Two New Integrations

Flowtriq now supports two new hardware/appliance integrations: pfSense (via the pfSense-API/pfrest package) and MikroTik RouterOS (via the RouterOS REST API, available since RouterOS v7.1). Both integrations are available on all plans and can be configured from Dashboard > Integrations.

The model for both is the same: when Flowtriq detects an active DDoS attack, attacker IPs are pushed into a firewall alias (pfSense) or address-list (MikroTik). Your existing firewall rules that reference that alias or list immediately start blocking. When the incident resolves, Flowtriq removes those IPs — no stale blocks, no manual cleanup.

Prerequisites: pfSense requires the pfSense-API (pfrest) package installed on your firewall. MikroTik requires RouterOS v7.1 or newer with the REST API enabled. Both require network reachability from Flowtriq's agent to your firewall's management interface.

pfSense Integration

pfSense is one of the most widely deployed open-source firewalls. The pfSense-API package (maintained as pfsense-api / pfrest by Jared Hendrickson) exposes a REST API for managing firewall aliases, rules, and configuration. Flowtriq uses this to maintain a dedicated alias populated with attacker IPs during an active incident.

How it works

  1. Flowtriq creates a firewall alias on your pfSense instance if it does not already exist (default name: flowtriq_blocked).
  2. When an attack starts, Flowtriq adds each high-confidence attacker IP to the alias via the REST API and calls the apply endpoint to commit the change.
  3. When the attack ends, those IPs are removed from the alias and the config is applied again.
  4. Your existing block rule referencing the alias continues to work normally at all times — Flowtriq only manages the alias contents.

Flowtriq uses your existing firewall rules. It does not create or modify rules — only the alias membership. This means you retain full control over what the block rule does: drop, reject, log-and-drop, or anything else your pfSense supports.

Setup: pfSense CE (v1 API)

Step 1

Install the pfSense-API package

SSH into your pfSense firewall and run:

pkg add https://github.com/jaredhendrickson13/pfsense-api/releases/latest/download/pfSense-pkg-API.pkg

Or install via System > Package Manager > Available Packages if you have internet access from the firewall.

Step 2

Generate a Bearer token

Make a POST request to your pfSense instance to get an API token:

curl -sk -X POST https://<pfsense-ip>/api/v1/access_token \
  -H "Content-Type: application/json" \
  -d '{"client_id":"admin","client_token":"<your-password>"}'

Copy the token field from the response. This is your Bearer token for all subsequent API calls.

Step 3

Create a firewall alias and block rule

In pfSense, go to Firewall > Aliases and create a Host-type alias named flowtriq_blocked (or whatever name you prefer). Then create a floating or interface rule that blocks traffic from that alias on your WAN interface. This rule stays in place permanently — Flowtriq only updates the alias contents.

Step 4

Add the integration in Flowtriq

Go to Dashboard > Integrations > Add Integration > pfSense. Enter your pfSense host URL, paste the Bearer token, and set the alias name. Select API version v1 for pfSense CE.

Setup: pfSense Plus (v2 API)

pfSense Plus uses pfrest v2, which has a revised endpoint structure and supports JWT authentication. The configuration is identical in Flowtriq — select v2 from the API version dropdown. Token generation uses the same /api/v2/auth/jwt pattern. Both v1 and v2 use Authorization: Bearer <token>.

Optional: TTL-based cleanup

If you want a safety net in case Flowtriq cannot reach pfSense to clean up, you can set a TTL (in minutes) on the integration. Flowtriq will attempt to remove IPs at incident end regardless, but the TTL ensures stale blocks don't accumulate if the connection is interrupted.

MikroTik RouterOS Integration

MikroTik RouterOS v7.1 introduced a native REST API that exposes the full RouterOS command structure over HTTP. Flowtriq uses this to manage a dedicated address-list — the RouterOS equivalent of a firewall alias. A drop rule referencing that list blocks all matching traffic at line rate via the RouterOS firewall filter.

How it works

  1. When an attack starts, Flowtriq PUTs each attacker IP as a new entry in your address-list (default: flowtriq_blocked) via /rest/ip/firewall/address-list.
  2. Optional timeout: entries can be created with a RouterOS-format timeout (e.g., 1d 00:00:00) so they expire automatically even if Flowtriq can't reach the router.
  3. When the attack ends, Flowtriq GETs all entries in the list, matches them against the attacker IPs, and DELETEs each by its RouterOS .id.
  4. Your existing filter rule referencing the address-list drops matching traffic throughout.
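The add and cleanup steps above, sketched as request planning in Python. This is an added example, not Flowtriq's code: the function names, the mgmt_allow list and the sample GET response are constructed for illustration, and only the endpoint path, the default list name and the timeout format come from this post.

```python
import ipaddress

LIST_NAME = "flowtriq_blocked"             # default list name from the post
BASE = "/rest/ip/firewall/address-list"    # endpoint named in the post

def routeros_timeout(hours):
    """Format whole hours as a RouterOS timeout, e.g. 24 -> '1d 00:00:00'."""
    days, rem = divmod(int(hours), 24)
    return f"{days}d {rem:02d}:00:00" if days else f"{rem:02d}:00:00"

def plan_add(ips, timeout_hours=None, list_name=LIST_NAME):
    """Step 1: one PUT per attacker IP. Malformed input raises ValueError
    before anything is sent to the router."""
    requests = []
    for raw in ips:
        addr = str(ipaddress.ip_address(raw))
        body = {"list": list_name, "address": addr}
        if timeout_hours:
            body["timeout"] = routeros_timeout(timeout_hours)
        requests.append(("PUT", BASE, body))
    return requests

def plan_cleanup(entries, attacker_ips, list_name=LIST_NAME):
    """Step 3: DELETE by .id, but only entries that sit in our list AND match
    an attacker IP. Other lists and operator-added entries are left alone."""
    wanted = {ipaddress.ip_address(ip) for ip in attacker_ips}
    deletes = []
    for entry in entries:
        if entry.get("list") != list_name:
            continue
        try:
            addr = ipaddress.ip_address(entry.get("address", ""))
        except ValueError:
            continue  # subnets or hostnames were not created by plan_add
        if addr in wanted:
            deletes.append(("DELETE", f"{BASE}/{entry['.id']}", None))
    return deletes

# Constructed sample of a GET response (not captured from a real router).
SAMPLE_ENTRIES = [
    {".id": "*1A", "list": "flowtriq_blocked", "address": "198.51.100.7", "timeout": "23:59:10"},
    {".id": "*1B", "list": "flowtriq_blocked", "address": "203.0.113.9"},
    {".id": "*1C", "list": "mgmt_allow", "address": "198.51.100.7"},
    {".id": "*1D", "list": "flowtriq_blocked", "address": "192.0.2.0/24"},
]

if __name__ == "__main__":
    print(plan_add(["198.51.100.7"], timeout_hours=24))
    print(plan_cleanup(SAMPLE_ENTRIES, ["198.51.100.7"]))
```

Scoping the delete to both the list name and the address is what keeps the same IP in an unrelated list (entry *1C in the sample) from being removed during cleanup.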

Prerequisites

The RouterOS REST API requires RouterOS v7.1 or newer. It is disabled by default and must be enabled:

/ip service enable www-ssl

Or enable the plain HTTP REST API (not recommended for production):

/ip service enable www

We strongly recommend using HTTPS. Import a valid certificate or use RouterOS's built-in self-signed cert and enable SSL verification bypass only for internal management networks.

Setup: MikroTik RouterOS

Step 1

Enable the REST API and create a dedicated user

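In RouterOS, create a read/write user for Flowtriq in the full group or in a custom group with a restricted policy. The command below uses full, which grants complete administrative access to the router; a custom group limited to what the REST integration needs is the least-privilege choice: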

/user add name=flowtriq password=<strong-password> group=full

Then enable the HTTPS service if not already active:

/ip service set www-ssl disabled=no

Step 2

Create an address-list and firewall rule

In Winbox or via terminal, create the firewall filter rule that references your address-list. Run this once:

/ip firewall filter add chain=forward \
  src-address-list=flowtriq_blocked \
  action=drop \
  comment="Flowtriq DDoS block" \
  place-before=0

The address-list itself (flowtriq_blocked) will be created automatically when the first attack fires. Or create it manually: IP > Firewall > Address Lists.

Step 3

Verify the REST API is reachable

Test from a machine that can reach your router's management IP:

curl -s -u flowtriq:<password> \
  https://<router-ip>/rest/ip/firewall/address-list

You should receive a JSON array. If you get an SSL error, add -k to skip verification (or import your router cert).

Step 4

Add the integration in Flowtriq

Go to Dashboard > Integrations > Add Integration > MikroTik RouterOS. Enter the router host URL, username, password, address-list name, and an optional timeout in hours. Enable SSL verification if you have a trusted certificate installed.

What Fires When

Both integrations follow the same event model as all other Flowtriq integrations:

  • attack_start — fires when Flowtriq opens a new incident. Attacker IPs (filtered to high-confidence sources) are pushed to the alias/address-list immediately.
  • attack_update — if new attacker IPs are identified during an ongoing incident (e.g., the botnet pivots), those additional IPs are pushed. Existing entries are not touched.
  • attack_end — fires when the incident resolves. All IPs that Flowtriq added are removed from the alias/address-list.

Only IPs that pass Flowtriq's high-confidence filter are pushed — traffic that resembles the attack signature but doesn't meet the confidence threshold is not included. This significantly reduces false positive blocks on legitimate traffic.

Full List of Supported Integrations

With pfSense and MikroTik, the complete list of Flowtriq integrations is now:

  • iptables — push DROP rules directly to the agent host
  • pfSense — manage a firewall alias via the pfSense-API/pfrest REST API (new)
  • MikroTik RouterOS — manage an address-list via the RouterOS REST API (new)
  • Cloudflare, OVH, Hetzner, Vultr, DigitalOcean, AWS, Google Cloud, Azure, Linode/Akamai — cloud firewall lockdown
  • CrowdSec — push ban decisions to your CrowdSec LAPI
  • AbuseIPDB — report attacker IPs to the global threat intel database
  • Generic Webhook — send signed JSON payloads to any HTTP endpoint

All integrations are included on every plan. There is no add-on fee. Configure them from Dashboard > Integrations or read the setup docs at /docs?section=integrations. Need help setting up? Book a free onboarding call.
