How to Setup IP Helpers on PAN Firewall for PXE Services

L1 Bithead

I'll start off by waving the "I'm not as strong in networking & network security as I probably should be" flag so I apologize in advance for my lack of expertise in these areas and products.
In short, I need assistance getting PXE to work on devices connected to a PA-820. In this particular case the PA-820 is the DHCP server, which is different from our standard office configuration*.
 
That said, the setup here is fairly basic:
  • ethernet 1/1 is the WAN port
  • ethernet 1/2, 1/3 & 1/4 are up & configured for use
  • The PA-820 is the DHCP server
  • Under Network > DHCP > DHCP Server each ethernet interface has its own DHCP configuration. (I couldn't figure out if there was a better way to get DHCP working on all ports with the same IP range.)
    • ethernet 1/2 > 192.168.1.0/26
      • IP Pool: 192.168.1.20-62
      • Broadcast: 10.199.155.63
      • Subnet Mask: 255.255.255.192 (255.255.255.192/26)
    • ethernet 1/3 > 192.168.1.64/26
      • IP Pool: 192.168.1.65-126
      • Broadcast: 10.199.155.127
      • Subnet Mask: 255.255.255.192 (255.255.255.192/26)
    • ethernet 1/4 > 192.168.1.128/26
      • IP Pool: 192.168.1.129-190
      • Broadcast: 10.199.155.191
      • Subnet Mask: 255.255.255.192 (255.255.255.192/26)
  • No additional subnets
  • No VLANs
  • The imaging server that provides PXE services plugged into ethernet 1/2
  • The clients I need to image are plugged into ethernet 1/3 & 1/4
  • Server and clients can communicate with each other.
  • DHCP works on interfaces ethernet 1/2, 1/3 & 1/4
  • PXE doesn't work on any interface; not even ethernet 1/2 where I have the imaging server and a VM connected.
 
Here's what [I think] I know:
  1. When I attempt to PXE boot, it doesn't work and on the clients I'm seeing errors like:
    1. PXE-E16: No valid offer received
    2. PXE-E18: Server response timeout
  2. On the PXE server, I'm not seeing any PXE requests in the log which seems to suggest the client's discover request isn't reaching the PXE server
  3. I've tried two different clients in each port to confirm it wasn't a client/port specific issue
  4. I set up a VM on the imaging server on the same NIC as the imaging server and PXE fails there as well for the same reason as above.
  5. If I use boot media I can confirm IPs are issued and the imaging process works; just not PXE
  6. If I plug in a standard consumer switch into ethernet 1/2 then plug the imaging server and one of the clients into the consumer switch, DHCP works but not PXE.
 
I did find a post that suggested creating a NAT rule to translate incoming TFTP connections sent to the firewall IP to the IP address of the actual TFTP server. I'm skeptical because of my current understanding of how the DHCP/PXE process works, which admittedly might be incomplete and inaccurate. That said, I'm open to trying that if there isn't a better solution.
 
Thank you for taking the time to review this. I really appreciate any suggestions you might have not just about getting PXE working but also the setup.
 
*Standard Office Configuration: For what it's worth, in all of our offices, Domain Controllers serve up IPs via DHCP and we get the networking team to configure IP helpers on the Cisco switches that point to the PXE server, which allows machines on all VLANs to PXE boot. We don't use DHCP options and I don't want to use them since Microsoft doesn't support using DHCP options and the MVP Community agrees:
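As an added example (not from the thread, and not Palo Alto Networks or Microsoft code), the snippet below builds minimal DHCP OFFER packets and classifies them the way a PXE ROM does: the ROM only proceeds when some offer carries a boot server and a boot file, so "PXE-E16: No valid offer received" means every offer that reached the client was an address-only offer like the PA-820 scope produces, and the proxyDHCP-style offer from the PXE server never arrived. All addresses, the transaction id and the boot file name are constructed sample values.

```python
# Added example (not from the thread): build minimal DHCP OFFERs and classify
# them the way a PXE ROM does. PXE-E16 "No valid offer received" means every
# offer the client heard looked like the first kind below (address only).
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that starts the options area


def build_offer(yiaddr, siaddr, options):
    """Construct a DHCP OFFER: fixed BOOTP header + TLV options (sample data)."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x1234, 0, 0,
                      ip("0.0.0.0"), ip(yiaddr), ip(siaddr), ip("0.0.0.0"))
    hdr += bytes(16 + 64 + 128)  # chaddr, sname and file fields left empty
    body = b"".join(struct.pack("!BB", t, len(v)) + v for t, v in options)
    return hdr + MAGIC + body + b"\xff"  # 0xff = END option


def parse_options(pkt):
    """Return {code: value} from the options area (offset 240); stop at END."""
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:  # PAD option has no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts


def pxe_offer_status(pkt):
    """Classify an OFFER by what a PXE client needs: boot server + boot file."""
    siaddr = str(ipaddress.IPv4Address(pkt[20:24]))  # "next-server" field
    opts = parse_options(pkt)
    vendor = opts.get(60, b"")  # vendor class; proxyDHCP replies say PXEClient
    boot_server = opts.get(66) or (siaddr if siaddr != "0.0.0.0" else None)
    boot_file = opts.get(67) or pkt[108:236].rstrip(b"\0")  # option 67 or file
    if not (boot_server and boot_file):
        return "address-only offer (no boot info)"
    if vendor.startswith(b"PXEClient"):
        return "proxyDHCP-style PXE offer"
    return "DHCP offer carrying boot options"
```

Run it against offers captured with a packet sniffer on a client port: if only address-only offers show up on ethernet 1/3 and 1/4, the relay to the PXE server is what is missing, not the DHCP scope.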
L7 Applicator

For your clients connected to ports 1/3 & 1/4: where on those 2 subnets is your IP helper?

Oh, just noticed that this is your question... are the clients not connected to a switch that could have the helper address?

Are you also saying that PXE failed on the same LAN? If devices are within the same broadcast domain as the image server you do not need a helper...

I have never tried this but just trying to work out why it would fail.

L1 Bithead

Hi @MickBall - thank you for taking the time to reply!

Under Network > DHCP > DHCP Server each ethernet interface has its own DHCP configuration. (I couldn't figure out if there was a better way to get DHCP working on all ports with the same IP range.)

  • ethernet 1/2 > 192.168.1.0/26
    • IP Pool: 192.168.1.20-62
    • Broadcast: 10.199.155.63
    • Subnet Mask: 255.255.255.192 (255.255.255.192/26)
  • ethernet 1/3 > 192.168.1.64/26
    • IP Pool: 192.168.1.65-126
    • Broadcast: 10.199.155.127
    • Subnet Mask: 255.255.255.192 (255.255.255.192/26)
  • ethernet 1/4 > 192.168.1.128/26
    • IP Pool: 192.168.1.129-190
    • Broadcast: 10.199.155.191
    • Subnet Mask: 255.255.255.192 (255.255.255.192/26)

Yesterday I made progress on this by doing the following:

  • Deleted a VLAN that showed up in Network > VLANs.
  • Deleted the DHCP relay I created that referenced this VLAN.
  • Deleted a NAT rule to translate incoming TFTP connections to the PXE server (I had forgotten I set this.)

After committing the changes, PXE works only for devices plugged into the same interface as the PXE server (so ethernet 1/2). Unfortunately PXE does not work on interfaces 1/3 or 1/4.

L1 Bithead

For what it's worth, I don't need/want to have this specific setup: I don't need/want a DHCP server and different IP range/pool on each interface. I would much prefer a single DHCP service that serves up IPs from a single IP range/pool across all three interfaces (ethernet 1/2, ethernet 1/3 & ethernet 1/4) so that PXE works across all three. The team that manages these devices does not seem to know how to do this, so their solution is to plug a switch into interface ethernet 1/2 and plug everything (PXE server, clients etc.) in there. This is not ideal but it will allow me to do what I need.
