this post was submitted on 22 Nov 2023
1 points (100.0% liked)

Homelab


So I am going to re-IP some devices in my network and am looking to make a proper OOB network. For things like iDRAC, IPMI, UPS interface, and thinking about the Proxmox interface as well.

On my L3 switch I'll create the access list for certain machines on my network to gain access to that subnet and nothing else. But then I was thinking about it. If I do that then they will not have any internet access either. Which is fine and what I ultimately want. But then how do you manage BIOS, firmware, and any general updates etc.?

How are you guys/gals setting up the OOB? Are you even using one?

top 4 comments
[–] kaiwulf@alien.top 1 points 11 months ago

I run a completely separate switch for OOB, a separate vRouter in the firewall, with rules to allow those devices access to their update servers and nothing else.

[–] lamesauce00@alien.top 1 points 11 months ago

I just did a separate VLAN for my OOB devices and control the traffic through my pfSense firewall.

[–] MasterCommander300@alien.top 1 points 11 months ago

You could always open up internet for when you need to do updates. I can't imagine you'll be letting firmware update on its own 🤡

[–] Steeler88-12@alien.top 1 points 11 months ago

If the devices have a specific site they need for updates, I will usually allow the traffic to that site (or set of URLs/IPs) restricted to the ports/protocol needed (in the case of an ACL on a router/switch) or the application/port (in the case of a next gen firewall). But if there are a lot of potential destinations, I don't allow the traffic and instead download the needed files from a workstation and transfer them over.
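
The allowlist design discussed in this thread, as an added example that is not part of the original posts: a first-match ACL with implicit deny is evaluated against sample flows, and an audit flags permit rules that would widen the OOB subnet's exposure. All addresses, ports and names are constructed assumptions, and only the initiating packet is modelled (return traffic is assumed to be handled statefully).

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: Optional[str]  # "tcp", "udp", or None for any
    port: Optional[int]   # destination port, or None for any

# Constructed addressing (assumptions, not from the thread)
OOB_NET = "10.99.0.0/24"          # iDRAC / IPMI / UPS interfaces
ADMIN_WS = "10.10.0.50/32"        # the one workstation allowed in
UPDATE_SRV = "203.0.113.10/32"    # a single vendor update host

ACL = [
    Rule("permit", ADMIN_WS, OOB_NET, "tcp", 443),    # management web UI
    Rule("permit", ADMIN_WS, OOB_NET, "tcp", 22),     # management SSH
    Rule("permit", OOB_NET, UPDATE_SRV, "tcp", 443),  # updates only
    # anything not matched above falls through to the implicit deny
]

def evaluate(acl, src, dst, proto, port):
    """Return the action of the first matching rule; deny if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.proto in (None, proto)
                and r.port in (None, port)):
            return r.action
    return "deny"

def audit(acl, oob_net=OOB_NET):
    """Flag permit rules that loosen OOB isolation; returns (index, reason)."""
    oob = ipaddress.ip_network(oob_net)
    findings = []
    for i, r in enumerate(acl):
        if r.action != "permit":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if src.overlaps(oob) and (dst.num_addresses > 1 or r.port is None):
            findings.append((i, "OOB egress not pinned to one host and port"))
        if dst.overlaps(oob) and src.num_addresses > 1:
            findings.append((i, "OOB ingress from more than one named host"))
    return findings
```

Running `audit` whenever the rule list changes catches a temporary "open internet for updates" rule that was never removed.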