LinuxQuestions.org
Old 05-30-2010, 08:54 AM   #1
lpallard
Senior Member
 
Registered: Nov 2008
Posts: 1,045

Rep: Reputation: Disabled
SmoothWall firewall and PXE boot


I have installed Smoothwall 3.0 on one of my machines (let's call it netserver) to act as my DHCP server and firewall... Everything is working like a charm except the network boot functionality. I am not capable of booting my laptop from its DHCP server.

Basically, network boot is activated in the DHCP config page. In the boot server text field I entered the IP of my machine where the boot packets are stored, in the root path text field I entered the address ON the machine (let's call it lhost3) where the Slackware packages (mirror of the Slackware tree) are all located, and finally in the boot filename I entered the path where the pxelinux.0 file sits...

For everybody to understand better, here's the file structure in lhost3:

Slackware mirror is located at:
/mnt/lhost3-mnt/slackware-current/slackware-current/

Content:
BOOTING.TXT
COPYING
CURRENT.WARNING
GPG-KEY
README_LVM.TXT
Slackware-HOWTO
kernels/
testing/
CHANGES_AND_HINTS.TXT
COPYING3
ChangeLog.txt
PACKAGES.TXT
README_RAID.TXT
UPGRADE.TXT
patches/
usb-and-pxe-installers/
CHECKSUMS.md5
COPYRIGHT.TXT
FAQ.TXT
README.initrd
SPEAKUP_DOCS.TXT
extra/
slackware/
CHECKSUMS.md5.asc
CRYPTO_NOTICE.TXT
FILELIST.TXT
README_CRYPT.TXT
SPEAK_INSTALL.TXT
isolinux/
source/

Network boot files (tftpboot) located at:
/mnt/lhost3-mnt/tftpboot/slackware-current/pxelinux.0

Content:
f2.txt
initrd.img
kernels/
message.txt
pxelinux.0
pxelinux.cfg/


Basically once my laptop has booted (using a slack CD#1, a bootable usb stick, etc) I can easily install Slackware from the lhost3 server by selecting the NFS option as the installation source media. The problem is that when I try the network boot, my laptop's BIOS says "File not found" or something like that to say that it couldn't find a bootable packet...

What is wrong? When I had Slackware on the DHCP server, everything was working fine. I could reinstall slack but I installed smoothwall because I liked the web interface for administration purposes and the fact that it is preloaded with nice features. Also, I had severe networking problems with slack (I could not connect to the web, etc)..

Thanks in advance for your inputs!
 
Old 05-31-2010, 07:50 PM   #2
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Your explanation jumps over a lot of critical detail.

There are a number of stages that a network boot goes through, and any one of them failing will stop the whole process. To diagnose the problem, it is good to treat each part in its own right. A good place to start is, not surprisingly, at the beginning.

When the PXE client starts, its very first step is to get two things from the network: an IP, and a PXE bootloader. These are obtained from a dhcp server and a tftp server, respectively. Typically, as in your case, these two servers exist on the same host. So, the first step is to make sure the dhcp server is running, and has a proper config file. You should be able to see the dhcp server in the process list. If there is any question about whether the dhcp server config file is valid, then post it here, and someone can probably confirm that it looks okay, or point out potential problems. To see if the dhcp server is receiving requests from any clients, run as root:
Code:
tail -f /var/log/messages
while the PXE client tries to boot. If it is seeing DHCP requests, they should be getting reported in the system log file (at least, they have been in any configuration I've used).

The dhcp server should report a filename for the PXE client to fetch, and in more recent versions of the ISC dhcp server, the name of the next-host from which to fetch it. Normally, the filename will be pxelinux.0, and the next-server variable (in dhcp.conf) will be the same as the dhcp server host. The filename is then fetched by tftp from the specified host. This implies that a properly configured tftp server is running on that host. The tftp server will be given all it needs to know from its startup arguments, which are normally in the xinetd configuration scripts. Before I continue this explanation, can you please confirm how much of this you know is working? If we can't confirm that the first stages are right, it is pointless to carry the diagnosis any further, for now.

--- rod.
 
Old 05-31-2010, 07:58 PM   #3
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,974

For some reason I kind of think the files ought to be at the base of tftp.

What how-to did you use for the PXE? It may help us.

If you get totally off track you may have to set up Wireshark to view the actual handshaking to see how far it gets.

Guess you could set up an HTTP or FTP server and use gPXE, but that sort of is a different deal and not what you are asking.
 
Old 05-31-2010, 08:56 PM   #4
lpallard
Senior Member
 
Registered: Nov 2008
Posts: 1,045

Original Poster
Rep: Reputation: Disabled

theNbomr, I did some verifications like you suggested.

I tried to boot my laptop through my network, basically, after the POST, the Internal NIC does its things with the DHCP server (handshaking) and I see this screen:

Code:
CLIENT MAC ADDR 00 1D 09 48 97 C8 GUID 4454C5C ....... and so on...
CLIENT IP 192.168.0.106 MASK 255.255.255.0 DHCP IP 192.168.0.100
GATEWAY 192.168.0.100
TFTP
PXE-T01: File not found
PXE-E3B: TFTP error - File not found
PXE-M0F: Exiting Broadcom PXE ROM

No bootable devices -- Strike F1 to retry boot or F2 to enter BIOS setup.
SO apparently, my laptop can "handshake" with my DHCP machine and get an IP... I double-checked in the DHCP logs and here's what I've found:
Code:
21:42:20 dhcpd DHCPDISCOVER from 00:1d:09:48:97:c8 via eth0
21:42:20 dhcpd DHCPOFFER on 192.168.0.106 to 00:1d:09:48:97:c8 via eth0
21:42:20 dhcpd DHCPREQUEST for 192.168.0.106 (192.168.0.100) from 00:1d:09:48:97:c8 via eth0
21:42:20 dhcpd DHCPACK on 192.168.0.106 to 00:1d:09:48:97:c8 via eth0
Now I attached a screenshot of my DHCP server to show you the options I entered there...

I hope this will help you to help me! Haha
Attached Thumbnails
Name:	snapshot2.png

Last edited by lpallard; 05-31-2010 at 08:57 PM.
 
Old 06-01-2010, 11:17 AM   #5
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Okay, so far we know that the DHCP server is running, receiving requests, and at least partly processing them.
What we still don't know is whether the DHCP server is correctly specifying the name of the bootloader (almost certainly pxelinux.0), and whether there is a running and correctly configured TFTP server to supply the bootloader and its config file. Here, it becomes a bit unclear whether your TFTP server is supposed to be on the same host as the DHCP server, and the text entry shown in your screen grab does not show enough text to allow this. Can you show the file /etc/dhcpd.conf? (it would be so much easier to help people without having the good stuff concealed by GUIs). We want to confirm that the DHCP server is specifying a bootloader filename correctly. In it, there should be a stanza that looks similar to this:
Code:
host lpallardlap {
    hardware ethernet     00:11:22:33:44:55;
    fixed-address         192.168.0.106;
    next-server           192.168.0.100;
    filename              "pxelinux.0";
}
I've tried to show addresses that seem to match your settings. The MAC, of course, will be different.

If the DHCP server looks good, then we want to confirm that the TFTP server is running. For this to be true, the xinetd daemon must be running, and the TFTP config file, /etc/xinetd.d/tftp, must exist and look much like this:
Code:
# default: off
# description: The tftp server serves files using the trivial file transfer \
#       protocol.  The tftp protocol is often used to boot diskless \
#       workstations, download configuration files to network-aware printers, \
#       and to start the installation process for some operating systems.
service tftp
{
        socket_type             = dgram
        protocol                = udp
        wait                    = yes
        user                    = root
        server                  = /usr/sbin/in.tftpd
        server_args             = -s /tftpboot
        disable                 = no
        per_source              = 11
        cps                     = 100 2
        flags                   = IPv4
}
The really important elements in this sample are the 'disable = no' and 'server = /usr/sbin/in.tftpd' entries. The first one says "don't not run the server" (love those double negatives) and the second one says where in the filesystem to export data.
Right now, there is a problem related to tftp, but we need to find out whether it is a missing spec in the dhcp server, or a missing tftp server, or a missing file in the tftp server's export, or some combination of these.

--- rod.
 
Old 06-01-2010, 08:17 PM   #6
lpallard
Senior Member
 
Registered: Nov 2008
Posts: 1,045

Original Poster
Rep: Reputation: Disabled
theNbomr, please see the attached screenshot of the dhcp.conf file on the smoothwall machine. Unfortunately, I couldn't copy/paste the text because I used the java console interpreter from my web browser to ssh to the smoothwall machine.

As for the TFTP stuff, please note I am using slackware on ALL machines... According to AlienBOB (http://alien.slackbook.org/dokuwiki/...=slackware:pxe), I need to get inetd running properly, and I can assure this is done. Basically, everything on the TFTP server is properly configured because when I had slackware on my DHCP server (instead of smoothwall), everything was working like a charm.... SO the problem has to be on the smoothwall machine no??

I'm confused! I guess I'll wait for your response..
Thanks!
Attached Thumbnails
Name:	snapshot3.png
 
Old 06-01-2010, 10:01 PM   #7
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Well, before we can go any further, the DHCP server needs to specify a bootloader. It doesn't. See the sample DHCP server config that I posted earlier. It needs to have the 'filename' statement, specifying the PXE bootloader.
I'm sorry I don't know anything about smoothwall. I can probably not give any further advice, unless it is about a conventional Linux distribution.

--- rod
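
An added example, not part of any post in this thread: a shell script that runs the checks rod describes in posts #5 and #7, reading the `filename` and `next-server` statements from a dhcpd.conf and the `-s` directory from the xinetd tftp file, then testing that the bootloader exists under that directory. The function names, the path-prefix argument and the sample files are assumptions constructed for the example, and it treats the DHCP filename as relative to the `-s` directory.

```shell
#!/bin/sh
# Added example: static check of the PXE chain from the thread (DHCP -> TFTP).
# Sample files written by make_sample are constructed for this demonstration.

# Value of a dhcpd.conf statement (filename, next-server), comments stripped.
dhcp_value() {   # $1 = dhcpd.conf, $2 = statement name
    sed 's/#.*//' "$1" |
        awk -v key="$2" '$1 == key { gsub(/[";]/, "", $2); print $2; exit }'
}

# Directory given to in.tftpd with -s in an xinetd service file.
tftp_root() {    # $1 = xinetd tftp service file
    awk '$1 == "server_args" { for (i = 3; i < NF; i++) if ($i == "-s") { print $(i + 1); exit } }' "$1"
}

# Print the first stage that fails. $3 is prepended to the TFTP root so the
# check can run on a copy of the server's files (assumption of this example).
pxe_check() {    # $1 = dhcpd.conf, $2 = xinetd tftp file, $3 = path prefix
    file=$(dhcp_value "$1" filename)
    [ -n "$file" ] || { echo "dhcp: no filename statement"; return 1; }
    [ -n "$(dhcp_value "$1" next-server)" ] || { echo "dhcp: no next-server"; return 2; }
    [ "$(awk '$1 == "disable" { print $3 }' "$2")" = no ] || { echo "tftp: disabled"; return 3; }
    root=$(tftp_root "$2")
    [ -n "$root" ] && [ -f "$3$root/$file" ] || { echo "tftp: $root/$file not found"; return 4; }
    echo "ok: $file under $root"
}

# Write constructed sample configs (values taken from post #5) into $1.
make_sample() {
    mkdir -p "$1/tftpboot" && : > "$1/tftpboot/pxelinux.0"
    printf '%s\n' 'host lpallardlap {' '    hardware ethernet 00:11:22:33:44:55;' \
        '    fixed-address 192.168.0.106;' '    next-server 192.168.0.100;' \
        '    filename "pxelinux.0";' '}' > "$1/dhcpd.conf"
    printf '%s\n' 'service tftp' '{' '    disable = no' \
        '    server = /usr/sbin/in.tftpd' '    server_args = -s /tftpboot' '}' > "$1/tftp"
}

tmp=$(mktemp -d) && make_sample "$tmp"
pxe_check "$tmp/dhcpd.conf" "$tmp/tftp" "$tmp" || true
# Same setup with the filename statement missing from dhcpd.conf.
grep -v filename "$tmp/dhcpd.conf" > "$tmp/nofile.conf"
pxe_check "$tmp/nofile.conf" "$tmp/tftp" "$tmp" || true
rm -rf "$tmp"
```

On a live server, pass the real `/etc/dhcpd.conf` and `/etc/xinetd.d/tftp` with an empty prefix.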
 
Old 06-04-2010, 09:53 PM   #8
lpallard
Senior Member
 
Registered: Nov 2008
Posts: 1,045

Original Poster
Rep: Reputation: Disabled
Rod,

thanks for replying.

I understand about not supporting smoothwall... after all, this is only one more product in the linux world!

How difficult would it be to replace smoothwall by, let's say, slackware and implement the dhcp server, pxe net boot, firewall and all other gadgets I need (hardware monitoring like temperature, fan speeds, voltages) and not forgetting the bandwidth monitoring (speeds and data)...??

If it's fairly simple, I might go back to slack 13 on that machine... just a very plain install without a GUI...
 
Old 06-04-2010, 11:48 PM   #9
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Well, as far as I'm concerned, it is simpler. At least when you go to set things up, you will find all kinds of examples and configs that you can simply cut and paste into your setup. Also, explaining to people how to manipulate something that is wrapped up in a GUI is difficult, whereas passing along a commandline or config fragment is simple. I would consider it an enlightened step to install a standard distro for the sole purpose of setting up a firewall. I assume Slackware comes with the collection of gadgets you want; most distros seem to. If it doesn't, try almost any other distro.
--- rod.
 
Old 06-06-2010, 06:23 PM   #10
lpallard
Senior Member
 
Registered: Nov 2008
Posts: 1,045

Original Poster
Rep: Reputation: Disabled
Rod,

I decided to install slackware (plain install) without a GUI, only the bare minimum to act as a router/firewall/dhcp server...

Now that I got the dhcp server running properly, I have a problem getting packet forwarding to work between my interfaces.... Since the title of this thread is misleading, I will check this one as solved and open a new one in the slackware section of the forum. If you are still interested to help, please look there!

Thanks!
 
  

