I have just ordered a CCR2004-1G-2XS-PCIe to be used as the firewall of a single server (and its IPMI) that’s going to end up in a data center for colocation. I would appreciate a sanity check and perhaps some hints as I haven’t had any prior experience with mikrotik and, of course, no experience at all with such a wild thing as a computer in a computer over pcie.

My plan is to manage the router over ssh over the internet with certificates and then open the api / web-configurator / perhaps windows-thingy only on localhost. Moreover, I was planning to use it as an ssh proxy for managing the server as well as accessing the server IPMI.

I intend to use the pcie-connection for the communication between the server and the router and just connect the IPMI and either physical port.

I have a (hopefully compatible) RJ45 1.25 G transceiver. Since the transceiver is a potential point of failure and losing IPMI is worse than losing the only online connection, I guess it makes more sense to connect to the data center via the RJ45-port and the server IPMI via the transceiver. (The data center connection is gigabit copper.) Does that make sense? Or is there something about the RJ45-port that should be considered?

I plan to manually forward ports to the server as needed. I do not intend to use the router as some sort of reverse proxy, the server will deal with that.

Moreover, I want to do a site2site wireguard vpn-connection to my homelab to also enable me to manage the router and server without the ssh-jump.

Are there any obstacles I am overlooking or is this plan sound? Is there something more to consider or does anyone have any further suggestions or a better idea?
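A RouterOS 7 configuration sketch of the plan laid out in this post (SSH-only management with keys, web/API/Winbox bound to localhost and the VPN, manual port forwards, IPMI reachable only through the SSH jump or the WireGuard tunnel). This is an added example, not taken from the thread, from MikroTik documentation or from any reply; the interface names ether1, sfp28-1 and pcie1, all addresses, keys and the forwarded port are assumed placeholders, and the real PCIe interface name must be checked with /interface print on the device.

```routeros
# Added example, not from the thread. Assumptions: ether1 = RJ45 uplink to the
# data center, sfp28-1 = link to the server IPMI, "pcie1" stands in for the PCIe
# virtual interface towards the host. Addresses, keys and ports are placeholders.

# 1. Management: SSH with keys only, SSH port forwarding enabled for use as a
#    jump host; telnet/ftp/plain api off; www, api-ssl and winbox answer only to
#    the router's loopback (reached through an SSH tunnel) and the VPN subnet.
/user ssh-keys import public-key-file=admin.pub user=admin
/ip ssh set strong-crypto=yes always-allow-password-login=no forwarding-enabled=local
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set www address=127.0.0.1/32,10.200.0.0/24
/ip service set api-ssl address=127.0.0.1/32,10.200.0.0/24
/ip service set winbox address=127.0.0.1/32,10.200.0.0/24
/ip service set ssh port=22

# 2. Addressing: public WAN on ether1, private point-to-point links to the
#    server (over PCIe) and to its IPMI (over the SFP/RJ45 transceiver).
/ip address add address=203.0.113.10/24 interface=ether1 comment="DC uplink (placeholder)"
/ip address add address=10.10.0.1/30 interface=pcie1 comment="server over PCIe"
/ip address add address=10.10.1.1/30 interface=sfp28-1 comment="server IPMI"
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1

# 3. Site-to-site WireGuard to the homelab (placeholder keys and endpoint).
/interface wireguard add name=wg-home listen-port=13231 private-key="<router-private-key>"
/interface wireguard peers add interface=wg-home public-key="<homelab-public-key>" \
    endpoint-address=198.51.100.20 endpoint-port=13231 \
    allowed-address=10.200.0.0/24,192.168.88.0/24 persistent-keepalive=25s
/ip address add address=10.200.0.1/24 interface=wg-home

# 4. Input chain: default drop; from the WAN only WireGuard and SSH get in,
#    the VPN side may reach every management service.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=13231 action=accept comment="WireGuard"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=22 action=accept comment="SSH jump"
/ip firewall filter add chain=input in-interface=wg-home action=accept comment="management via VPN"
/ip firewall filter add chain=input action=drop

# 5. Forward chain: only explicitly dst-nat'ed traffic reaches the server; the
#    IPMI segment is never reachable from the WAN, only from the VPN (or via an
#    SSH tunnel, which terminates on the router itself and so uses the input chain).
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward in-interface=ether1 connection-nat-state=dstnat action=accept comment="manual port-forwards"
/ip firewall filter add chain=forward in-interface=wg-home out-interface=sfp28-1 action=accept comment="IPMI via VPN"
/ip firewall filter add chain=forward in-interface=wg-home out-interface=pcie1 action=accept comment="server via VPN"
/ip firewall filter add chain=forward in-interface=pcie1 out-interface=ether1 action=accept comment="server egress"
/ip firewall filter add chain=forward action=drop

# 6. NAT: masquerade the server's egress; one manual dst-nat per exposed service.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=10.10.0.2 to-ports=443 comment="HTTPS -> server"
```

The ordering matters: the input-chain drop rule is last on purpose, and applying the firewall from a remote SSH session is safest inside Safe Mode (Ctrl-X in the RouterOS CLI), which rolls the changes back if the session is cut. With this layout, reaching the IPMI from outside the VPN means `ssh -L 8443:10.10.1.2:443 admin@203.0.113.10` and opening the local port; nothing on the IPMI segment is ever exposed to the uplink, which matches the concern in the post about losing IPMI being worse than losing the uplink.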

  • dont@lemmy.world (OP) · 2 points · 7 months ago

    Thanks 😀 But you hardly get to control what that CPU on your graphics card does the same way as you get control over the Linux machine that is this router, do you?

    (Oh, and actually, my first and last discrete GPU was an ati 9600 xt or something from over twenty years ago, so, I guess that statement about my inexperience with it is still standing 😉 Until somebody comes along to tell me that the same could be said about raid controllers etc…)

    • Markaos · 2 points · 7 months ago

      Yeah, that’s a fair point - you only get to pass it a signed firmware from the vendor, it won’t boot anything else. And the provided firmware won’t provide access to anything the vendor didn’t explicitly choose to expose.