Proxmox + AMT = Resilience?

I’ve got some trips coming up and will be away from my Homelab over the next few months.

I had an unexpected lockup of my MS-01 about a week ago. Since I migrated my OpnSense router to the MS-01, that locked everything up and my whole network went down.

No idea why the MS-01 lockup happened, but it has not happened since.

vPRO/AMT Intro

I have no experience with out-of-band management interfaces yet on any of my homelab hosts.

The MS-01 has Intel vPRO/AMT, so I had the idea of moving the OpnSense routing function to a different host (cheap MiniPC) and opening up the MS-01 AMT functionality to be able to reboot the server remotely.

Migration of OpnSense

Migrating the OpnSense away from the MS-01 Proxmox instance was surprisingly straightforward. I back up the OpnSense VM to a Proxmox Backup Server on my NAS, which provided an easy thing to restore when I was ready.

The process was relatively straightforward:

  • Set up the MiniPC as a new Proxmox host (install Proxmox not in a cluster, run post-install script)
  • Restore the OpnSense VM from PBS
  • Adjust the network interfaces to align with the MiniPC interfaces (both in Proxmox and inside OpnSense)

Once I was ready to do the OpnSense migration:

  • Take a quick snapshot on the MS-01 -> PBS
  • Turn off OpnSense on the MS-01
  • Move the network cables over to the MiniPC
  • Fire up the OpnSense VM on the MiniPC

Setting up vPRO/AMT on MS-01

I found a super helpful blog post that explained the main process to set up AMT on the MS-01:

https://spaceterran.com/posts/step-by-step-guide-enabling-intel-vpro-on-your-minisforum-ms-01-bios/

Since I got the MiniPC going on the edge of my network, where my Wireguard VPN endpoint is, I thought it would be ideal if the MiniPC itself could monitor the MS-01 AMT interface.

I didn’t want to spin up a new VM just to run one Docker container on the Mini-PC, but thankfully I found a Proxmox LXC that could do it much more easily: MeshCentral.

After some screwing around with blacklisting the igc drivers on the MS-01 Proxmox host and figuring out which Intel 226 NIC was which (needs to be I226-LM for AMT, apparently), it fired right up.

Now I have another machine running on the edge of my network that can handle all the routing and help me recover if the MS-01 gets hung up while I am away from the house. Backing up its LXC and VM to PBS makes me much more confident that I can recover quickly if things decide to have problems.