Difference between revisions of "Manual:IP/TFTP"

From MikroTik Wiki
Latest revision as of 11:09, 26 April 2019

Summary

Standards: RFC 1350, RFC 2348

TFTP is a very simple protocol used to transfer files; that is where its name comes from: Trivial File Transfer Protocol. Each non-terminal packet is acknowledged separately. RouterOS has had a built-in TFTP server since v3.22.

Warning: Since version 4.4, setting up TFTP rules requires the sensitive policy to be enabled for your account.


Note: Since RouterOS 5.6 the TFTP server supports sequence number roll-over. It has to be enabled specifically on the TFTP rule that should allow it.


TFTP

Sub-menu level: /ip tftp

This menu contains all TFTP access rules. If there are no rules in this menu, the TFTP server is not started when RouterOS boots. The menu shows only one attribute in addition to those you can set when creating a rule; it is described below.

  • hits - how many times this access rule entry has been used (read-only)

Add new access rule

Expansion of command: /ip tftp add

To add a new TFTP access rule, issue the add command under the /ip tftp menu with the following attributes:

  • ip-address (required) - range of IP addresses accepted as clients; if empty, 0.0.0.0/0 is used
  • allow-rollover (default: no) - if set to yes, the TFTP server allows the sequence number to roll over when the maximum value is reached. This is used to enable large downloads from the TFTP server.
  • req-filename - requested filename as a regular expression (regex); if the field is left empty it defaults to .*
  • real-filename - if req-filename and real-filename are set and valid, the requested filename is replaced with the matched file. This field has to be set. If multiple regex groups are specified in req-filename, this field can specify which of them must match for the rule to be validated; the real-filename format for multiple regex groups is filename\0\5\6
  • allow (default: yes) - allow the connection if the above fields match; if no, the connection is interrupted
  • read-only (default: no) - sets whether the file can be written to; if set to "no", a write attempt will fail with an error

TFTP settings

Sub-menu level: /ip tftp settings

This menu contains all TFTP settings.

  • max-block-size (default: 4096) - maximum accepted block size. During the transfer negotiation phase, the RouterOS device will not negotiate a larger value than this.



req-filename field allowed regexp

The following regex constructs are allowed in this field:

  • brackets () - mark a subsection (group)
    example 1: a(sd|fg) will match asd or afg
  • asterisk "*" - matches the preceding symbol zero or more times
    example 1: a* will match a name of any length consisting purely of the symbol a, or no symbols at all
    example 2: .* will match a name of any length, including an empty field
    example 3: as*df will match adf, asdf, assdf, asssdf etc.
  • plus "+" - matches the preceding symbol one or more times
    example: as+df will match asdf, assdf etc.
  • dot "." - matches any symbol
    example: as.f will match asdf, asbf, ashf etc.
  • square brackets [] - matches any one of the enclosed symbols
    example: as[df] will match asd and asf
  • question mark "?" - matches the preceding symbol once or not at all
    example: asd?f will match asdf and asf
  • caret "^" - used at the beginning of the expression, means that the name starts with what follows
  • dollar "$" - means the end of the name

Examples

  • example 1: if the file is requested, return the file from the store called sata1:
/ip tftp add req-filename=file.txt real-filename=/sata1/file.txt allow=yes read-only=yes
  • example 2: to give out one specific file no matter what the user requests:
/ip tftp add req-filename=.* real-filename=/sata1/file.txt allow=yes read-only=yes
  • example 3: if the user requests aaa.bin or bbb.bin, give them ccc.bin:
/ip tftp add req-filename="(aaa.bin)|(bbb.bin)" real-filename="/sata1/ccc.bin\\0" allow=yes read-only=yes
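As an added illustration (a Python model written for this page, not RouterOS code or anything from the manual), the following simulates how a client request is matched against access rules like the three examples above, including the \N markers in real-filename. The rule-evaluation order, the unanchored regex search, the reading of \N as "group N must have matched" and the client subnet 192.168.88.0/24 are assumptions drawn from the wording of this page.

```python
import ipaddress
import re
from dataclasses import dataclass

MARKER = re.compile(r"\\(\d+)")  # \N markers inside real-filename


@dataclass
class TftpRule:
    """One /ip tftp access rule; empty ip-address/req-filename use the manual's defaults."""
    ip_address: str = "0.0.0.0/0"
    req_filename: str = ".*"
    real_filename: str = ""
    allow: bool = True
    read_only: bool = False
    hits: int = 0


def evaluate(rules, client_ip, requested, write=False):
    """Return the path the server would serve, or None if it refuses.
    Assumptions not stated by the manual: rules are checked in order and the
    first match decides; req-filename is an unanchored search; a \\N marker
    requires regex group N (0 = whole match) to have taken part in the match
    and is stripped from the path; a request matching no rule is refused."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        if addr not in ipaddress.ip_network(rule.ip_address or "0.0.0.0/0"):
            continue
        m = re.search(rule.req_filename or ".*", requested)
        if m is None:
            continue
        target = rule.real_filename or requested
        needed = [int(g) for g in MARKER.findall(target)]
        if any(g > m.re.groups or m.group(g) is None for g in needed):
            continue  # the sub-pattern this rule validates did not match
        rule.hits += 1  # counted like the read-only "hits" attribute
        if not rule.allow or (write and rule.read_only):
            return None  # connection interrupted / write rejected
        return MARKER.sub("", target)
    return None


def example_rules():
    """The manual's three example rules, limited to one constructed client
    subnet and ordered so the catch-all ".*" rule comes last."""
    net = "192.168.88.0/24"
    return [
        TftpRule(net, "file.txt", "/sata1/file.txt", read_only=True),
        TftpRule(net, "(aaa.bin)|(bbb.bin)", "/sata1/ccc.bin\\0", read_only=True),
        TftpRule(net, ".*", "/sata1/file.txt", read_only=True),
    ]
```

Putting the catch-all rule first would shadow the more specific ones, which is the same ordering concern an operator has when several rules share a client range.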

Troubleshooting

RouterOS receives TFTP requests, but the client gets a transfer timeout

Some embedded clients request large block sizes and yet do not handle fragmented packets correctly. For these clients, set "max-block-size" on the RouterOS side or "blksize" on the client side to the smallest MTU on your network minus 32 bytes (20 bytes for IP, 8 for UDP, and 4 for TFTP), and subtract more if you use IP options on your network.