The Problem
pfSense is a solid firewall. It handles NAT, VPN, traffic shaping, and stateful packet filtering well. But it does not tell you when you are being DDoSed.
If a UDP amplification flood hits your WAN, pfSense will process every packet through its firewall rules. Your state table fills up, latency climbs, and eventually services behind the firewall start dropping. You notice because users complain, not because pfSense raised an alarm.
There is no built-in mechanism in pfSense for traffic anomaly detection, attack classification, or automated alerting. The traffic graphs under Status > Traffic Graphs show bandwidth, but they do not distinguish between a legitimate traffic spike and a SYN flood.
The Solution: NetFlow + Flowtriq
The approach is straightforward: make pfSense export metadata about every connection it sees (NetFlow), then feed that metadata to a DDoS detection engine (Flowtriq) that knows what attack traffic looks like.
pfSense does not have a native NetFlow exporter, but the softflowd package fills that gap. It watches traffic on your WAN interface and generates NetFlow v5 or v9 records. Those records are UDP packets containing flow summaries: source IP, destination IP, ports, protocol, byte count, packet count, and timestamps.
Flowtriq's agent (ftagent) receives these flow records on a Linux host, analyzes them against learned baselines, and detects anomalies. When it spots an attack, it classifies the vector (SYN flood, UDP amplification, DNS reflection, etc.), sends alerts through your configured channels, and can trigger automated mitigation.
Step-by-Step Setup
Step 1: Install ftagent on a Linux host
ftagent needs to run on a Linux machine, not on pfSense itself (which runs FreeBSD). This can be any Linux server on your network: a VM, a container, an existing monitoring box, or even a $5/month VPS. The requirements are minimal: 1 CPU core, 512 MB RAM.
curl -sL https://get.flowtriq.com | sudo bash
The installer detects your OS, installs ftagent, and prompts you for your deploy token (from the Flowtriq dashboard under Settings > API). If your change policy requires it, download the script first and review it before running it with sudo. During setup, select "flow" mode and set the listen port to 2055 (the default NetFlow port).
Step 2: Install softflowd on pfSense
In the pfSense web interface:
- Go to System > Package Manager > Available Packages
- Search for softflowd
- Click Install and confirm
The package installs in seconds. Both pfSense CE and pfSense Plus support it.
Step 3: Configure softflowd
Go to Services > softflowd and configure:
- Interface: WAN
- Host: Your ftagent Linux host IP (e.g., 10.0.0.50)
- Port: 2055
- Max Flows: 8192
- NetFlow Version: 9
- Tracking Level: Full
Click Save. softflowd starts exporting immediately.
Use our pfSense setup generator to get these exact values pre-filled for your environment.
Step 4: Verify flows are arriving
On your ftagent host, run:
sudo ftagent --status
You should see flow ingestion stats within a couple of minutes. You can also use tcpdump to confirm raw NetFlow packets are arriving:
sudo tcpdump -i any -n udp port 2055 -c 10
In the Flowtriq dashboard, your node will show "Flow ingestion: active" and traffic graphs will start populating.
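Step 4 relies on ftagent --status and tcpdump. As an added illustration of the record layout described under "The Solution" (this is my own example, not code from Flowtriq or softflowd), the Python script below binds UDP 2055 and decodes what arrives: full NetFlow v5 records, and for v9 (the version configured in Step 3) the packet header and FlowSet ids, which is enough to confirm the exporter is sending templates (id 0) and data (id 256 and above). The sample packets are constructed inside the script; the bind address and port are assumptions.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5: fixed 24-byte header followed by `count` fixed 48-byte records
V5_HEADER_FMT = "!HHIIIIBBH"
V5_RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
V5_HEADER_LEN = struct.calcsize(V5_HEADER_FMT)   # 24
V5_RECORD_LEN = struct.calcsize(V5_RECORD_FMT)   # 48
# NetFlow v9: 20-byte header followed by FlowSets (id 0 = templates, id >= 256 = data)
V9_HEADER_FMT = "!HHIIII"
V9_HEADER_LEN = struct.calcsize(V9_HEADER_FMT)   # 20

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}


def parse_v5_packet(data):
    """Decode a NetFlow v5 export packet into (header, records); ValueError if malformed."""
    if len(data) < V5_HEADER_LEN:
        raise ValueError("packet shorter than a v5 header")
    (version, count, _uptime, unix_secs, _nsecs, sequence,
     _engine_type, _engine_id, sampling) = struct.unpack(V5_HEADER_FMT, data[:V5_HEADER_LEN])
    if version != 5:
        raise ValueError(f"not a NetFlow v5 packet (version {version})")
    if len(data) < V5_HEADER_LEN + count * V5_RECORD_LEN:
        raise ValueError("header record count exceeds payload length")
    records = []
    for i in range(count):
        off = V5_HEADER_LEN + i * V5_RECORD_LEN
        f = struct.unpack(V5_RECORD_FMT, data[off:off + V5_RECORD_LEN])
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6], "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12],
            "proto": PROTO_NAMES.get(f[13], str(f[13])),
        })
    header = {"version": 5, "count": count, "exported_at": unix_secs,
              "sequence": sequence, "sampling_interval": sampling & 0x3FFF}
    return header, records


def walk_v9_flowsets(data):
    """For a v9 packet return (sequence, [(flowset_id, length), ...]) without decoding records."""
    if len(data) < V9_HEADER_LEN:
        raise ValueError("packet shorter than a v9 header")
    version, _count, _uptime, _secs, sequence, _source_id = struct.unpack(V9_HEADER_FMT, data[:V9_HEADER_LEN])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    sets, off = [], V9_HEADER_LEN
    while off + 4 <= len(data):
        set_id, length = struct.unpack("!HH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("FlowSet length runs past end of packet")
        sets.append((set_id, length))
        off += length
    return sequence, sets


def build_v5_packet(flows, sequence=0):
    """Construct a v5 packet from simple dicts; used here only to produce sample input."""
    body = b"".join(struct.pack(
        V5_RECORD_FMT, int(IPv4Address(r["src"])), int(IPv4Address(r["dst"])), 0, 1, 2,
        r["packets"], r["bytes"], 1000, 2000, r["sport"], r["dport"],
        0, r.get("tcp_flags", 0), r["proto"], 0, 0, 0, 24, 24, 0) for r in flows)
    header = struct.pack(V5_HEADER_FMT, 5, len(flows), 123456, 1700000000, 0, sequence, 0, 0, 0)
    return header + body


def build_v9_sample():
    """Constructed v9 packet: one template FlowSet (id 0) and one data FlowSet (id 256)."""
    header = struct.pack(V9_HEADER_FMT, 9, 2, 123456, 1700000000, 7, 0)
    # template 256 with a single field: IPV4_SRC_ADDR (type 8), 4 bytes long
    template = struct.pack("!HHHHHH", 0, 12, 256, 1, 8, 4)
    data = struct.pack("!HHI", 256, 8, int(IPv4Address("198.51.100.7")))
    return header + template + data


def listen(bind="0.0.0.0", port=2055, max_packets=None):
    """Receive exports from softflowd and print a summary per packet (Ctrl-C to stop)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    seen = 0
    while max_packets is None or seen < max_packets:
        data, (exporter, _) = sock.recvfrom(65535)
        seen += 1
        version = struct.unpack("!H", data[:2])[0] if len(data) >= 2 else None
        try:
            if version == 5:
                hdr, recs = parse_v5_packet(data)
                print(f"{exporter}: v5 seq={hdr['sequence']} records={hdr['count']}")
                for r in recs:
                    print(f"  {r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
                          f"pkts={r['packets']} bytes={r['bytes']} flags=0x{r['tcp_flags']:02x}")
            elif version == 9:
                seq, sets = walk_v9_flowsets(data)
                print(f"{exporter}: v9 seq={seq} flowsets={sets}")
            else:
                print(f"{exporter}: ignoring version {version}")
        except ValueError as err:
            print(f"{exporter}: malformed packet dropped ({err})")


if __name__ == "__main__":
    listen()
```

Run it on the ftagent host while ftagent is stopped (only one process can bind 2055), or on any other Linux box you point softflowd at for a minute. Gaps in the printed sequence numbers mean exports are being lost between pfSense and the collector, which is worth knowing before you trust the baselines built from them.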
Step 5: Configure alerts
In the Flowtriq dashboard, go to your node settings and configure alert channels: Discord, Slack, PagerDuty, email, SMS, or webhooks. When an attack is detected, you get an alert with the attack type, target IP, traffic volume, and a direct link to the incident timeline.
What Attacks It Catches
Flowtriq classifies attacks into families using flow metadata. From pfSense NetFlow, it detects:
- SYN floods: High rate of new TCP connections with SYN flag
- UDP amplification: DNS, NTP, memcached, CLDAP, SSDP, and other reflection vectors
- ICMP floods: Ping floods and ICMP-based attacks
- GRE floods: Encapsulated traffic floods
- Fragmentation attacks: IP fragment floods designed to exhaust reassembly buffers
- Protocol anomalies: Unusual protocol distributions that deviate from your baseline
Each classification comes with a confidence score and the raw metrics that triggered detection. You do not get a generic "traffic spike" alert; you get "UDP amplification via DNS reflection targeting 203.0.113.10, 4.2 Gbps, 3.1M PPS."
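As an added example of the kind of flow-based classification this list describes (my own illustration, not Flowtriq's detection logic, whose learned baselines and thresholds are not public), the Python below scores one export window of flow records against a per-target baseline and returns findings carrying a confidence score and the metrics that triggered them, for three of the families above: SYN floods, UDP amplification keyed on the reflector's source port, and ICMP floods. The flow records, the baseline rates, the 10x trigger ratio and the confidence mapping are all constructed assumptions.

```python
import math
from collections import defaultdict

SYN_ONLY = 0x02          # TCP flag byte as carried in NetFlow records: SYN set, ACK clear
TRIGGER_RATIO = 10.0     # assumed: report when a target's rate is 10x its baseline
# UDP source ports of common reflection services (assumed list, matching the families above)
REFLECTION_PORTS = {53: "dns", 123: "ntp", 11211: "memcached", 389: "cldap", 1900: "ssdp"}


def _confidence(ratio):
    """Map observed/baseline ratio to 0..1: 10x -> 0.33, 100x -> 0.67, 1000x and above -> 1.0."""
    return round(min(1.0, math.log10(ratio) / 3), 2)


def _finding(family, vector, target, observed_pps, baseline_pps, extra):
    ratio = observed_pps / baseline_pps
    if ratio < TRIGGER_RATIO:
        return None
    return {"family": family, "vector": vector, "target": target,
            "confidence": _confidence(ratio),
            "metrics": {"pps": round(observed_pps, 1), "baseline_pps": baseline_pps, **extra}}


def classify_window(flows, baseline, window_seconds):
    """Aggregate one export window per target and return a list of attack findings."""
    syn = defaultdict(lambda: {"packets": 0, "sources": set()})
    amp = defaultdict(lambda: defaultdict(lambda: {"packets": 0, "bytes": 0}))
    icmp = defaultdict(int)
    for f in flows:
        pkts = max(f["packets"], 1)
        if f["proto"] == "tcp" and f["tcp_flags"] == SYN_ONLY and pkts <= 2:
            # half-open attempts: SYN seen, handshake never completed
            syn[f["dst"]]["packets"] += pkts
            syn[f["dst"]]["sources"].add(f["src"])
        elif f["proto"] == "udp" and f["sport"] in REFLECTION_PORTS and f["bytes"] / pkts > 512:
            # large replies arriving from a reflection service port
            a = amp[f["dst"]][REFLECTION_PORTS[f["sport"]]]
            a["packets"] += pkts
            a["bytes"] += f["bytes"]
        elif f["proto"] == "icmp":
            icmp[f["dst"]] += pkts

    findings = []
    for dst, s in syn.items():
        fd = _finding("syn_flood", "tcp_syn", dst, s["packets"] / window_seconds,
                      baseline["syn_pps"], {"distinct_sources": len(s["sources"])})
        if fd:
            findings.append(fd)
    for dst, vectors in amp.items():
        for vec, a in vectors.items():
            mbps = a["bytes"] * 8 / window_seconds / 1e6
            fd = _finding("udp_amplification", vec, dst, a["packets"] / window_seconds,
                          baseline["udp_pps"], {"mbps": round(mbps, 1)})
            if fd:
                findings.append(fd)
    for dst, pkts in icmp.items():
        fd = _finding("icmp_flood", "icmp", dst, pkts / window_seconds, baseline["icmp_pps"], {})
        if fd:
            findings.append(fd)
    return findings


# Constructed per-target baseline rates (packets per second) standing in for learned ones
BASELINE = {"syn_pps": 5.0, "udp_pps": 50.0, "icmp_pps": 2.0}


def constructed_window():
    """A 10-second window of constructed flow records: two attacks plus normal background."""
    flows = []
    for i in range(2000):   # single-packet SYNs from 254 distinct sources, never completed
        flows.append({"src": f"198.51.100.{i % 254 + 1}", "dst": "203.0.113.10", "sport": 1024 + i,
                      "dport": 443, "proto": "tcp", "tcp_flags": SYN_ONLY, "packets": 1, "bytes": 60})
    for i in range(500):    # large DNS answers from many reflectors, source port 53
        flows.append({"src": f"192.0.2.{i % 254 + 1}", "dst": "203.0.113.10", "sport": 53,
                      "dport": 40000 + i, "proto": "udp", "tcp_flags": 0, "packets": 30, "bytes": 40000})
    flows.append({"src": "198.51.100.200", "dst": "203.0.113.20", "sport": 51000, "dport": 443,
                  "proto": "tcp", "tcp_flags": 0x1b, "packets": 40, "bytes": 30000})   # normal session
    flows.append({"src": "198.51.100.201", "dst": "203.0.113.20", "sport": 0, "dport": 0,
                  "proto": "icmp", "tcp_flags": 0, "packets": 4, "bytes": 336})        # a few pings
    return flows


if __name__ == "__main__":
    for finding in classify_window(constructed_window(), BASELINE, window_seconds=10):
        print(finding)
```

On the constructed window this reports a SYN flood and a DNS amplification against 203.0.113.10, each with the packet rate, the baseline it was compared to and the family-specific metric (distinct sources, Mbps), while the normal session and the handful of pings produce nothing. The point of keying amplification on the reflector's source port is that the flows look like legitimate replies one at a time; only the aggregate rate and bytes-per-packet give them away.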
What to Expect
The pfSense integration gives you full volumetric DDoS detection with a couple of tradeoffs to be aware of:
Detection latency: NetFlow export adds 15 to 60 seconds of latency compared to direct packet analysis. softflowd batches flows before exporting. For volumetric attacks that typically last minutes to hours, this is fast enough to trigger useful mitigation. If you need sub-second detection, install ftagent directly on the servers behind pfSense in addition to the NetFlow integration.
No PCAP: NetFlow records are metadata (headers), not full packet captures. You get source, destination, ports, protocol, and volume, but not payload. For forensic-grade evidence, add a direct ftagent install on your critical servers.
No on-pfSense blocking: ftagent runs on a separate Linux host, so its automated firewall rules deploy there, not on pfSense. For pfSense-level blocking, you can use Flowtriq's webhook alerts to trigger pfSense API calls via a custom script, or use BGP FlowSpec to have your upstream drop traffic before it reaches pfSense.
Start your free 14-day trial. Full DDoS detection for your pfSense network in under 5 minutes. No credit card required. Sign up here and use our setup generator to get your exact configuration.