Isolated dnsmasq Setup
-
I’ve set up dnsmasq in Ubuntu 18.04 Server on a Windows machine in VirtualBox. I have dnsmasq running as the DHCP server. This works perfectly; I’m able to boot legacy and UEFI. I have the ethernet port on a 10.0.0.0 network where FOG is 10.0.0.1 and a USB to ethernet adapter that is connected to our production network that I used for the install and to log in remotely.
My goal was to create an isolated box off of our network for our sales prep team to image machines with Windows and not have to worry about our network. We recently outsourced IT support and they’ve wrecked a few things. So I just wanted to create a machine and a switch they can connect to at their own station. But we activate Windows before we ship it to the customer, so I just realized yesterday that they would have to connect back to our network to activate it. I need a way to PXE boot without our network, and then connect to our network after, if that makes sense.
I just went into the weeds with dnsmasq and I think I can still do this, but wanted some reassurance on how to proceed.
So my long intro to a question is should I use dnsmasq, via proxy, on our network for PXE boot? And if so, would it be possible to have the imaged Windows machine then boot up using our production network?
Or is there a way better way to do this? Basically I’d like to PXE boot offline, but the Windows machines we activate would need to connect to the network after. This is probably a can of worms but is there a better way to activate Windows? I’ll just leave that there and probably open a new thread on that one if you guys say yes.
Thanks in advance! It’s late and I apologize if this didn’t make any sense, just let me know any other information you need.
-
@mwilcox Not exactly sure if I get this right but from what I understand you want to boot up via PXE using an external USB Ethernet adapter to image the machine via FOG and then on reboot remove the USB adapter and let it boot up to Windows and pull a normal IP from your corporate network subnet. Is that right?
Let me ask, what is your current DHCP server in the corporate network like?
-
@Sebastian-Roth I am using the USB Ethernet adapter on our corporate network for internet access. I have the Ethernet port on the machine set to the PXE network with that connected to an 8 port dumb switch. I’d like them to be able to plug into the switch, PXE boot and image, then be able to access the internet through that switch on the private network still. The Ubuntu Server has 2 NICs configured, both bridged, one private and one on the network.
What I’m thinking I can do with dnsmasq is when a machine PXE boots, dnsmasq will step in and hand out the information, but when a machine boots normally it will get its DHCP from our network. Is that correct and does that make sense?
We have Windows Server 2012 I believe, but I can’t alter it easily. We outsourced our IT and I had a hard time explaining to them what a FOG server was and why it was issuing IPs. So I’d like to eliminate it from our infrastructure so I can manage it locally.
-
@mwilcox OK, let’s take a step back here. You mentioned a few technologies where I’m seeing a conflict.
So do you have a dedicated fog server or are you running a FOG server on each sales team laptop?
If you are running a fog server and have a dedicated imaging network why are you using dnsmasq? The fog server (if asked during install) will install isc-dhcp server that will issue IP addresses for your imaging network.
You can use the (a) FOG server as a router so you can bridge between the imaging network and the business network via FOG server. Since you don’t have access to your infrastructure you will probably have to use NAT instead of full routing between the subnets.
If you have a dnsmasq server you can connect it to your business network and override any dhcp settings provided by the main dhcp server. The only thing you can’t do is have 2 proxydhcp servers on the same subnet. So if the MSP has installed SCCM or WDS on the business side you can’t run a proxydhcp server like dnsmasq to provide / override the pxe boot info. If they don’t have that setup then you don’t technically need an isolated imaging network for FOG.
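To make the proxydhcp option above concrete, here is an added example (not from this thread or from the FOG project) of a small script that writes a dnsmasq configuration in proxy mode. In this mode dnsmasq never hands out addresses; the existing DHCP server keeps doing that, and dnsmasq only adds the boot file and TFTP server for clients that identify themselves as PXE. The FOG IP, network address, TFTP root, output path and the boot file names (undionly.kpxe, ipxe.efi, i386-efi/ipxe.efi) are assumptions based on a default FOG install; check them against your own /tftpboot.

```shell
#!/bin/sh
# Added example: generate a proxyDHCP-only dnsmasq config for PXE booting
# into FOG on a subnet that already has an authoritative DHCP server.
# All values below are assumed placeholders; override via the environment.
FOG_IP="${FOG_IP:-10.0.0.1}"                        # assumed: FOG/TFTP server
NET="${NET:-10.0.0.0}"                              # assumed: network address dnsmasq serves
TFTP_ROOT="${TFTP_ROOT:-/tftpboot}"                 # assumed: FOG's default tftp root
OUT="${OUT:-/etc/dnsmasq.d/fog-proxy.conf}"         # assumed: where to write the config

# Emit the config text. port=0 disables dnsmasq's DNS server so it cannot
# start answering name queries on the LAN, and "proxy" in dhcp-range means
# no leases are offered, only PXE boot information.
proxy_config() {
  cat <<EOF
port=0
log-dhcp
tftp-root=$TFTP_ROOT
dhcp-range=$NET,proxy
# pick the boot file from the client architecture (DHCP option 93)
dhcp-match=set:bios,option:client-arch,0
dhcp-boot=tag:bios,undionly.kpxe,,$FOG_IP
dhcp-match=set:efi32,option:client-arch,6
dhcp-boot=tag:efi32,i386-efi/ipxe.efi,,$FOG_IP
dhcp-match=set:efibc,option:client-arch,7
dhcp-boot=tag:efibc,ipxe.efi,,$FOG_IP
dhcp-match=set:efi64,option:client-arch,9
dhcp-boot=tag:efi64,ipxe.efi,,$FOG_IP
# menu entries advertised to PXE clients (BIOS, UEFI byte-code, x86-64 UEFI)
pxe-prompt="Booting FOG Client", 1
pxe-service=X86PC,"Boot to FOG",undionly.kpxe
pxe-service=BC_EFI,"Boot to FOG UEFI",ipxe.efi
pxe-service=X86-64_EFI,"Boot to FOG UEFI",ipxe.efi
EOF
}

# Return 0 only if a config text is proxy-only: DNS off and no lease range.
# A dhcp-range with a start/end address would make dnsmasq a second
# authoritative DHCP server on the LAN, which is exactly what we must avoid.
is_proxy_only() {
  printf '%s\n' "$1" | grep -q '^port=0$' || return 1
  printf '%s\n' "$1" | grep -q '^dhcp-range=[^,]*,proxy$' || return 1
  return 0
}

# Resolve which boot file a config hands to a given client-arch code,
# by following the dhcp-match tag to its dhcp-boot line.
boot_file_for_arch() {
  tag="$(printf '%s\n' "$1" | sed -n "s/^dhcp-match=set:\([a-z0-9]*\),option:client-arch,$2\$/\1/p")"
  [ -n "$tag" ] || return 1
  printf '%s\n' "$1" | sed -n "s/^dhcp-boot=tag:$tag,\([^,]*\),.*/\1/p"
}

# "install" writes the file; anything else just shows it for review.
case "${1:-}" in
  install)
    cfg="$(proxy_config)"
    is_proxy_only "$cfg" || { echo "refusing to write a non-proxy config" >&2; exit 1; }
    printf '%s\n' "$cfg" > "$OUT" && echo "wrote $OUT; restart dnsmasq to apply" ;;
  show) proxy_config ;;
esac
```

Run it with `show` first and compare the boot file names against what is actually in your tftp root. Because proxyDHCP relies on the PXE client's broadcast, the dnsmasq host has to sit on the same subnet as the clients, and as noted above it cannot share that subnet with another proxyDHCP service such as WDS.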
-
I apologize if this is confusing, I tend to make things more complicated than they need to be, that’s why I reached out for help. It was getting to be too much. Let me try to sum up what I have and what I want to do.
I built what was basically a test run of FOG in a VM a few years ago, my former boss ended up putting this into production on our network and added in the DHCP options. I normally do on-site data erasure so I’m not in the office, but that has slowed so I’ve focused on updating FOG. We use it for imaging and also to boot Parted Magic to test machines and get specs. The problem I’m having is that our network isn’t the best for this. It’s pieced together with random equipment (we’re an ITAD company). The VM is Ubuntu Server 16.04 and it’s running FOG 1.5.4. It’s also got over 20 useless images on it. It’s been very neglected over the last couple years.
So I just wanted to start fresh. Give the sales team their own box to image on so they wouldn’t have to worry about the network going down or the MSP messing with the VM itself (they’ve shut it down a few times).
I’ll stop here and ask your advice on the best way to achieve this. We do not have SCCM or WDS. Right now FOG is the only thing that would be used for PXE booting and that is currently set up on our Windows Server. I can continue to use that if it’s the best option.
Thanks!
-
@mwilcox OK I have a better picture of your situation. I think a clean install on a current host OS for fog is probably the best. If you want to run the latest version of Ubuntu you will need to be on the FOG dev branch, but that’s easy to switch before you install FOG.
Your new FOG server will need 2 interfaces set up before you install FOG. One will need to be on the business LAN that has internet access and the other on the dedicated imaging network. You will want to assign a static IP address to your imaging network nic AND know the linux name of the nic before you install FOG since the installer will ask you what interface to use. The business LAN nic can be static or dhcp defined. I think I would make it static just to keep things from moving about. FOG doesn’t like it when you move the IP address of the imaging interface after FOG is installed so make sure you have that IP and your imaging subnet defined before you install FOG.
The installer will ask if you want to install the dhcp server, answer yes and the installer will install and setup the isc-dhcp server on the imaging network.
Once the setup is complete then you should be able to attach a physical computer to the dedicated imaging network and get to the fog ipxe menu.
When you get this far then we can talk about the next bit of getting access to the business network from the imaging network.
-
@george1421 Thank you for the information George.
So if I want to run Ubuntu Server 20.04, that would require the dev branch? Good to know, I was going to use that but wasn’t sure of compatibility so I went with 18.04.
So far the steps you’ve described are what I’ve done. I have the FOG server set up with 2 interfaces, I set up a 10.0.0.0/8 network on the Ethernet interface.
The USB interface on our business LAN I used DHCP, I can’t assign a static without contacting our MSP.
When I installed FOG I changed the interface and issued it a 10.0.0.1 address. But here’s where I ran into trouble. I don’t know what I was doing wrong but whenever I told it to use FOG for DHCP the install would fail at “Setting up and starting DCHP Server”. It would create the dhcpd.conf file though.
Looking back now, would a DNS setting, or lack of, fail the DHCP install? I didn’t realize that 127.0.0.53 was Ubuntu’s default DNS and I think I changed that to the FOG IP on those installs. It wasn’t until I was messing with dnsmasq that I figured that out.
So anyway, that is how I got into using dnsmasq instead of the isc-dhcp server. I can try another install this way and see how I fare.
-
Update:
Installed Ubuntu Server 20.04 with the dev branch. I still got an error with starting the dhcp though. Digging through the forums I found it was my /8 mask that was causing it to fail. I changed it to /24 and everything installed flawlessly and I’m able to get to the ipxe menu.
I’ve always had it stuck in my head that a 10.0.0.0 network was a 255.0.0.0 mask and forgot what that actually meant. I do not need 16 million hosts.
That is indeed what broke the install, there was a thread here that helped me figure it out.
-
@mwilcox said in Isolated dnsmasq Setup:
That is indeed what broke the install, there was a thread here that helped me figure it out.
So I’m not sure if this is considered a bug, or the system telling you; hey guy do you really want to do this??
So now you have your FOG server spanning both networks and a dedicated imaging network setup. And on that imaging network you can pxe boot into the iPXE menu?
Understand that dedicated imaging network subnet range shall not be used anywhere else in your network. If it is then pick a new range.
-
It’s a good precaution either way!
Yes, I’m able to boot into the iPXE menu on the 10.0.0.1 network. We only have the one network so we’re good there.
-
@george1421 So would it be possible to PXE boot on the imaging network, and after imaging allow the PC to boot to the business network if it is not PXE booting? After imaging they install drivers and activate Windows, then shut it down to OOBE and we ship it out. It would be nice if they didn’t have to plug into a different switch.
-
@mwilcox While it’s not a supported configuration, if your FOG server spans both networks the FOG server can act as a router too.
The setup is pretty simple, on your business network default router you just describe the imaging network and that it’s accessible via the Business network interface of the FOG server.
On the imaging network side, just ensure that the FOG server imaging network interface is configured as the default router.
Then a quick kernel parameter change and your FOG server will be a router.
-
@george1421 Thanks George.
What exactly needs to happen on the business network side? Access for me might be limited there. I’m not quite following the details.
-
@mwilcox The ONLY thing you need to do on the business side is provide a static route on your default route for the business network back to your imaging network. That way when you have packets destined for the 10.0.0.0/24 network and that packet exists on the business network the devices know to send it via the business network interface of the FOG server.
IF you can’t modify the business network at all, then we will need to configure the fog server to do NAT between the imaging network and the business network. You will do that with iptables and mangle (I think).
-
@george1421 I will check with our MSP and see if that’s an option, I’ll also test out your link.
My FOG server is running in VirtualBox, do you know if I can change that interface to NAT? I’ve always read not to use NAT for PXE booting. I did have it on once and it issued the server a 10.0.2.15 address I think and I could still access the internet. I didn’t install FOG that way though. I’ll try and test it out, just wondering if you knew off the top of your head.
Thanks again.
-
@mwilcox said in Isolated dnsmasq Setup:
My FOG server is running in VirtualBox, do you know if I can change that interface to NAT? I’ve always read not to use NAT for PXE booting.
OK, what you need to do is isolate the FOG Imaging bits from the fog server acting as a router. Two different functions that are not connected.
Normally a linux server with multiple interfaces will not send packets between its interfaces. You can turn on that kernel parameter and it will “act” like a router. For this to work you need to know how to get packets on and off your network. That is why you need to create a static route on your business network so your business network knows how to send data back to the imaging network (such as in windows activation).
So what I’m suggesting is to enable in the linux kernel to act as a NAT router when sending packets between the imaging network and the business LAN. FOG Imaging does not do/use/work by sending packets between the interfaces. So there will be NO impact to fog imaging or how you have things set up in virtualbox because the NAT is happening inside the linux kernel. With NAT turned on inside the FOG server’s host OS linux kernel all traffic on the business network will actually look like it’s coming from the FOG server, when in fact the traffic could be coming from the imaging network clients reaching out to the business network.
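The two options George describes (plain routing with a static route added on the business side, or NAT on the FOG server when the business network cannot be touched) come down to one kernel parameter plus a few netfilter rules. Here is an added example script, not from this thread or the FOG project, that prints or applies those rules. The interface names are assumed placeholders (look yours up with `ip link`); the 10.0.0.0/24 imaging subnet is the one from the thread. The NAT rule lives in the nat table's POSTROUTING chain; the FORWARD rules only allow connections initiated from the imaging side, so nothing on the business LAN can open connections into machines that are mid-image. None of this touches the FOG server's own INPUT/OUTPUT traffic, which is why imaging is unaffected.

```shell
#!/bin/sh
# Added example: make the FOG server forward between the imaging network
# and the business LAN, as a plain router (MODE=route, requires the static
# route on the business side) or a NAT router (MODE=nat, requires nothing
# on the business side). Interface names are ASSUMED placeholders.
IMG_IF="${IMG_IF:-enp0s31f6}"          # assumed: onboard NIC, imaging network
BIZ_IF="${BIZ_IF:-enx00e04c680001}"    # assumed: USB NIC, business LAN
IMG_NET="${IMG_NET:-10.0.0.0/24}"      # imaging subnet from the thread
MODE="${MODE:-nat}"                    # "nat" or "route"

# Validate a.b.c.d/n before it is interpolated into a rule:
# four numeric octets 0..255 and a prefix length of 8..30.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  addr="${1%/*}"; prefix="${1#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 8 ] && [ "$prefix" -le 30 ] || return 1
  case "$addr" in *..*|.*|*.) return 1 ;; esac
  rest="$addr"; dots=0
  while [ "${rest#*.}" != "$rest" ]; do rest="${rest#*.}"; dots=$((dots + 1)); done
  [ "$dots" -eq 3 ] || return 1
  for o in $(printf '%s' "$addr" | tr '.' ' '); do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the commands rather than running them, so they can be reviewed
# and then persisted (netfilter-persistent, a systemd unit, or rc.local).
forward_commands() {
  valid_cidr "$IMG_NET" || { echo "bad IMG_NET: $IMG_NET" >&2; return 1; }
  echo "sysctl -w net.ipv4.ip_forward=1"
  # imaging clients may open connections outward...
  echo "iptables -A FORWARD -i $IMG_IF -o $BIZ_IF -s $IMG_NET -j ACCEPT"
  # ...and only replies to those connections are let back in
  echo "iptables -A FORWARD -i $BIZ_IF -o $IMG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $BIZ_IF -o $IMG_IF -j DROP"
  # NAT mode: rewrite the source so the business LAN only ever sees the FOG server
  if [ "$MODE" = "nat" ]; then
    echo "iptables -t nat -A POSTROUTING -s $IMG_NET -o $BIZ_IF -j MASQUERADE"
  fi
}

# Apply for real: needs root and both interfaces must exist.
apply_forwarding() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  for i in "$IMG_IF" "$BIZ_IF"; do
    ip link show "$i" >/dev/null 2>&1 || { echo "no such interface: $i" >&2; return 1; }
  done
  forward_commands | sh -e
}

case "${1:-}" in
  show)  forward_commands ;;
  apply) apply_forwarding ;;
esac
```

Run `MODE=route ./fwd.sh show` or `MODE=nat ./fwd.sh show` (filename assumed) to see what would be applied, then `apply` as root once the interface names are right. In route mode the business router still needs George's static route for 10.0.0.0/24 pointing at the FOG server's business-side address; in NAT mode it does not, at the cost that every imaging client appears on the business LAN as the FOG server.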
-
@mwilcox Just a quick hint on this from my side. As far as I see you have two physical network interfaces and FOG running in VirtualBox, right? Don’t confuse VirtualBox’s NAT setting with the NAT George proposed to enable in the FOG Server!! I reckon you need to set both VirtualBox network interfaces to Bridge Mode so they act as much like physical interfaces as possible. Then look into the NAT stuff in the FOG Linux OS…
-
@Sebastian-Roth Thanks Sebastian, that’s what I was wondering, I won’t bother with NAT in VirtualBox then. Hopefully I will have time tomorrow to try and get this set up and tested.
Yes, I do have two physical network interfaces. The machine is a Lenovo M92 with one network port. I’m using that for the imaging network and attached a USB to ethernet adapter for the business network. They are both in bridged mode.