11. Direct View

Direct View is a DynFi feature that allows access to the Web User Interface (WUI) of attached devices running pfSense™ or OPNsense™.

Instead of connecting to the device directly to use its WUI (which can be tedious when one is not on the LAN side), one can use DynFi as a proxy to access the device’s WUI. This works because DynFi is always connected to the devices, so, for example, no extra VPN connection has to be established to reach a device’s WUI.

11.1. Opening Direct View

To open Direct View for a device, select the required device, then click Direct View in the left menu. Next, click the Direct View button to access the device’s WUI in an overlay window, or click Direct View in the new tab to access the device’s WUI in a separate tab, e.g. to compare two devices’ setups.


Opening Direct View

11.2. Automatic Login

Instead of typing your credentials into the device’s login screen each time you open Direct View, you can enter your login and password in DynFi beforehand. The credentials are then saved for subsequent use.


Automatic Login in Direct View

Important:

  • The login and password are saved per DynFi user and per device. E.g. if two DynFi users wish to open Direct View for the very same device, they both need to provide their login and password. This is because they might be granted different logins and permissions on the device.
  • If the credentials do not work, DynFi removes them automatically. This prevents keeping, e.g., passwords which do not work or which no longer work.
  • The passwords are stored either in plain text or encrypted, depending on the setup of DynFi. Please refer to Storing secrets in DynFi database.

11.3. Device Setup

For Direct View to work, DynFi must connect to the device’s WUI on the proper port (80 for HTTP, 443 for HTTPS, or a custom one if set). Therefore, if the Direct View message says that DynFi cannot connect to the device or that a timeout took place, first check whether the device itself allows traffic from the DynFi host on the specified port. Please see Configuring your remote firewalls for DynFi for more details.

11.4. Permissions of Direct View

In order to use Direct View, the user needs to have the permission Direct View: Read assigned. Moreover, even when opening Direct View in a new tab, the user still needs to be logged in to DynFi. Once the user logs out from DynFi, all Direct View tabs are deactivated too.

11.5. Settings of Direct View

Direct View is available in DynFi since version 19.2.0 and it is enabled by default. To disable or enable Direct View or tune other settings, please go to System Settings and select Direct View tab.


Direct View settings

To disable Direct View globally for all users, please change “Enable Direct View” to Off.

If you are accessing DynFi using an IP address, you can skip adding “Hostnames permitted to access Direct View”. However, if your DynFi installation is accessed using a hostname, you need to tell DynFi all the hostnames that are allowed to be used.

E.g. if you are running DynFi on your own server with IP address a.b.c.d and access it using your-hostname.local on port xyz, you should add your-hostname.local:xyz to allowed hostnames. If you are already accessing your DynFi instance using your-hostname.local:xyz, you can simply click [Add current hostname] button to have it added for you.

If you would like to disable the allowed-hostnames check entirely, you can set “Allow insecure access” to On, but this is NOT RECOMMENDED. When the check is switched off, DynFi cannot verify whether requests to Direct View come from DynFi itself, which can, e.g., allow CSRF attacks. Therefore, even limiting the IP addresses that can access your DynFi server to “safe ones” should not be a reason to disable this check. Some scenarios in which disabling it could be acceptable are: all users keeping no browser tabs open other than DynFi, or using a browser that supports the Same Site cookies feature.
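
To illustrate why the hostname check matters, the following is an added example (not DynFi’s code, and not a description of its implementation) of how an allowed-hostnames check of this kind can reject cross-site requests. The header logic, the function names, port 8443 and the sample hosts are assumptions made for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _authority(url):
    """Normalise a URL to 'host' or 'host:port' (default port dropped)."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if ":" in host:
        host = f"[{host}]"  # keep IPv6 literals bracketed
    return host if port in (None, DEFAULT_PORTS[parts.scheme]) else f"{host}:{port}"

def direct_view_allowed(scheme, headers, allowed_hostnames, allow_insecure=False):
    """Decide whether a Direct View request may proceed (assumed logic)."""
    if allow_insecure:
        return True  # check disabled: a forged cross-site request passes too
    target = _authority(f"{scheme}://{headers.get('Host', '')}")
    source = _authority(headers.get("Origin") or headers.get("Referer") or "")
    if target is None or source is None:
        return False
    allowed = {_authority(f"{scheme}://{h}") for h in allowed_hostnames}
    if not _is_ip(urlsplit("//" + target).hostname) and target not in allowed:
        return False  # hostname access needs an entry such as host:port
    return source == target  # must come from DynFi's own pages

# Constructed sample requests; hostnames, port and addresses are placeholders.
ALLOWED = ["your-hostname.local:8443"]
SAME_SITE = {"Host": "your-hostname.local:8443",
             "Origin": "https://your-hostname.local:8443"}
CROSS_SITE = {"Host": "your-hostname.local:8443",
              "Origin": "https://other-site.example"}
BY_IP = {"Host": "192.0.2.10:8443",
         "Referer": "https://192.0.2.10:8443/direct-view"}
```

With the check enabled, only the request whose source matches an allowed DynFi hostname (or the IP address it was sent to) is accepted; with `allow_insecure=True` the cross-site request is accepted as well.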

Note

Please do not forget to submit your changes, else they will not be saved.

11.6. Connectivity issues

In order to access a remote firewall with Direct View, DynFi (from its server) needs to be able to connect to the firewall’s Web User Interface. The exact port depends on the firewall’s setup: by default this is HTTPS, but it can also be HTTP or a custom port. If the connection cannot be established, please make sure the following (or a similar) rule exists:

ALLOW IP_of_DynFi_Manager ACCESS TO FW_Interface ON PORT HTTPS

Please see Creating the right firewall rule for more details. If more information is needed, please check Logs.

It is strongly recommended to access both firewalls and DynFi using HTTPS, not HTTP.

11.7. Configuration options

To tune various configuration options related to Direct View, please refer to Direct View Configuration Options.