Frequently Asked Questions

How can the GUI password for an instance be located?

The first time the instance boots it looks for a user-defined password set in the User Data box when the instance was created. If there is no custom password, it chooses one randomly so that the instance is not accessible via a default password to malicious users.

The random password can be located by choosing Get System Log from the Actions Menu for the instance in the EC2 Management Console.

A message should appear after the system boot messages that looks like the following:

*** Admin password changed to: abcdefg

It may take 5-10 minutes after the instance boots for this message to appear in the system log. To find out the password sooner, log in via SSH using the SSH key selected when the instance was created. The same message that will be written to the system log will be written to the file /etc/motd-passwd. Running the command cat /etc/motd-passwd will show the password.


If the output of Get System Log is empty or does not contain the expected output, try Get Instance Screenshot instead.

How can the random password selected during provisioning be changed?

The password can be changed via the GUI:

  • Log in with the username admin and the existing random password

  • Navigate to System > User Manager in the menu

  • Locate the admin account in the list of accounts

  • Click the fa-pencil icon on the row for the admin account to edit the account

  • Enter a new secure Password in both boxes to confirm the new value

  • Click the Save button at the bottom of the screen

How can an instance be accessed?

In order to manage the configuration of the instance, connect to it via HTTPS or SSH. A limited set of configurations is possible through the SSH interface, the preferred method for managing most of the configurations or viewing data on the status of the Netgate® pfSense® Plus instance is through the HTTPS GUI.

Connecting via SSH

Connecting via SSH requires knowing the password of the admin account and logging in with that account or using the SSH key selected when the instance was created. Here is a sample command line to log in with an SSH key from a Unix or Linux host:

ssh -i ~/.ssh/my-ec2-key

Substitute the actual location of the SSH private key for ~/.ssh/my-ec2-key and the real hostname, which can be retrieved from the EC2 Management Console by looking at the data for the instance, for example


To login with a known password for the admin account, use a command similar to the one above, but omit the -i ~/.ssh/my-ec2-key.

Connecting via HTTPS

Connecting via HTTPS requires the password for the instance, either by setting it explicitly in the User Data when the instance is created or by retrieving it from the instance. Connect to the instance with any web browser by typing in the hostname of the instance to the URL field and login using the admin account and the password.

How can a VPN client connect to an instance?

See the section in the user guide on Using the remote access IPsec or OpenVPN VPN.

Why does the GUI Dashboard say the WAN address is 10.X.Y.Z?

Amazon AWS instances use DHCP to assign private addresses to the public-facing interfaces of an instance. Amazon applies NAT between the publicly routable IP address clients use to access the instance and the private address configured on the WAN interface of the instance.

Why do packets not arrive at the firewall even with custom firewall rules in place to allow the traffic?

Amazon AWS provides packet filtering in addition to the Netgate® pfSense® Plus Appliance itself being a stateful firewall. If the Netgate Appliance allows traffic but there is a security group configuration in the AWS settings for the instance that is restricting traffic, then the security group in the EC2 Management Console must also be configured with rules similar to those on the Netgate Appliance.

Given that the Netgate pfSense® Plus Appliance is a fully functional firewall, it is generally safe to assign an AWS security group which allows all traffic so that the Netgate Appliance can perform any necessary filtering of inbound traffic.

How can a VPN client route all of the traffic from an entire home network over a VPN?

If a client home gateway/router has support for OpenVPN, it can connect using a site-to-site tunnel between the home network and the Netgate VPN Appliance. The VPN can then route all Internet traffic over the encrypted tunnel. See the user guide section on Connecting a local Netgate device running pfSense® Plus software.

This may provide for simpler administration at home, but any mobile devices and laptops that get used outside the home should have an OpenVPN client installed and configured anyway so that they can always receive the benefits of sending traffic through a VPN.

Backup & Recovery

Backing up and restoring the config directions are available in the backup section of the pfSense documentation.


The pfSense Plus software offers a wide range of different monitoring and metrics, see the monitoring section of the pfSense documentation for more information.


Information on upgrading the pfSense Plus software is availble in the upgrading section of the pfSense documentation.

Further troubleshooting

More information about troubleshooting pfSense Plus software can be found in the troubleshooting section of the pfSense documentation.