Netgate Discussion Forum

    Tftp-proxy between two subnets - reply blocked

    General pfSense Questions | tag: tftp | 5 Posts, 3 Posters
    opoplawski

      I seem to be experiencing essentially the same thing as this post (https://forum.netgate.com/topic/44445/tftp-proxy-between-two-subnets-reply-blocked), but in my case I don't have an explicit block/log rule.

      It is my expectation that tftp-proxy will add the needed rules to allow the responses from the tftp server on the second internal network - otherwise what is the point of the proxy? But instead there are ICMP denials sent back. How would I see those rules? I'm not finding them myself in the pfctl -s all output.

    johnpoz (LAYER 8 Global Moderator) @opoplawski

        @opoplawski why would you think you need a tftp proxy between your own networks? This is for when you're wanting to talk to some tftp server outside pfsense, ie out on the wan.

        https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#tftp-proxy

        SG-4860 26.03 | Lab VMs 2.8.1, 26.03

    stephenw10 (Netgate Administrator)

          The rules created by the tftp proxy are dynamic and can be very hard to catch!

          You can see them using pfanchordrill if you run it at the right time. For example see: https://redmine.pfsense.org/issues/16485

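    Because the proxy's rules only exist for the few milliseconds a transfer is in flight, a single pfanchordrill run usually misses them. The script below is an added example (not from the thread, and not pfSense's or tftp-proxy's own code) that polls the anchor in a tight loop while a transfer is started from the client, then prints every distinct rule it saw. It assumes the proxy loads its per-transfer rules into the "tftp-proxy" anchor or a sub-anchor of it (pfctl's "tftp-proxy/*" selects both), and it lets PFCTL be pointed at a stub command so the polling logic can be exercised off the firewall; the rule text in the stub is constructed for illustration, modelled on the addresses in the proxy log line, not real pfctl output.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/tftp-proxy.
# Poll the tftp-proxy anchor at a high rate while a transfer is running so
# that the short-lived rules the proxy installs can be captured.
#
# Assumptions: the proxy's per-transfer rules live under the "tftp-proxy"
# anchor or a sub-anchor of it ("tftp-proxy/*" selects both); PFCTL may be
# overridden with a stub command for off-box testing.

PFCTL="${PFCTL:-pfctl}"
ANCHOR="${ANCHOR:-tftp-proxy/*}"

# Dump the rules currently loaded under ANCHOR, sub-anchors included.
dump_anchor() {
    "$PFCTL" -a "$ANCHOR" -s rules 2>/dev/null
}

# Poll dump_anchor $1 times, sleeping $2 seconds between polls.  Prints the
# distinct rules seen (one per line).  Returns 0 if at least one rule was
# captured during the window, 1 if the anchor stayed empty throughout.
watch_anchor() {
    tries="${1:-200}"
    interval="${2:-0.05}"
    seen=""
    i=0
    while [ "$i" -lt "$tries" ]; do
        out="$(dump_anchor)"
        [ -n "$out" ] && seen="$seen
$out"
        i=$((i + 1))
        sleep "$interval"
    done
    printf '%s\n' "$seen" | sed '/^$/d' | sort -u
    [ -n "$seen" ]
}

# Count the captured rules that are UDP pass rules, i.e. the kind that would
# admit the server's reply from its ephemeral source port.  Reads rules on
# stdin, prints a single integer.
count_udp_pass() {
    awk '/^pass .*proto udp/ { n++ } END { print n + 0 }'
}

# Usage on the firewall (as root), started just before the client's RRQ:
#   sh watch-tftp-anchor.sh
# Then inspect the printed rules and compare their source/destination with
# the ICMP unreachables seen on the client.
if [ "${WATCH_TFTP_MAIN:-0}" = "1" ]; then
    rules="$(watch_anchor 200 0.05)" || echo "no rules seen in tftp-proxy anchor" >&2
    printf '%s\n' "$rules"
    printf 'udp pass rules captured: %s\n' "$(printf '%s\n' "$rules" | count_udp_pass)"
fi
```

    Run it with WATCH_TFTP_MAIN=1 on the pfSense box while starting the transfer from the client; a 0.05 s interval needs a sleep(1) that accepts fractional seconds, which FreeBSD's does. If the anchor still stays empty for the whole window, the proxy is not installing rules for that transfer at all, which is a different problem from the rules being too short-lived to catch.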
    opoplawski @stephenw10

            @stephenw10 Thanks for that. I ran it multiple times while trying a transfer but did not see any entries at all:

            $ sudo pfSsh.php playback pfanchordrill
            
            ipsec rules/nat contents:
            
            natearly rules/nat contents:
            
            natrules rules/nat contents:
            
            openvpn rules/nat contents:
            
            tftp-proxy rules/nat contents:
            
            userrules rules/nat contents:
            

            I do see messages from tftp-proxy:

            tftp-proxy[52265]: 10.10.20.9:41107 -> 127.0.0.1:6969/10.11.9.3:58834 -> 10.11.9.6:69 "RRQ grub/grub.cfg"
            

            @johnpoz I still think it would be useful to avoid blanket allow rules for all high port UDP ranges from the TFTP server back out.

    opoplawski @opoplawski

              Looks like I need to test this out with an updated system. I'm still running 25.07.1.

              Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.