Looks like you are having an issue with TFTP. With recent firewalld, you have to have some mechanism for inter-zone traffic. I'm not sure if the one on CentOS 7 is covered. Also, you didn't show the zones of your interfaces.
I have these on my setup where the storage server has 3 interfaces serving diskless clients via iscsi:
For my external zone:
[root@san ~]# ip -4 addr ls xenbr0
6: xenbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.33/27 brd 192.168.0.63 scope global dynamic noprefixroute xenbr0
       valid_lft 3181sec preferred_lft 3181sec
[root@san ~]#
[root@san ~]# firewall-cmd --get-zone-of-interface=xenbr0
external
[root@san ~]# firewall-cmd --zone=external --list-services
dhcp http https iscsi-target samba ssh tftp

And this is my internal zone:

[root@san ~]# ip -4 addr ls xenbr10
7: xenbr10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global noprefixroute xenbr10
       valid_lft forever preferred_lft forever
[root@san ~]#
[root@san ~]# firewall-cmd --get-zone-of-interface=xenbr10
internal
[root@san ~]# firewall-cmd --zone=internal --list-services
dhcp http https iscsi-target postgresql samba ssh tftp

I have these firewalld rules to enable the inter-zone traffic:

[root@san ~]# cat firewalld.txt
firewall-cmd --new-policy NAT_int_to_ext --permanent
firewall-cmd --permanent --policy NAT_int_to_ext --add-ingress-zone internal
firewall-cmd --permanent --policy NAT_int_to_ext --add-egress-zone external
firewall-cmd --permanent --policy NAT_int_to_ext --set-target ACCEPT

Finally, I tested things out from one of my VMs and tried to grab a file over TFTP:

user@debian:~$ ip -4 addr ls virbr0
5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000
    inet 192.168.10.15/24 brd 192.168.10.255 scope global dynamic virbr0
       valid_lft 2111sec preferred_lft 2111sec
user@debian:~$
user@debian:~$ tftp 192.168.10.1 -vc get ipxe.d/roms/undionly.kpxe
Connected to 192.168.10.1 (192.168.10.1), port 69
getting from 192.168.10.1:ipxe.d/roms/undionly.kpxe to undionly.kpxe [netascii]
Received 75436 bytes in 0.6 seconds [928658 bit/s]
user@debian:~$ ls -lh undionly.kpxe
-rw-r--r-- 1 user user 74K Dec 12 10:25 undionly.kpxe
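The policy in the reply above can be scripted and verified rather than typed by hand. The following is an added example and is not code from the poster: it generates the same firewall-cmd invocations (with an optional service-scoped variant, since `--set-target ACCEPT` lets every protocol pass from the ingress zone to the egress zone, while `--policy NAME --add-service tftp` admits only the service that is actually needed), and it checks `firewall-cmd --info-policy` and `--list-services` output for the expected zones, target and services. It assumes firewalld 0.9 or newer (policy objects); the `SAMPLE_POLICY_INFO` text is constructed to match the reply's zones and is not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for defining and
# verifying a firewalld inter-zone policy. Assumes firewalld >= 0.9.

# policy_cmds NAME INGRESS EGRESS [SERVICE ...]
# Print the firewall-cmd invocations that create a policy from zone INGRESS
# to zone EGRESS. With no SERVICE arguments the policy target becomes ACCEPT
# (everything is allowed through, as in the post); with services listed the
# target stays at its default CONTINUE and only those services are allowed.
policy_cmds() {
    name=$1; ingress=$2; egress=$3
    shift 3
    printf 'firewall-cmd --permanent --new-policy %s\n' "$name"
    printf 'firewall-cmd --permanent --policy %s --add-ingress-zone %s\n' "$name" "$ingress"
    printf 'firewall-cmd --permanent --policy %s --add-egress-zone %s\n' "$name" "$egress"
    if [ "$#" -eq 0 ]; then
        printf 'firewall-cmd --permanent --policy %s --set-target ACCEPT\n' "$name"
    else
        for svc in "$@"; do
            printf 'firewall-cmd --permanent --policy %s --add-service %s\n' "$name" "$svc"
        done
    fi
    printf 'firewall-cmd --reload\n'
}

# has_word LIST WORD: succeed if WORD is one of the space-separated items in
# LIST, e.g. the output of `firewall-cmd --zone=internal --list-services`.
has_word() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# field KEY: read `firewall-cmd --info-policy NAME` output on stdin and print
# the value of the "  KEY: value" line.
field() {
    awk -v k="$1" -F': ' '$1 ~ "^ *"k"$" { print $2 }'
}

# policy_ok INGRESS EGRESS TARGET: read --info-policy output on stdin and
# succeed only if the policy lists those zones and that target.
policy_ok() {
    info=$(cat)
    has_word "$(printf '%s\n' "$info" | field ingress-zones)" "$1" &&
    has_word "$(printf '%s\n' "$info" | field egress-zones)" "$2" &&
    [ "$(printf '%s\n' "$info" | field target)" = "$3" ]
}

# Constructed sample of `firewall-cmd --info-policy NAT_int_to_ext`, shaped
# like the reply's setup; not captured from a real host.
SAMPLE_POLICY_INFO='NAT_int_to_ext (active)
  priority: -1
  target: ACCEPT
  ingress-zones: internal
  egress-zones: external
  services: 
  masquerade: no'

# Demo: blanket policy as in the post, then a TFTP-only alternative.
echo "# blanket policy"
policy_cmds NAT_int_to_ext internal external
echo "# service-scoped policy"
policy_cmds tftp_int_to_ext internal external tftp

if printf '%s\n' "$SAMPLE_POLICY_INFO" | policy_ok internal external ACCEPT; then
    echo "policy check: ok"
else
    echo "policy check: zones or target do not match"
fi
```

On a real host, replace the sample with `firewall-cmd --info-policy NAT_int_to_ext | policy_ok internal external ACCEPT` and pair it with `has_word "$(firewall-cmd --zone=internal --list-services)" tftp` to confirm the server-facing zone admits TFTP at all.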