November 2023 Archives
Thu Nov 16 11:33:35 +07 2023
Using Out of Band connection to CSIM
Out of Band (OOB) access is for the case of an incident where the CSIM router or firewall is unresponsive and needs a reboot (like the incident of November 11th, 2023). It bypasses the router and the firewall and still gives access to the CSIM network.
Connect to AIT VPN
Download AIT VPN configuration from https://helpdesk.ait.ac.th/wp-content/uploads/sites/2/downloads/AIT_Net_vpn_ait_ac_th.ovpn
Connect to AIT VPN with a command like (for Ubuntu):
sudo openvpn --config AIT_Net_vpn_ait_ac_th.ovpn
NOTE: You must use your AIT credentials to connect.
More information about AIT VPN at https://helpdesk.ait.ac.th/services/ait-vpn/
Connect to OOB device
ssh -i <key_file> -p 2222 on@oob-ait.cs.ait.ac.th
NOTE: You must authenticate with a key_file.
NOTE: you must use port 2222.
If you need more than console access, for example to reach the GUI of the firewall, add a local port forward to the ssh command:
sudo ssh -i <key_file> -p 2222 -L 443:firewall:443 on@oob-ait.cs.ait.ac.th
NOTE: sudo is only needed because local port 443 is privileged. ssh then runs as root, so give an absolute path to <key_file> (root's ~/.ssh, not yours, is used for keys and known_hosts). With an unprivileged local port such as 8443 no sudo is needed.
VMware GUI/vmplayer needs port 443.
Proxmox GUI needs port 8006.
I don't think you can use CSIM VPN at this stage.
Because of the way the iDRAC web interface works, you *must* add the name of the iDRAC interface to /etc/hosts on your local machine, for example:
127.0.0.1 iDRAC-46VNJJ3.xxx.yyy
and use https://iDRAC-46VNJJ3.xxx.yyy/ in your web browser. [It seems that the iDRAC web interface expects a header "Host: iDRAC-46VNJJ3.xxx.yyy" or "Host: <IP address>" in the HTTP request. With a normal SSH tunnel the header sent by your browser is "Host: 127.0.0.1", and that causes iDRAC to throw a fit.]
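The whole session above (VPN already up) fits in one ssh invocation if every forward is listed at once. The script below is an added example, not part of these notes: it builds that command from a list of forwards, decides whether sudo is required (any local port below 1024), and checks a hosts file for the iDRAC name before you start. The key path, the remote names "firewall" and "proxmox", and the use of 127.0.0.2 for the iDRAC forward are assumptions; the iDRAC name is the one from the notes. Binding the iDRAC forward to 127.0.0.2 lets it share local port 443 with the firewall forward, because Linux answers on all of 127.0.0.0/8; the /etc/hosts line then has to read 127.0.0.2 instead of 127.0.0.1.

```shell
#!/bin/sh
# Added example, not part of the original notes. Builds the single ssh
# command for an OOB session with every needed forward, and checks that
# the iDRAC name is mapped to a loopback address in a hosts file.
# Assumed placeholders: the key path, the remote names "firewall" and
# "proxmox", and 127.0.0.2 as the bind address for the iDRAC forward.

OOB_HOST="on@oob-ait.cs.ait.ac.th"
OOB_PORT=2222

# Local port of a forward spec, "lport:host:rport" or "bind:lport:host:rport".
local_port() {
    case "$1" in
        *:*:*:*) p=${1#*:}; printf '%s' "${p%%:*}" ;;
        *)       printf '%s' "${1%%:*}" ;;
    esac
}

# Turn forward specs into "-L spec" arguments; fails on a malformed spec.
oob_forward_args() {
    args=""
    for fwd in "$@"; do
        case "$fwd" in
            *:*:*) args="$args -L $fwd" ;;
            *) echo "bad forward spec: $fwd" >&2; return 1 ;;
        esac
    done
    printf '%s' "${args# }"
}

# True if any forward binds a privileged local port (<1024): then ssh has
# to run under sudo, and the key path must be absolute because root's
# ~/.ssh (not yours) is consulted for keys and known_hosts.
needs_root() {
    for fwd in "$@"; do
        [ "$(local_port "$fwd")" -lt 1024 ] && return 0
    done
    return 1
}

# Full command line: oob_ssh_command KEY_FILE FORWARD...
oob_ssh_command() {
    key=$1; shift
    fwds=$(oob_forward_args "$@") || return 1
    cmd="ssh -i $key -p $OOB_PORT"
    [ -n "$fwds" ] && cmd="$cmd $fwds"
    cmd="$cmd $OOB_HOST"
    if needs_root "$@"; then cmd="sudo $cmd"; fi
    printf '%s' "$cmd"
}

# Does HOSTS_FILE map NAME to a 127.x.x.x address (comment lines ignored)?
hosts_maps_to_loopback() {   # hosts_maps_to_loopback HOSTS_FILE NAME
    grep -Ev '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -Eq "^127(\.[0-9]+){3}[[:space:]]+([^[:space:]]+[[:space:]]+)*$2([[:space:]]|$)"
}

# Usage: sh oob-session.sh show
# Firewall GUI on 127.0.0.1:443, Proxmox on 8006, iDRAC on 127.0.0.2:443.
IDRAC_NAME="iDRAC-46VNJJ3.xxx.yyy"
if [ "${1:-}" = "show" ]; then
    hosts_maps_to_loopback /etc/hosts "$IDRAC_NAME" ||
        echo "add '127.0.0.2 $IDRAC_NAME' to /etc/hosts first" >&2
    oob_ssh_command "$HOME/.ssh/oob_key" \
        443:firewall:443 8006:proxmox:8006 "127.0.0.2:443:$IDRAC_NAME:443"
    echo
fi
```

Run it with `show` to get the exact command to paste; it prints a warning first if the iDRAC name is still missing from /etc/hosts. With the three forwards above the session needs sudo, so the Proxmox GUI is at https://127.0.0.1:8006/, the firewall at https://127.0.0.1/ and iDRAC at https://iDRAC-46VNJJ3.xxx.yyy/.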
Create the OOB system
Instructions for the NanoPi R2S can be found at https://wiki.friendlyelec.com/wiki/index.php/NanoPi_R2S#Install_OS
Download Debian from the Google Drive, 01_Official images, 01_SD card images.
On first boot the system gets an IP address from DHCP; the exact address can be found in the DHCP server's lease table. The interface labeled LAN is connected to the CSIM network, the interface labeled WAN to the AIT network.
The initial username/password is pi/pi.
Configure the network in /etc/network/interfaces (eth1 carries the CSIM address, eth0 the AIT address; only the AIT side gets the default route, the CSIM gateway stays commented out):
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

# CSIM side (cs.ait.ac.th, 192.41.170.0/24); no default route here
auto eth1
iface eth1 inet static
    address 192.41.170.84
    netmask 255.255.255.0
    # gateway 192.41.170.23
    dns-domain cs.ait.ac.th
    dns-nameservers 192.41.170.15 192.41.170.30

# AIT side (203.159.63.16/28); default route goes out this way
auto eth0
iface eth0 inet static
    address 203.159.63.20
    netmask 255.255.255.240
    gateway 203.159.63.17
Disable automatic DNS in /etc/NetworkManager/NetworkManager.conf so it does not overwrite the resolver configuration below:
[main]
plugins=ifupdown,keyfile
dns=none
[ifupdown]
managed=true
Configure /etc/resolv.conf:
domain cs.ait.ac.th
nameserver 192.41.170.15
nameserver 192.41.170.30
nameserver 203.159.0.1
Configure /etc/ntpsec/ntp.conf: copy it from the other servers.
Configure /etc/rsyslog.conf: add the following line at the end of the file (a single @ forwards over UDP; @@ would use TCP):
*.* @sysl.cs.ait.ac.th
Create local users, add them to the group sudo and install their SSH public keys in ~/.ssh/authorized_keys. Only then delete the user pi, so that the default pi/pi account is not left behind on a device reachable from the AIT network.
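The account, sshd and rsyslog steps of the build, written as idempotent shell functions, as an added example that is not part of these notes. Each function takes the file it edits as an argument, so the logic can be tried on copies before it is run against /etc, and re-running it does not duplicate lines. The sshd settings (port 2222, key-only, no root login) are the constraints the connection section relies on; the user name and key in the usage line are placeholders, and `apply` mode assumes a Debian host with adduser/deluser and systemd.

```shell
#!/bin/sh
# Added example, not part of the original notes: account, sshd and rsyslog
# steps of the OOB build as idempotent functions. Functions take the file
# they edit as an argument so they can be exercised on copies first.
# Placeholders: the admin user name and public key passed on the command line.

# Append LINE to FILE unless an identical line is already there.
ensure_line() {   # ensure_line FILE LINE
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Set one sshd directive, removing earlier (also commented-out) copies so
# sshd's first-match rule cannot pick up a stale value.
sshd_set() {   # sshd_set SSHD_CONFIG KEY VALUE
    tmp="$1.tmp.$$"
    grep -Ev "^[[:space:]]*#?[[:space:]]*$2([[:space:]]|$)" "$1" > "$tmp" 2>/dev/null || true
    printf '%s %s\n' "$2" "$3" >> "$tmp"
    mv "$tmp" "$1"
}

# Effective value of KEY the way sshd reads it (first match wins).
sshd_get() {   # sshd_get SSHD_CONFIG KEY
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# The constraints from the connection section: port 2222, keys only.
harden_sshd_config() {   # harden_sshd_config SSHD_CONFIG
    sshd_set "$1" Port 2222
    sshd_set "$1" PubkeyAuthentication yes
    sshd_set "$1" PasswordAuthentication no
    sshd_set "$1" PermitRootLogin no
}

# Install PUBKEY for the account whose home is HOME_DIR, with the modes
# sshd's StrictModes requires (no group/world write on .ssh or the file).
install_authorized_key() {   # install_authorized_key HOME_DIR PUBKEY
    dir="$1/.ssh"
    mkdir -p "$dir" && chmod 700 "$dir"
    ensure_line "$dir/authorized_keys" "$2"
    chmod 600 "$dir/authorized_keys"
}

# Forward everything to the central syslog host. A single @ is UDP, as in
# the notes; "@@" would select TCP instead.
configure_rsyslog_forward() {   # configure_rsyslog_forward RSYSLOG_CONF HOST
    ensure_line "$1" "*.* @$2"
}

# Account steps (root only): a key-authenticated sudo user, then drop the
# shipped pi/pi account, but only once the sudo group has a member.
create_admin_user() {   # create_admin_user NAME PUBKEY
    id "$1" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$1"
    usermod -aG sudo "$1"
    install_authorized_key "/home/$1" "$2"
    chown -R "$1:$1" "/home/$1/.ssh"
}
retire_pi_user() {
    getent group sudo | cut -d: -f4 | grep -q . ||
        { echo "no member in group sudo yet, keeping pi" >&2; return 1; }
    id pi >/dev/null 2>&1 && deluser --remove-home pi
}

# Usage (as root on the OOB box):
#   sh oob-build.sh apply admin "ssh-ed25519 AAAA... admin@workstation"
if [ "${1:-}" = "apply" ]; then
    harden_sshd_config /etc/ssh/sshd_config
    configure_rsyslog_forward /etc/rsyslog.conf sysl.cs.ait.ac.th
    create_admin_user "$2" "$3"
    retire_pi_user
    sshd -t && systemctl restart ssh rsyslog
fi
```

Keep an existing session open while sshd is restarted and test a fresh key login on port 2222 from the AIT VPN before closing it; `sshd -t` only catches syntax errors, not a key that was pasted wrongly.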