
PXE Boot DHCP Option 66 + 67 - Client falsely using the Firewall IP-Address as TFTP Server

I'm trying to copy a PXE Boot Option from the DHCP Server of a UTM to a Sophos XGS.

The problem I face is that the Boot Client uses the IP-Address of the Firewall/DHCP Server as TFTP Server instead of the value provided in Option 66 (Next Server).

I tried with GUI

and with CLI

system dhcp dhcp-options binding add dhcpname my-dhcpservername optionname TFTP_Server_Name(66) value '172.16.1.2/bblefi-x64/shim_x64.efi'

console> system dhcp dhcp-options binding add dhcpname my-dhcpservername optionname TFTP_Server_Name(66) value '172.16.1.2'
DHCP option TFTP_Server_Name(66) added for DHCP Server my-dhcpservername.

console> system dhcp dhcp-options binding add dhcpname my-dhcpservername optionname Bootfile_Name(67) value '\bblefi-x64\shim_x64.efi'
DHCP option Bootfile_Name(67) added for DHCP Server my-dhcpservername.

console> system dhcp dhcp-options binding show dhcpname my-dhcpservername
Options Configured from GUI
---------------------------
xxx-removedbyauthor-xxx


Options Configured from CLI
---------------------------
TFTP_Server_Name(66)                                        "172.16.1.2"
Bootfile_Name(67)                                           "\\bblefi-x64\\shim_x64.efi"

and get the same result at the client:

192.168.32.1 is the sophos firewall

it should use 172.16.2.1 but it does not

172.16.2.1 is behind an IPsec VPN from the perspective of the Client.

That is the IP-Address of the Firewall that is also the DHCP Server.

Then I tested this - I found it in another post here from Sophos Staff - but with that value, the Client did not receive an IP Address at all. It already looks ugly.

console> system dhcp dhcp-options binding add dhcpname my-dhcpservername optionname TFTP_Server_Name(66) value '172.16.1.2/bblefi-x64/shim_x64.efi'
DHCP option TFTP_Server_Name(66) added for DHCP Server my-dhcpservername.

console> system dhcp dhcp-options binding show dhcpname my-dhcpservername
Options Configured from GUI
---------------------------
xxx-removed-xxx
Options Configured from CLI
---------------------------
TFTP_Server_Name(66)                                        "172.16.1.2/bblefi-x64/shim_x64.efi"

In a tcp dump, it all looks fine so far - the offer includes the correct IP:

    Option: (54) DHCP Server Identifier (192.168.32.1)
        Length: 4
        DHCP Server Identifier: 192.168.32.1
    Option: (51) IP Address Lease Time
    Option: (1) Subnet Mask (255.255.255.128)
    Option: (3) Router
    Option: (6) Domain Name Server
    Option: (15) Domain Name
    Option: (66) TFTP Server Name
        Length: 13
        TFTP Server Name: 172.16.1.2
    Option: (67) Bootfile name
        Length: 23
        Bootfile name: bblefi-x64\shim_x64.efi
    Option: (255) End
        Option End: 255

But then the Client uses the Firewall IP again instead of the real Server IP in TFTP communication:

Any idea?
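The symptom in this post (option 66 carries the right address, yet the client contacts the firewall) comes down to two different places in a DHCP reply where a TFTP server can be named: the fixed BOOTP header field siaddr ("next server", which ISC dhcpd fills with its own address unless a next-server statement applies) and option 66. The script below is an added illustration, not code from the thread or from Sophos: it constructs a DHCPOFFER the way the firewall's tcpdump above looks, parses both places, and applies a simplified model of typical PXE firmware (assumption: a non-zero siaddr wins and option 66 is only a fallback). All packet values are constructed from the addresses quoted in the post.

```python
import socket
import struct

# Constructed sample values mirroring the thread: the firewall 192.168.32.1
# answers the DHCP request, option 66 names 172.16.1.2 as the TFTP server.
FIREWALL_IP = "192.168.32.1"
TFTP_IP = "172.16.1.2"
BOOTFILE = "bblefi-x64\\shim_x64.efi"

BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_offer(siaddr, tftp_name=None, bootfile=None, server_id=FIREWALL_IP):
    """Build a minimal DHCPOFFER. siaddr is the header 'next server' field
    (what ISC dhcpd's next-server statement sets); tftp_name and bootfile go
    into options 66 and 67."""
    header = struct.pack(
        BOOTP_HEADER,
        2, 1, 6, 0,                         # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0,                   # xid, secs, flags (constructed)
        socket.inet_aton("0.0.0.0"),        # ciaddr
        socket.inet_aton("192.168.32.10"),  # yiaddr: offered client address (constructed)
        socket.inet_aton(siaddr),           # siaddr: next server
        socket.inet_aton("0.0.0.0"),        # giaddr
        b"\x00" * 16, b"\x00" * 64, b"\x00" * 128,  # chaddr, sname, file
    )
    options = bytes([53, 1, 2])                              # DHCP Message Type: Offer
    options += bytes([54, 4]) + socket.inet_aton(server_id)  # Server Identifier
    if tftp_name is not None:
        options += bytes([66, len(tftp_name)]) + tftp_name.encode()
    if bootfile is not None:
        options += bytes([67, len(bootfile)]) + bootfile.encode()
    options += bytes([255])
    return header + MAGIC_COOKIE + options


def parse_offer(pkt):
    """Return (siaddr, {option_code: raw_bytes}) from a DHCP reply."""
    fields = struct.unpack(BOOTP_HEADER, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    siaddr = socket.inet_ntoa(fields[9])
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:         # end option
            break
        if code == 0:           # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return siaddr, opts


def effective_tftp_server(pkt):
    """Simplified model of common PXE firmware behaviour (assumption): a
    non-zero siaddr is used as the TFTP server; option 66 is consulted only
    when siaddr is 0.0.0.0."""
    siaddr, opts = parse_offer(pkt)
    if siaddr != "0.0.0.0":
        return siaddr, "siaddr"
    if 66 in opts:
        return opts[66].decode(), "option 66"
    return None, "unset"


def diagnose(pkt):
    """Flag the mismatch seen in the thread: option 66 points somewhere other
    than the address the client will actually contact."""
    siaddr, opts = parse_offer(pkt)
    used, source = effective_tftp_server(pkt)
    opt66 = opts[66].decode() if 66 in opts else None
    mismatch = opt66 is not None and used != opt66
    return {"siaddr": siaddr, "option66": opt66, "client_uses": used,
            "source": source, "mismatch": mismatch}


if __name__ == "__main__":
    # Case 1: no next-server configured, so dhcpd puts its own address in siaddr.
    print(diagnose(build_offer(siaddr=FIREWALL_IP, tftp_name=TFTP_IP, bootfile=BOOTFILE)))
    # Case 2: next-server 172.16.1.2, so siaddr and option 66 agree.
    print(diagnose(build_offer(siaddr=TFTP_IP, tftp_name=TFTP_IP, bootfile=BOOTFILE)))
```

When checking a real capture, the same question applies: look at the "Next server IP address" header field in the OFFER/ACK rather than only at the option list, since an option dump like the one above does not show siaddr at all.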



  • We are facing the same issue, but with Sophos UTM 9.714-4.
    We have to deploy IP-based desk phones and they use the TFTP address to know where to look for the central management.
    In UTM the DHCP option is called "tftp-server-name", but it's the same Code 66.
    If the client phones get a DHCP address from the firewall they receive their IP address, netmask, gateway and DNS correctly, but TFTP stays empty.
    I have tried it with a Windows DHCP server, but that one is sending out the IP address of the first set DNS server as TFTP instead of the set parameter.

    Main difference to your case: I did not specify a boot file since that is automatically chosen depending on the ip deskphone type.


  • Update: I just rechecked the Sophos UTM. TFTP Server and Next Server are different settable options.
    After also setting the "Next Server" flag to the wanted TFTP address it worked. The clients received the correct address from the Sophos UTM DHCP.
    Maybe you need to set the "Next Server" flag via CLI additionally?



  • Maybe you need to set the "Next Server" flag via CLI additionally?

    Unfortunately that is not possible. The XG setting is called Next Server on the GUI, but it uses 66 on the backend.

    On the CLI there is nothing to configure Next Server, only Option 66.

    And we have it also working on UTM. That is just a missing feature on XG, if not a bug (Next Server on GUI).

  • Asked the support tech if that (orange text) is testworthy:

    edit that file dhcpd.conf manually and reload dhcpd afterwards, as follows:

    /cfs/system/dhcp/dhcpd.conf

    shared-network reds28 {
            subnet 192.168.9.40 netmask 255.255.255.248 {
            }
            pool {
                    # DHCPCONFID=15;
                    range 192.168.9.42 192.168.9.44;
                    ping-check false;
                    server-identifier 192.168.9.41;
                    option subnet-mask 255.255.255.248;
                    option routers 192.168.9.41;
                    option domain-name-servers 192.168.9.41;
                    option bootfile-name "test.efi";
                    option tftp-server-name "192.168.9.45";
                    filename "test.efi";
                    next-server 192.168.9.45;
                    max-lease-time 172800;
                    default-lease-time 86400;
            }
    }

    Most likely this will at least get overwritten when someone changes a DHCP setting somewhere else on the GUI. Don't want to test this unless I have an OK from support for that.
