(netflow) add egress_only option to ui and netflow setup script. for most downstream interfaces it's a good idea to inspect both traffic going to the firewall (proxy usage for example) as going through it, for wan type interfaces however you don't want to count the traffic going to local for nat processing (no ingress).

src/etc/rc.d/netflow

@@ -40,6 +40,7 @@ status_cmd="${name}_status"
 extra_commands="status"
 
 [ -z "$netflow_enable" ] && netflow_enable="NO"
+[ -z "$netflow_egress_only" ] && netflow_egress_only=""
 
 # setup_interface (interface)
 # - use netgraph + ng_netflow in combination with samplicate to record netflow data and send it to multiple locations
@@ -58,7 +59,16 @@ setup_interface()
         echo "error : interface $interface not found"
         return
     fi
-    echo "setup $interface"
+    # disable ingress (traffic to this host) for selected interfaces
+    # avoids counting traffic going through this firewall double when using nat
+    if [ ! -z "`echo " $netflow_egress_only " | grep " $interface "`" ]; then
+        conf="10"
+        echo "setup $interface [egress only]"
+    else
+        conf="11"
+        echo "setup $interface"
+    fi;
+
     # make sure netgraph is attached
     /usr/local/sbin/ngattach $interface
     # remove earlier setup (if any)
@@ -69,7 +79,7 @@ setup_interface()
        name	$interface:lower netflow_$interface
        connect $interface: netflow_$interface: upper	out$ifIndex
        mkpeer netflow_$interface: ksocket export$nfversion inet/dgram/udp
-       msg netflow_$interface: setconfig {iface=$ifIndex conf=11}
+       msg netflow_$interface: setconfig {iface=$ifIndex conf=$conf}
        msg netflow_$interface:export$nfversion connect inet/$netflow_int_destination
 SEQ
 }

src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/forms/netflow_capture.xml

@@ -7,6 +7,14 @@
         <help><![CDATA[Select interface(s) to enable netflow on.]]></help>
         <hint>Type or select interface.</hint>
     </field>
+    <field>
+        <id>netflow.capture.egress_only</id>
+        <label>Egress only</label>
+        <type>select_multiple</type>
+        <style>tokenize</style>
+        <help><![CDATA[Select interfaces used for wan traffic to avoid counting nat traffic twice]]></help>
+        <hint>Type or select interface.</hint>
+    </field>
     <field>
         <id>netflow.collect.enable</id>
         <label>Capture local</label>

src/opnsense/mvc/app/models/OPNsense/Diagnostics/Netflow.xml

@@ -13,6 +13,14 @@
                     <enable>/^(?!0).*$/</enable>
                 </filters>
             </interfaces>
+            <egress_only type="InterfaceField">
+                <Required>N</Required>
+                <default>wan</default>
+                <multiple>Y</multiple>
+                <filters>
+                    <enable>/^(?!0).*$/</enable>
+                </filters>
+            </egress_only>
             <version type="OptionField">
                 <Required>Y</Required>
                 <default>v9</default>

src/opnsense/service/templates/OPNsense/Netflow/netflow.conf

@@ -11,6 +11,11 @@
   OPNsense.Netflow.capture.targets.strip()
   %}
 netflow_interfaces="{% for interface in OPNsense.Netflow.capture.interfaces.split(',')
+%}{{
+    physical_interface(interface)
+}} {%
+  endfor%}"
+netflow_egress_only="{% for interface in OPNsense.Netflow.capture.egress_only.split(',')
 %}{{
     physical_interface(interface)
 }} {%