2

I have 5 servers, each has one internet port and one IPMI port, so I am using 10 external IPs. It's a bit of a problem with the provider to get more IPs, and I also want to hide the IPMI ports since sometimes there is a bug in them which allows the server to be exploited.

will this work?

  1. All 10 ports will be connected to one switch (unmanaged).
  2. internet ports will have the same IPs like today
  3. IPMI ports will have a local IPs (10.0.0.1, 10.0.0.2, etc)
  4. when I will need to connect to IPMI, I will just make an SSH tunnel from any of the functioning servers like this: ssh -L :: So I can temporarily connect to IPMI...

Will this work? Can the "dumb" switch have two networks? I am using Supermicro servers. Does somebody know if they need only one port to function properly?

EDIT: I know about the VPN solution, but I am looking for something else that doesn't need additional HW (that can break, leaving me with no IPMI access at all). The SSH tunnel is also proposed here: Is iLO safe enough to be hung on the WAN

I just need to know if my proposed solution will work. Thank you

noescape
  • 21
  • 2
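The tunnel step from the question, worked out as a script that is not part of the original post: it picks the first of the servers that still answers SSH (so the IPMI access does not hinge on one particular server being up), refuses anything outside the 10.0.0.0/24 management range, and binds the forwarded IPMI HTTPS port to the workstation's loopback only. The jump-host addresses, the `admin` user and the assumption that each server has an address in 10.0.0.0/24 on the NIC attached to the shared switch are constructed for this example.

```shell
#!/bin/sh
# Added example: open a loopback-bound SSH tunnel to a Supermicro IPMI web UI
# (port 443) through whichever server in the rack answers first.
# Constructed inventory: public addresses of the servers used as jump hosts.
# These are assumptions, not values from the original post (198.51.100.0/24
# is documentation address space).
JUMP_HOSTS="198.51.100.11 198.51.100.12 198.51.100.13 198.51.100.14 198.51.100.15"
JUMP_USER="admin"

# Real probe: can we log in non-interactively within 5 seconds?
probe_ssh() {
  ssh -o BatchMode=yes -o ConnectTimeout=5 "$JUMP_USER@$1" true >/dev/null 2>&1
}

# pick_jump_host PROBE: print the first host PROBE accepts; fail if none.
# PROBE is a function name, so the probe can be swapped out for testing.
pick_jump_host() {
  for h in $JUMP_HOSTS; do
    if "$1" "$h"; then printf '%s\n' "$h"; return 0; fi
  done
  return 1
}

# in_mgmt_range ADDR: accept only 10.0.0.x, so a typo cannot turn the tunnel
# into a forwarder to some other host the server happens to reach.
in_mgmt_range() {
  case $1 in
    10.0.0.[0-9]|10.0.0.[0-9][0-9]|10.0.0.[0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# tunnel_spec IPMI_ADDR LOCAL_PORT: ssh -L argument bound to 127.0.0.1 only,
# so the forwarded IPMI port is never exposed on the workstation's interfaces.
tunnel_spec() {
  printf '127.0.0.1:%s:%s:443\n' "$2" "$1"
}

# open_ipmi_tunnel IPMI_ADDR [LOCAL_PORT]: afterwards browse https://127.0.0.1:PORT
open_ipmi_tunnel() {
  in_mgmt_range "$1" || { echo "refusing: $1 is not in 10.0.0.0/24" >&2; return 2; }
  host=$(pick_jump_host probe_ssh) || { echo "no server reachable over SSH" >&2; return 1; }
  exec ssh -N -L "$(tunnel_spec "$1" "${2:-8443}")" "$JUMP_USER@$host"
}

# Only act when invoked with an IPMI address, e.g. ./ipmi-tunnel.sh 10.0.0.3
if [ $# -gt 0 ]; then open_ipmi_tunnel "$@"; fi
```

If every server is down the script exits non-zero instead of hanging, which is exactly the failure mode the answers below point out; the tunnel gives no IPMI access in that case.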

2 Answers

3

I would also really recommend that you get a solid firewall appliance and use it as a VPN endpoint from the internet. This makes your iLO access independent from a certain server which has to be running, which is what iLO is actually for, and also gives you the necessary protection from bad internet guys.

binaryanomaly
  • 406
  • 1
  • 4
  • 14
  • Thank you binaryanomaly. This was the first thing that came to our mind also. But like I have said to TomTom: I think that the small router is a single point of failure. And it costs money and power consumption. With my proposed solution I think I can make a tunnel through any working server with an external IP within my switch. – noescape Mar 25 '14 at 21:10
  • Tell me then - how do you avoid the single point of failure of the switch, and which model do you have that uses no power? – TomTom Mar 25 '14 at 21:17
  • The switch is already there, since we have got only one cable from our datacenter/ISP. So we have the switch, and the same switch will be connected to the IPMI ports like today; only the IPs will change to local ones. – noescape Mar 25 '14 at 21:20
  • Well of course you need power. Quality firewalls have failovers but you would need two of them then. I had a solution for two SMEs with some tiny Zyxel firewalls that worked perfectly. That was years back so I assume you'd get the same for small money today. – binaryanomaly Mar 25 '14 at 21:22
  • Thank you binaryanomaly. Again, I already have one switch and in my solution I need only one. I don't need a dedicated dumb firewall. I use iptables for the firewall. I was just asking if it will work or not. VPN is the simple solution, but I don't think the best one. – noescape Mar 25 '14 at 21:34
2

when I will need to connect to IPMI, I will just make an SSH tunel like this

ONLY if you can make sure that this works - i.e. you need to have this possibility on pretty much every server. Because if the server that terminates the SSH tunnel goes down - there goes the IPMI ;)

I personally would not put a switch there but a small router (Mikrotik) with a switch chip ;) Then use that router to terminate a VPN.

TomTom
  • 50,857
  • 7
  • 52
  • 134
  • +1 IMHO, iLO/ipmi ports should *never* be accessible to the public internet. – EEAA Mar 25 '14 at 20:59
  • @eeaa well, in his solution they are not either (because the ISP will not route the internal IP addresses that the IPMI ports use).... just.... I wonder where to terminate the SSH ;) Lots more config stuff in my solution. – TomTom Mar 25 '14 at 21:00
  • Thank you TomTom for your answer. I think that the small router is a single point of failure. And it costs money and power consumption. With my proposed solution I think I can make a tunnel through any working server with an external IP within my switch. I just don't know if it will work... – noescape Mar 25 '14 at 21:08
  • Well, just to be clear - the switch you have costs power consumption and is a single point of failure, so nothing changes here. The price is a little higher, but then you also get a central firewall, management, the ability to monitor traffic centrally and a lot of other things. Routers like that are very sturdy - no hard discs etc. – TomTom Mar 25 '14 at 21:10
  • Thank you TomTom again. We need to have the switch, since all of the servers are connected there. We have only one cable from the datacenter. And if some server goes wrong I bet you it will be the time when the Mikrotik will go wrong... – noescape Mar 25 '14 at 21:13
  • 1
    I hold against. See, IF the Mikrotik OS fails ;) the switch still will work. There are nice Mikrotiks with an embedded switch and - on top - that stuff is super reliable. Get one without moving parts. You have 5 servers running and complain about a 200 USD difference - I would NEVER run a cluster like that without a decent firewall in front so I can see what traffic goes in or out. But your choice. Some people are just - too cheap ;) – TomTom Mar 25 '14 at 21:16
  • I would be crazy to put some cheap firewall in front of all of the servers. A small DDoS and all my servers are gone. Small/cheap firewalls are basically an ideal target to attack, since they can't handle the pps that 5 servers can manage easily. – noescape Mar 25 '14 at 21:42
  • @noescape Talking like a professional - without a clue what he says. Sorry, but simple truth. – TomTom Mar 26 '14 at 06:00