6. Configuring your remote firewalls for DFM

Configuring your remote firewalls to get access to DynFi Manager is very easy. You first need to configure one firewall rule to allow your DynFi Manager server to connect to SSH on your remote firewall. Repeat this on all the firewalls you want to connect to DynFi Manager.

We will teach you how to configure you SSH using password based connexion and after will review the key based SSH access method for enhanced security.

6.1. Getting access to your firewalls using SSH

6.1.1. Ensuring that SSH is enabled

You first need to make sure that your firewall has an SSH service enabled and listening on a default or specific TCP port.

You might want to refer to the pfSense SSH documentation or the OPNSense User Documentation

  1. Login to the firewall you want to manage with DynFi Manager.

Login screen for OPNSense devices
  1. Go to: System >> Settings >> Administration

  2. Make sure that “Enable Secure Shell” is ticked

  3. Make sure that “Permit root user login” is ticked

  4. If you are login using password tick “Permit password login”

  5. Optionally change the default port used by the SSH server on your remote firewall

  6. Save the updated configuration

6.1.2. Creating the right firewall rule

  1. Go to: Firewall >> Rules

  2. Select your WAN interface (or the interface you want to connect to)

  3. Add a rule to allow the IP of the DynFi Manager Server to connect to your remote firewall

Firewall rule configuration for an OPNSense Firewall

You can now add your device using DynFi Manager.

Note

If you plan to use Direct View, please repeat the above for port HTTPS(443) and/or HTTP(80), depending on your setup.

6.2. Adding a remote firewall to DynFi Manager

  1. Login to DynFi Manager using your credentials

  2. Go to >> Devices

  3. On the bottom of the page click on “+ Create Device”

Adding a device in DynFi Manager

4. Fill the various fields of the formula 4.1. Connection address 4.2. SSH port (only if using non-default port number) 4.3. Username (you don’t need to provide a username - DynFi Manager will input “root”[1] by default) 4.4. Authorization type (Select “password”) 4.5. Password (input your password of your admin / root account) 5. Click “Create device” when done

An information pannel on the lower right corner of your window tell you that your device has been successfully created.

6.3. Enhancing the security of your SSH access

SSH is a quite secured protocol, but security can always be enhanced. This is specially important to consider since you will want to maintain the highest possible security level between your DynFi Manager device and your remote firewalls.

6.3.1. Limit access to your firewall on SSH port

The rule we have initially created allows anyone to connect to your remote firewall using SSH. Most of the time, this can be narrowed to a much more precise rule with restricted access to the SSH port.

If your DynFi Manager install benefits from a fixed IP address, you can input this address in the “from” field of your rule. If you need to access your firewall using SSH from more than one address, simply create an Alias with all the remote IPs and use It to filter incoming connexions to your firewall on the default SSH port.

6.3.2. Change access from SSH password to SSH key based

For more security, please consider using the “Key based SSH access” and change the default port of your SSH server.

6.4. Using SSH key based authentication

6.4.1. Background information on SSH Key Based access

Accessing your device with SSH key is a very straightforward process. The DynFi Manager team has developed a helper tool to ease the configuration of SSH key based access.

One has to understand how key based authentication is working. Once you have enabled the SSH server on your remote firewall, an SSH Server is deployed on all you firewalls.

In order to access the firewall every user needs to generate a key pair: a private key that the user will keep secret on his user account and a public key that the user will add to an existing user on the Server side (= on the firewall).

6.4.2. How to enable SSH key based access on DynFi Manager?

  1. Login to your DynFi Manager Server using your admin account.

  2. Click on the wheel at the top right of the screen and select “Device default”[2]

  3. Select “SSH Settings”

SSH global settings
  • Choose if you want to apply default settings for newly created devices

  • Set the “Default SSH port” if needed

  • Change “Authorization type” and set It to “key pair”

  • Input a private key if you already have a public / private key pair at hand

  • Alternatively: click the “generate” button (this will automatically generate a key pair for you)

Pop-up windows with a private key auto-generated for you
  • Copy / paste the private key displayed in the window and make sure you keep It in a safe place

  • Click the “Download Public Key” (this will download the public key to your computer)

  • Click “Use this key” in order to use this key

  • Click the “Submit” button

You are now ready to copy / paste the public key on your remote firewall(s)

6.4.3. Generating ECDSA keys for OPNsense ≥ 21.7.5

In OPNsense v. ≥ 21.7.5 which uses OpenSSL v. 8.8 - RSA keys have been deprecated. In order for keys to still work with your OPNsense install, you must generate an ECDSA key pair and copy / paste them into the DynFi Manager GUI.

ECDSA keys will probably be the default keys generated in DynFi Manager upcoming releases. For the time being, please follow these steps :

  1. Open a terminal using your favorite Linux system

  2. Generate the key pair using the following commands :

    root@demo:~# ssh-keygen -t ecdsa

    This shall generate a key pair with the private ecdsa key id_ecdsa and the public ecdsa key id_ecdsa.pub.

  3. Copy / paste the private ecdsa key inside DynFi Manager either in the Preference >> Device defaults >> SSH settings or in the pannel Private key pannel available when adding a new device.

  4. Copy / paste the public ecdsa key in the SSH keys of the root user account inside your firewall device.

You will then be able to add your devices smoothly in DynFi Manager.

Note

Make sure that you do not copy / paste wrongly formated keys in the pannels, this will lead to a broken key.

6.4.4. Configuring the public key on your remote Firewall(s)

  1. Login to your remote firewall

  2. Go to: System >> Access >> Users (OPNSense) or System >> User Manager (pfSense)

  3. Edit the “root” account (OPNSense) or the “admin” account (pfSense)

  4. Paste the key you have downloaded in step 3.7 into the “Authorized keys” field

  5. Save

You can now update the settings of your SSH server and untick the “Permit password login” - make sure that you are doing this after proper testing.

In order to make sure that you don’t loose access to your remote device(s), we recomend that you allow a temporary access to your remote firewall(s) on HTTPs port so that in case of emergency you don’t loose all access to your remote device(s).