Messages - paul_

#2
Background:
I am using a UPS that sends a shutdown signal (via the killpower file) to multiple devices, including OPNsense (the firewall). However, I only want my two servers to shut down, not the firewall.

I need a persistent solution that survives reboots and updates, so OPNsense doesn't automatically shut down when the UPS triggers the shutdown event.

Steps Attempted:
Modified /usr/local/etc/nut/upsmon.conf to change the shutdown command (SHUTDOWNCMD) to a custom script that blocks shutdowns based on the presence of the killpower file. Unfortunately, this file gets overwritten on every reboot or NUT service restart.

Created custom scripts to block shutdowns when the killpower file is present, but OPNsense still shuts down immediately when the UPS triggers the shutdown event.

Used the OPNsense Web UI tunables feature to set environment variables for custom shutdown logic, but the changes don't persist or prevent the shutdown.

Modified /usr/local/etc/rc.shutdown to include logic for blocking shutdowns, but the shutdown still happens immediately when the UPS signal is triggered.

Desired Outcome:
OPNsense should NOT shut down when the UPS sends a killpower shutdown signal.

The solution should be persistent and should work across reboots and updates.

The solution should only block shutdowns for OPNsense while allowing the two servers to shut down as normal.


Thanks in advance for your help guys!
#3
Quote from: paul_ on April 01, 2025, 07:32:13 PM
Quote from: OPNenthu on April 01, 2025, 12:17:47 AM
Try adding "pollonly=enabled" in USBHID-Driver settings as a first tweak.  I remember reading somewhere that it helps with certain models, and this option can be set directly from the NUT plugin UI.

Some other suggestions I came across might require you to go into config files:

ups.conf: Add the global driver options to the top of the file: "pollinterval = 2" and "maxretry = 3".  The former might be default but the latter defaults to 1 (at least in the Debian nut package).  Might have to play with these.

upsmon.conf: Add "DEADTIME 25" (again might have to play with this, it should be a multiple of POLLFREQ) and try toggling "RUN_AS_USER root" by commenting/uncommenting it. The latter is mentioned in https://forum.netgate.com/topic/149032/must-the-ups-nut-daemon-be-run-as-root/3.

Sorry if these waste your time. I had initial instability connecting my CyberPower to a Raspberry Pi with usbhid (connection kept flapping), but a combination of these fixed it.  I haven't taken the time to isolate.


With this in ups.conf it's running now :-) - Thanks for your help!

[USV-Keller]
driver=usbhid-ups
pollonly=enabled
port=auto

Just one more thing: where can I set up the user I can access NUT with? I want to add it to Home Assistant now, but it asks for a user.

Thanks!


Nvm found it under: /usr/local/etc/nut/upsd.users

Thanks for the help to all of you :-)
#4
Quote from: OPNenthu on April 01, 2025, 12:17:47 AM
Try adding "pollonly=enabled" in USBHID-Driver settings as a first tweak.  I remember reading somewhere that it helps with certain models, and this option can be set directly from the NUT plugin UI.

Some other suggestions I came across might require you to go into config files:

ups.conf: Add the global driver options to the top of the file: "pollinterval = 2" and "maxretry = 3".  The former might be default but the latter defaults to 1 (at least in the Debian nut package).  Might have to play with these.

upsmon.conf: Add "DEADTIME 25" (again might have to play with this, it should be a multiple of POLLFREQ) and try toggling "RUN_AS_USER root" by commenting/uncommenting it. The latter is mentioned in https://forum.netgate.com/topic/149032/must-the-ups-nut-daemon-be-run-as-root/3.

Sorry if these waste your time. I had initial instability connecting my CyberPower to a Raspberry Pi with usbhid (connection kept flapping), but a combination of these fixed it.  I haven't taken the time to isolate.


With this in ups.conf it's running now :-) - Thanks for your help!

[USV-Keller]
driver=usbhid-ups
pollonly=enabled
port=auto

Just one more thing: where can I set up the user I can access NUT with? I want to add it to Home Assistant now, but it asks for a user.

Thanks!
#5
Quote from: iRobot on March 31, 2025, 08:33:44 PM
Check the usb-type, only one entry must be ticked.

Best regards
Stefan
These are my settings, and I only ticked one, but it still doesn't work. Also with port auto it didn't work.


Best regards
Paul
#6
Quote from: Patrick M. Hausen on March 31, 2025, 07:46:14 PM
If you configure it as standalone you can use it as a server for other clients.

Use a NAT port forwarding rule for port 3493 on the interface where you have clients, forward to 127.0.0.1. Works great.

I configured it like this, but still I can't see anything in Diagnostics... Port Forwarding is also configured.
#7
Hi everyone,

I have a new APC BR900G-GR UPS, and I want to set up my OPNsense as the NUT server to manage shutdowns for my two servers and the firewall in the event of a power outage. I've tried configuring it with both the USBHID-Driver and APCSMART-Driver, but neither seems to provide any data, and the Diagnostics page remains empty.
What I can see is that nut_daemon isn't starting (see attached picture) - is there any log I could check?

If anyone has any suggestions or insights, it would be greatly appreciated.

Thanks & best regards,
Paul
#8
Quote from: jata on February 04, 2025, 10:10:36 PM
Thanks for this info. I will give it a try and report back...

My understanding of what this can/should enable is a bit more flexibility around internal IP redirection so I can point *.rpi.mydns.duckdns.org to 192.168.1.3 and *.mpc.mydns.duckdns.org to 192.168.1.5 (for example)


I have adguard in my config so I think the setup for me is adguard (port 53) --> unbound (port 5335) --> BIND (port 8053)

Hi,

I don't know much about AdGuard; maybe you can set DNS zones and custom redirects in there also, it's worth a try!

Or you could also try to just redirect *.mpc.mydns.duckdns.org via unbound to your 192.168.1.5 and *.rpi.mydns.duckdns.org to 192.168.1.3.

I think that should work too.
#9
Quote from: jata on February 03, 2025, 09:32:30 PM
Can you explain a little more about exactly how/what you did using BIND please @paul_

I am not sure what to start...

First, go to the Overrides section in Unbound and create a subdomain, sub.mydomain.net, and point it to the IP address you want it to resolve to.

Next, install BIND by navigating to the Plugins section and selecting the BIND plugin. After installation, set the listen port for BIND to 8053.

Then, create a primary zone for mydomain.net in BIND. Be sure to add NS records for your domain by setting ns1.mydomain.net as the nameserver. You'll also need to create an A record for ns1.mydomain.net and point it to the IP address of your OPNsense firewall.

Afterward, create a wildcard DNS record (*.mydomain.net) and point it to the additional IP address you want it to resolve to.

Once all the necessary records are created, save the configuration in BIND.

Finally, return to Unbound and go to the Query Forwarding section. Add mydomain.net as a domain to forward, and set it to forward queries for mydomain.net to the OPNsense IP at port 8053.

Hope this works for you too :-)
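
The lookup order that results from the steps in the post above, as an added example that is not part of the original post: it models A queries only, with the Unbound host override answered first and everything else in the zone forwarded to BIND, where standard RFC 4592 wildcard matching applies. All addresses are constructed (documentation ranges), and the function names are hypothetical.

```python
# Constructed sample data; the addresses are assumptions, not from the post.
UNBOUND_OVERRIDES = {"sub.mydomain.net": "192.0.2.20"}  # Unbound host override
BIND_ZONE = "mydomain.net"                              # primary zone, BIND on port 8053
BIND_RECORDS = {
    "ns1.mydomain.net": "192.0.2.1",   # A record for the nameserver (the firewall)
    "*.mydomain.net": "192.0.2.10",    # wildcard -> default reverse proxy
}


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def bind_lookup(name):
    """A lookup in the BIND zone with RFC 4592 wildcard semantics."""
    if name in BIND_RECORDS:
        return BIND_RECORDS[name]
    labels = name.split(".")
    # Walk up to the closest encloser: the longest ancestor that exists
    # in the zone, either as an owner name or as a parent of one.
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if not _in_zone(ancestor, BIND_ZONE):
            break
        exists = ancestor == BIND_ZONE or any(
            owner == ancestor or owner.endswith("." + ancestor)
            for owner in BIND_RECORDS
        )
        if exists:
            # Only a wildcard directly below the closest encloser can match.
            return BIND_RECORDS.get("*." + ancestor)  # None -> no answer
    return None


def resolve(name):
    """Unbound's view: local override first, then the forward for the zone."""
    name = name.lower().rstrip(".")
    if name in UNBOUND_OVERRIDES:
        return ("unbound-override", UNBOUND_OVERRIDES[name])
    if _in_zone(name, BIND_ZONE):
        return ("bind", bind_lookup(name))
    return ("upstream", None)  # outside the zone: normal upstream resolution
```

Two results worth noting: a name below ns1.mydomain.net gets no wildcard answer because ns1 exists in the zone, and a name below the overridden sub.mydomain.net falls through to the BIND wildcard rather than the override address.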
#10
Quote from: Patrick M. Hausen on February 03, 2025, 06:23:09 PM
BIND? BIND definitely supports wildcard A records - I don't know if the OPNsense UI permits it, though.

Wonderful idea, and it works like a charm! I've set BIND to listen on address 8053 and created a primary zone for mydomain.net. I've also set up query forwarding from Unbound to BIND for mydomain.net. The sub.mydomain.net is still configured as a host override on Unbound, and everything works as expected. Thanks for your help!
#11
I mean, the idea isn't that bad, haha! 😂 Somehow, I can't create a wildcard host override in DNSMasq...

Any ideas?
#12
No, I'm afraid not... It can just forward to a DNS server if I got that right, and I only have nginx running where I need this *.mydomain.net to point to, and sub1.mydomain.net should point to another nginx server with another IP...
#13
Hi everyone,

I'd like to briefly explain my setup: I'm running an internal reverse proxy, and I use Unbound to resolve all DNS queries for *.mydomain.net via host overrides, forwarding them to my Nginx proxy. Now, I'd like to forward only a specific subdomain, e.g., sub1.mydomain.net, to a different IP, while all other subdomains (e.g., sub2.mydomain.net) should resolve to the default wildcard DNS IP.

Unfortunately, I haven't been able to achieve this with Unbound. Does anyone have an idea how to implement this? If switching to another DNS plugin is necessary, that's not a problem—my main requirement is that I can use upstream DNS servers via DoT or DoH.

Any suggestions would be greatly appreciated!

Thanks in advance and BR
Paul