CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all. I am trying to get PXEboot to work through different VLANs on my R60. I have set the DHCP relay and set to accept 0.0.0.0 traffic etc. I can get the client to get a DHCP address no problem. My problem is that I am trying to PXEBoot and get an image from our MS ADS (Automated Deployment Services) at boot time - this part isn't working. I was under the impression that PXEboot uses the same mechanism as DHCP. So basically - the client can get a DHCP address but can't PXEBOOT. Any ideas?
What about trying to figure this out from a different angle? Have you tried placing the device which needs to use PXEBoot on the same VLAN first of all and conducting a packet capture of the conversation between the device and your MS ADS? By doing this, at least you'll be able to confirm the exact process of this function - just a thought.
AFAIK PXE will use DHCP/BOOTP to pull an address, but then uses either FTP or TFTP to pull the initial bootstrap to the system. Check your log files and see if you are having anything dropped immediately after you see the accepted DHCP conversation. For MS-PXE, I believe all you need is DHCP, DNS, and TFTP for the initial load.
I had heaps of troubles with this, but now have it working. DHCRelay out of the box on R60 doesn't work so well. In particular it tries to reply to the client with a random source port (but with the correct destination port) and in the case of Windows clients, it doesn't honor the Unicast flag of the DHCP request. Basically you need to be running either R61 or call Check Point and ask for the latest kernel and DHCRelay.

Your rulebase should include rules as follows:

>>DHCP sends packets to Broadcast (DHCPDiscover).
Src-> Any, Dst->Broadcast (255.255.255.255), Svc->Bootp (UDP/67), Accept

>>FW receives Broadcast (BootP) and responds with DHCPDiscover. Client sends DHCPrequest (BootP) and FW Relays to DHCP Server which responds with DHCPOffer (BootPS) which FW relays to client.
Src-> Firewall, Dst->Any, Svc->Bootp (UDP/67), Bootps (UDP/68), Accept

>>Depending upon your DHCP server and PXE boot server you may need to allow bootps, bootp and icmp-echo to your client subnets.
Src->dns1,dhcp1,pxe1, dst->ClientNetworks, Svc->Bootp,Bootps,echo-request

>>PXE Boot
Src-> ClientNetworks, Dst->PXE Boot Servers, Svc->PXEBootUDP (UDP/4011) and tftp(UDP/69), Accept

>>We also have a reverse of this rule, but I'm not sure if it is actually needed.

Cheers
Greg
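The log check suggested earlier in the thread, combined with the ports in the rulebase above, as an added example (not code from any poster or from Check Point): it sorts firewall log entries into PXE stages and reports the first stage with a drop. The log format, the addresses and the ports 2070 and 3312 are constructed; the one fact it adds beyond the thread is standard TFTP behaviour, where the server sends data from a port of its own choosing rather than UDP/69.

```python
from collections import Counter

# Constructed log, simplified format (not Check Point's own log export):
#   action src_ip src_port dst_ip dst_port   (all UDP)
# Addresses and the ports 2070/3312 are made up for the example.
SAMPLE_LOG = """\
accept 0.0.0.0 68 255.255.255.255 67
accept 10.1.1.1 67 10.9.9.10 67
accept 10.9.9.10 67 10.1.1.1 67
accept 10.1.1.1 67 255.255.255.255 68
accept 10.1.1.50 68 10.9.9.20 4011
accept 10.9.9.20 4011 10.1.1.50 68
accept 10.1.1.50 2070 10.9.9.20 69
drop 10.9.9.20 3312 10.1.1.50 2070
"""

DHCP_PORTS = {67, 68}  # DHCP/BOOTP server and client ports
PXE_PORT = 4011        # PXE boot server port from the rulebase
TFTP_PORT = 69         # TFTP read requests are sent here


def stage_of(src, sport, dst, dport, tftp_clients):
    """Map one UDP log entry to a stage of the PXE boot sequence."""
    if PXE_PORT in (sport, dport):  # checked first: client side may use 68
        return "pxe-4011"
    if sport in DHCP_PORTS or dport in DHCP_PORTS:
        return "dhcp"
    if dport == TFTP_PORT:
        tftp_clients.add((src, sport))  # remember who asked for a file
        return "tftp-request"
    # TFTP servers answer from a port they pick, not from 69, so match
    # the transfer on the requesting client's address and port instead.
    if (dst, dport) in tftp_clients or (src, sport) in tftp_clients:
        return "tftp-data"
    return "other"


def stage_report(log_text):
    """Return (Counter of (stage, action), stage of the first drop or None)."""
    counts, first_drop, tftp_clients = Counter(), None, set()
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, src, sport, dst, dport = line.split()
        stage = stage_of(src, int(sport), dst, int(dport), tftp_clients)
        counts[(stage, action)] += 1
        if action == "drop" and first_drop is None:
            first_drop = stage
    return counts, first_drop
```

On the sample log, `stage_report(SAMPLE_LOG)` shows the DHCP, UDP/4011 and TFTP request stages accepted and names `tftp-data` as the first dropped stage.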