Cisco IP Phone behind pfsense with ext. TFTP Server
-
Hello,
I have a Cisco IP Phone from my company at home which will connect to the company's server to fetch the configurations via TFTP.
The phone tells me there is a TFTP timeout. I've googled a little bit around and found something called TFTP helper. Then I activated the option for the LAN section where the phone is.
This appears every half minute in the System / General log:
```
Oct 12 13:27:53 tftp-proxy[95448]: IP1:50355 -> 127.0.0.1:6969/IP2:49374 -> IP3:69 "RRQ SEPC4729xxxxx.cnf.xml"
```
And this appears in the Firewall / Normal view log:
```
pass/0 Oct 12 13:27:53 Direction=OUT WAN IP2:49374 IP3:69 UDP
```
with: IP1 -> phone, IP2 -> my IP from the ISP, IP3 -> company's VoIP server
The phone still gets a TFTP timeout… How can I find the issue?
Thanks
rspecht -
Have you verified that the phone is registered with the tftp server? Do you have a VPN or something back to the company network?
Have you taken the phone into work, plugged it into the network there and verified that it can boot?
Have you tried a packet capture on the WAN interface to see if any tftp packets are coming back (indicating that you got to the company server)?
All that we have to go on is "the phone did not get a tftp response in time".
It could be a number of different things, try to verify basic connectivity to the tftp server first. -
@mer:
Have you verified that the phone is registered with the tftp server? Do you have a VPN or something back to the company network?
This is all managed from the phone… My actual problem is the TFTP server connection.
@mer:
Have you taken the phone into work, plugged it into the network there and verified that it can boot?
Yes… The phone has worked without pfSense. (Before, I had IPFire software on the router.)
@mer:
Have you tried a packet capture on the WAN interface to see if any tftp packets are coming back (indicating that you got to the company server)?
I've got this from the packet capture:
```
21:58:20.848008 IP local.61982 > server.69: UDP, length 31
21:58:20.888979 IP server.21349 > local.61982: UDP, length 516
```
IPs replaced by "local" for my ISP IP and "server" for the VoIP server.
So this looks to me like the request is transmitted from LAN to WAN and replied to by the company's server.
How can I check the transmission from the WAN side to the LAN side?
@mer:
All that we have to go on is "the phone did not get a tftp response in time".
It could be a number of different things, try to verify basic connectivity to the tftp server first.
Thank you very much for the quick reply :)
-
Looks like the packet capture is showing the phone is sending something out and receiving something back which is good. I think next thing is taking a look at whatever rules you have on the LAN and WAN interfaces (screenshots are usually the best thing). The tftp proxy is sitting in between everything. Outbound it starts from the phone on LAN, hits tftp-proxy (This is running on the pfSense box, yes?), which makes it hit the loopback interface on the pfSense box and then gets redirected out the WAN. The response from the server needs to get back from WAN to tftp-proxy before it goes out to the phone, so see if there are any logs for the tftp-proxy (I'm not familiar with that package).
-
I attached a screenshot of everything special added for the phone.
1. The firewall outgoing rule on the LAN section
2. The NAT outbound rule for disabling the port rewrite
3. The TFTP helper
I think the current problem is the transmission of the replied packet from WAN to LAN (the phone). There is no transmission through the pfSense box :(
Must I install the TFTP server package?
I tried both.. at the moment it is installed but there is still no transmission of the replied TFTP packet from WAN to LAN.
Greetings
-
Is there anything in the logs about blocked packets, that would tell you if a rule somewhere is blocking the return. With proxies packets can get rewritten (headers) and then reinjected into the stack so another rule may be blocking them.
I'm assuming that the tftp proxy works the same way as the ftp proxy; for that all I needed to do was add a pass rule on the LAN side and make sure the ftp proxy service was started. I did not need any changes for NAT rules. I'm at the limit of what to suggest.
-
There is no service called "tftp-helper"… may this be the problem?

 -
I'm not sure, tftp daemon may be the name of the service. For FTP, you need to install the FTP proxy package (at least starting with 2.2.3 you need to). Is there a way to get a screenshot of the packages you have installed?
-
Sure…
I've only installed the TFTP package.
 -
I've only installed the TFTP package.
Why? This is handled by /usr/libexec/tftp-proxy run via inetd…
-
Thanks for that dok. I had no idea that existed (never had a need for it).
OP: that gives you something new to search on.
-
The relevant code is in /etc/inc/filter.inc – and really no installing of anything is needed.
https://github.com/pfsense/pfsense/blob/RELENG_2_2/etc/inc/filter.inc#L1925
-
Okay… but how to debug?
The inetd is running:
```
# ps aux | grep inetd
root 58922 0.0 0.9 10284 2024 - Is 9:00PM 0:00.08 /usr/sbin/inetd -wW -R 0 -a 127.0.0.1 /var/etc/inetd.conf
```
And the config contains the right code:
```
# cat /var/etc/inetd.conf
tftp-proxy dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v
tftp dgram udp wait root /usr/libexec/tftpd tftpd /tftpboot
```
The tftp-proxy manpage says there should be something to activate the service:
In the NAT section:
```
nat on $ext_if from $int_if -> ($ext_if:0)
no nat on $ext_if to port tftp
rdr-anchor "tftp-proxy/*"
rdr on $int_if proto udp from $lan to any port tftp -> 127.0.0.1 port 6969
```
In the filter section, an anchor must be added to hold the pass rules:
```
anchor "tftp-proxy/*"
```
inetd(8) must be configured to spawn the proxy on the port that packets are being forwarded to by pf(4). An example inetd.conf(5) entry follows:
```
127.0.0.1:6969 dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy
```
And I found those rows in /tmp/rules.debug:
```
nat on $WAN from 127.0.0.0/8 to any port 500 -> 123.123.123.123/32 static-port
nat on $WAN from 127.0.0.0/8 to any -> 123.123.123.123/32 port 1024:65535
nat on $WAN from 192.168.0.0/24 to any port 500 -> 123.123.123.123/32 static-port
nat on $WAN from 192.168.0.0/24 to any -> 123.123.123.123/32 port 1024:65535
...
rdr-anchor "tftp-proxy/*"
...
rdr pass on vr1 proto udp from any to any port tftp -> 127.0.0.1 port 6969
rdr pass on vr0 proto udp from any to any port tftp -> 127.0.0.1 port 6969
...
anchor "tftp-proxy/*"
```
with public IP 123.123.123.123 (modified)
But there is no equivalent for "no nat on $ext_if to port tftp"
Is this the problem? But I think when the row is missing it must be a source code failure and already reported… or am I the only user of this module? :)
Edit:
And this is the output from the packet capture:
```
79 284.067405 123.123.123.123 1.1.1.1 TFTP 67 Read Request, File: ITLSEPC.blubb, Transfer type: netascii
80 284.112678 1.1.1.1 123.123.123.123 TFTP 61 Error Code, Code: File not found, Message: File not found
```
with 1.1.1.1 for the VoIP server and 123.123.123.123 for my public IP
While this happens in my test client (a Debian PC with tftp client software):
```
root@vidar:~# tftp 1.1.1.1
tftp> get ITLSEPC.blubb
Transfer timed out.
```
So this means the leakage is on the reply from router to client… everything else works.
-
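An added checker, not from this thread or from pfSense, that walks a rules.debug / pfctl -sa dump plus a sockstat line for the pieces the tftp-proxy manpage excerpt above requires (rdr-anchor, rdr to 127.0.0.1:6969, filter anchor, the "no nat ... port tftp" exception, and inetd actually listening). The sample input is constructed from the rules the poster quoted; lan_if is an assumed parameter naming the interface the phone sits behind.

```python
import re

# Constructed sample, modelled on the /tmp/rules.debug and sockstat output
# quoted in this thread (same interfaces and masked public IP as the poster).
SAMPLE_RULES = """\
nat on $WAN from 192.168.0.0/24 to any -> 123.123.123.123/32 port 1024:65535
rdr-anchor "tftp-proxy/*"
rdr pass on vr0 proto udp from any to any port tftp -> 127.0.0.1 port 6969
rdr pass on vr2 proto udp from any to any port tftp -> 127.0.0.1 port 6969
anchor "tftp-proxy/*"
"""
SAMPLE_SOCKSTAT = "root inetd 18695 5 udp4 127.0.0.1:6969 *:*\n"


def _rdr_pattern(lan_if):
    # The rdr must sit on the interface the phone is behind (assumed
    # parameter) and point at the port inetd spawns tftp-proxy on; both
    # "port tftp" and the pfctl -sa spelling "port = tftp" are accepted.
    iface = re.escape(lan_if) if lan_if else r"\S+"
    return (r"^rdr(\s+pass)?\s+on\s+" + iface +
            r"\s.*proto udp.*\bport\s*(=\s*)?(tftp|69)\s*->\s*127\.0\.0\.1 port 6969")


def check_tftp_proxy(rules_text, sockstat_text, lan_if=None):
    """Map each tftp-proxy(8) prerequisite to True (present) or False (missing)."""
    lines = [l.strip() for l in rules_text.splitlines()]
    checks = [
        ("rdr-anchor for tftp-proxy", r'^rdr-anchor\s+"tftp-proxy/\*"'),
        ("rdr of LAN tftp to 127.0.0.1:6969", _rdr_pattern(lan_if)),
        ("filter anchor for tftp-proxy", r'^anchor\s+"tftp-proxy/\*"'),
        # The manpage excludes the tftp port from the general nat rule; this is
        # the line the poster could not find in rules.debug.
        ("no nat on WAN to port tftp", r"^no nat on \S+.*\bport\s*(=\s*)?(tftp|69)\b"),
    ]
    result = {name: any(re.search(rx, l) for l in lines) for name, rx in checks}
    # The rdr is useless unless inetd really listens on the redirect target.
    result["inetd listening on 127.0.0.1:6969/udp"] = any(
        "udp" in l and "127.0.0.1:6969" in l for l in sockstat_text.splitlines())
    return result


def missing(rules_text, sockstat_text, lan_if=None):
    """Names of the prerequisites that are absent, in checklist order."""
    return [n for n, ok in check_tftp_proxy(rules_text, sockstat_text, lan_if).items() if not ok]


if __name__ == "__main__":
    for item in missing(SAMPLE_RULES, SAMPLE_SOCKSTAT, lan_if="vr2"):
        print("missing:", item)
```

On the poster's quoted rules the only item reported missing is the "no nat" exception.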
You may need to go to the NAT page in the webGUI and see if you can put the equivalent no nat rule there. I'm guessing because I've not used this feature.
-
I've added something like this… but it's still not working.
```
# cat /tmp/rules.debug | grep "no nat"
no nat proto carp
no nat on $WAN from any to any port 69
```

 -
Again. I'm just guessing because I haven't done the same thing, but look at your packet capture. The return packet is saying "…Error Code, Code: File not found, Message: File not found". That's a pretty clear indication that the file name you are requesting is wrong. Double check the file name. Any error in tftp is typically reported as "timeout" by clients.
Are you rebooting the pfSense box after you've made changes or clearing the states? Stateful firewalls sometimes need resetting/restarting after some rule changes.
After a reboot, before actually trying the tftp transfer, can you ssh to the pfSense box or from the console get the output of the following command (it dumps everything that pf knows about):
```
pfctl -sa
```
That will give all the loaded rules, any NAT or RDR rules, anchors, etc.
-
Is there a way to debug the actual routing? I mean to follow a packet.
I can see that there are some TFTP requests on the LAN side and that there also are some requests on the WAN side with a reply from the server incoming to the WAN side. But can I also see what happens with the reply? The router has to do something with it, and even if it's only thrown away - are there some logging options? -
How the packet gets from WAN to LAN? You could make sure to enable logging on all rules associated with the tftp ports. I think the path should be:
request from phone on LAN goes in LAN port on pfSense, gets pushed to tftp-proxy on lo interface, tftp-proxy does some stuff and then pushes it out WAN.
reply comes in WAN, redirect to tftp-proxy, tftp-proxy does stuff, goes out LAN.
The "redirect to tftp-proxy/does stuff" may simply be look at packet header and add some rules.
You may be able to do packet capture on the lo interface to give you more data. Also do "man tftp-proxy" there may be options to increase logging level of the tftp-proxy.
-
So I try again… :D
This is the same problem and my goal to reach: http://taosecurity.blogspot.de/2009/07/freebsd-pf-and-tftp-proxy.html
First the current comparison:
my internal port: vr0
my external port: vr1
my DMZ (where the phone now is): vr2
@his:
/etc/pf.conf
@my:
pfctl -sa | grep nat
@his:
no nat on $ext_if to port tftp
@my:
--
@his:
rdr-anchor "tftp-proxy/*"
@my:
rdr-anchor "tftp-proxy/*" all
@his:
rdr on $int_if proto udp from $local192 to port tftp -> $int_if port 6969
@my:
rdr pass on vr2 inet proto udp from any to any port = tftp -> 127.0.0.1 port 6969
@his:
anchor "tftp-proxy/*"
@my:
anchor "tftp-proxy/*" all
Next file:
@his:
/etc/inetd.conf
@my:
/var/etc/inetd.conf
@his:
acmsoda dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v
@my:
tftp-proxy dgram udp wait root /usr/libexec/tftp-proxy tftp-proxy -v
Next file:
@his:
/etc/rc.conf
@my:
I don't know where to look :o
@his:
inetd_enable="YES"
inetd_flags="-wW -C 60 -a 172.16.2.1"
@my:
--
So this is my current state… I hope it's also transparent for everyone later searching for this problem :)
Now I try to search where my "real" difference is... -
Now I have done some more tests:
```
/root: sockstat -4 | grep 6969
root inetd 18695 5 udp4 127.0.0.1:6969 *:*
```
So the inetd should receive something…
What about the differences above?
I think the row
```
no nat on $ext_if to port tftp
```
and this seems to be my problem:
```
rdr on $int_if proto udp from $local192 to port tftp -> $int_if port 6969
```
I also found the status page of the pfSense.. (so late… shame on me)
```
@2(0) rdr-anchor "tftp-proxy/*" all
[ Evaluations: 1311 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: pid 30569 State Creations: 3295707264]
@3(0) rdr pass on vr0 inet proto udp from any to any port = tftp -> 127.0.0.1 port 6969
[ Evaluations: 1278 Packets: 5 Bytes: 310 States: 0 ]
[ Inserted: pid 30569 State Creations: 3302985768]
@4(0) rdr pass on vr2 inet proto udp from any to any port = tftp -> 127.0.0.1 port 6969
[ Evaluations: 171 Packets: 36 Bytes: 2132 States: 3 ]
[ Inserted: pid 30569 State Creations: 3313479976]
@125(1444833473) pass in log quick on vr0 inet proto udp from 192.168.0.94 to any keep state label "USER_RULE: tftp test f. vida"
[ Evaluations: 112078 Packets: 233 Bytes: 22828 States: 0 ]
[ Inserted: pid 30569 State Creations: 3313640248]
@137(0) pass in quick on vr1 reply-to (vr1 some_IP_from_ISP) inet proto udp from any to 192.168.100.0 port >= 1024 keep state label "USER_RULE: NAT TFTP Test"
[ Evaluations: 36 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: pid 30569 State Creations: 3303019368]
@138(0) anchor "tftp-proxy/*" all
[ Evaluations: 1192 Packets: 41 Bytes: 2442 States: 17 ]
[ Inserted: pid 30569 State Creations: 3330904928]
```
```
udp I 192.168.100.10:51222 127.0.0.1:6969 0:1 132 30 4 236
udp O myPublicIP:50914 remoteserver:69 1:0 132 168 1 59
udp O myPublicIP:53395 remoteserver:69 1:0 128 172 1 59
```
Is the pftop chart a timeline?
```
udp Out myPublicIP:50914 remoteserver:69 SINGLE:NO_TRAFFIC 00:02:12 00:02:48 1 59 0 2
udp Out myPublicIP:53395 remoteserver:69 SINGLE:NO_TRAFFIC 00:02:08 00:02:52 1 59 0 2
udp In internal_phone_ip:52351 127.0.0.1:6969 remoteserver:69 NO_TRAFFIC:SINGLE 00:00:35 00:02:07 4 236 6 *
```