I have just ordered a CCR2004-1G-2XS-PCIe to be used as the firewall of a single server (and its IPMI) that’s going to end up in a data center for colocation. I would appreciate a sanity check and perhaps some hints as I haven’t had any prior experience with mikrotik and, of course, no experience at all with such a wild thing as a computer in a computer over pcie.

My plan is to manage the router over ssh over the internet with certificates and then open the api / web-configurator / perhaps the Windows thingy only on localhost. Moreover, I was planning to use it as an ssh proxy for managing the server as well as accessing the server IPMI.

I intend to use the pcie-connection for the communication between the server and the router and just connect the IPMI to either physical port.

I have a (hopefully compatible) RJ45 1.25 G transceiver. Since the transceiver is a potential point of failure and losing IPMI is worse than losing the only online connection, I guess it makes more sense to connect to the data center via the RJ45-port and the server IPMI via the transceiver. (The data center connection is gigabit copper.) Makes sense? Or is there something about the RJ45-port that should be considered?

I plan to manually forward ports to the server as needed. I do not intend to use the router as some sort of reverse proxy, the server will deal with that.

Moreover, I want to do a site2site wireguard vpn-connection to my homelab to also enable me to manage the router and server without the ssh-jump.

Are there any obstacles I am overlooking or is this plan sound? Is there something more to consider or does anyone have any further suggestions or a better idea?
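The plan above, sketched as a RouterOS v7 configuration. This is an added example written for this thread, not something the original poster posted, and it makes assumptions the post does not state: interface names (ether1 as the data-centre uplink, sfp-sfpplus1 as the port feeding the IPMI, pcie-host as the virtual interface towards the server), the addresses 10.10.0.0/24 for the PCIe link, 10.10.1.0/24 for IPMI, 10.30.0.0/24 for the WireGuard transit net and 10.20.0.0/24 for the homelab LAN, the hostname home.example.net, the key file admin.pub, and the forwarded port 443. The keys in angle brackets are placeholders. "Certificates" for ssh is implemented here as key-based login via an imported public key, which is what RouterOS offers; the api/web/winbox services are restricted by source address to the router itself and the VPN subnet rather than being bound to a loopback socket, because `/ip service` filters by client address.

```routeros
# Added example, not from the original post. All names and addresses are assumptions.
# ether1 = data-centre uplink, sfp-sfpplus1 = IPMI port, pcie-host = link to the server.

# 1. Key-based ssh only; local port forwarding allowed so the router can act as a jump host.
/ip ssh set strong-crypto=yes forwarding-enabled=local
/user ssh-keys import public-key-file=admin.pub user=admin

# 2. Everything except ssh is off, or reachable only from the router itself / the VPN side.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www-ssl address=127.0.0.1/32,10.30.0.0/24
set winbox address=127.0.0.1/32,10.30.0.0/24
set ssh port=22

# 3. Addressing: server over PCIe, IPMI on the transceiver port.
/ip address
add address=10.10.0.1/24 interface=pcie-host
add address=10.10.1.1/24 interface=sfp-sfpplus1

# 4. Site-to-site WireGuard to the homelab (keys are placeholders, not real values).
/interface wireguard add name=wg-home listen-port=13231 private-key="<router-private-key>"
/ip address add address=10.30.0.1/24 interface=wg-home
/interface wireguard peers add interface=wg-home public-key="<homelab-public-key>" \
    endpoint-address=home.example.net endpoint-port=13231 \
    allowed-address=10.30.0.2/32,10.20.0.0/24 persistent-keepalive=25s
/ip route add dst-address=10.20.0.0/24 gateway=wg-home

# 5. NAT: masquerade outbound, forward only the ports the server actually exposes.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 action=dst-nat to-addresses=10.10.0.2

# 6. Input: ssh and WireGuard from the internet, full management only over the tunnel.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=udp dst-port=13231 action=accept
add chain=input in-interface=ether1 protocol=tcp dst-port=22 action=accept
add chain=input in-interface=wg-home action=accept
add chain=input in-interface=ether1 action=drop

# 7. Forward: IPMI is never reachable from the uplink; the server only via the explicit dst-nat
#    rules; the homelab reaches both over WireGuard.
add chain=forward in-interface=ether1 out-interface=sfp-sfpplus1 action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=new in-interface=wg-home action=accept
add chain=forward connection-state=new in-interface=ether1 connection-nat-state=dstnat action=accept
add chain=forward action=drop
```

With forwarding-enabled=local, reaching the IPMI web UI from outside the VPN is an `ssh -L 8443:10.10.1.2:443 admin@<router>` away, and the WinBox/web services can be reached the same way through the tunnel since their source address is then the router or the VPN subnet. Before relying on the input drop rule, check from a second session that ssh still answers; the order of the filter rules matters and RouterOS applies them top down.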

  • @[email protected]
    27 months ago

    such a wild thing as a computer in a computer over pcie

    That’s pretty much what a graphics card is - it has its own CPU to handle bringing the actual GPU cores up and communicating with the host computer, and for example Nvidia has been moving more and more functionality from drivers to this onboard CPU

    As for the question… I’m sorry, my experience with networking is limited to setting up a small home network with a few Mikrotiks. For what it’s worth though, I don’t see anything wrong with the suggested setup.

    • @dontOP
      27 months ago

      Thanks 😀 But you hardly get to control what that CPU on your graphics card does the same way as you get control over the Linux machine that is this router, do you?

      (Oh, and actually, my first and last discrete GPU was an ati 9600 xt or something from over twenty years ago, so, I guess that statement about my inexperience with it is still standing 😉 Until somebody comes along to tell me that the same could be said about raid controllers etc…)

      • @[email protected]
        27 months ago

        Yeah, that’s a fair point - you only get to pass it a signed firmware from the vendor, it won’t boot anything else. And the provided firmware won’t provide access to anything the vendor didn’t explicitly choose to expose.