I have an OpenBSD firewall where I have to change the IP on the admin interface (including changing subnet/gateway) and I'm looking for how to do this remotely without losing my SSH (so I can fix things if there are problems).
Here is how I imagine being able to do it:
1. Add the new IP as an alias to my network interface. (Question: How do I properly add an IP on a different subnet than the original IP? http://www.openbsd.org/faq/faq6.html#Setup.aliases is unclear on whether there is anything special to do for a different subnet besides specifying the netmask.)
2. Add the new gateway with route. (Question: Should I add it as a 'default' gateway or just for the new subnet?)
3. SSH to the new IP.
4. Write a script to if down both the old and new IPs and up the new IP as the main interface IP. At this point I most definitely need to add the new gateway as a default gw, right? Run it from within screen so it keeps going if the network temporarily drops. (Question: Should this do the job? Are there any special gotchas I should keep my eye out for? Any tips on what commands to run to do this properly?)
Using 'tmux' or 'screen', open a shell session for 'sleep NSECS && reboot' (NSECS 300 is often quite ok but YMMV) — this would allow you to regain access with the previous settings if re-configuring went wrong. Yeah, that's an outage, but a better one. You can use 'shutdown -r +min' if you like reboot alarming on the console :-)
In another shell session, assign the alias to the interface. Nothing special if the networks aren't overlapping, just use a proper mask (not /32). Then use 'route change default' (see manual). Actually, you can use a shell script 'ping'ing some remote host and making 'route change default old-gw' in case there were no echoes. This would save you rebooting in case the new gateway settings aren't working.
Basically that's it.
P. S. Don't forget canceling the reboot if the mission succeeded. ;-) Don't forget saving the new settings in the configs as well.
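The procedure sketched in the question (alias, new default route, promote the new address) combined with the dead-man reboot and gateway fallback from the answer above, written out as an added example script; it is not code from either poster. All interface and address values are constructed placeholders (em0, 198.51.100.0/24 old, 203.0.113.0/24 new, a probe host of 192.0.2.1), tmux is assumed to be installed, and DRY_RUN=1 (the default) prints the commands instead of running them so the logic can be checked before it touches a real firewall.

```sh
#!/bin/sh
# Added example: staged admin-IP cutover on an OpenBSD firewall with a
# dead-man reboot timer and automatic gateway fallback.
# Values below are constructed placeholders; set them for your box.
IFACE="${IFACE:-em0}"
OLD_IP="${OLD_IP:-198.51.100.10}"; OLD_GW="${OLD_GW:-198.51.100.1}"
NEW_IP="${NEW_IP:-203.0.113.10}";  NEW_MASK="${NEW_MASK:-255.255.255.0}"
NEW_GW="${NEW_GW:-203.0.113.1}"
PROBE_HOST="${PROBE_HOST:-192.0.2.1}"   # assumed: a host beyond the new gateway that answers ping
DEADMAN_SECS="${DEADMAN_SECS:-300}"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands only; 0 = really run them

# run: execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Dead-man timer: a detached tmux session that reboots the box unless cancelled,
# so a broken configuration is undone by a reboot into the old, unsaved state.
arm_deadman()    { run tmux new-session -d -s deadman "sleep $DEADMAN_SECS && reboot"; }
disarm_deadman() { run tmux kill-session -t deadman; }

# Add the new address as an alias with its real netmask (not /32), as the answer
# says; nothing else is needed for a non-overlapping subnet.
add_alias() { run ifconfig "$IFACE" inet "$NEW_IP" netmask "$NEW_MASK" alias; }

# Switch the default route to the new gateway, or back to the old one.
switch_gateway() { run route change default "$NEW_GW"; }
revert_gateway() { run route change default "$OLD_GW"; }

# probe: 0 if PROBE_HOST answers through the current default route.
# PING_CMD can be overridden (e.g. with true/false) to test the flow offline.
probe() {
  ${PING_CMD:-ping -c 3 -w 5} "$PROBE_HOST" >/dev/null 2>&1
}

# cutover: run the whole sequence. Returns 0 on success; on a failed probe the
# old gateway is restored and the dead-man timer is left armed.
cutover() {
  arm_deadman
  add_alias
  switch_gateway
  if probe; then
    # New gateway works: drop the old address so the alias is the only
    # (and therefore the main) address left on the interface.
    run ifconfig "$IFACE" inet "$OLD_IP" delete
    disarm_deadman
    return 0
  else
    # No echoes through the new gateway: go back, keep SSH on the old address.
    revert_gateway
    return 1
  fi
}

case "${1:-}" in
  run) cutover ;;
esac
```

Run it inside tmux or screen (as both posters suggest) with `DRY_RUN=0 sh cutover.sh run` once the printed dry-run output looks right; the dead-man session is only cancelled on the success path, so a hung script still ends in a reboot to the last saved configuration. Persisting the new address to the configuration files is a separate step, as the P.S. notes.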
I would configure the serial port for a terminal and have it hooked up to a laptop or something else out of band. Make all your changes from this entry point.
Use your redundancy
If you're so concerned about outage, I assume you have at least two firewalls running CARP and related services.
If you don't have two, you're going to have an outage whenever a disk or a PSU dies or when you upgrade to OpenBSD 5.0 in a few months.
Edit the relevant /etc/hostname.if(5) and /etc/mygate on box1 with the new IP address. Reboot box1. When it comes back up, ensure everything works.
When you're sure it's ok, edit /etc/hostname.if(5) and /etc/mygate on box2 with the new IP address. Reboot box2 and ensure everything works when it comes back up.
SPoF
If you really only have one box, edit hostname.if and mygate with the new IP address and reboot when there are fewest users on.
You'll want to reboot the system anyway to ensure the right IP is configured. If you wait 6 months and your change is broken, you won't remember why and you might spend hours on the problem instead of just fixing the problem right away.
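The persistence step this answer describes (edit hostname.if(5) and /etc/mygate, then reboot), as an added example that is not the answerer's own script. It writes the two files under a ROOT prefix (assumed, for staging and testing; empty for the real /etc) and refuses to write if the gateway is not inside the new address's subnet, which is the mistake most likely to leave a rebooted box unreachable. Interface and address values are constructed placeholders.

```sh
#!/bin/sh
# Added example: persist the new admin address to /etc/hostname.<if> and
# /etc/mygate, checking first that the gateway lies in the new subnet.
ROOT="${ROOT:-}"              # assumed prefix for staging/testing; "" means the real /etc
IFACE="${IFACE:-em0}"         # constructed placeholder values follow
NEW_IP="${NEW_IP:-203.0.113.10}"
NEW_MASK="${NEW_MASK:-255.255.255.0}"
NEW_GW="${NEW_GW:-203.0.113.1}"

# ip2int: dotted quad -> unsigned integer, using only POSIX sh arithmetic.
ip2int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# same_subnet IP GW MASK: 0 when IP and GW share the network given by MASK.
same_subnet() {
  m=$(ip2int "$3")
  [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# write_config: validate, then write hostname.if(5) and mygate(5) atomically
# enough for a reboot (temp file + rename), keeping hostname.if root-readable only.
write_config() {
  if ! same_subnet "$NEW_IP" "$NEW_GW" "$NEW_MASK"; then
    echo "refusing: gateway $NEW_GW is not in $NEW_IP/$NEW_MASK" >&2
    return 1
  fi
  mkdir -p "$ROOT/etc"
  hn="$ROOT/etc/hostname.$IFACE"
  printf 'inet %s %s\n' "$NEW_IP" "$NEW_MASK" > "$hn.tmp"
  chmod 640 "$hn.tmp" && mv "$hn.tmp" "$hn"
  printf '%s\n' "$NEW_GW" > "$ROOT/etc/mygate.tmp"
  mv "$ROOT/etc/mygate.tmp" "$ROOT/etc/mygate"
}

case "${1:-}" in
  write) write_config ;;
esac
```

After `sh persist.sh write` on the real system, reboot as the answer recommends so the files, not the running state, are what gets verified. The subnet check is deliberately strict: a gateway outside the interface's own network is exactly the case the question worried about, and on a single box it is better to fail before the reboot than after it.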