IPMI security



  • Running a pfSense box behind a uverse router.  The uverse router has a 172.16.x.x network where the TVs are connected.

    Not sure how this is happening, but the IPMI interface is obtaining a 172.16.x.x IP address from the uverse router over the WAN interface. The WAN interface has an external 99.52.x.x address.

    I can't help but think this is a security problem. Seems like a connection could be bridged from the WAN interface to the IPMI; it's all bad from there.

    Any thoughts on this?



  • Then you're either bridging LAN and WAN without proper filtering, or have an interconnection between the two elsewhere.



  • @cmb:

    Then you're either bridging LAN and WAN without proper filtering, or have an interconnection between the two elsewhere.

    Nope, not bridging at all. I'm not saying I can go from WAN interface to the LAN interface or vice versa. What I am saying is that it seems theoretically possible to access the IPMI from the WAN interface since they are on the same NIC.

    Wondering if anyone can shed any light on this or am I just being paranoid?


  • Rebel Alliance Developer Netgate

    Why not swap the WAN and LAN ports so the IPMI interface will be on your LAN instead of on the WAN? If it's riding on the same physical port as WAN, that seems like a bad idea in general, but one with an easy solution.



  • @jimp:

    Why not swap the WAN and LAN ports so the IPMI interface will be on your LAN instead of on the WAN? If it's riding on the same physical port as WAN, that seems like a bad idea in general, but one with an easy solution.

    Of course, the obvious! Let me try and see if that will work. Although, IPMI may by default be dynamically assigned to the WAN interface depending on what interface you designate as WAN.
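
A way to confirm which segment the BMC actually sits on, before and after moving the cables (an added example, not part of the thread): it parses `ipmitool lan print 1` output and reports when the BMC is on DHCP or outside the networks you treat as management. The sample output is constructed, and the `192.168.1.0/24` LAN range and the function names are assumptions.

```python
import ipaddress

# Constructed sample of `ipmitool lan print 1` output (not from the thread);
# the address mirrors the 172.16.x.x lease described in the first post.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Enable        : Callback : MD5
                        : User     : MD5
IP Address Source       : DHCP Address
IP Address              : 172.16.1.37
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:aa:bb:cc
Default Gateway IP      : 172.16.1.254
"""


def parse_lan_print(text):
    """Turn 'Key : Value' lines into a dict. Split on the first colon only so
    MAC addresses survive, and skip continuation lines that have no key."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields


def audit_bmc(text, mgmt_networks):
    """Return findings for the BMC LAN channel.
    mgmt_networks: CIDR strings the BMC is allowed to live in (assumed values)."""
    fields = parse_lan_print(text)
    addr = ipaddress.ip_address(fields["IP Address"])
    allowed = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    if fields.get("IP Address Source", "").lower().startswith("dhcp"):
        # A DHCP-configured BMC takes a lease from whatever segment its port reaches.
        findings.append("BMC address source is DHCP")
    if not any(addr in net for net in allowed):
        findings.append(f"BMC address {addr} is outside the management networks")
    return findings


if __name__ == "__main__":
    # On the box itself, feed in real output instead of the sample, e.g.
    # subprocess.run(["ipmitool", "lan", "print", "1"], capture_output=True, text=True).stdout
    for finding in audit_bmc(SAMPLE_LAN_PRINT, ["192.168.1.0/24"]):
        print("WARNING:", finding)
```
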

