
Configure pfSense® to provide DHCP option 43 cookie for APC UPS and PDU device


Overview

When first unboxed, APC PDU, UPS, and other devices require a special "cookie" in DHCP responses before they will accept the offered IP address and settings. This is a good default, which helps prevent accidentally exposing devices that can control power. It's easy to configure pfSense with this cookie and get on with properly configuring the new device.

The cookie seems to be used in just about every APC device, and is:

APC Cookie. Tag 1, Len 4, Data "1APC"
Or, as hex...
Option 43 = 0x010431415043

Read more about this here

Configure DHCP Cookie

Select DHCP Server from top menu

  • Log in to your pfSense web interface
  • From the top bar, select Services then click DHCP Server

Enter option 43 

  • Scroll down, next to Additional BOOTP/DHCP Options click the Display Advanced button. New options will appear
  • For Option type 43
  • For Type select String
  • For Value type 01:04:31:41:50:43
  • Click Save
  • Optionally, restart the DHCP service

That's it. Your device should now accept the DHCP offer, and you can connect to its IP address via Telnet or your web browser. The default username and password are typically apc and apc.

You may now wish to configure the APC device to accept normal DHCP, then remove the APC cookie from your pfSense firewall.

Note: unfortunately, in pfSense this option cannot be provided on a per-device basis, only per interface. So after configuring the above, every DHCP offer on that interface will include the cookie.
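To check the value before or after typing it into pfSense, the following Python sketch encodes and decodes the option 43 sub-option layout described above (tag, length, data) and confirms the APC cookie is present. It is an added example, not part of the original article or of pfSense/APC tooling; the function names are hypothetical, and the handling of pad (0) and end (255) tags follows RFC 2132 rather than anything stated on this page.

```python
# Added example: DHCP option 43 sub-options are (tag, length, data) triples.
# Page-derived values: tag 1, length 4, data "1APC", 01:04:31:41:50:43.
APC_TAG, APC_COOKIE = 1, b"1APC"  # constant names are illustrative


def encode_suboptions(subopts):
    """Return (tag, data) pairs as the colon-separated hex pfSense expects."""
    out = bytearray()
    for tag, data in subopts:
        # Tags 0 (pad) and 255 (end) are reserved by RFC 2132 and carry no data.
        if not 1 <= tag <= 254 or len(data) > 255:
            raise ValueError("tag must be 1-254 and data at most 255 bytes")
        out += bytes([tag, len(data)]) + data
    return ":".join(f"{b:02x}" for b in out)


def decode_suboptions(value):
    """Parse colon-separated or 0x-prefixed hex into a list of (tag, data)."""
    text = value.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text.replace(":", ""))
    subopts, i = [], 0
    while i < len(raw):
        tag = raw[i]
        if tag == 0:        # pad byte, no length field
            i += 1
            continue
        if tag == 255:      # end marker
            break
        if i + 2 > len(raw):
            raise ValueError(f"sub-option {tag} has no length byte")
        length = raw[i + 1]
        data = raw[i + 2:i + 2 + length]
        if len(data) != length:  # length byte disagrees with the data present
            raise ValueError(f"sub-option {tag}: expected {length} bytes, got {len(data)}")
        subopts.append((tag, data))
        i += 2 + length
    return subopts


def has_apc_cookie(value):
    """True if the payload carries tag 1 with the 4-byte cookie '1APC'."""
    return (APC_TAG, APC_COOKIE) in decode_suboptions(value)


if __name__ == "__main__":
    print(encode_suboptions([(APC_TAG, APC_COOKIE)]))  # value for the pfSense field
    print(has_apc_cookie("0x010431415043"))            # hex form quoted above
```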

Additional Recommended Settings

Use a Secure Network

We strongly recommend that your PDU, UPS, and other "Out of Band" devices be connected to their own network segment, and not connect in the same segment as servers or desktops.

Access to these devices should be controlled tightly both on your firewall and through each device's configuration.

This could be achieved using VLANs with a VLAN interface on your pfSense firewall, or an inexpensive dedicated switch connected to its own interface on your pfSense firewall.

You may also like to configure the device to use SSH and/or HTTPS rather than Telnet and HTTP.

Configure DHCP for Static IPs only

We recommend the following DHCP settings for OOB networks. These settings may provide some "security" but are mainly designed to avoid mistakes.

DHCP Settings

  • Enable DHCP
  • Ignore BOOTP queries, unless you have some older devices
  • Deny unknown clients, so that IPs aren't handed out to new devices unless they are configured with a static lease. This will force you to plan the IP space and prevent devices getting an IP address if accidentally connected to the network.
  • Ignore denied clients, so that the server doesn't send NACK responses.

Stuck?

We offer commercial support, why not contact us


