
I have an ESXi VM running a tftpd-hpa server on the latest version of Debian 9 for the network PXE environment. For testing purposes, I configured another VM to handle DHCP on Debian 9 using isc-dhcp-server (with next-server and bootfile directives). Using a third VM with no OS, I am able to PXE boot to the server with no issues. However, when implementing the PXE on the network (specifically the Ubiquiti EdgeRouter) the PXE server does not work unless the tftpd-hpa configuration is modified.

If I comment out the TFTP_OPTIONS="--secure" line from the tftpd-hpa file, the server will work fine with the EdgeRouter. I've also tried adding the following configuration lines to the EdgeRouter config file to no avail:

subnet-parameters "filename "/srv/tftp/pxelinux.0";"
subnet-parameters "filename ;pxelinux.0";"

I am led to believe that the issue is stemming from how the EdgeRouter is relaying the DHCP options to the client, but what is causing this and how could I fix it? I realize I could just leave the secure option disabled but I would rather not do that. I have tried adding full and partial paths to the router configuration as well.

Error:

TFTP.
PXE-T01: File not found
PXE-E3B: TFTP Error - File Not found
PXE-M0F: Exiting Intel PXE ROM.
Operating System not found

/etc/default/tftpd-hpa:

TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure"

/srv/tftp:

$ ls -alh
total 20K
drwxrwxr-x 3 root root 4.0K Mar  4 14:38 .
drwxr-xr-x 3 root root 4.0K Apr 18 00:37 ..
drwxrwxr-x 3 root root 4.0K Mar  4 14:38 debian-installer
lrwxrwxrwx 1 root root   47 Mar  4 14:38 ldlinux.c32 -> debian-installer/amd64/boot-screens/ldlinux.c32
lrwxrwxrwx 1 root root   33 Mar  4 14:38 pxelinux.0 -> debian-installer/amd64/pxelinux.0
lrwxrwxrwx 1 root root   35 Mar  4 14:38 pxelinux.cfg -> debian-installer/amd64/pxelinux.cfg
-rw-r--r-- 1 root root   79 Apr 18 00:41 test
-rw-rw-r-- 1 root root   62 Mar  4 14:38 version.info

/config/config.boot:

dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                bootfile-name pxelinux.0
                bootfile-server 192.168.1.94
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.1 {
                    stop 192.168.1.127
                }
                unifi-controller 192.168.1.225
            }
        }
        use-dnsmasq disable
    }
...
}
SuperAdmin

1 Answer

--secure, -s
    Change root directory on startup. This means the remote host does not
    need to pass along the directory as part of the transfer, and may add 
    security. When --secure is specified, exactly one directory should be 
    specified on the command line. The use of this option is recommended 
    for security as well as compatibility with some boot ROMs which cannot 
    be easily made to include a directory name in its request.

The only point where the former parameter can be related to your problem is the use of a different DHCP server bootfile parameter.

A Wireshark traffic capture will tell you:

  1. How many DHCP servers you have working on the same segment (it should be only one)
  2. The booting client's TFTP request showing its full path/file
Pat
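To make concrete what the answer's Wireshark capture would reveal and why the question's --secure observation matters, here is a small Python model of the two things involved: decoding the filename from the client's TFTP read request (the first packet a capture shows) and working out which filesystem path tftpd-hpa would open for it with and without --secure. This is an added example, not code from the question, the answer or the tftpd-hpa project. The chroot behaviour follows the man-page text quoted above; the non-secure branch (absolute names only, confined to the configured directory) is my reading of the daemon's behaviour and is labelled as an assumption in the code. The file list and the three request packets are constructed from the listing in the question.

```python
import posixpath
from typing import Optional, Tuple

# Files on the server, reconstructed from the ls listing of /srv/tftp in the
# question (constructed sample; symlink targets omitted), plus one file
# outside the TFTP tree to show what the chroot contains.
TFTP_ROOT = "/srv/tftp"          # TFTP_DIRECTORY in /etc/default/tftpd-hpa
SERVER_FILES = {
    "/srv/tftp/pxelinux.0",
    "/srv/tftp/ldlinux.c32",
    "/srv/tftp/version.info",
    "/srv/tftp/test",
    "/etc/shadow",
}

# Constructed TFTP read requests (RFC 1350 RRQ): opcode 1, filename, NUL,
# mode, NUL. Wireshark decodes exactly these fields from the PXE client's
# first packet, which is where the requested path/file becomes visible.
RRQ_RELATIVE = b"\x00\x01pxelinux.0\x00octet\x00"
RRQ_ABSOLUTE = b"\x00\x01/srv/tftp/pxelinux.0\x00octet\x00"
RRQ_TRAVERSAL = b"\x00\x01/srv/tftp/../../etc/shadow\x00octet\x00"


def parse_rrq(packet: bytes) -> Tuple[str, str]:
    """Decode (filename, mode) from a TFTP read request packet."""
    if len(packet) < 4 or packet[:2] != b"\x00\x01":
        raise ValueError("not a TFTP read request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:              # filename, mode, and the trailing NUL
        raise ValueError("truncated read request")
    return fields[0].decode("ascii"), fields[1].decode("ascii").lower()


def resolve(filename: str, secure: bool, root: str = TFTP_ROOT) -> Optional[str]:
    """Model the real path tftpd-hpa would open, or None if it refuses.

    secure=True  : the daemon has chroot()ed into ROOT, so "/" *is* ROOT and
                   every name, absolute or relative, lands under it. A
                   directory prefix in the request is therefore duplicated
                   (/srv/tftp/srv/tftp/...), giving "File not found", and
                   ".." can never climb above ROOT.
    secure=False : no chroot; the client must pass the directory itself.
                   ASSUMPTION (my model, not the daemon's code): only
                   absolute names that stay under ROOT after normalisation
                   are accepted; anything else is refused.
    """
    if secure:
        inside = posixpath.normpath("/" + filename.lstrip("/"))
        return posixpath.join(root, inside.lstrip("/"))
    if not filename.startswith("/"):
        return None
    real = posixpath.normpath(filename)
    return real if real.startswith(root + "/") else None


def serve(packet: bytes, secure: bool) -> str:
    """Return the outcome the PXE client would report for this request."""
    filename, _mode = parse_rrq(packet)
    path = resolve(filename, secure)
    if path is None:
        return "Access violation"
    return "OK" if path in SERVER_FILES else "File not found"


if __name__ == "__main__":
    for name, packet in (("relative", RRQ_RELATIVE),
                         ("absolute", RRQ_ABSOLUTE),
                         ("traversal", RRQ_TRAVERSAL)):
        filename, _ = parse_rrq(packet)
        for secure in (True, False):
            print(f"{name:9} {filename:28} --secure={secure!s:5} "
                  f"opens {resolve(filename, secure)!r:40} -> {serve(packet, secure)}")
```

Running it shows the asymmetry behind the question: a bare "pxelinux.0" succeeds only under --secure, while "/srv/tftp/pxelinux.0" succeeds only without it (under --secure it is looked up as /srv/tftp/srv/tftp/pxelinux.0 and fails with "File not found", the same error the PXE ROM printed). It also shows why the man page calls --secure a security measure: the traversal request never leaves /srv/tftp in the chroot case. The practical check is therefore the one the answer gives: capture the client's RRQ and compare the filename it carries with what your working VM sends.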