Netgate Discussion Forum

    Remote access to NUT

    • dennypage

      General notes on remote access to NUT

      If you want to allow access to the NUT daemon from other hosts, there are two options available. You can either use a port forward in the firewall rules, or you can add a listen directive to upsd.conf.

      Option 1: To add a port forward, go to Firewall / NAT / Port Forward, and create a port forward with the following attributes:

      Interface: The interface you want to allow access from, usually LAN
      Protocol: TCP
      Destination: The firewall address matching the interface, usually LAN address.
      Destination port: The port you want to use for access, usually 3493
      Redirect target IP: 127.0.0.1
      Redirect target port: 3493

      In general, this option is simpler because you can easily restrict access by adding a Source Address to the NAT rule.

      Option 2: To add a listen directive to NUT, go to Services / UPS / Settings. Use the Display Advanced button to show the Advanced settings section. In the section for upsd.conf, add a line like:

      LISTEN 192.168.1.1

      where 192.168.1.1 is the address of the interface you want to allow access from. You can also specify IPv6 addresses with the listen directive. Note that if you use this option, you will need to use firewall rules to restrict access to specific source addresses.

      It is important to choose one option or the other. DO NOT DO BOTH AT THE SAME TIME.

      Regardless of which option above you choose, you will also need to add a user entry in upsd.users. To add the entry, go to Services / UPS / Settings. Use the Display Advanced button to show the Advanced settings section. In the section for upsd.users, add lines like:

      [remoteuser]
      password = mypassword
      upsmon slave

      Allowing remote access to NUT on the firewall should not be done casually. If you do allow remote access, it is a good idea to restrict access to trusted source addresses only.


      Notes on Synology

      Synology's NUT implementation uses hardcoded values for several items:

      • UPS Name: "ups"
      • Username: "monuser"
      • Password: "secret"

      If you want pfSense to be able to share a UPS with a Synology system, either as a remote NUT client or a remote NUT server, you must use these values when configuring NUT on pfSense.

      Also, if you are connecting pfSense as a client to a NUT server running on a Synology system, you will need to explicitly add the IP address of the pfSense system to the list of "Permitted DiskStation Devices" in the Synology control panel. Failure to do so will result in a permission denied when attempting the NUT login.

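As an added example (not from the original post or the pfSense NUT package), this Python script reads upsd.conf and upsd.users text and lists the entries the post above says must be paired with source-address restrictions: non-loopback LISTEN addresses and the fixed Synology credentials. The sample configuration and the function names are constructed for illustration.

```python
import ipaddress

SYNOLOGY_FIXED = ("monuser", "secret")  # hardcoded values quoted in the post

# Constructed sample input, not taken from a real system.
SAMPLE_CONF = "LISTEN 127.0.0.1\nLISTEN ::1\nLISTEN 192.168.1.1\n"
SAMPLE_USERS = ("[monuser]\npassword = secret\nupsmon slave\n\n"
                "[remoteuser]\npassword = mypassword\nupsmon slave\n")

def parse_listen(conf):
    """Return (address, port) per LISTEN line; NUT's default port is 3493."""
    out = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()  # naive: ignores quoted '#'
        if len(parts) >= 2 and parts[0] == "LISTEN":
            out.append((parts[1], int(parts[2]) if len(parts) > 2 else 3493))
    return out

def parse_users(text):
    """Return {section: {key: value}} for upsd.users-style text."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = users.setdefault(line[1:-1], {})
        elif line and current is not None:
            sep = "=" if "=" in line else " "  # "upsmon slave" has no '='
            key, _, value = line.partition(sep)
            current[key.strip()] = value.strip().strip('"')
    return users

def audit(conf, users_text):
    """List settings that need a matching source-address restriction."""
    findings = []
    for addr, port in parse_listen(conf):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"LISTEN {addr} port {port}: not an IP literal, check by hand")
            continue
        if ip.is_unspecified:
            findings.append(f"LISTEN {addr} port {port}: binds every interface")
        elif not ip.is_loopback:
            findings.append(f"LISTEN {addr} port {port}: needs a firewall rule limiting sources")
    for name, opts in parse_users(users_text).items():
        if (name, opts.get("password")) == SYNOLOGY_FIXED:
            findings.append(f"[{name}]: fixed Synology credentials, restrict by source address")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, SAMPLE_USERS)))
```

Paste the contents of the two Advanced settings boxes into `audit()` in place of the samples; it cannot see NAT rules, so the "one option or the other" check remains manual.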
      • Cloudless Smart Home @dennypage

        @dennypage I am finally getting one of my machines to connect to my NUT server running on pfSense, and have followed the instructions here to work with my Synology NASes, but they give an error. So, the UPS is connected via USB to pfSense. I am trying to configure the Synology DSM using SNMP and using the IP address of pfSense, but must also configure the SNMP community. I guessed at using public. I really don't know what I'm doing, and wish I could find a guide to the settings. Not sure it matters for this question, but my UPS is an APC SUA2200.

        • Cloudless Smart Home

          Also, I added pollfreq 10 in an attempt to fix my notifications firing every minute, filling my email and Telegram inboxes that "connection was lost" and then "connection was re-established" back and forth.

          Here are some logs...

          
          Apr 24 20:28:44	upsmon	23200	Communications with UPS ups established
          Apr 24 20:28:44	upsd	25497	User local-monitor@127.0.0.1 logged into UPS [ups]
          Apr 24 20:28:42	upsd	25497	Connected to UPS [ups]: usbhid-ups-ups
          Apr 24 20:28:41	usbhid-ups	25580	Startup successful
          Apr 24 20:28:40	upsd	25497	Startup successful
          Apr 24 20:28:40	upsd	25404	Found 1 UPS defined in ups.conf
          Apr 24 20:28:40	upsd	25404	Can't connect to UPS [ups] (usbhid-ups-ups): No such file or directory
          Apr 24 20:28:40	upsd	25404	listening on 10.0.175.1 port 3493
          Apr 24 20:28:40	upsd	25404	listening on 10.0.150.1 port 3493
          Apr 24 20:28:40	upsd	25404	listening on 10.0.125.1 port 3493
          Apr 24 20:28:40	upsd	25404	listening on ::1 port 3493
          Apr 24 20:28:40	upsd	25404	listening on 127.0.0.1 port 3493
          Apr 24 20:28:39	upsmon	23200	Communications with UPS ups lost
          Apr 24 20:28:39	upsmon	23200	UPS [ups]: connect failed: Connection failure: Connection refused
          Apr 24 20:28:39	upsmon	22681	Startup successful
          

          • dennypage @Cloudless Smart Home

            @Cloudless-Smart-Home said in Remote access to NUT:

            I am finally getting one of my machines to connect to my NUT server running on pfSense, and have followed the instructions here to work with my Synology NASes, but they give an error. So, the UPS is connected via USB to pfSense. I am trying to configure the Synology DSM using SNMP and using the IP address of pfSense, but must also configure the SNMP community.

            When connecting a Synology client to a remote NUT server (pfSense in this case), in Control Panel the "UPS type" would be "Synology UPS server".

            SNMP UPS is used when speaking directly to a UPS that has its own network management system.

            • Cloudless Smart Home @dennypage

              @dennypage Ooohhh. Thanks! I actually do have a network card on the UPS, but that's not going to work for the rest of my servers to shut down without running the NUT server somewhere, right?

              Noice! That worked. So the Synology DSM will go into hibernation or shut down if the UPS battery is low, or do I still have work to do?

              • dennypage @Cloudless Smart Home

                @Cloudless-Smart-Home said in Remote access to NUT:

                Noice! That worked. So the Synology DSM will go into hibernation or shut down if the UPS battery is low, or do I still have work to do?

                Although it will not actually power off, it will go into a low activity safe mode. I guess you could call that hibernation. I don't remember if it recovers automatically when power is restored, or if you have to initiate a reboot.

                • Josho_SAI

                  @dennypage any tips for this when there are 2 x pfSense+ appliances config'd in HA?

                  Currently I only have 1 x APC Smart3000 UPS, but will eventually be hosting 2 with the APC Auto Transfer Switch.

                  In HA mode, with firewall rules, would you create the NAT rule to point to the LAN CARP VIP?

                  For testing purposes, I will be looking into Option 2 as the NUT package is installed on the pfSense+ primary and the NUT daemon is running when connected to the UPS via USB cable (thank you!).

                  As such and for testing, I've added the LISTEN directive to point to the IP address for the pfSense+ primary LAN IPv4 address, not the CARP VIP.

                  • dennypage @Josho_SAI

                    @Josho_SAI My personal view is that if you have sufficient need for redundant firewalls, then you would want each firewall to have its own fully independent UPS to avoid single points of failure. YMMV

                    • Josho_SAI @dennypage

                      @dennypage No arguments from me on this, however the plan is when installing 2 UPS's, to connect any single-powered device to an Auto Transfer Switch. If 1 UPS is powered off for maintenance, the ATS will maintain power going to all single-powered devices seamlessly.

                      I'm more interested about your comment relating to NAT firewall rules. Would you use a CARP VIP over the LAN IP address for the primary pfSense device when running in HA?

                      • dennypage @Josho_SAI

                        @Josho_SAI said in Remote access to NUT:

                        I'm more interested about your comment relating to NAT firewall rules. Would you use a CARP VIP over the LAN IP address for the primary pfSense device when running in HA?

                        If I understand what you’re asking, I think you would have to use the real IP.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.