Cisco IP Phone behind pfsense with ext. TFTP Server
-
I attached a screenshot of everything special added for the phone.
1. The firewall outgoing rule in the LAN section
2. The NAT outbound rule for disabling the port rewrite
3. The TFTP helper
I think the current problem is the transmission of the replied packet from WAN to LAN (the phone). There is no transmission through the pfsense-box :(
Must I install the TFTP server package?
I tried both... at the moment it is installed, but there is still no transmission of the replied TFTP packet from WAN to LAN.
Greetings
-
Is there anything in the logs about blocked packets? That would tell you if a rule somewhere is blocking the return. With proxies, packets can get rewritten (headers) and then reinjected into the stack, so another rule may be blocking them.
I'm assuming that the tftp proxy works the same way as the ftp proxy; for that all I needed to do was add a pass rule on the LAN side and make sure the ftp proxy service was started. I did not need any changes for NAT rules. I'm at the limit of what to suggest.
-
There is no service called "tftp-helper"… could this be the problem?
![Status_ Services.png](/public/imported_attachments/1/Status_ Services.png)
-
I'm not sure, the tftp daemon may be the name of the service. For FTP, you need to install the FTP proxy package (at least starting with 2.2.3 you need to). Is there a way to get a screenshot of the packages you have installed?
-
Sure…
I've only installed the TFTP package.
![System_Package Manager.png](/public/imported_attachments/1/System_Package Manager.png)
-
> I've only installed the TFTP package.
Why? This is handled by /usr/libexec/tftp-proxy run via inetd…
-
Thanks for that dok. I had no idea that existed (never had a need for it).
OP: that gives you something new to search on.
-
The relevant code is in /etc/inc/filter.inc – and really no installing of anything is needed.
https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/filter.inc#L1925
-
Okay… but how to debug?
The inetd is running:
```
# ps aux | grep inetd
root 58922 0.0 0.9 10284 2024 - Is 9:00PM 0:00.08 /usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf
```
And the config contains the right code:
```
# cat /var/etc/inetd.conf
tftp-proxy dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v
tftp dgram udp wait root /usr/libexec/tftpd tftpd /tftpboot
```
The tftp-proxy manpage says there should be something to activate the service:

In the NAT section:
```
nat on $ext_if from $int_if -> ($ext_if:0)
no nat on $ext_if to port tftp
rdr-anchor "tftp-proxy/*"
rdr on $int_if proto udp from $lan to any port tftp -> 127.0.0.1 port 6969
```
In the filter section, an anchor must be added to hold the pass rules:
```
anchor "tftp-proxy/*"
```
inetd(8) must be configured to spawn the proxy on the port that packets are being forwarded to by pf(4). An example inetd.conf(5) entry follows:
```
127.0.0.1:6969 dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy
```
And I found those rows in /tmp/rules.debug:
```
nat on $WAN from 127.0.0.0/8 to any port 500 -> 123.123.123.123/32 static-port
nat on $WAN from 127.0.0.0/8 to any -> 123.123.123.123/32 port 1024:65535
nat on $WAN from 192.168.0.0/24 to any port 500 -> 123.123.123.123/32 static-port
nat on $WAN from 192.168.0.0/24 to any -> 123.123.123.123/32 port 1024:65535
...
rdr-anchor "tftp-proxy/*"
...
rdr pass on vr1 proto udp from any to any port tftp -> 127.0.0.1 port 6969
rdr pass on vr0 proto udp from any to any port tftp -> 127.0.0.1 port 6969
...
anchor "tftp-proxy/*"
```
with public IP 123.123.123.123 (modified).
But there is no equivalent for "no nat on $ext_if to port tftp".
Is this the problem? But I think if the row is missing it must be a source code failure and should have been reported by now… or am I the only user of this module? :)
Edit:
And this is the output from the packet capture:
```
79 284.067405 123.123.123.123 1.1.1.1 TFTP 67 Read Request, File: ITLSEPC.blubb, Transfer type: netascii
80 284.112678 1.1.1.1 123.123.123.123 TFTP 61 Error Code, Code: File not found, Message: File not found
```
With 1.1.1.1 for VoIP Server and 123.123.123.123 for my Public IP
While this happens on my test client (a Debian PC with tftp client software):
```
root@vidar:~# tftp 1.1.1.1
tftp> get ITLSEPC.blubb
Transfer timed out.
```
So this means the leakage is on the reply from router to client… everything else works.
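Added example (editor's note, not from any poster in this thread): a small shell function that greps a saved pf rules dump for the four pieces the tftp-proxy(8) man page quoted above calls for, so the "no nat" gap noticed in this post can be checked mechanically. It assumes the dump was produced by `pfctl -sa` (or is /tmp/rules.debug) and that the proxy listens on 127.0.0.1:6969 as in this setup; the sample rules are constructed to resemble the excerpt above.

```shell
#!/bin/sh
# Added example (not from this thread): check a pf rules dump, e.g. `pfctl -sa`
# saved to a file or /tmp/rules.debug on pfSense, for the four pieces the
# tftp-proxy(8) man page asks for. Prints each missing piece; returns 0 only
# when all four are present.
check_tftp_proxy_rules() {
    rules="$1"
    missing=0
    # 1. nat exemption for traffic to the TFTP port (the proxy's outbound request must not be rewritten)
    if ! grep -Eq '^no nat .*port (tftp|69)( |$)' "$rules"; then
        echo "missing: no nat ... to port tftp"; missing=1
    fi
    # 2. rdr anchor the proxy fills with a per-transfer redirect for the reply
    if ! grep -Eq '^rdr-anchor "tftp-proxy/\*"' "$rules"; then
        echo "missing: rdr-anchor \"tftp-proxy/*\""; missing=1
    fi
    # 3. client requests on udp/69 redirected to the proxy listener (127.0.0.1:6969 assumed)
    if ! grep -Eq '^rdr .*proto udp .*port (= )?(tftp|69) -> 127\.0\.0\.1 port 6969' "$rules"; then
        echo "missing: rdr ... port tftp -> 127.0.0.1 port 6969"; missing=1
    fi
    # 4. filter anchor that will hold the proxy's pass rules
    if ! grep -Eq '^anchor "tftp-proxy/\*"' "$rules"; then
        echo "missing: anchor \"tftp-proxy/*\""; missing=1
    fi
    return $missing
}
# Constructed sample modelled on the rules.debug excerpt in the thread:
# rdr-anchor, rdr and anchor are present but the "no nat" exemption is not.
write_incomplete_sample() {
    cat > "$1" <<'EOF'
nat on $WAN from 192.168.0.0/24 to any -> 123.123.123.123/32 port 1024:65535
rdr-anchor "tftp-proxy/*"
rdr pass on vr2 inet proto udp from any to any port = tftp -> 127.0.0.1 port 6969
anchor "tftp-proxy/*"
EOF
}
# Same constructed sample plus the exemption written the way pfSense emits it.
write_complete_sample() {
    write_incomplete_sample "$1"
    echo 'no nat on $WAN from any to any port 69' >> "$1"
}
# Stand-alone demo on the constructed sample; on pfSense run
# `pfctl -sa > /tmp/pf.dump; check_tftp_proxy_rules /tmp/pf.dump` instead.
demo=$(mktemp)
write_incomplete_sample "$demo"
check_tftp_proxy_rules "$demo" || echo "sample is incomplete, as expected"
rm -f "$demo"
```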
-
You may need to go to the NAT page in the webGUI and see if you can put the equivalent no nat rule there. I'm guessing because I've not used this feature.
-
I've added something like this… but it's still not working.
```
# cat /tmp/rules.debug | grep "no nat"
no nat proto carp
no nat on $WAN from any to any port 69
```
![NAT_ Outbound.png](/public/imported_attachments/1/NAT_ Outbound.png)
-
Again. I'm just guessing because I haven't done the same thing, but look at your packet capture. The return packet is saying "…Error Code, Code: File not found, Message: File not found". That's a pretty clear indication that the file name you are requesting is wrong. Double check the file name. Any error in tftp is typically reported as "timeout" by clients.
Are you rebooting the pfSense box after you've made changes or clearing the states? Stateful firewalls sometimes need resetting/restarting after some rule changes.
After a reboot, before actually trying the tftp transfer, can you ssh to the pfSense box or from the console get the output of the following command (it dumps everything that pf knows about):
```
pfctl -sa
```
That will give all the loaded rules, any NAT or RDR rules, anchors, etc.
-
Is there a way to debug the actual routing? I mean to follow a packet.
I can see that there are some TFTP requests on the LAN side and that there are also some requests on the WAN side with a reply from the server incoming on the WAN side. But can I also see what happens with the reply? The router has to do something with it, and even if it's only thrown away - are there some logging options?
-
How does the packet get from WAN to LAN? You could make sure to enable logging on all rules associated with the tftp ports. I think the path should be:
request from phone on LAN goes in LAN port on pfSense, gets pushed to tftp-proxy on lo interface, tftp-proxy does some stuff and then pushes it out WAN.
reply comes in WAN, redirect to tftp-proxy, tftp-proxy does stuff, goes out LAN.
The "redirect to tftp-proxy/does stuff" may simply be look at packet header and add some rules.
You may be able to do packet capture on the lo interface to give you more data. Also do "man tftp-proxy" there may be options to increase logging level of the tftp-proxy.
-
So I try again… :D
This is the same problem and my goal to reach: http://taosecurity.blogspot.de/2009/07/freebsd-pf-and-tftp-proxy.html
First the current comparison:
my internal port: vr0
my external port: vr1
my DMZ (where the phone now is): vr2

@his: /etc/pf.conf
@my: pfctl -sa | grep nat

@his: `no nat on $ext_if to port tftp`
@my: –-

@his: `rdr-anchor "tftp-proxy/*"`
@my: `rdr-anchor "tftp-proxy/*" all`

@his: `rdr on $int_if proto udp from $local192 to port tftp -> $int_if port 6969`
@my: `rdr pass on vr2 inet proto udp from any to any port = tftp -> 127.0.0.1 port 6969`

@his: `anchor "tftp-proxy/*"`
@my: `anchor "tftp-proxy/*" all`

Next file:
@his: /etc/inetd.conf
@my: /var/etc/inetd.conf

@his: `acmsoda dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v`
@my: `tftp-proxy dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v`

Next file:
@his: /etc/rc.conf
@my: I don't know where to look :o

@his:
`inetd_enable="YES"`
`inetd_flags="-wW -C 60 -a 172.16.2.1"`
@my: –-
So this is my current state… I hope it's also transparent for everyone later searching for this problem :)
Now I try to search where my "real" difference is...
-
Now I have done some more tests:
```
/root: sockstat -4 | grep 6969
root inetd 18695 5 udp4 127.0.0.1:6969 *:*
```
So the inetd should receive something…
What about the differences above?
I think the row
```
no nat on $ext_if to port tftp
```
and this seem to be my problem:
```
rdr on $int_if proto udp from $local192 to port tftp -> $int_if port 6969
```
I also found the status page of pfSense... (so late… shame on me)
```
@2(0) rdr-anchor "tftp-proxy/*" all
[ Evaluations: 1311 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: pid 30569 State Creations: 3295707264]
@3(0) rdr pass on vr0 inet proto udp from any to any port = tftp -> 127.0.0.1 port 6969
[ Evaluations: 1278 Packets: 5 Bytes: 310 States: 0 ]
[ Inserted: pid 30569 State Creations: 3302985768]
@4(0) rdr pass on vr2 inet proto udp from any to any port = tftp -> 127.0.0.1 port 6969
[ Evaluations: 171 Packets: 36 Bytes: 2132 States: 3 ]
[ Inserted: pid 30569 State Creations: 3313479976]
@125(1444833473) pass in log quick on vr0 inet proto udp from 192.168.0.94 to any keep state label "USER_RULE: tftp test f. vida"
[ Evaluations: 112078 Packets: 233 Bytes: 22828 States: 0 ]
[ Inserted: pid 30569 State Creations: 3313640248]
@137(0) pass in quick on vr1 reply-to (vr1 some_IP_from_ISP) inet proto udp from any to 192.168.100.0 port >= 1024 keep state label "USER_RULE: NAT TFTP Test"
[ Evaluations: 36 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: pid 30569 State Creations: 3303019368]
@138(0) anchor "tftp-proxy/*" all
[ Evaluations: 1192 Packets: 41 Bytes: 2442 States: 17 ]
[ Inserted: pid 30569 State Creations: 3330904928]
```
```
udp I 192.168.100.10:51222 127.0.0.1:6969 0:1 132 30 4 236
udp O myPublicIP:50914 remoteserver:69 1:0 132 168 1 59
udp O myPublicIP:53395 remoteserver:69 1:0 128 172 1 59
```
Is the pftop chart a timeline?
```
udp Out myPublicIP:50914 remoteserver:69 SINGLE:NO_TRAFFIC 00:02:12 00:02:48 1 59 0 2
udp Out myPublicIP:53395 remoteserver:69 SINGLE:NO_TRAFFIC 00:02:08 00:02:52 1 59 0 2
udp In internal_phone_ip:52351 127.0.0.1:6969 remoteserver:69 NO_TRAFFIC:SINGLE 00:00:35 00:02:07 4 236 6 *
```