DEPLOY-2026-03-07 VyOS HA Migration

1. Executive Summary

Deployment Type: Infrastructure Migration

Problem Statement: Single pfSense firewall/router was a SPOF. Needed HA routing with VRRP for zero-downtime failover.

Solution: Deployed VyOS HA cluster (vyos-01 + vyos-02) with VRRP VIP, replaced pfSense as primary router/firewall/DHCP.

Environment	Production (Home Lab)
Runbook	VyOS Migration Master Runbook
Risk Level	Low (parallel deployment, instant rollback)

Environment

Production (Home Lab)

Runbook

VyOS Migration Master Runbook

Risk Level

Low (parallel deployment, instant rollback)

2. Deployment Information

Field	Value
Deployment Date	2026-03-07
Previous State	pfSense 2.7.2 (single instance, SPOF)
Target State	VyOS 1.4 HA cluster with VRRP
Deployment Window	4 hours (planned), 2 hours (actual)
Rollback Plan	Switch default gateway back to pfSense (10.50.1.1)
Affected Systems	All infrastructure (routing, DHCP, firewall)

Field

Value

Deployment Date

2026-03-07

Previous State

pfSense 2.7.2 (single instance, SPOF)

Target State

VyOS 1.4 HA cluster with VRRP

Deployment Window

4 hours (planned), 2 hours (actual)

Rollback Plan

Switch default gateway back to pfSense (10.50.1.1)

Affected Systems

All infrastructure (routing, DHCP, firewall)

3. Infrastructure Deployed

Component	Primary	Backup
Router/Firewall	vyos-01 (10.50.1.2) on kvm-01	vyos-02 (10.50.1.3) on kvm-02
VRRP VIP	10.50.1.1 (same IP as old pfSense - transparent cutover)
DHCP	vyos-01 (master)	vyos-02 (backup via VRRP)
DNS Forwarding	Points to bind-01/bind-02
Hypervisor Distribution	kvm-01 (primary)	kvm-02 (secondary)

Component

Primary

Backup

Router/Firewall

vyos-01 (10.50.1.2) on kvm-01

vyos-02 (10.50.1.3) on kvm-02

VRRP VIP

10.50.1.1 (same IP as old pfSense - transparent cutover)

DHCP

vyos-01 (master)

vyos-02 (backup via VRRP)

DNS Forwarding

Points to bind-01/bind-02

Hypervisor Distribution

kvm-01 (primary)

kvm-02 (secondary)

4. Migration Sequence

Phase 1-6: VyOS VM deployment on both hypervisors
Phase 7-10: Interface configuration, zones, firewall rules
Phase 11-14: DHCP, DNS forwarding, NAT
Phase 15-16: VRRP HA configuration
Phase 17: Cutover - update DHCP to point gateway to VyOS VIP
Phase 18: pfSense decommission

5. Validation Results

Test	Result	Evidence
VRRP failover	✅ PASS	Killed vyos-01, vyos-02 assumed VIP in <3 seconds
DHCP lease issuance	✅ PASS	New clients received correct gateway/DNS
Outbound NAT	✅ PASS	Internet connectivity from all VLANs
Firewall rules	✅ PASS	Inter-VLAN traffic blocked as expected
DNS resolution	✅ PASS	Internal and external resolution working

Test

Result

Evidence

VRRP failover

✅ PASS

Killed vyos-01, vyos-02 assumed VIP in <3 seconds

DHCP lease issuance

✅ PASS

New clients received correct gateway/DNS

Outbound NAT

✅ PASS

Internet connectivity from all VLANs

Firewall rules

✅ PASS

Inter-VLAN traffic blocked as expected

DNS resolution

✅ PASS

Internal and external resolution working

6. Lessons Learned

Category	Lesson
Planning	Parallel deployment allowed testing without disruption. Kept pfSense running until VyOS validated.
VRRP	Use different VRID per interface. Same VRID on multiple interfaces caused conflicts.
DHCP	VyOS DHCP uses ISC dhcpd config syntax. Migrated pfSense DHCP reservations manually.
Documentation	Master runbook pattern (orchestrator + sub-runbooks) worked well for complex migration.

7. Post-Deployment Status

Item	Status
pfSense	Decommissioned 2026-03-07, VM deleted
VyOS HA	Operational, monitored via Wazuh
BIND DNS	Updated A/PTR records for vyos-01, vyos-02, vyos-vip
Documentation	17-phase runbook in domus-infra-ops

Item

Status

pfSense

Decommissioned 2026-03-07, VM deleted

VyOS HA

Operational, monitored via Wazuh

BIND DNS

Updated A/PTR records for vyos-01, vyos-02, vyos-vip

Documentation

17-phase runbook in domus-infra-ops