How to access firewall nodes without the vpn#

Intended audience

sysadm staff members

Any physical server in the 192.168.100.0/24 network should be able to reach the firewall.

But accessing one of the hypervisor’s iDRAC should allow using the associated serial console of the hypervisor, and then gain access to the firewall node without the vpn.

How?#

From the serial console, use the root account and the virtual ip of one of the fw node (192.168.100.2 or 192.168.100.3):

root@<hypervisor>:/root# ssh root@192.168.100.2
The authenticity of host '192.168.100.2 (192.168.100.2)' can't be established.
Password:
Last login: Fri Dec 10 14:00:00 2021 from 192.168.100.29
----------------------------------------------
|      Hello, this is OPNsense 21.7          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:      https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:     https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:       https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code:         https://github.com/opnsense  |        @@@@         @@@@
| Twitter:      https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------

*** pushkin.internal.softwareheritage.org: OPNsense 21.7.6 (amd64/OpenSSL) ***

 ... (redacted) ...

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:
...

Why?#

In case there is an issue with the firewalls (for example, a VIP election issue resulting to no available gateway) or the vpn.