Detection is easy. Installing OPNSense and configuring NetFlow

Continuing the series of articles "Detection is easy", dedicated to Detection engineering (DE), which I write about in the Telegram channel of the same name. Today we will look at installing OPNSense on Proxmox and configuring NetFlow export to the ElastiFlow collector that we set up in the previous article.

First, connect to Proxmox VE and create a virtual machine with two network interfaces.

qm create 110 --name OPNsense --memory 2048 --cores 2 --net0 virtio,bridge=vmbr0 --net1 virtio,bridge=vmbr200 --scsihw virtio-scsi-pci --scsi0 local-lvm:10

Download the ISO image archive from the official OPNsense website and unpack it.

wget https://mirror.ams1.nl.leaseweb.net/opnsense/releases/24.7/OPNsense-24.7-dvd-amd64.iso.bz2 && bzip2 -d OPNsense-24.7-dvd-amd64.iso.bz2

Connect the ISO image to the created virtual machine.

qm set 110 --cdrom local:iso/OPNsense-24.7-dvd-amd64.iso

Start OPNSense.

qm start 110

Open the PVE console of the virtual machine and assign the two network interfaces as WAN and LAN. Log in with the username and password installer:opnsense, and the installation process will begin.

After that, connect to the web interface and log in as root. To configure NetFlow, go to the Reporting -> NetFlow tab.

Several parameters are available here:
Listening interfaces - the interfaces from which NetFlow is exported
WAN interfaces - the interfaces used as WAN, so that NAT traffic is not counted twice
Capture local - store statistics locally on the firewall (we don't need this)
Version - NetFlow version, select v9
Destinations - the address and port of the NetFlow collector we set up in the previous article.
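Once the destination is set, the obvious check is whether v9 packets actually arrive at the collector and whether they can be decoded. The following parser is an added example written for this article; it is not code from OPNsense or ElastiFlow. It parses a NetFlow v9 export packet (20-byte header, then template and data FlowSets) and decodes flow records using the templates it has seen. The sample packet is constructed inline; the listening port 2055 in receive_and_parse is an assumption and should be changed to whatever port you entered under Destinations. The example also shows the v9 caveat worth knowing during troubleshooting: a data FlowSet that arrives before its template cannot be decoded, so a freshly configured collector may show nothing until the exporter sends its next template refresh.

```python
import socket
import struct

# NetFlow v9 export packet header (RFC 3954): version, count, sysUptime, unixSecs, sequence, sourceId
NETFLOW_V9_HEADER = struct.Struct("!HHIIII")
# Every FlowSet starts with a 2-byte id and a 2-byte length (length includes these 4 bytes)
FLOWSET_HEADER = struct.Struct("!HH")

# Subset of standard v9 field types used by the sample template below
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}


def decode_field(ftype, raw):
    """Render IPv4 address fields dotted, everything else as a big-endian integer."""
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates=None):
    """Parse one export packet. `templates` is the cache shared across packets from one exporter."""
    templates = templates if templates is not None else {}
    if len(packet) < NETFLOW_V9_HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    version, count, uptime, unix_secs, seq, source_id = NETFLOW_V9_HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    result = {"version": version, "sequence": seq, "source_id": source_id,
              "export_time": unix_secs, "templates": [], "records": [], "undecodable_flowsets": []}
    offset = NETFLOW_V9_HEADER.size
    while offset + FLOWSET_HEADER.size <= len(packet):
        fs_id, fs_len = FLOWSET_HEADER.unpack_from(packet, offset)
        if fs_len < FLOWSET_HEADER.size or offset + fs_len > len(packet):
            raise ValueError("truncated or malformed FlowSet")
        body = packet[offset + FLOWSET_HEADER.size: offset + fs_len]
        if fs_id == 0:
            # Template FlowSet: one or more (template id, field count, [type, length]...) records
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if tid == 0 and nfields == 0:
                    break  # reached trailing padding
                fields = []
                for _ in range(nfields):
                    ftype, flen = struct.unpack_from("!HH", body, pos)
                    pos += 4
                    fields.append((ftype, flen))
                templates[tid] = fields
                result["templates"].append(tid)
        elif fs_id == 1:
            pass  # Options Template FlowSet: not needed for this check
        elif fs_id >= 256:
            # Data FlowSet: decodable only if the matching template was seen earlier
            fields = templates.get(fs_id)
            if fields is None:
                result["undecodable_flowsets"].append(fs_id)
            else:
                rec_len = sum(flen for _, flen in fields)
                pos = 0
                while rec_len and pos + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    result["records"].append(rec)
        offset += fs_len
    return result


def build_sample_packet(include_template=True):
    """Constructed sample: one template (id 256) and one data record describing a TCP/443 flow."""
    header = NETFLOW_V9_HEADER.pack(9, 2 if include_template else 1, 123456, 1700000000, 42, 1)
    tmpl_fields = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4), (4, 1)]
    tmpl_body = struct.pack("!HH", 256, len(tmpl_fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in tmpl_fields)
    template_fs = FLOWSET_HEADER.pack(0, FLOWSET_HEADER.size + len(tmpl_body)) + tmpl_body
    record = (socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.20")
              + struct.pack("!HHIB", 51515, 443, 1500, 6))
    record += b"\x00" * (-len(record) % 4)  # pad the Data FlowSet to a 4-byte boundary
    data_fs = FLOWSET_HEADER.pack(256, FLOWSET_HEADER.size + len(record)) + record
    return header + (template_fs if include_template else b"") + data_fs


def receive_and_parse(port=2055, timeout=10.0):
    """Bind the collector port (assumed 2055) and parse the first datagram from the firewall."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        data, peer = sock.recvfrom(65535)
        return peer[0], parse_netflow_v9(data)


if __name__ == "__main__":
    print(parse_netflow_v9(build_sample_packet()))
    print(parse_netflow_v9(build_sample_packet(include_template=False)))
```

Run receive_and_parse on the collector host while ElastiFlow is stopped (otherwise the port is taken) to confirm that the source address is the firewall's and that the records decode as expected; a steady stream of undecodable_flowsets usually means the collector was restarted and is waiting for the next template.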

This completes the installation of OPNSense and the configuration of NetFlow. Here it looks quite simple, but when your network has hundreds or thousands of devices, the main task becomes choosing the points at which to capture traffic and its metadata.
