DHCP works but no internet to clients

davidka · Oct 30, 2019, 9:58 AM

okay I got fog set up, DHCP is giving out IP and booting to the fog menu. I’m using a server with two NICs
one is connected to my work network for internet, the second is on a separate switch to provide imaging and internet to client machines ( we use an isolated network for imaging of new machines)
I can ping from and remote in tothe server so I know its getting a network connection, just for whatever reason its not serving the connection through the second NIC along with the DHCP. I Feel like there needs to be something else in the DHCP config file, I just cant figure out what to put in there. This is on Fedora 30 with the latest Fogserver from github. (as of Oct 25 2019)

This is my current DHCPD config

# DHCP Server Configuration file\n#see /usr/share/doc/dhcp*/dhcpd.conf.sample
# This file was created by FOG
#Definition of PXE-specific options
# Code 1: Multicast IP Address of bootfile
# Code 2: UDP Port that client should monitor for MTFTP Responses
# Code 3: UDP Port that MTFTP servers are using to listen for MTFTP requests
# Code 4: Number of seconds a client must listen for activity before trying
#         to start a new MTFTP transfer
# Code 5: Number of seconds a client must listen before trying to restart
#         a MTFTP transfer
option space PXE;
option PXE.mtftp-ip code 1 = ip-address;
option PXE.mtftp-cport code 2 = unsigned integer 16;
option PXE.mtftp-sport code 3 = unsigned integer 16;
option PXE.mtftp-tmout code 4 = unsigned integer 8;
option PXE.mtftp-delay code 5 = unsigned integer 8;
option arch code 93 = unsigned integer 16;
use-host-decl-names on;
ddns-update-style interim;
ignore client-updates;
# Specify subnet of ether device you do NOT want service.
# For systems with two or more ethernet devices.
# subnet 136.165.0.0 netmask 255.255.0.0 {}
subnet 192.168.1.0 netmask 255.255.255.0{
    option subnet-mask 255.255.255.0;
    range dynamic-bootp 192.168.1.10 192.168.1.254;
    default-lease-time 21600;
    max-lease-time 43200;
   # option routers 192.168.1.1
    option domain-name-servers 8.8.8.8;
    next-server 192.168.1.1;
    class "Legacy" {
        match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:>
        filename "undionly.kkpxe";
    }
    class "UEFI-32-2" {
        match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:>
        filename "i386-efi/ipxe.efi";
 }
    class "UEFI-32-1" {
        match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:>
        filename "i386-efi/ipxe.efi";
    }
    class "UEFI-64-1" {
        match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:>
        filename "ipxe.efi";
    }
    class "UEFI-64-2" {
        match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:>
        filename "ipxe.efi";
    }
    class "UEFI-64-3" {
        match if substring(option vendor-class-identifier, 0, 20) = "PXEClient:>
        filename "ipxe.efi";
    }
    class "SURFACE-PRO-4" {
        match if substring(option vendor-class-identifier, 0, 32) = "PXEClient:>
        filename "ipxe.efi";
 }
    class "Apple-Intel-Netboot" {
        match if substring(option vendor-class-identifier, 0, 14) = "AAPLBSDPC/>
        option dhcp-parameter-request-list 1,3,17,43,60;
        if (option dhcp-message-type = 8) {
            option vendor-class-identifier "AAPLBSDPC";
            if (substring(option vendor-encapsulated-options, 0, 3) = 01:01:01)>
                # BSDP List
                option vendor-encapsulated-options 01:01:01:04:02:80:00:07:04:8>
                filename "ipxe.efi";
            }
        }
    }
}
#END OF DHCPD.conf

#AND this is my current NIC config(I stared out part of the IP because its my works IP from our ISP and you know, I don’t want to be the guy that gave the IP to the world.)

#This is the connection that gets internet from the network and allows remote connection for managing the server

eno1: connected to eno1
        "Intel 82579V"
        ethernet (e1000e), *C:*2:*9:20:CE:B0, hw, mtu 1500
        ip4 default
        inet4 ***.***.215.106/24
        route4 ***.***.215.0/24
        route4 0.0.0.0/0
        inet6 fe80::c**f:c9dd:**6f:d2bd/64
        route6 fe80::/64
        route6 ff00::/8

#This is the connection that DHCP is served to

enp3s0: connected to enp3s0
        "Intel 82574L"
        ethernet (e1000e), **:0*:CA:2C:5D:45, hw, mtu 1500
        inet4 192.168.1.1/24
        route4 192.168.1.0/24
        inet6 fe80::f111:****:3679:****/64
        route6 fe80::/64
        route6 ff00::/8

lo: unmanaged
        "lo"
        loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536

DNS configuration:
        servers: ***.***.37.20
        interface: eno1

        servers: ***.***.37.20
        interface: enp3s0

Sebastian Roth · Oct 30, 2019, 3:57 PM

@davidka Dual-NIC setups are advanced. You can make it work but it’s not something we support by default because every setup is somewhat different and it’s very hard to try and suite for all.

just for whatever reason its not serving the connection through the second NIC along with the DHCP.

Please explain what you mean by that. The config and information you posted seems ok so far.

george1421 · Oct 30, 2019, 5:37 PM

Ah I see what you are trying to do. What, do you think the fog server can be a router too?

The short answer is, YES you can do that.

You will need to update the dhcp server to tell to push the default route is the imaging network’s LAN interface on the fog server.

Then what you need to do is set a kernel parameter to allow forwarding between your network interfaces. I suggest that you google “linux kernel ip forwarding” to better understand what you are doing but the quick answer is this.
cat /proc/sys/net/ipv4/ip_forward
should return 0 so not forwarding.

echo 1> /proc/sys/net/ipv4/ip_forward
then
cat /proc/sys/net/ipv4/ip_forward
should return 1 so do IP forwarding.

To make it persistent (survive fog server reboots) you need to update /etc/sysctl.conf and add in as the last line net.ipv4.ip_forward = 1 On a line by itself.

Lastly if you need to send data back to your imaging network from your business lan, you will need to create a static route in the default router for your business lan describing the imaging network IP address and how to get there via the Business LAN interface of your fog server.

Understand this request has nothing to do with fog, but more to do with using linux as a router and pure IP routing.

davidka · Nov 5, 2019, 5:18 PM

I got it figured out. had to setup routes through iptable etc. Thanks.

george1421 · Nov 5, 2019, 5:45 PM

@davidka said in DHCP works but no internet to clients:

had to setup routes through iptable

I guess I can say OK to that, but iptables shouldn’t be involved here unless you are doing NAT. But if you have it working, great.

davidka · Nov 5, 2019, 5:51 PM

@george1421 Yes NAT got involved. lol.

now I’m having issues with capturing the images. all signs are pointing to tftp but nothing I’ve tried has worked.) Its saving the images to /images/dev using the client MAC as the folder name. It just never finishes the process so it wont restore the images.

george1421 · Nov 5, 2019, 5:57 PM

@davidka said in DHCP works but no internet to clients:

…all signs are pointing to tftp but nothing I’ve tried has worked.) Its saving the images to /images/dev using the client MAC as the folder name.

If this is the case then its not a tftp issue. If the files are being created in /images/dev FOS Linux is running at this point. TFTP is only used to deliver iPXE (FOG Menu) to the target computer.

It just never finishes the process so it wont restore the images.

What error is it giving you at this point. The upload is done. Do you see an error regarding FTP? A screen shot of the error should help us decide where to look next.

davidka · Nov 5, 2019, 6:45 PM

@george1421 I get that right after it gets done cloning. I recored that as a video its on my google drive https://drive.google.com/open?id=18fwBwbhZ34qPPnrlWwQA_EDyTevForsg I’ve got a couple guys on k-12 Technition suport group discord looking at with me too. (I found out about from the network admin at another school. I work at a college I’m trying to show my sysadmin we need to use FOG lol.)

Sebastian Roth · Nov 5, 2019, 7:49 PM

@davidka This Type: 1024 error is probably caused by a connection issue. We often have people post a similar picture but with authentication error. Here I guess it’s a connection thing. From the network where you have your hosts can you open a FTP connection from any of the clients (e.g. use WinSCP or FileZilla)? Username is fogproject and the password you find in /var/www/html/fog/lib/fog/config.class.php on your FOG server.

davidka · Nov 5, 2019, 8:42 PM

@Sebastian-Roth when I try to connect using an ftp client (coreftp) it gives me this:```

Connect socket #1904 to ***.***.215.106, port 22...
Can't establish connection --> ***.***.215.106:22 @ Tue Nov 05 14:38:50 2019   (0-38)
Connection Failed

I started out the first part of my IP as that is a a private IP for our school.

george1421 · Nov 5, 2019, 3:01 PM

@davidka Hmmm did someone play (test) with iptables that may be blocking ftp access? </snark>

Sebastian Roth · Nov 5, 2019, 9:01 PM

@davidka said in DHCP works but no internet to clients:

Connect socket #1904 to ..215.106, port 22…

Port 22 is SSH/SCP not FTP?!

george1421 · Nov 5, 2019, 9:03 PM

@davidka From your windows computer, can you ftp to 192.168.1.1 (your fog server I guess) with the user name of fogproject and the password found in /opt/fog/.fogsettings ? it will be a random long password. If you can connect via FTP from a windows computer then we have something else going wrong.

davidka · Nov 5, 2019, 9:09 PM

@Sebastian-Roth 22 is just was in the blank be default. I’m not sure what port it should be.

davidka · Nov 5, 2019, 9:13 PM

@george1421 I’ve changed that password in all its locations to a custom password. (but it was messing up before I did that though) and no it doesn’t connect.

Okay so I changed it to port 21 and got this

Connect socket #1760 to ***.***.215.106, port 21...
500 OOPS: tcp_wrappers is set to YES but no tcp wrapper support compiled in  
Can't establish connection --> ***.***.215.106:21 @ Tue Nov 05 15:12:53 2019   (0-

the 192.168.1.1 is my DHCP pool the server IP is different. it ends in 215.106

george1421 · Nov 5, 2019, 9:31 PM

@davidka said in DHCP works but no internet to clients:

the 192.168.1.1 is my DHCP pool the server IP is different. it ends in 215.106

You are going to have to explain how you have things setup, because from your picture the client is trying to connect to 192.168.1.1

I’m also concerned about this statement

I’ve changed that password in all its locations to a custom password

What does that mean? The fogproject service account is owned and managed by the fog installer. Its password shouldn’t be touched.

davidka · Nov 5, 2019, 3:51 PM

@george1421 I went into all the config files and changed it. didnt realize it was a big deal. But it was messing up even before I did that. do I need to run the fog installer again ?

I’ve got two NICs one is 192.168.1.1 for DHCP on an isolated network the other is ..215.106 this one has access to the rest of the schools network and assigned by my sysadmin. I needed to be able to remote into the server and supply intert the clients at the same time, so I have it configured to route the traffic from 192.168.1.1 through IP tables and NAT to the 215.106 interface.

My sysadmin does not want DHCP to the rest of the network, hence the utterly complex setup i’m trying to pull off. I’ve tryed to explain to him that FOG wants to be part of the main network, and is expecting a DHCP server to already be setup, etc. But at this time he don’t want that. Its a whole other rant for another time… (we are manually updating everything, not using SCCM or any thing…)

george1421 · Nov 5, 2019, 3:47 PM

@davidka Well there is a tutorial I have on resyncing all of the password locations that you can run through. You can change the password to what ever you like as long as its secure and consistent. https://forums.fogproject.org/topic/11203/resyncing-fog-s-service-account-password

Looking at your other posts it appears you do have the imaging lan nic set to 192.168.1.1 (at least in your OP).

From your fog server you can run this command to see if the ftp server is running. netstat -an | grep ":21" should show you the ftp server is up and running.

From either the imaging network or from your business network you should be able to connect to the ftp server on the FOG server using a windows computer and the ftp command line client. Again the password will be what is found in /opt/fog/.fogsettings file once you resync all of the passwords. If you can log in via ftp to the fog server then we will dig elsewhere.

davidka · Nov 5, 2019, 10:18 PM

@george1421

tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN

thats what that gave me.

and this

ftp> open ***.***.215.106
Connected to ***.***.215.106.
500 OOPS: tcp_wrappers is set to YES but no tcp wrapper support compiled in
Connection closed by remote host.

george1421 · Nov 5, 2019, 10:20 PM

@davidka said in DHCP works but no internet to clients:

500 OOPS: tcp_wrappers is set to YES but no tcp wrapper support compiled in

what is the OS distro FOG is running on?

DHCP works but no internet to clients

199

12.1k

17.3k

155.2k