DHCP-PXE booting process problem with BIOS+UEFI computers simultaneously

SERVER AND NETWORK INFORMATION
The main FOG Server IP is 10.1.8.1 (interface enp12s0)
I have severall VLAN in my network.
I have two NICs in the FOG Server (one that resides in the Quarantine VLAN, which is the 10.1.8.0/23 network - the enp12s0 interface) and another which is in the 10.114.187.0/24 network).
After the image is deployed, hosts can only communicate with the 10.114.187.14 IP interface (that is the second IP of the FOG Server), because computers are no longer in the Quarantine VLAN, so the FOG Client can communicate with FOG.
All has been working until removing option 66 & 67 and trying to get dnsmasq to work.

FOG Server is latest stable version (1.5.9) and OS is CentOS 7.

FIREWALL
This is the output of the services and ports open - is anything missing?

• firewall-cmd --list-services
  dhcp dhcpv6-client dns ftp http https mountd mysql nfs proxy-dhcp rpc-bind samba ssh tftp
• firewall-cmd --list-ports
  49152-65532/udp 67/tcp 68/tcp 69/tcp 4011/tcp 80/tcp 443/tcp 69/udp 68/udp 67/udp 4011/udp 8099/tcp 22/tcp 22/udp

SITUATION
I cannot get both my BIOS and UEFI computers to image with FOG.
So far I only had BIOS comuters, and was using option 66 and 67 (equivalent settings in CISCO DHCP Server).
Then, I removed both those options and installed dnsmasq (according to https://forums.fogproject.org/topic/12796/installing-dnsmasq-on-your-fog-server).
I configured it exactly as stated there, replacing <fog_server_IP> with 10.1.8.1

RESULTS IN BIOS COMPUTER
I boot in PXE, and I get what appears in this video: https://drive.google.com/file/d/1htJ21EpTW17sGUcnlAOXbLdcQsP-cC1a/view?usp=sharing
After what you see in the video, it takes a long time (10 minutes or more) until appearing 3 times “PXE-E32: TFTP open timeout” and then “PXE-M0F: Exiting Intel Boot Agent.”
As it was doing the process of the video, I had tcpdump running (tcpdump -i enp12s0 -w output-BIOS.pcap - I used no filters so all traffic could be captured, because almost no other computers where active at the moment I captured this) which you can download from https://drive.google.com/file/d/1pQe0BpY1Y8f4F4vKXfzNdWtSov6sHvSw/view?usp=sharing

RESULTS IN UEFI COMPUTER
I boot in PXE, and I get what appears in this video:
https://drive.google.com/file/d/1NIzl-W_ZRmXf1aPPTaHypPpNszdjqsOQ/view?usp=sharing
(as you see, we only know it receives an IP, but no more messages until it returns to UEFI, from where I forced to boot in PXE).
As it was doing the process of the video, I had tcpdump running (tcpdump -i enp12s0 -w output-UEFI.pcap - once again, I used no filters so all traffic could be captured, because almost no other computers where active at the moment I captured this)
which you can download from https://drive.google.com/file/d/1QH3nHbLeCbNEwIsHB5Hk1sN6XzOuPIDX/view?usp=sharing

OTHER THINGS

• In https://forums.fogproject.org/topic/12796/installing-dnsmasq-on-your-fog-server is mentioned Option 93 in DHCP. Do I need to configure something in the CISCO DHCP server, regarding that option?
• We are a public secondary school, but the Network devices (CISCO Switches and Routers) are managed by a private enterprise that works for our Education Ministry, and it’s hard to tell them what we want to do.
  Any help would be really appreciated (school starts next tuesday and I still don’t have the computers with the images for this school year).

@george1421 I used TCPDUMP without telling which ports to listen (tcpdump -i enp12s0 -w output3-BIOS-hp.pcap), in 3 computers:

• UEFI Computer #1 - file is “output1-UEFI-insys.pcap” - https://drive.google.com/file/d/1lBxNv2bhjTtMhPEC2gd66tpzV3egZK5i/view?usp=sharing
• UEFI Computer #2 - file is “output1-UEFI-b560m.pcap” - https://drive.google.com/file/d/1TgiQS15RrESjc3Q92euB7UWOMLPOxXFu/view?usp=sharing
• BIOS Computer #3 - file is “output1-BIOS-hp.pcap” - https://drive.google.com/file/d/1gkz71TMr8XzJovDSOZqyvkcvtsjCz2I0/view?usp=sharing

I think in these files, you can see at DHCP information and finally can figure out how to help me. I really need this to be working. School starts next tuesday and I have a lot of computers to deploy images to.

@george1421 said in BIOS + UEFI in a CISCO network:

@pcrispim There is a lot of things to unpack here.

When computers boot, they are placed in a Quarentine VLAN (10.1.8.0/23), which is where the FOG Server is (10.1.8.1).

Ok on this quarantine vlan what device is your dhcp server?

It’s a CISCO device (I don’t know if it’s a router or a layer 3 switch)

Also, the FOG server as another NIC in a different VLAN, so clients can connect to it once a user logs on (so the FOG Client can communicate with FOG server in a different VLAN).

FOG is only designed to work for imaging with a single network interface. You can have multiple management or interfaces network cards, but as you noted you will need to bind dnsmasq to a single interface so you don’t confuse pxe booting clients on other vlans.

How can I do that? Is it enough to put a line in ltsp.conf to use only the network interface that is bind to IP 10.1.8.1, like this:

interface=enp12s0

That has been working for over a decade, so I don’t think that’s the problem.

Makes me wonder what version of FOG are you running??

I’m in the latest stable version, 1.5.9

Is there a way I can see the dnsmasq log and figure out if the UEFI computers do try to communicate?

I have a tutorial on using the FOG server to capture the packets the target computer is being told for the dhcp process I think we need to get a pcap to see exactly what is going on. Its a bit more in depth step to see what they are really being told.

https://forums.fogproject.org/topic/9673/when-dhcp-pxe-booting-process-goes-bad-and-you-have-no-clue

Look at the pcap with wireshark. The DISCOVER packet will be from the target computer. Look at dhcp option 93 or 94 (can’t remember) that is where the client will say I’m a bios or uefi computer. Then look at the offer packets. You should see two. One from your main dhcp server and one from dnsmasq. The dnsmasq OFFER will have dhcp option 60 set to something like PXEClient and the main dhcp sever OFFER will not have dhcp option 60. DHCP option 60 tells the client its a proxydhcp packet. After the ACK packet you should see the client reach out to the FOG server on port 4011. Then you should see the tftp request from the client for the boot loader files. If you don’t know wireshark then post the pcap to a public file share and then either post the link here or DM me the link in FOG chat and I will take a look at it.

I’ve sent you by DM the link to the file

@george1421 One other thing: in BIOS computers, I get no menu when I boot to PXE, and I think it was supposed to appear the menu, because I see it in the ltsp.conf file, right?
What I’m wondering is that maybe the IT guy removed the options but didn’t restart the service or something like that.

@george1421 Yes, they are. When computers boot, they are placed in a Quarentine VLAN (10.1.8.0/23), which is where the FOG Server is (10.1.8.1).
Another thing: I see UEFI computers boot to PXE, but I get no output messages, only that it is trying to connect (and don’t find a place in UEFI where I can configure so it is a verbose output).
Also, the FOG server as another NIC in a different VLAN, so clients can connect to it once a user logs on (so the FOG Client can communicate with FOG server in a different VLAN).
That has been working for over a decade, so I don’t think that’s the problem.
I also tried to add a line in ltsp.conf with “interface=enp12s0”, which is the interface with the 10.1.8.1 IP Address.

Is there a way I can see the dnsmasq log and figure out if the UEFI computers do try to communicate?

@george1421 , thank you.
I did that, but still can’t get UEFI computers to work with FOG.
I asked the IT team to remove option 66 and 67, and BIOS computers are working, but not UEFI ones.
Could IT guys missed something?

@george1421 Thank you very much.
Just tell me one other thing, please: my Cisco is also my DHCP Server.
Do I remove both option 66 and option 67 from the configuration, or just option 67?

Hello!
I used to have only BIOS computers, but now we aquired UEFI computers too and I can’t seem to have them working with FOG.
We are using a CISCO as our DHCP server, so what must I need to configure so both BIOS and UEFI computers get the corresponding file they need?

Thank you

@george1421 , thank you for all your time. I will try it.

@george1421 , good morning!
I already had a group and placed all HPs in there (it was the last image I sent you).
But, as I showed you in the last image, there’s no option in FOG Groups to set the Host Init (I will post the image below, once again).
Is there another way to set it?