pfSense management configuration

This was teased a bit on a few recent Lawrence Systems videos and the suspense is killing me! LOL

Currently testing out various configurations, however nuances are important and it's likely there is a cool trick or two I am missing. (or can share)

The challenge: managing many pfSense firewalls (friends, family, home lab, virtual etc)
Any suggestions? Especially around pfSense auto connecting via VPN into a management network.

Thanks in advance!

You could NAT the web GUI to allow only your home public IP address to access it over the internet.

Thanks! Yes, for sure that is an option. Just trying to optimize a setup that addresses some design goals.

  • keep the remote pfSense WAN with no open ports where possible (i.e. the management solution does not require opening any ports)
  • auto-adjusts if using DHCP and ip changes (Dynamic DNS)
  • OpenVPN client auto-connects to an isolated management network with a pre-assigned ip address
  • Firewall rules use FQDN so pfSense can pass just the managed units through to OpenVPN
  • Works with both physical “on prem” devices as well as pfSense VMs.

Above is all working and I think it’s getting pretty close to the final config. Tom and Steve made some great comments on a few vids that really helped.

Love hearing the tips/tricks!

Fun tip!
Install cloudflare connector/tunnel on the isolated management network to provide logon access from outside of the management network. (including email and/or IP restrictions)

Now friends/family can be provided management access without exposing personal public IPs (just the cloudflare IP). I sometimes install UniFi Controller on the pfSense device so with this setup you can access the UniFi logon as well.

Only drawback so far is having to create the extra certificates for each pfSense instance. Would be cool if each pfSense instance had the same configuration and only the OpenVPN server needed unique configuration. Currently need the unique cert and common name so the Client Specific Override can assign the desired IP address.
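The pre-assigned management IP and the per-client certificate are tied together by how OpenVPN does it underneath pfSense's Client Specific Overrides: the server looks up a client-config-dir (ccd) file named after the certificate's common name and pushes the address from it. The script below is an added example, not code from the thread or from pfSense, that generates those ccd entries for a set of managed firewalls and refuses duplicate or out-of-subnet addresses before anything reaches the server. The common names, the 10.99.0.0/24 management tunnel network and the server address are assumptions made up for the example.

```python
"""Generate OpenVPN client-config-dir entries for a management VPN.

Added example, not from the original thread. The CNs, tunnel network and server
address below are hypothetical; substitute your own.
"""
import ipaddress
import os
from typing import Dict, List

# Assumed management tunnel network (topology subnet) and the server's own address.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
SERVER_IP = ipaddress.ip_address("10.99.0.1")

# Constructed sample: certificate common name -> desired management-tunnel IP.
# Each managed pfSense gets its own client cert whose CN matches a key here.
MANAGED: Dict[str, str] = {
    "pfsense-homelab": "10.99.0.11",
    "pfsense-parents": "10.99.0.12",
    "pfsense-vm-test": "10.99.0.13",
}


def build_ccd(managed: Dict[str, str],
              net: ipaddress.IPv4Network = MGMT_NET,
              server_ip: ipaddress.IPv4Address = SERVER_IP) -> Dict[str, str]:
    """Return {common_name: ccd file contents}.

    Raises ValueError for an address outside the tunnel network, a reserved
    address (network, broadcast, server) or an address assigned twice, so a
    mistake is caught here instead of as two clients fighting over one IP.
    """
    seen = set()
    out: Dict[str, str] = {}
    for cn, ip_text in managed.items():
        ip = ipaddress.ip_address(ip_text)
        if ip not in net:
            raise ValueError(f"{cn}: {ip} is outside {net}")
        if ip in (net.network_address, net.broadcast_address, server_ip):
            raise ValueError(f"{cn}: {ip} is reserved")
        if ip in seen:
            raise ValueError(f"{cn}: {ip} already assigned to another CN")
        seen.add(ip)
        # With 'topology subnet', ifconfig-push takes the client address and the
        # subnet mask. OpenVPN selects this file by the client cert's CN, which is
        # why every managed unit needs a certificate with a unique common name.
        out[cn] = f"ifconfig-push {ip} {net.netmask}\n"
    return out


def server_directives(ccd_dir: str, net: ipaddress.IPv4Network = MGMT_NET) -> List[str]:
    """Server-side directives that make the ccd entries effective.

    ccd-exclusive refuses any client whose CN has no ccd file, so a cert that was
    signed but never given an override cannot land in the management network.
    """
    return [
        "topology subnet",
        f"server {net.network_address} {net.netmask}",
        f"client-config-dir {ccd_dir}",
        "ccd-exclusive",
    ]


def write_ccd(managed: Dict[str, str], ccd_dir: str) -> List[str]:
    """Write one file per CN into ccd_dir and return the paths written."""
    entries = build_ccd(managed)
    os.makedirs(ccd_dir, exist_ok=True)
    paths = []
    for cn, body in entries.items():
        path = os.path.join(ccd_dir, cn)
        with open(path, "w") as fh:
            fh.write(body)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for cn, body in build_ccd(MANAGED).items():
        print(f"--- ccd/{cn}\n{body}", end="")
    print("\n".join(server_directives("/var/etc/openvpn/server1/ccd")))
```

On pfSense the equivalent of each generated file is one Client Specific Override whose Common Name matches the client certificate; the script is useful mostly as a pre-flight check when the list of managed firewalls grows, and the ccd-exclusive directive is the caveat worth carrying over: without it, any client that authenticates with a valid cert but has no override still gets an address from the pool.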