How many IPs do I need?


RTM

It might be a good idea to describe what it is you want to build.

If this is a production network, you probably don't want to put your management networks where your other stuff is, as is implied by a minimal setup.
If you are requesting IPs from someone else (be it a local network team or even an ISP), keep in mind that you may need more than what your systems require: a minimal subnet takes 4 IP addresses, one for network (as it is called, essentially it is wasted), one for broadcast traffic, one for gateway and one for your system.

It can be a little complex, but don't despair just yet. Start by describing what your plans are, then I am sure we can help you.
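The arithmetic in the post above, carried through for any number of systems, as an added example that is not part of the original thread. The block `203.0.113.0/24` is a documentation range used as constructed input, and placing the gateway on the first usable address is an assumption; providers differ.

```python
import ipaddress

# Addresses every routed subnet spends before any system gets one:
# network address, broadcast address, and the provider's gateway.
OVERHEAD = 3

def smallest_prefix(systems: int) -> int:
    """Longest IPv4 prefix whose block holds `systems` plus the overhead."""
    if systems < 1:
        raise ValueError("need at least one system")
    needed = systems + OVERHEAD
    # Round up to the next power of two: subnets only come in those sizes.
    return 32 - (needed - 1).bit_length()

def plan(block: str, systems: int) -> dict:
    """Carve the smallest fitting subnet out of `block` and label each address."""
    parent = ipaddress.ip_network(block)
    prefix = smallest_prefix(systems)
    if prefix < parent.prefixlen:
        raise ValueError(f"{block} is too small for {systems} systems")
    net = next(parent.subnets(new_prefix=prefix))
    hosts = list(net.hosts())
    return {
        "subnet": str(net),
        "network": str(net.network_address),
        "gateway": str(hosts[0]),  # assumption: first usable address
        "systems": [str(h) for h in hosts[1:1 + systems]],
        "spare": len(hosts) - 1 - systems,
        "broadcast": str(net.broadcast_address),
        "total": net.num_addresses,
    }

if __name__ == "__main__":
    # One system is the 4-address minimum; three systems already need 8.
    for n in (1, 3, 6):
        p = plan("203.0.113.0/24", n)
        print(n, "systems ->", p["subnet"], f"({p['total']} addresses,",
              p["spare"], "spare)")
```
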
 

Khampol

What if I use a VM like a router/fw/dhcp-svr, then manage access and IP(s) of VMs with ports? (like at home ;))

Well, my needs are not very complex: a web server, a virtual desktop (VNC or similar) and lastly maybe a kind of ERP with access on a port other than 80 or 443. Voilà.

I'll host it as dedicated in a datacenter. And each IP is not free except the one included in the package.
 

BoredSysadmin

> What if I use a VM like a router/fw/dhcp-svr, then manage access and IP(s) of VMs with ports? (like at home ;))
>
> Well, my needs are not very complex: a web server, a virtual desktop (VNC or similar) and lastly maybe a kind of ERP with access on a port other than 80 or 443. Voilà.
>
> I'll host it as dedicated in a datacenter. And each IP is not free except the one included in the package.

You could set up a router VM and NAT all of the IPs behind it and you'll need only 1-2 IPs.
But the level of complexity of setting it up [and maintaining it] goes exponentially higher, far beyond the scope of a few forum posts. Just my 2c.
 

Scott Laird

I'd be very cautious about putting the IPMI interface on an unsecured network. It's probably safest to assume that anyone who can talk directly to the IPMI interface can take direct control of the system's hardware eventually. There have been a number of remote IPMI exploits over time, and it's pretty clear that none of the IPMI developers did a great job with security. If you need remote access to it, I'd look into VPN options, either via your provider or via an additional piece of hardware.
 

Khampol

Hi guys. Thanks for all your suggestions and good advice.

"You could set up a router VM and nat all of the IPs behind it"
Yep, I am doing this ;)

"It's probably safest to assume that anyone who can talk directly to the IPMI interface can take direct control of the system's hardware eventually."
Oh yes. And this scares me the most!

"At least use a small firewall and vpn for your ipmi."
Believe me, if I have the budget, I'll take an entire rack for myself! Actually, per year I can only afford hosting for my SM 1U.

Well, in my homelab I already built and tested ESXi + Firewall-VM + Desktop-VM. (The firewall has 2 NETs = WAN and LAN.)
That works great. I simulate the data center with a simple router that has Internet but NO DHCP. The Firewall-VM gets the WAN through the server's NIC 1 via passthrough (SR-IOV). With this I could have as many VMs as I want. But so far I still need at least 3 IPs and, as said above, it is out of the question to expose IPMI or ESXi management....

Today I will attempt this: IPMI and ESXi management are accessible via NIC 0 (zero). Could they be accessible to/from the Firewall-VM??
 

Khampol

OK. All works as expected: I use only 1 for all (all VMs + IPMI + ESXi). But.... there is a BIG problem with this method: when the firewall (VM) is turned OFF, access to IPMI and ESXi is all DOWN.... :(

Sure, I can just add 1 IP dedicated to IPMI and ESXi management to my package, but then I am faced with another dilemma: a direct exposure of IPMI to the NET, which is dangerous for security.... :(:(

https://www.supermicro.com/products/nfo/files/IPMI/Best_Practices_BMC_Security.pdf

BMC Configuration
a. Customize service ports information on the BMC to your datacenter specifications. For example; you can configure http port to 57880 instead of 80.
b. Change the default password during installation and use strong passwords
c. Create user policies and roles on BMC
d. Use the IP Access Policy to enable access rules to BMC from management servers


Will this be enough? Guys who have experience in datacenters, how do you do it? Advice needed here please.


I am in Thailand, and even in a datacenter it's better to count on yourself before counting on them.....
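What item d in the quoted list amounts to, as an added example that is not from the Supermicro document or from anyone in this thread: a source-address allow-list evaluated first-match, plus a check for the ways such a list ends up open. The rule model, the `10.8.0.0/24` VPN subnet and the function names are assumptions for illustration and do not describe any particular BMC firmware.

```python
import ipaddress

def decide(rules, src):
    """First matching rule wins; 'NO-MATCH' means the device default applies."""
    addr = ipaddress.ip_address(src)
    for cidr, action in rules:
        if addr in ipaddress.ip_network(cidr):
            return action
    return "NO-MATCH"

def lint(rules, mgmt):
    """List the ways `rules` lets sources outside the `mgmt` networks through."""
    findings = []
    nets = [(ipaddress.ip_network(c), a) for c, a in rules]
    allowed = [ipaddress.ip_network(m) for m in mgmt]
    everything = ipaddress.ip_network("0.0.0.0/0")
    # Without a closing catch-all, unmatched sources get the device default.
    if not nets or nets[-1] != (everything, "DROP"):
        findings.append("no final 0.0.0.0/0 DROP")
    for i, (net, action) in enumerate(nets):
        # An ACCEPT must sit inside a declared management network.
        if action == "ACCEPT" and not any(net.subnet_of(a) for a in allowed):
            findings.append(f"rule {i}: ACCEPT {net} is wider than management")
        # An earlier, broader rule with the other action makes this one dead.
        for j, (prev, prev_action) in enumerate(nets[:i]):
            if net.subnet_of(prev) and action != prev_action:
                findings.append(f"rule {i}: never reached, shadowed by rule {j}")
    return findings

# Constructed policies: only the VPN subnet may reach the BMC.
MGMT = ["10.8.0.0/24"]
TIGHT = [("10.8.0.0/24", "ACCEPT"), ("0.0.0.0/0", "DROP")]
LOOSE = [("0.0.0.0/0", "ACCEPT"), ("198.51.100.0/24", "DROP")]

if __name__ == "__main__":
    for name, policy in (("TIGHT", TIGHT), ("LOOSE", LOOSE)):
        print(name, decide(policy, "198.51.100.7"), lint(policy, MGMT))
```
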
 

Evan

Changing the port number doesn't do much; using a small firewall/VPN device in front of your remote management port is about the only real option. (For a single host it's the only real option; on a larger scale it would be totally different, using jump hosts etc.)
 

Khampol

> ..use a small firewall/vpn device...

AHhhhh..... If only there existed a kind of device like just a card inserted into a slot that does the job, because I don't have a budget at all for another 1U firewall and I'm not sure the datacenter can provide a port in their firewall for free/minimal cost.
 

Evan

> AHhhhh..... If only there existed a kind of device like just a card inserted into a slot that does the job, because I don't have a budget at all for another 1U firewall and I'm not sure the datacenter can provide a port in their firewall for free/minimal cost.

There are a few available not much bigger than a matchbox or an RJ45 coupler; you just have to hope to have a place to attach it to the server at the rear. The one I linked earlier in the thread may be small enough.
 

Khampol

> There are a few available not much bigger than a matchbox or an RJ45 coupler; you just have to hope to have a place to attach it to the server at the rear. The one I linked earlier in the thread may be small enough.

Hey, thanks for the good suggestion. I noted that.
I just found a provider here that accepts (for free) that I pass through a firewall to IPMI securely :D:D so good!
 

Evan

OK, the old SG-1000 model needed 5V and was just zip-tied to the cable arm. (Grabbing 5V off the PSU that was always available.)

But the new SG-1100 model needs 12V; it's not so easy to get that but it should still be possible. It's also a little larger, so maybe not as easy to just attach to the cable arm or back of the server. Else you will need to put it inside the server and maybe use an unused PCIe slot to bring the 2 network connections to.
 

Khampol

:confused:... I don't get at all how to fix it etc... Especially for power. Can the cable used for it be bought?....