Out-of-Band & Physical Access

Emergency access procedures for the Owl gateway (DEC700, Urbandale, Iowa) when all remote connectivity is lost.

Physical Site Details

Attribute	Value
Location	Urbandale, Iowa
Hardware	DEC700 mini-PC (3× Intel igb NICs)
ISP	Metronet (static IP: 46.110.77.34/26)
Console	Serial (RS-232 / USB-serial) or monitor + keyboard
Remote OOB	None — DEC700 has no BMC/IPMI/iDRAC

When Physical Access Is Needed

Physical console is the last resort when:

• WAN SSH (ssh joe@46.110.77.34) is unreachable
• ZeroTier SSH (ssh joe@192.168.194.10) is unreachable
• API (https://46.110.77.34/api/...) returns nothing
• Web UI is inaccessible from all interfaces

Common causes requiring physical access:

• Config corruption (firewall locked out SSH)
• Boot failure (disk error, bad upgrade)
• Network interface misconfiguration
• Total power or ISP outage requiring manual intervention after restoration

Console Access

Serial Console

Connect a serial cable or USB-serial adapter to the DEC700's serial port.

Baud rate: 115200
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

Terminal emulator on macOS:

# Find the USB-serial device
ls /dev/cu.usbserial-*

# Connect with screen
screen /dev/cu.usbserial-XXXX 115200
# To disconnect: Ctrl-A then K, confirm with Y

Monitor + Keyboard

Alternatively, connect an HDMI/VGA monitor and USB keyboard directly to the DEC700. The OPNsense console menu appears on the primary display.

OPNsense Console Menu

Once connected, the console displays:

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface(s) IP address         9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reboot
  5) Power off system                   12) Upgrade from console
  6) Restore a configuration

Key options:

Option	When to use
1 — Assign interfaces	NICs are wrong or unassigned after hardware change
2 — Set IP address	LAN IP missing, need basic connectivity for SCP/SSH
3 — Reset root password	Locked out of root (use sparingly, then re-harden)
6 — Restore configuration	Load a config.xml from USB or local file
8 — Shell	Full FreeBSD shell for diagnostics and recovery
11 — Reboot	After config restore or fix

Interface Mapping

The DEC700 has three Intel igb NICs. The correct assignment is:

Port	Interface	Assignment	IP
igb0	LAN	Primary LAN	10.7.0.1/16
igb1	WAN	Metronet uplink	46.110.77.34/26
igb2	OPT1	Unused	—

If interfaces are wrong after reinstall:

1. Console option 1 — Assign interfaces
2. Map igb1 → WAN, igb0 → LAN, skip igb2
3. Console option 2 — Set LAN IP to 10.7.0.1/16
4. Do NOT set a LAN gateway (it's the gateway itself)

Serial Console Automation Scripts

Automation scripts for serial console operations are in gateways/owl/scripts/:

Script	Purpose
serial-bootstrap.py	Automated initial OPNsense setup via serial
serial-create-apikey.py	Create API key via serial console shell
serial-password-reset.py	Reset passwords via serial console

These require a serial connection from a host with Python 3 and pyserial:

pip install pyserial
python3 gateways/owl/scripts/serial-bootstrap.py /dev/cu.usbserial-XXXX

Recovery Workflow

Quick recovery (config restore)

1. Connect to console (serial or monitor)
2. Console option 8 (Shell)
3. Check if config is the problem:

cat /conf/config.xml | head -5   # Should show <?xml and <opnsense>

1. Restore from USB or network — see Disaster Recovery
2. Console option 11 (Reboot)
3. Verify remotely from luna

Full rebuild (hardware replacement)

1. Install OPNsense from USB installer
2. Console option 1 — Assign interfaces (igb1=WAN, igb0=LAN)
3. Console option 2 — Set LAN IP 10.7.0.1/16
4. Either:
   • Fast: SCP a config.xml and reboot (see Disaster Recovery)
   • Clean: Create joe user + SSH key, then run Ansible: ./scripts/run-opnsense.sh owl --wan

Remote Access Escalation Path

Before traveling to the physical site, exhaust all remote options:

1. ssh joe@192.168.194.10          # ZeroTier (preferred)
   ↓ failed
2. ssh joe@46.110.77.34            # WAN IPv4
   ↓ failed
3. ssh joe@owl.scandora.net        # IPv6 (HE tunnel, if up)
   ↓ failed
4. curl -sk https://46.110.77.34/  # Check if web UI responds
   ↓ failed
5. ping 46.110.77.34               # Check if host is alive at all
   ↓ failed
6. Check ISP status (Metronet)     # Outage?
   ↓ confirmed up or unknown
7. Physical console at Iowa site   # Last resort

Travel Kit

Items to bring when traveling to the Iowa site for physical access:

• Laptop with serial terminal software (screen, minicom)
• USB-to-serial adapter (if laptop lacks RS-232)
• USB drive (FAT32) with emergency-restore configs
• USB drive with OPNsense installer ISO (current version)
• Ethernet cable
• Copy of this runbook (printed or on phone)
• 1Password access on phone (for API key + secret if needed)

Power Considerations

The DEC700 does not have redundant power supplies. If the site loses power:

• UPS: Document UPS model and estimated runtime here
• Auto-start: DEC700 BIOS should be set to "power on after power loss" — verify this is configured
• After power restoration: OPNsense should boot automatically and restore all services
• If it doesn't come back: Physical console required — check BIOS settings, disk integrity

See Also

• Disaster Recovery Runbook — Full DR procedures with severity levels
• Emergency Access — SSM/IAP for cloud instances (not applicable to Owl)
• Owl Gateway — Full gateway documentation
• Troubleshooting — Common issues and fixes