Linux TFTP server external access through router

Question

I am using Ubuntu as the host machine for my embedded Linux board with the tftp-hpa service. I can boot just fine using the u-boot bootloader while passing the local ( 192.168.1.10 ) ip address of the TFTP server running on the host to the target board ( which has ip address 192.168.1.3 ). This is the case where both server and client are behind the router and on the 192.168.1.x network.

I want to be able to export my directory beyond my router to the external network. My TFTP Server is configured ( via the /etc/default/tftp-hpa ) as follows:

user@ubuntu:~$ cat /etc/default/tftpd-hpa

RUN_DAEMON="yes"

TFTP_USERNAME="tftp"

TFTP_DIRECTORY="/home/user/exported-nfs"

TFTP_ADDRESS="0.0.0.0:69"

TFTP_OPTIONS="-l --secure"

I have forwarded port 69 ( UDP ) to my server at 192.168.1.10 within the router config as shown here:

I also setup my router to use the server ( 192.168.1.10 ) as the DMZ:

This works:

user@ubuntu:~$ tftp
tftp> trace
Packet tracing on.
tftp> connect 192.168.1.10
tftp> get /boot/uImage
sent RRQ <file=/boot/uImage, mode=netascii>
received DATA <block=1, 512 bytes>
sent ACK <block=1>
received DATA <block=2, 512 bytes>
sent ACK <block=2>
received DATA <block=3, 512 bytes>
...
sent ACK <block=4465>
received DATA <block=4466, 343 bytes>
Received 2286423 bytes in 0.5 seconds
tftp>

And this does NOT work:

user@ubuntu:~$ tftp
tftp> trace
Packet tracing on.
tftp> connect 129.196.194.210
tftp> 
tftp> get /boot/uImage
sent RRQ <file=/boot/uImage, mode=netascii>
sent RRQ <file=/boot/uImage, mode=netascii>
sent RRQ <file=/boot/uImage, mode=netascii>
sent RRQ <file=/boot/uImage, mode=netascii>
sent RRQ <file=/boot/uImage, mode=netascii>
Transfer timed out.

I can successfully SSH ( port 22 ) to my 192.168.1.10 server using the external router ip ( 129.196.194.210 ) so my port forwarding is working.

user@ubuntu:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 0a:0c:c9:b1:fa:43  
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feb1:da43/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:174803 errors:0 dropped:0 overruns:0 frame:0
          TX packets:155485 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:32417220 (32.4 MB)  TX bytes:94986400 (94.9 MB)
          Interrupt:19 Base address:0x2024 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:45130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45130 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:12913549 (12.9 MB)  TX bytes:12913549 (12.9 MB)

user@ubuntu:~$ ssh [email protected]
[email protected]'s password: 
Linux ubuntu 2.6.32-42-generic #96-Ubuntu SMP Wed Aug 15 18:57:09 UTC 2012 i686 GNU/Linux
Ubuntu 10.04.4 LTS

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/

New release 'precise' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Tue Sep 11 07:55:30 2012 from 129.196.194.210
user@ubuntu:~$ 

But the TFTP access from outside the router is constantly failing and timing out. What am I doing wrong? How can I fix this? Thanks -

Answer 1

TFTP through NAT is very problematic since it uses UDP, not TCP for the data transfer. You'll need to set have your router act as a TFTP proxy, which most home routers won't be able to do (but I know that pfSense has this feature).

Answer 2

You need tftp proxy or single port tftp configuration (because on rfc, tftp server must answer on another port, after receive request to 69 port ). Some tftp servers support this, for example:

1. Open tftp http://sourceforge.net/projects/tftp-server/
2. Patch for tftpd (hpa) - http://www.syslinux.org/archives/2010-March/014150.html