Topics created by PCrispim

Looks like you are having issue with TFTP. With recent firewalld, you have to have some mechanism for inter-zone traffic. I’m not sure if the one on CentOS 7 is covered. Also, you missed to show the zones of your interfaces.

I have these on my setup where the storage server has 3 interfaces serving diskless clients via iscsi:

For my external zone:

[root@san ~]# ip -4 addr ls xenbr0 6: xenbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 inet 192.168.0.33/27 brd 192.168.0.63 scope global dynamic noprefixroute xenbr0 valid_lft 3181sec preferred_lft 3181sec [root@san ~]# [root@san ~]# firewall-cmd --get-zone-of-interface=xenbr0 external [root@san ~]# firewall-cmd --zone=external --list-services dhcp http https iscsi-target samba ssh tftp

And this is my internal zone

[root@san ~]# ip -4 addr ls xenbr10 7: xenbr10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000 inet 192.168.10.1/24 brd 192.168.10.255 scope global noprefixroute xenbr10 valid_lft forever preferred_lft forever [root@san ~]# [root@san ~]# firewall-cmd --get-zone-of-interface=xenbr10 internal [root@san ~]# firewall-cmd --zone=internal --list-services dhcp http https iscsi-target postgresql samba ssh tftp

I have these firewalld rule to enable the inter-zone traffic:

[root@san ~]# cat firewalld.txt firewall-cmd --new-policy NAT_int_to_ext --permanent firewall-cmd --permanent --policy NAT_int_to_ext --add-ingress-zone internal firewall-cmd --permanent --policy NAT_int_to_ext --add-egress-zone external firewall-cmd --permanent --policy NAT_int_to_ext --set-target ACCEPT

Finally, I test things out from one of my vms and tried to can grab a file over tftp

user@debian:~$ ip -4 addr ls virbr0 5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UP group default qlen 1000 inet 192.168.10.15/24 brd 192.168.10.255 scope global dynamic virbr0 valid_lft 2111sec preferred_lft 2111sec user@debian:~$ user@debian:~$ tftp 192.168.10.1 -vc get ipxe.d/roms/undionly.kpxe Connected to 192.168.10.1 (192.168.10.1), port 69 getting from 192.168.10.1:ipxe.d/roms/undionly.kpxe to undionly.kpxe [netascii] Received 75436 bytes in 0.6 seconds [928658 bit/s] user@debian:~$ ls -lh undionly.kpxe -rw-r--r-- 1 user user 74K Dec 12 10:25 undionly.kpxe

@george1421 I used TCPDUMP without telling which ports to listen (tcpdump -i enp12s0 -w output3-BIOS-hp.pcap), in 3 computers:

UEFI Computer #1 - file is “output1-UEFI-insys.pcap” - https://drive.google.com/file/d/1lBxNv2bhjTtMhPEC2gd66tpzV3egZK5i/view?usp=sharing UEFI Computer #2 - file is “output1-UEFI-b560m.pcap” - https://drive.google.com/file/d/1TgiQS15RrESjc3Q92euB7UWOMLPOxXFu/view?usp=sharing BIOS Computer #3 - file is “output1-BIOS-hp.pcap” - https://drive.google.com/file/d/1gkz71TMr8XzJovDSOZqyvkcvtsjCz2I0/view?usp=sharing

I think in these files, you can see at DHCP information and finally can figure out how to help me. I really need this to be working. School starts next tuesday and I have a lot of computers to deploy images to.

@george1421 , thank you for all your time. I will try it.

@pcrispim So if on the fog server you navigate to /var/www/html/fog/service/ipxe/ and key in file bzImageB851 what does it report?