TFTP & pfsense



  • I've searched the forums and on Google for a while.  Is it correct that my VoIP phones can't update through tftp when they are behind pfsense?  I can't get this working and it seems that it is a problem with no solution.  Anyone had luck with this?



  • This is a little frustrating.  I have tried everything and searched everywhere with no solution.  One individual suggests the below:

    nano /etc/rc.d/rc.network
    
    add these two lines:
    modprobe ip_conntrack_tftp
    modprobe ip_nat_tftp
    
    Save and exit.
    

    I have no way to test this right now.  Does anyone have some reference to how to fix this problem?  Thanks.



  • The suggestion they gave you seems to have been for a Linux setup :(  Do your phones connect to a tftp server visible to anyone on the internet?  If so, that is not very secure.



  • Do your phones connect to a tftp server visible to anyone on the internet?  If so, that is not very secure.

    We have taken proper measures to ensure security.  I do want to get TFTP working though.  Anyone with any thoughts?



  • Technically, to allow your IP phones to download from a public TFTP server it is enough to open UDP port 69. So if your phone settings allow you to specify the TFTP server IP you should be fine.
    But the typical scenario is that the IP phone gets the TFTP server address from the DHCP server. As far as I know, in 1.2.3 the DHCP server does not allow you to distribute a TFTP server IP address, so the solution would be to use a separate DHCP server for your phones.



  • True for 1.2.3 - however I found it a one-line patch to the services.inc file to allow me to set my tftp server address.  2.0 allows this the right way though.



  • Also, when you said it didn't work, that didn't really get too specific.  Do you have any kind of packet trace showing what is going on (if anything)?



  • @cjkeeme:

    . . . Is it correct that my VoIP phones can't update through tftp when they are behind pfsense?  I can't get this working and it seems that it is a problem with no solution.  Anyone had luck with this?

    The pfSense book says (p150) TFTP will not work through pfSense 1.2. pfSense 2.0 includes a TFTP proxy that eliminates this limitation.

    @Eugene:

    Technically to allow your IP phones to download from public TFTP server it is enough to open UDP port 69.

    The pfSense book says the TFTP server is supposed to reply from a pseudo random source port rather than port 69. Consequently the firewall code thinks a TFTP response is unsolicited (the pseudo random source port doesn't match the destination port of previously seen traffic from the LAN) and blocks it.



  • Good point, wallaby, I'd forgotten about that.  The protocol is that the first packet arrives on port 69, the first reply is sent from an ephemeral port, and the client's subsequent requests are sent to that port (I think it's done that way so it will work out of inetd).
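To make the port behaviour described in the two replies above concrete, here is an added toy model (not pfSense code, not from anyone in this thread) of a stateful UDP firewall with and without a TFTP helper. The addresses, the ephemeral port 41000 and the file name are constructed. It shows why the server's first DATA packet, sent from a port other than 69, fails the exact reverse-tuple lookup and is blocked unless something (the "TFTP proxy" the later replies mention) has recorded an expectation for it.

```python
"""
Toy model of a stateful UDP firewall handling a TFTP read (RFC 1350).
Constructed for illustration; it does not implement pf's real state table.
"""
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK = 1, 2, 3, 4
TFTP_PORT = 69


def parse_tftp_opcode(payload: bytes) -> int:
    """Return the 2-byte big-endian opcode at the start of a TFTP packet."""
    if len(payload) < 2:
        raise ValueError("truncated TFTP packet")
    return struct.unpack("!H", payload[:2])[0]


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request: opcode 1, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


class UdpStatefulFirewall:
    """Allows inbound UDP only if it matches the exact reverse of an outbound flow,
    or (with the helper enabled) an expectation created by a seen RRQ/WRQ."""

    def __init__(self, tftp_helper: bool = False):
        self.tftp_helper = tftp_helper
        self.states = set()        # (src, dst) 4-tuples, both directions
        self.expectations = set()  # (server_ip, client_ip, client_port); server port is a wildcard

    def outbound(self, src, dst, payload: bytes) -> str:
        # src/dst are (ip, port) pairs; outbound traffic always creates state
        self.states.add((src, dst))
        self.states.add((dst, src))  # exact reverse tuple is allowed back in
        if (self.tftp_helper and dst[1] == TFTP_PORT
                and parse_tftp_opcode(payload) in (OP_RRQ, OP_WRQ)):
            # Helper: the server will answer from a port we cannot know yet
            self.expectations.add((dst[0], src[0], src[1]))
        return "pass"

    def inbound(self, src, dst, payload: bytes) -> str:
        if (src, dst) in self.states:
            return "pass"
        key = (src[0], dst[0], dst[1])
        if key in self.expectations:
            # Promote the data channel to a normal state for the rest of the transfer
            self.states.add((src, dst))
            self.states.add((dst, src))
            self.expectations.discard(key)
            return "pass"
        return "block"  # unsolicited as far as a plain state table can tell


def simulate(tftp_helper: bool) -> list:
    """Replay one TFTP read through the toy firewall and return the verdicts."""
    client = ("192.168.1.10", 50001)       # phone on the LAN (constructed)
    server_ctl = ("203.0.113.5", TFTP_PORT)
    server_data = ("203.0.113.5", 41000)   # ephemeral port the server replies from
    fw = UdpStatefulFirewall(tftp_helper)
    verdicts = [fw.outbound(client, server_ctl, build_rrq("phone-config.cfg"))]
    data1 = struct.pack("!HH", OP_DATA, 1) + b"<config/>"
    verdict = fw.inbound(server_data, client, data1)
    verdicts.append(verdict)
    if verdict == "pass":
        # Client acknowledges block 1 to the server's ephemeral port
        verdicts.append(fw.outbound(client, server_data, struct.pack("!HH", OP_ACK, 1)))
    return verdicts


if __name__ == "__main__":
    print("plain state table:", simulate(tftp_helper=False))
    print("with TFTP helper: ", simulate(tftp_helper=True))
```

Without the helper the RRQ leaves fine but the first DATA packet is blocked, which is exactly the symptom of a phone that never finishes provisioning through the firewall; with the helper the data channel is learned from the request and the transfer proceeds.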



  • @wallabybob:

    The pfSense book says (p150) TFTP will not work through pfSense 1.2. pfSense 2.0 includes a TFTP proxy that eliminates this limitation.

    I am sorry, I was wrong. I forgot these specifics.



  • TFTP proxy is the only way.



  • Just to elaborate on the previous reply because the question didn't make the context plain. TFTP on "local" subnets (routing between source and destination but not NAT) shouldn't be any problem. TFTP through NAT (e.g. to Internet) requires a TFTP proxy as discussed earlier in this topic.

