Anybody looking at this as a chance to evaluate other options for routing/firewalling should consider vyos. It's linux based and CLI-only, but very straightforward, extremely fast, highly configurable, and lightweight. https://vyos.io/
Another option to consider if you want a GUI and less of the "industrialness" of vyos is openwrt. It's geared more towards firmware replacement of home routers, but there's an x86 build available and it works just fine. Also linux based. https://openwrt.org/
OPNsense I have no idea about. The GUI looks decent but I've heard people have a beef with them for allegedly "stealing" code from PfSense. (no idea if it's true and they're in violation of some code license or if it's the usual opensource "distro fanboyism", and frankly, I'd rather not get into that discussion).
Personally, I use openwrt on my "consumer" routers (and APs), and have recently switched my main router to a vyos VM (because my Internet connection got upgraded to beyond what my reflashed consumer routers could handle.)
Have you taken a look at VyOS?
It's an open-source Linux-based routing/firewall. (It's Debian under the hood).
I have been playing around with it for some time, and looking to move some of my pfSense boxes to it. (Unrelated to these recent Netgate changes, this was just for my own fun/learning).
This is a pretty good guide to getting started:
https://blog.kroy.io/2020/05/04/vyos-from-scratch-edition-1/
(Or read the official VyOS docs)
Well, here is a good place to start for an all in one home made 10G firewall / router / DHCP / NAT / switch solution:
https://www.youtube.com/watch?v=p39mFz7ORco
Granted, the overall project won't be cheap but it won't be $4K either. As of this post, prices for the Chelsio dual port NICs on eBay start at $63 and the Supermicro motherboard is $390 new at Amazon, the two most expensive parts of the build if you were to use the same hardware as used in the video.
This would be perfect for anything within the network rack that could take advantage of 10G speeds and 1G to the rest of the house.
More info on VyOS here:
This is not a simple turn key solution but it can be done for considerably less money as demonstrated above if you are willing to roll up your sleeves and dig in and learn on your own.
OP, +1 for FreeBSD. I'm getting hands on experience with it, and am really liking what I'm seeing. For the "vmbox" are you using Bhyve, Jails, or something else?
Also, I'd recommend adding the following to the list of options for replacing DD-WRT:
I've used both VyOS and OpenWRT for home. VyOS was really rock solid and something I would definitely use in a more professional environment, but OpenWRT has so much potential, especially since it does a really good job with Cake sqm/qos and the latest releases support Docker. OpenWRT has been my go to for deploying x86 wireguard servers and small routers using the Nano Pi R4S. VyOS may seem rudimentary in comparison but I was pretty happy with it when I was using it, especially once DHCPv6-PD support was released for it.
I always keep an eye on the VyOS roadmap: https://vyos.io/roadmap/. There are a lot of promising features planned. I'm currently waiting on the IDS/IPS Integration, DNS Firewall, and Cake/FQ-PIE. It looks like the GUI is under development, but it's in its pretty early stages; hopefully they're aiming for a modular-based design like OpenWRT so 3rd party applications can integrate without modifying the original GUI code.
I've also always considered the real-life performance complaints about Realtek to be based on mostly anecdotes and hearsay. I'm sure people have problems with them, but they definitely aren't unusable levels of problematic. To add my bit of anecdotal evidence to the pile, Realtek is fine - every modern Realtek setup I've tested performs at its advertised throughput and has never caused me any issues.
As for pfsense itself, I love BSD as a system (I think BSD is superior to Linux for many reasons except for mainstream rate of adoption), but for my routing/firewalling needs, I've noticed that pfsense just doesn't perform as well as linux based systems in terms of throughput (with firewall rules in place). It's why I've personally switched to VyOS for my routing/firewalling needs.
Highly recommend checking it out - it's insanely powerful (and FAST!). CLI-only, but what homelabber can call themselves a homelabber while being afraid of learning a text-based interface? https://vyos.io/
>How can I make the 2 NICs act as 2 separate ports on a conventional switch would?
I've been in your situation---you're looking to extend the vSwitch bridge out to the physical NICs, but unfortunately ESXi just doesn't work like that. There's a lot of reasons that it doesn't, and most of them are along the lines of "because computers normally don't behave like switches" or "because switching packets with x86 CPUs is extremely resource intensive."
What you'll need to do is create two vswitches, assign a NIC to each one, and then connect something like a VyOS VM to both vSwitches. Or use PCI Passthrough to put the 10G NIC into the VyOS VM, give it a vmxnet3 NIC attached to your regular vSwitch... something like that.
If VyOS is too tough to configure, you can do bridging like this in pfSense too, but I never got it to work right under full load.
The other option is vyos. EdgeOS is UBNT's commercial variant of Vyos (well technically, they're both forks of a prior OS called Vyatta). EdgeOS adds the web interface and some improvements around IPv6. I have an atom-based dual-gbic pc running Vyos and it's awesome. Doing iperf tests, I can get line speed.
I migrated to Vyos from pfsense. My reasons for moving are that I've never really been able to upgrade pfsense across major versions without something bad happening. I end up having to roll back, write down/screenshot all my rules, and then re-build pfsense on a new version, then re-enter all my firewall rules.
The web interface for pfsense is probably one of the best ones out there. But unless you want to essentially write a php program, it doesn't have a nice command line to input rules. I basically have 4 vlans: public, home, guest, lab. I have a set of firewall rules for each. I only let certain traffic between my lab and the home, and guest is even more restrictive. Entering all those rules all the time sucks. But with VyOS and EdgeOS, it's just a text file for the entire config.
I do have an edgerouter, but I haven't set it up yet. I'd like to try switching over to it because it will work with IPv6 PD, which is what Comcast supplies. There are just enough differences between vyos and edgeos that I can't simply copy my config over. I think once I get the basic vlan, dhcp, and routing setup, I'll be able to just drop in the firewall rules. But I need to somehow schedule a maintenance window with the family to do so. Wife is home all day doing college work, and in the evening, the son watches Paw Patrol on Plex, which crosses the vlan into the lab.
> I'm a software engineer
me too.
> ... vs. Ubiquiti Edge Router Lite
DIY costs a bit more, but is a lot more performant and versatile. i.e. you can run plex in one VM on your DIY machine, and plex in another, and you'll still be able to traffic shape and IPsec at gigabit rates.
EdgeOS is a fork of Vyatta from before Vyatta was bought by Brocade. Another fork is Vyos. All of them are basically Debian + JUNOS-ish IOS-ish looking configuration CLI. Key feature it gives you is snapshots of configurations after every edit that contain everything.
You don't need EdgeOS to do routing or shaping or vpn or anything really, all can be done using just regular linux. It's really just about configuration management. You could just backup your router VM (Debian, Ubuntu, Arch, whatever) and you'd get the same thing.
edgerouter-lite or even edgerouter-x are cheaper and smaller than a nuc or some thin client box. I'd recommend you go with a thin client box, unless you already have an always on machine at home.
Probably, especially for troubleshooting and learning practical issues like cabling.
I bought a couple of SRX100 firewalls new (they were cheap!) and a couple of old Cisco switches and routers. There are failure modes in the physical world that you just don't see in simulations, like partially-inserted cables - trust me, you'll run into this sooner or later. The more I think about it, the more I see the value of physical lab gear as being what it teaches you about the practical and troubleshooting side of things, like how you realise that the unexpected result you just got is because this cable was plugged into the wrong socket - sounds dumb, but it's another real-world screwup that you _will_ run into eventually.
But for learning the protocols themselves? Virtualisation's gotten pretty good these days. GNS3 is another option in this space. Then there's https://vyos.io/ for something not too far removed from the Junos experience.
Yup, EdgeOS is basically the same on all of them.
You can also play around with VyOS. It's not exactly the same, but it's based on the same Vyatta OS that EdgeOS was forked from.
I separate my traffic using a vyos virtual router. My primary router, connected to the cable modem, routes traffic based on static routing I set up. When inbound public traffic traverses my primary network (10.0.0.X) and hands it off to my virtual router "public" network (192.168.147.X), it cannot touch the rest of my network.
Check it out - https://vyos.io/
Check out VyOS, formerly Vyatta, for a great little virtual appliance. Nice feature set and you should be able to do IPsec on it. Intuitive with a JunOS feel to the CLI. I love them. https://vyos.io/
Know you said no new hardware/VMs, but if BSD isn't your cup of tea, I would be remiss if I didn't show you VyOS.
Linux router OS with a heavy focus on command line for config/admin. Seems they spend a LOT of time making the command line a breeze to use for configuring (pfSense feels the opposite, almost always easier to use the WebUI).
Both home labbers, small business and big enterprise will use VMs for a majority (if not entirety) of their infrastructure, so you're good on that front. A server is just a greater resource provisioned in suitable form factor (at its most basic level).
As /u/CBRjack and /u/damiankw have already identified there are a few options available to you, with VirtualBox and Hyper-V costing you nothing. It's worth noting that Hyper-V may be a better option if you start on a client machine and want to migrate to a server instance of Hyper-V further down the track without rebuilding your VMs; paying a bit of coin for Workstation if the intent is to migrate to ESXi later.
GNS3 is a network emulator you may be interested in looking at as well. It's not functional like VyOS which is an entire network operating system, but used by professionals for certification and solution design and doesn't have massive resource requirements.
As far as projects are concerned:
I spent a LONG time trying to get Routing working on a Windows VM for a lab setup, but eventually decided it was too complicated for a simple LAN setup.
Instead I started using VyOS (free and open source) as my virtual LAN router in my lab environments. It's surprisingly easy to use and very lightweight. Unless you're setting up direct access the Windows Routing role is probably overkill.
Completely free, no Cisco licenses needed! Done using VyOS, Ubuntu and Cumulus RoH. Hope you like it!
You could use another VLAN, configure it on the existing vSwitches and run the SVI and access-list that would govern the network on the Cisco Catalyst switches. Alternatively you could download a free virtual router to separate the networks: https://vyos.io
Hello, check out VyOS. It currently doesn't have VRF but it fits perfectly for most IaaS. Just check yourself. It's free and open source, so possibly can save some money for other things.
You can grab VyOS for example. We served like 400mb/s of VoIP on virtualized systems. For HA, you can make a VRRP pair; if you want to go with physical, you may use some SuperMicro 1U supertwin and have VRRP between physical nodes, just make sure you put Intel NICs in.
We (at /r/sentrium) are also providing commercial support for VyOS i
To separate traffic from your main network, you will need to create a new VLAN or broadcast domain on your network. This means you will need to configure the ports on your switch to carry VLAN tagged traffic from one node to the next. If your switches do not support VLAN traffic (unmanaged switches), then you will need to use a separate physical switch and separate physical uplinks per host to the new switch, each attached to a new vSwitch or DvSwitch on your hosts. If you're talking about a single host, then you don't need to worry about switching at all, just create a new vSwitch or DvSwitch with no uplinks on your single host.
Then, if you want the VMs on this network to have internet access, you will need to create or connect a router to the new network. The router can be a physical router attached to the switch, and tagged on the same VLAN as the new network. Or, you can deploy a VM. In both cases, the router will need two interfaces. One interface in the main network that can reach your router at 192.168.0.1, and one interface within the new network that VMs can use as their gateway. I suggest something like pfSense or VyOS. Also, you can even add an interface or virtual interface to your existing router if it supports VLAN tagging.
Good luck!
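The four-VLAN text-file config and the two-interface router VM with a 192.168.0.1 upstream gateway described in the comments above, written out as an added example (not taken from any commenter or from the VyOS project). It assumes VyOS 1.3-style syntax, that eth0 faces the existing main network and eth1 is a trunk, and uses constructed addresses, three VLANs (home, guest, lab) and Plex's default TCP port 32400 for the one home-to-lab flow that is allowed:

```vyos
# Added example, VyOS 1.3-style configuration-mode session (assumed syntax).
# eth0 sits on the existing main network; eth1 carries VLANs 10/20/30.
configure

# Interface on the main network, default route via the existing router
set interfaces ethernet eth0 address '192.168.0.2/24'
set interfaces ethernet eth0 description 'UPLINK main network'
set protocols static route 0.0.0.0/0 next-hop '192.168.0.1'

# VLAN sub-interfaces; each address is the gateway for that segment
set interfaces ethernet eth1 description 'TRUNK'
set interfaces ethernet eth1 vif 10 address '10.0.10.1/24'
set interfaces ethernet eth1 vif 10 description 'HOME'
set interfaces ethernet eth1 vif 20 address '10.0.20.1/24'
set interfaces ethernet eth1 vif 20 description 'GUEST'
set interfaces ethernet eth1 vif 30 address '10.0.30.1/24'
set interfaces ethernet eth1 vif 30 description 'LAB'

# Source NAT so the new segments reach the internet via the main network
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '10.0.0.0/16'
set nat source rule 100 translation address 'masquerade'

# All private ranges in one group, so the isolation rules stay short
set firewall group network-group RFC1918 network '10.0.0.0/8'
set firewall group network-group RFC1918 network '172.16.0.0/12'
set firewall group network-group RFC1918 network '192.168.0.0/16'

# HOME-IN filters traffic that enters the router FROM home hosts:
# replies, Plex into the lab, nothing else private, internet allowed
set firewall name HOME-IN default-action 'drop'
set firewall name HOME-IN enable-default-log
set firewall name HOME-IN rule 10 action 'accept'
set firewall name HOME-IN rule 10 state established 'enable'
set firewall name HOME-IN rule 10 state related 'enable'
set firewall name HOME-IN rule 20 action 'accept'
set firewall name HOME-IN rule 20 description 'Plex client -> lab server'
set firewall name HOME-IN rule 20 protocol 'tcp'
set firewall name HOME-IN rule 20 destination address '10.0.30.0/24'
set firewall name HOME-IN rule 20 destination port '32400'
set firewall name HOME-IN rule 30 action 'drop'
set firewall name HOME-IN rule 30 description 'no other internal reach'
set firewall name HOME-IN rule 30 destination group network-group 'RFC1918'
set firewall name HOME-IN rule 40 action 'accept'

# ISOLATED-IN is shared by guest and lab: replies and internet only,
# so lab hosts can answer Plex but never initiate towards home or guest
set firewall name ISOLATED-IN default-action 'drop'
set firewall name ISOLATED-IN enable-default-log
set firewall name ISOLATED-IN rule 10 action 'accept'
set firewall name ISOLATED-IN rule 10 state established 'enable'
set firewall name ISOLATED-IN rule 10 state related 'enable'
set firewall name ISOLATED-IN rule 20 action 'drop'
set firewall name ISOLATED-IN rule 20 destination group network-group 'RFC1918'
set firewall name ISOLATED-IN rule 30 action 'accept'

# Attach the rulesets to the VLAN interfaces (direction: into the router)
set interfaces ethernet eth1 vif 10 firewall in name 'HOME-IN'
set interfaces ethernet eth1 vif 20 firewall in name 'ISOLATED-IN'
set interfaces ethernet eth1 vif 30 firewall in name 'ISOLATED-IN'

# Review the diff, apply with an automatic rollback window, then persist.
# If you lock yourself out, the config reverts when the timer expires.
compare
commit-confirm 5
confirm
save
exit
```

Because every rule lives in the saved text file, the resulting `/config/config.boot` can be diffed and versioned like any other config, which is the point the comments above make about VyOS versus re-entering GUI rules.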
Indeed they do! https://vyos.io/subscriptions/support/
I don't blame you re: the one throat to choke. But at my footprint, it does not matter much. If I had 50 cabinets or an otherwise more expansive footprint, then one vendor makes sense
Is this for home use or for a small business?
Is the 10-second gap actually causing inconvenience, or is it more of a project type scenario where you are curious to see how fast you can make the failover before it starts responding to minor blips?
The failover would only be unnoticeable in a scenario where you are streaming something or any other usage that isn't session-based, because if it's not, the 10 seconds become irrelevant.
If you become really obsessed with shaving seconds out of this type of stuff (no judgement, I understand the need to dig deeper), then look into Vyos, it's as close to the metal as I think you'll get without delving into some pretty complex carrier-grade stuff.
Mmmm, the only thing similar to IP inside another IP is GRE. GRE is another unencrypted tunnelling protocol.
Even in these cases, after setting up the GRE tunnel, IPsec is used to encrypt stuff...
The specific tunnelling protocol is anyway GRE.
https://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html
Have a look at VyOS, an open source operating system that is very huge at networking (you can do GRE, IPsec and all the other stuff).
https://vyos.io/ this is even available on public cloud providers
I use VyOS. It's free, available as an OVF, has a Juniper-like CLI and is well supported by Ansible.
See https://vyos.io and r/VyOS.
If you particularly like Cisco the CSR1000V is free but with limited throughput.
I share your same thoughts and troubles. Let's not forget the various ethical controversies surrounding Robert Pera. Inspiration for your next post?
My homelab is pretty simple. Two houses, a site-to-site VPN, and a cloud controller. However, one site is behind a CGNAT. I had to write a custom config.gateway.json file to get this working with wireguard-vyatta-ubnt. Absolutely no official support from Ubiquiti there. This is also how I, too, discovered DDNS is not functional. Additionally, the wireguard Debian package is removed each time the cloud controller provisions my USG. I have resorted to opening the Debug Terminal of a UniFi Switch to rescue the USG.
You mentioned Juniper. Is there another hardware vendor based on Vyatta? I have spent time with VyOS and found it much more stable than UBNT. The project is limited to a router appliance at this time.
There is an open-source option called VyOS which is a fork of Vyatta vRouter. The Ubiquiti Edgerouter and UniFi USG are a fork from Vyatta vRouter as well if I remember it correctly.
VyOS is an Enterprise-grade router/firewall. However, it is CLI only, but if you are familiar with Cisco and Juniper, you will feel at home.
I misread this page: https://vyos.io/subscriptions/
In the free subscription, I read 'security fixes & workarounds' instead of 'security hotfixes & workarounds'. I'll take a look but I'm set on using something that's already built, no need for added complexity at home.
The only trusted version is from vyos.io or from their git repo.
I recommend looking at their build instructions, they provide a docker container to perform the build that makes it pretty easy to do.
If you don't feel well with security - learn it. Just buy some used Cisco CCNA Security and read it.
You should also focus on network automation and virtualization. For the first, just try to develop a few Ansible scripts and learn how to store them on GitHub. For virtualization, just try to install VirtualBox on your PC and try to deploy some virtual routers (like https://vyos.io/) and make a small virtual network.
Thanks for the inputs/feedbacks everybody.
It looks like my undertaking remains wishful thinking. I will therefore likely stick to https://vyos.io/ and ubiquiti products for the time being as the first one is open source and the latter are affordable.
Edit: Managed to get a cheap 30E and will evaluate further from there and keep vyos and ubiquiti as alternatives.
I'd like to note that EdgeOS is actually a fork of the now "dead" (closed after the Brocade purchase, then gobbled by AT&T) distro known as Vyatta. Which is where its JunOS-like CLI comes from, with Vyatta itself inheriting it from the XORP project. Vyatta's list of children also includes VyOS, which I make (heavy) use of. Check out https://vyos.io/ if you're interested in something similar to EdgeOS, but unbound from UBNT hardware.
I installed and used Vyos - https://vyos.io/ (Debian) for a few days to exercise these cards before going ahead with my plan and they all performed as advertised.
At first I thought maybe Windows was limited to only 8 network adapters because they did the same thing on a Windows 10 Pro install. So I installed Server 2016 and the same thing. I assume it's not a limitation of how many adapters can be present. The device manager code 43 is a standard code for driver related issues. But I've gone through several drivers now and nothing has changed, which is why I think it's something I don't know about or I'm overlooking.
If your network has multiple computers, it's generally a good idea to keep the router separate from other servers. (security, less likely to break, need software/configuration updates, run random software, have exploitable software, better upgrade paths, etc).
I still have room in my heart for the $100 EdgeMax Lite. There's a reasonable GUI, but I tend to drop down to their CLI-- which is basically a Linux CLI + Networking CLI. (Standard-ish Linux shell until you enter configure mode). It's organized as a base-image + modifications (unionfs). You can install and run standard Debian MIPS packages on the MIPS
It's built on Vyatta, a Debian/Linux based network OS (basically VyOS, now). It's a bit of an integration of how network-pros configure routers and how Linux users use a command line. (you have both, simultaneously, when in configure mode)
It's a nice little box that runs quiet and doesn't take up much power. SSH access is easy to configure, among other things. You get 3 network ports, plus some hardware accelerated features not usually available in x86. Power usage should be low. The storage is a standard USB key (Opening the case probably voids the warranty, though).
Downsides?
It may look rude, but actually, there are so many variables in this case that it is hard to tell or predict something. Lots of small details of course, but if you treat company=department with some limitation it's possible. VLANs, virtual router per client (I recommend VyOS), some Active Directory magic too. But this is all not out of the box, and kind of "do the needful" in wide scope.