Netgate Discussion Forum

    TFTP client behind pfSense: Does not work

    • -flo- 0-

      Hi,

      I have a problem with a TFTP client. This is an IPTV appliance trying to get system updates from a server on the Internet on startup. The client's IP address is 172.27.2.54, the server has IP address 217.6.167.184.

      I have TFTP proxy enabled on my LAN interface. I get entries in the system log like this:

      Feb 18 17:16:42	tftp-proxy[10100]: 172.27.2.54:1027 -> 127.0.0.1:6969/91.21.141.189:63065 -> 217.6.167.184:69 "RRQ sync"
      Feb 18 17:16:51	tftp-proxy[20341]: 172.27.2.54:1027 -> 127.0.0.1:6969/91.21.141.189:52242 -> 217.6.167.184:69 "RRQ sync"
      Feb 18 17:17:00	tftp-proxy[31289]: 172.27.2.54:1027 -> 127.0.0.1:6969/91.21.141.189:56774 -> 217.6.167.184:69 "RRQ sync"
      Feb 18 17:17:09	tftp-proxy[33989]: 172.27.2.54:1027 -> 127.0.0.1:6969/91.21.141.189:53677 -> 217.6.167.184:69 "RRQ sync"
      Feb 18 17:17:18	tftp-proxy[36770]: not a valid tftp request
      Feb 18 17:17:18	inetd[20111]: /usr/libexec/tftp-proxy[36770]: exited, status 1
      

      In the states I can see this:

      LAN	udp	127.0.0.1:6969 (217.6.167.184:69) <- 172.27.2.54:1027	NO_TRAFFIC:SINGLE
      

      The client is not restricted in any way on the firewall.

      The client is not configured to use any TFTP proxy. Therefore I would not expect the proxy to intercept the requests made by the client. Apparently, however, this is what happens. Is this correct? How does this happen?

      The connection is not successful; the client aborts after a while and several retries.

      After seeing the message "not a valid tftp request" I checked this with Wireshark (LAN interface). The request from the client appears as a valid TFTP read request; on the LAN side there are no answer packets. On the WAN interface I can also see the packets with read requests with my public IP address as source address (rewritten) and the server's IP address as target address and target port 69. I can also see answers from the server; these are option acknowledgment packets. These answer packets are sent from the server's IP address and source port 69, target IP is my public IP, target port is the source port of the original request. (Although this seems not to be required in TFTP, the answer is sent from source port 69, which should allow pfSense to direct the answer packets to the client even without the TFTP proxy.)

      This all looks fine to me.

      Why is there an error message from the TFTP proxy? Why are the answer packets not forwarded to the client on the LAN?

      How can I get this working?

      Thank you!

      -flo-
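
To read the tftp-proxy lines quoted in the post above, this added example (not part of the original post and not Netgate code) groups the logged requests per client socket and reports how often the same request was retransmitted and how many rejected requests were logged. Reading the four address fields as client, proxy listener, proxy source and server is an assumption taken from the layout of the logged lines.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (tab after the timestamp, as in the syslog view).
SAMPLE_LOG = '''\
Feb 18 17:16:42\ttftp-proxy[10100]: 172.27.2.54:1027 -> 127.0.0.1:6969/91.21.141.189:63065 -> 217.6.167.184:69 "RRQ sync"
Feb 18 17:16:51\ttftp-proxy[20341]: 172.27.2.54:1027 -> 127.0.0.1:6969/91.21.141.189:52242 -> 217.6.167.184:69 "RRQ sync"
Feb 18 17:17:00\ttftp-proxy[31289]: 172.27.2.54:1027 -> 127.0.0.1:6969/91.21.141.189:56774 -> 217.6.167.184:69 "RRQ sync"
Feb 18 17:17:09\ttftp-proxy[33989]: 172.27.2.54:1027 -> 127.0.0.1:6969/91.21.141.189:53677 -> 217.6.167.184:69 "RRQ sync"
Feb 18 17:17:18\ttftp-proxy[36770]: not a valid tftp request
Feb 18 17:17:18\tinetd[20111]: /usr/libexec/tftp-proxy[36770]: exited, status 1
'''

PREFIX = re.compile(r'^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+tftp-proxy\[\d+\]:\s+(.*)$')
# Assumed field order: client -> proxy listener / proxy source -> server "OP file"
REQUEST = re.compile(r'^(\S+) -> ([^/\s]+)/(\S+) -> (\S+) "(\w+) ([^"]*)"$')


def summarize(log):
    """Return (per-flow report, count of rejected requests) for tftp-proxy lines."""
    flows = defaultdict(list)  # (client, server, op, file) -> [(seconds, proxy_src)]
    invalid = 0
    for line in log.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue  # lines from other daemons (inetd here) are skipped
        hh, mm, ss, body = m.groups()
        secs = int(hh) * 3600 + int(mm) * 60 + int(ss)
        r = REQUEST.match(body)
        if r:
            client, _listener, proxy_src, server, op, name = r.groups()
            flows[(client, server, op, name)].append((secs, proxy_src))
        elif body == "not a valid tftp request":
            invalid += 1
    report = []
    for (client, server, op, name), hits in flows.items():
        times = [t for t, _ in hits]
        report.append({
            "client": client, "server": server, "request": f"{op} {name}",
            "attempts": len(hits),
            "intervals": [b - a for a, b in zip(times, times[1:])],
            "proxy_ports": sorted({src.rsplit(":", 1)[1] for _, src in hits}),
            # The same request repeated from one client socket means the
            # client is retransmitting, i.e. it never received a reply.
            "stalled": len(hits) > 1,
        })
    return report, invalid


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```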

      • -flo- 0-

        OK, after writing this long post I tried to disable the TFTP proxy. Don't know why I didn't do this in the first place. However, now this works.

        Still, I don't understand why the TFTP proxy intercepts the UDP traffic. Is this the right behavior? And is there a defect in the TFTP proxy? If it is there it should be working, right?

        -flo-

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.