topic Re: How to Setup IP Helpers on PAN Firewall for PXE Services in General Topics

How to Setup IP Helpers on PAN Firewall for PXE Services

JuliusPIV — Sun, 12 Apr 2020 18:16:01 GMT

I'll start off by waving the "I'm not as strong in networking & network security as I probably should be" flag so I apologize in advance for my lack of expertise in these areas and products.

In short, I need assistance getting PXE to work on devices connected to a PA-820. In this particular case the PA-820 is the DHCP server which is different than our standard office configuration*.

That said, the setup here is fairly basic:

ethernet 1/1 is the WAN port
ethernet 1/2, 1/3 & 1/4 are up & configured for use
The PA-820 is the DHCP server
Under Network > DHCP > DHCP Server each ethernet interface has its own DHCP configuration. (I couldn't figure out if there was a better way to get DHCP working on all ports with the same IP range.)
- ethernet 1/2 > 192.168.1.0/26
  - IP Pool: 192.168.1.20-62
  - Broadcast: 10.199.155.63
  - Subnet Mask: 255.255.255.192 (255.255.255.192/26)
- ethernet 1/3 > 192.168.1.64/26
  - IP Pool: 192.168.1.65-126
  - Broadcast: 10.199.155.127
  - Subnet Mask: 255.255.255.192 (255.255.255.192/26)
- ethernet 1/4 > 192.168.1.128/26
  - IP Pool: 192.168.1.129-190
  - Broadcast: 10.199.155.191
  - Subnet Mask: 255.255.255.192 (255.255.255.192/26)
No additional subnets
No VLANs
The imaging server that provides PXE services plugged into ethernet 1/2
The clients I need to image are plugged into ethernet 1/3 & 1/4
Server and clients can communicate with each other.
DHCP works on interfaces ethernet 1/2, 1/3 & 1/4
PXE doesn't work on any interface; not even ethernet 1/2 where I have the imaging server and a VM connected.

Here's what [I think] I know:

When I attempt to PXE boot, it doesn't work and on the clients I'm seeing errors like:
1. PXE-E16: No valid offer received
2. PXE-E18: Server response timeout
On the PXE server, I'm not seeing any PXE requests in the log which seems to suggest the client's discover request isn't reaching the PXE server
I've tried two different clients in each port to confirm it wasn't a client/port specific issue
I setup a VM on the imaging server to the same NIC as the imaging server and PXE fails there as well for the same reason as above.
If I use boot media I can confirm IP's are issued and the imaging process works; just not PXE
If I plug in a standard consumer switch into ethernet 1/2 then plug the imaging server and one of the clients into the consumer switch, DHCP works but not PXE.

I did find a post that suggested creating a NAT rule to translate incoming TFTP connections sent to the firewall IP to the IP address of the actual TFTP server. I'm skeptical because of my current understanding of how the DHCP/PXE process works, which admittedly might be incomplete and accurate. That said, I'm open to trying that if there isn't a better solution.

Thank you for taking the time to review this. I really appreciate any suggestions you might have not just about getting PXE working but also the setup.

*Standard Office Configuration: For what it's worth, in all of our offices, Domain Controllers serve up IP's via DHCP and we get the networking team to configure ip helpers on the Cisco switches that point to the PXE server which allows machines on all VLANs to PXE boot. We don't use DHCP options and I don't want to use them since Microsoft doesn't support using DHCP options and the MVP Community agrees:

Re: How to Setup IP Helpers on PAN Firewall for PXE Services

Mick_Ball — Sat, 11 Apr 2020 08:23:37 GMT

for your clients connected to ports 1/3 & 1/4. where on those 2 subnets is your IP helper?

Oh just noticed that this is your question... are the cliients not connected to a switch that could have the helper address?

are you also saying that pxe failed on the same lan? If devices are within the same broadcast domain as the image server you do not need a helper...

I have never tried this but just trying to work out why it would fail.

Re: How to Setup IP Helpers on PAN Firewall for PXE Services

JuliusPIV — Mon, 13 Apr 2020 12:33:46 GMT

Hi @Mick_Ball - thank you for taking the time to reply!

Under Network > DHCP > DHCP Server each ethernet interface has its own DHCP configuration. (I couldn't figure out if there was a better way to get DHCP working on all ports with the same IP range.)

ethernet 1/2 > 192.168.1.0/26
- IP Pool: 192.168.1.20-62
- Broadcast: 10.199.155.63
- Subnet Mask: 255.255.255.192 (255.255.255.192/26)
ethernet 1/3 > 192.168.1.64/26
- IP Pool: 192.168.1.65-126
- Broadcast: 10.199.155.127
- Subnet Mask: 255.255.255.192 (255.255.255.192/26)
ethernet 1/4 > 192.168.1.128/26
- IP Pool: 192.168.1.129-190
- Broadcast: 10.199.155.191
- Subnet Mask: 255.255.255.192 (255.255.255.192/26)

Yesterday I made progress on this by doing the following

Deleted a vlan that showed up in Network > VLANs.
Deleted the DHCP relay I created that referenced this VLAN
Deleted a NAT rule to translate incoming TFTP connections to the PXE server (I had forgotten I set this.)

After committing the changes, PXE works only for devices plugged into the same interface as the PXE server (so ethernet 1/2). Unfortunately PXE does not work on interfaces 1/3 or 1/4.

Re: How to Setup IP Helpers on PAN Firewall for PXE Services

JuliusPIV — Tue, 21 Apr 2020 19:34:26 GMT

For what it's worth, I don't need/want to have this specific setup: I don't need/want a DHCP server and different IP range/pool on each interface. I would much prefer a single 1 DHCP service that serves up IP's from a single IP range/pool across all three interfaces (ethernet 1/2, ethernet 1/3 & ethernet 1/4) so that PXE works across all three. The team that manages these devices does not seem to know how to do this so their solution is to plug in a switch in interface ethernet 1/2 and plug everything (PXE server, clients etc.) in there. This is not ideal but it will allow me to do what I need.

Re: How to Setup IP Helpers on PAN Firewall for PXE Services

johneyboy — Wed, 04 Nov 2020 18:52:38 GMT

Hi, I am just wondering if you have found any resolution about this issue. I have a very similar situation here. We have a PAN 820 in the office. The DHCP is configured on firewall. I have defined a server network in this case which has the routing sub-interface on 820. I also defined PXE option 66 and 67, plus a policy based forwarded on TFTP service to the server IP if the request is hitting on the gateway from the same network range.

Re: How to Setup IP Helpers on PAN Firewall for PXE Services

rmfalconer — Thu, 05 Nov 2020 19:45:59 GMT

Are the clients and PXE server in different zones? If so, you'll need to have security policies allowing the traffic from client to server.

Have you taken any captures on the interfaces to see what the traffic is doing?

Re: How to Setup IP Helpers on PAN Firewall for PXE Services

RLJFRY — Thu, 17 Feb 2022 22:53:53 GMT

Hi,

I know this thread is quite old, but I thought I'd share my resolution to the same issue. Of course, it can obviously be different on a case-by-case situation.

My test set-up I created today....

Physical Site A VLAN 1

Physical Site A Net 192.168.1.0/24.

Physical Site A PXE 192.168.1.1/32

Physical Site B VLAN 2

Physical Site B Net 192.168.2.0/24

Physical Site B DHCP 192.168.2.1/32 (Palo Alto FW)

Physical Site B "IP helper-address 192.168.1.1" (Set on Cisco Switch for VLAN 2)

Physical Site B "IP helper-address 192.168.2.1" (Set on Cisco Switch for VLAN 2)

Physical Site B client laptop patched into VLAN 2

I built up a test network with physical site A hosting the PXE server on VLAN 1, and site B with the DHCP server running on the Palo Firewall on the interface for VLAN 2. A site-site VPN was configured between the two sites using two Palo FW's.

Both sites have Cisco switches with L3 routing.

The trick was looking at the ip default-gateway set on the Cisco switch. - Basically, the DHCP broadcast comes from the laptop performing a Network boot. The Cisco switch will pick-up these broadcasts and convert them to Unicast and send to both IP helpers on behalf of the client.

If your routing on the L3 switch sends its packets out on the wrong route then the DHCP and PXE requests wont get to the PXE server. In my case I had to ensure that the default gateway set on the Cisco was set to the internal FW interface 192.168.2.1 that is allowed to traverse the site-site VPN.

Once I set this up everything fell into place and the laptop in Site B PXE booted to the PXE server in site A.

CISCO CONFIG:

show run int vlan 2

interface Vlan2
ip address 192.168.2.253 255.255.255.0
ip helper-address 192.168.1.1
ip helper-address 192.168.2.1
end

ip default-gateway 192.168.2.1

My next step is to look into iPXE as PXE on a site-site VPN is far too slow.

Anyhow, I hope that this helps someone in the future.