Centos 7 Fog Setup with 2 network cards, Public / Private



  • Hi guys I am currently setting up FOG to run on a Centos 7 box. The machine has two network cards.

    The first card is public and is connected to a switch and is used for outside i.e internet etc.

    The second card Is going to be hooked up to a separate network card, connected to a isolated network switch to purely be used for imaging purposes.

    Currently there is a DHCP server running on the public network. I want to add a new DHCP server on the isolated network card to purely dish out ips for machines to be imaged.

    So how do I go about setting this up?

    The server ip will be eth0 (public? or the second private ip?)

    regarding eth1 the isolated card what would be the gateway? do I set one? or do I use the server addy?

    Many Thanks for the help guys



  • @Wayne-Workman

    Many Thanks for the guidance I really do appreciate it because of yourself and others on this fantastic forum I have learned alot.

    I haven’t had a chance today to play with the FOG stuff. However hopefully I can look at the DHCP configuration side of things tommorow.

    I will report back my progress and any problems.

    Many Thanks


  • Moderator

    @ally_uk said in Centos 7 Fog Setup with 2 network cards, Public / Private:

    I need a Centos7 DHCP tutorial now lol

    The configuration file on all linux distributions is setup exactly the same. The only variation is the commands to install, start, and enable.

    I didn’t include DHCP instructions in the CentOS 7 wiki article because no one-size fits all, and I figured people either have a pre-existing DHCP server they want to use, or they want FOG to do it all and in which case they just answer “yes” to DHCP during the fog installer and the installer does take care of it.

    You can’t do that though because you have two NICs.

    You need a custom configuration, and you cannot let FOG manage it - because it’ll mess it up, because it’s written under the assumption of one Network Interface being used, and every time you run the installer with FOG managing DHCP, it’ll write-over the custom configuration unless you just totally disable FOG touching DHCP.

    There’s no way around this, not at all. You must manually edit or create a DHCP configuration - and it’s not all that tough, and all the instructions are already written in my first post in this thread.



  • I will fire up the machine and report progress tommorow.

    Regarding DHCP I assumed FOG would automatically setup a range and automatically configure the DHCP side of things.

    The installation guide I have been following on the wiki had no mention of how to configure DHCP.

    Ahwell least I am learning loads :)

    I need a Centos7 DHCP tutorial now lol

    Thank you guys


  • Moderator

    @ally_uk Knowing what we know now, you may want to review Wayne’s post https://forums.fogproject.org/topic/8861/centos-7-fog-setup-with-2-network-cards-public-private/3 because it pretty much covered what we are talking about now.


  • Moderator

    @ally_uk Is this the first time you’ve got this far with the installer?

    I can’t say for sure, I don’t remember the exact steps the installer uses on a fresh install. As long as you told the installer you wanted to have fog manage the dhcp server we can get you to where you need. The key is getting the isc-dhcp installed.



  • I am getting a warning after the mysql update that says there is no dns / dhcp address is this ok to proceed?



  • Thank you my man :)


  • Moderator

    @ally_uk As far as FOG goes, ignore that you have a business LAN nic installed in this computer. It (fog) only needs to know about interfaces it must use. So for server IP it would be the nic address on the imaging LAN.

    As for dhcp router address, that should be blank because there is no path data out of your isolated imaging LAN.



  • Please tell me if any of this information is wrong. I have put a # next to items I am unsure of

    #Server I.P Address: 192.168.1.102
    Server S/M 255.255.255.0
    #Interface enp3s9 ( Second network card has different i.p from server i.p addy)
    Installation type: normal server
    Image storage location /images
    Using Fog DHCP: yes
    #DHCP Router address:

    Again many thanks for holding my hand I will document everything once it is working lol


  • Moderator

    @ally_uk Your network settings look correct based on what we know so far.

    As for your default network card, you want to select the one for your imaging network. You want the imaging servers (dhcp especially) to bind to the imaging LAN interface and not to your business LAN (which would be a bad thing).



  • The main reason was to have the imaging side isolated because of the DHCP server running on the main network I wanted to avoid any potential conflicts.

    The first Ethernet card connected to main network;

    192.168.1.102/24
    ( This network has gateway and DNS setup the router handles DHCP I have manually set it as a static I,P this card is for server to get to outside world)

    The second card is isolated for imaging connected to a separate switch.

    192.168.2.12
    255.255.255.0
    No Gateway


    Firstly are these networking details ok?

    Go easy on me lads as this is all new to me :) during the initial fog setup it asks for a default network card to use? am I right in saying it would be the first Ethernet card?

    Secondly it is asking me whether to use DHCP and which device to use this part is giving me a headache I assume I set it to the second network card?

    Again thank you


  • Senior Developer

    While it may not make sense to all, the idea of “isolated networks” is that they are independent of the main network infrastructure the rest of the business is using. Isolated networks actually make multicast, I think, a lot more reliable without potentially causing issues with the main network due to the oblivious network packets pushed around.

    There’s any number of reasons a business, or user, would prefer to have fog on it’s own network though. The aim of FOG is to support whatever the environment is around them. Some of the reasons may include security, but I’ll side more on the area of just keeping large bandwidth usage off of the main “users” network is more likely.

    To work off of @george1421’s question regarding:

    Now something you haven’t mentioned is this: When you image your target computers on your isolated imaging LAN, do they need to connect to resources on your business LAN during imaging like active directory. If so you will need to take a few steps to turn your fog server into a router too.

    I don’t know that imaging, itself, would require AD access unless you’re specifically using AD to connect to a file share that a download script is going to be connecting, to place files on. (This is fairly uncommon from what I’ve seen.)

    Maybe I’m asking too many questions? The area of concern here is the isolated network though. As @george1421 asked, if you do need AD joining after imaging has finished, are these systems going to be connected to both networks? Maybe you could do better using a setup of VLAN’s so as to limit traffic to a specific VLAN, while enabling cross-VLAN communication? This way you don’t need to keep disconnecting the systems being imaged to get profile stuff after imaging is completed: (For example FOG Client, while allowing the freshly imaged systems to still pickup their Windows Updates or activation schema’s).

    I personally prefer the VLAN approach as the vlan can be segmented while still allowing communication to the whole network. This is just my own personal preference as I’m not a fan (myself) of doing that much more work.

    The way I’m understanding the current workflow for most Isolated networks is:

    1. System needs to be taken off “primary” network and placed on “imaging” network.
    2. System needs to be rebooted (however you may decide to do this).
    3. System images through and may need to be shutdown after imaging to ensure PC is in still waiting in “clean” state.
    4. System needs to be taken off “imaging” network and placed on “primary” network.
    5. System needs to be booted to make sure the system gets it’s information depending on your layout.

    I think this is just a lot of extra steps when you could more simply just keep traffic restricted to a particular vlan. Heck you can even setup so that you don’t have to worry about a specific VLAN doing the imaging and never even have to take down a whole network. I know this may seem a bit involved, but when we switched to VLANs in my past position, there was as significant improvement in the overall network availability during imaging.

    There are some caveats that I think need to be added. If I could redo the structure, I’d have placed a FOG Storage Node on each separate VLAN and installed the location plugin. I’d then point the systems within the VLAN scope to the location defined for each related VLAN Storage node. This would totally perform exactly as needed while, again, keeping the imaging restricted to the relevant VLAN scope for such things as Multicast, Unicast, Uploads, etc…

    These are just my thoughts and you can do as you please. If you don’t mind doing the extra work of disconnecting from main and putting on isolated switch, then everything should be fairly straight forward from now on.


  • Moderator

    @george1421 when dhcp is managed by a third party, dnsmasq is an option that will work usually. When there is voip on the network, you would create dhcp matching for the phones you have so they get the correct option 066 and 067, and also create matching for legacy and uefi. I helped a guy in Australia set this up once using isc-dhcp, it worked fine. For bandwidth problems, there are storage nodes, the location plugin, and multi-master setups if need be. If there are 10Mbps switches in use, those are extremely obsolete, are beyond end-of-life, out of warranty, and need replacing. 100Mbps while very old can do imaging at an acceptable rate, 3 of our 24 buildings are 100Mbps and they do ok.


  • Moderator

    @Wayne-Workman While I can’t speak for the OP, there are valid reasons for using an isolated imaging LAN vs the business LAN. The one thing that comes to mind is having conflicting dhcp settings that can’t be overcome. In some environments dhcp is managed by a third party or there are conflicts between voip (which uses dhcp/pxe to provision the phones) and pxe based imaging. There also many be bandwidth constrains where some people may have to limit high bandwidth traffic to a single dedicated switch.

    The benefit of FOG is that it supports both the traditional distributed imaging environment as well as the dedicated imaging environment. You just make the decision at install time which functions you want FOG to do and it creates the proper configuration.


  • Moderator

    @george1421 said in Centos 7 Fog Setup with 2 network cards, Public / Private:

    When you image your target computers on your isolated imaging LAN, do they need to connect to resources on your business LAN during imaging like active directory. If so you will need to take a few steps to turn your fog server into a router too.

    I really dislike it when people want to “isolate” fog, like it’s some liability or threat or some boogie man on the network that you can’t control.


  • Moderator

    @ally_uk said in Centos 7 Fog Setup with 2 network cards, Public / Private:

    If I set this card to say 192.168.2.56
    Would that work? Does it need a gateway? Or do I literally just configure S/M and I.P?

    Since there is no way out of this isolated network then no gateway value is needed (or should be added since the default router on your business network is your path to the internet). If you had two gateways (for the fog server since its dual homes) how would the fog server know how to reach the internet or other subnets beyond your router.

    Or to say it another way, supply ip and subnet mask for your imaging LAN nic and ip, subnet mask, and default gateway on your business lan nic.

    Now something you haven’t mentioned is this: When you image your target computers on your isolated imaging LAN, do they need to connect to resources on your business LAN during imaging like active directory. If so you will need to take a few steps to turn your fog server into a router too.


  • Moderator

    In CentOS 7, routes control what gateway is used for the server.

    I think I already explained below about not handing out a gateway or DNS on the isolated network via dhcp. A network doesn’t need either of these things.



  • Thank you both for your input. I wont be able to get hands on and play until tommorow.

    Regarding the second network card. it is completely isolated from the business network. the card literally is being plugged initially into a small network switch. I obviously want this card to hand out I.ps to anything connected to this card for pxe booting.

    If I set this card to say 192.168.2.56
    Would that work? Does it need a gateway? Or do I literally just configure S/M and I.P?

    The other network is public and is 191.168.1 based the router on this network handles all the internal DHCP requests. The reason why it is public is because I need Internet access to doenload packages etc.

    Thank you for being very clear and understanding you guys are a credit to this place.


  • Moderator

    George’s steps will work, I don’t even need to read/test them to know that. Because George is the man.

    My thoughts on how I would do it, I’d go ahead and have BOTH of the NICs installed, One on your production network, the other not connected. I’d install the Linux OS next. The active NIC ought to be statically addressed within the OS setup, it’s usually just easier to do here.

    Then I’d go straight to FOG 1.3.0 RC, and I’d tell FOG to not setup DHCP. After that’'s done, I’d connect the other NIC to a stand-alone switch just so it’s connected to something.

    I’d configure the 2nd NIC to have a static address. You must set up the NIC to be using a different network. For instance if nic 1 is on 10.0.0.0/16 then your nic 2 could not use that network because it’d mess up the routes on the server. You could setup nic 2 in this case to be on 192.168.1.0/24 and that would be fine. You’d need to follow documentation for your Linux distribution on configuring the 2nd NIC and having it be enabled at boot. Luckily it’s easy in CentOS 7, all the files you need are inside of /etc/sysconfig/network-scripts

    After doing this, you would go through steps to change FOG’s IP address. Even though you’re not changing the server’s actual IP, FOG must be re-configured to use the other IP address. Steps on that are here.

    Next, install dhcp for CentOS 7.
    yum install dhcp -y

    Next, I would just hand-write a configuration file for dhcp. I’m really good at doing this actually, and if you gave me the output of ip addr show after you have both NICs configured and working properly as described above, I could just give you a configuration file.

    But, if you wanted to write the file on your own, to make one interface not serve DHCP, create a section in the DHCP configuration that specifies that interface’s network, and just leave it blank. Using a 192.168.1.0/24 network as an example:

    subnet 192.168.1.0 netmask 255.255.255.0 {
    }
    

    The NIC you want serving DHCP is basically copy/paste from here but would probably need modifying for your specific network. You would not need DNS or router since it’s isolated. But you’d need to tweak the subnet address, mask, range, and next-server of course.

    After doing that, start and enable DHCP.


Log in to reply
 

352
Online

39.3k
Users

11.0k
Topics

104.4k
Posts

Looks like your connection to FOG Project was lost, please wait while we try to reconnect.