Multi-Instance Management Controller Setup

Before instances of pfSense® Plus software can be registered to the Multi-Instance Management (MIM) controller, there are several setup tasks to complete.

Enable Multi-Instance Management

The MIM controller must be enabled and running before registering instances.

Firewall rules for Multi-Instance Management

The MIM controller does not automatically add firewall rules for the MIM GUI or external controller VPN connectivity. Firewall rules are necessary for instances to connect to the VPN itself and for administrators to reach the MIM GUI. Configure these firewall rules on the controller host in the pfSense software WebGUI.

Note

The MIM controller automatically passes traffic tunneled through its VPN between the instances and the controller. There is no need to manage rules for that internal communication.

Allowing Incoming MIM VPN Connections

Add a rule on WAN to pass connections to the MIM VPN port.

  • Open the pfSense software WebGUI on the designated controller.

  • Navigate to Firewall > Rules, WAN tab

    Note

    WAN is used as an example. This could also be any other interface to which instances will connect.

  • Click Add (the button with the upward arrow icon) to add a new rule at the top of the list.

  • Configure the rule with the following options:

    Action: Pass

    Protocol: UDP

    Source: Any

    Note

    This is acceptable if instances have dynamic addresses. If all instances are static, consider creating an alias to allow only those addresses.

    Destination: This Firewall (self)

    Note

    This could also be the specific interface or IP address instances use when connecting.

    Destination Port:

    From: (Other)

    Custom: mim_vpn_port

    Note

    This is a built-in alias which automatically contains the random port the controller selected to use for incoming VPN connections.

  • Click Save

  • Click Apply Changes

Allowing Multi-Instance Management GUI Access

Access to the MIM GUI is also restricted by firewall rules. If local interfaces or VPNs are restricted, rules must be added there as well. The ports for those rules are configured in the MIM options (General Options).

Danger

Do not expose this port to the Internet. Limit access as much as possible. Use a VPN for remote access.

As with the pfSense software WebGUI, the best practice is to restrict access to specific management hosts, networks, or VPN clients.
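
One way to check a configuration backup against the two rule requirements above, as an added example that is not part of the original documentation or of pfSense itself. It assumes the usual pfSense config.xml rule layout (filter/rule with type, interface, protocol, source and destination elements); the sample XML, the `mgmt_hosts` alias and GUI port 8443 are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of a pfSense config.xml <filter> section.
SAMPLE = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
    <source><any/></source>
    <destination><network>(self)</network><port>mim_vpn_port</port></destination></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><network>(self)</network><port>8440-8450</port></destination></rule>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
    <source><address>mgmt_hosts</address></source>
    <destination><network>(self)</network><port>8443</port></destination></rule>
</filter></pfsense>"""

def port_matches(spec, port):
    """True if a rule's port field (empty = any, 'N', or 'N-M') covers port."""
    if not spec:
        return True
    if spec.isdigit():
        return int(spec) == port
    lo, sep, hi = spec.partition("-")
    if sep and lo.isdigit() and hi.isdigit():
        return int(lo) <= port <= int(hi)
    return False  # a port alias name: not resolved here, review by hand

def audit(xml_text, gui_port, iface="wan"):
    """Return (vpn_rule_present, indexes of rules passing gui_port from any source)."""
    vpn_ok, exposed = False, []
    for i, r in enumerate(ET.fromstring(xml_text).iterfind("./filter/rule")):
        if r.find("disabled") is not None or r.findtext("type") != "pass":
            continue
        if r.findtext("interface") != iface:
            continue
        proto = (r.findtext("protocol") or "any").lower()
        port = (r.findtext("destination/port") or "").strip()
        src_any = r.find("source/any") is not None
        if proto == "udp" and port == "mim_vpn_port":
            vpn_ok = True  # the VPN rule this page describes
        elif src_any and proto in ("tcp", "tcp/udp", "any") and port_matches(port, gui_port):
            exposed.append(i)  # flag for review: GUI port open to any source
    return vpn_ok, exposed

if __name__ == "__main__":
    print(audit(SAMPLE, gui_port=8443))
```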

Accessing the Multi-Instance Management GUI

To access the MIM GUI, follow the links in the MIM status under System > Advanced, Multi-Instance Management tab (Viewing Multi-Instance Management Status).

Use the HTTPS link to securely access the MIM controller.

Note

If the MIM controller is using a self-signed TLS certificate, then it may be necessary to click through an error in the browser warning about the validity of the self-signed certificate.

Multi-Instance Management Authentication

After following the link, the controller will display a login screen.

Tip

Bookmark this page for faster access.

Multi-Instance Management Controller Login Screen

The MIM controller uses the pfSense software User Manager, so the same credentials will work for the MIM controller that work for the pfSense software WebGUI.

Enter valid credentials and click Sign In to access the MIM GUI.