Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • Locked Locked
  • Replies 12 replies
  • Subscribers 45 subscribers
  • Views 18971 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PXE Boot DONE!

Panagiotis Vakerlis

Hello everyone!

Since documentation on pxe booting on XG is (at least) gray, I've finally found a solution that works for me and opened this discussion to share ideas or success stories if it's working for others.

First of all, we'll need to login to the console of the XG.  There are 2 ways for that:

1) On the webpage of the XG, click on your name(probably admin) on the top right corner and click console. It will ask for password and then to press enter to show the console menu

2) Via SSH(eg. putty). Remember your username is not root if you're used to it, it's admin!

After that, we get to the same menu for both. A list with numbers to select for settings. We press 4 to enter Device Console.

Once we're in the Console, we'll need to know 3 things. The name of the DHCP server(the default is Default_DHCP_Server, the Tftp-server IP and the bootfile. My case let's say it's Default_DHCP_Server, tftp ip is10.10.10.148 and the bootfile is pxelinux.0 
You can find the name of the DHCP Server clicking Network->DHCP on the sfos web page.
We enter these 2 commands:

system dhcp dhcp-options binding add dhcpname Default_DHCP_Server optionname TFTP_Server_Name(66) value 10.10.10.148

system dhcp dhcp-options binding add dhcpname Default_DHCP_Server optionname Bootfile_Name(67) value pxelinux.0

Notice that although all the manuals and other people used brackets on the values(eg. 'pxelinux.0'), I didn't. Don't know if it's better, but since it's working this way, I didn't touch it!

Close the console. At this point, you should get an ip address when you try to boot from lan, but will not boot to the environment, although you should. I believe the problem lies the XG doesnt like to forward to another server, although it now knows there's a pxe boot.

Next step is to go to the web page of the XG and go to Firewall -> Add Firewall Rule ->Business Application Rule

Application Template "Full Nat/DNAT/Load Balancing"

Position "Top"

Enter the rule name you want (eg. TFTP)

Source "LAN" - Allowed Client Networks "ANY"

Destination "10.10.10.1" (Your routers address. DO NOT use the ones with a # in front. We'll need it for later! Probably you don't have it, so create one. Name it Sophos and put its address)

Services add one with port UDP 69 and one with port UDP 4011

Protected Servers "10.10.10.148" (your pxe servers address. add it if you don't have it)

Protected Zone "Lan"

Next click Rewrite Source Address "Masquerading" and click the one with the rules name(in my case it was #TFTP). Do not use MASQ

Finally click create reflexive rule and save the rule.

Voila! For me anyways.

I tested this with Clonedeploy and FOG and it boots.



This thread was automatically locked due to age.
Parents

  • I've tested this and it doesn't work for WDS or SCCM PXE.

    Two problems: 

    The XG business application rule does not limit its matching to the services specified, so all traffic destined for your PXE server gets NATed, not just the port 69 and 4011 traffic. Additionally, all traffic coming from the PXE server gets NATed as well, even when it shouldn't be. Why you need to bother specifying services if it's going to match everything anyway is bizarre and infuriating.

    Most PXE clients absolutely need the next-server value specified. With the NAT rule in place, I do get the initial file from the TFTP server, but there is a referral in the response that instructs PXE to get other files and the client will then try to get the file from the server specified in DHCP. Since next-server isn't (and can't be) specified, the client tries to get it from 0.0.0.0 which is invalid and doesn't exist (and the XG will not allow you to create a NAT rule to forward traffic destined for 0.0.0.0).

    Why is the ability to configure next-server missing? Isn't this a core, standard part of the DHCP server specification?

    My Sophos rep pushed me hard to switch from UTM to XG and I'm very, very disappointed with the XG firewalls for this and a number of other issues.

  • in reply to asander

    First of all, sorry for being away for some time.

    As I've mentioned, I wrote this to look for feedback. See if it's a global solution or a personal. No need to get cranky on something I've already declared to be a personal solution.

    Second to that, the business rule imitates next-server. For me at least. I've had the same problem for the next-server going to 0.0.0.0 and not loading the menu and when I created the business rule, it worked. Wrong or right, it worked and didn't have any side effects for my setup. 

    However, after one full year of ACTIVELY using this, I have to say that it's not working on all machines. Maybe it's a Clonedeploy problem (It throws an error TFTP bootfile is too long). But I've setup a few machines as cloners and they work flawlessly. On other machines it's trial-and-error.

    With your pxe server being out of the subnet, I can't help with that.

  • in reply to Panagiotis Vakerlis

    Any way to get updated instructions for V18? They have changed the way dnat/snat/business rules get created. 

    Trying to mobilize a remote work group and wanted to pxe boot remotely but its not working for me. 

    It tries to reach 0.0.0.0 and it fails.

    Any help would be greatly appreciated. 

    Thanks

    Gus

Reply
  • in reply to Panagiotis Vakerlis

    Any way to get updated instructions for V18? They have changed the way dnat/snat/business rules get created. 

    Trying to mobilize a remote work group and wanted to pxe boot remotely but its not working for me. 

    It tries to reach 0.0.0.0 and it fails.

    Any help would be greatly appreciated. 

    Thanks

    Gus

Children
No Data
Unfiltered HTML