How do I connect IPMI on my firewall to my network?

Discussion in 'Networking' started by Reyhn, Mar 9, 2018.

    Newbie-question here. :)

    I've just purchased a used Supermicro A1SRi-2358F that I intend to use as a firewall on my home network, but I'm not clear on how to use the dedicated IPMI-port.

    I'll probably use IPFire with their multicolored setup:

    eth0: RED (WAN)
    eth1: GREEN (LAN)
    eth2: BLUE (WiFi)
    eth3: ORANGE (DMZ)

    I'll connect a simple NetGear ProSafe GS108Tv2 switch to the GREEN port, and use it as my main switch for my home network. I'll then connect my PC to that switch.

    What should I do with the dedicated IPMI-ethernet port?

    I would like to be able to use my regular PC to administrate the server via IPMI, but I'm not sure if that is a secure setup. IPMI does not need to be accessible from WAN (Internet).

    1. Should I connect the IPMI to the main switch (and do nothing else)?
    2. Should I connect the IPMI to the main switch, and set up a VLAN for that port and allow only my PC to communicate with the IPMI-interface (to make it more secure)?
    3. Should I connect the IPMI to a totally separate switch (physically separated from my home network) and disconnect my PC's LAN-cable and connect another cable between my PC and the IPMI-switch every time I want to administrate the server?

    As I understand it, and please do correct me if I go about it the wrong way, I'll still be able to administrate the firewall from my LAN - the IPMI-port is just for administrating the physical machine.

    Depends on how/if you're segregating your network.

    Out of the box, IPMI will be available over the regular network ports. You use the dedicated IPMI NIC, and turn off the IPMI-over-regular-network, if you're using a dedicated management network - since it's possible the regular network might be exposed to users and clients who shouldn't have access to the IPMI function. If you're using this board as a firewall box and the NICs on this board will basically be exposed to the internet, you will DEFINITELY want to disable the IPMI sharing and set up a dedicated management network, else you will risk exposing the IPMI interface to the entire internet (and one of the reasons that most boards designed for firewall use don't come with IPMI at all since it's such a powerful attack surface).

    Options 1, 2 and 3 are all valid here; but since you've got a nice VLAN-capable switch and are building a capable firewall/router then personally I'd set up a management VLAN + network that the dedicated IPMI NIC can be plugged into, and then optionally opened up to your main PC.

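One way to check the outcome of the management-network setup recommended in the reply above, as an added example that is not code from the thread: it parses the text printed by `ipmitool lan print 1` on the firewall and reports whether the BMC's address falls inside a user-facing zone instead of the management network. The sample output, the channel number and the zone subnets (including the `MGMT` network) are constructed assumptions, and the check does not detect the board's shared/dedicated port setting.

```python
import ipaddress
import re

# Constructed sample of `ipmitool lan print 1` output (not from the thread).
SAMPLE_LAN_PRINT = """\
IP Address Source       : Static Address
IP Address              : 192.168.1.50
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 192.168.1.1
802.1q VLAN ID          : Disabled
"""

# Assumed addressing plan: one subnet per IPFire zone plus a management VLAN.
ZONES = {
    "GREEN": "192.168.1.0/24",
    "BLUE": "192.168.2.0/24",
    "ORANGE": "192.168.3.0/24",
    "MGMT": "192.168.99.0/24",
}

def parse_lan_print(text):
    """Turn 'Key : Value' lines into a dict; indented continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit_bmc(text, zones=ZONES, mgmt="MGMT"):
    """Return findings; an empty list means the BMC sits only on the management net."""
    fields = parse_lan_print(text)
    addr = ipaddress.ip_address(fields["IP Address"])
    bmc_net = ipaddress.ip_network(f"{addr}/{fields['Subnet Mask']}", strict=False)
    findings = []
    for name, cidr in zones.items():
        if name != mgmt and bmc_net.overlaps(ipaddress.ip_network(cidr)):
            findings.append(f"BMC {addr} is on user-facing zone {name} ({cidr})")
    if not bmc_net.overlaps(ipaddress.ip_network(zones[mgmt])):
        findings.append(f"BMC {addr} is outside management network {zones[mgmt]}")
    if fields.get("IP Address Source", "").startswith("DHCP"):
        findings.append("BMC address is DHCP-assigned; pin it so per-host rules stay valid")
    return findings

if __name__ == "__main__":
    for finding in audit_bmc(SAMPLE_LAN_PRINT) or ["OK: BMC only on management network"]:
        print(finding)
```
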
    Thanks for a great reply!
    I experimented with a setup similar to your suggestion, and it seemed to work well, so I think I'll go this route.
