04-10-2020 11:24 AM - edited 04-12-2020 11:16 AM
04-11-2020 01:03 AM - edited 04-11-2020 01:23 AM
For your clients connected to ports 1/3 & 1/4, where on those 2 subnets is your IP helper?
Oh, just noticed that this is your question... Are the clients not connected to a switch that could have the helper address?
Are you also saying that PXE failed on the same LAN? If devices are within the same broadcast domain as the image server you do not need a helper...
I have never tried this but just trying to work out why it would fail.
04-13-2020 05:33 AM
Hi @Mick_Ball - thank you for taking the time to reply!
Under Network > DHCP > DHCP Server each ethernet interface has its own DHCP configuration. (I couldn't figure out if there was a better way to get DHCP working on all ports with the same IP range.)
ethernet 1/2 > 192.168.1.0/26
IP Pool: 192.168.1.20-62
Broadcast: 10.199.155.63
Subnet Mask: 255.255.255.192 (255.255.255.192/26)
ethernet 1/3 > 192.168.1.64/26
IP Pool: 192.168.1.65-126
Broadcast: 10.199.155.127
Subnet Mask: 255.255.255.192 (255.255.255.192/26)
ethernet 1/4 > 192.168.1.128/26
IP Pool: 192.168.1.129-190
Broadcast: 10.199.155.191
Subnet Mask: 255.255.255.192 (255.255.255.192/26)
Yesterday I made progress on this by doing the following:
Deleted a vlan that showed up in Network > VLANs.
Deleted the DHCP relay I created that referenced this VLAN
Deleted a NAT rule to translate incoming TFTP connections to the PXE server (I had forgotten I set this.)
After committing the changes, PXE works only for devices plugged into the same interface as the PXE server (so ethernet 1/2). Unfortunately PXE does not work on interfaces 1/3 or 1/4.
04-21-2020 12:34 PM
For what it's worth, I don't need/want to have this specific setup: I don't need/want a DHCP server and different IP range/pool on each interface. I would much prefer a single DHCP service that serves up IPs from a single IP range/pool across all three interfaces (ethernet 1/2, ethernet 1/3 & ethernet 1/4) so that PXE works across all three. The team that manages these devices does not seem to know how to do this, so their solution is to plug a switch into interface ethernet 1/2 and plug everything (PXE server, clients etc.) in there. This is not ideal but it will allow me to do what I need.
11-04-2020 10:52 AM
Hi, I am just wondering if you have found any resolution to this issue. I have a very similar situation here. We have a PAN 820 in the office. DHCP is configured on the firewall. I have defined a server network in this case which has the routing sub-interface on the 820. I also defined PXE options 66 and 67, plus policy-based forwarding on the TFTP service to the server IP if the request is hitting on the gateway from the same network range.
11-05-2020 11:45 AM
Are the clients and PXE server in different zones? If so, you'll need to have security policies allowing the traffic from client to server.
Have you taken any captures on the interfaces to see what the traffic is doing?
02-17-2022 02:53 PM
Hi,
I know this thread is quite old, but I thought I'd share my resolution to the same issue. Of course, it can obviously be different on a case-by-case situation.
My test set-up I created today....
Physical Site A VLAN 1
Physical Site A Net 192.168.1.0/24
Physical Site A PXE 192.168.1.1/32
Physical Site B VLAN 2
Physical Site B Net 192.168.2.0/24
Physical Site B DHCP 192.168.2.1/32 (Palo Alto FW)
Physical Site B "IP helper-address 192.168.1.1" (Set on Cisco Switch for VLAN 2)
Physical Site B "IP helper-address 192.168.2.1" (Set on Cisco Switch for VLAN 2)
Physical Site B client laptop patched into VLAN 2
I built up a test network with physical site A hosting the PXE server on VLAN 1, and site B with the DHCP server running on the Palo Firewall on the interface for VLAN 2. A site-site VPN was configured between the two sites using two Palo FW's.
Both sites have Cisco switches with L3 routing.
The trick was looking at the ip default-gateway set on the Cisco switch. Basically, the DHCP broadcast comes from the laptop performing a network boot. The Cisco switch will pick up these broadcasts, convert them to unicast and send them to both IP helpers on behalf of the client.
If your routing on the L3 switch sends its packets out on the wrong route then the DHCP and PXE requests won't get to the PXE server. In my case I had to ensure that the default gateway set on the Cisco was set to the internal FW interface 192.168.2.1 that is allowed to traverse the site-site VPN.
Once I set this up everything fell into place and the laptop in Site B PXE booted to the PXE server in site A.
CISCO CONFIG:
show run int vlan 2
interface Vlan2
 ip address 192.168.2.253 255.255.255.0
 ip helper-address 192.168.1.1
 ip helper-address 192.168.2.1
end
ip default-gateway 192.168.2.1
My next step is to look into iPXE as PXE on a site-site VPN is far too slow.
Anyhow, I hope that this helps someone in the future.
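The relay behaviour described in the post above, as an added example that is not part of the original thread: it models what `ip helper-address` does to a PXE client's broadcast and shows that replies are addressed to the relay's giaddr (192.168.2.253 here), which is the address the firewall rules and the site-site VPN routing have to permit. The function names, the hop limit, the MAC address and the transaction ID are assumptions made for illustration.

```python
import socket
import struct

BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # 236-byte fixed BOOTP header
COOKIE = bytes([99, 130, 83, 99])                     # DHCP magic cookie
HELPERS = ["192.168.1.1", "192.168.2.1"]              # ip helper-address lines from the post
RELAY_IP = "192.168.2.253"                            # interface Vlan2 address from the post


def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed PXE DHCPDISCOVER, as the booting client would broadcast it."""
    zero = bytes(4)
    hdr = BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, zero, zero, zero, zero,
                     mac.ljust(16, b"\0"), bytes(64), bytes(128))
    vendor = b"PXEClient"                              # option 60, shortened sample value
    opts = bytes([53, 1, 1]) + bytes([60, len(vendor)]) + vendor + b"\xff"
    return hdr + COOKIE + opts


def relay(packet: bytes, max_hops: int = 4):
    """Return [(helper_ip, unicast_payload)] for a broadcast BOOTREQUEST."""
    fields = list(BOOTP.unpack(packet[:BOOTP.size]))
    op, hops, giaddr = fields[0], fields[3], fields[10]
    if op != 1 or packet[BOOTP.size:BOOTP.size + 4] != COOKIE:
        return []                      # not a DHCP request: nothing to relay
    if hops >= max_hops:               # assumed limit; drops looping requests
        return []
    fields[3] = hops + 1
    if giaddr == bytes(4):             # only the first relay stamps its own address
        fields[10] = socket.inet_aton(RELAY_IP)
    out = BOOTP.pack(*fields) + packet[BOOTP.size:]
    return [(helper, out) for helper in HELPERS]


def reply_destination(packet: bytes) -> str:
    """A server answers a relayed request by unicasting to giaddr, not to the client."""
    return socket.inet_ntoa(BOOTP.unpack(packet[:BOOTP.size])[10])


if __name__ == "__main__":
    discover = build_discover(bytes.fromhex("001122334455"), 0x1234ABCD)
    for helper, payload in relay(discover):
        print(f"unicast to {helper}:67, reply returns to {reply_destination(payload)}:67")
```

If a capture on the PXE server side shows the request arriving but no reply reaching 192.168.2.253, the return path to the relay address is the place to look.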