best practices for remotely administering a pfSense machine after remote install?
Edit: oops, I didn't read enough docs or I overlooked this option. It seems I can get access to the webConfigurator by using option 12 (PHP shell + pfSense tools) in the pfSense system console menu, and then running the enableallwanallow script. I'm not sure if this is the "best practices" solution, but it's the only "built-in" solution I can find so far...
So, I'm setting up pfSense on a remote server.
The remote server is running ESXi and pfSense is running as a VM on that server.
Therefore, I have local console access to the pfSense machine through the ESXi webUI.
Now, I need to set up a way to access the pfSense webConfigurator remotely. By default, the pfSense webConfig is only accessible to other machines via the LAN interface, but as this pfSense instance is on a remote server, there are no local machines that I could use to access the webConfig (and even if there were, I would have to configure those machines to be accessible through the pfSense firewall first, which I can't do because I can't access the pfSense webConfig).
So, the pfSense docs recommend that best practices are to perform remote management via OpenVPN (makes sense and is most preferable) or via a restricted firewall rule (for example, only from a single trusted remote source IP) or via a reverse SSH tunnel.
All of these are great options, but how do I set them up in the first place without access to the webConfig? I need the webConfig to access the OpenVPN tab and fill out and generate certificates. I need access to the webConfig to create a new firewall rule for webConfig access over the WAN. I can start SSHD from the little pfSense system console menu, but it seems that doesn't automatically create rules to allow SSHD to pass through the WAN firewall, so I again need access to the webConfig to create the necessary rules.
So, the only answer left seems to be, obviously, that I need to use the true console to manually enable remote access to the webConfig, at least temporarily until I can set up a better solution (like OpenVPN).
What would be the best-practice way to enable, via the console, the initial remote access to the pfSense webConfig?
My concern is that, since pfSense seems designed to be administered entirely via the webConfig, it might cause some "conflict" if I set things up "manually" via the console.
Can you create another VM on the remote ESXi server? IMO the quickest option would be to install a Unix-based O/S with a web GUI (my preferred option is Ubuntu) and use that to configure the OpenVPN on the pfSense, then delete the Unix VM.
> So, the pfSense docs recommend that best practices are to perform remote management via OpenVPN
That would be the most secure approach. You don't want to open any management ports directly to the internet.
Thanks. I ended up taking your advice and setting up another light Linux VM to use as simply a browser client.