I have just ordered a CCR2004-1G-2XS-PCIe to be used as the firewall of a single server (and its IPMI) that’s going to end up in a data center for colocation. I would appreciate a sanity check and perhaps some hints as I haven’t had any prior experience with mikrotik and, of course, no experience at all with such a wild thing as a computer in a computer over pcie.

My plan is to manage the router over ssh over the internet with certificates and then open the api / web-configurator / perhaps windows-thinyg only on localhost. Moreover, I was planning to use it as an ssh proxy for managing the server as well as accessing the server IPMI.

I intend to use the pcie-connection for the communication between the server and the router and just connect the IPMI and either physical port.

I have a (hopefully compatible) RJ45 1.25 G transceiver. Since the transceiver is a potential point of failure and loosing IPMI is worse than loosing the only online connection, I guess it makes more sense to connect to the data center via the RJ45-port and the server IPMI via the transceiver. (The data center connection is gigabit copper.) Makes sense? Or is there something about the RJ45-port that should be considered?

I plan to manually forward ports to the server as needed. I do not intend to use the router as some sort of reverse proxy, the server will deal with that.

Moreover, I want to do a site2site wireguard vpn-connection to my homelab to also enable me to manage the router and server without the ssh-jump.

Are there any obstacles I am overlooking or is this plan sound? Is there something more to consider or does anyone have any further suggestions or a better idea?

  • Markaos
    link
    fedilink
    English
    arrow-up
    2
    ·
    7 months ago

    Yeah, that’s a fair point - you only get to pass it a signed firmware from the vendor, it won’t boot anything else. And the provided firmware won’t provide access to anything the vendor didn’t explicitly choose to expose.