Why OPNsense Makes This Easy

If you are comparing pfSense and OPNsense for this integration, OPNsense has one clear advantage: native NetFlow export. OPNsense ships with a built-in flow exporter under Reporting > NetFlow. You do not need to install softflowd or any other package. Just enable it, pick your interface, add a capture target, and flows start moving.

OPNsense also supports multiple capture targets simultaneously. You can send flows to Flowtriq for DDoS detection and to ntopng or Elasticsearch for traffic analytics at the same time. Each target receives identical flow data.

The actual detection quality is identical between pfSense and OPNsense. Both produce standard NetFlow records that ftagent analyzes the same way. The difference is purely in setup convenience.

Setup Guide

Step 1: Install ftagent on a Linux host

ftagent does not run on OPNsense itself (HardenedBSD-based), so install it on any Linux machine reachable from your OPNsense box. A VM, a container, or an existing server all work. Requirements: 1 CPU core, 512 MB RAM.

curl -sL https://get.flowtriq.com | sudo bash

During setup, enter your deploy token (from Flowtriq dashboard > Settings > API) and select "flow" mode with listen port 2055.

Step 2: Enable NetFlow on OPNsense

In the OPNsense web interface:

  1. Go to Reporting > NetFlow
  2. Under Local Settings, check Enable local capture
  3. Select your WAN interface under Listening interfaces
  4. Under Capture Targets, click + to add a new target
  5. Enter the ftagent host IP and port 2055
  6. Set NetFlow version to 9
  7. Click Save, then Apply

That is it on the OPNsense side. No packages to install, no SSH required, no config files to edit.

Use our OPNsense setup generator to get pre-filled instructions for your specific IP addresses and interface names.

Step 3: Verify flows are arriving

On your ftagent host:

sudo ftagent --status

You should see flow counts increasing within a minute or two. If you want to verify at the packet level:

sudo tcpdump -i any -n udp port 2055 -c 10

In the Flowtriq dashboard, your node will show active flow ingestion and traffic graphs will start building.
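If tcpdump shows datagrams on port 2055 but ftagent's counters stay flat, the next question is what those datagrams contain. The following added example (not ftagent or OPNsense code) parses the NetFlow v9 header and walks the FlowSet list so you can confirm the exporter is really sending version 9, as set in Step 2, and that data records rather than only templates are arriving. It assumes you add a second OPNsense capture target pointing at a spare UDP port (2056 here) on the ftagent host, since ftagent already owns 2055; the sample datagram is constructed, not captured.

```python
import socket
import struct
from collections import Counter

NETFLOW_V9 = 9                            # the version selected in Step 2
HEADER_FMT = "!HHIIII"                    # version, count, sysUptime, unixSecs, sequence, sourceId
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes

# Constructed sample datagram (not a real capture): v9 header, a template FlowSet
# (id 0) defining template 256, and a data FlowSet (id 256) carrying one record.
SAMPLE_V9 = bytes.fromhex("00090002 0001E240 6553F100 0000002A 00000000"
                          "00000014 01000003 00080004 000C0004 00040001"
                          "01000010 0A000001 C000020A 06000000")

def parse_v9_header(packet):
    """Return the v9 header fields as a dict, or None if short or not version 9."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[:2])[0] != NETFLOW_V9:
        return None
    fields = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return dict(zip(("count", "sys_uptime_ms", "unix_secs", "sequence", "source_id"), fields[1:]))

def flowset_ids(packet):
    """Return (id, length) of each FlowSet: 0 = template, 1 = options, >= 256 = data."""
    out, offset = [], HEADER_LEN
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            break  # malformed length: stop rather than loop forever or over-read
        out.append((fs_id, fs_len))
        offset += fs_len
    return out

def classify(packet):
    """'not-v9' (exporter version mismatch), 'data', or 'no-data' (templates only)."""
    if parse_v9_header(packet) is None:
        return "not-v9"
    return "data" if any(fs_id >= 256 for fs_id, _ in flowset_ids(packet)) else "no-data"

def listen(port=2056, max_packets=20):
    """Count (exporter, kind) on a spare UDP port; do not bind 2055 while ftagent runs."""
    counts = Counter()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(120)  # roughly one default active-timeout period
        for _ in range(max_packets):
            try:
                data, (exporter, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            counts[(exporter, classify(data))] += 1
    return counts
```

A result such as `{('192.168.1.1', 'not-v9'): 20}` means the OPNsense target is still exporting a different NetFlow version; `no-data` only means no flow has yet crossed a timeout since the exporter started.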

Step 4: Tune the timeouts (optional)

OPNsense's default NetFlow timeouts work well for most setups. If you want lower detection latency, you can tune them under Reporting > NetFlow:

  • Active timeout: How often long-lived flows are exported. Default 120 seconds. Lower values (30-60s) reduce latency for long connections.
  • Inactive timeout: How quickly idle flows are exported. Default 15 seconds. This is already reasonable for DDoS detection.

Lower timeouts mean more frequent exports, which slightly increases CPU usage on OPNsense and network traffic between OPNsense and ftagent. For most networks, the defaults are fine.

What Attacks It Detects

From OPNsense NetFlow data, Flowtriq detects and classifies:

  • SYN floods: Abnormal rates of TCP SYN packets from many sources
  • UDP amplification: DNS, NTP, memcached, CLDAP, SSDP, SNMP, and other reflection vectors
  • ICMP floods: Ping floods and ICMP-based resource exhaustion
  • GRE floods: Encapsulated traffic floods often used by botnets
  • Fragmentation attacks: IP fragment floods targeting reassembly buffers
  • Carpet bombing: Low-volume attacks spread across many destination IPs

Every detection includes the attack family, confidence score, target IP, source breakdown, and traffic metrics. Alerts fire through your configured channels (Discord, Slack, PagerDuty, email, webhooks) with all this detail included.

Multi-Target Export

One of OPNsense's strengths is multi-target NetFlow export. If you already send flows to ntopng, Grafana, or Elasticsearch, you do not have to choose. Add ftagent as an additional capture target and both collectors receive identical data.

This is particularly useful for organizations that want DDoS detection alongside traffic analytics without duplicating infrastructure or running multiple capture tools on the firewall.

Tradeoffs to Know

Detection latency: NetFlow adds 15-60 seconds of latency because flows are batched before export. For volumetric DDoS attacks, which typically last minutes or hours, this is fast enough. For sub-second detection, install ftagent directly on the servers behind OPNsense.

No PCAP: NetFlow is metadata only. You get connection summaries, not packet payloads. For forensic evidence, add direct ftagent installs on critical servers.

No on-OPNsense blocking: ftagent deploys firewall rules on the Linux host where it runs, not on OPNsense. For OPNsense-level blocking, use BGP FlowSpec to have upstream providers drop traffic before it reaches your firewall, or use Flowtriq webhooks to trigger OPNsense API calls.

Start your free 14-day trial. Real-time DDoS detection for your OPNsense network with no plugins needed. No credit card required. Sign up here.