Turning to here after many futile attempts to resolve.
I have an OSX server (10.10.5) which has been hosting a Netrestore image over HTTP without issue for some time now. We replaced our firewall in our network with one from another vendor, which has the exact same network configuration (sans VLANs, though that is a moot point. Read below) and yet since the swap, the Macbooks in our organization cannot see the hosted images. Here is what I am facing:
- Systems on same VLAN as the servers (normally not, but doesn't work either way.)
- Firewall not enabled on OSX server
- All required ports (both UDP and TCP) are reachable on the server
- Images are NOT limited to model, and existing machines with known working configurations against the images cannot see them either
- Netinstall service has been restarted, images have not changed, services show online
- Tried delivering images both over HTTP and NFS
- Server is pingable by all machines
- TCP dump for bootpd does not show anything hitting the server
- Server switched from manual IP config to DHCP but retains same IP, Sub and Gateway
The systems which are trying to reach the server exhibit behavior as if the server is not delivering the image. I'm not sure where to go for the next step at this point, or where to look next. Any thoughts?
Best Answer
It sounds like something in the network is blocking nonstandard DHCP traffic, including the requests a NetBoot client uses to find the server(s). When you start a Mac with the Option or N keys held down, it'll first do a normal DHCP transaction to get an IP address, then send a special "BSDP" (Boot Service Discovery Protocol) request, which is really a DHCP Inform request with some special options set. Here's what it looks like with `sudo tcpdump -nv -s0 port bootps`:
Note that the source address is a unicast address, not 0.0.0.0 like a normal DHCP request would have; your firewall may think that's hinky and block it. Or it might be blocking it for some other reason. Anyway, if the NetBoot server receives this, it should reply with something like this:
...and if the client receives that, it'd use the information in it to fetch the booter and kernel over TFTP, and then mount the image over either HTTP or NFS and actually boot from it.
BTW, this tends to be a pain to troubleshoot because you have to boot the client over & over to get it to send the requests. But there's a trick: boot a client normally, then open System Preferences -> Startup Disk, and it'll scan for NetBoot images using the same BSDP/DHCP queries. Much easier, plus you can run packet captures on the client as you do it. Only tricky thing is that to make it rescan, you have to fully quit System Preferences, not just leave & reenter the Startup Disk pane.
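An added example, not part of the original answer: a small pure-Python decoder for one bootps payload (the UDP payload a tcpdump or pcap reader hands you) that reports whether it is the BSDP request the answer describes, i.e. a DHCP Inform from a unicast source whose vendor class starts with "AAPLBSDPC" and whose option 43 carries a BSDP message type. The vendor-class string and the BSDP sub-option codes are assumed from Apple's public BSDP documentation, and the sample packet is constructed, not a real capture.

```python
import struct

DHCPINFORM = 8                                  # DHCP option 53 message type
BSDP_MSG_TYPES = {1: "LIST", 2: "SELECT", 3: "FAILED"}  # BSDP sub-option 1 (assumed)
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_options(raw):
    """Parse TLV DHCP options; the same layout is used inside option 43 for BSDP."""
    opts, i = {}, 0
    while i + 1 < len(raw):
        code = raw[i]
        if code == 255:                         # end marker
            break
        if code == 0:                           # pad byte
            i += 1
            continue
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def classify_bootp(payload):
    """Return a verdict dict for a BSDP request, or None if the payload is not BSDP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    ciaddr = ".".join(str(b) for b in payload[12:16])   # client's own address
    opts = parse_options(payload[240:])
    vendor_class = opts.get(60, b"").decode("ascii", "replace")
    if not vendor_class.startswith("AAPLBSDPC"):
        return None
    msg_type = opts.get(53, b"\0")[0]
    bsdp = parse_options(opts.get(43, b""))
    return {
        "dhcp_inform": msg_type == DHCPINFORM,
        "unicast_source": ciaddr != "0.0.0.0",  # what the answer says a firewall may dislike
        "ciaddr": ciaddr,
        "bsdp": BSDP_MSG_TYPES.get(bsdp.get(1, b"\0")[0], "unknown"),
        "client": vendor_class,
    }

def build_sample_bsdp_list():
    """Constructed DHCPINFORM carrying a BSDP LIST request (not a real capture)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6            # op=BOOTREQUEST, htype=Ethernet, hlen=6
    hdr[12:16] = bytes([192, 0, 2, 10])         # ciaddr: client already has a lease
    hdr[28:34] = b"\x00\x11\x22\x33\x44\x55"    # chaddr (constructed MAC)
    vendor = b"AAPLBSDPC/i386/MacBookPro11,1"   # constructed model string
    bsdp = bytes([1, 1, 1]) + bytes([2, 2, 1, 1])        # type=LIST, version=1.1
    opts = (bytes([53, 1, DHCPINFORM]) + bytes([60, len(vendor)]) + vendor
            + bytes([43, len(bsdp)]) + bsdp + b"\xff")
    return bytes(hdr) + MAGIC_COOKIE + opts

if __name__ == "__main__":
    print(classify_bootp(build_sample_bsdp_list()))
```

Feed real payloads from a capture taken on the server to confirm whether any BSDP LIST request arrives at all, and on the client to confirm it is being sent.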