
VyOS 1.2 tftp issue, NAT client could not boot via tftp server, same setup on VyOS 1.1.8 works fine
Closed, Resolved | Public

Description

Network topology: the Cobbler TFTP server, VyOS gateway and PXE client are KVM guests.

Tested on VyOS 1.2 RC2 and RC10: PXE boot fails.
After rolling back to VyOS 1.1.8, PXE boot works all right.

192.168.1.250

   +--------+        +---------+              +-------+
   |        |        |         |              |       |
   |Cobbler +--------+  VyOS   +--------------+ PXE   |
   | tftp   |    eth0|         |eth1          | Client|
   | server |        |NAT gw   |              +-------+
   +--------+        +---------+
                                               10.1.0.0/24

NAT, DHCP configuration:

nat {
    source {
        rule 100 {
            outbound-interface eth0
            source {
                address 10.1.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name LAN {
            subnet 10.1.0.0/24 {
                bootfile-name pxelinux.0
                bootfile-server 192.168.1.250
                default-router 10.1.0.254
                dns-server 10.1.0.254
                range 0 {
                    start 10.1.0.100
                    stop 10.1.0.200
                }
            }
        }
    }
}

tcpdump sample on VyOS 1.2

root@test-gw:~# tcpdump -n host 192.168.1.250
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:10:14.315335 ARP, Request who-has 192.168.1.250 tell 192.168.1.174, length 28
23:10:14.315766 ARP, Reply 192.168.1.250 is-at 08:00:27:77:05:fb, length 46
23:10:14.315769 IP 192.168.1.174.30612 > 192.168.1.250.69:  40 RRQ "pxelinux.0" octet blksize 1432 tsize 0
23:10:14.317468 IP 192.168.1.250.41384 > 192.168.1.174.30612: UDP, length 27
23:10:14.317480 IP 192.168.1.174 > 192.168.1.250: ICMP 192.168.1.174 udp port 30612 unreachable, length 63
23:10:14.587568 IP 192.168.1.174.30612 > 192.168.1.250.69:  40 RRQ "pxelinux.0" octet blksize 1432 tsize 0
23:10:14.589575 IP 192.168.1.250.53310 > 192.168.1.174.30612: UDP, length 27
23:10:14.589589 IP 192.168.1.174 > 192.168.1.250: ICMP 192.168.1.174 udp port 30612 unreachable, length 63
23:10:15.136817 IP 192.168.1.174.30612 > 192.168.1.250.69:  40 RRQ "pxelinux.0" octet blksize 1432 tsize 0
23:10:15.138706 IP 192.168.1.250.41158 > 192.168.1.174.30612: UDP, length 27
23:10:15.138718 IP 192.168.1.174 > 192.168.1.250: ICMP 192.168.1.174 udp port 30612 unreachable, length 63
23:10:16.180483 IP 192.168.1.174.30612 > 192.168.1.250.69:  40 RRQ "pxelinux.0" octet blksize 1432 tsize 0
23:10:16.182293 IP 192.168.1.250.37207 > 192.168.1.174.30612: UDP, length 27
23:10:16.182309 IP 192.168.1.174 > 192.168.1.250: ICMP 192.168.1.174 udp port 30612 unreachable, length 63
23:10:18.212668 IP 192.168.1.174.30612 > 192.168.1.250.69:  40 RRQ "pxelinux.0" octet blksize 1432 tsize 0
23:10:18.214695 IP 192.168.1.250.51731 > 192.168.1.174.30612: UDP, length 27
23:10:18.214711 IP 192.168.1.174 > 192.168.1.250: ICMP 192.168.1.174 udp port 30612 unreachable, length 63
23:10:19.329165 ARP, Request who-has 192.168.1.174 tell 192.168.1.250, length 46
23:10:19.329173 ARP, Reply 192.168.1.174 is-at 76:83:f2:9e:6e:15, length 28
23:10:22.277107 IP 192.168.1.174.30612 > 192.168.1.250.69:  40 RRQ "pxelinux.0" octet blksize 1432 tsize 0
23:10:22.279021 IP 192.168.1.250.47269 > 192.168.1.174.30612: UDP, length 27
23:10:22.279040 IP 192.168.1.174 > 192.168.1.250: ICMP 192.168.1.174 udp port 30612 unreachable, length 63
23:11:15.439028 ARP, Request who-has 192.168.1.250 tell 192.168.1.254, length 46
^C
23 packets captured
23 packets received by filter

tcpdump sample on VyOS 1.1.8

root@test-gw:~# tcpdump -n host 192.168.1.250 -c 30
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:21:27.236837 ARP, Request who-has 192.168.1.250 tell 192.168.1.164, length 28
23:21:27.237290 ARP, Reply 192.168.1.250 is-at 08:00:27:77:05:fb, length 46
23:21:27.237292 IP 192.168.1.164.10027 > 192.168.1.250.69:  40 RRQ "pxelinux.0" octet blksize 1432 tsize 0
23:21:27.239465 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 27
23:21:27.239968 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.240438 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
23:21:27.240488 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.240932 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
23:21:27.240981 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.241412 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
23:21:27.241480 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.241926 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
23:21:27.241975 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.242443 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
23:21:27.242891 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.243359 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
23:21:27.243409 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.244319 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
23:21:27.244368 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.245269 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
23:21:27.245318 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.246219 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
23:21:27.246268 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.247170 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
23:21:27.247218 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.247699 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
23:21:27.248135 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.248616 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
23:21:27.248676 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.249340 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 238
30 packets captured
31 packets received by filter
0 packets dropped by kernel

Details

Difficulty level: Unknown (require assessment)
Version: 1.2rc

Event Timeline

shadowyw updated the task description.

Not sure, but try this:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

Have you tried set system conntrack modules tftp?

zsdc assigned this task to Unknown Object (User). Apr 6 2020, 10:09 AM
Unknown Object (User) closed this task as Resolved. Apr 7 2020, 8:02 PM

Automatic helper assignment is enabled in both the LTS and the current rolling releases. The only thing needed to make TFTP work is to allow udp/69 and "related" traffic.
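
Added example, not part of the original thread: the Python below classifies each TFTP read request in tcpdump -n text by whether the server's reply from its new ephemeral port was answered by the client or rejected with ICMP port unreachable by the NAT address, which is the difference between the two captures in the task description. The function name classify_tftp and the verdict strings are made up for this example; the sample packets are copied from those captures.

```python
import re

# Packets copied from the two captures in the task description (trimmed).
VYOS_12 = '''\
23:10:14.315769 IP 192.168.1.174.30612 > 192.168.1.250.69:  40 RRQ "pxelinux.0" octet blksize 1432 tsize 0
23:10:14.317468 IP 192.168.1.250.41384 > 192.168.1.174.30612: UDP, length 27
23:10:14.317480 IP 192.168.1.174 > 192.168.1.250: ICMP 192.168.1.174 udp port 30612 unreachable, length 63
'''
VYOS_118 = '''\
23:21:27.237292 IP 192.168.1.164.10027 > 192.168.1.250.69:  40 RRQ "pxelinux.0" octet blksize 1432 tsize 0
23:21:27.239465 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 27
23:21:27.239968 IP 192.168.1.164.10027 > 192.168.1.250.50991: UDP, length 4
23:21:27.240438 IP 192.168.1.250.50991 > 192.168.1.164.10027: UDP, length 1384
'''

RRQ = re.compile(r'IP (\S+)\.(\d+) > (\S+)\.69: .*RRQ "([^"]+)"')
UDP = re.compile(r'IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length \d+')
UNREACH = re.compile(r'IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable')

def classify_tftp(capture):
    """Return [(filename, verdict)] for each TFTP read request in tcpdump -n text."""
    flows = {}  # (client_ip, client_port) -> {"file", "server", "tid", "verdict"}
    for line in capture.splitlines():
        if m := RRQ.search(line):
            # Retransmitted RRQs reuse the client port, so keep the first entry.
            flows.setdefault((m[1], m[2]), {"file": m[4], "server": m[3],
                                            "tid": None, "verdict": "no-reply"})
        elif m := UDP.search(line):
            src, sport, dst, dport = m.groups()
            to_client, from_client = flows.get((dst, dport)), flows.get((src, sport))
            if to_client and src == to_client["server"] and to_client["tid"] is None:
                # The server answers from a new port (its transfer ID), never from 69.
                to_client.update(tid=sport, verdict="reply-unanswered")
            elif from_client and (dst, dport) == (from_client["server"], from_client["tid"]):
                from_client["verdict"] = "transfer-ok"  # client reached the new port
        elif m := UNREACH.search(line):
            f = flows.get((m[1], m[3]))
            if f and m[2] == f["server"] and f["verdict"] != "transfer-ok":
                # The NAT address itself refused the reply: nothing tracked that flow.
                f["verdict"] = "reply-rejected"
    return [(f["file"], f["verdict"]) for f in flows.values()]
```

A reply-rejected verdict on the outside interface means the reply from the server's new port was not matched to the original request as "related" traffic, which is what the TFTP conntrack helper and a rule accepting related traffic provide.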