Netgate Nexus Controller Setup
To use the Netgate Nexus GUI or API, or to register instances of pfSense Plus software to the Netgate Nexus controller for tasks such as multi-instance management (MIM), there are several setup tasks to complete.
Enable Netgate Nexus Controller
The Netgate Nexus controller must be enabled and running before attempting to access its GUI, API, or register instances.
Open the pfSense Plus software GUI
Navigate to System > Advanced, Netgate Nexus tab
Check Enable
Configure any other options as needed (Netgate Nexus Controller Configuration Options)
Click Save
Firewall rules for Netgate Nexus
The Netgate Nexus controller does not automatically add firewall rules for the Netgate Nexus GUI or for external controller VPN connectivity. Firewall rules are necessary for administrators to reach the Netgate Nexus GUI and for instances to connect to the VPN itself. Configure these firewall rules on the controller host in the pfSense Plus software GUI.
Tip
If not using Netgate Nexus for MIM, skip ahead to Allowing Netgate Nexus GUI Access.
Allowing Incoming Netgate Nexus VPN Connections
Add a rule on WAN to pass connections to the Netgate Nexus VPN port.
Note
The Netgate Nexus controller automatically passes traffic tunneled inside its VPN between the instances and the controller. There is no need to manage rules for that internal communication.
Open the pfSense Plus software GUI on the designated controller
Navigate to Firewall > Rules, WAN tab
Note
WAN is used as an example. This could also be any other interface to which instances will connect.
Click the add icon to add a new rule at the top of the list. Configure the rule with the following options:
- Action: Pass
- Protocol: UDP
- Source: Any
Note
This is acceptable if instances have dynamic addresses. If all instances are static, consider creating an alias to allow only those addresses.
- Destination: This Firewall (self)
Note
This could also be the specific interface or IP address instances use when connecting.
- Destination Port:
  - From: (Other)
  - Custom: _nexus_vpn_port
Note
This is a built-in alias which automatically contains the random port the controller selected to use for incoming VPN connections.
Click Save
Click Apply Changes
Allowing Netgate Nexus GUI Access
Access to the Netgate Nexus GUI is also restricted by firewall rules. If local interfaces or VPNs are restricted, rules must be added there as well. The ports for those rules are configured in the Netgate Nexus options (Netgate Nexus).
Danger
Do not expose this port to the Internet. Limit access as much as possible. Use a VPN for remote access.
As with the pfSense Plus software GUI, the best practice is to restrict access to specific management hosts, networks, or VPN clients.
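A small audit of the two rule sets described above (the incoming VPN rule and the restricted GUI rule), added here as an example and not part of Netgate's documentation or tooling. It parses a constructed config.xml fragment; the element layout follows the pfSense config.xml format as commonly seen, and the GUI port value 8443 is an assumed sample, since the page does not give one.

```python
import xml.etree.ElementTree as ET

# Built-in alias named on the page for the controller's incoming VPN port.
NEXUS_VPN_ALIAS = "_nexus_vpn_port"

# Constructed sample: rule 1 is the VPN rule from the page, rule 2 wrongly
# exposes the GUI port on WAN from any source, rule 3 restricts it on LAN.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
    <source><any/></source>
    <destination><network>(self)</network><port>_nexus_vpn_port</port></destination>
    <descr>Nexus VPN</descr></rule>
  <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
    <source><any/></source>
    <destination><network>(self)</network><port>8443</port></destination>
    <descr>Nexus GUI</descr></rule>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
    <source><address>MgmtHosts</address></source>
    <destination><network>(self)</network><port>8443</port></destination>
    <descr>Nexus GUI</descr></rule>
</filter></pfsense>"""


def _summarize(rule):
    """Flatten one <rule> element into the fields the audit cares about."""
    src = rule.find("source")
    dst = rule.find("destination")
    return {
        "type": rule.findtext("type"),
        "iface": rule.findtext("interface"),
        "proto": rule.findtext("protocol"),
        "src_any": src is not None and src.find("any") is not None,
        "dst_self": dst is not None and dst.findtext("network") == "(self)",
        "dst_port": dst.findtext("port") if dst is not None else None,
        "descr": rule.findtext("descr", ""),
    }


def audit_nexus_rules(config_xml, gui_port):
    """Return (vpn_rule_present, findings): whether a pass/UDP/self rule on the
    VPN alias exists, and which rules pass the GUI port from any source."""
    rules = [_summarize(r) for r in ET.fromstring(config_xml).iter("rule")]
    vpn_ok = any(r["type"] == "pass" and r["proto"] == "udp" and r["dst_self"]
                 and r["dst_port"] == NEXUS_VPN_ALIAS for r in rules)
    findings = [
        f"{r['iface']}: '{r['descr']}' passes GUI port {gui_port} from any source"
        for r in rules
        if r["type"] == "pass" and r["src_any"] and r["dst_port"] == str(gui_port)
    ]
    return vpn_ok, findings
```

Run `audit_nexus_rules(SAMPLE_CONFIG, 8443)` against the constructed sample: it confirms the VPN rule and flags only the WAN rule that opens the GUI port to any source.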
Accessing the Netgate Nexus GUI
To access the Netgate Nexus GUI, follow the links in the Netgate Nexus status under System > Advanced, Netgate Nexus tab (Viewing Netgate Nexus Status).
Use the HTTPS link to securely access the Netgate Nexus controller.
Note
If the Netgate Nexus controller is using a self-signed TLS certificate, it may be necessary to click through a browser warning about the validity of that certificate.
Netgate Nexus Authentication
After following the link, the controller will display a login screen.
Tip
Bookmark this page for faster access.
Netgate Nexus Controller Login Screen
The Netgate Nexus controller authenticates using the settings in the pfSense Plus software User Manager, so credentials which work for the pfSense Plus software GUI also work for the Netgate Nexus controller.
Enter valid credentials and click Sign In to access the Netgate Nexus GUI.