OPNsense
Installation on OPNsense
- Requirements
- Adding Repository for Netify vs Command Line
- OPNsense 24.7 - Thriving Tiger
- OPNsense 24.1 - Savvy Shark
- OPNsense 23.7 - Restless Roadrunner
- Post Installation
- Netify Informatics
- Next Steps
Requirements
OPNsense is an open-source, easy-to-use and feature-rich firewall and routing platform that is based on FreeBSD. It is designed to provide a robust and secure network infrastructure by offering a range of networking and security features. OPNsense is often used as a firewall, router, and VPN (Virtual Private Network) gateway, making it suitable for both home and business environments.
At the time of writing, Netify is installed from the command line; it is not integrated with OPNsense's web-based administration tool. Installing Netify on OPNsense provides administrators with a 'single pane of glass' when used with Netify Informatics.
As a dedicated gateway distribution, it is no surprise that two or more network interfaces are required:
- LAN Interface: client devices connecting to the internal network. This is the ideal interface for Netify to listen on, as it provides flow analysis at client device resolution (e.g. Apple iPhone 14 did X).
- WAN Interface: used to connect upstream to the ISP. Admins may choose to monitor on this interface, however, it's not always that interesting as most of the data is duplicated with "North/South" bound traffic from the LAN.
You will also need to know which version of OPNsense you are running in order to access the correct binaries. If you're not sure, use the opnsense-version command:
opnsense-version
OPNsense 23.7.12 (amd64/LibreSSL)
Adding the Netify Repository vs Command Line
Adding the Netify repository to your OPNsense server has three main advantages:
- Automatically resolves and installs dependencies
- Increases security through the use of signed packages
- Allows for auto or simplified updates in the future
OPNsense 24.7 - Thriving Tiger
Adding Netify Repository
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/opnsense/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF > /usr/local/etc/pkg/repos/Netify.conf
Netify: {
fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
url: "https://download.netify.ai/5/opnsense/24.7",
signature_type: "fingerprints",
mirror_type: "http",
priority: 11,
enabled: yes
}
EOF
pkg update
After executing this command, you should see:
Updating Netify repository catalogue...
Netify repository is up to date.
..
.
All repositories are up to date.
You can now install the agent with this command:
pkg install netifyd
Command Line Installation
pkg add https://download.netify.ai/5/opnsense/24.7/amd64/netifyd-5.0.44-1.pkg
OPNsense 24.1 - Savvy Shark
Adding Netify Repository
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/opnsense/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF > /usr/local/etc/pkg/repos/Netify.conf
Netify: {
fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
url: "https://download.netify.ai/5/opnsense/24.1",
signature_type: "fingerprints",
mirror_type: "http",
priority: 11,
enabled: yes
}
EOF
pkg update
After executing this command, you should see:
Updating Netify repository catalogue...
Netify repository is up to date.
..
.
All repositories are up to date.
You can now install the agent with this command:
pkg install netifyd
Command Line Installation
pkg add https://download.netify.ai/5/opnsense/24.1/amd64/netifyd-5.0.44-1.pkg
OPNsense 23.7 - Restless Roadrunner
Adding Netify Repository
mkdir -p /usr/local/etc/pkg/fingerprints/Netify/trusted
curl https://download.netify.ai/5/freebsd/fingerprint -o /usr/local/etc/pkg/fingerprints/Netify/trusted/fingerprint
cat << EOF > /usr/local/etc/pkg/repos/Netify.conf
Netify: {
fingerprints: "/usr/local/etc/pkg/fingerprints/Netify",
url: "https://download.netify.ai/5/freebsd/13.2",
signature_type: "fingerprints",
mirror_type: "http",
priority: 11,
enabled: yes
}
EOF
pkg update
After executing this command, you should see:
Updating Netify repository catalogue...
Netify repository is up to date.
..
.
All repositories are up to date.
You can now install the agent with this command:
pkg install netifyd
Command Line Installation
pkg add https://download.netify.ai/5/opnsense/13.2/amd64/netifyd-5.0.44.pkg
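The three per-release procedures above differ only in the repository and fingerprint paths. The following added example (not Netify's own tooling; the function names are hypothetical) maps the opnsense-version output to the repository path used on this page, then checks that Netify.conf still enforces fingerprint signature checking against the expected HTTPS URL and that the trusted fingerprint file has the sha256 form pkg expects.

```shell
#!/bin/sh
# Added example, not Netify's own tooling; function names are hypothetical.

# "OPNsense 23.7.12 (amd64/LibreSSL)" -> "23.7"
opnsense_series() {
    printf '%s\n' "$1" |
        sed -n 's/^OPNsense \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Map a release series to the repository path this page uses for it.
netify_repo_path() {
    case "$1" in
        24.7|24.1) echo "opnsense/$1" ;;
        23.7)      echo "freebsd/13.2" ;;
        *)         echo "unsupported series: $1" >&2; return 1 ;;
    esac
}

# Read one key from a file laid out one "key: value" per line, as above.
conf_value() {   # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\"\{0,1\}\([^\",]*\)\"\{0,1\},\{0,1\}[[:space:]]*\$/\1/p" "$1" |
        head -n 1
}

# Print one line per problem; non-zero status if the repo file would let
# unsigned packages in or points somewhere other than the expected URL.
audit_repo_conf() {   # $1 = Netify.conf, $2 = expected repo path
    rc=0
    [ "$(conf_value "$1" signature_type)" = "fingerprints" ] ||
        { echo "signature_type is not fingerprints"; rc=1; }
    [ -n "$(conf_value "$1" fingerprints)" ] ||
        { echo "no fingerprints directory set"; rc=1; }
    [ "$(conf_value "$1" url)" = "https://download.netify.ai/5/$2" ] ||
        { echo "url is not https://download.netify.ai/5/$2"; rc=1; }
    return "$rc"
}

# A trusted fingerprint file must name sha256 and hold a 64-hex digest.
fingerprint_ok() {   # $1 = .../Netify/trusted/fingerprint
    [ "$(conf_value "$1" function)" = "sha256" ] &&
        conf_value "$1" fingerprint | grep -Eq '^[0-9a-fA-F]{64}$'
}

# Demo on the version string shown earlier on this page.
series=$(opnsense_series "OPNsense 23.7.12 (amd64/LibreSSL)")
echo "series $series -> repo path $(netify_repo_path "$series")"
# On the firewall itself:
#   audit_repo_conf /usr/local/etc/pkg/repos/Netify.conf \
#       "$(netify_repo_path "$(opnsense_series "$(opnsense-version)")")"
```

The fingerprint is downloaded from the same host as the packages, so fingerprint_ok only confirms the file is well-formed; comparing its digest with a value obtained through a separate channel is what ties it to the publisher.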
Post Installation
After installing the agent, verify the installation and some path information using the -s (status) argument.
netifyd -s
Netify Agent/5.0.44-1-HEAD-nnnn-aaaaaaaa (debian; linux-gnu; x86_64; conntrack; netlink; dns-cache; tpv3; tcmalloc; regex)
✗ agent is not running: PID 0
• persistent state path: /etc/netifyd
• volatile state path: /var/run/netifyd
! agent run-time status could not be determined.
Netify Informatics
Netify Informatics is an optional, cloud-based, SaaS service. It uses analytics and Machine Learning to transform telemetry originating from the Netify DPI Agent into high-level network intelligence and visibility. The solution provides insights into what's happening on the network in areas that include:
- Device Identification and Management
- Cybersecurity Risk
- Forensics
- Regulatory Compliance
In addition to the Netify agent being installed, two plugins are required: netify-proc-core and netify-sink-http.
If you installed the agent by configuring a Netify software repository, simply run:
pkg update
pkg install netify-proc-core netify-sink-http
If you installed the agent manually, you will also need to install the plugin packages manually.
Once the plugins have been installed, run the following two commands:
netifyd --enable-informatics
netifyd -p
The first command enables and auto-configures the two plugins that were installed and restarts the Netify agent. The second command displays your Netify Agent UUID (in the form xx-xx-xx-xx), which you will need when you provision the agent to your Netify Informatics account.
netifyd command with the --enable-informatics option will result in a Provision code not found error during the provisioning wizard.