Cisco IP Phone behind pfSense with ext. TFTP Server



  • Hello,
    I have a Cisco IP phone from my company at home which connects to the company's server to fetch its configuration via TFTP.
    The phone tells me there is a TFTP timeout.

    I googled around a bit and found something called TFTP helper. Then I activated that option for the LAN section where the phone is.

    This appears every half minute in the System / General log:
    Oct 12 13:27:53    tftp-proxy[95448]: IP1:50355 -> 127.0.0.1:6969/IP2:49374 -> IP3:69 "RRQ SEPC4729xxxxx.cnf.xml"

    And this appears in the Firewall / Normal view log:

    pass/0 Oct 12 13:27:53    Direction=OUT WAN    IP2:49374  IP3:69      UDP

    with: IP1 -> phone, IP2 -> my IP from the ISP, IP3 -> company's VoIP server

    The phone still gets a TFTP timeout… How can I find the issue?

    Thanks
    rspecht



  • Have you verified that the phone is registered with the tftp server?  Do you have a VPN or something back to the company network?

    Have you taken the phone into work, plugged it into the network there and verified that it can boot?

    Have you tried a packet capture on the WAN interface to see if any tftp packets are coming back (indicating that you got to the company server)?

    All that we have to go on is "the phone did not get a tftp response in time".
    It could be a number of different things, try to verify basic connectivity to the tftp server first.



  • @mer:

    Have you verified that the phone is registered with the tftp server?  Do you have a VPN or something back to the company network?

    This is all managed from the phone… My actual problem is the TFTP server connection.

    @mer:

    Have you taken the phone into work, plugged it into the network there and verified that it can boot?

    Yes… The phone worked without pfSense (before, I had IPFire software on the router).

    @mer:

    Have you tried a packet capture on the WAN interface to see if any tftp packets are coming back (indicating that you got to the company server)?

    I've got this from the Packet Capture:

    21:58:20.848008 IP local.61982 > server.69: UDP, length 31
    21:58:20.888979 IP server.21349 >local.61982: UDP, length 516

    IPs replaced by "local" for my ISP IP and "server" for the VoIP server.
    So this looks to me like the request is transmitted from LAN to WAN and replied to by the company's server.
    How can I check the transmission from the WAN side to the LAN side?

    @mer:

    All that we have to go on is "the phone did not get a tftp response in time".
    It could be a number of different things, try to verify basic connectivity to the tftp server first.

    Thank you very much for the quick reply :)
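    The two tcpdump lines above show the TFTP property that makes a plain stateful NAT fail: the request goes to server port 69, but the reply comes back from a fresh server port (21349, the server's transfer ID), so it never matches the state the outbound packet created. This is exactly the gap tftp-proxy fills. The following is an added example, not code from the thread or from pfSense: a small RFC 1350 packet builder/parser plus a state-matching check, with the request/reply flows constructed from the capture lines above. The host names `local`/`server`, the 42-byte Ethernet+IPv4+UDP overhead and the file name `ITLSEPC.blubb` (taken from a later post in the thread) are illustrative assumptions.

```python
import struct

# TFTP opcodes (RFC 1350)
TFTP_RRQ, TFTP_WRQ, TFTP_DATA, TFTP_ACK, TFTP_ERROR = 1, 2, 3, 4, 5
ERROR_TEXT = {0: "Not defined", 1: "File not found", 2: "Access violation",
              3: "Disk full", 4: "Illegal operation", 5: "Unknown transfer ID",
              6: "File already exists", 7: "No such user"}
# Assumed framing: Ethernet (14) + IPv4 without options (20) + UDP (8) bytes
# in front of the TFTP payload.  Used only to relate payload sizes to the
# frame lengths Wireshark prints.
FRAME_OVERHEAD = 14 + 20 + 8
DATA_BLOCK = 512  # a full DATA packet is 4 header bytes + 512 data bytes = 516


def build_rrq(filename, mode="netascii"):
    """Read request: opcode 1, filename, NUL, mode, NUL."""
    return (struct.pack("!H", TFTP_RRQ) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def build_error(code, message):
    """Error packet: opcode 5, 16-bit error code, message, NUL."""
    return struct.pack("!HH", TFTP_ERROR, code) + message.encode("ascii") + b"\0"


def parse_tftp(payload):
    """Decode one TFTP datagram into a dict; raises ValueError on malformed input."""
    if len(payload) < 4:
        raise ValueError("TFTP datagram too short")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode in (TFTP_RRQ, TFTP_WRQ):
        parts = payload[2:].split(b"\0")
        if len(parts) < 3:  # filename, mode and the trailing NUL must all be present
            raise ValueError("malformed request")
        return {"op": "RRQ" if opcode == TFTP_RRQ else "WRQ",
                "file": parts[0].decode("ascii", "replace"),
                "mode": parts[1].decode("ascii", "replace").lower()}
    if opcode == TFTP_DATA:
        (block,) = struct.unpack("!H", payload[2:4])
        return {"op": "DATA", "block": block, "data": payload[4:]}
    if opcode == TFTP_ACK:
        (block,) = struct.unpack("!H", payload[2:4])
        return {"op": "ACK", "block": block}
    if opcode == TFTP_ERROR:
        (code,) = struct.unpack("!H", payload[2:4])
        msg = payload[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return {"op": "ERROR", "code": code,
                "text": ERROR_TEXT.get(code, "unknown"), "message": msg}
    raise ValueError("unknown opcode %d" % opcode)


def frame_length(payload):
    """Wireshark 'Length' column for a TFTP datagram under the framing assumed above."""
    return FRAME_OVERHEAD + len(payload)


def reply_matches_state(request, reply):
    """A firewall state created by (client, cport) -> (server, sport) only matches
    a reply sent from (server, sport) back to (client, cport).  A TFTP server
    answers from a newly chosen port (its transfer ID), so the reply misses the
    state unless a helper such as tftp-proxy installs a rule for it."""
    c_ip, c_port, s_ip, s_port = request
    return reply == (s_ip, s_port, c_ip, c_port)


# Constructed flows taken from the tcpdump lines quoted in the post above:
#   local.61982 > server.69: UDP, length 31      (the RRQ)
#   server.21349 > local.61982: UDP, length 516  (first DATA block, from a new port)
REQUEST_FLOW = ("local", 61982, "server", 69)
REPLY_FLOW = ("server", 21349, "local", 61982)

if __name__ == "__main__":
    rrq = build_rrq("ITLSEPC.blubb")
    err = build_error(1, "File not found")
    # 25- and 19-byte payloads give 67- and 61-byte frames, the lengths shown
    # in the Wireshark capture posted later in the thread.
    print(parse_tftp(rrq), frame_length(rrq))
    print(parse_tftp(err), frame_length(err))
    print("reply matches NAT state:", reply_matches_state(REQUEST_FLOW, REPLY_FLOW))
```

    The `reply_matches_state` check is the whole story of this thread in one function: the outbound RRQ creates a state for server port 69, and the real reply arrives from port 21349. Without the proxy's anchor rule (or a state-mismatch log entry that shows the drop), that reply is silently discarded, which the phone then reports as a timeout.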



  • Looks like the packet capture is showing the phone is sending something out and receiving something back which is good.  I think next thing is taking a look at whatever rules you have on the LAN and WAN interfaces (screenshots are usually the best thing).  The tftp proxy is sitting in between everything.  Outbound it starts from the phone on LAN, hits tftp-proxy (This is running on the pfSense box, yes?), which makes it hit the loopback interface on the pfSense box and then gets redirected out the WAN.  The response from the server needs to get back from WAN to tftp-proxy before it goes out to the phone, so see if there are any logs for the tftp-proxy (I'm not familiar with that package).



  • I attached a screenshot of everything I added specifically for the phone:
    1. The outgoing firewall rule on the LAN section
    2. The outbound NAT rule for disabling the port rewrite
    3. The TFTP helper

    I think the current problem is the transmission of the reply packet from WAN to LAN (the phone). There is no transmission through the pfSense box :(

    Must I install the TFTP server package?
    I tried both.. at the moment it is installed but there is still no transmission of the replied TFTP packet from WAN to LAN.

    Greetings








  • Is there anything in the logs about blocked packets, that would tell you if a rule somewhere is blocking the return.  With proxies packets can get rewritten (headers) and then reinjected into the stack so another rule may be blocking them.

    I'm assuming that the tftp proxy works the same way as the ftp proxy;  for that all I needed to do was add a pass rule on the LAN side and make sure the ftp proxy service was started.  I did not need any changes for NAT rules.  I'm at the limit of what to suggest.



  • There is no service called "tftp-helper"… may this be the problem?

    ![Status_ Services.png](/public/imported_attachments/1/Status_ Services.png)



  • I'm not sure, tftp daemon may be the name of the service.  For FTP, you need to install the FTP proxy package (at least starting with 2.2.3 you need to).  Is there a way to get a screenshot of the packages you have installed?



  • Sure…
    I've only installed the TFTP package.

    ![System_Package Manager.png](/public/imported_attachments/1/System_Package Manager.png)


  • 

    @rspecht:

    i've only installed the TFTP Package.

    Why? This is handled by /usr/libexec/tftp-proxy run via inetd…



  • Thanks for that dok.  I had no idea that existed (never had a need for it).

    OP: that gives you something new to search on.


  • 

    The relevant code is in /etc/inc/filter.inc, and really no installing of anything is needed.

    https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/filter.inc#L1925



  • okay… but how to debug?

    inetd is running:

    # ps aux | grep inetd
    root    58922   0.0  0.9 10284  2024  -  Is    9:00PM     0:00.08 /usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf

    And the config contains the right code:

    # cat /var/etc/inetd.conf
    tftp-proxy      dgram   udp     wait            root    /usr/libexec/tftp-proxy tftp-proxy -v
    tftp            dgram   udp     wait            root    /usr/libexec/tftpd      tftpd /tftpboot

    The tftp-proxy manpage says there should be something to activate the service:

    In the NAT section:

    nat on $ext_if from $int_if -> ($ext_if:0)

    no nat on $ext_if to port tftp

    rdr-anchor "tftp-proxy/*"
      rdr on $int_if proto udp from $lan to any port tftp ->
          127.0.0.1 port 6969

    In the filter section, an anchor must be added to hold the pass rules:

    anchor "tftp-proxy/*"

    inetd(8) must be configured to spawn the proxy on the port that packets
        are being forwarded to by pf(4).  An example inetd.conf(5) entry follows:

    127.0.0.1:6969  dgram  udp   wait   root
      /usr/libexec/tftp-proxy tftp-proxy

    And I found these rows in /tmp/rules.debug:

    nat on $WAN  from 127.0.0.0/8 to any port 500 -> 123.123.123.123/32  static-port
    nat on $WAN  from 127.0.0.0/8 to any -> 123.123.123.123/32 port 1024:65535
    nat on $WAN  from 192.168.0.0/24 to any port 500 -> 123.123.123.123/32  static-port
    nat on $WAN  from 192.168.0.0/24 to any -> 123.123.123.123/32 port 1024:65535
    ...
    rdr-anchor "tftp-proxy/*"
    ...
    rdr pass on vr1 proto udp from any to any port tftp -> 127.0.0.1 port 6969
    rdr pass on vr0 proto udp from any to any port tftp -> 127.0.0.1 port 6969
    ...
    anchor "tftp-proxy/*"

    with public IP 123.123.123.123 (modified)

    But there is no equivalent for "no nat on $ext_if to port tftp"

    Is this the problem? But I think if the row is missing it must be a source code failure and would already have been reported… or am I the only user of this module? :)

    Edit:
    And this is the output from the packet capture:

    79	284.067405	123.123.123.123    1.1.1.1 	TFTP	67	Read Request, File: ITLSEPC.blubb, Transfer type: netascii
    80	284.112678	1.1.1.1	123.123.123.123	TFTP	61	Error Code, Code: File not found, Message: File not found

    With 1.1.1.1 for the VoIP server and 123.123.123.123 for my public IP

    While this happens on my test client (a Debian PC with TFTP client software):

    root@vidar:~# tftp 1.1.1.1
    tftp> get ITLSEPC.blubb
    Transfer timed out.

    So this means the leakage is on the reply from router to client… everything else works.
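    The post above compares the loaded rule set against the four pieces the tftp-proxy(8) manpage asks for (`no nat ... to port tftp`, `rdr-anchor "tftp-proxy/*"`, the `rdr` to 127.0.0.1 port 6969, and `anchor "tftp-proxy/*"`) and notices the `no nat` line is absent. Doing that comparison by eye across `/tmp/rules.debug` and `pfctl -sa` output is error-prone, so here is an added example (not the poster's or pfSense's code) that reads either dump as text and lists which of the four required pieces are missing. It accepts `port tftp`, `port = tftp` (the `pfctl -sa` spelling) and `port 69`, and strips the `@N(M)` rule-number prefix and the `[ Evaluations: ... ]` counter lines that `pfctl` prints. The embedded sample is the rules.debug excerpt quoted above; the `no nat` line added in the second run is the one the poster later produced through the outbound NAT page. How complete this check is for other pf setups is an assumption.

```python
import re

# The four pf(4) pieces that tftp-proxy(8) requires, as quoted from the manpage
# in the post above.  Each entry: (label, pattern tried on one normalised rule
# line).  "port tftp", "port = tftp" and "port 69" are all accepted.
REQUIRED_RULES = [
    ("no nat on $ext_if to port tftp",
     re.compile(r"^no nat on \S+ .*\bport (= )?(tftp|69)\b")),
    ('rdr-anchor "tftp-proxy/*"',
     re.compile(r'^rdr-anchor "tftp-proxy/\*"')),
    ("rdr ... port tftp -> 127.0.0.1 port 6969",
     re.compile(r"^rdr\b.*\bport (= )?(tftp|69)\b.*-> 127\.0\.0\.1 port 6969\b")),
    ('anchor "tftp-proxy/*"',
     re.compile(r'^anchor "tftp-proxy/\*"')),
]


def normalise(line):
    """Strip the '@N(M)' rule-number prefix printed by pfctl -sa / -vsr and squeeze whitespace."""
    line = re.sub(r"^@\d+\(\d+\)\s*", "", line.strip())
    return re.sub(r"\s+", " ", line)


def rule_lines(rules_text):
    """Yield normalised rule lines, skipping blanks, '...' and '[ Evaluations: ...' counters."""
    for raw in rules_text.splitlines():
        line = normalise(raw)
        if line and not line.startswith("[") and line != "...":
            yield line


def audit_tftp_proxy_rules(rules_text):
    """Return the labels of required tftp-proxy rules that are absent from the dump,
    in the order the manpage lists them.  An empty list means all four are present."""
    lines = list(rule_lines(rules_text))
    return [label for label, pattern in REQUIRED_RULES
            if not any(pattern.search(line) for line in lines)]


# Constructed sample: the /tmp/rules.debug excerpt quoted in the post above,
# with 123.123.123.123 kept as the poster's placeholder for the public IP.
RULES_DEBUG_EXCERPT = """
nat on $WAN  from 127.0.0.0/8 to any port 500 -> 123.123.123.123/32  static-port
nat on $WAN  from 127.0.0.0/8 to any -> 123.123.123.123/32 port 1024:65535
nat on $WAN  from 192.168.0.0/24 to any port 500 -> 123.123.123.123/32  static-port
nat on $WAN  from 192.168.0.0/24 to any -> 123.123.123.123/32 port 1024:65535
...
rdr-anchor "tftp-proxy/*"
...
rdr pass on vr1 proto udp from any to any port tftp -> 127.0.0.1 port 6969
rdr pass on vr0 proto udp from any to any port tftp -> 127.0.0.1 port 6969
...
anchor "tftp-proxy/*"
"""

# The 'no nat' line the poster later added through the outbound NAT page.
NO_NAT_LINE = "no nat on $WAN  from any to any port 69\n"

if __name__ == "__main__":
    print("missing:", audit_tftp_proxy_rules(RULES_DEBUG_EXCERPT))
    print("missing:", audit_tftp_proxy_rules(RULES_DEBUG_EXCERPT + NO_NAT_LINE))
```

    On the box itself the text passed to `audit_tftp_proxy_rules` would be the output of `pfctl -sa` (or the contents of `/tmp/rules.debug`); the function only reports presence or absence of the four rule shapes, it does not check interface names or that inetd is actually listening on 127.0.0.1:6969, which `sockstat -4 | grep 6969` covers separately.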



  • You may need to go to the NAT page in the webGUI and see if you can put the equivalent no nat rule there.  I'm guessing because I've not used this feature.



  • I've added something like this… but it's still not working.

    # cat /tmp/rules.debug | grep "no nat"
    no nat proto carp
    no nat on $WAN  from any to any port 69
    
    

    ![NAT_ Outbound.png](/public/imported_attachments/1/NAT_ Outbound.png)



  • Again. I'm just guessing because I haven't done the same thing, but look at your packet capture.  The return packet is saying "…Error Code, Code: File not found, Message: File not found".  That's a pretty clear indication that the file name you are requesting is wrong.  Double check the file name.  Any error in tftp is typically reported as "timeout" by clients.

    Are you rebooting the pfSense box after you've made changes or clearing the states?  Stateful firewalls sometimes need resetting/restarting after some rule changes.
    After a reboot, before actually trying the tftp transfer, can you ssh to the pfSense box or from the console get the output of the following command (it dumps everything that pf knows about):

    pfctl -sa

    That will give all the loaded rules, any NAT or RDR rules, anchors, etc.



  • Is there a way to debug the actual routing? I mean to follow a packet.
    I can see that there are some TFTP requests on the LAN side and that there are also some requests on the WAN side with a reply from the server incoming on the WAN side. But can I also see what happens with the reply? The router has to do something with it, and even if it's only thrown away, are there some logging options?



  • How the packet gets from WAN to LAN?  You could make sure to enable logging on all rules associated with the tftp ports.  I think the path should be:
    request from phone on LAN goes in LAN port on pfSense, gets pushed to tftp-proxy on lo interface, tftp-proxy does some stuff and then pushes it out WAN. 
    reply comes in WAN, redirect to tftp-proxy, tftp-proxy does stuff, goes out LAN.

    The "redirect to tftp-proxy/does stuff" may simply be look at packet header and add some rules.

    You may be able to do packet capture on the lo interface to give you more data.  Also do "man tftp-proxy" there may be options to increase logging level of the tftp-proxy.



  • So I try again…  :D
    this is the same problem and the goal I want to reach: http://taosecurity.blogspot.de/2009/07/freebsd-pf-and-tftp-proxy.html

    First the current comparison:

    my Internal Port: vr0
    my External Port: vr1
    my DMZ (where the phone now is): vr2

    @his:

    /etc/pf.conf

    @my:

    pfctl -sa | grep nat

    @his:

    no nat on $ext_if to port tftp

    @my:

    --

    @his:

    rdr-anchor "tftp-proxy/*"

    @my:

    rdr-anchor "tftp-proxy/*" all

    @his:

    rdr on $int_if proto udp from $local192 to port tftp ->
        $int_if port 6969

    @my:

    rdr pass on vr2 inet proto udp from any to any port = tftp -> 127.0.0.1 port 6969

    @his:

    anchor "tftp-proxy/*"

    @my:

    anchor "tftp-proxy/*" all

    Next File:
    @his:

    /etc/inetd.conf

    @my:

    /var/etc/inetd.conf

    @his:

    acmsoda dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v

    @my:

    tftp-proxy      dgram  udp    wait            root    /usr/libexec/tftp-proxy tftp-proxy -v

    Next File:
    @his:

    /etc/rc.conf

    @my:

    I don't know where to look  :o

    @his:

    inetd_enable="YES"
    inetd_flags="-wW -C 60 -a 172.16.2.1"

    @my:

    --

    So this is my current state… I hope it's also transparent for everyone later searching for this problem :)
    Now I try to find where my "real" difference is...



  • Now I have done some more tests:

    /root: sockstat -4 | grep 6969
    root     inetd      18695 5  udp4   127.0.0.1:6969        *:*
    
    

    So inetd should receive something…

    What about the differences above?
    I think the row

    no nat on $ext_if to port tftp

    And this seems to be my problem:

    rdr on $int_if proto udp from $local192 to port tftp ->
        $int_if port 6969

    
    I also found the status page of pfSense.. (so late… shame on me)
    
    

    @2(0) rdr-anchor "tftp-proxy/*" all
      [ Evaluations: 1311      Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 30569 State Creations: 3295707264]
    @3(0) rdr pass on vr0 inet proto udp from any to any port = tftp -> 127.0.0.1 port 6969
      [ Evaluations: 1278      Packets: 5        Bytes: 310        States: 0    ]
      [ Inserted: pid 30569 State Creations: 3302985768]
    @4(0) rdr pass on vr2 inet proto udp from any to any port = tftp -> 127.0.0.1 port 6969
      [ Evaluations: 171      Packets: 36        Bytes: 2132        States: 3    ]
      [ Inserted: pid 30569 State Creations: 3313479976]

    
    

    @125(1444833473) pass in log quick on vr0 inet proto udp from 192.168.0.94 to any keep state label "USER_RULE: tftp test f. vida"
      [ Evaluations: 112078    Packets: 233      Bytes: 22828      States: 0    ]
      [ Inserted: pid 30569 State Creations: 3313640248]
    @137(0) pass in quick on vr1 reply-to (vr1 some_IP_from_ISP) inet proto udp from any to 192.168.100.0 port >= 1024 keep state label "USER_RULE: NAT TFTP Test"
      [ Evaluations: 36        Packets: 0        Bytes: 0          States: 0    ]
      [ Inserted: pid 30569 State Creations: 3303019368]
    @138(0) anchor "tftp-proxy/*" all
      [ Evaluations: 1192      Packets: 41        Bytes: 2442        States: 17    ]
      [ Inserted: pid 30569 State Creations: 3330904928]

    
    

    udp  I 192.168.100.10:51222  127.0.0.1:6969        0:1    132    30    4  236
    udp  O myPublicIP:50914    remoteserver:69    1:0    132  168    1    59
    udp  O myPublicIP:53395    remoteserver:69    1:0    128  172    1    59

    
    Is the pftop chart a timeline?
    
    

    udp    Out myPublicIP:50914    remoteserver:69                                  SINGLE:NO_TRAFFIC  00:02:12  00:02:48      1      59      0  2
    udp    Out myPublicIP:53395    remoteserver:69                                  SINGLE:NO_TRAFFIC  00:02:08  00:02:52      1      59      0  2
    udp    In  internal_phone_ip:52351  127.0.0.1:6969        remoteserver:69      NO_TRAFFIC:SINGLE      00:00:35  00:02:07      4    236      6  *

