this post was submitted on 24 May 2024

Mikrotik

submitted 6 months ago* (last edited 6 months ago) by dont to c/mikrotik
 

I have just ordered a CCR2004-1G-2XS-PCIe to be used as the firewall of a single server (and its IPMI) that's going to end up in a data center for colocation. I would appreciate a sanity check and perhaps some hints as I haven't had any prior experience with mikrotik and, of course, no experience at all with such a wild thing as a computer in a computer over pcie.

My plan is to manage the router over ssh over the internet with certificates and then open the api / web-configurator / perhaps windows-thingy only on localhost. Moreover, I was planning to use it as an ssh proxy for managing the server as well as accessing the server IPMI.

I intend to use the pcie-connection for the communication between the server and the router and just connect the IPMI and either physical port.

I have a (hopefully compatible) RJ45 1.25 G transceiver. Since the transceiver is a potential point of failure and losing IPMI is worse than losing the only online connection, I guess it makes more sense to connect to the data center via the RJ45-port and the server IPMI via the transceiver. (The data center connection is gigabit copper.) Does that make sense? Or is there something about the RJ45-port that should be considered?

I plan to manually forward ports to the server as needed. I do not intend to use the router as some sort of reverse proxy, the server will deal with that.

Moreover, I want to do a site2site wireguard vpn-connection to my homelab to also enable me to manage the router and server without the ssh-jump.

Are there any obstacles I am overlooking or is this plan sound? Is there something more to consider or does anyone have any further suggestions or a better idea?
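As an added example (not the poster's configuration and not from this thread), here is how the plan above could look as a RouterOS v7 script: key-only SSH, API/web/WinBox answering only to the router's own loopback, a WireGuard peer to the homelab, default-drop firewalls, and hand-written port forwards. All interface names, addresses and the homelab peer values are assumptions, marked as such in the comments.

```routeros
# Added example, not part of the post: RouterOS v7 sketch of the plan above.
# Assumed names/addresses (check yours with /interface print): ether1 = RJ45 uplink,
# sfp-sfpplus1 = IPMI port, pcie1 = PCIe link to the server, 192.0.2.10 = server,
# 192.0.2.20 = IPMI, 10.99.0.0/24 = WireGuard transfer net, 10.10.0.0/16 = homelab.
/ip address
add address=192.0.2.1/28 interface=pcie1
add address=192.0.2.17/28 interface=sfp-sfpplus1
# 1. Management: SSH with keys only; API/web/WinBox reachable only through ssh -L.
#    'address=' is the permitted SOURCE, so a tunnel terminating on the router qualifies.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl address=127.0.0.1/32
set www-ssl address=127.0.0.1/32
set winbox address=127.0.0.1/32,10.99.0.0/24
/ip ssh set strong-crypto=yes always-allow-password-login=no forwarding-enabled=local
/user ssh-keys import public-key-file=admin.pub user=admin
# 2. Site-to-site WireGuard to the homelab (private key is generated on add).
/interface wireguard add name=wg-home listen-port=13231
/interface wireguard peers add interface=wg-home public-key="<HOMELAB_PUBKEY>" \
    endpoint-address=<HOMELAB_IP> endpoint-port=13231 \
    allowed-address=10.99.0.0/24,10.10.0.0/16 persistent-keepalive=25s
/ip address add address=10.99.0.1/24 interface=wg-home
# 3. Firewall: default drop on both chains; IPMI is never reachable from the uplink.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input src-address=127.0.0.1 action=accept comment="ssh -L tunnels"
add chain=input in-interface=ether1 protocol=udp dst-port=13231 action=accept comment="WireGuard"
add chain=input in-interface=ether1 protocol=tcp dst-port=22 action=accept comment="SSH, keys only"
add chain=input in-interface=wg-home action=accept comment="homelab manages router"
add chain=input action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-nat-state=dstnat action=accept comment="published ports"
add chain=forward in-interface=wg-home action=accept comment="homelab -> server + IPMI"
add chain=forward in-interface=pcie1 out-interface=ether1 action=accept comment="server egress"
add chain=forward action=drop
# 4. NAT: masquerade egress, publish ports to the server one at a time.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.0.2.10
```

With `forwarding-enabled=local`, `ssh -L 8291:127.0.0.1:8291 admin@<router>` reaches WinBox and `ssh -L 8443:192.0.2.20:443 admin@<router>` reaches the IPMI web UI without exposing either to the uplink. After applying, confirm with `/ip service print` and `/ip firewall filter print stats` that only the intended services and rules see traffic.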

[–] [email protected] 2 points 6 months ago (2 children)

such a wild thing as a computer in a computer over pcie

That's pretty much what a graphics card is - it has its own CPU to handle bringing the actual GPU cores up and communicating with the host computer, and for example Nvidia has been moving more and more functionality from drivers to this onboard CPU.

As for the question... I'm sorry, my experience with networking is limited to setting up a small home network with a few Mikrotiks. For what it's worth though, I don't see anything wrong with the suggested setup.

[–] dont 2 points 6 months ago (1 children)

Thanks 😀 But you hardly get to control what that CPU on your graphics card does the same way as you get control over the Linux machine that is this router, do you?

(Oh, and actually, my first and last discrete GPU was an ati 9600 xt or something from over twenty years ago, so, I guess that statement about my inexperience with it is still standing 😉 Until somebody comes along to tell me that the same could be said about raid controllers etc...)

[–] [email protected] 2 points 6 months ago

Yeah, that's a fair point - you only get to pass it a signed firmware from the vendor, it won't boot anything else. And the provided firmware won't provide access to anything the vendor didn't explicitly choose to expose.