2

I have 5 servers; each has one internet port and one IPMI port, so I am using 10 external IPs. It's a bit of a problem to get more IPs from the provider, and I also want to hide the IPMI ports, since sometimes there is a bug in them which allows the server to be exploited.

Will this work?

  1. All 10 ports will be connected to one switch (unmanaged).
  2. Internet ports will have the same IPs as today.
  3. IPMI ports will have local IPs (10.0.0.1, 10.0.0.2, etc.).
  4. When I need to connect to IPMI, I will just make an SSH tunnel from any of the functioning servers like this: ssh -L :: So I can temporarily connect to IPMI...

Will this work? Can the "dumb" switch have two networks? I am using Supermicro servers. Does anybody know if they need only one port to function properly?

EDIT: I know about the VPN solution, but I am looking for something else that doesn't need additional HW (which can break, and then I have no IPMI access at all). The SSH tunnel is also proposed here: Is iLO safe enough to be hung on the WAN

I just need to know if my proposed solution will work. Thank you.

2 Answers

3

I would also really recommend that you get a solid firewall appliance and use it as a VPN endpoint from the internet. This makes your iLO access independent of a particular server having to be running, which is what iLO is actually for, and it also gives you the necessary protection from the bad guys on the internet.

2

when I will need to connect to IPMI, I will just make an SSH tunnel like this

ONLY if you can make sure that this works - i.e. you need to have this possibility on pretty much every server. Because if the server that terminates the SSH tunnel goes down - there goes the IPMI ;)

I personally wouldn't put a switch there but a small router (MikroTik) with a switch chip ;) Then use that router to terminate a VPN.

TomTom
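
The tunnel-through-any-working-server idea from the question, with the failover the second answer asks for, as an added example that is not part of either post. The hostnames, the local port 8443 and the BMC web UI listening on TCP 443 are assumptions; only the 10.0.0.x addressing comes from the question.

```sh
#!/bin/sh
# Added example: all hostnames, addresses and ports below are constructed.
JUMP_HOSTS="srv1.example.com srv2.example.com srv3.example.com"  # internet-port names
PROBE=${PROBE:-probe_ssh}   # reachability check; replaceable for offline testing

probe_ssh() {
    # BatchMode: never prompt for a password; ConnectTimeout bounds a dead host.
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true 2>/dev/null
}

# pick_jump_host DOWN_SERVER
# Print the first server that answers SSH, skipping the one being repaired.
pick_jump_host() {
    skip=$1
    for h in $JUMP_HOSTS; do
        [ "$h" = "$skip" ] && continue
        if "$PROBE" "$h"; then
            printf '%s\n' "$h"
            return 0
        fi
    done
    return 1   # no server left to terminate the tunnel
}

# tunnel_cmd JUMP_HOST IPMI_IP LOCAL_PORT
# -N: forward only, no remote shell. Binding to 127.0.0.1 keeps the forwarded
# port off the workstation's own network. ssh -L carries TCP only, so this
# reaches the BMC web UI (assumed on 443), not IPMI-over-LAN on UDP 623.
tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:%s:443 %s\n' "$3" "$2" "$1"
}

# Usage: ./ipmi-tunnel.sh srv1.example.com 10.0.0.1
if [ "$#" -eq 2 ]; then
    jump=$(pick_jump_host "$1") || { echo "no jump host reachable" >&2; exit 1; }
    cmd=$(tunnel_cmd "$jump" "$2" 8443)
    echo "running: $cmd" >&2
    exec $cmd
fi
```

If every server fails the probe, the script exits with an error, which is the case the second answer warns about.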