PXE Boot on multivlan with dhcp rely?
Hello everyone
I'm a bit lost here after reprogramming my watchguard.
I have switched to multivlan on my trusted network.
I have created 4 VLANs so far: 1,2,3,999 on etherface2 tagged all but 999 untagged. I have added dhcp relay of 1,2,3 and add any in firewall filter so all VLANs except 999 talk together.
It seems to work as it should except PXE Boot I run F12 over. The DHCP server and my sccm are on VLAN 1 until I redesign my network. PXE Boot works on VLAN 1 but not on 2 and 3.
I thought if I added any then it will work?
Is there anyone who can say what I'm missing? I would not think I should create more filter rules when using any in the firewall?
Regards
Jimmy
0
Sign In to comment.
Comments
DHCP/BOOTP packets are broadcast packets, and those do not cross firewall routed interfaces, such as for VLANs.
There is a DHCP Relay option in XTM to forward DHCP/BOOTP packets to an IP addr. Try setting up that on VLAN 2 & 3 to the BOOTP server IP addr.
Hi bruce_briggs
i already have dhcp relay on them and it also works with the scopes i have on the dhcp server on domain. I had also counted on when you activated inter routing on xtm so you did not need any rules either. but dhcp relay does not take pxe over. everything else works like it should just not pxe boot?
Hmm do i nede to make a static route from each vlan suppet to dhcp server?
No. XTM knows how to route.
Looks like XTM does not support BOOTP relays
Can i make a filter rule for that?
No.
As I said earlier "DHCP/BOOTP packets are broadcast packets, and those do not cross firewall routed interfaces, such as for VLANs."
do not cross - means that broadcast packets are denied and dropped.
There is no policy which can change that.
You can open a support incident to see if there is any way to do BOOTP relay.
There is none that I have seen.
Hmm ok i Will try open a case then
The for replay
A simple solution to this.
Watchguard can have up to 3 dhcp relays assigned.
I run with 2 dhcp servers with failover. Add the 3 dhcp relay on the vlan where WDS, SCCM or whatever it is that an extra dhcp server and PXE Boot works
Thanks Jimmy, I can prove the solution above, as Watchguard correctly fowards the DHCP-broadcast as a unicast to all three Relay-Servers (both DCs and the PXE). The PXE-server is getting to know the DHCP-client and forwards his DHCP-options as an addition to the DHCP-offer coming from DCs. This also works over BOVPN.