UEFI PXE Boot - Pain
-
@rogerbrowntdl Yes very similar to Fortigate. So I have a Fortigate 70D in my offline lab, and have it set up same as you, but for ipxe (UEFI only) boot. DHCP option 67 can only specify one file name. My suggestion is to see if your DHCP server supports DHCP relay. If it does, specify your FOG server IP address. Since your FOG server is already set up to not hand out IP addresses, you should be good to go after that. We have DHCP relay set up on our prod network and both UEFI and Legacy pxe boot work just fine.
Oh and unfortunately you cannot add UEFI to a legacy device as far as I know. Not sure if it is a hardware or firmware limitation.
-
@brakcounty How is your relay setup? Is it a different server or running from fortigate itself?
-
@rogerbrowntdl https://forums.fogproject.org/topic/12796/installing-dnsmasq-on-your-fog-server
This is the easiest solution, it takes about 10 minutes to setup. If you are running subnets on your network you (after dnsmasq is installed and you remove the pxe boot info from your firewall/router) add the fog server’s IP address as the last server in your dhcp-relay /dhcp-helper service on your subnet router. This is only needed if you need to pxe boot computers not on the same subnet as the fog/dnsmasq server.
A bit longer answer is that your firewall/routers dhcp server most likely doesn’t support dynamic pxe booting, in that it will change the boot file name based on bios or uefi pxe booting computer.
-
@rogerbrowntdl We have the Fortigate DHCP relay set up with the FOG server IP. I did however have to install dnsmasq on my FOG server and disable tftpd.service. Here is where I found the instructions: https://forums.fogproject.org/topic/12133/fog-on-existing-dhcp-server
The code posted by @george1421 needed one line added which is marked below. Just remove the asterisks:
# Don't function as a DNS server: port=0 # Log lots of extra information about DHCP transactions. log-dhcp **# Enable TFTP enable-tftp** # Set the root directory for files available via FTP. tftp-root=/tftpboot # The boot filename, Server name, Server Ip Address dhcp-boot=undionly.kpxe,,<fog_server_IP> # Disable re-use of the DHCP servername and filename fields as extra # option space. That's to avoid confusing some old or broken DHCP clients. dhcp-no-override # inspect the vendor class string and match the text to set the tag dhcp-vendorclass=BIOS,PXEClient:Arch:00000 -
@george1421 @brakcounty
So the DHCP server runs off our Watchguard and is a separate network (we have one for our production lan and one for our build lab)
I can change the Watchguard interface from a DHCP server to a relay server but that would mean it wouldnt hand out DHCP leases right?
-
@rogerbrowntdl With this setup the dnsmasq server only provides pxe boot information using the proxydhcp protocol. It does not manage ip address with this configuration. Its intended to augment your existing dhcp server.
-
@rogerbrowntdl We would typically use this if your dhcp server is managed by an outside party, or your dhcp server settings can’t be changed or your dhcp server does not support dynamic pxe booting (pfsense router does by the way so dnsmasq on the fog server isn’t needed here).
-
This post is deleted! -
@george1421 So in effect, I just leave the Watchguard as a DHCP server, set option 66 and 150 to point to my FOG box, remove option 67 and then install DNSMasq? Or do I remove ALL options from my Watchguard and install DNSMasq?
Forgive my lack of knowledge on the subject lol. How does the PXE request then get to the FOG server? Does the client, send a DHCP request to the Watchguard and then a broadcast for PXE or do I need to leave something in the Watchguard to tell the client to go to FOG?
-
@rogerbrowntdl dnsmasq runs on the FOG server to detect architecture and boot type then serve the boot files over tftp. This is my understanding of how it all works:
PC sends DHCP server a request for an IP address with a pxe packet.
DHCP assigns an IP address then directs (relays) the PC to the FOG server.
FOG Server handles this request by sending either undionly.kpxe or ipxe.efi depending on the architecture of the PC (dnsmasq tftp service).
PC downloads and executes the correct file.
After that FOG loads the boot menus. -
@brakcounty Thats my question really, do I need to leave a setting in (66 67 or 150) to tell the Watchguard to send the PXE request to FOG? I presume I need to put a setting in somewhere or the client wont know where to go for it’s PXE boot
-
@rogerbrowntdl said in UEFI PXE Boot - Pain:
do I need to leave a setting in (66 67 or 150)
For clarity I would remove them from watchguard dhcp. Actually dhcp option 150 is not a thing at least for pxe booting. From a functional standpoint proxydhcp will override the values provided in the dhcp packet. The advantage of running dnsmasq on the FOG server is that when the fog server is not running, no pxe boot information will be handed out. All clients will boot normally, but this is also the issue with leaving unmanaged settings in dhcp where sometime down the road if the fog server isn’t running things might behave a bit unexpected if the old dhcp settings are found by the client computers.
-
@rogerbrowntdl said in UEFI PXE Boot - Pain:
I presume I need to put a setting in somewhere or the client wont know where to go for it’s PXE boot
With the proxy dhcp response that tells the target computer once you have an ip address speak to this server (the fog server’s dnsmasq) to get the pxe boot information. Other than setting up dnsmasq there is nothing else that needs to be touched (as long as the fog server and pxe booting clients are on the same subnet)
-
@brakcounty You mention you had to disable tftpd.service and yet your line in that code says “enable-tftp” Are they different things? (Yes I’m a noob to all this but up until recently FOG was a mint replacement to the shitty MDT box we had - Just damn manufacturers now stopping legacy option in bios means i’m forced to change this to UEFI)
-
@rogerbrowntdl Yes they are two different services. tftpd is what FOG uses by default. The TFTP protocol listens on TCP port 69, so two services cannot listen on the same port at the same time.
-
@brakcounty Okay makes sense… dnsmasq was already installed and configured… Weird that it wouldnt boot before (hence we had to go the legacy option I believe) however now when I try and start dnsmasq it tells me to piss off because 69 is already in use?
"[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server…
[624]: dnsmasq: syntax check OK.
[678]: dnsmasq: failed to create listening socket for port 69: Address already >
[678]: failed to create listening socket for port 69: Address already in use
[678]: FAILED to start up
[1]: dnsmasq.service: Control process exited, code=exited, status=2/INVALIDARGU>
[1]: dnsmasq.service: Failed with result ‘exit-code’.
[1]: Failed to start dnsmasq - A lightweight DHCP and caching DNS server. -
@rogerbrowntdl said in UEFI PXE Boot - Pain:
[678]: dnsmasq: failed to create listening socket for port 69: Address already >
This kind of indicates you did not follow the config file exactly. Since dnsmasq should not attempt to use tftp port with this configuraiton. Please post your complete ltsp.conf file here for review.
-
@rogerbrowntdl Ok so it seems that tftpd might still be running.
First stop and disable the tftpd servicesudo systemctl stop tftpd.service && sudo systemctl disable tftpd.serviceMake sure dnsmasq isn’t running
sudo systemctl stop dnsmasq.serviceEdit/Create a file called ltsp.conf in the /etc/dnsmasq.d directory
sudo nano /etc/dnsmasq.d/ltsp.confPaste the following code and replace <fog_server_IP> with your FOG server’s IP address
# Don't function as a DNS server: port=0 # Log lots of extra information about DHCP transactions. log-dhcp # Enable TFTP enable-tftp # Set the root directory for files available via FTP. tftp-root=/tftpboot # The boot filename, Server name, Server Ip Address dhcp-boot=undionly.kpxe,,<fog_server_IP> # Disable re-use of the DHCP servername and filename fields as extra # option space. That's to avoid confusing some old or broken DHCP clients. dhcp-no-override # inspect the vendor class string and match the text to set the tag dhcp-vendorclass=BIOS,PXEClient:Arch:00000Then start dnsmasq
sudo systemctl start dnsmasq.serviceLet me know how that works out for you.
-
@george1421 My ltsp file:
# Don't function as a DNS server: port=0 # Log lots of extra information about DHCP transactions. log-dhcp # Enable TFTP enable-tftp <<<<<<I added this bit as per @brakcounty suggested from his config # Set the root directory for files available via FTP. tftp-root=/tftpboot # The boot filename, Server name, Server Ip Address dhcp-boot=undionly.kpxe,,192.168.15.251 # Disable re-use of the DHCP servername and filename fields as extra # option space. That's to avoid confusing some old or broken DHCP clients. dhcp-no-override # inspect the vendor class string and match the text to set the tag dhcp-vendorclass=BIOS,PXEClient:Arch:00000 dhcp-vendorclass=UEFI32,PXEClient:Arch:00006 dhcp-vendorclass=UEFI,PXEClient:Arch:00007 dhcp-vendorclass=UEFI64,PXEClient:Arch:00009 # Set the boot file name based on the matching tag from the vendor class (above) dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,192.168.15.251 dhcp-boot=net:UEFI,ipxe.efi,,192.168.15.251 dhcp-boot=net:UEFI64,ipxe.efi,,192.168.15.251 # PXE menu. The first part is the text displayed to the user. The second is the timeout, in seconds. pxe-prompt="Booting FOG Client", 1 # The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86, # Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI # This option is first and will be the default if there is no input from the user. pxe-service=X86PC, "Boot to FOG", undionly.kpxe pxe-service=X86-64_EFI, "Boot to FOG UEFI", ipxe.efi pxe-service=BC_EFI, "Boot to FOG UEFI PXE-BC", ipxe.efi dhcp-range=192.168.15.251,proxy -
@rogerbrowntdl said in UEFI PXE Boot - Pain:
# Enable TFTP enable-tftp <<<<<<I added this bit as per @brakcounty suggested from his configYeah, lets go and take that out of your config file. FOG installs a tftp service where this setting will conflict. Go ahead and restart dnsmasq after that.