Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

PXE Boot DHCP Option 66 + 67 - Client falsely using the Firewall IP-Address as TFTP Server

I'm trying to copy a PXE Boot Optin from the DHCP Server of a UTM to Sophos XGS

The problem I face is, the Boot Client uses the IP-Address of the Firewall/DHCP Server as TFTP Server instead of the value provided in the Option 66 (Next Server)

I tried with GUI

and with CLI

system dhcp dhcp-options binding add dhcpname my-dhcpservername optionname TFTP_Server_Name(66) value '172.16.1.2/bblefi-x64/shim_x64.efi'

console> system dhcp dhcp-options binding add dhcpname my-dhcpservername optionname TFTP_Server_Name(66) value '172.16.1.2'
DHCP option TFTP_Server_Name(66) added for DHCP Server my-dhcpservername.

console> system dhcp dhcp-options binding add dhcpname my-dhcpservername optionname Bootfile_Name(67) value '\bblefi-x64\shim_x64.efi'
DHCP option Bootfile_Name(67) added for DHCP Server my-dhcpservername.

console> system dhcp dhcp-options binding show dhcpname my-dhcpservername
Options Configured from GUI
---------------------------
xxx-removedbyauthor-xxx


Options Configured from CLI
---------------------------
TFTP_Server_Name(66)                                        "172.16.1.2"
Bootfile_Name(67)                                           "\\bblefi-x64\\shim_x64.efi"

and get the same result at the client:

192.168.32.1 is the sophos firewall

it should use 172.16.2.1 but it does not

172.16.2.1 is behind a IPSEC-VPN from the perspective of the Client.

That is the IP-Address of the Firewall that is also the DHCP Server.

Then I tested this - I found it in an other post here from Sophos Staff but with that value, the Client did not receive an IP Address at all. It already looks ugly.

console> system dhcp dhcp-options binding add dhcpname my-dhcpservername optionname TFTP_Server_Name(66) value '172.16.1.2/bblefi-x64/shim_x64.efi'
DHCP option TFTP_Server_Name(66) added for DHCP Server my-dhcpservername.

console> system dhcp dhcp-options binding show dhcpname my-dhcpservername
Options Configured from GUI
---------------------------
xxx-removed-xxx
Options Configured from CLI
---------------------------
TFTP_Server_Name(66)                                        "172.16.1.2/bblefi-x64/shim_x64.efi"

In a tcp dump, it all looks fine so far - the offer includes the correct IP:

    Option: (54) DHCP Server Identifier (192.168.32.1)
        Length: 4
        DHCP Server Identifier: 192.168.32.1
    Option: (51) IP Address Lease Time
    Option: (1) Subnet Mask (255.255.255.128)
    Option: (3) Router
    Option: (6) Domain Name Server
    Option: (15) Domain Name
    Option: (66) TFTP Server Name
        Length: 13
        TFTP Server Name: 172.16.1.2
    Option: (67) Bootfile name
        Length: 23
        Bootfile name: bblefi-x64\shim_x64.efi
    Option: (255) End
        Option End: 255

But then the Client uses the Firewall IP again instead of the real Server IP in TFTP communication:

Any idea?



This thread was automatically locked due to age.
Parents Reply Children
  • Thank you, too.

    In the meantime we distributed a small VLAN over some remote locations where we have a XGS and tell the guys to connect a PXE client to that VLAN. On the other end of the VLAN sits our Windows DHCP server and serves the correct DHCP options to the remote location.

    I think this is such a basic and common demand, Sophos should adjust their DHCP server to support that, just like we all want Sophos Firewall to be working as a NTP server without nasty workarounds.

  • You are welcome, that is also a clever workaround. It seems to be a bug of sorts, I spotted the problem in 2 other threads and got this reply:

     RE: SOPHOS XG DHCP BOOT FILE PXE/SCCM 

    So we just have to cope for a little longer ;)