What IF's to enable TFTP Proxy on ?
-
I have a setup with 2 pfSense (latest vers) boxes connected via OpenVPN L2L (No NAT on L2L).
On the central site I have another provider-supplied OpenVPN GW, going to a remote phone PBX site, connected to a PF VLAN.
On the remote site I have a /28 LAN, where a few phones are connected. The phones need access to a TFTP server on the remote PBX site, in order to load some config files, before connecting to the PBX and joining.
Phones work fine right now, meaning TFTP works and so does routing.
But when I had enabled TFTP Proxy on all IFs except WAN on both boxes (desperate), it wouldn't work. And I saw those TFTP @ (proxy) log entries on many interfaces. Prob. too much proxying. I had to disable TFTP Proxy (well, I couldn't disable it fully, but put it on a sleeping IF), and then things started to work.
Right now I have permitted "any" from the remote PBX to the phone /28, and the same the other way.
If I were to narrow down the permissions and use TFTP Proxy,
where does one enable the proxying?
On the phone (TFTP initiator/ingress) IF?
On the final (pointing towards the TFTP server/egress) IF?
On all IFs where the traffic is passed (tried that w/o luck)?
Any help would be appreciated.
TIA
/Bingo
-
You select the interfaces you want the proxy to listen on. Redirect rules are added on those interfaces to catch the initial tftp requests.
See: https://www.freebsd.org/cgi/man.cgi?query=tftp-proxy
Steve
-
@stephenw10 said in What IF's to enable TFTP Proxy on ?:
You select the interfaces you want the proxy to listen on. Redirect rules are added on those interfaces to catch the initial tftp requests.
See: https://www.freebsd.org/cgi/man.cgi?query=tftp-proxy
Steve
But do I need to enable the proxy on every interface the TFTP packets are passing, or only on the
entry & exit interfaces? TIA
/Bingo
-
You need to enable it on the entry interface of every firewall the initial request passes through.
Steve
-
@stephenw10 said in What IF's to enable TFTP Proxy on ?:
You need to enable it on the entry interface of every firewall the initial request passes through.
Steve
Thank you Stephen
That clears it up :-)
/Bingo
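To make Steve's answer concrete, here is an added pf configuration example (not from this thread and not pfSense's own generated rules) showing what "enable it on the entry interface" amounts to on one firewall, using the rule shape documented in tftp-proxy(8). The interface name, the phone subnet, the PBX-site TFTP server address and the proxy port are assumed placeholder values; on pfSense the GUI writes equivalent rules for whichever interfaces you tick for the TFTP proxy, so this is only to show which interface the redirect belongs on and how narrow the pass rule can be.

```pf
# Added illustration, pf syntax as in tftp-proxy(8). All values below are assumptions.
int_if   = "vlan10"           # assumed: the interface the phones sit behind (entry side)
phones   = "192.0.2.0/28"     # assumed: the phone /28
tftp_srv = "198.51.100.10"    # assumed: TFTP server at the PBX site

# Anchors that tftp-proxy fills with per-transfer rules for the server's
# data port, which is why a static "any" pass rule is not needed.
nat-anchor "tftp-proxy/*"
rdr-anchor "tftp-proxy/*"
anchor     "tftp-proxy/*"

# Only the initial request (UDP/69) needs to be caught, and only on the
# interface where it first enters this firewall. Interfaces it merely
# transits (the VPN side, the PBX side) get no redirect rule.
rdr pass on $int_if proto udp from $phones to $tftp_srv port tftp -> 127.0.0.1 port 6969

# Corresponding inetd.conf line so the redirect has a listener (assumed port):
# 127.0.0.1:6969 dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy
```

The point the thread settles on is visible here: the redirect lives only on the entry interface of each firewall the first packet crosses, so with two pfSense boxes in the path the central box needs it on the VPN-facing interface where the phones' request arrives, not on every interface. Once the proxy sees the request it adds the return-path rules itself, which lets you drop the "any/any" rules between the PBX and the phone /28 in favour of UDP/69 from the phones to the server.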