FOG-casting across VLANs (subnets)

  • Moderator

    FOG-casting or imaging multiple computers simultaneously using a single source image (and data stream) works really (really) well if the clients are on the same subnet as the fog server. If your network is properly setup FOG-casting to many computers on multiple subnets works really (really) well. If your network is not setup for multicast transmissions, FOG-casting across your subnets will simply and frustratingly not work, even though you can image a single computer with no issues.

    Simply, sending a single image to a single computer (i.e. unicast data stream) across subnet(s) uses standard TCP/IP communications. If IP routing is setup on your network then unicast imaging will work without any network reengineering. When you introduce multicasting into a pure IP routing nework, the multicast data streams are typically stopped by the subnet routers. This by intent and design. To propagate a multicast data stream across your subnets you need to use a mutlicast router instead of a traditional IP router. Some traditional IP routers natively support multicast routing but many do not. Some IP routers have helper services that can be enabled (akin to dhcp-relay) to forward the multicast stream to known targets. If you have a low end or consumer grade router, you are simply out of luck. Well, not totally out of luck there are a few open source multicast routers (mrouters) or multicast proxy services that we can utilize to allow the multicast data streams to flow across the subnets.

    This is a documented is intended to be a proof of concept tool to show how you could configure a network to allow multicasting between vlans and/or subnets. So, let me also preface this with I’m not a multicasting expert. This document may not cover the ideal design for all situation. My intent is to document the process that could be used to allow multicasting across or between vlans (which small SMB networks are not typically configured by default).

    The following is how I setup the proof of concept configuration. For completeness this design was constructed using 2 ESXi servers. The first ESXi server contained the FOG Server and the second ESXi server contained the pfSense router and the pxe client. The WAN interface of the pfSense router was connected to the pxe booting client via a isolated vSwitch.


    FOG Server Setup
    For this test setup the FOG server was setup on a fresh Centos 7 box. Once the Centos box was configured and updated with the latest updates, FOG 1.4.0 (stable) was installed.
    I copied one of my test Win10 images from my development FOG servers to this proof of concept [POC] FOG server and then manually created the Image settings in the fog web gui. I did create create a static route on the POC FOG server to map a route to subnet via the LAN interface of the PFSense router. This is needed because the FOG Server’s default route pointed to the ISP Router. We need this static route to tell the fog server how to reach the [imaging network] for pxe booting and to send command and control information to the pxe booting clients.

    Part 2: The Pfsense Router setup

  • Moderator

    Part 2 Pfsense Router setup

    In this design, the pfSense router will perform 4 different functions.

    1. Provide the dhcp addresses to the clients on the deployment network []
    2. Provide the necessary dhcp boot options to pxe boot the clients on the deployment network
    3. Act as a normal router to route traffic between the subnets
    4. Act as a IGMP route (via its built in IGMP Proxy server). The IGMP server will listen on its defined upstream interface [LAN] for any defined multicast streams and rebroadcast the stream on any of the defined downstream interfaces [WAN]. Please note I’m only using the concepts of LAN and WAN as interface names. I could have just as easily used em0 and em1, but inside pfSense they reference the logical names of LAN and WAN exclusively. To avoid confusion I’ll continue to use those labels through this document, just understand the are label and not based on functional intent.

    I’m not going to go through the setup of the pfSense router since there are many fine examples of setting up pfSense as a basic router. I will go through the settings I changed to configure the igmp proxy setting.

    In the graphic above I configured the pfSense router’s

    1. Set the LAN interface address to
      0_1495554662259_Interfaces_ LAN.png

    2. Set the WAN interface address to
      0_1495554685442_Interfaces_ WAN.png

    3. Configured the dhcp server on the WAN interface to issue IP addresses from to
      0_1495555318851_Services_ DHCP Server_WAN1.png

    4. For the imaging network, the default route points to the pfSense WAN interface of
      0_1495555352459_Services_ DHCP Server_WAN2.png

    5. Configured the netboot section of the WAN’s dhcp server to send out the {next-server} of with a bios {boot-file} of undionly,kpxe, ia32 uefi boot file of i386/ipxe.efi, and ipxe.efi for the x64 uefi boot file.
      0_1495555364450_Services_ DHCP Server_WAN3.png

    6. In pfSense Advanced Configuration I disabled all firewall rules. In this setup I want pfSense to act as a normal unrestricted router and not as a screening or firewall appliance.
      0_1495556193981_System_ Advanced_ Firewall_NAT.png

    7. You will need to go into the firewall rules and add one rule to each interface (LAN and WAN) that is an allow all to any
      WAN rule
      0_1495558034751_Firewall_ Rules_WAN1.png
      LAN rule
      0_1495558047051_Firewall_ Rules_ LAN1.png

    8. With the static route configured on your FOG server and the pfSense router now setup on the network, you should be able to ping the deployment network’s router interface [WAN] from the fog server. If you can’t then something is setup incorrectly on the iP router side. Don’t proceed until you have basic IP routing working correctly.

  • Moderator

    Part 3 IGMP Proxy setup

    The IGMP [Internet Group Management Protocol] proxy will be configured to listen on its upstream interface and will relay the multicast stream to any subscribers on its downstream interface(s). The pfSense igmp proxy service can only support one upstream interface, but may have many downstream interfaces. Think of an upstream interface is one that will listen for multicast data streams and then will only retransmit the multicast stream to those interfaces who have requesting clients. This avoids flooding all subnets with the multicast imaging data if there are no clients requesting to be imaged. You can further optomize your network by enabling the IGMP Snooping feature on your network switches.

    1. IGMP LAN settings
      0_1495557562514_Services_ IGMP_Proxy_LAN.png

    2. IGMP WAN settings
      0_1495557849014_Services_ IGMP_Proxy_WAN.png

  • Moderator

    (document placeholder)

  • Moderator

    (document placeholder)

    0_1495237622562_Firewall_ Rules_01.png

    0_1495237634074_Firewall_ Rules_02.png