What Zenarmor Does
Zenarmor (formerly Sensei) is a Layer 7 application firewall plugin for OPNsense. It uses deep packet inspection to classify traffic by application (YouTube, Netflix, Office 365, social media) and lets you create policies based on application categories. It also provides web filtering, ad blocking, and basic threat intelligence feeds.
Zenarmor is designed for outbound traffic management: controlling what users on your network can access. It is primarily an enterprise/education tool for bandwidth management and compliance.
What Flowtriq Does
Flowtriq detects inbound volumetric DDoS attacks. It monitors traffic rates, builds dynamic baselines, and triggers when traffic patterns deviate from normal. It classifies attack types (SYN flood, UDP amplification, etc.) and deploys automated mitigation ranging from on-server firewall rules to BGP FlowSpec and cloud scrubbing.
Why They Are Not Competing Products
Capability Zenarmor Flowtriq --------------------------------------------------- Application filtering Yes No Web content blocking Yes No DDoS flood detection No Yes Dynamic baselines No Yes BGP FlowSpec No Yes PCAP forensics No Yes Upstream scrubbing No Yes Attack classification No Yes Outbound control Yes No Inbound detection Limited Yes
Zenarmor inspects traffic at the application layer on your OPNsense firewall. Flowtriq monitors traffic at the volume/rate level on your servers. Zenarmor is about controlling what your users access. Flowtriq is about detecting when your infrastructure is under attack.
Using Both Together
The ideal setup for an OPNsense-based network:
Internet
|
v
OPNsense (Zenarmor)
| - Application filtering
| - Web content policies
| - Threat intelligence feeds
| - NetFlow export to Flowtriq
v
Your Servers (ftagent)
| - DDoS detection
| - Traffic baselines
| - Automated firewall rules
| - Incident forensics
OPNsense can also export NetFlow data to Flowtriq for network-level visibility. Configure NetFlow export in Reporting > NetFlow and point it at your Flowtriq flow source. This gives Flowtriq visibility into traffic patterns at the firewall level in addition to server-level kernel counters.
Why Zenarmor Alone Is Not DDoS Protection
Zenarmor's DPI engine inspects packets one at a time. During a volumetric DDoS attack (hundreds of thousands of packets per second), the DPI pipeline becomes a bottleneck. The OPNsense firewall CPU maxes out trying to classify flood traffic that does not need classification. It just needs to be dropped.
Zenarmor also lacks the key capabilities needed for DDoS response:
- No dynamic baselines: It does not learn what normal traffic looks like for your network and flag deviations.
- No upstream mitigation: It cannot trigger BGP FlowSpec or cloud scrubbing when your WAN link saturates.
- No attack classification: It does not identify attack type, calculate confidence, or produce forensic reports.
- No multi-node visibility: If you run servers behind multiple OPNsense firewalls, there is no centralized view.
This is not a criticism of Zenarmor. It was not built for DDoS detection. It is an application firewall, and it does that job well.
FAQ
Can I run ftagent on OPNsense?
OPNsense runs FreeBSD, and ftagent requires Linux. Export NetFlow from OPNsense and install ftagent on the Linux servers behind the firewall. See the OPNsense DDoS protection guide.
Is Zenarmor free?
Zenarmor has a free tier with limited features and paid plans for full application visibility. Flowtriq offers a 14-day free trial with all features at $9.99/node/month after.
What about OPNsense's built-in IDS (Suricata)?
OPNsense includes Suricata as a built-in IDS option. The same considerations from our pfSense Suricata comparison apply: Suricata is signature-based IDS, not volumetric DDoS detection.
Add DDoS detection to your OPNsense network. Keep Zenarmor for application control, add Flowtriq for volumetric detection. Start your free 14-day trial.