-
@markster Two things:
-
In addition to approving each source IP address in Control Panel -> Hardware & Power -> UPS -> Permitted DiskStation Devices, you also have to use specific values for the username and password. See post #2 in the NUT support https://forum.netgate.com/post/1134946.
-
If possible, you should move to having pfSense as the NUT primary and Synology as the secondary to reduce risk to the Synology. See discussion in the NUT support thread.
-
-
@dennypage Thanks for the tips.
I read the post you recommended and on Synology upsd.conf I had only one entry - LISTEN 127.0.0.1:3493
I added new entry LISTEN 192.168.50.200:3493 and restarted Synology service with disable/enable checkbox.
Then I restarted pfsense NUT client but the same message is still showing. I may have to check with Synology support and see what they say about this error.
The system is working as intended so it makes me wonder if this may be more of a warning rather than an error.
-
@markster The LISTEN directive would be to support remote connection wherein pfSense were operating as primary/master, rather than pfSense operating as a secondary/slave connecting to a remote system (such as Synology).
It's not a warning. It means that the secondary was not successful logging into the primary. This means that the primary will not take the secondary into consideration in initiating a shutdown. That's bad.
Most likely you have an error in username ("monuser") or password ("secret").
Regardless, highly recommend that you swap the primary/secondary between Synology and pfSense.
-
@markster said in NUT errors on connect:
I had only one entry - LISTEN 127.0.0.1:3493
Look :
The LISTEN isn't needed.
( it's the default entry in the config file - see the links proposed here for every configuration box )
I've added some users, the last one is the one for the Synology, as this device uses the hard coded user and password as shown.
What you DO need is : a NAT rule :
because devices on LAN can not access the pfSense "127.0.0.1". A classic firewall won't help you here, you need the power of NAT.
So I redirected the default 3493 NUT UDP port from LAN:3493 to 127.0.0.1:3493
Add other NAT rules if you need other interfaces to access the NUT server on pfSense.
-
@Gertjan but I am using Synology as NUT server. I think you are thinking that I am running NUT server (master) on pfsense.
I use Synology as NUT server (master) and pfsense is the NUT slave (client). Below is my pfsense UPS config
This data is matched on my Synology upsd.users. Please remember that what I have is currently fully functional configuration, and tested.
When I pull the power plug on the APC UPS after 20 minutes (configured time on synology) the Synology master NUT sends a command to pfsense to initiate the shutdown. This all works. See log below
What I cannot figure out is this error during connect. Remember that this is pfsense slave connecting to Synology UPS master. Here is tcpdump from Synology.
*****
09:58:00.631765 IP 192.168.50.1.1262 > 192.168.50.200.3493: Flags [P.], seq 10:27, ack 28, win 514, options [nop,nop,TS val 3566698764 ecr 2167175], length 17
E..E..@.@.T...2...2........ML.%F.....f.....
.....!..USERNAME monuser
09:58:00.631792 IP 192.168.50.200.3493 > 192.168.50.1.1262: Flags [P.], seq 28:31, ack 27, win 114, options [nop,nop,TS val 2167175 ecr 3566698764], length 3
E..7..@.@.=...2...2.....L.%F...^...r.C.....
.!......OK
09:58:00.631900 IP 192.168.50.1.1262 > 192.168.50.200.3493: Flags [.], ack 31, win 514, options [nop,nop,TS val 3566698764 ecr 2167175], length 0
E..4..@.@.T...2...2........^L.%I....MY.....
.....!..
09:58:00.631909 IP 192.168.50.1.1262 > 192.168.50.200.3493: Flags [P.], seq 27:48, ack 31, win 514, options [nop,nop,TS val 3566698764 ecr 2167175], length 21
E..I..@.@.T...2...2........^L.%I....6......
.....!..PASSWORD gghgs77sh
09:58:00.631933 IP 192.168.50.200.3493 > 192.168.50.1.1262: Flags [P.], seq 31:34, ack 48, win 114, options [nop,nop,TS val 2167175 ecr 3566698764], length 3
E..7..@.@.=...2...2.....L.%I...s...r.C.....
.!......OK
*****
Here the user "monuser" is authenticated and Synology UPS server response is OK.
09:58:00.632019 IP 192.168.50.1.1262 > 192.168.50.200.3493: Flags [.], ack 34, win 514, options [nop,nop,TS val 3566698764 ecr 2167175], length 0
E..4..@.@.T...2...2........sL.%L....MA.....
.....!..
09:58:00.632028 IP 192.168.50.1.1262 > 192.168.50.200.3493: Flags [P.], seq 48:58, ack 34, win 514, options [nop,nop,TS val 3566698764 ecr 2167175], length 10
E..>..@.@.T...2...2........sL.%L...........
.....!..LOGIN ups
09:58:00.632053 IP 192.168.50.200.3493 > 192.168.50.1.1262: Flags [P.], seq 34:52, ack 58, win 114, options [nop,nop,TS val 2167175 ecr 3566698764], length 18
E..F..@.@.=...2...2.....L.%L...}...r.R.....
.!......ERR ACCESS-DENIED
Ok, so here I don't understand why NUT slave/client on pfsense is running this command "LOGIN ups" since the user monuser has already connected.
This was the original question.
-
@markster said in NUT errors on connect:
but I am using Synology as NUT server. I think you are thinking that I am runing NUT server (master) on pfsense.
I get it
Which means that you have to use the NAS Syno GUI to add 'external' NUT clients accounts, like the one pfSense is using.
This is most probably not 'monuser' (with the password "secret") as this pair is used by the Syno NUT when it works as a NUT-client.
You've set up your Syno as a NUT server - so you need to create user name and password info.
.... using the config files ..... as the GUI doesn't allow you to do this.
And as usual, like pfSense, when you edit config files manually, they will get recreated upon system boot etc (or NUT Syno package upgrade etc).
This is why pfSense NUT Master chief @dennypage advised you to use pfSense as a NUT server.
"and life will be easier".
Not that I'm saying that it isn't possible of course.
But this will be a Syno NAS support forum thing.
On the pfSense side of things, you only need the classic 3 :
The NAS IP : it's 192.168.50.200
The user name, that you've created on the NAS
The password for this NUT user.
The port number is 3493 (UDP) ( but don't presume this : check with Syno ... or create a SSH admin access on your Syno, and ask it )
My neurons are in a decaying phase for decades now, so I'm not sure the 'monuser'+"secret" is the one to use. By default, I "doubt that".
In fact, I've been using my own Syno NAS as a NUT server in the past, it did work, I had to change files manually. The official NUT documentation did help me out, AFAIK.
But DSM does change 'things' all the time.
-
@markster said in NUT errors on connect:
I read the post you recommended and on Synology upsd.conf I had only one entry - LISTEN 127.0.0.1:3493
I added new entry LISTEN 192.168.50.200:3493 and restarted Synology service with disable/enable checkbox.
Editing config files by hand on Synology does not work. When you re-enable the UPS service Synology, it overwrites the active config files again. You must make all changes in the Control Panel.
If the upsd.conf on Synology only has 127.0.0.1, it means that the network server is not actually enabled. You need to check the box Control Panel -> Hardware & Power -> UPS -> Enable network UPS server. And you need the IP address (not hostname) of the pfSense system in Permitted DiskStation Devices.
I still recommend that you swap Synology and pfSense as primary and secondary if you can. Being a secondary is safer for the Synology.
-
You can test Synology access outside of the driver using nc (or telnet, etc.).
This is what it looks like when Synology has been configured to allow a NUT connection from the IP address and the username/password is correct:
# nc -v 192.168.1.10 3493
Connection to 192.168.1.10 3493 port [tcp/nut] succeeded!
USERNAME monuser
OK
PASSWORD secret
OK
LOGIN ups
OK
This is what it looks like when Synology has not been configured to allow a NUT connection:
# nc -v 192.168.1.10 3493
Connection 192.168.1.10 3493 port [tcp/nut] succeeded!
USERNAME monuser
ERR ACCESS-DENIED
This is what it looks like when the connection is allowed but the password incorrect:
# nc -v 192.168.1.10 3493
Connection to 192.168.1.10 3493 port [tcp/nut] succeeded!
USERNAME monuser
OK
PASSWORD badpass
OK
LOGIN ups
ERR ACCESS-DENIED
Note that with an incorrect password you do not receive an access denied message until the login is attempted. An incorrect username behaves the same way.
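The three nc sessions in the post above, scripted as an added example (not part of the original post and not NUT's own code): `nut_login_check` sends the same commands and names the failure by the step at which `ERR ACCESS-DENIED` arrives. `fake_upsd` and `demo` are constructed stand-ins so it runs offline; the function names and result strings are assumptions.

```python
import socket
import threading

def nut_login_check(sock, username, password, ups="ups"):
    """Run USERNAME / PASSWORD / LOGIN on a connected socket and classify the result."""
    with sock.makefile("r", encoding="ascii", newline="\n") as reader:
        for verb, arg in (("USERNAME", username), ("PASSWORD", password), ("LOGIN", ups)):
            sock.sendall(f"{verb} {arg}\n".encode("ascii"))
            reply = reader.readline().strip()
            if reply.startswith("OK"):
                continue
            if reply != "ERR ACCESS-DENIED":
                return f"unexpected reply to {verb}: {reply!r}"
            # Per the sessions above: a refusal before LOGIN means this client IP is
            # not permitted; a refusal at LOGIN means a wrong username or password.
            return "credentials-rejected" if verb == "LOGIN" else "client-not-permitted"
    return "login-ok"

def fake_upsd(conn, permitted, user, password):
    """Constructed stand-in for the server, reproducing only the replies shown above."""
    seen = {}
    with conn, conn.makefile("r", encoding="ascii", newline="\n") as lines:
        for line in lines:
            verb, _, arg = line.strip().partition(" ")
            if not permitted:
                reply = "ERR ACCESS-DENIED"
            elif verb in ("USERNAME", "PASSWORD"):
                seen[verb] = arg
                reply = "OK"  # accepted without validation, as in the sessions above
            elif verb == "LOGIN":
                good = (seen.get("USERNAME"), seen.get("PASSWORD")) == (user, password)
                reply = "OK" if good else "ERR ACCESS-DENIED"
            else:
                reply = "ERR UNKNOWN-COMMAND"
            conn.sendall((reply + "\n").encode("ascii"))

def demo(permitted, username, password):
    """Check one scenario against the constructed server over a local socket pair."""
    client, server = socket.socketpair()
    threading.Thread(target=fake_upsd, daemon=True,
                     args=(server, permitted, "monuser", "secret")).start()
    with client:
        return nut_login_check(client, username, password)
```

Against a real server, pass `socket.create_connection(("192.168.1.10", 3493), timeout=5)` as `sock` instead of calling `demo`.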
-
So, it's TCP after all.
Thanks for the detailed guide.
-
@dennypage thanks for helping me with this.
I have my reasons to stick with Synology as master/primary and like to keep it this way.
I am on the latest DSM 7.2 and was modifying the upsd configuration files in /usr/syno/etc/ups directory.
Things like users passwords and even LISTEN directives. These values did not change when I disabled and enabled back Synology UPS server or the whole service. That's good news. Maybe Syno guys figured that would help or there is something else going on with Synology code I don't know about.
Anyway, your latest post got me thinking and I reverted to default password "secret" for user monuser and behold, the error is no longer there.
Thanks guys for helping :)
-cheers
Mark
-
@markster said in NUT errors on connect:
I am on the latest DSM 7.2 and was modifying the upsd configuration files in /usr/syno/etc/ups directory.
Things like users passwords and even LISTEN directives. These values did not change when I disabled and enabled back Synology UPS server or the whole service.
They were not overwritten because those config files are not the ones used by the running DSM config.
In fact, I think /usr/syno/etc/ups is a leftover from a DSM 6 install. For DSM 7.2, the running config files are found in /etc/ups. But as I said, don't try to modify them by hand as they are automatically overwritten with each update.
-
@dennypage Today out of nowhere my pfsense decided to shutdown. Here is the message I cannot understand.
I checked Synology logs and there is nothing there that would let me believe that Synology detected the outage and sent a command to pfsense to shutdown. It has been up and running since we talked last time.
Never seen the message "administratively OFF or asleep". But it seems that this caused the shutdown.
I wanted to point out that I never had this issue with previous version of pfsense and ups monitoring would work for months without outages. This however has happened a few times already. I started the thread believing that the configuration is wrong.
But now that we made sure the setup is correct, something else is at play that causes that.
-
-