Kea DHCP UEFI PXE boot sends wrong boot file
-
I'm using netboot.xyz for network booting and I just switched to Kea DHCP. After the migration I noticed that network booting from UEFI bios does not work anymore, but legacy bios boot still does work.
Here are the configuration values I set in pfSense:
TFTP Server: IP of my netboot server
Next Server: IP of my netboot server
Default BIOS File Name: netboot.xyz.kpxe
UEFI 32 bit File Name: netboot.xyz.efi
UEFI 64 bit File Name: netboot.xyz.efi
ARM 64 bit File Name: netboot.xyz-arm64.efi
For some reason the Kea DHCP server always offers the default netboot.xyz.kpxe file to UEFI machines. I checked the DHCP packages and the UEFI bios sets the DHCP option 93 correctly to 0x0007, but receives the legacy bios image.
Also if I set Default BIOS File Name to netboot.xyz.efi UEFI booting works, but this again breaks booting in legacy bios.
Here are the logs from Kea DHCP:
Nov 23 12:23:55 kea-dhcp4 14098 INFO [kea-dhcp4.dhcp4.0x3e2f2f5b9300] EVAL_RESULT Expression ipxe_64_lan_pool_0 evaluated to 1
Nov 23 12:23:55 kea-dhcp4 14098 INFO [kea-dhcp4.dhcp4.0x3e2f2f5b9300] EVAL_RESULT Expression ipxe_legacy_lan_pool_0 evaluated to 1
Nov 23 12:23:55 kea-dhcp4 14098 INFO [kea-dhcp4.dhcp4.0x3e2f2f5b9300] EVAL_RESULT Expression ipxe_64_lan evaluated to 1
Nov 23 12:23:55 kea-dhcp4 14098 INFO [kea-dhcp4.dhcp4.0x3e2f2f5b9300] EVAL_RESULT Expression ipxe_legacy_lan evaluated to 1
Nov 23 12:23:55 kea-dhcp4 14098 INFO [kea-dhcp4.leases.0x3e2f2f5b9300] DHCP4_LEASE_ALLOC [hwtype=1 46:15:16:cd:59:84], cid=[no info], tid=0xaccc68dd: lease 172.17.128.2 has been allocated for 86400 seconds
Nov 23 12:23:55 kea-dhcp4 14098 INFO [kea-dhcp4.dhcpsrv.0x3e2f2f5b9300] EVAL_RESULT Expression pool_opt1_0 evaluated to 1
Nov 23 12:23:55 kea-dhcp4 14098 INFO [kea-dhcp4.dhcpsrv.0x3e2f2f5b9300] EVAL_RESULT Expression pool_lan_0 evaluated to 1
It seems that the ipxe_legacy_lan and ipxe_legacy_lan_pool_0 class is evaluated before the ipxe_64_lan and ipxe_64_lan_pool_0 class. And as far as I could see in the Kea configuration the legacy classes need the other classes to run first to get the correct tags.
Here is the kea-dhcp4.conf file. (I just removed the reservations)
{
  "Dhcp4": {
    "interfaces-config": { "interfaces": [ "mlxen0", "mlxen0.2" ] },
    "lease-database": { "type": "memfile", "persist": true, "name": "/var/lib/kea/dhcp4.leases" },
    "loggers": [ { "name": "kea-dhcp4", "output_options": [ { "output": "syslog" } ], "severity": "INFO" } ],
    "valid-lifetime": 7200,
    "max-valid-lifetime": 86400,
    "ip-reservations-unique": false,
    "echo-client-id": false,
    "option-data": [ { "name": "domain-name", "data": "mydomain" } ],
    "option-def": [ { "space": "dhcp4", "name": "ldap-server", "code": 95, "type": "string" } ],
    "hooks-libraries": [ { "library": "/usr/local/lib/kea/hooks/libdhcp_lease_cmds.so" } ],
    "control-socket": { "socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket" },
    "authoritative": true,
    "client-classes": [
      { "name": "ipxe_32_lan_pool_0", "test": "option[93].hex == 0x0006", "only-if-required": true,
        "option-data": [ { "name": "boot-file-name", "data": "netboot.xyz.efi" } ] },
      { "name": "ipxe_64_lan_pool_0", "test": "option[93].hex == 0x0007 or option[93].hex == 0x0009", "only-if-required": true,
        "option-data": [ { "name": "boot-file-name", "data": "netboot.xyz.efi" } ] },
      { "name": "ipxe_64arm_lan_pool_0", "test": "option[93].hex == 0x000b", "only-if-required": true,
        "option-data": [ { "name": "boot-file-name", "data": "netboot.xyz-arm64.efi" } ] },
      { "name": "ipxe_legacy_lan_pool_0",
        "test": "not member('ipxe_32_lan_pool_0') and not member('ipxe_64_lan_pool_0') and not member('ipxe_64arm_lan_pool_0')",
        "only-if-required": true,
        "option-data": [ { "name": "boot-file-name", "data": "netboot.xyz.kpxe" } ] },
      { "name": "pool_lan_0", "test": "member('ALL')" },
      { "name": "ipxe_32_lan", "test": "option[93].hex == 0x0006", "only-if-required": true,
        "option-data": [ { "name": "boot-file-name", "data": "netboot.xyz.efi" } ] },
      { "name": "ipxe_64_lan", "test": "option[93].hex == 0x0007 or option[93].hex == 0x0009", "only-if-required": true,
        "option-data": [ { "name": "boot-file-name", "data": "netboot.xyz.efi" } ] },
      { "name": "ipxe_64arm_lan", "test": "option[93].hex == 0x000b", "only-if-required": true,
        "option-data": [ { "name": "boot-file-name", "data": "netboot.xyz-arm64.efi" } ] },
      { "name": "ipxe_legacy_lan",
        "test": "not member('ipxe_32_lan') and not member('ipxe_64_lan') and not member('ipxe_64arm_lan')",
        "only-if-required": true,
        "option-data": [ { "name": "boot-file-name", "data": "netboot.xyz.kpxe" } ] },
      { "name": "pool_opt1_0", "test": "member('ALL')" }
    ],
    "subnet4": [
      {
        "id": 1,
        "subnet": "172.17.0.0/16",
        "option-data": [
          { "name": "domain-name", "data": "mydomain" },
          { "name": "domain-search", "data": "mydomain" },
          { "name": "domain-name-servers", "data": "172.17.1.1" },
          { "name": "routers", "data": "172.17.1.1" },
          { "name": "netbios-name-servers", "data": "172.17.2.1" },
          { "name": "netbios-node-type", "data": "8" }
        ],
        "pools": [
          {
            "pool": "172.17.128.0 - 172.17.128.199",
            "client-class": "pool_lan_0",
            "option-data": [
              { "name": "domain-name-servers", "data": "172.17.1.1" },
              { "name": "tftp-server-name", "data": "172.17.2.17" }
            ],
            "require-client-classes": [ "ipxe_legacy_lan_pool_0", "ipxe_32_lan_pool_0", "ipxe_64_lan_pool_0", "ipxe_64arm_lan_pool_0" ]
          }
        ],
        "valid-lifetime": 86400,
        "next-server": "172.17.2.17",
        "require-client-classes": [ "ipxe_legacy_lan", "ipxe_32_lan", "ipxe_64_lan", "ipxe_64arm_lan" ],
        "reservations-in-subnet": true
      },
      {
        "id": 2,
        "subnet": "172.20.0.0/16",
        "option-data": [
          { "name": "domain-name-servers", "data": "172.20.1.1" },
          { "name": "routers", "data": "172.20.1.1" }
        ],
        "pools": [
          {
            "pool": "172.20.128.0 - 172.20.128.255",
            "client-class": "pool_opt1_0",
            "option-data": [ { "name": "domain-name-servers", "data": "172.20.1.1" } ]
          }
        ],
        "valid-lifetime": 86400,
        "reservations-in-subnet": true
      }
    ]
  }
}
Any idea what could cause this problem?
-
@TheNetStriker said in Kea DHCP UEFI PXE boot sends wrong boot file:
I checked the DHCP packages and the UEFI bios sets the DHCP option 93 correctly to 0x0007, but receives the legacy bios image.
My understanding is that KEA does not yet support DHCP options.
-
@Misterb said in Kea DHCP UEFI PXE boot sends wrong boot file:
@TheNetStriker said in Kea DHCP UEFI PXE boot sends wrong boot file:
I checked the DHCP packages and the UEFI bios sets the DHCP option 93 correctly to 0x0007, but receives the legacy bios image.
My understanding is that KEA does not yet support DHCP options.
What exactly do you mean with DHCP options? Regarding the logs, the client classes are working as expected. When I start a computer with legacy bios, ipxe_64_lan and ipxe_64_lan_pool_0 are evaluated to 0, so this seems to work correctly. But the order in which those classes are evaluated seems to be reversed. As far as I understand, ipxe_legacy_lan and ipxe_legacy_lan_pool_0 should be evaluated after the other classes.
-
@TheNetStriker said in Kea DHCP UEFI PXE boot sends wrong boot file:
What exactly do you mean with DHCP options?
The following excerpt is taken from a Netgate blog post about KEA:
Basic functionality is present in version 23.09, but the Kea implementation lacks the following DHCP server features:
Local DNS Resolver/Forwarder Registration for static and dynamic DHCP clients
Remote DNS server registration
DHCPv6 Prefix Delegation
High Availability Failover
Lease statistics/graphs
Custom DHCP options
So I assume that UEFI setting the DHCP option 93 will be ignored by KEA.
-
@Misterb I guess I just found what is causing this problem. The order of the client-classes is correct, but the order of the require-client-classes is wrong. I just moved the ipxe_legacy... class in both require-client-classes arrays to the bottom and restarted the DHCP service, and now booting works for legacy and uefi bios.
I would have found this sooner, but for some reason the DHCP restart button in pfSense does not work. I had to restart the service over the command line.
I will take a look at the config generator for this config file. Maybe I can fix the problem myself and upload a pull request on GitHub to fix this.
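As an added illustration (not code from the thread or from pfSense), here is a small Python model of how Kea walks the classes listed in require-client-classes in order, using the class tests from the config posted above. It shows why a UEFI x64 client (option 93 = 0x0007) matches both the legacy class and the 64-bit class when the legacy class is listed first, which is exactly what the EVAL_RESULT lines in the log show, and it includes a lint that flags any class listed before a class it refers to via member(). The class names, the architecture codes and the evaluation rule for member() are taken from the thread; everything else is constructed.

```python
import re

# Constructed subset of the thread's client-classes (name -> Kea test expression);
# the "*_pool_0" twins behave identically and are left out.
CLASSES = {
    "ipxe_32_lan": "option[93].hex == 0x0006",
    "ipxe_64_lan": "option[93].hex == 0x0007 or option[93].hex == 0x0009",
    "ipxe_64arm_lan": "option[93].hex == 0x000b",
    "ipxe_legacy_lan": "not member('ipxe_32_lan') and not member('ipxe_64_lan')"
                       " and not member('ipxe_64arm_lan')",
}
MEMBER_RE = re.compile(r"member\('([^']+)'\)")
ARCH_RE = re.compile(r"option\[93\]\.hex == (0x[0-9a-fA-F]+)")

def evaluate(test, arch, matched):
    """Evaluate one test the way Kea does for these expressions: option[93]
    comparisons use the client's architecture code, and member('X') is true
    only if X has already been evaluated *and* matched for this packet."""
    def atom(a):
        a = a.strip()
        neg = a.startswith("not ")
        a = a[4:] if neg else a
        m = ARCH_RE.fullmatch(a)
        val = int(m.group(1), 16) == arch if m else MEMBER_RE.fullmatch(a).group(1) in matched
        return val != neg
    return any(all(atom(a) for a in term.split(" and ")) for term in test.split(" or "))

def evaluate_required(order, arch):
    """Walk require-client-classes in order; return the classes that matched
    (the ones Kea logs as 'EVAL_RESULT ... evaluated to 1')."""
    matched = []
    for name in order:
        if evaluate(CLASSES[name], arch, matched):
            matched.append(name)
    return matched

def check_order(order):
    """Lint: a class referenced through member() must be listed before the
    class that references it. Returns (referencing, referenced) pairs that break this."""
    return [(name, ref) for i, name in enumerate(order)
            for ref in MEMBER_RE.findall(CLASSES[name]) if ref not in order[:i]]

# Order written by the unpatched pfSense generator, and the corrected order.
PFSENSE_ORDER = ["ipxe_legacy_lan", "ipxe_32_lan", "ipxe_64_lan", "ipxe_64arm_lan"]
FIXED_ORDER = ["ipxe_32_lan", "ipxe_64_lan", "ipxe_64arm_lan", "ipxe_legacy_lan"]

if __name__ == "__main__":
    for order in (PFSENSE_ORDER, FIXED_ORDER):
        # 0x0007 = UEFI x64, 0x0000 = legacy BIOS (option 93 architecture codes)
        print(order, "x64:", evaluate_required(order, 0x0007),
              "bios:", evaluate_required(order, 0x0000), "lint:", check_order(order))
```

Running check_order against the require-client-classes arrays of a generated kea-dhcp4.conf is a quick way to confirm the ordering before restarting the service.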
-
I think I found the problem. In the services.inc file is an array_unshift command for the legacy classes which puts the legacy class at the top of the array. I just changed this to add the class to the end of the array and now booting from legacy and uefi works!
I also created a patch file for the services.inc file:
--- /etc/inc/services.inc.save 2023-11-24 15:19:26.797541000 +0100 +++ /etc/inc/services.inc 2023-11-24 15:24:17.000000000 +0100 @@ -1548,7 +1548,7 @@ if (!is_array($keapool['require-client-classes'])) { $keapool['require-client-classes'] = []; } - array_unshift($keapool['require-client-classes'], $name); + $keapool['require-client-classes'][] = $name; } if (!empty($poolconf['rootpath'])) { @@ -1719,7 +1719,7 @@ if (!is_array($keasubnet['require-client-classes'])) { $keasubnet['require-client-classes'] = []; } - array_unshift($keasubnet['require-client-classes'], $name); + $keasubnet['require-client-classes'][] = $name; } if (!empty($dhcpifconf['rootpath'])) {
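Review bot: in the first hunk (the $keapool block around line 1548), replacing array_unshift with an append only places the legacy class last if this branch runs after the 32-bit, 64-bit and arm64 classes have already been added; the hunk does not show the loop that calls it, so that calling order needs to be confirmed, otherwise the `not member(...)` test of ipxe_legacy_*_pool_0 still runs before the classes it refers to and evaluates to 1 for UEFI clients, as the poster's log shows.

Review bot: the second hunk (the $keasubnet block around line 1719) is the same one-line change duplicated for the subnet-level require-client-classes; since the pool and subnet paths build these arrays independently, a short comment next to each append stating that the legacy class must follow the architecture classes (its test is `not member(...)` of them) would keep a later edit from reintroducing array_unshift in one of the two places only.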
Just add this to the system patches and set the "Path Strip Count" to 0.
Can we somehow get a pfSense developer to take a look at this if this is the correct solution?
-
@TheNetStriker you can open a Redmine.pfsense.org issue.
-
@SteveITS I just created a bug report:
https://redmine.pfsense.org/issues/15032
-
We also have a problem with network boot and Kea DHCP server. We use Fog Project as our network boot server.
Setting in pfSense that works with ISC DHCP:
TFTP Server: IP of my netboot server (Fog Project)
Enable Network Booting: yes
Next Server: IP of my netboot server (Fog Project)
Default BIOS File Name: ipxe.kpxe
UEFI 32 bit File Name: i386-efi/snponly.efi
UEFI 64 bit File Name: snponly.efi
Root Path: /tftpboot
But if we change DHCP Server Backend to Kea DHCP, clients receive such error:
NBP filename is ipxe.kpxeÿ
NBP filesize is 0 Bytes
PXE-E23: Client received TFTP error from server.
As you can see, the client receives the wrong Default BIOS File Name from the Kea DHCP Server.
-
@nockdown Have you tried to apply the patch I posted under System -- Patches? This should fix the problem with the wrong pxe file until this is fixed by Netgate.
-
@TheNetStriker We are having the exact same problem. I've not been able to prove the solution still as I'm finding that my edits to /usr/local/etc/kea/kea-dhcp4.conf to move the legacy to the bottom of each of the arrays are reverted when the DHCP service restarts. Am I missing something?
Thanks!
Tony
-
I've now realised that services.inc creates the conf file. I've edited services.inc and can now see that legacy is the lowest priority and the problem seems to be solved.
Thanks!
-
I don't want to create another thread like this, so I'm asking here.
pfSense
Current Base System: 2.7.2
Latest Base System: 2.7.2
Kea DHCP
legacy BIOS:
~~May 16 10:48:41 kea-dhcp4 1713 INFO [kea-dhcp4.dhcpsrv.0x5b893e15f00] EVAL_RESULT Expression pool_lan_0 evaluated to 1
May 16 10:48:41 kea-dhcp4 1713 INFO [kea-dhcp4.leases.0x5b893e15f00] DHCP4_LEASE_ADVERT [hwtype=1 00:21:97:93:09:13], cid=[no info], tid=0x98930913: lease 192.168.110.3 will be advertised
May 16 10:48:41 kea-dhcp4 1713 INFO [kea-dhcp4.dhcp4.0x5b893e15f00] EVAL_RESULT Expression ipxe_legacy_lan evaluated to 1
May 16 10:48:41 kea-dhcp4 1713 INFO [kea-dhcp4.dhcp4.0x5b893e15f00] EVAL_RESULT Expression ipxe_legacy_lan_pool_0 evaluated to 1
May 16 10:48:43 kea-dhcp4 1713 INFO [kea-dhcp4.dhcpsrv.0x5b893e15f00] EVAL_RESULT Expression pool_lan_0 evaluated to 1
May 16 10:48:43 kea-dhcp4 1713 INFO [kea-dhcp4.leases.0x5b893e15f00] DHCP4_LEASE_ALLOC [hwtype=1 00:21:97:93:09:13], cid=[no info], tid=0x98930913: lease 192.168.110.3 has been allocated for 7200 seconds
May 16 10:48:43 kea-dhcp4 1713 INFO [kea-dhcp4.dhcp4.0x5b893e15f00] EVAL_RESULT Expression ipxe_legacy_lan evaluated to 1
May 16 10:48:43 kea-dhcp4 1713 INFO [kea-dhcp4.dhcp4.0x5b893e15f00] EVAL_RESULT Expression ipxe_legacy_lan_pool_0 evaluated to 1
May 16 10:48:47 kea-dhcp4 1713 INFO [kea-dhcp4.dhcpsrv.0x5b893e15f00] EVAL_RESULT Expression pool_lan_0 evaluated to 1
May 16 10:48:47 kea-dhcp4 1713 INFO [kea-dhcp4.leases.0x5b893e15f00] DHCP4_LEASE_ADVERT [hwtype=1 00:21:97:93:09:13], cid=[no info], tid=0x98930913: lease 192.168.110.3 will be advertised
May 16 10:48:47 kea-dhcp4 1713 INFO [kea-dhcp4.dhcp4.0x5b893e15f00] **EVAL_RESULT Expression ipxe_legacy_lan evaluated to 1**
May 16 10:48:47 kea-dhcp4 1713 INFO [kea-dhcp4.dhcp4.0x5b893e15f00] **EVAL_RESULT Expression ipxe_legacy_lan_pool_0 evaluated to 1**~~
-
@TheNetStriker Your patch resolved order, so UEFI client can get .efi boot file.
I edited services.inc file (by Diagnostics / Edit File) and changed mentioned lines.
But similar to @nockdown, my UEFI client now receives the boot file name with an additional ÿ.
Not sure if I should do anything related to "Path Strip Count"? And how to do it...