Netgate Discussion Forum

TFTP server behind pfsense can't talk to clients over OpenVPN

Category: NAT
6 Posts, 2 Posters, 2.7k Views
    bodagetta
    last edited by Oct 11, 2014, 1:33 PM

    I have the following set up

    FreePBX (asterisk) server (site A)  –  pfSense -- OpenVPN Site To Site Shared Key -- ddwrt router -- site B

    The FreePBX server is running a tftp server for phone provisioning.

    Phones that are on the same side of pfSense as the FreePBX server provision fine; everything works perfectly.

    Phones that are at site B can connect to the tftp server but downloads are VERY slow, like 300 bps dialup slow and eventually time out.

    I have the TFTP proxy turned on in my advanced settings for both WAN and LAN but this doesn't seem to help.

    I've spent a lot of time on Google and these forums and can't quite figure it out. I'm thinking it might be NAT?

    Any advice would be greatly appreciated.

      cmb
      last edited by Oct 11, 2014, 6:49 PM

      Turn off the TFTP proxy, you don't want or need it in that circumstance.

        bodagetta
        last edited by Oct 12, 2014, 3:13 PM

        Thanks for the response cmb. I turned off the TFTP proxy.

        I'm able to use the linux tftp client on a machine at site B to download a file. I'm getting around 16,380 bytes per second download speed and everything looks OK.

        However, when my phones try to download their provisioning files, I see

        ```
        tftp: read(ack): Connection refused
        ```

        in my /var/log/messages

        and the phones never provision.

        The full section from the /var/log/messages is

        ```
        Oct 12 09:57:01 localhost xinetd[28219]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
        Oct 12 09:57:01 localhost xinetd[28219]: Started working: 1 available service
        Oct 12 09:57:29 localhost xinetd[28219]: START: tftp pid=28246 from=192.168.2.145
        Oct 12 09:57:29 localhost in.tftpd[28247]: RRQ from 192.168.2.145 filename 0004f2a8e449.cfg
        Oct 12 09:57:29 localhost in.tftpd[28248]: RRQ from 192.168.2.145 filename polycom/1/2345-12365-001.sip.ld
        Oct 12 09:57:46 localhost in.tftpd[28249]: RRQ from 192.168.2.145 filename 0004f2a8e449-features.cfg
        Oct 12 09:57:59 localhost in.tftpd[28248]: tftpd: read(ack): Connection refused
        Oct 12 09:58:22 localhost in.tftpd[28274]: RRQ from 192.168.2.145 filename 129.cfg
        Oct 12 09:58:53 localhost in.tftpd[28275]: RRQ from 192.168.2.145 filename 0004f2a8e449-sip-interop.cfg
        Oct 12 09:58:54 localhost in.tftpd[28276]: RRQ from 192.168.2.145 filename 0004f2a8e449-phone.cfg
        Oct 12 09:58:54 localhost in.tftpd[28277]: RRQ from 192.168.2.145 filename 0004f2a8e449-web.cfg
        Oct 12 09:58:54 localhost in.tftpd[28278]: RRQ from 192.168.2.145 filename 000000000000-license.cfg
        Oct 12 09:58:54 localhost in.tftpd[28279]: RRQ from 192.168.2.145 filename 0004f2a8e449-license.cfg
        Oct 12 09:59:32 localhost in.tftpd[28304]: RRQ from 192.168.2.145 filename 0004f2a8e449.cfg
        Oct 12 09:59:33 localhost in.tftpd[28305]: RRQ from 192.168.2.145 filename polycom/1/2345-12365-001.sip.ld
        ```

        This is an out of the box FreePBX distro with TFTP already configured.

        I'm attaching screen shots of my firewall rules.

        I greatly appreciate help on this, I've been banging my head against the wall for days.

        ![Screen Shot 2014-10-12 at 10.11.41 AM.png](/public/imported_attachments/1/Screen Shot 2014-10-12 at 10.11.41 AM.png)
        ![Screen Shot 2014-10-12 at 10.11.50 AM.png](/public/imported_attachments/1/Screen Shot 2014-10-12 at 10.11.50 AM.png)
        ![Screen Shot 2014-10-12 at 10.11.57 AM.png](/public/imported_attachments/1/Screen Shot 2014-10-12 at 10.11.57 AM.png)
        ![Screen Shot 2014-10-12 at 10.12.04 AM.png](/public/imported_attachments/1/Screen Shot 2014-10-12 at 10.12.04 AM.png)

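One thing the log above does tell you, once you tie each line back to the tftpd child that wrote it: in.tftpd forks a process per request, so the PID in the `read(ack): Connection refused` line identifies which transfer failed (here pid 28248, the large Polycom firmware image, 30 seconds after its RRQ). The script below is an added example and not part of the post or of FreePBX; it runs that correlation over a constructed sample made from the quoted lines, and the regexes assume the stock syslog prefix and in.tftpd message wording shown in the post.

```python
import re
from datetime import datetime

# Constructed sample: the in.tftpd lines quoted in the post above, trimmed to
# the request/error lines needed for the correlation (same PIDs, times, names).
SAMPLE_LOG = """\
Oct 12 09:57:01 localhost xinetd[28219]: Started working: 1 available service
Oct 12 09:57:29 localhost in.tftpd[28247]: RRQ from 192.168.2.145 filename 0004f2a8e449.cfg
Oct 12 09:57:29 localhost in.tftpd[28248]: RRQ from 192.168.2.145 filename polycom/1/2345-12365-001.sip.ld
Oct 12 09:57:46 localhost in.tftpd[28249]: RRQ from 192.168.2.145 filename 0004f2a8e449-features.cfg
Oct 12 09:57:59 localhost in.tftpd[28248]: tftpd: read(ack): Connection refused
Oct 12 09:58:22 localhost in.tftpd[28274]: RRQ from 192.168.2.145 filename 129.cfg
"""

# syslog prefix, then "in.tftpd[PID]: message" (assumed format, matches the post)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ in\.tftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
RRQ_RE = re.compile(r"^RRQ from (?P<src>[0-9.]+) filename (?P<file>\S+)$")


def _parse_ts(ts):
    # syslog timestamps carry no year; only differences within a day are needed
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def correlate_tftp_errors(log_text):
    """Pair every in.tftpd error line with the RRQ served by the same PID.

    Returns a list of dicts with pid, client, file, the error text and the
    number of seconds between the RRQ and the error."""
    requests = {}   # pid -> (timestamp, client address, requested file)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # xinetd and other daemons: skip
        pid, msg = m["pid"], m["msg"]
        rrq = RRQ_RE.match(msg)
        if rrq:
            requests[pid] = (_parse_ts(m["ts"]), rrq["src"], rrq["file"])
        elif pid in requests:
            t0, client, fname = requests[pid]
            delta = (_parse_ts(m["ts"]) - t0).total_seconds()
            findings.append({"pid": pid, "client": client, "file": fname,
                             "error": msg, "seconds": delta})
    return findings


if __name__ == "__main__":
    for f in correlate_tftp_errors(SAMPLE_LOG):
        print(f"pid {f['pid']}: {f['client']} requested {f['file']}, "
              f"failed after {f['seconds']:.0f}s: {f['error']}")
```

Small .cfg files (a few blocks each) finish before anything times out; the multi-megabyte `.sip.ld` image is the transfer that runs long enough to hit whatever is breaking the return path, which is consistent with the 300-second transfer time reported later in the thread.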
          bodagetta
          last edited by Oct 12, 2014, 10:42 PM

          Another piece of information that I'm not quite able to figure out how to use to solve the puzzle.

          When downloading a 4MB file from a linux tftp client on the site A subnet (192.168.1.x) it takes about 4 seconds.

          When I try to download this same file from a tftp client on the site B subnet (192.168.2.x) it takes over 300 seconds.

          My internet connection is about 20MB/s down and 10MB/s up on both sides. I would expect it to be slower than 4 seconds, but not as slow as 300. I think my phones on the site B subnet are timing out on the download, which is causing the entire issue.

          Anyone else run into really slow TFTP transfers?

            cmb
            last edited by Oct 13, 2014, 4:32 AM

            TFTP is odd in that it doesn't reply back flipping the source and destination ports, it's effectively a one-way UDP stream in one direction, and a different one-way UDP stream in the other direction. For this reason it needs helpers or "fixups" to get through NAT, which could be interfering on the remote devices. Would have to packet capture to see what's going on in detail. Turning off all TFTP proxies everywhere would be best assuming the only TFTP goes over the VPN. Using HTTP or FTP instead of TFTP might be an easier option to resolve. It sounds likely the DDWRT at site B is responsible.

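The port behaviour cmb describes is the whole story, so here it is as a runnable exchange. This is an added example, not code from the thread, from pfSense or from any tftpd: a minimal RFC 1350 server and client on loopback. The client sends its RRQ to the listening socket, but the server answers with DATA from a freshly bound socket (a new source port, the server's transfer identifier), and every ACK must go to that new port. A random loopback port stands in for UDP/69 so it runs unprivileged, the file name is the phone config from the log above, and the `strict_5tuple` flag is a constructed model of a stateful NAT or firewall in front of the client that only passes replies from the address:port the request was sent to.

```python
import socket
import struct
import threading

BLOCK = 512                                   # RFC 1350 data block size
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
LOOPBACK = "127.0.0.1"

# Constructed file table; 1200 bytes -> 3 DATA blocks, last one short.
FILES = {"0004f2a8e449.cfg": b"<cfg/>" * 200}


def build_rrq(filename, mode="octet"):
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block_no, payload):
    return struct.pack("!HH", OP_DATA, block_no) + payload


def build_ack(block_no):
    return struct.pack("!HH", OP_ACK, block_no)


def parse(pkt):
    """(op, filename, mode) for an RRQ, (op, block, rest) for everything else."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op == OP_RRQ:
        fname, mode, _ = pkt[2:].split(b"\0", 2)
        return op, fname.decode(), mode.decode()
    (blk,) = struct.unpack("!H", pkt[2:4])
    return op, blk, pkt[4:]


def serve_one(listen_sock, files, timeout=1.0):
    """Answer one RRQ the way tftpd does: DATA leaves from a NEW socket, i.e. a
    new source port, not the port that received the request. Returns the number
    of blocks the client acknowledged."""
    pkt, client = listen_sock.recvfrom(1024)
    op, fname, _mode = parse(pkt)
    if op != OP_RRQ or fname not in files:
        listen_sock.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", client)
        return 0
    data = files[fname]
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    xfer.bind((LOOPBACK, 0))                  # ephemeral port: the server TID
    xfer.settimeout(timeout)
    block = 1
    try:
        while True:
            chunk = data[(block - 1) * BLOCK: block * BLOCK]
            xfer.sendto(build_data(block, chunk), client)
            try:
                ack, _ = xfer.recvfrom(1024)
            except socket.timeout:
                return block - 1              # ACK never reached the transfer port
            op, blk, _ = parse(ack)
            if op != OP_ACK or blk != block:
                return block - 1
            if len(chunk) < BLOCK:            # short block ends the transfer
                return block
            block += 1
    finally:
        xfer.close()


def fetch(server_addr, fname, strict_5tuple=False, timeout=1.0):
    """TFTP client. strict_5tuple=True drops any packet whose source is not the
    address:port the RRQ went to, modelling a middlebox that has state only
    for the request flow. Returns the file bytes, or None if the transfer stalled."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_rrq(fname), server_addr)
    received, expected = b"", 1
    try:
        while True:
            try:
                pkt, src = sock.recvfrom(4 + BLOCK)
            except socket.timeout:
                return None
            if strict_5tuple and src != server_addr:
                continue                      # no state for this new flow: dropped
            op, blk, payload = parse(pkt)
            if op != OP_DATA or blk != expected:
                return None
            received += payload
            sock.sendto(build_ack(blk), src)  # ACK goes to the transfer port
            if len(payload) < BLOCK:
                return received
            expected += 1
    finally:
        sock.close()


def run_transfer(strict_5tuple=False):
    """Server thread plus client on loopback; returns (client_bytes, blocks_acked)."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind((LOOPBACK, 0))               # stands in for UDP/69 (needs root)
    listen.settimeout(5.0)
    outcome = {}
    srv = threading.Thread(target=lambda: outcome.update(blocks=serve_one(listen, FILES)))
    srv.start()
    got = fetch(listen.getsockname(), "0004f2a8e449.cfg", strict_5tuple)
    srv.join()
    listen.close()
    return got, outcome.get("blocks", 0)


if __name__ == "__main__":
    data, n = run_transfer(strict_5tuple=False)
    print(f"permissive: client got {len(data or b'')} bytes, server acked {n} blocks")
    data, n = run_transfer(strict_5tuple=True)
    print(f"strict:     client got {len(data or b'')} bytes, server acked {n} blocks")
```

In the permissive run the client receives all three blocks and the server sees three ACKs; in the strict run the client never accepts a single DATA packet, the server's transfer socket times out waiting for ACK 1, and nothing is provisioned. A TFTP "helper" exists only to add that second flow to the state table, which is why one helper too many (on pfSense and on the ddwrt box) can be as harmful as none. The `read(ack): Connection refused` in the log is the same socket as `xfer` here: on Linux a UDP recv returns ECONNREFUSED after an ICMP port-unreachable has come back for an earlier send, so the server's DATA was being answered by something that had no listener on that port.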
              bodagetta
              last edited by Oct 13, 2014, 4:52 AM

              I gave up on TFTP and switched to HTTP for provisioning and everything seems happy now.

              I'm fairly green to networking and always looking to learn more. Can you recommend some resources? During this entire process I felt like I was missing the knowledge on how to debug the problem.

              What's the best way to do packet capture on linux?

              Thank you for your help.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.