Frequently Asked Questions

1. I don’t know the password to the webGUI. How do I find out what it is?

The first time the instance boots, it looks for a user-defined password set in the User Data box when the instance was created. If you didn’t set one, it chooses one randomly so that the instance is not accessible via a default password to malicious users. You can find out the random password that was set by choosing Get System Log from the Actions Menu for the instance in the EC2 Management Console. A message should appear after the system boot messages that looks like the following:

*** Admin password changed to: abcdefg

It may take 5-10 minutes after the instance boots for this message to appear in the system log. If you would like to find out the password sooner, you can log in via SSH using the SSH key that was selected when the instance was created. The same message that will be written to the system log will be written to the file /etc/motd. Running the command cat /etc/motd will show you what the password is.

2. I don’t like the random password that was selected. How can I change it?

The password can be changed via the webGUI. Log in with the username admin and the existing password. Under the System category, click on User Manager. The admin account should appear in a list of accounts. Unless you’ve added other accounts, it should be the only account present. Click on the Edit button (the icon with the e in it) to the right of the account listing. Type your choice for a new password into the two boxes labeled Password. Click the Save button at the bottom of the screen.

3. How do I access my instance?

There are several ways that you can manage or use your instance. You should be able to connect via SSH or HTTPS in order to manage the configuration of your instance. If you connect via SSH, you will either need to know the password of the admin account and login with that account, or use the SSH key that was selected when the instance was created. Here is a sample command line to log in with an SSH key from a Unix or Linux host:

ssh -i ~/.ssh/my-ec2-key

You would substitute the actual location of your SSH private key for ~/.ssh/my-ec2-key and the real hostname, which you can retrieve from the EC2 Management Console by looking at the data for the instance, for example If you know the password for the admin account, you could use a command similar to the one above, but omit the -i ~/.ssh/my-ec2-key.

To connect via HTTPS, you need to know the password to the instance, either by setting it explicitly in the User Data when the instance is created or by retrieving it from the instance. Once you know the password, you should be able to connect to the instance with any web browser by typing in the hostname of the instance to the URL field.

4. How do I connect a VPN client to my instance?

See the section in the user guide on Using the remote access IPsec or OpenVPN VPN.

5. Why does the pfSense Plus Dashboard say my WAN address is 10.X.Y.Z?

Amazon AWS instances use DHCP to assign private addresses to the public-facing interfaces of an instance. The publicly routable IP address that you use to access the instance is NATed by Amazon to the private address that you see configured on the WAN interface of your instance.

6. I added custom firewall rules to allow some traffic to my instance, why I am not seeing the packets arrive?

Amazon AWS provides packet filtering in addition to the Netgate® pfSense® Plus Appliance itself being a stateful firewall. If you allowed traffic on the Netgate Appliance but have a security group configuration in the settings for the instance that is restricting traffic, you will need to also add your rules to the security group in the EC2 Management Console.

Given that the Netgate pfSense® Plus Appliance is a fully functional firewall, you may assign an AWS security group that allows all traffic and perform whatever filtering you desire with rules on the Netgate Appliance.

7. How do I route all the traffic from my entire home network over a VPN?

If your home gateway/router has support for OpenVPN, you can connect a site to site tunnel from your home network to the Netgate VPN Appliance and configure your routing so that all Internet traffic is sent over the encrypted tunnel. See the user guide section on Connecting a local Netgate device running pfSense Plus software.

This may provide for simpler administration at home, but your mobile devices and laptops that get used outside the home should have an OpenVPN client installed and configured anyway so that you are always receiving the benefits of sending your traffic through a VPN.