APC PDU, UPS, and other devices when first unboxed require a special "cookie" in DHCP responses in order to accept the offered IP address and settings. This is a good default, which helps prevent accidentally exposing devices that can control power. It's easy to configure pfSense with this cookie and get on with properly configuring the new device.
The cookie seems to be used in just about every APC device, and is:
APC Cookie. Tag 1, Len 4, Data "1APC"
Or, as hex...
Option 43 = 0x010431415043
Read more about this here
Configure DHCP Cookie
- Log in to your pfSense web interface
- From the top bar, select Services then click DHCP Server
- Scroll down, next to Additional BOOTP/DHCP Options click the Display Advanced button. New options will appear
- For Option type 43
- For Type select String
- For Value type 01:04:31:41:50:43
- Click Save
- Optionally, restart the DHCP service
That's it, your device should now accept the DHCP offer, and you can connect to it's IP address via Telnet or your web browser. The default username and password are typically apc and apc.
You may now wish to configure the APC device to accept normal DHCP, then remove the APC cookie from your pfSense firewall.
Note: unfortunately in pfSense this option cannot be provided on a per device basis, only per interface. So after configuring the above, every DHCP offer will include the cookie.
Additional Recommended Settings
Use a Secure Network
We strongly recommend that your PDU, UPS, and other "Out of Band" devices be connected to their own network segment, and not connect in the same segment as servers or desktops.
Access to these devices should be controlled tightly both on your firewall and through each device's configuration.
This could be achieved using VLAN's with a VLAN interface on your pfSense firewall, or an inexpensive dedicated switch connected to it's own interface on your pfSense firewall.
You may also like to configure the device to use SSH and/or HTTPS rather than Telnet and HTTP.
Configure DHCP for Static IP's only
We recommend the following DHCP settings for OOB networks. These settings may provide some "security" but are mainly designed to avoid mistakes.
- Enable DHCP
- Ignore BOOTP queries, unless you have some older devices
- Deny unknown clients, so that IP's aren't handed out to new devices unless they are configured with a static lease. This will force you to plan the IP space and prevent devices getting an IP address if accidentally connected to the network.
- Ignore denied clients, so that the server doesn't send NACK responses.
We offer commercial support, why not contact us
If these steps have helped you, please put a 5 star review on our Facebook page