IPMI access over pfsense OpenVPN?
-
Do you have an OpenVPN interface? Go to add interface and add the OpenVPN interface by pressing the + sign. If you see a + sign there, you have an interface that is not configured, like the OpenVPN tunnel interface. Please follow my last post.
Then try the test again and go to Diagnostics > States, put in the IP of the IPMI and see if any requests come in. If not, that is because you are missing the OpenVPN interface and the firewall rules on it.
-
Do you have an OpenVPN interface? Go to add interface and add the OpenVPN interface by pressing the + sign. If you see a + sign there, you have an interface that is not configured, like the OpenVPN tunnel interface. Please follow my last post.
Then try the test again and go to Diagnostics > States, put in the IP of the IPMI and see if any requests come in. If not, that is because you are missing the OpenVPN interface and the firewall rules on it.
Do you think there is a chance it will work this way even though it did not for the tests above?
(setup above: LAN interface to OPT1 interface)
-
It MUST work. I am not sure what the OPT1 interface is, as I don't know your hardware type.
Bridge OPT1 with the LAN interface and it will work. Then separate the subnets and it should still work. If your problem is reaching it through OpenVPN, then the right method is to create a tunnel interface and firewall it accordingly (this also makes life easier for future VPN tunnel management).
-
How about not bridging or doing anything fancy on the VPN side at all.
Firewall > NAT - Outbound tab
Switch to Manual
Add a rule - LAN interface, source VPN network, destination IPMI IP, translate to the interface address. Save/apply, access it fine.
-
An OPT1 interface is just a third NIC on the firewall. The first is WAN, the second is LAN, the third is OPT1 (generic pfSense name).
This way you can give your LAN the 192.168.0.0/24 subnet and your OPT1 interface the 192.168.1.0/24 subnet. Through the firewall rules you can control access between the networks. It's basically the same as making an interface out of an ovpnsX or ovpncX adapter.
In my test environment both interfaces have full * rules. Anyone can go anywhere. I can confirm that by reaching any system on either network. The exception is the IPMI interface.
My problem is that I cannot reach the IPMI over any sort of "tunnel" through the firewall. The interface is only reachable from within the network. Not even the firewall itself(!) can reach the interface.
That is very odd and, from my knowledge, cannot be explained by routing or firewall rule errors. I have the feeling that the reason for this not working is the fact that the IPMI interface is on the same NIC as LAN, and for some reason the requests are not going out of the firewall to get back to the same NIC on a different IP.
I cannot imagine it being a routing/firewall rules issue. After setting up some VPN networks, this is the only single IP that is always not reachable.
-
How about not bridging or doing anything fancy on the VPN side at all.
Firewall > NAT - Outbound tab
Switch to Manual
Add a rule - LAN interface, source VPN network, destination IPMI IP, translate to the interface address. Save/apply, access it fine.
Shouldn't it be working without that if it's not a VPN network but a second/third NIC on the same firewall?
(as long as there is a firewall rule allowing it)
-
That depends on whether or not the IPMI is actually respecting its default gateway, but if it is a shared NIC you may be right: it may just not be picking up the packets as they leave, and no amount of trickery on the firewall can help it. You might need to set up a simple bounce daemon on an internal server to reflect the IPMI port back, then connect from the VPN to that port on the internal server.
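The "simple bounce daemon" suggested above, as an added example that is not from this thread or from pfSense: a small TCP relay that runs on an ordinary internal server on the same LAN as the BMC, listens on a port the VPN clients can reach, and forwards each connection to the IPMI's HTTPS port. Because the relay host is a separate machine, its frames reach the BMC across the switch like any other LAN traffic, which is exactly what the firewall's own shared NIC cannot do. The IPMI address 192.168.0.50:443, the VPN subnet 10.8.0.0/24 and the listen port 8443 are assumed values for the example; the allow-list matters because the relay otherwise re-exposes the BMC to every host that can reach the relay port. Only TCP (web UI, KVM over HTTPS) is relayed; RMCP/IPMI-over-LAN on UDP 623 would need a separate UDP relay.

```python
"""TCP bounce daemon: relay VPN clients to an IPMI web UI on a shared NIC.

Added example for this thread (not from the original posts or from pfSense).
Assumed values: BMC at 192.168.0.50:443, VPN clients in 10.8.0.0/24,
relay listening on 0.0.0.0:8443 on an internal server.
"""
import asyncio
import ipaddress

IPMI_HOST = "192.168.0.50"   # assumed BMC address
IPMI_PORT = 443              # BMC HTTPS UI
LISTEN_PORT = 8443           # port the VPN clients connect to on the relay host
ALLOWED_NETS = [ipaddress.ip_network("10.8.0.0/24")]  # assumed VPN client subnet


def client_allowed(addr: str, allowed=None) -> bool:
    """Relay only for sources inside the VPN subnet(s); anything else is dropped."""
    nets = ALLOWED_NETS if allowed is None else allowed
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


async def _pump(reader, writer):
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while True:
            data = await reader.read(65536)
            if not data:
                break
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


def make_handler(target_host, target_port, allowed=None):
    """Build the per-connection handler for a given BMC target and allow-list."""
    async def handle(reader, writer):
        peer = writer.get_extra_info("peername")[0]
        if not client_allowed(peer, allowed):
            writer.close()          # refuse clients outside the VPN subnet
            return
        try:
            t_reader, t_writer = await asyncio.open_connection(target_host, target_port)
        except OSError:
            writer.close()          # BMC unreachable from the relay host
            return
        # Both directions run until either side hangs up.
        await asyncio.gather(_pump(reader, t_writer), _pump(t_reader, writer))
    return handle


async def serve(listen_host, listen_port, target_host, target_port, allowed=None):
    server = await asyncio.start_server(
        make_handler(target_host, target_port, allowed), listen_host, listen_port)
    async with server:
        await server.serve_forever()


async def _fake_bmc(reader, writer):
    """Constructed stand-in for the BMC used by the loopback self-test below:
    echoes the first chunk it receives, prefixed with b'echo:', then hangs up."""
    data = await reader.read(65536)
    writer.write(b"echo:" + data)
    await writer.drain()
    writer.close()


def relay_roundtrip(payload: bytes, allowed=None) -> bytes:
    """Loopback self-test: client -> relay -> fake BMC -> back. Returns the reply."""
    nets = allowed or [ipaddress.ip_network("127.0.0.0/8")]

    async def run():
        target = await asyncio.start_server(_fake_bmc, "127.0.0.1", 0)
        t_port = target.sockets[0].getsockname()[1]
        relay = await asyncio.start_server(
            make_handler("127.0.0.1", t_port, nets), "127.0.0.1", 0)
        r_port = relay.sockets[0].getsockname()[1]
        reader, writer = await asyncio.open_connection("127.0.0.1", r_port)
        writer.write(payload)
        await writer.drain()
        reply = await asyncio.wait_for(reader.read(), 5)   # read until relay closes
        writer.close()
        relay.close()
        target.close()
        return reply

    return asyncio.run(run())


if __name__ == "__main__":
    # Run the real relay: VPN clients browse to https://<relay-host>:8443/
    asyncio.run(serve("0.0.0.0", LISTEN_PORT, IPMI_HOST, IPMI_PORT))
```

With the relay in place, the pfSense side only needs a rule on the OpenVPN interface allowing the VPN subnet to reach the relay host on the listen port; the BMC then sees every session as coming from the internal server's LAN address, so its gateway setting and the shared-NIC egress problem no longer matter.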
-
That depends on whether or not the IPMI is actually respecting its default gateway, but if it is a shared NIC you may be right: it may just not be picking up the packets as they leave, and no amount of trickery on the firewall can help it. You might need to set up a simple bounce daemon on an internal server to reflect the IPMI port back, then connect from the VPN to that port on the internal server.
That's exactly what I suspect as well.
About not respecting the default gateway: does it not show that it's working when I can access the IPMI interface over a site-to-site VPN when the IPMI is not on the firewall itself but on a server within that network?
-
That depends on whether or not the IPMI is actually respecting its default gateway, but if it is a shared NIC you may be right: it may just not be picking up the packets as they leave, and no amount of trickery on the firewall can help it. You might need to set up a simple bounce daemon on an internal server to reflect the IPMI port back, then connect from the VPN to that port on the internal server.
I always thought it was because of the gateway. Never thought it was because it's a shared interface. Makes sense.
-
That depends on whether or not the IPMI is actually respecting its default gateway, but if it is a shared NIC you may be right: it may just not be picking up the packets as they leave, and no amount of trickery on the firewall can help it. You might need to set up a simple bounce daemon on an internal server to reflect the IPMI port back, then connect from the VPN to that port on the internal server.
That's exactly what I suspect as well.
About not respecting the default gateway: does it not show that it's working when I can access the IPMI interface over a site-to-site VPN when the IPMI is not on the firewall itself but on a server within that network?
Yes, if you can access it from another subnet, then it is probably using the gateway properly.