FOG-casting across VLANs (subnets)
FOG-casting, or imaging multiple computers simultaneously from a single source image (and data stream), works really (really) well if the clients are on the same subnet as the FOG server. If your network is properly set up, FOG-casting to many computers on multiple subnets also works really (really) well. If your network is not set up for multicast transmissions, FOG-casting across your subnets will simply and frustratingly not work, even though you can image a single computer with no issues.
Put simply, sending a single image to a single computer (i.e. a unicast data stream) across subnets uses standard TCP/IP communications. If IP routing is set up on your network, then unicast imaging will work without any network re-engineering. When you introduce multicasting into a pure IP routing network, the multicast data streams are typically stopped by the subnet routers. This is by intent and design. To propagate a multicast data stream across your subnets you need to use a multicast router instead of a traditional IP router. Some traditional IP routers natively support multicast routing, but many do not. Some IP routers have helper services that can be enabled (akin to dhcp-relay) to forward the multicast stream to known targets. If you have a low-end or consumer-grade router, you are simply out of luck. Well, not totally out of luck: there are a few open source multicast routers (mrouters) or multicast proxy services that we can utilize to allow the multicast data streams to flow across the subnets.
This document is intended to be a proof of concept to show how you could configure a network to allow multicasting between VLANs and/or subnets. Let me also preface this with: I'm not a multicasting expert. This document may not cover the ideal design for all situations. My intent is to document a process that could be used to allow multicasting across or between VLANs (something small SMB networks are typically not configured for by default).
The following is how I set up the proof of concept configuration. For completeness, this design was constructed using 2 ESXi servers. The first ESXi server contained the FOG server and the second ESXi server contained the pfSense router and the PXE client. The WAN interface of the pfSense router was connected to the PXE booting client via an isolated vSwitch.
FOG Server Setup
For this test setup the FOG server was installed on a fresh CentOS 7 box. Once the CentOS box was configured and updated with the latest updates, FOG 1.4.0 (stable) was installed.
I copied one of my test Win10 images from my development FOG servers to this proof of concept [POC] FOG server and then manually created the image settings in the FOG web GUI. I did create a static route on the POC FOG server to map a route to the 192.168.23.0/24 subnet via the LAN interface of the pfSense router. This is needed because the FOG server's default route pointed to the ISP router. We need this static route to tell the FOG server how to reach the 192.168.23.0/24 [imaging network] for PXE booting and to send command and control information to the PXE booting clients.
Part 3 IGMP Proxy setup
The IGMP [Internet Group Management Protocol] proxy will be configured to listen on its upstream interface and relay the multicast stream to any subscribers on its downstream interface(s). The pfSense IGMP proxy service can only support one upstream interface, but may have many downstream interfaces. Think of the upstream interface as the one that listens for multicast data streams; the proxy then retransmits the stream only to those downstream interfaces that have requesting clients. This avoids flooding all subnets with the multicast imaging data if there are no clients requesting to be imaged. You can further optimize your network by enabling the IGMP snooping feature on your network switches.
IGMP LAN settings
IGMP WAN settings
Part 2 pfSense Router setup
In this design, the pfSense router will perform 4 different functions:
- Provide DHCP addresses to the clients on the deployment network [192.168.23.0/24]
- Provide the necessary DHCP boot options to PXE boot the clients on the deployment network
- Act as a normal router to route traffic between the subnets
- Act as an IGMP router (via its built-in IGMP proxy server). The IGMP proxy will listen on its defined upstream interface [LAN] for any defined multicast streams and rebroadcast the stream on any of the defined downstream interfaces [WAN]. Please note I'm only using LAN and WAN as interface names. I could have just as easily used em0 and em1, but inside pfSense they are referenced exclusively by the logical names LAN and WAN. To avoid confusion I'll continue to use those labels throughout this document; just understand they are labels and not based on functional intent.
I'm not going to go through the setup of the pfSense router, since there are many fine examples of setting up pfSense as a basic router. I will go through the settings I changed to configure the IGMP proxy.
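What the upstream/downstream roles described above amount to in igmpproxy's own configuration, as an added example (not the post's file and not the exact file pfSense generates); em0 and em1 are assumed to be the NICs behind the LAN and WAN labels:

```conf
## Added example of an igmpproxy.conf matching this document's design.
## Interface names em0 (LAN) and em1 (WAN) are assumptions.
quickleave

# LAN = upstream: the interface on which the FOG server's multicast stream
# arrives. altnet lists the source network the proxy should accept from.
phyint em0 upstream ratelimit 0 threshold 1
    altnet 192.168.50.0/24

# WAN = downstream: the stream is forwarded here only after a client on
# 192.168.23.0/24 sends an IGMP membership report for the group, which is
# what keeps idle subnets from being flooded with imaging traffic.
phyint em1 downstream ratelimit 0 threshold 1
    altnet 192.168.23.0/24
```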
In the graphic above I configured the pfSense router's:
- LAN interface address to 192.168.50.250/24
- WAN interface address to 192.168.23.1/24
- DHCP server on the WAN interface to issue IP addresses from 192.168.23.10 to 192.168.23.250.
- Default route for the imaging network, which points to the pfSense WAN interface of 192.168.23.1
- Netboot section of the WAN's DHCP server to send out a next-server of 192.168.50.100 with a BIOS boot file of undionly.kpxe, an IA32 UEFI boot file of i386/ipxe.efi, and ipxe.efi for the x64 UEFI boot file.
In pfSense Advanced Configuration I disabled all firewall rules. In this setup I want pfSense to act as a normal unrestricted router and not as a screening or firewall appliance.
You will need to go into the firewall rules and add one rule to each interface (LAN and WAN) that allows all traffic to any destination.
WAN rule
LAN rule
With the static route configured on your FOG server and the pfSense router now set up on the network, you should be able to ping the deployment network's router interface [WAN] from the FOG server. If you can't, then something is set up incorrectly on the IP router side. Don't proceed until you have basic IP routing working correctly.
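The static route from the FOG Server Setup section and the ping check above, as an added shell example (not from the original post); it assumes the FOG server is CentOS 7 with its LAN NIC named eth0 and uses the addresses from this document:

```shell
#!/bin/sh
# Added example (not from the original post): add and verify the static route
# on the CentOS 7 FOG server toward the 192.168.23.0/24 imaging network via the
# pfSense LAN address 192.168.50.250. The NIC name (eth0) is an assumption.
IMAGING_NET="192.168.23.0/24"
PFSENSE_LAN="192.168.50.250"   # pfSense LAN interface, next hop for the route
PFSENSE_WAN="192.168.23.1"     # pfSense WAN interface, the imaging network's router
FOG_IFACE="${FOG_IFACE:-eth0}" # assumed name of the FOG server's LAN NIC

# Constructed sample of `ip route show` output from a FOG server that already
# has the route, used to exercise route_present without root or a live host.
SAMPLE_ROUTES="default via 192.168.50.1 dev eth0 proto static metric 100
192.168.23.0/24 via 192.168.50.250 dev eth0
192.168.50.0/24 dev eth0 proto kernel scope link src 192.168.50.100 metric 100"

# route_present ROUTES NET GW: succeed if ROUTES (text of `ip route show`)
# contains a route for NET whose gateway is GW.
route_present() {
    printf '%s\n' "$1" | awk -v net="$2" -v gw="$3" '
        $1 == net && $2 == "via" && $3 == gw { found = 1 }
        END { exit found ? 0 : 1 }'
}

# add_route: insert the route now (needs root) unless it is already there.
add_route() {
    if route_present "$(ip route show)" "$IMAGING_NET" "$PFSENSE_LAN"; then
        echo "route to $IMAGING_NET via $PFSENSE_LAN already present"
    else
        ip route add "$IMAGING_NET" via "$PFSENSE_LAN" dev "$FOG_IFACE"
    fi
}

# persist_route: CentOS 7 applies /etc/sysconfig/network-scripts/route-<iface>
# at ifup, so the route survives a reboot of the FOG server.
persist_route() {
    f="/etc/sysconfig/network-scripts/route-$FOG_IFACE"
    grep -qsF "$IMAGING_NET via $PFSENSE_LAN" "$f" ||
        echo "$IMAGING_NET via $PFSENSE_LAN" >> "$f"
}

# verify_routing: the post's sanity check, ping the pfSense WAN interface from
# the FOG server; do not proceed to multicast until this succeeds.
verify_routing() {
    ping -c 3 -W 2 "$PFSENSE_WAN" >/dev/null 2>&1
}
# Run as: sh fog_route.sh apply   (the functions are only defined otherwise)
if [ "${1:-}" = "apply" ]; then
    add_route && persist_route && verify_routing && echo "routing OK"
fi
```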