TFTP through IPCOP or other iptables firewalls

TFTP uses UDP packets. The client sends its request from a random port to port 69, then the server opens a new UDP flow back to the client's original port. This does not survive NAT (network address translation), possibly not on either end. trixbox pro and many other phone systems use TFTP for provisioning phones, so this is a problem for remote phones. Here is a fix that allows TFTP traffic through an iptables-based firewall (IPCop in this example).
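To make the failure concrete, here is a small model of the exchange, added as an illustration and not code from the original post or from IPCop. It builds a real RFC 1350 read request, runs it through a toy source NAT whose state table is keyed on the full UDP 4-tuple, and shows that the server's reply from a fresh port is dropped unless something like the kernel's tftp helper has registered an expectation for it. All addresses and ports are constructed sample values; the `Nat` class is a simplification of what `ip_conntrack_tftp`/`ip_nat_tftp` do, not the kernel code itself.

```python
"""Why a TFTP transfer breaks behind a stateless NAT, and what the tftp
connection-tracking helper changes.  Added illustration with constructed
addresses; the Nat class is a simplified model, not the netfilter code."""
import struct

RRQ, WRQ, DATA = 1, 2, 3


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """TFTP read request (RFC 1350): opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ, else None.
    This is the same sniff the kernel helper does on packets to UDP/69."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    parts = payload[2:].split(b"\0")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        return None
    return opcode, parts[0].decode(), parts[1].decode().lower()


def build_data(block: int, chunk: bytes) -> bytes:
    """TFTP DATA packet: opcode 3, 16-bit block number, payload."""
    return struct.pack("!HH", DATA, block) + chunk


class Nat:
    """Source NAT with a conntrack-style table keyed on (server ip, server
    port, public port).  With helper=True it mimics the tftp helper: a valid
    request sent to UDP/69 registers an expectation that the server may
    answer from *any* port to the same public port."""

    def __init__(self, public_ip: str, helper: bool = False):
        self.public_ip = public_ip
        self.helper = helper
        self.next_port = 40000
        self.table = {}   # (srv_ip, srv_port, pub_port) -> (cli_ip, cli_port)
        self.expect = {}  # (srv_ip, pub_port)           -> (cli_ip, cli_port)

    def outbound(self, cli_ip, cli_port, srv_ip, srv_port, payload):
        """Translate a client packet; returns the (public ip, public port)."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[(srv_ip, srv_port, pub_port)] = (cli_ip, cli_port)
        if self.helper and srv_port == 69 and parse_request(payload):
            self.expect[(srv_ip, pub_port)] = (cli_ip, cli_port)
        return self.public_ip, pub_port

    def inbound(self, srv_ip, srv_port, pub_port):
        """Return the internal (ip, port) to deliver to, or None if dropped."""
        key = (srv_ip, srv_port, pub_port)
        if key in self.table:
            return self.table[key]
        exp = self.expect.pop((srv_ip, pub_port), None)
        if exp:
            self.table[key] = exp  # the data flow is now a tracked connection
        return exp


def transfer(helper: bool):
    """Simulate the request and the server's first reply through the NAT.
    Returns the internal destination, or None when the reply is dropped."""
    nat = Nat("203.0.113.1", helper=helper)  # constructed documentation IPs
    client = ("192.168.1.20", 50123)
    server = "198.51.100.7"
    _, pub_port = nat.outbound(*client, server, 69, build_rrq("phone.cfg"))
    # Per RFC 1350 the server answers from a new ephemeral port, not from 69,
    # so the reply never matches the 4-tuple the request created.
    return nat.inbound(server, 59999, pub_port)


if __name__ == "__main__":
    print("without helper:", transfer(False))  # None: DATA block dropped
    print("with helper:   ", transfer(True))   # delivered to the phone
```

The model also shows why the helper is a sniffing component: it has to parse the payload of every packet to UDP/69 to decide whether to open that expectation, which is exactly the behaviour a firewall administrator wants confined to the TFTP port and nowhere else.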

You will need to enable SSH on the firewall and open a session. IPCop uses the non-standard port 222, and can usually only be connected to from the internal (green) network.

nano /etc/rc.d/rc.network

Add these two lines:
modprobe ip_conntrack_tftp
modprobe ip_nat_tftp

Save and exit.

For immediate effect, run the same two lines at the command prompt, or reboot the firewall. I had to repeat this on both firewalls, as there was an IPCop firewall at each end.
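On a current Linux firewall the same fix needs one extra step that IPCop's kernel did not: the modules are now called `nf_conntrack_tftp` and `nf_nat_tftp`, and since kernel 4.7 a loaded helper is no longer attached to connections automatically (the `net.netfilter.nf_conntrack_helper` sysctl defaults to 0, and newer kernels dropped automatic assignment altogether), so a `CT --helper tftp` rule in the raw table is required. The following check is an added example, not part of the original post or of IPCop; it reads `lsmod` and that sysctl and reports which of the three situations the host is in. The `lsmod` text in the test is constructed.

```python
"""Report whether the TFTP conntrack/NAT helpers are loaded on this host and
whether they will actually be applied.  Added example; module names and the
sysctl path are the real kernel ones, the sample lsmod text is constructed."""
import subprocess
from pathlib import Path

# Older kernels (IPCop era) use ip_*; current kernels use nf_*.
HELPER_MODULES = (("ip_conntrack_tftp", "ip_nat_tftp"),
                  ("nf_conntrack_tftp", "nf_nat_tftp"))
SYSCTL = Path("/proc/sys/net/netfilter/nf_conntrack_helper")
# Attach the helper only to traffic for the TFTP service port.
CT_RULE = "iptables -t raw -A PREROUTING -p udp --dport 69 -j CT --helper tftp"


def loaded_modules(lsmod_text: str) -> set:
    """Module names from `lsmod` (or /proc/modules) output."""
    names = set()
    for line in lsmod_text.splitlines():
        fields = line.split()
        if fields and fields[0] != "Module":
            names.add(fields[0])
    return names


def tftp_helper_status(lsmod_text: str, auto_helper) -> str:
    """auto_helper is the content of the nf_conntrack_helper sysctl ('0' or
    '1'), or None when the file does not exist.  Returns one line of advice."""
    mods = loaded_modules(lsmod_text)
    for ct_mod, nat_mod in HELPER_MODULES:
        if ct_mod not in mods:
            continue
        if nat_mod not in mods:
            return "conntrack helper loaded but NAT helper missing: modprobe " + nat_mod
        legacy = ct_mod.startswith("ip_")
        if legacy or (auto_helper is not None and auto_helper.strip() == "1"):
            return "tftp helper active (automatic assignment)"
        # Sysctl is 0, or absent on a kernel that removed auto assignment:
        # either way an explicit CT rule is what makes the helper apply.
        return "tftp helper loaded but not auto-assigned; add: " + CT_RULE
    ct_mod, nat_mod = HELPER_MODULES[1]
    return "tftp helper not loaded: modprobe %s && modprobe %s" % (ct_mod, nat_mod)


def check_live_system() -> str:
    """Run the check on the current host (needs Linux with lsmod)."""
    lsmod = subprocess.run(["lsmod"], capture_output=True, text=True,
                           check=True).stdout
    auto = SYSCTL.read_text() if SYSCTL.exists() else None
    return tftp_helper_status(lsmod, auto)


if __name__ == "__main__":
    print(check_live_system())
```

Keeping the helper bound to `--dport 69` matters: the kernel stopped assigning helpers automatically precisely because a payload-parsing helper that attaches to every UDP flow widens the firewall's attack surface, so the rule should name the port rather than use a catch-all.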

If using trixbox pro, you also need to make a few minor changes to the configuration files for the phones so that the phone tries the correct server. Change the sNNNN.trixbox.fonality.com settings to sNNNNx.trixbox.fonality.com, where NNNN is your server number. I modified the file itself. Fonality recommends modifying the phone config on the phone once it is initially configured.

One Response to “TFTP through IPCOP or other iptables firewalls”

  1. TFTP from another subnet - Page 2 - openSUSE Forums Says:

    [...] TFTP from another subnet Ok, a bit of searching turned up this: TFTP through IPCOP or other iptables firewalls « Keystone IT Tech IPCop is derived from Smoothwall so it should be similar. I think the key module to load is the [...]
