Hi guys. Thanks for all your suggestions and good advice.
"You could set up a router VM and nat all of the IPs behind it"
Yep, I am doing this.
"It's probably safest to assume that anyone who can talk directly to the IPMI interface can take direct control of the system's hardware eventually."
Oh yes. And this is scary for me the most!
"At least use a small firewall and vpn for your ipmi."
Believe me, if I had the budget, I'd take an entire rack for myself! Actually, for per /year I could only afford hosting for my SM 1U.
Well, in my homelab I have already built and tested ESXi + Firewall-VM + Desktop-VM. (The firewall has 2 NETs = WAN and LAN.)
That works great. I simulate the data center with a simple router that has Internet but NO DHCP. The firewall VM gets the WAN via passthrough (SR-IOV) of the server's NIC 1. With this I can have as many VMs as I want. But so far I still need at least 3 IPs and, as said above, it is out of the question to expose IPMI or ESXi management....
Today I will attempt this: IPMI and ESXi management are accessible by NIC 0 (zero). Could they be made accessible to/from the Firewall-VM?