6. Configuring your remote firewalls for DynFi

Configuring your remote firewalls to get access to DynFi is very easy. You first need to configure one firewall rule to allow your DynFi server to connect to SSH on your remote firewall. Repeat this on all the firewalls you want to connect to DynFi.

We will teach you how to configure you SSH using password based connexion and after will review the key based SSH access method for enhanced security.

6.1. Getting access to your firewalls using SSH

6.1.1. Ensuring that SSH is enabled

You first need to make sure that your firewall has an SSH service enabled and listening on a default or specific TCP port.

You might want to refer to the pfSense SSH documentation or the OPNSense User Documentation

  1. Login to the firewall you want to manage with DynFi.
Login screen for OPNSense devices
  1. Go to: System >> Settings >> Administration
  2. Make sure that “Enable Secure Shell” is ticked
  3. Make sure that “Permit root user login” is ticked
  4. If you are login using password tick “Permit password login”
  5. Optionally change the default port used by the SSH server on your remote firewall
  6. Save the updated configuration

6.1.2. Creating the right firewall rule

  1. Go to: Firewall >> Rules
  2. Select your WAN interface (or the interface you want to connect to)
  3. Add a rule to allow the IP of the DynFi Server to connect to your remote firewall
Firewall rule configuration for an OPNSense Firewall

You can now add your device using DynFi.

6.2. Adding a remote firewall to DynFi

  1. Login to DynFi using your credentials
  2. Go to >> Devices
  3. On the bottom of the page click on “+ Create Device”
Adding a device in DynFi

4. Fill the various fields of the formula 4.1. Connection address 4.2. SSH port (only if using non-default port number) 4.3. Username (you don’t need to provide a username - DynFi will input “root”[1] by default) 4.4. Authorization type (Select “password”) 4.5. Password (input your password of your admin / root account) 5. Click “Create device” when done

An information pannel on the lower right corner of your window tell you that your device has been successfully created.

6.3. Enhancing the security of your SSH access

SSH is a quite secured protocol, but security can always be enhanced. This is specially important to consider since you will want to maintain the highest possible security level between your DynFi device and your remote firewalls.

6.3.1. Limit access to your firewall on SSH port

The rule we have initially created allows anyone to connect to your remote firewall using SSH. Most of the time, this can be narrowed to a much more precise rule with restricted access to the SSH port.

If your DynFi install benefits from a fixed IP address, you can input this address in the “from” field of your rule. If you need to access your firewall using SSH from more than one address, simply create an Alias with all the remote IPs and use It to filter incoming connexions to your firewall on the default SSH port.

6.3.2. Change access from SSH password to SSH key based

For more security, please consider using the “Key based SSH access” and change the default port of your SSH server.

6.4. Using SSH key based authentication

6.4.1. Background information on SSH Key Based access

Accessing your device with SSH key is a very straightforward process. The DynFi team has developped a helper tool to ease the configuration of SSH key based access.

One has to understand how key based authentication is working. Once you have enabled the SSH server on your remote firewall, an SSH Server is deployed on all you firewalls.

In order to access the firewall every user needs to generate a key pair: a private key that the user will keep secret on his user account and a public key that the user will add to an existing user on the Server side (= on the firewall).

6.4.2. How to enable SSH key based access on DynFi ?

  1. Login to your DynFi Server using your admin account.
  2. Click on the wheel at the top right of the screen and select “Device default”[2]
  3. Select “SSH Settings”
SSH global settings

3.1. Choose if you want to apply default settings for newly created devices 3.2. Set the “Default SSH port” if needed 3.3. Change “Authorization type” and set It to “key pair” 3.4. Input a private key if you already have a public / private key pair at hand 3.5. Alternatively: click the “generate” button (this will automatically generate a key pair for you)

Pop-up windows with a private key auto-generated for you

3.6. Copy / paste the private key displayed in the window and make sure you keep It in a safe place 3.7. Click the “Download Public Key” (this will download the public key to your computer) 3.8. Click “Use this key” in order to use this key 3.9. Click the “Submit” button

You are now ready to copy / paste the public key on your remote firewall(s)

6.4.3. Configuring the public key on your remote Firewall(s)

  1. Login to your remote firewall
  2. Go to: System >> Access >> Users (OPNSense) or System >> User Manager (pfSense)
  3. Edit the “root” account (OPNSense) or the “admin” account (pfSense)
  4. Paste the key you have downloaded in step 3.7 into the “Authorized keys” field
  5. Save

You can now update the settings of your SSH server and untick the “Permit password login” - make sure that you are doing this after proper testing.

In order to make sure that you don’t loose access to your remote device(s), we recomend that you allow a temporary access to your remote firewall(s) on HTTPs port so that in case of emergency you don’t loose all access to your remote device(s).

[1]The pfSense firewall is using the account “admin” - this account is directly tied to the “root” account. Therefore you don’t have to try to change the username to “admin” in the DynFi Edit pannel. Even though “root” is not allowed as a password for GUI login, It is perfectly ok to use it to login with SSH.
[2]You can also perform this operation device by device - we are shocasing how to allow you to set the same settings for all your devices.