BMC Forwarding Gateways

BMC Forwarding Gateways #

SynergyCP’s BMC Forwarding feature can be used to move IPMI IPs onto a private LAN where they do not take up IP space and are not accessible to the public (ACL by IP). There are two options for running SynergyCP Forwarding Servers: Port to Port and IP to IP.

The port-to-port method is deprecated as of SynergyCP 5.2 and will be removed in a future release. New installations should not use the port-to-port method, and troubleshooting will not be provided for new installs.

Port to Port forwarding means that SynergyCP will automatically assign new ports to forward that correspend to ports we know the IPMI device uses. The benefit of this approach is that you only need one public IP for the gateway. There are two limitations with this approach. First, it can be confusing for end users if they access the IPMI web control panel as some features there (e.g. launching KVM) that depend on additional ports may not work. We do have a Launch KVM button in the application which can be used to access KVM, though. Second, we must know all the ports that the device uses and the API for KVM access is not standardized across devices, so there are more likely to be devices that we have not added support for.

IP to IP forwarding means that SynergyCP will allow a user to forward all traffic from a specific source IP through to the BMC IP, without changing what ports are used. The benefit of this approach is that everything should work as if the user had direct IP access to the BMC. The downside of this approach is that you would typically want more public IP addresses on the forwarding server. You only need as many IP addresses as you would have users from the same Source IP accessing the same forwarding server at the same time. So the only case where this really becomes an issue is if you have a significant number of staff on the same VPN where they would all have the same Source IP. In practice, you should probably have one to two times as many public IPs on each Gateway server as you have staff accessing KVM devices. This is because when a user ACL’s their IP, we add a forward of all traffic matching <user’s source IP> AND ===> . Each time the same source IP adds a new ACL, it uses a different usable IP from the gateway, until those run out at which point one of the conflicting ACLs would need to be expired.

To setup Port Forwarding, first decide which approach you want to use from the above options, and allocate IPs accordingly: just one IP for Port to Port or as many IPs as you think you will need for IP to IP. You can always add more IPs later if needed. Then, if you don’t have one already, add a subnet for IPMI devices on your router that is internal only (e.g. 10.0.1.1/24). Make sure this subnet is accessible only to other devices in the same VLAN, i.e. your customers cannot access any IPMI device directly using the internal IP. Provision a server with Debian 11 that has public IP access and also has access to the private IPMI LAN. It is fine if these are on two different ethernet ports as long as the routing is setup in the OS so that it can connect to the private LAN. Make sure to install a fresh Debian 11 server - do not reuse another server as there may be port conflicts. Then run this command on the new forwarding server as the root user (add “sudo” before “apt-get” and “bash” if you are running as a sudo user):

cd /tmp
rm -f gateway-installer.sh
apt-get install -yq wget
wget https://install.synergycp.com/bm/gateway-installer.sh
bash gateway-installer.sh

Next, copy the details at the end into the form on the next page. To enable Port Forwarding on a server, pick a server at the location that you added the Port Forwarding Gateway to. If it is still using a public IP, go to its IPMI control panel and change its static IP to one from the internal subnet. Edit the server on SynergyCP so that it has the internal IPMI IP and port forwarding set to whichever setting you choose. Port Forwards will be automatically generated for you when a user ACLs themself to the device. Go to the manage server page for that server and click Launch KVM to test that the port forwarding is working.