Multi-Instance Management Controller Setup
Before instances of pfSense® Plus software can be registered to the Multi-Instance Management (MIM) controller, there are several setup tasks to complete.
Enable Multi-Instance Management
The MIM controller must be enabled and running before registering instances.
Open the pfSense software WebGUI on the designated controller.
Navigate to System > Advanced, Multi-Instance Management tab
Check Enable
Configure any other options as needed (see Multi-Instance Management Controller Configuration Options)
Click Save
Firewall rules for Multi-Instance Management
The MIM controller does not automatically add firewall rules for the MIM GUI or external controller VPN connectivity. Firewall rules are necessary for instances to connect to the VPN itself and for administrators to reach the MIM GUI. Configure these firewall rules on the controller host in the pfSense software WebGUI.
Note
The MIM controller automatically passes traffic tunneled through its VPN between the instances and the controller. There is no need to manage rules for that internal communication.
Allowing Incoming MIM VPN Connections
Add a rule on WAN to pass connections to the MIM VPN port.
Open the pfSense software WebGUI on the designated controller.
Navigate to Firewall > Rules, WAN tab
Note
WAN is used as an example. This could also be any other interface to which instances will connect.
Click to add a new rule at the top of the list:
Configure the rule with the following options:
- Action: Pass
- Protocol: UDP
- Source: Any
  Note
  This is acceptable if instances have dynamic addresses. If all instances are static, consider creating an alias to allow only those addresses.
- Destination: This Firewall (self)
  Note
  This could also be the specific interface or IP address instances use when connecting.
- Destination Port:
  - From: (Other)
  - Custom: mim_vpn_port
  Note
  This is a built-in alias which automatically contains the random port the controller selected to use for incoming VPN connections.
Click Save
Click Apply Changes
Allowing Multi-Instance Management GUI Access
Access to the MIM GUI is also restricted by firewall rules. If local interfaces or VPNs are restricted, rules must be added there as well. The ports for those rules are configured in the MIM options (see General Options).
Danger
Do not expose this port to the Internet. Limit access as much as possible. Use a VPN for remote access.
As with the pfSense software WebGUI, the best practice is to restrict access to specific management hosts, networks, or VPN clients.
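One way to check an exported configuration backup for a rule that contradicts the warning above, as an added example that is not part of the original documentation or of pfSense software. It assumes the usual config.xml filter rule layout (filter/rule with type, interface, protocol, source and destination/port elements); the port 8443, the alias mgmt_hosts and the rule descriptions are constructed placeholders, so substitute the GUI port set in the MIM options.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of a pfSense config.xml export (assumed layout).
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
    <source><any/></source>
    <destination><network>(self)</network><port>mim_vpn_port</port></destination>
    <descr>MIM VPN</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><network>(self)</network><port>8443</port></destination>
    <descr>MIM GUI from anywhere</descr></rule>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
    <source><address>mgmt_hosts</address></source>
    <destination><network>(self)</network><port>8443</port></destination>
    <descr>MIM GUI from management hosts</descr></rule>
</filter></pfsense>"""

def port_matches(spec, port):
    """True if a rule port field (empty = any, 'N', or 'N-M') covers port."""
    if not spec:
        return True
    lo, _, hi = spec.partition("-")
    if not lo.isdigit() or (hi and not hi.isdigit()):
        return False  # port alias such as mim_vpn_port: not resolved here
    return int(lo) <= port <= int(hi or lo)

def exposed_gui_rules(config_xml, gui_port, external_ifs=("wan",)):
    """Return descriptions of enabled pass rules on external interfaces that
    allow TCP from any source to gui_port."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        if rule.find("disabled") is not None or rule.findtext("type") != "pass":
            continue
        if rule.findtext("interface") not in external_ifs:
            continue
        proto = rule.findtext("protocol") or "any"
        if "tcp" not in proto and proto != "any":
            continue
        if rule.find("source/any") is None:
            continue
        if port_matches(rule.findtext("destination/port"), gui_port):
            findings.append(rule.findtext("descr") or "(no description)")
    return findings

if __name__ == "__main__":
    for descr in exposed_gui_rules(SAMPLE_CONFIG, gui_port=8443):
        print("MIM GUI port reachable from any source:", descr)
```

The check does not resolve port aliases or inspect the destination address, so treat an empty result as a first pass rather than proof that the port is unreachable.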
Accessing the Multi-Instance Management GUI
To access the MIM GUI, follow the links in the MIM status under System > Advanced, Multi-Instance Management tab (see Viewing Multi-Instance Management Status).
Use the HTTPS link to securely access the MIM controller.
Note
If the MIM controller is using a self-signed TLS certificate, then it may be necessary to click through an error in the browser warning about the validity of the self-signed certificate.
Multi-Instance Management Authentication
After following the link, the controller will display a login screen.
Tip
Bookmark this page for faster access.
The MIM controller uses the pfSense software User Manager, so the same credentials will work for the MIM controller that work for the pfSense software WebGUI.
Enter valid credentials and click Sign In to access the MIM GUI.