Intelligent Platform Management Interface (IPMI)

The Netgate 8300 appliance includes a baseboard management controller (BMC) for out-of-band (OOB) access via Intelligent Platform Management Interface (IPMI). Administrators can use this interface to control the hardware itself: power the device on or off, access a serial over LAN (SOL) console, mount virtual media for installation, see hardware status events, and more.

Accessing IPMI

To access IPMI via its web-based GUI, navigate to the IP address of the BMC using a web browser, e.g. https://10.10.10.89. It can also be accessed using ipmitool over the network.

By default, the dedicated IPMI network port (P11) is configured as a DHCP client, but it can be manually configured with a static address.

When the BMC is set to DHCP, its address can be determined in a few different ways:

  • Enter the BIOS when powering on the device and navigate to Server Mgmt > BMC Network Configuration. That screen displays the current network information for the BMC.

  • From the installed Operating System, run ipmitool lan print 2 to output the current BMC/IPMI network configuration for the dedicated IPMI network port.

  • Check the DHCP server leases to see which lease was allocated to the BMC.

    Tip

    The MAC address of the BMC is printed on the device label for reference.

Default IPMI Credentials

The default IPMI username is root and the default password is root.

In compliance with privacy legislation, the Username and Password to access the IPMI port on the Netgate 8300 must be changed on first access.

The IPMI web interface will present a screen to change the password immediately upon the first login using the default credentials.

Figure: IPMI Web Console forcing a password change on first login

To change the password:

  • Navigate to the IPMI address using a web browser

  • Log in to the IPMI Web Console with the default credentials.

  • Enter the following items on the Change Password form:

    Old Password

    The current default password (root).

    New Password

    The new password to set. If the password is acceptable, the field will be outlined in green. If the password is invalid, the field will be outlined in red.

    See also

    For a list of password requirements, see the next section. The IPMI Web Console will also print the requirements if a user attempts to set a password it considers too weak.

    Confirm Password

    The same password as in the New Password field. If the passwords match, the field will be outlined in green. If the passwords do not match, the field will be outlined in red.

  • Click Update Password

IPMI Password Requirements

IPMI user account passwords must meet the following criteria:

  • Minimum of 6 characters long

  • Contains only printable ASCII characters

  • Cannot contain the account name (case insensitive)

  • Meets at least 3 of the following criteria:

    • Contains uppercase characters (A through Z)

    • Contains lowercase characters (a through z)

    • Contains numbers (0 through 9)

    • Contains special characters (e.g., $, &)
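
The criteria above can be checked before a password is ever sent to the BMC, for example in a provisioning script. This is an added example, not Netgate code; the function name `ipmi_password_ok` is hypothetical, and it assumes "special characters" means ASCII punctuation (a space is not counted).

```shell
#!/bin/sh
# Added example (not vendor code): pre-check a candidate password against
# the criteria listed above. Prints the first failed rule and returns 1.
ipmi_password_ok() {
    _user=$1
    _pw=$2

    # Printable ASCII only: deleting every byte outside 0x20-0x7e
    # must leave the password unchanged.
    _clean=$(printf '%s' "$_pw" | LC_ALL=C tr -cd ' -~')
    if [ "$_clean" != "$_pw" ]; then
        echo "contains non-printable or non-ASCII characters"; return 1
    fi

    if [ "${#_pw}" -lt 6 ]; then
        echo "shorter than 6 characters"; return 1
    fi

    # The account name must not appear in the password, ignoring case.
    _lpw=$(printf '%s' "$_pw" | LC_ALL=C tr 'A-Z' 'a-z')
    _luser=$(printf '%s' "$_user" | LC_ALL=C tr 'A-Z' 'a-z')
    if [ -n "$_luser" ]; then
        case $_lpw in
            *"$_luser"*) echo "contains the account name"; return 1 ;;
        esac
    fi

    # Count the character classes present; at least 3 of 4 are required.
    # Assumption: "special" = ASCII punctuation, space not counted.
    _n=0
    case $_pw in *[[:upper:]]*) _n=$((_n + 1)) ;; esac
    case $_pw in *[[:lower:]]*) _n=$((_n + 1)) ;; esac
    case $_pw in *[[:digit:]]*) _n=$((_n + 1)) ;; esac
    case $_pw in *[[:punct:]]*) _n=$((_n + 1)) ;; esac
    if [ "$_n" -lt 3 ]; then
        echo "only $_n of 4 character classes present"; return 1
    fi
    echo "ok"
}
```

The BMC remains the authority on what it accepts; this check only catches obvious rejections early.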

Changing the IPMI Password

The IPMI password for Netgate 8300 appliances can be changed either through the browser-based IPMI console or by using the ipmitool utility directly in pfSense® software.

Using IPMI Web Console

To change the IPMI password in the web console:

  • Navigate to the IPMI address using a web browser

  • Log in to the IPMI console with the current credentials

    Figure: Log Into IPMI

    Note

    If the username is not known, see the next section for information on how to use ipmitool to view the current user list.

  • Navigate to Configuration > Users

    Figure: Configuration > Users

  • Select the user to modify by clicking on its row in the list

    This is likely the root user or another user with Administrator privileges, typically the user in the second slot (User ID 2).

  • Click Modify User

    Figure: Modify User

  • Set the form fields as follows:

    User Name

    Change the username from the default root to a personalized name

    This is optional, but a best practice.

    Change Password

    Click to enable the slider

    Password

    Enter the new Password

    If the password is acceptable, the field will be outlined in green. If the password is invalid, the field will be outlined in red.

    See also

    For a list of password requirements, see the previous section.

    Confirm Password

    Enter the new password again in Confirm Password

    If the passwords match, the field will be outlined in green. If the passwords do not match, the field will be outlined in red.

    Figure: Modify User Form

  • Click Modify

  • Click Confirm on the alert that says “Modified user successfully.”

    Figure: Click Confirm

Using the ipmitool Utility

If the IPMI web interface is unavailable or the current password is unknown, the ipmitool utility packaged with pfSense software can change the password.

These commands may be performed in the GUI at Diagnostics > Command Prompt or at a console or SSH shell prompt as the root user.

  • Load the IPMI kernel module

    # kldload ipmi
    
  • List the current IPMI users

    # ipmitool user list
    

    Note

    Netgate 8300 appliances use the user name root by default.

    The command prints a list of users, for example:

    ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
    1                    true    false      false      NO ACCESS
    2   root             true    false      true       ADMINISTRATOR
    3                    true    false      false      NO ACCESS
    4                    true    false      false      NO ACCESS
    5                    true    false      false      NO ACCESS
    6                    true    false      false      NO ACCESS
    7                    true    false      false      NO ACCESS
    8                    true    false      false      NO ACCESS
    9                    true    false      false      NO ACCESS
    10                   true    false      false      NO ACCESS
    11                   true    false      false      NO ACCESS
    12                   true    false      false      NO ACCESS
    13                   true    false      false      NO ACCESS
    14                   true    false      false      NO ACCESS
    15                   true    false      false      NO ACCESS
    

    Warning

    Usernames are case-sensitive.

  • Reset the password for a user

    The default root user is User ID 2, and the example below sets the password for this user to NETGATE.

    # ipmitool user set password 2 NETGATE
    

    Warning

    This password is for example purposes only. Use a secure password.

    If successful, the output will be:

    Set User Password command successful (user 2)
    
  • Unload the IPMI kernel module

    # kldunload ipmi
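
The user list printed in the procedure above can also be audited automatically, which is useful after a password change or factory reset to confirm which slots are active. This is an added example, not Netgate code; `ipmi_audit_users` and `sample_user_list` are hypothetical names, the sample rows are constructed, and the parser assumes the column layout shown in the output above.

```shell
#!/bin/sh
# Added example (not vendor code): summarize "ipmitool user list" output.
# Prints one line per active slot as id:name:privilege:flags and skips
# empty slots (no name and NO ACCESS).
ipmi_audit_users() {
    awk '
    # Data rows start with a numeric ID and contain the three boolean
    # columns (Callin, Link Auth, IPMI Msg) in sequence.
    $1 ~ /^[0-9]+$/ &&
    match($0, /(true|false)[ \t]+(true|false)[ \t]+(true|false)[ \t]+/) {
        name = substr($0, 1, RSTART - 1)       # "ID  Name   "
        priv = substr($0, RSTART + RLENGTH)    # "Channel Priv Limit" column
        sub(/^[ \t]*[0-9]+[ \t]*/, "", name); sub(/[ \t]+$/, "", name)
        sub(/[ \t]+$/, "", priv)
        if (name == "" && priv == "NO ACCESS") next

        flags = ""
        if (name == "")              flags = flags ",unnamed"
        if (name == "root")          flags = flags ",default-name"
        if (priv == "ADMINISTRATOR") flags = flags ",admin"
        sub(/^,/, "", flags); if (flags == "") flags = "-"
        printf "%s:%s:%s:%s\n", $1, name, priv, flags
    }'
}

# Constructed sample in the layout shown above (user 3 is made up).
sample_user_list() {
    cat <<'EOF'
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   root             true    false      true       ADMINISTRATOR
3   netops           true    false      true       OPERATOR
4                    true    false      false      NO ACCESS
EOF
}

# On the appliance, with the ipmi module loaded:
#   ipmitool user list | ipmi_audit_users
```

A `default-name` flag means the account still uses the default user name root, which the web console section above recommends changing.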
    

Reset IPMI Network Configuration

The ipmitool utility can also change or reset the network configuration of the IPMI interface if it cannot be reached over the network.

These commands may be performed in the GUI at Diagnostics > Command Prompt or at a console or SSH shell prompt as the root user.

Note

The dedicated IPMI port (P11) is on IPMI network channel 2.

  • Load the IPMI kernel module

    # kldload ipmi
    
  • Set the IPMI IP address and subnet mask

    The following commands configure the IP address of the IPMI interface and its corresponding subnet mask in dotted quad notation.

    This example sets the IPMI IP address to 172.31.123.5/24:

    # ipmitool lan set 2 ipsrc static
    # ipmitool lan set 2 ipaddr 172.31.123.5
    # ipmitool lan set 2 netmask 255.255.255.0
    
  • Set the IPMI gateway IP address

    To communicate with IPMI outside of its configured subnet, the IPMI interface must have a default gateway set.

    This example sets the default gateway to 172.31.123.1.

    # ipmitool lan set 2 defgw ipaddr 172.31.123.1
    
  • Enable IPMI access on the interface

    # ipmitool lan set 2 access on
    
  • Unload the IPMI kernel module

    # kldunload ipmi
    

Factory Reset the BMC

It is possible to factory reset the BMC configuration using ipmitool either locally or remotely. In certain cases this may help resolve problems accessing the BMC, for example if the BMC GUI is inaccessible due to a configuration error or other problem. Performing a factory reset of the BMC will allow an administrator to access and reconfigure the BMC.

To factory reset the BMC, use the ipmitool utility. This can be performed locally from a running installation of pfSense software, or remotely from another system across the network.

Using ipmitool Locally

These commands may be performed in the GUI at Diagnostics > Command Prompt or at a console or SSH shell prompt as the root user.

  • Load the IPMI kernel module

    # kldload ipmi
    
  • Factory reset the BMC

    # ipmitool raw 0x30 0x02 0x43 0x4c 0x52 0xaa
    # ipmitool raw 6 2
    
  • Unload the IPMI kernel module

    # kldunload ipmi
    

Using ipmitool Remotely

The remote BMC factory reset process requires the following items:

  • The client system must have ipmitool installed.

  • The BMC IP address.

  • The BMC IP address must be reachable over the network from the client system.

  • A valid username and password for the BMC with administrator access.

To factory reset the BMC remotely, use the following commands:

$ ipmitool -I lanplus -H <BMC_IP> -U <username> -P <password> raw 0x30 0x02 0x43 0x4c 0x52 0xaa
$ ipmitool -I lanplus -H <BMC_IP> -U <username> -P <password> raw 6 2

Re-arm the Chassis Intrusion Switch

The chassis on the Netgate 8300 has an intrusion detection function which can be reset via IPMI. See Re-arm the Chassis Intrusion Switch for details.