Frequently Asked Questions¶
How can the GUI password for an instance be located?¶
The first time the instance boots it looks for a user-defined password set in the User Data box when the instance was created. If there is no custom password, it chooses one randomly so that the instance is not accessible via a default password to malicious users.
The random password can be located by choosing Get System Log from the Actions Menu for the instance in the EC2 Management Console.
A message should appear after the system boot messages that looks like the following:
*** *** *** Admin password changed to: abcdefg *** ***
It may take 5-10 minutes after the instance boots for this message to appear in
the system log. To find out the password sooner, log in via SSH using the SSH
key selected when the instance was created. The same message that will be
written to the system log will be written to the file
Running the command
cat /etc/motd-passwd will show the password.
If the output of Get System Log is empty or does not contain the expected output, try Get Instance Screenshot instead.
How can the random password selected during provisioning be changed?¶
The password can be changed via the GUI:
Log in with the username
adminand the existing random password
Navigate to System > User Manager in the menu
adminaccount in the list of accounts
Click the icon on the row for the
adminaccount to edit the account
Enter a new secure Password in both boxes to confirm the new value
Click the Save button at the bottom of the screen
How can an instance be accessed?¶
In order to manage the configuration of the instance, connect to it via HTTPS or SSH. A limited set of configurations is possible through the SSH interface, the preferred method for managing most of the configurations or viewing data on the status of the Netgate® pfSense® Plus instance is through the HTTPS GUI.
Connecting via SSH¶
Connecting via SSH requires knowing the password of the admin account and logging in with that account or using the SSH key selected when the instance was created. Here is a sample command line to log in with an SSH key from a Unix or Linux host:
ssh -i ~/.ssh/my-ec2-key admin@ec2-A-B-C-D.compute-1.amazonaws.com
Substitute the actual location of the SSH private key for
~/.ssh/my-ec2-key and the real hostname, which can be retrieved from the EC2
Management Console by looking at the data for the instance, for example
To login with a known password for the
admin account, use a command
similar to the one above, but omit the
Connecting via HTTPS¶
Connecting via HTTPS requires the password for the instance, either by setting
it explicitly in the User Data when the instance is created or by retrieving
it from the instance. Connect to the instance with any web browser by typing in
the hostname of the instance to the URL field and login using the
account and the password.
How can a VPN client connect to an instance?¶
Why does the GUI Dashboard say the WAN address is 10.X.Y.Z?¶
Amazon AWS instances use DHCP to assign private addresses to the public-facing interfaces of an instance. Amazon applies NAT between the publicly routable IP address clients use to access the instance and the private address configured on the WAN interface of the instance.
Why do packets not arrive at the firewall even with custom firewall rules in place to allow the traffic?¶
Amazon AWS provides packet filtering in addition to the Netgate® pfSense® Plus Appliance itself being a stateful firewall. If the Netgate Appliance allows traffic but there is a security group configuration in the AWS settings for the instance that is restricting traffic, then the security group in the EC2 Management Console must also be configured with rules similar to those on the Netgate Appliance.
Given that the Netgate pfSense® Plus Appliance is a fully functional firewall, it is generally safe to assign an AWS security group which allows all traffic so that the Netgate Appliance can perform any necessary filtering of inbound traffic.
How can a VPN client route all of the traffic from an entire home network over a VPN?¶
If a client home gateway/router has support for OpenVPN, it can connect using a site-to-site tunnel between the home network and the Netgate VPN Appliance. The VPN can then route all Internet traffic over the encrypted tunnel. See the user guide section on Connecting a local Netgate device running pfSense® Plus software.
This may provide for simpler administration at home, but any mobile devices and laptops that get used outside the home should have an OpenVPN client installed and configured anyway so that they can always receive the benefits of sending traffic through a VPN.
Backup & Recovery¶
Backing up and restoring the config directions are available in the backup section of the pfSense documentation.
The pfSense Plus software offers a wide range of different monitoring and metrics, see the monitoring section of the pfSense documentation for more information.
Information on upgrading the pfSense Plus software is availble in the upgrading section of the pfSense documentation.