Need something very basic, but very reliable, to run a Tailscale subnet router on - my first thought was just a VM on a Proxmox box, but if that shits the bed, I can't access the LOM because the subnet router is on it!

So probably need something standalone, but I don't want it sucking too much power (or being too expensive).

@decryption USFF FTW
@uep Those have vPro/Intel AMT too, so if shit's really fucked I can go into the DC and not have to drag a monitor with me on a crash cart.
@decryption @uep Good DCs will have a few crash carts in each data hall, so typically it isn't an issue.
@uep @decryption Yeah, I'd have two USFF OptiPlexes and have one as a cold spare (preferably with the config on there) so then you can just swap.
@theraspb @uep Hmmmm, I wonder if there's a way to have an HA-style setup of those little guys - so if for some reason one craps out the other one takes over - maybe I can do it in the Arista switch? (Ping the interface and if it stops responding, disable that port and enable the other SFF's port.)
@decryption @uep Don't even need to do that, Tailscale should look after that for ya: https://tailscale.com/docs/features/subnet-routers#set-up-high-availability
@decryption @uep Though I'm not sure if that's required; those boxes are pretty reliable regardless, and well... you've got one internet connection, not too sure if two Tailscale boxes to access your OOB will do much if your net is down. I just meant that those boxes can be swapped out relatively painlessly if it does shit the bed.
@theraspb @uep Yeah, a day or two of downtime to the OOB network shouldn't hurt anyone - cold spare makes a lot of sense.
@decryption @uep I love cold spares, I reckon people don't use them enough.

@decryption @theraspb lots of options, including just two separate sessions on two sets of IPs so you pick one or the other as OOB access. The less cleverness the better.

My personal choice would be even simpler (though it's not necessarily mutually exclusive). Just WireGuard on the MikroTik router or switch, protecting SSH to same. Then I can tunnel, send WoL packets, and more from there as needed to recover.

@decryption @theraspb @uep at that point, you could do a Proxmox HA cluster of 2 (or more if you really want) nodes so the Tailscale VM can fail over between them
@decryption do you have a static IP at home? Allow your IP direct to LOM in case of emergency. Or if no static, use a VPS.
@jonathantrott Hmm, that's a good idea - I wonder if I can even enable that rule with something like a dead man's switch? Like if the usual interface can't be reached, turn that rule from disabled to enabled.
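
The dead man's switch idea in code, as an added example rather than anything from this thread: a small watchdog that runs on the firewall (or on a box that does not itself depend on the Tailscale path), probes the subnet router, and flips the "allow my static IP to the LOM" rule on only after several consecutive failures, then back off only after several consecutive successes. The probe host, rule names and the two firewall commands are placeholders you would replace with your own.

```python
import subprocess
import time
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DeadMansSwitch:
    """State machine with hysteresis: one dropped ping must not open the emergency
    rule, and one lucky reply must not close it again while the router is flapping."""
    fail_threshold: int = 3       # consecutive failed probes before enabling the rule
    recover_threshold: int = 5    # consecutive good probes before disabling it again
    enabled: bool = False
    failures: int = 0
    successes: int = 0
    transitions: List[str] = field(default_factory=list)

    def observe(self, reachable: bool) -> Optional[str]:
        """Record one probe result; return 'enable' / 'disable' when the rule should
        change state, or None when nothing needs to happen."""
        if reachable:
            self.successes += 1
            self.failures = 0
        else:
            self.failures += 1
            self.successes = 0
        if not self.enabled and self.failures >= self.fail_threshold:
            self.enabled = True
            self.transitions.append("enable")
            return "enable"
        if self.enabled and self.successes >= self.recover_threshold:
            self.enabled = False
            self.transitions.append("disable")
            return "disable"
        return None


def replay(switch: DeadMansSwitch, results: List[bool]) -> List[str]:
    """Feed a sequence of probe results through the switch and return the transitions
    it produced; handy for testing a threshold choice against a recorded outage."""
    return [t for t in (switch.observe(r) for r in results) if t is not None]


def probe(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo with a short timeout (Linux iputils flags; adjust for your platform)."""
    proc = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


# Placeholder commands; these are assumptions, not a real config from the thread.
# Shown in RouterOS syntax for a rule tagged with a comment so it can be found by name.
FIREWALL_COMMANDS = {
    "enable": ["ssh", "admin@router.example", "/ip firewall filter enable [find comment=\"emergency-lom\"]"],
    "disable": ["ssh", "admin@router.example", "/ip firewall filter disable [find comment=\"emergency-lom\"]"],
}


def apply_change(change: str) -> None:
    subprocess.run(FIREWALL_COMMANDS[change], check=False)


if __name__ == "__main__":
    # Probe every 30 s: ~90 s of silence opens the rule, ~150 s of replies closes it.
    switch = DeadMansSwitch(fail_threshold=3, recover_threshold=5)
    while True:
        change = switch.observe(probe("100.64.0.10"))   # placeholder Tailscale IP of the subnet router
        if change:
            apply_change(change)
        time.sleep(30)
```

Keep the emergency rule itself narrow even when it is on: source restricted to the static IP (or the VPS), destination only the LOM's HTTPS/SSH ports, and logged, so that the dead man's switch only widens exposure to the one path you already decided to trust. The run-on-the-firewall part matters as much as the thresholds: if the watchdog lives on the Proxmox box that hosts the subnet router VM, it goes down with the thing it is supposed to notice.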
@decryption Possibly. Also, if you don't have LOM on the hardware, get an APC PDU - network controlled power board for racks!

@decryption sounds like a job for a tiny 5G router https://www.gl-inet.com/ or similar

holy crap.. they've made a 5G KVM

https://www.gl-inet.com/products/gl-rm10rc/


@shlee Ooh, 5G is a nice backup - I wonder what the signal is like inside the datacenter.

@decryption I get 5G in ME2... having a KVM connected to the local network with 5G fallback actually sounds great.

*buys*

@shlee Yeah, it's super handy if the internet is down and you want to know if it's your fault or theirs, lol.

@decryption As a brand, I love GL.iNet... plus they regularly run OpenWrt so you can mod it to hell (at least the models I've used previously).

The KVM might not use OpenWrt...

@shlee @decryption I got some Comet PoEs for work and they run some kind of Linux. Work pretty damn well across Windows, macOS and iPadOS - I love GL.iNet too.