diff --git a/sysadm/network-architecture/how-to-access-firewall-nodes-without-vpn.rst b/sysadm/network-architecture/how-to-access-firewall-nodes-without-vpn.rst new file mode 100644 index 0000000..f98c615 --- /dev/null +++ b/sysadm/network-architecture/how-to-access-firewall-nodes-without-vpn.rst 
@@ -0,0 +1,59 @@ +.. _firewall_access_no_vpn: + +How to access firewall nodes without the vpn +============================================ + +.. admonition:: Intended audience + :class: important + + sysadm staff members + +Any physical server in the ``192.168.100.0/24`` network should be able to reach the +firewall. + +But accessing one of the hypervisor's :ref:`iDRAC ` should allow +using the associated serial console of the hypervisor, and then gain access to the +:ref:`firewall ` node without the vpn. + +How? +---- + +From the serial console, use the root account and the virtual ip of one of the fw node +(``192.168.100.2`` or ``192.168.100.3``): + +.. code:: + + root@:/root# ssh root@192.168.100.2 + The authenticity of host '192.168.100.2 (192.168.100.2)' can't be established. + Password: + Last login: Fri Dec 10 14:00:00 2021 from 192.168.100.29 + ---------------------------------------------- + | Hello, this is OPNsense 21.7 | @@@@@@@@@@@@@@@ + | | @@@@ @@@@ + | Website: https://opnsense.org/ | @@@\\\ ///@@@ + | Handbook: https://docs.opnsense.org/ | )))))))) (((((((( + | Forums: https://forum.opnsense.org/ | @@@/// \\\@@@ + | Code: https://github.com/opnsense | @@@@ @@@@ + | Twitter: https://twitter.com/opnsense | @@@@@@@@@@@@@@@ + ---------------------------------------------- + + *** pushkin.internal.softwareheritage.org: OPNsense 21.7.6 (amd64/OpenSSL) *** + + ... (redacted) ... + + 0) Logout 7) Ping host + 1) Assign interfaces 8) Shell + 2) Set interface IP address 9) pfTop + 3) Reset the root password 10) Firewall log + 4) Reset to factory defaults 11) Reload all services + 5) Power off system 12) Update from console + 6) Reboot system 13) Restore a backup + + Enter an option: + ... + +Why? +---- + +In case there is an issue with the firewalls (for example, a VIP election issue +resulting to no available gateway) or the vpn. diff --git a/sysadm/network-architecture/idrac.rst b/sysadm/network-architecture/idrac.rst index 3d30a42..e362ee7 100644 
--- a/sysadm/network-architecture/idrac.rst +++ b/sysadm/network-architecture/idrac.rst 
@@ -1,116 +1,118 @@ .. _idrac: iDRAC ===== .. admonition:: Intended audience :class: important sysadm staff members The **integrated Dell Remote Access Controller** is the remote console that's to control servers (e.g DELL, ...). We currently have :ref:`5 iDRACs `: * banco * beaubourg * hypervisor3 * orsay * uffizi These instructions are not really vendor-specific and can also be useful for generic IPMI access or even other kinds of out-of-band management system implementations. .. _connection_how_to: Connection how to ----------------- You will need to install the following packages on your local machine: * `sshuttle `_ * `icedtea-8-plugin `_ On debian like machines: .. code:: apt install sshuttle icedtea-8-plugin sshuttle ~~~~~~~~ sshuttle uses firewall rules to redirect traffic to a set of ip addresses via a SSH tunnel. By default, you can run sshuttle as your own user. This will forward all TCP packets to any hosts through the tunnel. To be able to use UDP (e.g. for the IPMI SoL), you need to run sshuttle as root with the tproxy method. This may need some `specific routing setup `_ to work; for instance, in ``/etc/network/interfaces``: .. code:: # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback up ip route add local default dev lo table 100 up ip rule add fwmark 1 lookup 100 up ip -6 route add local default dev lo table 100 up ip -6 rule add fwmark 1 lookup 100 Once this is setup and the marked packets are properly routed, sshuttle's tproxy method can do its work: .. code:: $ ssh-add .ssh/id_ed25519.inria # or whatever your ssh key is $ sudo SSH_AUTH_SOCK="$SSH_AUTH_SOCK" sshuttle --python python3 \ --method tproxy \ -r ${username}@sesi-ssh.inria.fr 128.93.162.142 128.93.134.0/27 +.. 
_idrac_authentication: + Authentication -------------- Usernames and passwords for logging in are in the :ref:`credentials storage `, under ``infra/HOSTNAME/idrac`` If not found, check the default DELL or Supermicro/IPMI credentials which are under ``infra/idrac/{dell,supermicro-ipmi}``. .. _management_network: Management network ------------------ Look up the hostname of the management interface you want to access in the `inventory `_. The machines hosted in the main Software Heritage bay at Rocquencourt use the 128.93.134.0/27 network. The first usable IP address is **128.93.134.1** and the last one **128.93.134.29**. **128.93.134.30** is a gateway. .. _connect_to_the_serial_console: Connect to the serial console ----------------------------- The console can be unavailable on the webui on servers with an expired license. The serial console can still be used. Example: .. code:: ipmitool -I lanplus -H swh-es3-adm.inria.fr -U root -P sol activate NOTE: This command is available on the ``ipmitool`` package. diff --git a/sysadm/network-architecture/index.rst b/sysadm/network-architecture/index.rst index 3cf05ac..77c3583 100644 --- a/sysadm/network-architecture/index.rst +++ b/sysadm/network-architecture/index.rst @@ -1,15 +1,16 @@ .. _infrastructure: Network architecture ==================== .. toctree:: :titlesonly: reference-network-configuration how-to-access-firewall-settings + how-to-access-firewall-nodes-without-vpn how-to-upgrade-firewall-os service-urls idrac dns
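Review bot: in the new how-to-access-firewall-nodes-without-vpn.rst, the "How?" step says to ssh to "the virtual ip of one of the fw node (192.168.100.2 or 192.168.100.3)", but two addresses, one per node, read like each node's own interface address rather than a shared CARP virtual IP, and the "Why?" section names a VIP election issue as exactly the failure this procedure is for, in which case telling the reader to go through a VIP would be the wrong instruction; state which address belongs to which node (the banner shows pushkin) and whether it is a per-node or a virtual address. The transcript also shows "The authenticity of host '192.168.100.2 (192.168.100.2)' can't be established." directly followed by a root "Password:" prompt; say where the expected host key fingerprint can be checked and that the root password lives in the credentials storage, rather than leaving the implication that an unknown host key is accepted blindly. Smaller points: the two :ref: roles (":ref:`iDRAC `" and ":ref:`firewall `") appear here without a target label, so confirm they resolve; "But accessing one of the hypervisor's iDRAC should allow ..." does not contrast with the preceding sentence and reads better as "Accessing one of the hypervisors' iDRAC gives the hypervisor's serial console, from which ..."; "resulting to no available gateway" should be "resulting in no available gateway"; and the page assumes the reader already knows how to reach the serial console from the iDRAC, so point to the "Connect to the serial console" section of the idrac page.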
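Review bot: in idrac.rst the only change is the new ".. _idrac_authentication:" label before the Authentication heading, yet nothing else in this patch references it; the obvious consumer is the new firewall how-to, whose "use the root account" step should say where that password is kept, so either add a ":ref:`idrac_authentication`" there or drop the label. While in this hunk, the unchanged serial-console example "ipmitool -I lanplus -H swh-es3-adm.inria.fr -U root -P sol activate" is broken as written: with the password elided, "-P" consumes "sol" as the password and "activate" becomes the command. Passing the password on the command line also exposes it in the process list and shell history, so the example could use "-a" (prompt) or "-E" (read from the IPMI_PASSWORD environment variable) instead of "-P".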