PXE boot under Fortigate 40C



  • Server
    • FOG Version: 1.3.5 svn Revision 6067
    • OS: Ubuntu 16.04.2 LTS
  • Client
    • Service Version:
    • OS: Windows 10 64bit
  • Description

    Greetings,

    We have around 80 hosts running Win10 64-bit.
    When FOG is set up as the DHCP server, everything works and I am able to deploy and capture an image to and from them.
    The drawback is that it kills the network, and I prefer to use my FGT to handle traffic and provide the DHCP service instead.

    Attached is my FGT40C config file:
    FGT firmware version 5.2.5 build 701 (GA)
    [screenshot: 0_1494431795737_Capture.JPG]

    [screenshot: 0_1494432505500_Capture2.JPG]

    thanks in advance,
    Kpax



  • @george1421

    Hey george1421, some update :)
    All PCs are getting an IP and seeing the FOG menu for deployment and registration. Much appreciated again for the direction.

    It might belong in a new post, but I notice one thing: after deploying an image, when the PC reboots it looks for PXE instead of loading the OS, so I need to change the BIOS manually to enable UEFI.
    Before the change, enabling/disabling UEFI in the BIOS was done automatically.

    thanks ,
    Kpax



  • @Kpax
    Hey george1421

    Thank you for lighting the way…

    Some updates:

    1. FGT config (the line set filename ‘undionly.kpxe’ has been removed)
    config system dhcp server
        edit 1
            set dns-service default
            set default-gateway 10.0.0.136
            set next-server 10.0.0.140
            set netmask 255.255.255.0
            set interface "internal"
                config ip-range
                    edit 1
                        set start-ip 10.0.0.110
                        set end-ip 10.0.0.190
                    next
                end
            set option1 67 '0A00008C'
            set option2 66
                config reserved-address
                    edit 1
                        set ip 10.0.0.140
                        set mac 00:00:00:00:00:00
                    next
                end
        next
    end
    
    2. dnsmasq has been compiled to version 2.76 successfully with no errors
    Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
    Compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
    
    This software comes with ABSOLUTELY NO WARRANTY.
    Dnsmasq is free software, and you are welcome to redistribute it
    under the terms of the GNU General Public License, version 2 or 3.
    

    3. Additional checks
    dnsmasq status

    ystemd/system/dnsmasq.service; enabled; vendor preset: enabled)
      Drop-In: /run/systemd/generator/dnsmasq.service.d
               └─50-dnsmasq-$named.conf, 50-insserv.conf-$named.conf
       Active: active (running) since ב' 2017-05-15 11:04:34 IDT; 13min ago
      Process: 1097 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
      Process: 1054 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
      Process: 976 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
     Main PID: 1096 (dnsmasq)
       CGroup: /system.slice/dnsmasq.service
               └─1096 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local
    
    מאי 15 11:04:33 fog-vm systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
    מאי 15 11:04:33 fog-vm dnsmasq[976]: dnsmasq: syntax check OK.
    מאי 15 11:04:33 fog-vm dnsmasq[1096]: started, version 2.76 DNS disabled
    מאי 15 11:04:33 fog-vm dnsmasq[1096]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
    מאי 15 11:04:33 fog-vm dnsmasq[1096]: DNS service limited to local subnets
    מאי 15 11:04:33 fog-vm dnsmasq-dhcp[1096]: DHCP, proxy on subnet 10.0.0.140
    מאי 15 11:04:34 fog-vm systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
    מאי 15 11:12:47 fog-vm systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
    
    

    route

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         10.0.0.136      0.0.0.0         UG    100    0        0 ens33
    10.0.0.0        *               255.255.255.0   U     100    0        0 ens33
    link-local      *               255.255.0.0     U     1000   0        0 ens33
    

    Config.h file

    /* Build options which require external libraries.
    
       Defining HAVE_<opt>_STATIC as _well_ as HAVE_<opt> will link the library statically.
    
       You can use "make COPTS=-DHAVE_<opt>" instead of editing these.
    */
    
    /* #define HAVE_LUASCRIPT */
    /* #define HAVE_DBUS */
    /* #define HAVE_IDN */
    /* #define HAVE_CONNTRACK */
    /* #define HAVE_DNSSEC */
    
    /* Default locations for important system files. */
    #define HAVE_DBUS
    #define HAVE_IDN
    #define HAVE_IDN_STATIC
    #define HAVE_CONNTRACK
    #define HAVE_DNSSEC
    
    #ifndef LEASEFILE
    #   if defined(__FreeBSD__) || defined (__OpenBSD__) || defined(__DragonFly__) || defined(__NetBSD__)
    

    I will update shortly; I still have users around.

    thanks in advance,
    Kpax



  • @george1421

    Much appreciated, will check and update.

    thanks in advance
    Kpax


  • Moderator

    @Kpax said in PXE boot under Fortigate 40C:

    Dnsmasq version 2.75 Copyright © 2000-2015 Simon Kelley

    OK dnsmasq 2.75 is not new enough to enable both uefi and bios booting. UEFI booting is broken in 2.75. But now that you have 2.75 installed you can follow this process to compile 2.76: https://forums.fogproject.org/topic/8725/compiling-dnsmasq-2-76-if-you-need-uefi-support/6

    There is more in the thread, but that is the actions part.

    You will compile 2.76 and then just swap out the binary for 2.75 with 2.76. Restart dnsmasq, confirm that 2.76 is running with dnsmasq -v, then try to pxe boot your target computer again.

    No worries, this is progressing just as I had planned. Your distribution just hasn’t released the latest version of dnsmasq yet, so you will compile it.

    Also, in your Fortigate remove the line that contains the undionly.kpxe value, and then restart the DHCP server on your Fortigate. We want dnsmasq to provide everything for PXE booting. This way the target computer only gets PXE booting instructions from dnsmasq.



  • @Sebastian-Roth said in PXE boot under Fortigate 40C:

    @Kpax I don’t know much about the FGT config itself but what jumps at me is that you are trying to use pxelinux.0 instead of undionly.kpxe… Why that?

    It’s a mistake, as George1421 said :)



  • greetings,

    Some updates, following your instructions; thanks again…

    1. FGT configuration

    config system dhcp server
        edit 1
            set dns-service default
            set default-gateway 10.0.0.136
            set next-server 10.0.0.140
            set netmask 255.255.255.0
            set interface "internal"
                config ip-range
                    edit 1
                        set start-ip 10.0.0.110
                        set end-ip 10.0.0.190
                    next
                end
            set filename "undionly.kpxe" /* been tested with the value of undionly.kpxe or ipxe.kpxe or ipxe.efi */
            set option1 67 '0A00008C'
            set option2 66
                config reserved-address
                    edit 1
                        set ip 10.0.0.140
                        set mac 00:00:00:00:00:00
                    next
                end
        next
    end
    
    2. FGT is functioning well as the DHCP server: all hosts are receiving the correct IP and are able to access the internet

    [screenshot: 0_1494682897742_Caaapture.JPG]

    3. FOG DHCP server role has been uninstalled (without dependent packages)
    sudo apt-get remove isc-dhcp-server
    
    4. dnsmasq has been installed
    sudo apt-get install dnsmasq
    
    5. The chkconfig command is no longer in use under Ubuntu 16.04.2 LTS;
      the equivalent command is update-rc.d
    fogadmin@fog-srv:~$ sudo update-rc.d dnsmasq on
    usage: update-rc.d [-n] [-f] <basename> remove
           update-rc.d [-n] <basename> disable|enable [S|2|3|4|5]
                    -n: not really
                    -f: force
    
    The disable|enable API is not stable and might change in the future.
    fogadmin@fog-srv:~$ sudo update-rc.d dnsmasq on^C
    fogadmin@fog-srv:~$ /etc/init.d/dnsmasq start
    [....] Starting dnsmasq (via systemctl): dnsmasq.service==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
    Authentication is required to start 'dnsmasq.service'.
    Authenticating as: fogadmin,,, (fogadmin)
    Password:
    ==== AUTHENTICATION COMPLETE ===
    . ok
    fogadmin@fog-srv:~$
    
    6. The ltsp.conf file did not exist in that directory, so I just created it and pasted the content with the IP_ADDRESS changed
    drwxr-xr-x   2 root root  4096 מאי 13 05:20 .
    drwxr-xr-x 133 root root 12288 מאי 11 19:26 ..
    -rw-r--r--   1 root root  1429 מאי 11 19:41 ltsp.conf
    -rw-r--r--   1 root root   202 ספט 27  2016 network-manager
    -rw-r--r--   1 root root   211 מרץ 28 03:22 README
    
    # Don't function as a DNS server:
    port=0
    
    # Log lots of extra information about DHCP transactions.
    log-dhcp
    
    # Set the root directory for files available via FTP.
    tftp-root=/tftpboot
    
    # The boot filename, Server name, Server Ip Address
    dhcp-boot=undionly.kpxe,,10.0.0.140
    
    # Disable re-use of the DHCP servername and filename fields as extra
    # option space. That's to avoid confusing some old or broken DHCP clients.
    dhcp-no-override
    
    # inspect the vendor class string and match the text to set the tag
    dhcp-vendorclass=BIOS,PXEClient:Arch:00000
    dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
    dhcp-vendorclass=UEFI,PXEClient:Arch:00007
    dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
    
    # Set the boot file name based on the matching tag from the vendor class (above)
    dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,10.0.0.140
    dhcp-boot=net:UEFI,ipxe.efi,,10.0.0.140
    dhcp-boot=net:UEFI64,ipxe.efi,,10.0.0.140
    
    # PXE menu.  The first part is the text displayed to the user.  The second is the timeout, in seconds.
    pxe-prompt="Booting FOG Client", 1
    
    # The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
    # Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI
    # This option is first and will be the default if there is no input from the user.
    pxe-service=X86PC, "Boot to FOG", undionly.kpxe
    pxe-service=X86-64_EFI, "Boot to FOG UEFI", ipxe.efi
    pxe-service=BC_EFI, "Boot to FOG UEFI PXE-BC", ipxe.efi
    
    dhcp-range=10.0.0.140,proxy
    
    7. dnsmasq -v
    fogadmin@fog-srv:/etc/dnsmasq.d$ dnsmasq -v
    Dnsmasq version 2.75  Copyright (c) 2000-2015 Simon Kelley
    Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
    
    This software comes with ABSOLUTELY NO WARRANTY.
    Dnsmasq is free software, and you are welcome to redistribute it
    under the terms of the GNU General Public License, version 2 or 3.
    

    Additional method:
    I updated the BIOS firmware on most PCs and tried both UEFI enabled/disabled, or chose legacy mode.
    Hosts now get an IP only from the FGT (acting as the DHCP server).
    The output from the hosts at the moment is:
    [screenshot: 0_1494684559061_aaaaaa.jpg]

    it was long :)

    thanks in advance,
    Kpax


  • Developer

    @Kpax I don’t know much about the FGT config itself but what jumps at me is that you are trying to use pxelinux.0 instead of undionly.kpxe… Why that?



  • @george1421
    Awesome mate, will follow the instructions and update.

    much appreciated


  • Moderator

    <edit> Looking at the Fortigate configuration closer I can see one BIG mistake that is causing fog to not be happy. FOG no longer uses pxelinux.0 as a boot kernel. You MUST use one of the current iPXE kernels of undionly.kpxe or ipxe.kpxe or ipxe.efi [for uefi systems]. If you do not follow this warning you will have no joy. </edit>

    We had someone else in the last month or so with the same configuration. What I want you to do is to switch back to using your Fortigate as your dhcp server. Make sure your environment works as it should (except fog). Once you are sure your Fortigate is functioning as it did, then we can work on making fog behave like we need. Note: Make sure you disable the dhcp server in FOG or you will have unexpected results.

    When your main dhcp server is setup we will install a service on the fog server called dnsmasq. DNSMasq is a ProxyDHCP server, in that we will use dnsmasq to provide the missing pxe boot information that your Fortigate can’t provide.

    Install dnsmasq using your FOG servers linux distribution repository. I think this is the right command for ubuntu sudo apt-get install dnsmasq

    Once that is installed run sudo chkconfig dnsmasq on

    Then paste the contents of the following into /etc/dnsmasq.d/ltsp.conf

    # Don't function as a DNS server:
    port=0
    
    # Log lots of extra information about DHCP transactions.
    log-dhcp
    
    # Set the root directory for files available via FTP.
    tftp-root=/tftpboot
    
    # The boot filename, Server name, Server Ip Address
    dhcp-boot=undionly.kpxe,,<fog_server_IP>
    
    # Disable re-use of the DHCP servername and filename fields as extra
    # option space. That's to avoid confusing some old or broken DHCP clients.
    dhcp-no-override
    
    # inspect the vendor class string and match the text to set the tag
    dhcp-vendorclass=BIOS,PXEClient:Arch:00000
    dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
    dhcp-vendorclass=UEFI,PXEClient:Arch:00007
    dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
    
    # Set the boot file name based on the matching tag from the vendor class (above)
    dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,<fog_server_IP>
    dhcp-boot=net:UEFI,ipxe.efi,,<fog_server_IP>
    dhcp-boot=net:UEFI64,ipxe.efi,,<fog_server_IP>
    
    # PXE menu.  The first part is the text displayed to the user.  The second is the timeout, in seconds.
    pxe-prompt="Booting FOG Client", 1
    
    # The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
    # Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI
    # This option is first and will be the default if there is no input from the user.
    pxe-service=X86PC, "Boot to FOG", undionly.kpxe
    pxe-service=X86-64_EFI, "Boot to FOG UEFI", ipxe.efi
    pxe-service=BC_EFI, "Boot to FOG UEFI PXE-BC", ipxe.efi
    
    dhcp-range=<fog_server_ip>,proxy
    

    Don’t forget to replace <fog_server_ip> in the above text with the IP address of your fog server. The tag appears many times.

    Now, before you start dnsmasq, I want you to run the following command and post the results here: dnsmasq -v. If the version is not 2.76 then we need to compile 2.76 to get bios and uefi compatibility.

    https://forums.fogproject.org/topic/8725/compiling-dnsmasq-2-76-if-you-need-uefi-support
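As an added example (not FOG's, dnsmasq's or any poster's code), the resolver below re-implements the dhcp-vendorclass / dhcp-boot matching that the ltsp.conf above (and the copy with real IPs in Kpax's post) relies on, so you can check which boot file a BIOS or UEFI PXE client would be handed, and it refuses any dhcp-boot line whose server field is still the <fog_server_ip> placeholder. The config text and the client vendor-class strings are constructed; tag handling is simplified to one tag per architecture, which is all this file uses.

```python
# Constructed excerpt of the ltsp.conf above (not the poster's file); one server
# field is deliberately left as the placeholder to exercise the check.
LTSP_CONF = """\
dhcp-boot=undionly.kpxe,,10.0.0.140
dhcp-vendorclass=BIOS,PXEClient:Arch:00000
dhcp-vendorclass=UEFI32,PXEClient:Arch:00006
dhcp-vendorclass=UEFI,PXEClient:Arch:00007
dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
dhcp-boot=net:UEFI32,i386-efi/ipxe.efi,,10.0.0.140
dhcp-boot=net:UEFI,ipxe.efi,,10.0.0.140
dhcp-boot=net:UEFI64,ipxe.efi,,<fog_server_ip>
dhcp-range=10.0.0.140,proxy
"""

def parse_conf(text):
    """Collect dhcp-vendorclass tags and dhcp-boot entries (tag None = default)."""
    classes, boots = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, val = line.split("=", 1)
        if key == "dhcp-vendorclass":
            tag, needle = val.split(",", 1)
            classes[tag[4:] if tag.startswith("set:") else tag] = needle
        elif key == "dhcp-boot":
            fields = val.split(",")
            tag = None
            if fields[0].startswith(("net:", "tag:")):
                tag = fields[0].split(":", 1)[1]
                fields = fields[1:]
            server = fields[2] if len(fields) > 2 else ""
            boots[tag] = (fields[0], server)
    return classes, boots

def resolve_boot(text, vendor_class):
    """(filename, tftp_server) for an option-60 string; None for non-PXE clients."""
    if not vendor_class.startswith("PXEClient"):
        return None  # a proxy-mode dnsmasq only answers PXE clients
    classes, boots = parse_conf(text)
    choice = boots[None]
    for tag, needle in classes.items():
        # dnsmasq substring-matches the vendor class; a tagged dhcp-boot overrides the default
        if needle in vendor_class and tag in boots:
            choice = boots[tag]
    filename, server = choice
    if not server or server.startswith("<"):
        raise ValueError(f"{filename}: server still a placeholder: {server!r}")
    return filename, server
```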

