Hi guys,
I wanted to net-boot my Raspi’s on a VLAN from a NAS on another VLAN, as is described here https://www.definit.co.uk/2020/03/pxe-b ... dgerouter/. I get it working when I put Raspi’s and NAS in the same VLAN or when I disable rule 30 (Drop Raspi to LAN) and the Raspi is in VLAN_Raspi and the NAS in VLAN1. When Raspi and NAS are in different VLANs with all firewall rules on, it starts up erratically and very slowly. Does anyone have any suggestions?
Are the firewall rules in general the problem?
Are there ports I forgot? Does port order make a difference?
Is there any other way to fix the problem?
Network setup:
ZTE H369A: internet modem-router; 192.168.2.254
DNS (Pi-Hole): 192.168.2.3
Ubiquiti EdgeRouter X with VLAN1 for native LAN and VLAN_Raspi VLAN10 for the Raspberry Pi’s. Setup following this video https://www.youtube.com/watch?v=SKeFqFhBwJY based on this Ubiquiti guide https://help.ui.com/hc/en-us/articles/2 ... ewall-Rule. I don’t have a real webserver, so I used the IP address of the router. The VLAN_Raspi is configured as a guest VLAN with a special firewall rule.
WAN: 192.168.2.2
Native VLAN: VLAN1; 192.168.1.1/24
VLAN_Raspi; VLAN10; 192.168.10.1/24
Switch0.1: 192.168.1.1
Synology NAS: 192.168.1.100
RaspberryPi: 192.168.10.7; Pi4-8GB
Firewall rules:
Ruleset: Raspi_LAN_IN
default-action: accept
description: "Raspi to LAN"
rule 10: Allow webserver
action: accept
destination: address 192.168.1.1
port: 80,443
protocol: tcp
rule 20: Allow NAS
action: accept
destination: address 192.168.1.100
port: 69,2049,80,111,139,443,445,892,5001,5005
protocol: tcp_udp
state: established, new, related
rule 30: Drop Raspi to LAN
action: drop
destination: network-group Local-network
protocol: all
Ports
When I do a portscan with nmap from VLAN10 to the NAS in VLAN1 with all firewall rules I made, I get the following:
(.venv) pi@raspi5:~ $ sudo nmap -n -PN -sT -sU -p- --top-ports 1000 192.168.1.100
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-04 10:04 CET
Nmap scan report for 192.168.1.100
Host is up (0.00076s latency).
Not shown: 994 filtered tcp ports (no-response), 993 open|filtered udp ports (no-response)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
5001/tcp open commplex-link
69/udp open tftp
80/udp closed http
111/udp open rpcbind
139/udp closed netbios-ssn
445/udp closed microsoft-ds
2049/udp open nfs
5001/udp closed commplex-link
In rule 20 I added some more ports, like 892 for nfs, 5005 for WebDAV (read that SMB isn’t working between VLANs, WebDAV does work).
I came to this list by this page https://kb.synology.com/nl-nl/DSM/tutor ... y_services. Filled in one by one and watched what happened. When I filled in 69 and 2049 alone, it booted quickly but stopped at bootcode.bin:
done.
Begin: Mounting root file system … Begin: Running /scripts/nfs-top… done.
Begin: Running /scripts/nfs-premount … done.
Begin: Waiting up to 180 secs for any network device to become available …done.
IP-Config: eth0 hardware address dc:a6:32:4c:ed:cb mtu 1500 DHCP
IP-Config: eth0 guessed broadcast address 192.168.10.255
IP-Config: eth0 complete (dhcp from 192.168.10.1):
address: 192.168.10.7 broadcast: 192.168.10.255 netmask: 255.255.255.0
gateway: 192.168.10.1 dns0 : 192.168.2.3 dns1 : 0.0.0.0
rootserver: 192.168.1.100 rootpath:
filename bootcode.bin
connect: Connection timed out.
I tried different combinations of ports and so on, but to no avail. The full set of ports lets the Raspi boot from the LAN, but it takes more than 10 minutes or so.
Thanks.
Bart.
Statistics: Posted by katoen58 — Mon Feb 05, 2024 6:55 pm — Replies 1 — Views 39
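An added illustration, not part of the post above, of how a ruleset like Raspi_LAN_IN treats a TFTP read: rule 20 matches on destination ports, but TFTP (RFC 1350) has the server answer from a freshly chosen port, so the client's next packet is addressed to a port that is not in the list. The toy model below uses the addresses and port list from the post; the client port 40000, the server's transfer-ID port 49152 and the extra "allow established" rule are constructed assumptions, and the model assumes that a reply packet which the router forwards unfiltered still creates a connection-tracking entry, as it does with iptables-based firewalls.

```python
from dataclasses import dataclass

# Addresses and the rule-20 port list are from the post; 40000 and 49152 are
# constructed sample ports (the client's and the server's TFTP transfer IDs).
PI, NAS = "192.168.10.7", "192.168.1.100"
LOCAL_NET = "192.168.1."        # stands in for network-group Local-network
NAS_PORTS = {69, 2049, 80, 111, 139, 443, 445, 892, 5001, 5005}


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Pkt":
        return Pkt(self.dst, self.dport, self.src, self.sport)


class Router:
    """Toy model: conntrack learns every forwarded packet; only Pi -> LAN
    traffic is evaluated against Raspi_LAN_IN (rules 20 and 30, then default)."""

    def __init__(self, allow_established_first: bool):
        self.allow_established_first = allow_established_first
        self.conntrack: set[Pkt] = set()

    def established(self, p: Pkt) -> bool:
        return p in self.conntrack or p.reverse() in self.conntrack

    def forward(self, p: Pkt) -> str:
        verdict = self._raspi_lan_in(p) if p.src == PI else "accept"
        if verdict == "accept":
            self.conntrack.add(p)       # reply traffic creates entries too
        return verdict

    def _raspi_lan_in(self, p: Pkt) -> str:
        if self.allow_established_first and self.established(p):
            return "accept"             # hypothetical rule placed before rule 30
        if p.dst == NAS and p.dport in NAS_PORTS:
            return "accept"             # rule 20: port list AND state
        if p.dst.startswith(LOCAL_NET):
            return "drop"               # rule 30
        return "accept"                 # default-action


def tftp_read(allow_established_first: bool) -> list[str]:
    """RRQ to 69/udp, DATA back from the server's fresh TID, ACK to that TID."""
    r = Router(allow_established_first)
    rrq = Pkt(PI, 40000, NAS, 69)
    data = Pkt(NAS, 49152, PI, 40000)   # RFC 1350: server replies from a new port
    return [r.forward(rrq), r.forward(data), r.forward(data.reverse())]
```

With the rules as posted the client's ACK to port 49152 falls through to rule 30 and is dropped, which is the kind of per-transfer timeout that makes a TFTP boot slow rather than fail outright; a state-only accept rule ahead of the drop lets the tracked reply flow through.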