TFTP on a Virtual IP?



Evening all,
I did a couple of searches and wasn't able to pull anything up that seemed to match the issue I'm having.
I have a pfSense 2.2.6 install (x64) that works great for pretty much everything I need.
I have the TFTP server set up and configured on the firewall's LAN interface, and it works fine in that configuration (I can download files from it without issue).
What I'm trying to do is add a virtual IP to the LAN interface (on the IP 10.0.0.2) so that I can use the Cisco autorecovery feature from ROMMON without having to interact with the device (if you hold the mode button down on most of the Cisco kit it'll look for a default IOS tarball on a TFTP server in the 10.0.0.0/27 network, pull it in, install it and restart).
I can assign the virtual IP fine, and devices on the LAN can see it (evidently pfSense routes to/from the network without issue) - I can even SSH/HTTPS to it; however, when I try to TFTP files from the IP I get nothing.
If I look in the states table I see:

    LAN udp 10.0.0.2:69 <- 10.0.5.2:53712 NO_TRAFFIC:SINGLE

or if I try from a device on the subnet:

    LAN udp 10.0.0.2:69 <- 10.0.0.5:54710 NO_TRAFFIC:SINGLE

I've tried enabling NAT reflection (no love), TFTP proxy on the LAN address (seems to break TFTP), and creating UDP/TCP rules for TFTP (both on the main LAN subnet (10.0.5.0) and the virtual subnet (10.0.0.0)), all to no avail.
It's not an end-of-the-world scenario, as I can always use TFTPD on my desktop, but I'd ideally like to keep it all in pfSense.

Thanks in advance
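As an added example that is not part of the original post, here is a small Python checker for pf state lines like the ones quoted above. It assumes the pfctl -ss line layout shown in the post, and its sample input is the two quoted lines plus a constructed pair of lines standing in for a working transfer on the primary LAN address; it flags TFTP requests to port 69 that never produced an outbound data-transfer state from the server and tallies them per listening address, so it is visible at a glance whether only the virtual IP is affected.

```python
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed sample of pf state-table lines (pfctl -ss style): the two lines
# quoted in the post, plus an invented working transfer on the primary LAN
# address (its request state and the separate data-transfer state) for contrast.
SAMPLE_STATES = """\
LAN udp 10.0.0.2:69 <- 10.0.5.2:53712 NO_TRAFFIC:SINGLE
LAN udp 10.0.0.2:69 <- 10.0.0.5:54710 NO_TRAFFIC:SINGLE
LAN udp 10.0.5.1:69 <- 10.0.5.2:53800 NO_TRAFFIC:SINGLE
LAN udp 10.0.5.1:61543 -> 10.0.5.2:53800 MULTIPLE:MULTIPLE
"""

STATE_RE = re.compile(  # iface proto left dir right lstate:rstate
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+"
    r"(?P<direction><->|<-|->)\s+(?P<right>\S+)\s+"
    r"(?P<lstate>[A-Z_]+):(?P<rstate>[A-Z_]+)\s*$"
)

class PfState(NamedTuple):
    iface: str
    proto: str
    left: str       # printed first: the local service for "<-", the source for "->"
    direction: str
    right: str
    lstate: str
    rstate: str

def parse_states(text: str) -> List[PfState]:
    """Parse pf state lines, skipping anything that does not match."""
    matches = (STATE_RE.match(line.strip()) for line in text.splitlines())
    return [PfState(**m.groupdict()) for m in matches if m]

def unanswered_tftp(states: List[PfState]) -> List[PfState]:
    """Inbound UDP requests to :69 with no matching data-transfer state.
    A TFTP server answers from a fresh ephemeral port, so a working transfer
    appears as a second, outbound state from the server IP to the client's
    port; the request state itself stays NO_TRAFFIC:SINGLE either way."""
    answered = {(s.left.rsplit(":", 1)[0], s.right)
                for s in states if s.proto == "udp" and s.direction == "->"}
    return [s for s in states
            if s.proto == "udp" and s.direction == "<-"
            and s.left.endswith(":69")
            and (s.left.rsplit(":", 1)[0], s.right) not in answered]

def silent_servers(states: List[PfState]) -> Counter:
    """Unanswered requests per listening address, to see whether only the
    virtual IP and not the interface's primary address is affected."""
    return Counter(s.left.rsplit(":", 1)[0] for s in unanswered_tftp(states))
```

Run against a real `pfctl -ss` dump, the output of `silent_servers` separates a service that is not bound to the virtual IP (requests to 10.0.0.2 only) from a rule or routing problem that would affect the primary address too.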