Multi-Instance Management Options in the pfSense® software WebGUI

The pfSense software WebGUI contains options to manage the Multi-Instance Management (MIM) controller itself. These options are at System > Advanced on the Multi-Instance Management tab.

Enabling Multi-Instance Management

The MIM controller must be enabled and running before it can be accessed by browsers or other instances.

Multi-Instance Management Controller Configuration Options

The default options are acceptable for most environments, but the behavior of the MIM controller daemon can be fine-tuned by the options on the page at System > Advanced, Multi-Instance Management tab.

These options are broken into two sections, General Options and Advanced Options.

General Options

Enable:

Controls whether or not the MIM controller daemon is enabled or disabled.

TLS Certificate:

The TLS certificate the MIM controller will use when acting as a TLS server (e.g. HTTPS).

This is typically the same certificate used by the pfSense software WebGUI, but it can be a different certificate. This can be a local self-signed certificate, a globally trusted certificate imported into the WebGUI, or even a certificate managed by the ACME package.

Service Ports:

The MIM controller daemon uses multiple ports to accept connections:

API HTTP Port:

The port used for unencrypted communication from browsers and API clients.

Danger

Communication on this port is not encrypted. The best practice is to only use encrypted communication, so avoid using this port outside of local testing and development.

API HTTPS Port:

The port used for encrypted communication from browsers and API clients.

Note

The controller picks a random port to use for the VPN. This port is available for use in firewall rules through the built-in alias named mim_vpn_port. This port may be set to a specific value by setting Listening Port in the Advanced Options.

Advanced Options

Logging:

Controls the behavior of messages logged by the MIM controller daemon.

Level:

The type of messages to log. Each level also includes messages from levels below it in the list.

Verbose:

When checked, increases the verboseness of log messages.

Listening Address:

A specific address the MIM controller daemon will use to listen for incoming VPN connections from remote instances.

When set to Any (default), the controller listens on all available addresses.

Note

This does not control binding of the MIM GUI service, only the VPN used for communication between instances and the controller.

Listening Port:

A specific port the MIM controller daemon will use to listen for incoming VPN connections from remote instances.

Advertised Addresses:

One or more IP addresses or fully qualified domain names (FQDNs), optionally with a port number, which the controller will advertise to instances. When blank (default), the controller advertises all of its IP addresses for auto-discovery.

Tip

Using an FQDN here in combination with some form of Dynamic DNS can enable instances to reach the controller in cases where the controller host does not have a static IP address on any WAN interface.

JWT Session Expiry:

Sets the expiration time of session tokens. Lower values are more secure, but require more frequent requests for new tokens.

Custom Options:

Custom controller options. Each option must be on a separate line.

Warning

Do not use this section unless requested to do so by developers or TAC.

Viewing Multi-Instance Management Status

The Multi-Instance Management settings tab also includes status information for the controller daemon while the daemon is running. This includes links to the MIM GUI as well as an entry indicating the VPN port upon which the controller is listening.

To view this status information:

  • Open the pfSense software WebGUI on the designated controller device

  • Navigate to System > Advanced, Multi-Instance Management tab

  • Look in the bottom section of the General Options area

../_images/mim-service-status.png

Multi-Instance Management Controller Daemon Status