What IF's to enable TFTP Proxy on ?



  • I have a setup with 2 pfSense (latest vers) boxes connected via OpenVPN L2L (No NAT on L2L).

    On the central site I have another provider-supplied OpenVPN GW, going to a remote Phone PBX site, connected to a PF VLAN.
    On the remote site I have a /28 LAN, where a few phones are connected.

    The phones need access to a TFTP server on the remote PBX site, in order to load some config files, before connecting to the PBX and joining.

    Phones work fine right now, meaning TFTP works and so does routing.
    But when I had enabled TFTP Proxy on all IF's except WAN on both boxes (desperate), it wouldn't work. And I saw those TFTP @ (proxy) log entries on many interfaces. Prob. too much proxying.

    I had to disable TFTP Proxy (well, I couldn't disable it fully, but put it on a sleeping IF), and then things started to work.

    Right now I have permitted "any" from the remote PBX to the phone /28, and the same the other way.

    If I were to narrow down the permissions and use TFTP Proxy:

    Where does one enable the proxying ??

    On the Phone (tftp initiator/ingress) IF ?
    On the Final (pointing towards the TFTP server/egress) IF ?
    On all IF's where the traffic is passed (tried that wo luck) ?

    Any help would be appreciated.

    TIA

    /Bingo


  • Netgate Administrator

    You select the interfaces you want the proxy to listen on. Redirect rules are added on those interfaces to catch the initial tftp requests.
    See: https://www.freebsd.org/cgi/man.cgi?query=tftp-proxy

    Steve
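As an added illustration (not from the thread or from pfSense's own generated ruleset), this is what the proxy setup looks like when written by hand in pf.conf, following the tftp-proxy(8) man page linked above; the interface name and addresses are placeholders. The same redirect goes on the entry interface of each firewall the initial request enters, as Steve describes.

```pf
# Added example: hand-written pf rules in the style of tftp-proxy(8).
# Placeholders, not values from the thread:
int_if   = "vlan10"           # interface the phones sit on (entry side)
phones   = "192.0.2.0/28"     # phone LAN (/28) on the remote site
tftp_srv = "198.51.100.10"    # TFTP server at the PBX site

# inetd.conf runs the proxy on the loopback (from the man page):
#   127.0.0.1:6969 dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy

# Redirect ONLY the initial request (udp/69) arriving on the ENTRY
# interface to the proxy. Limiting the source/destination here is what
# lets the broad "any" rules in both directions be retired.
rdr pass on $int_if proto udp from $phones to $tftp_srv port tftp \
    -> 127.0.0.1 port 6969

# The proxy inserts a per-transfer pass rule for the server's reply into
# this anchor and removes it when the transfer ends, so no standing rule
# for the high data port is needed in either direction.
anchor "tftp-proxy/*"

# Everything else between the two networks stays closed unless a
# specific service is added; reply traffic for proxied transfers is
# covered by the anchor, not by a blanket pass.
block in on $int_if from $phones to $tftp_srv
```

Enabling the redirect on transit interfaces that only forward the already-proxied packets, as in the "all IF's" attempt above, sends the request through a second proxy and is what the repeated TFTP @ (proxy) log entries on many interfaces indicate.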



  • @stephenw10 said in What IF's to enable TFTP Proxy on ?:

    You select the interfaces you want the proxy to listen on. Redirect rules are added on those interfaces to catch the initial tftp requests.
    See: https://www.freebsd.org/cgi/man.cgi?query=tftp-proxy

    Steve

    But do I need to enable the proxy on every interface the TFTP packets are passing, or only on the
    entry and exit interfaces??

    TIA
    /Bingo


  • Netgate Administrator

    You need to enable it on the entry interface of every firewall the initial request passes through.

    Steve



  • @stephenw10 said in What IF's to enable TFTP Proxy on ?:

    You need to enable it on the entry interface of every firewall the initial request passes through.

    Steve

    Thank you Stephen
    That clears it up :-)

    /Bingo

