TFTP client behind pfSense: Does not work



  • Hi,

    I have a problem with a TFTP client. This is an IPTV appliance trying to get system updates from a server in the internet on startup. Client's IP-address is 172.27.2.54, server has IP-address 217.6.167.184.

    I have TFTP proxy enabled on my LAN interface. I get entries in the system log like this:

    Feb 18 17:16:42	tftp-proxy[10100]: 172.27.2.54:1027 -> 127.0.0.1:6969/91.21.141.189:63065 -> 217.6.167.184:69 "RRQ sync"
    Feb 18 17:16:51	tftp-proxy[20341]: 172.27.2.54:1027 -> 127.0.0.1:6969/91.21.141.189:52242 -> 217.6.167.184:69 "RRQ sync"
    Feb 18 17:17:00	tftp-proxy[31289]: 172.27.2.54:1027 -> 127.0.0.1:6969/91.21.141.189:56774 -> 217.6.167.184:69 "RRQ sync"
    Feb 18 17:17:09	tftp-proxy[33989]: 172.27.2.54:1027 -> 127.0.0.1:6969/91.21.141.189:53677 -> 217.6.167.184:69 "RRQ sync"
    Feb 18 17:17:18	tftp-proxy[36770]: not a valid tftp request
    Feb 18 17:17:18	inetd[20111]: /usr/libexec/tftp-proxy[36770]: exited, status 1

    In the states I can see this:

    LAN	udp	127.0.0.1:6969 (217.6.167.184:69) <- 172.27.2.54:1027	NO_TRAFFIC:SINGLE

    The client is not restricted in any way on the firewall.

    The client is not configured to use any TFTP proxy. Therefore I would not expect the proxy to intercept the requests made by the client. Apparently this is what happens however. Is this correct? How does this happen?

    The connection is not successful, the client aborts after a while and several retries.

    After seeing the message "not a valid tftp request" I checked this with Wireshark (LAN interface). The request from the client appears as a valid tftp read request, on the LAN side there are no answer packets. On the WAN interface I can also see the packets with read requests with my public IP address as source address (rewritten) and the server's IP address as target address and target port 69. I can also see answers from the server, these are option acknowledgment packets. These answer packets are sent from the server's IP address and source port 69, target IP is my public IP, target port is the source port of the original request. (Although this seems not to be required in tftp the answer is sent from the source port 69 which should allow pfsense to direct the answer packets to the client even without the tftp proxy.)

    This looks all fine to me.

    Why is there an error message by tftp proxy? Why are the answer packets not forwarded to the client into the LAN?

    How can I get this working?

    Thank you!

    -flo-
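    What the proxy log and the Wireshark capture are looking at, as an added example (not code from this thread or from pfSense's tftp-proxy): a small decoder for the two TFTP datagram types the post describes, the client's read request (RRQ) and the server's option acknowledgment (OACK), using constructed sample packets. The filename "sync" comes from the log; the transfer mode and option values are assumed.

```python
import struct
# TFTP opcodes (RFC 1350; OACK from RFC 2347): 1 is the read request the log
# shows as "RRQ sync", 6 is the option acknowledgment seen from server port 69.
OP_RRQ, OP_OACK = 1, 6

def _split(pkt, expected_op):
    """Check the opcode and split the NUL-terminated fields that follow.
    A missing final NUL makes the datagram malformed."""
    if len(pkt) < 4 or not pkt.endswith(b"\x00"):
        raise ValueError("too short or field not NUL-terminated")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode != expected_op:
        raise ValueError(f"opcode {opcode}, expected {expected_op}")
    return [f.decode("ascii") for f in pkt[2:-1].split(b"\x00")]

def _pairs(opts):
    """Option names and values alternate; an odd count is malformed."""
    if len(opts) % 2:
        raise ValueError("option without value")
    return dict(zip((o.lower() for o in opts[::2]), opts[1::2]))

def parse_rrq(pkt):
    """Decode a read request (client -> server:69). ValueError marks a
    datagram a proxy could only report as 'not a valid tftp request'."""
    fields = _split(pkt, OP_RRQ)
    if len(fields) < 2 or not fields[0]:
        raise ValueError("missing filename or mode")
    if fields[1].lower() not in ("netascii", "octet"):
        raise ValueError(f"unknown mode {fields[1]!r}")
    return {"filename": fields[0], "mode": fields[1].lower(),
            "options": _pairs(fields[2:])}

def parse_oack(pkt):
    """Decode the server's option acknowledgment into {option: value}."""
    return _pairs(_split(pkt, OP_OACK))

def is_valid_rrq(pkt):
    """Quick triage: does the datagram parse as a read request?"""
    try:
        parse_rrq(pkt)
        return True
    except ValueError:
        return False

# Constructed sample datagrams (everything after the filename is assumed): the
# "RRQ sync" from the log with two RFC 2347 options, a matching OACK, and the
# same request with its final NUL cut off, which a proxy must reject.
RRQ_SYNC = b"\x00\x01sync\x00octet\x00blksize\x001428\x00tsize\x000\x00"
OACK_SYNC = b"\x00\x06blksize\x001428\x00tsize\x00123456\x00"
RRQ_TRUNCATED = RRQ_SYNC[:-1]
```

    Feeding a capture's UDP payloads to `parse_rrq` and `parse_oack` shows whether the client's request and the server's reply are well-formed before suspecting the firewall state or the proxy.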



  • Ok, after writing this long post I tried to disable the tftp proxy. Don't know why I didn't do this in the first place. However now this works.

    Still I don't understand why the tftp proxy intercepts the udp traffic. Is this the right behavior? And is there a defect in the tftp proxy? If it is there it should be working, right?

    -flo-