaume14 said in OpenVPN tunnel between sites and TFTP provisioning:

                I think I can add a static route to my IPBX. So I have to switch to "Manual Outbound NAT rule generation" and recreate a new rule for all networks that need Outbound NAT

                No. If you have a static route on the IPBX you just need to disable NAT for traffic going to it from pfSense.

                To do so, enable the hybrid mode. Then add a rule:
                check "Do not NAT"
                interface: WAN
                source: any (or maybe limit it)
                destination: <IPBX IP>

                And a firewall rule to allow traffic coming from the IPBX to my WAN IP?

                This is only necessary if it initiates a connection towards pfSense on its own. But this has nothing to do with the NAT rule.

                  guillaume14 @viragomann

                  @viragomann Thanks a lot!

                  I am gonna make some tests tomorrow and let you know 👍

                    guillaume14 @guillaume14

                    Hello

                    Tried that, but that's not working.

                    With the new rule the phone appears as having the IP 192.168.1.254 in the IPBX (the local 8028S IP at the remote site is 192.168.10.30). So NAT is not disabled, right?

                    My NAT rule is:
                    Source: *
                    Source port: *
                    Destination: 192.168.1.246
                    Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules: checked

                    Thanks in advance
                    Guillaume

                      viragomann @guillaume14

                      @guillaume14
                      Did you enable the hybrid mode?

                      Is the interface the NAT rule is defined on WAN?

                        guillaume14 @viragomann

                        @viragomann

                        Yes, Hybrid Mode is enabled.

                        The interface is WAN.

                        Thanks.
                        Guillaume

                          viragomann @guillaume14

                          @guillaume14
                          Ensure all related states are flushed.

                          If the no-nat rule still isn't applied, there might be something wrong in its settings, so that it doesn't match.
                          Ensure that the protocol and the destination port are correct, if stated.

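The two checks the last replies ask for, rule matching and lingering states, as an added example script that is not from the thread or from pfSense itself. It assumes `em0` is the WAN interface, that hybrid mode loads the manual no-nat rule ahead of the automatic outbound NAT rules (pf is first match), and the addresses quoted in the thread; the `pfctl` samples are constructed.

```shell
#!/bin/sh
# Added example: verify a pfSense "Do not NAT" rule for the IPBX is loaded before
# the translating rules, and list pf states that still rewrite the source to the WAN IP.
# On the firewall: check_nonat_rule "$(pfctl -sn)"; find_translated_states "$(pfctl -ss)"

IPBX="192.168.1.246"     # IPBX address from the thread
WAN_IP="192.168.1.254"   # pfSense WAN address from the thread

# Constructed `pfctl -sn` output as hybrid mode loads it: the manual no-nat rule
# is listed before the automatic outbound NAT rule.
SAMPLE_RULES='no nat on em0 inet from any to 192.168.1.246
nat on em0 inet from 192.168.10.0/24 to any -> 192.168.1.254 port 1024:65535'

# Constructed `pfctl -ss` output: "src (original-src) -> dst" marks a NATed flow.
SAMPLE_STATES='em0 udp 192.168.1.254:60311 (192.168.10.30:5060) -> 192.168.1.246:5060   MULTIPLE:MULTIPLE
em0 udp 192.168.10.30:5060 -> 192.168.1.246:5060   MULTIPLE:MULTIPLE
em0 tcp 192.168.1.254:44012 (192.168.10.50:51000) -> 203.0.113.10:443   ESTABLISHED:ESTABLISHED'

# Returns 0 when a "no nat ... to $IPBX" rule exists and precedes the first
# translating "nat on" rule; a no-nat rule placed after it never matches.
check_nonat_rule() {
    printf '%s\n' "$1" | awk -v ipbx="$IPBX" '
        /^nat on/ { seen_nat = 1 }
        /^no nat on/ && !seen_nat {
            for (i = 1; i < NF; i++) if ($i == "to" && $(i + 1) == ipbx) found = 1
        }
        END {
            if (found) { print "OK: no-nat rule for " ipbx " precedes the NAT rules"; exit 0 }
            print "FAIL: no no-nat rule for " ipbx " ahead of the NAT rules"; exit 1
        }'
}

# Prints each state towards $IPBX whose source was rewritten to $WAN_IP; returns 1
# if any exist. Such states outlive a rule change until flushed, e.g. with
# "pfctl -k 0.0.0.0/0 -k 192.168.1.246" (any source, destination IPBX).
find_translated_states() {
    printf '%s\n' "$1" | awk -v ipbx="$IPBX" -v wan="$WAN_IP" '
        {
            dst = ""
            for (i = 1; i < NF; i++) if ($i == "->") dst = $(i + 1)
            if (index(dst, ipbx ":") == 1 && index($3, wan ":") == 1 && $4 ~ /^\(/) {
                print "still NATed: " $0; n++
            }
        }
        END { exit (n > 0 ? 1 : 0) }'
}

check_nonat_rule "$SAMPLE_RULES"
find_translated_states "$SAMPLE_STATES" || echo "flush the listed states, then re-test the phone"
```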
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.