Netgate 4200: PXE Boot Enabled Out of Box?

tgl

@LarryFahnoe said in Netgate 4200: PXE Boot Enabled Out of Box?:

After a reboot, all the variables come back as activated and boot order again includes all the entries. Thankfully, the SSD is still first, but something during the reboot process is resetting these variables.

I am seeing more or less the same thing with my new 4200. I did "efibootmgr -o 0014" to wipe out all but the SSD (the numbers for me are different than Larry's list), but after a power cycle I see all the other entries back in the list. At least the SSD is now first. But I'm still seeing the box sit in the pulsing-orange state for about a minute, which I consider quite unacceptable. I guess I'll have to figure out how to get into the BIOS to fix that.

Beyond the small issue of boot speed, I'd reiterate the upthread question: when in the world would it ever be appropriate for a firewall to search all its connected interfaces for a boot source? Let alone to do so by default, let alone for those to be searched before the local SSD by default. This is a pretty damn serious security fail.

stephenw10

The delay at boot is not due to any PXE boot attempts when the eMMC is at the top of the list.

tgl

@stephenw10 said in Netgate 4200: PXE Boot Enabled Out of Box?:

The delay at boot is not due to any PXE boot attempts when the eMMC is at the top of the list.

I observed about a 15-sec drop in boot time after I'd disabled the PXE network stack in the BIOS, despite having the SSD at the top already. Seems the BIOS is doing something fairly expensive with that, even if it's not an actual boot attempt.

wgstarks

It’s unclear to me after reading through this thread, is it possible to permanently disable pxe boot? How?

tgl

@wgstarks said in Netgate 4200: PXE Boot Enabled Out of Box?:

It’s unclear to me after reading through this thread, is it possible to permanently disable pxe boot? How?

Yup, I did it successfully. From memory:

• Attach the supplied cable to the console port. On the other end I used a Linux box running recent Fedora, which seemed to have the required kernel driver already present; I didn't need to do anything except run screen per the manual's directions. Confirm that it works: you should get the same numeric menu as you see when ssh'ing into the box.

• Reboot, wait ~30sec until you see the BIOS prompt to press ESC, and quickly do that. Press it only once, and expect to wait a few seconds for the BIOS menus to appear.

• Find the BIOS menu subheading that's labeled UEFI Network Stack or PXE Network Stack (I forget which); it's in one of the first menu tabs, fairly far down. Within that, toggle the first item which will disable the network stack entirely. (There is an item under the Boot menu that looks like it will disable PXE sources individually, but that setting did not "stick" for me.)

• Press F4 to save and exit.

And voila. To confirm, check efibootmgr in the FreeBSD shell; it should not show any of the PXE boot items. I also noted something like a 15sec decrease in the BIOS startup time.

wgstarks

@tgl
And you’re still able to boot from your m.2 nvme right?

Thanks for the info. I’ll be running this from a Mac laptop but don’t foresee any problems except I believe it’s DEL to enter bios and I doubt the function keys will be equivalent to Linux.

tgl

@wgstarks said in Netgate 4200: PXE Boot Enabled Out of Box?:

@tgl
And you’re still able to boot from your m.2 nvme right?

Yup, it's up and running right now. efibootmgr reports

Boot to FW : false
BootCurrent: 0014
Timeout    : 3 seconds
BootOrder  : 0014, 001D
+Boot0014* UEFI: Generic Ultra HS-COMBO, Partition 1
 Boot001D  UEFI: Built-in EFI Shell

Thanks for the info. I’ll be running this from a Mac laptop but don’t foresee any problems except I believe it’s DEL to enter bios and I doubt the function keys will be equivalent to Linux.

IIRC, either ESC or DEL would work according to the BIOS' prompt. I tend to prefer ESC because it's less ambiguous which key is meant ...

stephenw10

Yup you can use DEL or ESC to enter the BIOS setup but if you use DEL it responds instantly switching the text to 'entering setup'. If you press ESC nothing changes for a few seconds so you can end up hitting it multiple times.

wgstarks

@tgl said in Netgate 4200: PXE Boot Enabled Out of Box?:

@wgstarks said in Netgate 4200: PXE Boot Enabled Out of Box?:

It’s unclear to me after reading through this thread, is it possible to permanently disable pxe boot? How?

Yup, I did it successfully. From memory:

• Attach the supplied cable to the console port. On the other end I used a Linux box running recent Fedora, which seemed to have the required kernel driver already present; I didn't need to do anything except run screen per the manual's directions. Confirm that it works: you should get the same numeric menu as you see when ssh'ing into the box.

• Reboot, wait ~30sec until you see the BIOS prompt to press ESC, and quickly do that. Press it only once, and expect to wait a few seconds for the BIOS menus to appear.

• Find the BIOS menu subheading that's labeled UEFI Network Stack or PXE Network Stack (I forget which); it's in one of the first menu tabs, fairly far down. Within that, toggle the first item which will disable the network stack entirely. (There is an item under the Boot menu that looks like it will disable PXE sources individually, but that setting did not "stick" for me.)

• Press F4 to save and exit.

And voila. To confirm, check efibootmgr in the FreeBSD shell; it should not show any of the PXE boot items. I also noted something like a 15sec decrease in the BIOS startup time.

It was Advanced tab>Network stack configuration>disable network stack just in case anyone else goes looking for it.

artooro

Yeah just came across this too, who has 5 minutes to wait for a router to boot? Pretty poor default, but easy enough to fix from the console.