Add tutorial for Junos ZTP with Dnsmasq DHCP in OPNSense

src/_includes/post.njk

@@ -7,3 +7,4 @@ layout: "layout.njk"
     <br/>
     {{ content | safe }}
 </article>
+<div id="bottom"></div>

src/blog/8.13.25.md

@@ -0,0 +1,167 @@
+---
+title: "Junos ZTP with Dnsmasq DHCP in OPNSense"
+date: "2025-08-13"
+layout: "post.njk"
+tags: "posts"
+excerpt: "Stop configuring your new lab devices manually!"
+---
+
+Most people know that DHCP (Dynamic Host Configuration Protocol) is a protocol used to dynamically allocate IP addresses. But did you know you that it can be used to configure other host device settings? Network device vendors like Junip... *ermm*, HPE Networking... take advantage of DHCP to perform "Zero Touch Provisioning" and even software upgrades for out of the box devices. Here I will show you how to use OPNSense with Dnsmasq DHCP to "auto-provision" your Junos devices.
+
+
+## Requirements
+
+* An OPNSense device with Dnsmasq DHCP enabled
+* An understanding of OPNSense firewall rules
+* An (S)FTP server in your network reachable by the Junos devices
+* A Junos base confiuration file saved on the FTP server.
+* At least one zeroized Junos device
+* A hex converter. [Link to the one I used here](https://www.rapidtables.com/convert/number/ascii-to-hex.html).<sup><a href="#bottom">[1]</a></sup>
+
+
+## Junos Base Cnfiguration
+
+Here is a very simple base config below to allow SSH but I highly recommend you set up your own. Try configuring a Junos device once with some basic configuration then use that to create your own template. Remember this will apply to all out of the box devices that pull a DHCP address.
+
+```conf
+system {
+    root-authentication {
+        encrypted-password "$6$9rdHQ5nJ$ilwzYPYghLkr9mXFVLrXRKnOaj.jhIDwYLT31w0//bunn1JSPUxVNEkGuoBoRinJrMiOKJKLCWsuLmyBcejzD0"; ## SECRET-DATA
+    }
+    services {
+        ssh {
+            protocol-version v2;
+        }
+    }
+}
+interfaces {
+    fxp0 {
+        unit 0 {
+            family inet {
+                dhcp;
+            }
+        }
+    }
+}
+```
+<br>
+
+The root password here is set to `Tut0ria1!`. Feel free to customize your base config as needed! Add non-root users, ssh keys, a management routing instance, name-servers, default routes, the list goes on!
+
+---
+
+## Configuring DHCP Option 43 Suboptions
+
+This is the tricky part that really makes or breaks the setup. So, before we start we have to decide on a few things:
+
+1. The config filename.
+2. The file transfer method. (FTP, SFTP, etc.)
+3. The character length of #1 and #2.
+4. Any other suboptions you're configuring.
+
+For this example we are using the filename `init.conf` and the `FTP` protocol. The filename is 9 characters long and the protocol is 3. Easy enough right?
+<br>
+
+### Playing with hex
+
+Well in order to encode all of this info for DHCP option 43 we will need a hex converter to put it all together. The order we will combine them is as follows: `suboption` + `length` + `value`. This can be repeated for all suboptions you're configuring.
+
+{% callout "Heads up!" %}
+Be sure to convert integers like the suboption and value length from <b>decimal</b> to hex. Using ASCII to hex can provide different results.
+{% endcallout %}
+
+### Suboption 1
+
+Junos uses this suboption to set the config filename. For this example we will use suboption `1` + `9` + `init.conf`. Converting this to hex individually (with colon separators) becomes `01` + `09` + `69:6E:69:74:2E:63:6F:6E:66`
+
+### Suboption 3
+This suboption is used by Junos devices to specify the file transfer protocol. Same thing here, convert and combine. Suboption `3` + `3` + `FTP` becomes `03` + `03` + `66:74:70`
+
+### Putting it all together
+Once you've performed your conversions, combine it all together like so: `01:09:69:6E:69:74:2E:63:6F:6E:66:03:03:66:74:70`. You should be good to move on to the next step. Unless...
+
+### Go the extra mile
+If you have physical Junos devices you can also perform a software upgrade using ZTP. Suboptions 0 or 4 can be used to specify a software image for upgrades. Use the same steps as above to convert the suboptions and combine them. More Junos ZTP [info here](https://www.juniper.net/documentation/us/en/software/junos/junos-install-upgrade/topics/topic-map/zero-touch-provision.html)<sup><a href="#bottom">[2]</a></sup>.
+
+---
+
+## OPNSense Settings
+
+### Dnsmasq DHCP
+
+This guide assumes you have OPNSense in your network already handing out old boring DHCP leases using Dnsmasq on a predetermined VLAN. If you're already there thankfully OPNSense makes it easy to just add some DHCP options.
+
+### DHCP Options Tab
+
+1. Navigate to the DHCP Options tab in OPNSense. In the 'Options' section click the plus to add a your first DHCP option.
+2. Configure Option 150 like shown. Be sure to select the interface that your network devices are using and the IP of your FTP server.
+<img src="/assets/images/8.13.25/option150.png" alt="Option 150">
+3. Click add again and now we add Option 43 like so. Use the hex value you calculated earlier here.
+<img src="/assets/images/8.13.25/option43.png" alt="Option 43">
+
+### Firewall rules
+
+OPNSense will open up the port needed for DHCP but you will need to create your own firewall rule for the file transfer protocol you're using.
+<br>
+<br>
+In this case I am using my NAS to host the FTP server so my config looks like so:
+<img src="/assets/images/8.13.25/firewallrule.png" alt="FTP Firewall Rule">
+<br>
+
+Be sure to apply the changes as needed!
+
+---
+
+## Finally, Zero Touch Provisioning!
+
+Now that you have your configuration file, ftp server, and firewall rules in place you can finally provision your devices!
+<br>
+<br>
+Connect your Junos devices to management and boot them up! Once up, assuming all goes well, then you should get something like this:
+
+```log
+root> 
+Auto Image Upgrade: DHCP INET Options for client interface fxp0.0 ConfigFile:
+init.conf Gateway: 10.0.0.1 DHCP Server: 10.0.0.1 File Server: 10.0.0.254
+ Options state:
+Partial Options::Config File set,Image File not set,File Server set
+Auto Image Upgrade: Active on INET client interface : fxp0.0
+Auto Image Upgrade: Interface::   "fxp0"
+Auto Image Upgrade: Server::      "10.0.0.254"
+Auto Image Upgrade: Image File::  "NOT SPECIFIED"
+Auto Image Upgrade: Config File:: "init.conf"
+Auto Image Upgrade: Gateway::     "10.0.0.1"
+Auto Image Upgrade: Protocol::    "ftp"
+Auto Image Upgrade: FTP timeout set to 7200 seconds
+Auto Image Upgrade: Start fetching init.conf file from server 10.0.0.254 through fxp0 using ftp
+Auto Image Upgrade: File init.conf fetched from server 10.0.0.254 through fxp0
+Auto Image Upgrade: Applying init.conf file configuration fetched from server 10.0.0.254 through fxp0
+Broadcast Message from root@VM689D3B3F6F
+        (no tty) at 19:29 EDT...
+Auto image Upgrade: Stopped
+Auto Image Upgrade: Committed Configuration init.conf received from 10.0.0.254 through fxp0
+
+root@VM689D3B3F6F> 
+
+root@VM689D3B3F6F> 
+```
+<br>
+
+For those with a keen eye you may notice that the base config does not have host-name configured. But with the magic of DHCP the device was able to configure its own unique hostname! Now you can use that hostname or the DHCP IP to SSH to the devices using root and `Tut0ria1!` as the password thanks to our config file!
+
+---
+
+## Conclusion
+
+Getting Junos ZTP set up really helped me create several virtual labs together while pursuing certifications and I hope this tutorial helped you. 
+<br>
+<br>
+This is only the beginning of our automation journey though! In the future I may do a tutorial on how to further automate device-specific settings using other automation tools and inventory files. Stay tuned!!
+
+---
+
+## Sources: 
+
+1. <https://www.rapidtables.com/convert/number/ascii-to-hex.html>
+
+2. <https://www.juniper.net/documentation/us/en/software/junos/junos-install-upgrade/topics/topic-map/zero-touch-provision.html>