Intelligent Platform Management Interface (IPMI)¶
The Netgate 8300 appliance includes a baseboard management controller (BMC) for out-of-band (OOB) access via Intelligent Platform Management Interface (IPMI). Administrators can use this interface to control the hardware itself, such as power on/off, access a serial over LAN (SOL) console, mount virtual media for installation, see hardware status events, and more.
Accessing IPMI¶
To access IPMI via its web-based GUI, navigate to the IP address of the BMC using a web browser, e.g. https://10.10.10.89. It can also be accessed using ipmitool over the network.
By default, the dedicated IPMI network port (P11) is configured to be a DHCP client but it can be manually configured with a static address.
The address of the BMC set to DHCP can be determined in a few different ways:
Enter the BIOS when powering on the device and navigate to Server Mgmt > BMC Network Configuration. That screen displays the current network information for the BMC.
From the installed Operating System, run ipmitool lan print 2 to output the current BMC/IPMI network configuration for the dedicated IPMI network port.
Check the DHCP server leases to see which lease was allocated to the BMC.
Tip
The MAC address of the BMC is printed on the device label for reference.
Default IPMI Credentials¶
The default IPMI username is root and the default password is root.
In compliance with privacy legislation, the Username and Password to access the IPMI port on the Netgate 8300 must be changed on first access.
The IPMI web interface will present a screen to change the password immediately upon the first login using the default credentials.
To change the password:
Navigate to the IPMI address using a web browser
Log in to the IPMI Web Console with the default credentials.
Enter the following items on the Change Password form:
- Old Password
The current default password (root).
- New Password
The new password to set. If the password is acceptable, the field will be outlined in green. If the password is invalid, the field will be outlined in red.
See also
For a list of password requirements, see the next section. The IPMI Web Console will also print the requirements if a user attempts to set a password it considers too weak.
- Confirm Password
The same password as in the New Password field. If the passwords match, the field will be outlined in green. If the passwords do not match, the field will be outlined in red.
Click Update Password
IPMI Password Requirements¶
IPMI user account passwords must meet the following criteria:
Minimum of 6 characters long
Contains only printable ASCII characters
Cannot contain the account name (Case insensitive)
Meets at least 3 of the following criteria:
- Contains uppercase characters (A through Z)
- Contains lowercase characters (a through z)
- Contains numbers (0 through 9)
- Contains special characters (e.g., $, &)
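The criteria above, expressed as a POSIX sh function (an added example, not part of the Netgate documentation or BMC firmware). It assumes a space counts as printable ASCII and that "special" means any printable character other than a letter or digit; the function name ipmi_password_check is hypothetical.

```sh
#!/bin/sh
# Added example: pre-check a candidate BMC password against the criteria above.
# Assumptions (not stated on the page): a space counts as printable ASCII, and
# "special" means any printable character that is not a letter or digit.
LC_ALL=C; export LC_ALL   # make [A-Z] etc. byte-exact ASCII ranges

# ipmi_password_check ACCOUNT PASSWORD
# Prints "ok" or the first rule that fails; returns 0 only if every rule passes.
ipmi_password_check() {
    acct=$1
    pass=$2

    if [ "${#pass}" -lt 6 ]; then
        echo "too short: minimum is 6 characters"; return 1
    fi

    # Count bytes left after deleting the printable ASCII range (space..tilde).
    extra=$(( $(printf '%s' "$pass" | tr -d ' -~' | wc -c) ))
    if [ "$extra" -ne 0 ]; then
        echo "contains non-printable or non-ASCII characters"; return 1
    fi

    # Case-insensitive substring test for the account name.
    lpass=$(printf '%s' "$pass" | tr '[:upper:]' '[:lower:]')
    lacct=$(printf '%s' "$acct" | tr '[:upper:]' '[:lower:]')
    if [ -n "$lacct" ]; then
        case $lpass in
            *"$lacct"*) echo "contains the account name"; return 1 ;;
        esac
    fi

    # At least 3 of the 4 character classes must be present.
    classes=0
    case $pass in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $pass in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $pass in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $pass in *[!A-Za-z0-9]*) classes=$((classes + 1)) ;; esac
    if [ "$classes" -lt 3 ]; then
        echo "only $classes of 4 character classes present; need 3"; return 1
    fi

    echo "ok"
}
```

Calling it in a provisioning script ahead of the password change catches a candidate that does not meet the listed criteria before it is sent to the BMC.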
Changing the IPMI Password¶
The IPMI password for Netgate 8300 appliances can be changed either through the browser-based IPMI console or by using the ipmitool utility directly in pfSense® software.
Using IPMI Web Console¶
To change the IPMI password in the web console:
Navigate to the IPMI address using a web browser
Log in to the IPMI console with the current credentials
Note
If the username is not known, see the next section for information on how to use ipmitool to view the current user list.
Navigate to Configuration > Users
Select the user to modify by clicking on its row in the list
This is likely the root user or another user with Administrator privileges, typically the user in the second slot (User ID 2).
Click Modify User
Set the form fields as follows:
- User Name
Change the username from the default root to a personalized name
This is optional, but a best practice.
- Change Password
Click to enable the slider
- Password
Enter the new Password
If the password is acceptable, the field will be outlined in green. If the password is invalid, the field will be outlined in red.
See also
For a list of password requirements, see the previous section.
- Confirm Password
Enter the new password again in Confirm Password
If the passwords match, the field will be outlined in green. If the passwords do not match, the field will be outlined in red.
Click Modify
Click Confirm on the alert that says “Modified user successfully.”
Using the ipmitool Utility¶
If the IPMI web interface is unavailable or the current password is unknown, the ipmitool utility packaged with pfSense software can change the password.
These commands may be performed in the GUI at Diagnostics > Command Prompt or at a console or SSH shell prompt as the root user.
Load the IPMI kernel module
# kldload ipmi
List the current IPMI users
# ipmitool user list
Note
Netgate 8300 appliances use the user name root by default.
The command prints a list of users, for example:
ID  Name   Callin  Link Auth  IPMI Msg  Channel Priv Limit
1          true    false      false     NO ACCESS
2   root   true    false      true      ADMINISTRATOR
3          true    false      false     NO ACCESS
4          true    false      false     NO ACCESS
5          true    false      false     NO ACCESS
6          true    false      false     NO ACCESS
7          true    false      false     NO ACCESS
8          true    false      false     NO ACCESS
9          true    false      false     NO ACCESS
10         true    false      false     NO ACCESS
11         true    false      false     NO ACCESS
12         true    false      false     NO ACCESS
13         true    false      false     NO ACCESS
14         true    false      false     NO ACCESS
15         true    false      false     NO ACCESS
Warning
Usernames are case-sensitive.
Reset the password for a user
The default root user is User ID 2, and the example below sets the password for this user to NETGATE.
# ipmitool user set password 2 NETGATE
Warning
This password is for example purposes only. Use a secure password.
If successful, the output will be:
Set User Password command successful (user 2)
Unload the IPMI kernel module
# kldunload ipmi
Reset IPMI Network Configuration¶
The ipmitool utility can also change or reset the network configuration of the IPMI interface if it cannot be reached over the network.
These commands may be performed in the GUI at Diagnostics > Command Prompt or at a console or SSH shell prompt as the root user.
Note
The dedicated IPMI port (P11) is on IPMI network channel 2.
Load the IPMI kernel module
# kldload ipmi
Set the IPMI IP address and subnet mask
The following commands configure the IP address of the IPMI interface and its corresponding subnet mask in dotted quad notation.
This example sets the IPMI IP address to 172.31.123.5/24:
# ipmitool lan set 2 ipsrc static
# ipmitool lan set 2 ipaddr 172.31.123.5
# ipmitool lan set 2 netmask 255.255.255.0
Set the IPMI gateway IP address
To communicate with IPMI outside of its configured subnet, the IPMI interface must have a default gateway set.
This example sets the default gateway to 172.31.123.1.
# ipmitool lan set 2 defgw ipaddr 172.31.123.1
Enable IPMI access on the interface
# ipmitool lan set 2 access on
Unload the IPMI kernel module
# kldunload ipmi
Factory Reset the BMC¶
It is possible to factory reset the BMC configuration using ipmitool either locally or remotely. In certain cases this may help resolve problems accessing the BMC, for example if the BMC GUI is inaccessible due to a configuration error or other problem. Performing a factory reset of the BMC will allow an administrator to access and reconfigure the BMC.
To factory reset the BMC, use the ipmitool utility. This can be performed locally from a running installation of pfSense software, or remotely from another system across the network.
Using ipmitool Locally¶
These commands may be performed in the GUI at Diagnostics > Command Prompt or at a console or SSH shell prompt as the root user.
Load the IPMI kernel module
# kldload ipmi
Factory reset the BMC
# ipmitool raw 0x30 0x02 0x43 0x4c 0x52 0xaa
# ipmitool raw 6 2
Unload the IPMI kernel module
# kldunload ipmi
Using ipmitool Remotely¶
The remote BMC factory reset process requires the following items:
The client system must have ipmitool installed.
The BMC IP address.
The BMC IP address must be reachable over the network from the client system.
A valid username and password for the BMC with administrator access.
To factory reset the BMC remotely, use the following commands:
$ ipmitool -I lanplus -H <BMC_IP> -U <username> -P <password> raw 0x30 0x02 0x43 0x4c 0x52 0xaa
$ ipmitool -I lanplus -H <BMC_IP> -U <username> -P <password> raw 6 2
Re-arm the Chassis Intrusion Switch¶
The chassis on Netgate 8300 has an intrusion detection function which can be reset via IPMI. See Re-arm the Chassis Intrusion Switch for details.