FreePBX autoprovisioning

Dashrender

Have you done this?

I've found several wiki pages on building the configuration files, but nothing about setting up DHCP to option 66 or how to make sure tftp is running on the FreePBX server, etc.

I've purchased the Endpoint manager module and created a template and a config for a few phones, but when I ftp IP:69 from my windows workstation to my FreePBX box I get Connection Refused. I get the same when I ftp from the FreePBX box itself.

netstat -a | grep tftp provides

udp        0      0 *:tftp                      *:*

So I think it's enabled.

netstat -unlp | grep xinetd

udp        0      0 0.0.0.0:69                  0.0.0.0:*                               1119/xinetd

This tells me it's on port 69, OK.

iptables-save

# Generated by iptables-save v1.4.7 on Wed Jul  1 15:59:46 2015
*filter
:INPUT ACCEPT [1077942:539260982]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [931595:198694389]
:fail2ban-BadBots - [0:0]
:fail2ban-FTP - [0:0]
:fail2ban-PBX-GUI - [0:0]
:fail2ban-SIP - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-apache-auth - [0:0]
:fail2ban-recidive - [0:0]
-A INPUT -p tcp -j fail2ban-FTP
-A INPUT -p tcp -j fail2ban-apache-auth
-A INPUT -p tcp -j fail2ban-BadBots
-A INPUT -j fail2ban-SIP
-A INPUT -j fail2ban-PBX-GUI
-A INPUT -p tcp -j fail2ban-SSH
-A INPUT -j fail2ban-recidive
-A fail2ban-BadBots -j RETURN
-A fail2ban-FTP -j RETURN
-A fail2ban-PBX-GUI -j RETURN
-A fail2ban-SIP -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-apache-auth -j RETURN
-A fail2ban-recidive -s 142.54.168.154/32 -j DROP
-A fail2ban-recidive -j RETURN
COMMIT

Now it looks like tftp is not setup for access through iptables. Am I right? If so, how should I solve this?

#iptables -L -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-FTP  tcp  --  0.0.0.0/0            0.0.0.0/0
fail2ban-apache-auth  tcp  --  0.0.0.0/0            0.0.0.0/0
fail2ban-BadBots  tcp  --  0.0.0.0/0            0.0.0.0/0
fail2ban-SIP  all  --  0.0.0.0/0            0.0.0.0/0
fail2ban-PBX-GUI  all  --  0.0.0.0/0            0.0.0.0/0
fail2ban-SSH  tcp  --  0.0.0.0/0            0.0.0.0/0
fail2ban-recidive  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-BadBots (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-FTP (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-PBX-GUI (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SIP (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Google provided
iptables -A INPUT -m state --state NEW -i eth0 -p udp --dport 69 -j ACCEPT

But then states something to the effect that like FTP it needs help setting up a second connection on a higher port for actual transport of files.

selinux is disabled.

JaredBusch

Did you try and connect with a TFTP client from your desktop?

If that failed, then simply turn off the firewall on the PBX and try again. That will tell you if that is the problem.

Dashrender

This looks promising.

I'll try it in the morning.

http://community.freepbx.org/t/tftp/16037/5

JaredBusch

@Dashrender said:

This looks promising.

Why are you still chasing server side information?
Start at the beginning.
You installed the module and setup a phone
You setup your DHCP option
You rebooted a phone and it did not pull a config.

Now, to troubleshoot. The first thing you should do is attempt to connect manually from a windows or linux box where you can see what is happening.
You never confirmed if you could connect to the tftp server manually.

Once you confirm that, then you can go into more testing.

Turn off the firewall on the FreePBX machine
Check if the tftp service is running
Check if there is something wrong with the tftp server config
More advanced troubleshooting

Dashrender

I can't connect from Windows - I get "timedout occured."

there is no file /etc/sysconfig/iptables, according to http://community.freepbx.org/t/iptables-and-freepbx-distro/18352/2 , iptables is not enabled by default on FreePBX distros - and since it's missing the config file, I'm guessing that iptables is not doing anything. That said, I did type
service iptables stop

iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]

then tried again, and same thing, "timeout occurred."

I thought the following was the evidence that that tftp is running - am I wrong?

netstat -a | grep tftp provides

udp 0 0 *:tftp :

But now that I'm typing this, I found the chkconfig command and it's output for xinetd is:

xinetd based services:
    chargen-dgram:  off
    chargen-stream: off
    daytime-dgram:  off
    daytime-stream: off
    discard-dgram:  off
    discard-stream: off
    echo-dgram:     off
    echo-stream:    off
    rsync:          off
    tcpmux-server:  off
    tftp:           on
    time-dgram:     off
    time-stream:    off

This shows that tftp is on.
3) the contents of my /etc/xinetd.d/tftp is:

# default: off
# description: The tftp server serves files using the trivial file transfer \
#       protocol.  The tftp protocol is often used to boot diskless \
#       workstations, download configuration files to network-aware printers, \
#       and to start the installation process for some operating systems.
service tftp
{
    disable = no
    socket_type             = dgram
    protocol                = udp
    wait                    = yes
    user                    = root
    server                  = /usr/sbin/in.tftpd
    server_args             = -s /tftpboot
    per_source              = 11
    cps                     = 100 2
    flags                   = IPv4
}

(ML is changing the spacing, I don't recall how to show code to keep formatting)

Dashrender

I found a post where someone said they were having problems, so they deleted their tftp file and recreated it, I did that, rebooted - still not working.

Dashrender

OK shoot myself in the face - my windows firewall was preventing tftp from working, UG!

Seems to be OK.

Dashrender

And Auto Provisioning is working - though the time wrong... yet it tells me the correct timezone. weird.

scottalanmiller

Well, if the timezone is definitely correct and the time is wrong.... maybe you have not set the time correctly? No matter how well a clock keeps time if it is set incorrectly it will just keep the time off by a steady amount.

Dashrender

@scottalanmiller said:

Well, if the timezone is definitely correct and the time is wrong.... maybe you have not set the time correctly? No matter how well a clock keeps time if it is set incorrectly it will just keep the time off by a steady amount.

HUH? It's suppose to pull time from 0.us.pool.ntp.org

I would hope it pulls UTC time from them, then sets the offset based on my timezone.

scottalanmiller

@Dashrender said:

HUH? It's suppose to pull time from 0.us.pool.ntp.org

I would hope it pulls UTC time from them, then sets the offset based on my timezone.

I did not see you listing that as being set. Have you manually brought them into sync so that they can set the time? If they start too far off NTP can't correct it.

Try restarting the NTP service manually and see if it syncs up.

How much is it off by? Is it skewed or is it off by exactly X number of hours? The use of UTC to your OS time is determined by the UTC setting, not NTP.

Dashrender

@scottalanmiller said:

@Dashrender said:

HUH? It's suppose to pull time from 0.us.pool.ntp.org

I would hope it pulls UTC time from them, then sets the offset based on my timezone.

I did not see you listing that as being set. Have you manually brought them into sync so that they can set the time? If they start too far off NTP can't correct it.

Try restarting the NTP service manually and see if it syncs up.

How much is it off by? Is it skewed or is it off by exactly X number of hours? The use of UTC to your OS time is determined by the UTC setting, not NTP.

How would you manually reset the NTP on a phone?

It's off by 10 hours 5 mins.

scottalanmiller

OH, it's the phone. I see. Well in theory, same way as on a computer as most phones are Linux. But you may not be able to. Try restarting the phones. Or see if there is a way to manually set it to close enough so that NTP can correct it.

Dashrender

yeah, my phone. FreePBX is fine!

I'll try just unplugging and replugging the phone.

scottalanmiller

"Have you tried turning it off and back on again?" Tee hee.

Dashrender

@scottalanmiller said:

"Have you tried turning it off and back on again?" Tee hee.

Ha, beat you to that one