Bug #6829
Possible tftp-proxy bug? (Status: Closed)
Description
Seems we are running into an issue with tftp-proxy not working again (I want to say it did work briefly after the latest update, but now it isn't.)
Basically, it appears that the WAN-side port tftp-proxy is assigning (and listening on) is different than the source port the actual packet is going out on (and thus the port replies are coming in on from the TFTP server.) The end result is that the requesting device never receives its file. Here's an example:
I'm trying to request "spa504G.cfg" (a phone configuration file) from a TFTP server running on our PBX. When I request it, here's the log entry created by tftp-proxy:
Sep 29 17:41:56 pfsense tftp-proxy305: 10.20.30.223:39734 -> 127.0.0.1:6969/104.189.xxx.xx:52500 -> 52.5.xx.xxx:69 "RRQ spa504G.cfg"
Immediately after, "sockstat|grep tftp" shows it's listening as follows:
proxy tftp-proxy 305 0 udp4 127.0.0.1:23811 10.20.30.223:39734
proxy tftp-proxy 305 1 udp4 104.189.xxx.xx:52500 52.5.xx.xxx:69
proxy tftp-proxy 305 2 udp4 127.0.0.1:6969 *:*
However, tcpdump on the WAN interface shows this:
17:41:56.465299 IP 104.189.xxx.xx.48186 > 52.5.xx.xxx.69: 23 RRQ "spa504G.cfg" netascii
17:41:56.507535 IP 52.5.xx.xxx.53173 > 104.189.xxx.xx.48186: UDP, length 516
The packet seems to actually be leaving the pfSense box from port 48186 (whereas I'd think it should be leaving from port 52500?)
On the PBX end, I see:
17:41:56.483926 IP 104.189.xxx.xx.48186 > 10.21.2.247.tftp: 23 RRQ "spa504G.cfg" netascii
17:41:56.488298 IP 10.21.2.247.53173 > 104.189.xxx.xx.48186: UDP, length 516
NOTE: The TFTP server is an EC2 instance, so it's behind 1:1 NAT, and 10.21.2.247 is the RFC1918 address equivalent to 52.5.xx.xxx above. (I've verified that isn't the issue though, as I can TFTP from that system using a basic consumer router and it does work.)
So I'm seeing the same ports all the way across the link. Doesn't seem like anything is being rewritten between here and there.
Seems to me the packets ought to have come from 52500, not 48186. I've gone through all my settings, trying to see if there's something that would rewrite ports (save for outbound NAT, which I would think shouldn't apply here since the tftp-proxy process is running on the firewall itself.)
Hopefully it's just something simple, but I'm wanting to make sure there's not still a bug here before I start ripping things (and my hair) apart!
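The three pieces of evidence in the report (the tftp-proxy log line, the sockstat listing and the tcpdump capture) can be correlated mechanically to confirm a source-port rewrite between the proxy socket and the wire. The script below is an added example, not code from the bug report or from pfSense; its sample data is constructed to mirror the shapes shown above, with documentation-range addresses (198.51.100.10, 203.0.113.20) standing in for the reporter's masked ones. It flags two conditions: the RRQ left on a port other than the one the proxy bound, and the server's data reply was addressed to a port no proxy socket is listening on, which is why the client never receives the file.

```python
"""Correlate tftp-proxy log, sockstat and tcpdump output to detect a WAN
source-port rewrite (added example; sample data is constructed)."""
import re
from typing import Dict, List, Tuple

# Constructed sample data modelled on the report; documentation-range
# addresses replace the masked 104.189.xxx.xx / 52.5.xx.xxx values.
PROXY_LOG = ('Sep 29 17:41:56 pfsense tftp-proxy[305]: 10.20.30.223:39734 -> '
             '127.0.0.1:6969/198.51.100.10:52500 -> 203.0.113.20:69 "RRQ spa504G.cfg"')
SOCKSTAT = """proxy tftp-proxy 305 0 udp4 127.0.0.1:23811 10.20.30.223:39734
proxy tftp-proxy 305 1 udp4 198.51.100.10:52500 203.0.113.20:69
proxy tftp-proxy 305 2 udp4 127.0.0.1:6969 *:*"""
TCPDUMP = """17:41:56.465299 IP 198.51.100.10.48186 > 203.0.113.20.69: 23 RRQ "spa504G.cfg" netascii
17:41:56.507535 IP 203.0.113.20.53173 > 198.51.100.10.48186: UDP, length 516"""

Endpoint = Tuple[str, int]
SERVICE_PORTS = {"tftp": 69}  # tcpdump prints service names unless run with -n

PROXY_RE = re.compile(
    r'([\d.]+):(\d+) -> ([\d.]+):(\d+)/([\d.]+):(\d+) -> ([\d.]+):(\d+) "([^"]*)"')
PKT_RE = re.compile(r'IP (\d+(?:\.\d+){3})\.(\w+) > (\d+(?:\.\d+){3})\.(\w+):')


def _port(text: str) -> int:
    """Accept either a numeric port or a service name tcpdump resolved."""
    return int(text) if text.isdigit() else SERVICE_PORTS[text]


def parse_proxy_log(line: str) -> Dict[str, object]:
    """Split the tftp-proxy request line into client/local/wan/server endpoints."""
    m = PROXY_RE.search(line)
    if not m:
        raise ValueError("not a tftp-proxy request line")
    g = m.groups()
    return {"client": (g[0], int(g[1])), "local": (g[2], int(g[3])),
            "wan": (g[4], int(g[5])), "server": (g[6], int(g[7])), "request": g[8]}


def parse_sockstat(text: str) -> List[Tuple[Endpoint, str]]:
    """Return (local endpoint, foreign address) pairs for udp4 sockets."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[4] != "udp4":
            continue
        ip, port = f[5].rsplit(":", 1)
        out.append(((ip, int(port)), f[6]))
    return out


def parse_tcpdump(text: str) -> List[Tuple[Endpoint, Endpoint]]:
    """Return (src, dst) endpoint pairs for each IP line in the capture."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            pkts.append(((m.group(1), _port(m.group(2))),
                         (m.group(3), _port(m.group(4)))))
    return pkts


def check_source_port(proxy_line: str, sockstat_text: str, tcpdump_text: str) -> Dict[str, object]:
    """Compare the port the proxy bound with the port seen on the wire."""
    req = parse_proxy_log(proxy_line)
    wan_ip, bound_port = req["wan"]
    bound_ports = {ep[1] for ep, _ in parse_sockstat(sockstat_text) if ep[0] == wan_ip}
    pkts = parse_tcpdump(tcpdump_text)
    # The RRQ as it left the firewall: WAN address -> server's TFTP port.
    outgoing = [src for src, dst in pkts if src[0] == wan_ip and dst == req["server"]]
    if not outgoing:
        raise ValueError("RRQ not found in capture")
    wire_port = outgoing[0][1]
    # The server answers whatever port it saw the RRQ come from.
    reply_ports = {dst[1] for src, dst in pkts
                   if src[0] == req["server"][0] and dst[0] == wan_ip}
    return {
        "bound_port": bound_port,
        "wire_port": wire_port,
        "rewritten": wire_port != bound_port,
        "reply_to_unbound_port": bool(reply_ports) and not (reply_ports & bound_ports),
    }


if __name__ == "__main__":
    result = check_source_port(PROXY_LOG, SOCKSTAT, TCPDUMP)
    print(result)
    if result["rewritten"]:
        print("source port rewritten on the firewall itself; "
              "check outbound NAT rules that match firewall-originated traffic")
```

When `rewritten` is true for traffic that originates on the firewall, the rewrite happened locally rather than upstream, which narrows the search to the firewall's own outbound NAT configuration.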
Updated by Jim Pingle over 8 years ago
- Status changed from New to Rejected
Most likely cause is an improper outbound NAT rule that's matching traffic from the firewall itself. Please start a forum thread for discussion and troubleshooting until a definite bug has been identified.