Netgate Discussion Forum

TFTP over two subnets

Routing and Multi WAN
7 Posts 2 Posters 3.0k Views
    rkreienbuehl
    last edited by May 30, 2018, 8:17 AM

    Hi
    I'm very new to pfSense. At our company we use pfSense. I'm responsible for our phone system, therefore I need to use TFTP over two subnets. I read many posts on the forum about nearly the same problems, but found no solution to fix this.

    I allowed port 69 from the subnet with the client to the subnet with the server. From the subnet with the server, all traffic to the other subnet is allowed.
    The problem here is (and I don't understand why) that the TFTP traffic does not get through the pfSense. There is no log entry that the traffic is blocked by the firewall. At this point the TFTP proxy is disabled on these interfaces.

    When I activate the TFTP proxy on these interfaces, the traffic gets from the client via the proxy to the server. In a trace I also see that the source address is changed to the address of the pfSense. The server then responds to the request and sends the file to the pfSense, which is what should happen.
    The problem then is that the response is never forwarded to the client.

    How can I fix this issue? Why is the response to the proxy not forwarded?
    Or better, how is it possible to let TFTP traffic pass the pfSense without using the proxy? With my knowledge of network routing I don't think the proxy is really needed for two internal subnets.

    Kind regards
    Roger

      Derelict LAYER 8 Netgate
      last edited by May 30, 2018, 8:38 AM

      I tftp across subnets all the time. You must have something in place that is blocking it if it is not working.

      It requires the ability for the server to connect back to the requesting client from an ephemeral UDP port.

      So the rules must pass for the client to destination server:69 (udp). The rules from the other side must pass server:ephemeral to client:ephemeral.

      At least that's my initial reading. I have never had to debug a tftp issue.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

        rkreienbuehl
        last edited by May 30, 2018, 8:51 AM

        Thanks for the fast response.
        What you describe is what I would expect from each firewall.
        As I wrote, port 69 (UDP) from client to server is allowed. From server to client all UDP traffic is allowed. I also don't have any entries in the log that the traffic is blocked, but the traffic never gets to the server.
        What could possibly block this traffic on pfSense?

          Derelict LAYER 8 Netgate
          last edited by May 30, 2018, 8:58 AM

          If you are passing it, nothing. Packet capture, pull it into wireshark, and see what's happening. Check the firewall logs.

          Like I said, I TFTP across subnets all the time. Firmware on FreeNAS from all over the place.

            rkreienbuehl
            last edited by May 30, 2018, 9:08 AM

            Something is really strange. I specifically set the rule for passing port 69 to be logged. In the firewall log there is no entry that anything is passed by this rule. Also there is no entry that this traffic is blocked by another rule.
            A trace on the pfsense tells me that the tftp request comes in, but never gets out on the second interface.

              Derelict LAYER 8 Netgate
              last edited by May 30, 2018, 9:22 AM

              Not pfSense. Not sure what you have done there. You probably need to post said rules and packet captures because if it was how you say it is it would be working.

                rkreienbuehl
                last edited by May 30, 2018, 11:10 AM

                After a long time of searching I figured out that one of the upper rules (which was for outgoing traffic) was responsible for the problem. After I moved it to the bottom, everything worked fine.

                Thanks for your fast response

                Kind regards
                Roger

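The two points the thread turns on, Derelict's note that a TFTP reply comes back from a new server port and so needs its own pass rule, and Roger's finding that an earlier rule shadowed the port 69 rule, can be checked with a small first-match evaluator. This is an added example, not pfSense code or anything posted in the thread; the addresses, interface names ("phones", "servers") and the rule set are constructed, and the blocking action of the stand-in upper rule is an assumption, since the thread only says it sat above the TFTP rule.

```python
"""First-match rule evaluation for the TFTP exchange in this thread (added
example, not pfSense code). UDP only; rules apply on the interface where the
packet enters the firewall and the first matching rule wins, as in pfSense."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "iface src sport dst dport")
Rule = namedtuple("Rule", "name action iface src_net dst_net dport")  # dport None = any


def matches(rule, pkt):
    return (rule.iface == pkt.iface
            and ip_address(pkt.src) in ip_network(rule.src_net)
            and ip_address(pkt.dst) in ip_network(rule.dst_net)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt):
    """Return (action, rule name) from the first match; unmatched traffic is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "block", "default deny"


def tftp_read_allowed(rules, client, server, client_port=49152, server_port=50123):
    """A TFTP read needs two passes: the request to server:69 on the client's
    interface, and the reply from a NEW server port to the client's port on the
    server's interface (a separate flow, so the request's state does not cover it)."""
    rrq = Packet("phones", client, client_port, server, 69)
    data = Packet("servers", server, server_port, client, client_port)
    return evaluate(rules, rrq)[0] == "pass" and evaluate(rules, data)[0] == "pass"


# Constructed addresses: phones on 10.10.20.0/24 (interface "phones"),
# TFTP server 10.10.30.5 on 10.10.30.0/24 (interface "servers").
PHONE, SERVER = "10.10.20.51", "10.10.30.5"
ALLOW_TFTP = Rule("allow-tftp", "pass", "phones", "10.10.20.0/24", "10.10.30.5/32", 69)
SERVER_TO_PHONES = Rule("servers-to-phones", "pass", "servers", "10.10.30.0/24", "10.10.20.0/24", None)
# Stand-in for the broad earlier rule the thread found; that it blocks is an
# assumption, the thread only says it sat above the TFTP rule and matched first.
BROAD_UPPER = Rule("upper-outbound-rule", "block", "phones", "10.10.20.0/24", "0.0.0.0/0", None)

BROKEN_ORDER = [BROAD_UPPER, ALLOW_TFTP, SERVER_TO_PHONES]  # allow-tftp never gets evaluated
FIXED_ORDER = [ALLOW_TFTP, SERVER_TO_PHONES, BROAD_UPPER]   # broad rule moved to the bottom

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(label, evaluate(rules, Packet("phones", PHONE, 49152, SERVER, 69)),
              tftp_read_allowed(rules, PHONE, SERVER))
```

Running it prints the rule that actually handled the port 69 request in each order, which is what a logged pass rule that never logs anything points to: something above it matched first.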