Netgate 4200: PXE Boot Enabled Out of Box?
-
Yup, you can easily change the order as shown there if you find it is waiting for PXE at boot.
-
@stephenw10 said in Netgate 4200: PXE Boot Enabled Out of Box?:
Yup, you can easily change the order as shown there if you find it is waiting for PXE at boot.
Sure, it can be changed. The question is why PXE boot is even enabled on a firewall by default? It should be disabled wholesale for security reasons; not pushed down in the boot order.
Imagine a scenario where one of the ports of the Netgate 4200 is connected to an untrusted network. The untrusted network has a rogue PXE server. That PXE server then boots the Netgate 4200 during reboot with its own malicious image.
-
Yes we are investigating.
But for now the command I show in the linked thread leaves the eMMC as the only boot device entry.
-
@stephenw10 said in Netgate 4200: PXE Boot Enabled Out of Box?:
Yes we are investigating.
But for now the command I show in the linked thread leaves the eMMC as the only boot device entry.
This is efibootmgr output from our Netgate 4100 and 6100 devices:
efibootmgr
Boot to FW : false
BootCurrent: 001f
Timeout : 0 seconds
BootOrder : 0001, 0000
Boot0001* bootx64.efi
Boot0000* PXE-0
PXE also enabled, but at least the boot order is OK.
-
@stephenw10 said in Netgate 4200: PXE Boot Enabled Out of Box?:
Yes we are investigating.
Some additional data in case it is of interest. The 4200 I'm working on is booting from the NVMe SSD without delays since the SSD is first in the boot order, however efibootmgr shows other entries in the boot order.
My system is different from stock in that after I installed the M.2 NVMe SSD, I zeroed out the eMMC and then reinstalled from the 23.09.1 image I got from TAC.
# efibootmgr
Boot to FW : false
BootCurrent: 0001
Timeout : 3 seconds
BootOrder : 0001, 000B, 0000, 000C, 000D, 000E, 000F, 0010, 0011, 0012, 0013, 0014, 0009
+Boot0001* FreeBSD
Boot000B* Fedora
Boot0000* Fedora
Boot000C* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V
Boot000D* UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V
Boot000E* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V
Boot000F* UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V
Boot0010* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V
Boot0011* UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V
Boot0012* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V
Boot0013* UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V
Boot0014* UEFI OS
Boot0009* UEFI: Built-in EFI Shell
Setting the boot order to only the SSD:
# efibootmgr -o 0001
Boot to FW : false
BootCurrent: 0001
Timeout : 3 seconds
BootOrder : 0001
+Boot0001* FreeBSD
# efibootmgr
Boot to FW : false
BootCurrent: 0001
Timeout : 3 seconds
BootOrder : 0001
+Boot0001* FreeBSD
However efibootmgr -v still showed that the other variables (now unreferenced) are all activated (with the asterisk), so I deleted the PXE variables (with -B) and deactivated the others (with -A).
After a reboot, all the variables come back as activated and boot order again includes all the entries. Thankfully, the SSD is still first, but something during the reboot process is resetting these variables.
# efibootmgr
Boot to FW : false
BootCurrent: 0001
Timeout : 3 seconds
BootOrder : 0001, 0002, 0003, 0004, 0005, 0006, 0007, 0008, 0009, 000A, 000B
+Boot0001* FreeBSD
Boot0002* UEFI OS
Boot0003* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V
Boot0004* UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V
Boot0005* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V
Boot0006* UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V
Boot0007* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V
Boot0008* UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V
Boot0009* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V
Boot000A* UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V
Boot000B* UEFI: Built-in EFI Shell
--Larry
-
Hmm, new devices are detected and added there to allow them to be selected at boot. If you plug in a USB drive it will create an entry there for example.
You can disable the PXE network stack entirely in the BIOS setup if that's what you need.
-
@LarryFahnoe said in Netgate 4200: PXE Boot Enabled Out of Box?:
After a reboot, all the variables come back as activated and boot order again includes all the entries. Thankfully, the SSD is still first, but something during the reboot process is resetting these variables.
I am seeing more or less the same thing with my new 4200. I did "efibootmgr -o 0014" to wipe out all but the SSD (the numbers for me are different than Larry's list), but after a power cycle I see all the other entries back in the list. At least the SSD is now first. But I'm still seeing the box sit in the pulsing-orange state for about a minute, which I consider quite unacceptable. I guess I'll have to figure out how to get into the BIOS to fix that.
Beyond the small issue of boot speed, I'd reiterate the upthread question: when in the world would it ever be appropriate for a firewall to search all its connected interfaces for a boot source? Let alone to do so by default, let alone for those to be searched before the local SSD by default. This is a pretty damn serious security fail.
-
The delay at boot is not due to any PXE boot attempts when the eMMC is at the top of the list.
-
@stephenw10 said in Netgate 4200: PXE Boot Enabled Out of Box?:
The delay at boot is not due to any PXE boot attempts when the eMMC is at the top of the list.
I observed about a 15-sec drop in boot time after I'd disabled the PXE network stack in the BIOS, despite having the SSD at the top already. Seems the BIOS is doing something fairly expensive with that, even if it's not an actual boot attempt.
-
It’s unclear to me after reading through this thread, is it possible to permanently disable pxe boot? How?
-
@wgstarks said in Netgate 4200: PXE Boot Enabled Out of Box?:
It’s unclear to me after reading through this thread, is it possible to permanently disable pxe boot? How?
Yup, I did it successfully. From memory:
-
Attach the supplied cable to the console port. On the other end I used a Linux box running recent Fedora, which seemed to have the required kernel driver already present; I didn't need to do anything except run screen per the manual's directions. Confirm that it works: you should get the same numeric menu as you see when ssh'ing into the box.
-
Reboot, wait ~30sec until you see the BIOS prompt to press ESC, and quickly do that. Press it only once, and expect to wait a few seconds for the BIOS menus to appear.
-
Find the BIOS menu subheading that's labeled UEFI Network Stack or PXE Network Stack (I forget which); it's in one of the first menu tabs, fairly far down. Within that, toggle the first item which will disable the network stack entirely. (There is an item under the Boot menu that looks like it will disable PXE sources individually, but that setting did not "stick" for me.)
-
Press F4 to save and exit.
And voila. To confirm, check efibootmgr in the FreeBSD shell; it should not show any of the PXE boot items. I also noted something like a 15sec decrease in the BIOS startup time.
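An added example, not code from any poster in this thread: a small POSIX sh audit that parses FreeBSD efibootmgr output and reports whether active PXE entries remain and whether one of them sits first in BootOrder. The two embedded samples are constructed to mirror the outputs shown above; ids and labels are illustrative.

```shell
#!/bin/sh
# Constructed samples modelled on the efibootmgr output posted in this thread.
SAMPLE_PXE='Boot to FW : false
BootCurrent: 0001
Timeout    : 3 seconds
BootOrder  : 0001, 0002, 0003, 0004
+Boot0001* FreeBSD
 Boot0002* UEFI OS
 Boot0003* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V
 Boot0004* UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V
 Boot000B  UEFI: Built-in EFI Shell'
SAMPLE_CLEAN='Boot to FW : false
BootCurrent: 0014
Timeout    : 3 seconds
BootOrder  : 0014, 001D
+Boot0014* UEFI: Generic Ultra HS-COMBO, Partition 1
 Boot001D  UEFI: Built-in EFI Shell'

# Ids (4 hex digits) of active (*) entries whose label mentions PXE, one per line.
pxe_active_ids() {
    printf '%s\n' "$1" | awk '/^[+ ]?Boot[0-9A-Fa-f]+\*/ && /PXE/ {
        sub(/^[+ ]?Boot/, ""); sub(/\*.*/, ""); print }'
}

# The BootOrder ids as one space-separated line.
boot_order() {
    printf '%s\n' "$1" | awk -F: '/^BootOrder/ {
        gsub(/[ ,]+/, " ", $2); sub(/^ /, "", $2); print $2 }'
}

# Classify: CLEAN (no active PXE entry), PXE_PRESENT (PXE active but a
# non-PXE entry boots first) or PXE_FIRST (the first BootOrder id is PXE).
audit_efiboot() {
    pxe=" $(pxe_active_ids "$1" | tr '\n' ' ')"
    [ "$pxe" = " " ] && { echo CLEAN; return 0; }
    first=$(boot_order "$1" | awk '{ print $1 }')
    case "$pxe" in
        *" $first "*) echo PXE_FIRST ;;
        *)            echo PXE_PRESENT ;;
    esac
}

# On a live box run: audit_efiboot "$(efibootmgr)"
for s in "$SAMPLE_PXE" "$SAMPLE_CLEAN"; do audit_efiboot "$s"; done
```

PXE_FIRST is the case the thread complains about on a stock 4200; PXE_PRESENT matches the 4100/6100 output above, where entries exist but the disk is ordered first.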
-
-
@tgl
And you’re still able to boot from your m.2 nvme right?
Thanks for the info. I’ll be running this from a Mac laptop but don’t foresee any problems except I believe it’s DEL to enter bios and I doubt the function keys will be equivalent to Linux.
-
@wgstarks said in Netgate 4200: PXE Boot Enabled Out of Box?:
@tgl
And you’re still able to boot from your m.2 nvme right?
Yup, it's up and running right now. efibootmgr reports
Boot to FW : false
BootCurrent: 0014
Timeout : 3 seconds
BootOrder : 0014, 001D
+Boot0014* UEFI: Generic Ultra HS-COMBO, Partition 1
Boot001D UEFI: Built-in EFI Shell
Thanks for the info. I’ll be running this from a Mac laptop but don’t foresee any problems except I believe it’s DEL to enter bios and I doubt the function keys will be equivalent to Linux.
IIRC, either ESC or DEL would work according to the BIOS' prompt. I tend to prefer ESC because it's less ambiguous which key is meant ...
-
Yup you can use DEL or ESC to enter the BIOS setup but if you use DEL it responds instantly switching the text to 'entering setup'. If you press ESC nothing changes for a few seconds so you can end up hitting it multiple times.
-
@tgl said in Netgate 4200: PXE Boot Enabled Out of Box?:
@wgstarks said in Netgate 4200: PXE Boot Enabled Out of Box?:
It’s unclear to me after reading through this thread, is it possible to permanently disable pxe boot? How?
Yup, I did it successfully. From memory:
-
Attach the supplied cable to the console port. On the other end I used a Linux box running recent Fedora, which seemed to have the required kernel driver already present; I didn't need to do anything except run screen per the manual's directions. Confirm that it works: you should get the same numeric menu as you see when ssh'ing into the box.
-
Reboot, wait ~30sec until you see the BIOS prompt to press ESC, and quickly do that. Press it only once, and expect to wait a few seconds for the BIOS menus to appear.
-
Find the BIOS menu subheading that's labeled UEFI Network Stack or PXE Network Stack (I forget which); it's in one of the first menu tabs, fairly far down. Within that, toggle the first item which will disable the network stack entirely. (There is an item under the Boot menu that looks like it will disable PXE sources individually, but that setting did not "stick" for me.)
-
Press F4 to save and exit.
And voila. To confirm, check efibootmgr in the FreeBSD shell; it should not show any of the PXE boot items. I also noted something like a 15sec decrease in the BIOS startup time.
It was Advanced tab > Network Stack Configuration > disable Network Stack, just in case anyone else goes looking for it.
-
-
Yeah just came across this too, who has 5 minutes to wait for a router to boot? Pretty poor default, but easy enough to fix from the console.