So I've been using a Supermicro 5018A-FTN4 system as my shiny new pfSense router.
I have crap AT&T U-verse internet, which requires setting up a double NAT. I was debugging a port forwarding issue and I noticed on the AT&T router there was another machine connected. This made no sense, as the only thing on the AT&T network should be my pfSense router WAN.
The 5018A-FTN4 has a dedicated IPMI network port, but it turns out by default that IPMI is set to failover mode. What this means is that if you don't connect the IPMI port to your network, it will default to sharing it with Network port 0. This also happens to be igb0, the default WAN port chosen by a fresh pfSense install. The result is that you could be exposing the IPMI access on your router to the whole internet!
Luckily, the much hated U-verse double NAT is the only thing that saved me here. I had no idea this failover feature existed and simply assumed the dedicated IPMI port was the only one. I thought I was being prudent leaving IPMI disconnected but instead I was inadvertently exposing my whole network to a massive security hole.
The fix is to change the setting from "Failover" to "Dedicated". You can do this by connecting to IPMI using a web browser. Go to Configuration -> Network and then change Lan Interface: to "Dedicated".
Maybe I'm just inexperienced and made a noob mistake, but this seems like a pretty dumb default setting. Especially for a system which is built specifically for low power applications like routing.
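For anyone who wants to audit this from the pfSense shell instead of clicking through the BMC web UI, here is an added example script (not from the original post). It assumes the Supermicro OEM command `ipmitool raw 0x30 0x70 0x0c 0` returns the LAN interface mode byte (00 = Dedicated, 01 = Onboard/Shared, 02 = Failover) and `ipmitool raw 0x30 0x70 0x0c 1 <mode>` sets it; check those against your board's manual before trusting it.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a Supermicro BMC's LAN
# interface mode and optionally forces it to "Dedicated".
# Assumption: the OEM raw commands below match the 5018A-FTN4's BMC
# (00=Dedicated, 01=Onboard/Shared, 02=Failover); verify against the manual.

# Map the raw mode byte returned by the BMC to a human-readable name.
mode_name() {
    case "$(printf '%s' "$1" | tr -d ' \n')" in
        00) echo Dedicated ;;
        01) echo Shared ;;
        02) echo Failover ;;
        *)  echo Unknown ;;
    esac
}

# True (exit 0) when the mode can hand the BMC to a host NIC such as igb0.
needs_fix() {
    case "$(mode_name "$1")" in
        Shared|Failover) return 0 ;;
        *) return 1 ;;
    esac
}

# Query the BMC. Runs locally over /dev/ipmi0; add -H/-U/-P for remote use.
read_mode() { ipmitool raw 0x30 0x70 0x0c 0; }

# Report the mode; with --check-only just warn, otherwise set Dedicated and
# re-read the mode to confirm the change actually took effect.
enforce_dedicated() {
    before=$(read_mode) || { echo "cannot query BMC" >&2; return 2; }
    echo "current LAN interface mode: $(mode_name "$before")"
    needs_fix "$before" || return 0
    if [ "$1" = "--check-only" ]; then
        echo "BMC may be reachable via the onboard NIC; set Dedicated" >&2
        return 1
    fi
    ipmitool raw 0x30 0x70 0x0c 1 0 >/dev/null
    after=$(read_mode)
    [ "$(mode_name "$after")" = Dedicated ] || { echo "change failed" >&2; return 1; }
    echo "LAN interface mode now Dedicated"
}

# Usage: enforce_dedicated --check-only   (audit only)
#        enforce_dedicated                (audit, then fix)
```

Run it with `--check-only` from a cron job if you want to be told when a BMC reset or firmware update flips the mode back to the default.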