PXE boot under Fortigate 40C
-
Server
- FOG Version: 1.3.5 svn Revision 6067
- OS: Ubuntu 16.04.2 LTS
Client
- Service Version:
- OS: Windows 10 64bit
Description
Greetings,
We have around 80 hosts running Win10 64bit.
When FOG is set up as the DHCP server everything works and I am able to deploy and capture an image to and from them.
The drawback is that it kills the network, and I prefer using my FGT to handle traffic and provide the DHCP service instead. Attached is my FGT40C config file:
FGT firmware version 5.2.5 build 701 (GA)
thanks in advance,
Kpax -
<edit> Looking at the Fortigate configuration closer I can see one BIG mistake that is causing fog to not be happy. FOG no longer uses pxelinux.0 as a boot kernel. You MUST use one of the current iPXE kernels of undionly.kpxe or ipxe.kpxe or ipxe.efi [for uefi systems]. If you do not follow this warning you will have no joy. </edit>
We had someone else in the last month or so with the same configuration. What I want you to do is to switch back to using your Fortigate as your dhcp server. Make sure your environment works as it should (except fog). Once you are sure your Fortigate is functioning as it did then we can work on making fog behave like we need.
Note: Make sure you disable the dhcp server in FOG or you will have unexpected results
When your main dhcp server is setup we will install a service on the fog server called dnsmasq. DNSMasq is a ProxyDHCP server, in that we will use dnsmasq to provide the missing pxe boot information that your Fortigate can’t provide.
Install dnsmasq using your FOG servers linux distribution repository. I think this is the right command for ubuntu
sudo apt-get install dnsmasq
Once that is installed run
sudo chkconfig dnsmasq on
Then paste the contents of the following into
/etc/dnsmasq.d/ltsp.conf
# Don't function as a DNS server:
port=0
# Log lots of extra information about DHCP transactions.
log-dhcp
# Set the root directory for files available via FTP.
tftp-root=/tftpboot
# The boot filename, Server name, Server Ip Address
dhcp-boot=undionly.kpxe,,<fog_server_IP>
# Disable re-use of the DHCP servername and filename fields as extra
# option space. That's to avoid confusing some old or broken DHCP clients.
dhcp-no-override
# inspect the vendor class string and match the text to set the tag
dhcp-vendorclass=BIOS,PXEClient:Arch:00000
dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
dhcp-vendorclass=UEFI,PXEClient:Arch:00007
dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
# Set the boot file name based on the matching tag from the vendor class (above)
dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,<fog_server_IP>
dhcp-boot=net:UEFI,ipxe.efi,,<fog_server_IP>
dhcp-boot=net:UEFI64,ipxe.efi,,<fog_server_IP>
# PXE menu. The first part is the text displayed to the user. The second is the timeout, in seconds.
pxe-prompt="Booting FOG Client", 1
# The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
# Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI
# This option is first and will be the default if there is no input from the user.
pxe-service=X86PC, "Boot to FOG", undionly.kpxe
pxe-service=X86-64_EFI, "Boot to FOG UEFI", ipxe.efi
pxe-service=BC_EFI, "Boot to FOG UEFI PXE-BC", ipxe.efi
dhcp-range=<fog_server_ip>,proxy
Don’t forget to replace <fog_server_ip> in the above text with the IP address of your fog server. The tag appears many times. Now before you start dnsmasq I want you to run the following command and post the results here
dnsmasq -v
If the version is not 2.76 then we need to compile 2.76 to get bios and uefi compatibility. https://forums.fogproject.org/topic/8725/compiling-dnsmasq-2-76-if-you-need-uefi-support
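As an added example (not part of this thread and not FOG project code), here is a small Python checker for the ltsp.conf layout above. It parses the dhcp-vendorclass, dhcp-boot and pxe-service lines, predicts which boot file a client presenting a given PXEClient:Arch:000XX vendor class (DHCP option 60) would be offered, flags a leftover <fog_server_ip> placeholder, a non-proxy dhcp-range or a non-zero port (either of which would make dnsmasq compete with the Fortigate instead of only supplementing it), warns if pxelinux.0 is still the default kernel, and checks a `dnsmasq -v` banner against the 2.76 minimum stated in this thread. The config text and version strings inside are constructed samples modelled on the ones posted; the vendor-class matching is substring-based, which is how dnsmasq's dhcp-vendorclass is documented to behave.

```python
"""Check a dnsmasq ProxyDHCP (ltsp.conf) setup for FOG and predict which boot
file each PXE client architecture will be offered. Added example for the
forum thread; not FOG project code. All sample input below is constructed."""
import re

# Constructed sample: the thread's ltsp.conf with one placeholder left unreplaced.
SAMPLE_CONF = """
port=0
log-dhcp
tftp-root=/tftpboot
dhcp-boot=undionly.kpxe,,10.0.0.140
dhcp-no-override
dhcp-vendorclass=BIOS,PXEClient:Arch:00000
dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
dhcp-vendorclass=UEFI,PXEClient:Arch:00007
dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,10.0.0.140
dhcp-boot=net:UEFI,ipxe.efi,,<fog_server_IP>
dhcp-boot=net:UEFI64,ipxe.efi,,10.0.0.140
pxe-prompt="Booting FOG Client", 1
pxe-service=X86PC, "Boot to FOG", undionly.kpxe
pxe-service=X86-64_EFI, "Boot to FOG UEFI", ipxe.efi
dhcp-range=10.0.0.140,proxy
"""

PLACEHOLDER = re.compile(r"<fog_server_ip>", re.IGNORECASE)
VERSION_RE = re.compile(r"Dnsmasq version (\d+)\.(\d+)")


def parse_conf(text):
    """Parse the dnsmasq options this setup relies on. Both the old 'net:'/bare
    tag syntax used in the thread and the newer 'tag:'/'set:' forms are accepted."""
    cfg = {"vendorclass": {}, "boot": {}, "default_boot": None,
           "pxe_service": {}, "range": None, "port": None, "tftp_root": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "port":
            cfg["port"] = int(value)
        elif key == "tftp-root":
            cfg["tftp_root"] = value
        elif key == "dhcp-range":
            cfg["range"] = value
        elif key == "dhcp-vendorclass":             # tag,substring-of-option-60
            tag, needle = (s.strip() for s in value.split(",", 1))
            cfg["vendorclass"][tag[4:] if tag.startswith("set:") else tag] = needle
        elif key == "dhcp-boot":                    # [net:tag,]file,servername,serverip
            parts = [p.strip() for p in value.split(",")]
            if parts[0].startswith(("net:", "tag:")):
                tag = parts[0].split(":", 1)[1]
                cfg["boot"][tag] = (parts[1], parts[3] if len(parts) > 3 else "")
            else:
                cfg["default_boot"] = (parts[0], parts[2] if len(parts) > 2 else "")
        elif key == "pxe-service":                  # csa,"menu text",file
            m = re.match(r'^(\S+)\s*,\s*"([^"]*)"\s*,\s*(\S+)$', value)
            if m:
                cfg["pxe_service"][m.group(1)] = (m.group(2), m.group(3))
    return cfg


def boot_file_for(cfg, option60):
    """(file, server_ip, tag) a client sending this option-60 string is offered:
    the first tag whose needle is a substring and has a tagged dhcp-boot wins,
    otherwise the untagged dhcp-boot (what the BIOS tag falls through to here)."""
    for tag, needle in cfg["vendorclass"].items():
        if needle in option60 and tag in cfg["boot"]:
            return cfg["boot"][tag] + (tag,)
    if cfg["default_boot"] is None:
        return (None, None, "none")
    return cfg["default_boot"] + ("default",)


def findings(cfg, conf_text):
    """Misconfigurations that would either break PXE or turn dnsmasq into a
    second lease-issuing DHCP server next to the Fortigate."""
    issues = []
    if PLACEHOLDER.search(conf_text):
        issues.append("placeholder <fog_server_ip> still present")
    if cfg["port"] != 0:
        issues.append("port is not 0: dnsmasq would also answer DNS on this host")
    if not (cfg["range"] or "").endswith(",proxy"):
        issues.append("dhcp-range is not a proxy range: dnsmasq would hand out leases")
    if cfg["tftp_root"] is None:
        issues.append("tftp-root missing")
    for tag in ("UEFI", "UEFI64"):
        if cfg["boot"].get(tag, ("",))[0] != "ipxe.efi":
            issues.append(f"{tag} clients are not pointed at ipxe.efi")
    if cfg["default_boot"] and cfg["default_boot"][0] == "pxelinux.0":
        issues.append("pxelinux.0 is no longer a FOG boot kernel; use undionly.kpxe")
    return issues


def dnsmasq_new_enough(v_output, minimum=(2, 76)):
    """True if a `dnsmasq -v` banner reports at least `minimum` (2.76 per the thread)."""
    m = VERSION_RE.search(v_output)
    return m is not None and (int(m.group(1)), int(m.group(2))) >= minimum


if __name__ == "__main__":
    cfg = parse_conf(SAMPLE_CONF)
    for vc in ("PXEClient:Arch:00000:UNDI:002001", "PXEClient:Arch:00007:UNDI:003016"):
        print(vc, "->", boot_file_for(cfg, vc))
    for issue in findings(cfg, SAMPLE_CONF):
        print("CHECK:", issue)
    print("2.75 new enough?", dnsmasq_new_enough("Dnsmasq version 2.75 Copyright (c) 2000-2015 Simon Kelley"))
```

Run it against the real /etc/dnsmasq.d/ltsp.conf by reading the file into parse_conf instead of SAMPLE_CONF; with the sample as written it reports the one unreplaced placeholder, sends a legacy BIOS client to undionly.kpxe and an Arch:00007 client to ipxe.efi, and rejects the 2.75 banner.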
-
@george1421
Awesome mate, will follow the instructions and update. Much appreciated.
-
@Kpax I don’t know much about the FGT config itself but what jumps at me is that you are trying to use pxelinux.0 instead of undionly.kpxe … Why that? -
greetings,
some update, following your instruction, thanks again…
1. FGT configuration
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 10.0.0.136
        set next-server 10.0.0.140
        set netmask 255.255.255.0
        set interface "internal"
        config ip-range
            edit 1
                set start-ip 10.0.0.110
                set end-ip 10.0.0.190
            next
        end
        set filename "undionly.kpxe" /* been tested with the value of undionly.kpxe or ipxe.kpxe or ipxe.efi */
        set option1 67 '0A00008C'
        set option2 66
        config reserved-address
            edit 1
                set ip 10.0.0.140
                set mac 00:00:00:00:00:00
            next
        end
    next
end
- FGT is functioning well as DHCP server all hosts are receiving the correct IP and able access to the internet
- FOG DHCP server role has been uninstalled (without dependent packages)
sudo apt-get remove isc-dhcp-server
- DNSMasq has been installed
sudo apt-get install dnsmasq
- The chkconfig command is no longer in use under Ubuntu 16.04.2 LTS; the equivalent command is update-rc.d
fogadmin@fog-srv:~$ sudo update-rc.d dnsmasq on
usage: update-rc.d [-n] [-f] <basename> remove
       update-rc.d [-n] <basename> disable|enable [S|2|3|4|5]
                -n: not really
                -f: force
The disable|enable API is not stable and might change in the future.
fogadmin@fog-srv:~$ sudo update-rc.d dnsmasq on^C
fogadmin@fog-srv:~$ /etc/init.d/dnsmasq start
[....] Starting dnsmasq (via systemctl): dnsmasq.service==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to start 'dnsmasq.service'.
Authenticating as: fogadmin,,, (fogadmin)
Password:
==== AUTHENTICATION COMPLETE ===
. ok
fogadmin@fog-srv:~$
- The ltsp.conf file didn't exist in that directory, so I just created it and pasted the content with the IP address changed
drwxr-xr-x   2 root root  4096 מאי 13 05:20 .
drwxr-xr-x 133 root root 12288 מאי 11 19:26 ..
-rw-r--r--   1 root root  1429 מאי 11 19:41 ltsp.conf
-rw-r--r--   1 root root   202 ספט 27  2016 network-manager
-rw-r--r--   1 root root   211 מרץ 28 03:22 README
# Don't function as a DNS server:
port=0
# Log lots of extra information about DHCP transactions.
log-dhcp
# Set the root directory for files available via FTP.
tftp-root=/tftpboot
# The boot filename, Server name, Server Ip Address
dhcp-boot=undionly.kpxe,,10.0.0.140
# Disable re-use of the DHCP servername and filename fields as extra
# option space. That's to avoid confusing some old or broken DHCP clients.
dhcp-no-override
# inspect the vendor class string and match the text to set the tag
dhcp-vendorclass=BIOS,PXEClient:Arch:00000
dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
dhcp-vendorclass=UEFI,PXEClient:Arch:00007
dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
# Set the boot file name based on the matching tag from the vendor class (above)
dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,10.0.0.140
dhcp-boot=net:UEFI,ipxe.efi,,10.0.0.140
dhcp-boot=net:UEFI64,ipxe.efi,,10.0.0.140
# PXE menu. The first part is the text displayed to the user. The second is the timeout, in seconds.
pxe-prompt="Booting FOG Client", 1
# The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
# Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI
# This option is first and will be the default if there is no input from the user.
pxe-service=X86PC, "Boot to FOG", undionly.kpxe
pxe-service=X86-64_EFI, "Boot to FOG UEFI", ipxe.efi
pxe-service=BC_EFI, "Boot to FOG UEFI PXE-BC", ipxe.efi
dhcp-range=10.0.0.140,proxy
- dnsmasq -v
fogadmin@fog-srv:/etc/dnsmasq.d$ dnsmasq -v
Dnsmasq version 2.75  Copyright (c) 2000-2015 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
Additional method:
I updated the BIOS firmware on most PCs and tried both UEFI enabled/disabled or legacy mode.
Hosts are now getting an IP only from the FGT (acting as the DHCP server).
the output from Hosts at the moment is:
it was long
thanks in advance,
Kpax -
@Sebastian-Roth said in PXE boot under Fortigate 40C:
@Kpax I don’t know much about the FGT config itself but what jumps at me is that you are trying to use pxelinux.0 instead of undionly.kpxe … Why that?
It's a mistake, as George1421 said.
-
@Kpax said in PXE boot under Fortigate 40C:
Dnsmasq version 2.75 Copyright 2000-2015 Simon Kelley
OK dnsmasq 2.75 is not new enough to enable both uefi and bios booting. UEFI booting is broken in 2.75. But now that you have 2.75 installed you can follow this process to compile 2.76: https://forums.fogproject.org/topic/8725/compiling-dnsmasq-2-76-if-you-need-uefi-support/6
There is more in the thread, but that is the actions part.
You will compile 2.76 and then just swap out the binary for 2.75 with 2.76. Restart dnsmasq, confirm that 2.76 is running with dnsmasq -v, then try to pxe boot your target computer again. No worries, this is progressing just as I had planned. Your distribution just hasn’t released the latest version of dnsmasq yet, so you will compile it.
Also in your fortigate remove the line that contains the undionly.kpxe value, and then restart your dhcp server on your fortigate. We want dnsmasq to provide everything for pxe booting. This way the target computer only gets pxe booting instructions from dnsmasq.
-
@Kpax
Hey george1421, thank you for lighting the way…
some update
- FGT config (line set filename ‘undionly.kpxe’ has been removed)
    edit 1
        set dns-service default
        set default-gateway 10.0.0.136
        set next-server 10.0.0.140
        set netmask 255.255.255.0
        set interface "internal"
        config ip-range
            edit 1
                set start-ip 10.0.0.110
                set end-ip 10.0.0.190
            next
        end
        set option1 67 '0A00008C'
        set option2 66
        config reserved-address
            edit 1
                set ip 10.0.0.140
                set mac 00:00:00:00:00:00
            next
        end
    next
end
- dnsmasq has been compiled to version 2.76 successfully with no errors
Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
3. Additional checks
dnsmasq status
systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/dnsmasq.service.d
           └─50-dnsmasq-$named.conf, 50-insserv.conf-$named.conf
   Active: active (running) since ב' 2017-05-15 11:04:34 IDT; 13min ago
  Process: 1097 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
  Process: 1054 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
  Process: 976 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 1096 (dnsmasq)
   CGroup: /system.slice/dnsmasq.service
           └─1096 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local

מאי 15 11:04:33 fog-vm systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
מאי 15 11:04:33 fog-vm dnsmasq[976]: dnsmasq: syntax check OK.
מאי 15 11:04:33 fog-vm dnsmasq[1096]: started, version 2.76 DNS disabled
מאי 15 11:04:33 fog-vm dnsmasq[1096]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
מאי 15 11:04:33 fog-vm dnsmasq[1096]: DNS service limited to local subnets
מאי 15 11:04:33 fog-vm dnsmasq-dhcp[1096]: DHCP, proxy on subnet 10.0.0.140
מאי 15 11:04:34 fog-vm systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
מאי 15 11:12:47 fog-vm systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.0.136      0.0.0.0         UG    100    0        0 ens33
10.0.0.0        *               255.255.255.0   U     100    0        0 ens33
link-local      *               255.255.0.0     U     1000   0        0 ens33
Config.h file
/* Build options which require external libraries.
   Defining HAVE_<opt>_STATIC as _well_ as HAVE_<opt> will link the library statically.
   You can use "make COPTS=-DHAVE_<opt>" instead of editing these. */
/* #define HAVE_LUASCRIPT */
/* #define HAVE_DBUS */
/* #define HAVE_IDN */
/* #define HAVE_CONNTRACK */
/* #define HAVE_DNSSEC */
/* Default locations for important system files. */
#define HAVE_DBUS
#define HAVE_IDN
#define HAVE_IDN_STATIC
#define HAVE_CONNTRACK
#define HAVE_DNSSEC
#ifndef LEASEFILE
# if defined(__FreeBSD__) || defined (__OpenBSD__) || defined(__DragonFly__) || defined(__NetBSD__)
Will update shortly, I still have users around.
thanks in advance,
Kpax -
Hey george1421, some update:
All PCs are getting an IP and seeing the FOG menu for deployment and registration. Much appreciated again for the direction. This might be for a new post, but I noticed one thing: after deploying an image, when the PC reboots it looks for PXE instead of loading the OS, so I need to change the BIOS manually to UEFI enabled.
Before the change, enabling/disabling UEFI in the BIOS was done automatically. Thanks,
Kpax