Cloud FOG Imaging with iPXE boot using USB
I’ve read through the past comments and posts regarding this topic, but the one I saw that meant the most for me didn’t help much.
I have a server on an OVH platform that is hosting FOG. It doesn’t seem that my pfsense router/goofy network setup on the OVH server is allowing pxe to boot.
This is a proof of concept because my work had 3 servers with 1000/1000 bandwidth for the remainder of the month I can play with.
What I’d LOVE to do is boot to the cloud server like normal - pfsense is handing out the address correctly, but i get TFTP timeout.
I do not wish to create a storage node at the location. The idea will be used in an MSP model if I can get it to work.
If I have to, I wouldn’t mind creating a flash drive that would boot the correct stuff, to point to the cloud fogserver. It’d be a lot easier to bring a flash drive to a random client location than a fog storage node.
What steps should I take to make this happen?
@p4cm4n You can do that, there is a tutorial (for uefi) to create a boot drive the easy way. This will load iPXE from a usb stick and then boot into FOG. https://forums.fogproject.org/topic/6350/usb-boot-uefi-client-into-fog-menu-easy-way
For those that can’t use iPXE I have FOS Linux on a usb stick too. You lose about 30% of the functionality of FOG but you can image no problem with it. https://forums.fogproject.org/topic/7727/building-usb-booting-fos-image
@george1421 I know this isn’t expected and is super insecure. I can secure things later as needed (or just security by obscurity…possibly even turning it off when not in use) but we’ll worry about that if it works as expected.
I believe I’m ahead of you.
I can ping OVH, get to fogserver url and management pages.
Instead of installing tftp in windows I used a linux box - in both my network, and the OVH network.
OVH worked, however my network did not. I then (for shits and giggles) created a storage node in my own network, pointing it to the OVH fogserver, and pointed my DHCP from the 167.x OVH IP, to my storage node. Changed storage node to 0 clients.
This gave me success, in all forms.
So for whatever reason, the tftp connection won’t open between behind my pfsense box and the OVH server. I can see the ports going through the logs - but I get single:no_traffic as the status.
I guess what I’d love to try to do is this:
Create a USB device that houses the ipxe kernel, and information for undionly.kpxe/ipxe.efi to point to that server out in the wild. Put all the TFTP boot files on this drive.
I did image from/to the OVH server. Just couldn’t boot to it.
@p4cm4n Well first of all let me say FOG server is insecure when exposed directly to the internet. Running it in this configuration was never the intent of the FOG developers (speaking not really knowing the actual intent of the developers).
I can say that tftp is / was not very forgiving trying to PXE boot in a routed invironment. In the early days the PXE ROM (what we are dealing with at this point) was not very smart and didn’t know how to deal with routers and such. Its much better now in this era. So what I would do from your home network. From a windows computer can you ping the cloud fog server? If so you have to remember that tftp much like ftp actually opens 2 channels to transfer files. One channel is from the client to the server. This is the command channel. The second channel is the data channel and its opened from the (t)ftp server back to the target computer. If your firewalls are not ftp aware they might block the data channel from being created.
So what I would test next is to install the tftp feature in windows and then allow the tftp program network access through the windows firewall. Then if possible configure your home router to allow tftp traffic through. And then finally test with the tftp program in windows to see if you can download ipxe.efi (or whatever) from the FOG server. Right now you need to test connectivity to download via tftp from the Cloud fog server. If you can do that then the problem is with your home dhcp server. Right now you need to understand where its working and where its not.
@george1421 correct -
i have cloud hosting platform, open to the internet (OVH) ((fogserver on debian 10 on an esxi VM with a public IP))
i have a home network, that i had my own personal fogserver running. pfsense is my home routing platform. i changed the IP address in DHCP to go from my internal IP, to the 167.x OVH IP.
i created a VM inside my home network, on an esxi box. i booted PXE, and got nothing.
i then went to OVH Server number 2. it’s running proxmox. i opened a tftp connection between OVH2 and OVH and was able to transfer undionly.kpxe.
if i go to a box inside my pfsense home network, and try to open the same tftp connection, i get a timeout.
so for now, it might be a routing thing, or where tftp doesn’t like the goofy network configuration that OVH requires me to have.
@p4cm4n So you are trying to pxe boot across the internet between the cloud provider and the local network? Understand I’m trying to get a picture of how this is setup. Where is your pfsense box in relation to the FOG server and in relationship to the clients?
@george1421 OVH is just a cloud hosting provider.
I have no connection whatsoever to this env. Just wide open, dedicated server at the moment.
I was hoping to do this without modifying the client network in any way.
OK I don’t know what an OVH platform is. I assume its off site? Do you have a full time VPN connection between your cloud environment and the local network?
I just started testing.
With a server in the same datacenter, TFTP works as expected (I’m not able to mess with pxe settings at the moment but probably can in the future)
With a server at my home, I cannot chainload an image from the OVH server. TFTP times out. I’ve tried to manually open the connection and transfer, but it fails.