Multi-Instance Management Options in the pfSense® software GUI

The pfSense software GUI contains options to manage the Multi-Instance Management (MIM) controller itself. These options are at System > Advanced on the Multi-Instance Management tab.

Enabling Multi-Instance Management

The MIM controller must be enabled and running before it can be accessed by browsers or other instances.

Multi-Instance Management Controller Configuration Options

The default options are acceptable for most environments, but the behavior of the MIM controller daemon can be fine-tuned by the options on the page at System > Advanced, Multi-Instance Management tab.

These options are broken into two sections, General Options and Advanced Options.

General Options

Enable:

Controls whether the MIM controller daemon is enabled.

TLS Certificate:

The TLS certificate the MIM controller will use when acting as a TLS server (e.g. HTTPS).

This is typically the same certificate used by the pfSense software WebGUI, but it can be a different certificate. This can be a local self-signed certificate, a globally trusted certificate imported into the GUI, or even a certificate managed by the ACME package.

Service Ports:

The MIM controller daemon uses multiple ports to accept connections. Two of these are configurable:

API HTTP Port:

The port used for unencrypted communication from browsers and API clients.

Danger

Communication on this port is not encrypted. The best practice is to only use encrypted communication, so avoid using this port outside of local testing and development.

API HTTPS Port:

The port used for encrypted communication from browsers and API clients.

Note

The controller picks a random port to use for the VPN. This port is available for use in firewall rules through the built-in alias named mim_vpn_port.

Advanced Options

Logging:

Controls the behavior of messages logged by the MIM controller daemon.

Level:

The type of messages to log. Each level also includes messages from levels below it in the list.

Verbose:

When checked, increases the verbosity of log messages.

IPv4 Address:

A specific IPv4 address to be used by the MIM controller daemon. If blank, the controller will listen on all available IPv4 addresses.

IPv6 Address:

A specific IPv6 address to be used by the MIM controller daemon. If blank, the controller will listen on all available IPv6 addresses.

Permit Localhost:

When enabled, connections are automatically allowed from localhost to the controller daemon.

JWT Session Expiry Time in Minutes:

Sets the expiration time of session tokens. Lower values are more secure, but require more frequent requests for new tokens.

Allow Cross-Origin API Requests:

When enabled, API requests are allowed from different origins. This allows external sites or daemons on different ports to perform requests, which is less secure.
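
If the IPv4 Address and IPv6 Address fields are blank, the controller listens on all available addresses, so it is worth checking where the unencrypted API HTTP port is actually bound. The following Python script is an added example, not part of the pfSense documentation: it audits saved `sockstat -l` output for that condition, and the daemon name `mimd`, the port numbers and the sample output are constructed placeholders.

```python
# Constructed sample of FreeBSD `sockstat -l` output. The daemon name "mimd"
# and ports 8080/8443 are placeholders, not values from the documentation.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     mimd       4121  7  tcp4   *:8080                *:*
root     mimd       4121  8  tcp6   *:8080                *:*
root     mimd       4121  9  tcp4   *:8443                *:*
root     mimd       4121  10 tcp4   127.0.0.1:9000        *:*
root     nginx      901   5  tcp4   192.0.2.1:443         *:*
"""

LOOPBACK = {"127.0.0.1", "::1"}

def parse_listeners(text):
    """Yield (command, proto, address, port) for each TCP listener line."""
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 7 columns; the header row has "PROTO" in column 5.
        if len(fields) < 7 or not fields[4].startswith("tcp"):
            continue
        # Split on the last ':' so IPv6 addresses keep their own colons.
        addr, _, port = fields[5].rpartition(":")
        if port.isdigit():
            yield fields[1], fields[4], addr, int(port)

def audit(text, daemon, http_port, https_port):
    """Return findings for the daemon's API listeners.

    HIGH: the unencrypted API HTTP port is bound to a non-loopback address.
    INFO: the API HTTPS port is bound to the wildcard address.
    """
    findings = []
    for cmd, proto, addr, port in parse_listeners(text):
        if cmd != daemon:
            continue
        if port == http_port and addr not in LOOPBACK:
            findings.append(("HIGH", proto, addr, port,
                             "unencrypted API port bound beyond loopback"))
        elif port == https_port and addr == "*":
            findings.append(("INFO", proto, addr, port,
                             "HTTPS API port bound to all addresses"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "mimd", 8080, 8443):
        print(*finding)
```

A HIGH finding means the listener exists on that address; whether it is reachable still depends on the firewall rules in front of it.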

Viewing Multi-Instance Management Status

The Multi-Instance Management settings tab also includes status information for the controller daemon. This includes links to the MIM GUI as well as an entry indicating the VPN port upon which the controller is listening.

To view this status information:

  • Open the pfSense software GUI on the designated controller device

  • Navigate to System > Advanced, Multi-Instance Management tab

  • Look in the bottom section of the General Options area

Figure: Multi-Instance Management Controller Daemon Status