Help with pfSense and TFTP / Polycom provisioning server

Using FreePBX 12 & OSS End Point Manager 2.11.7

We have a few Polycom IP331 here and I’m trying to make it so the phones don’t need any manual communication at all.

The way I understood it is that the DHCP server needs to inform the phone upon connection of the TFTP address.

Therefore, in pfSense, here’s what I did:

  1. System > Advanced > Firewall and NAT > Choose the interfaces where you want TFTP proxy helper to be enabled : LAN

  2. Services > DHCP server > TFTP server : LAN IP of my FreePBX server

It does not work… If i boot a IP331 it will not find the provisioning server.

If I type in the IP of the FreePBX server manually into the phone, then the rest of the process will go accordingly.
(so the provisioning server DOES work)

It’s just about auto-discovery.

Any ideas? Thanks!

Is your DHCP server setup to provide the phones with the IP of the provisioning server?

Well I have no idea how to find that out.

I tried posting on a pfSense forum and they have no idea what I’m talking about.

That’s why I turned to this forum, hoping someone had some experience with pfSense :smile:

But I just found a “workaround”

It’s not a work around per say, I just mean that I don’t use the default TFTP protocol but instead HTTP

I’m not sure about the implications of that so if that’s not a good idea please let me know why.

Anyway I just thought I’d post for someone looking to do the same thing as me.

Step 1 : FreePBX > End Point Configuration Manager > Advanced Settings > Settings
Change TFTP to HTTP

Step 2 : pfSense > Services > DHCP server > Additional BOOTP/DHCP Options
Add option 66 with TEXT : http://XXX/provisioning/p.php/

Where XXX is your FreePBX server IP.

Now you can even format completely a Polycom phone and it will boot by itself, then find the provisioning server using DHCP, download firmware, configure and VOILÀ.

PfSense (for some strange reason) requires you to create a specific TFTP out rule from LAN to WAN. the generic allow all out rule doesn’t get the job done, yeah, weird.

I’ve got over a dozen clients with PfSense firewalls getting phone configs from a “cloud” based provisioning server. You need that firewall rule

add TFTP LAN outbound rule (to allow IP phone configuration retrieval)
LAN net
allow TFTP out rule