11. Direct View

Direct View is DynFi® Manager’s features which allows accessing the Web User Interface (WUI) of attached devices running pfSense™ or OPNsense™.

Instead of connecting to the device directly to use its WUI (which might be tedious if one is not on the LAN side), one can use DynFi Manager as a proxy to access device’s WUI. This is based on the fact, that DynFi Manager is always connected to the devices. This way e.g. no extra VPN connection has to be established when someone wants to access device’s WUI.

11.1. Opening Direct View

To open Direct View for a device, please select the required device. Then in the left menu, please click Direct View. Next, you should click Direct View button if you wish to access device’s WUI in the overlay window or click Direct View in the new tab if you wish to access device’s WUI a separate tab, e.g. to compare two devices’ setups.

_images/opening-direct-view.png — Opening Direct View

11.2. Automatic Login

One of the options is to enter your login credentials not in device’s login screen after opening Direct View, but to enter your login and password in DynFi Manager before. This way the login credentials will be saved for subsequent use.

_images/automatic-login-direct-view.png — Automatic Login in Direct View

Important:

The login and password are saved per DynFi Manager user and per device. E.g. if there are two users of DynFi Manager wishing to open Direct View for the very same device, they both need to provide their login and password. This is because they might be granted different logins and permissions on the device.
If the credentials do not work, they will be removed by DynFi Manager automatically. This is to prevent keeping e.g. passwords which do not work or which no longer work.
The passwords are kept in plain version or encrypted version, depending on the setup of DynFi Manager. Please refer to Storing secrets in DFM database.

11.3. Device Setup

To make Direct View work, DynFi Manager must connect to the device’s WUI on the proper port (80 for HTTP, 443 HTTPS or custom one if set). Therefore, if you see in the Direct View’s message that DynFi Manager cannot connect to the device or timeout took place, it is recommended to check in the first place if the traffic from the DynFi Manager’s host is allowed by the device itself on the specified port. Please see Configuring your remote firewalls for DFM for more details.

11.4. Permissions of Direct View

In order to use Direct View, the user needs to have the permission Direct View: Read assigned. Moreover, even when opening Direct View in a new tab, the users still needs to be logged in to DynFi Manager. Once the user logs out from DynFi Manager, all Direct View tabs are inactivated too.

11.5. Settings of Direct View

Direct View is available in DynFi Manager since version 19.2.0 and it is enabled by default. To disable or enable Direct View or tune other settings, please go to System Settings and select Direct View tab.

_images/direct-view-settings.png — Direct View settings

To disable Direct View globally for all users, please change “Enable Direct View” to Off.

If you are accessing DynFi Manager using IP address, you can skip adding “Hostnames permitted to access Direct View”. However, if your DynFi Manager installation is accessed using a hostname, you need to tell DynFi Manager all the allowed hostnames which can be used.

E.g. if you are running DynFi Manager on your own server with IP address a.b.c.d and access it using your-hostname.local on port xyz, you should add your-hostname.local:xyz to allowed hostnames. If you are already accessing your DynFi Manager instance using your-hostname.local:xyz, you can simply click [Add current hostname] button to have it added for you.

If you would like to disable the check of allowed hostnames totally, you can set “Allow insecure access” to On, but it is NOT RECOMMENDED. When the check is switched off, DynFi Manager cannot check if the requests to Direct View are coming from DynFi Manager or not and e.g. allow CSRF attacks. Therefore even limiting the IP addresses that can access your DynFi Manager server to “safe ones” should not result in disabling this check. Some scenarios which could allow that are: not using any other tabs in browsers (except for DynFi Manager) by all users or using a browser with Same Site cookies feature present.

Note

Please do not forget to submit your changes, else they will not be saved.

11.6. Connectivity issues

In order to access remote firewall with Direct View, DynFi Manager (from its server) needs to be able to connect to the firewall’s Web User Interface The exact port depends on the firewall’s setup, by default this is HTTPS, can also be HTTP or a custom port. In case the connection is not established, please make sure the following (or similar) rule exists:

ALLOW IP_of_DynFi_Manager ACCESS TO FW_Interface ON PORT HTTPS

Please see Creating the right firewall rule for more details. If more information is needed, please check DFM Logs.

It is strongly recommended to access both firewalls and DynFi Manager using HTTPS, not HTTP.

11.7. Configuration options

To tune various configuration options related to Direct View, please refer to Direct View Configuration Options.