VyOS HA Firewall

VRRP pair (vyos-01/02), replaced pfSense 2026-03-07

← INFRASTRUCTURE | Portfolio Index

Category

INFRASTRUCTURE

Status

Complete

Premise

High availability gateway with BGP readiness for k3s integration

Goals

  • VRRP failover < 3 seconds

  • BGP peering with Cilium (AS 65000/65001)

  • Stateful firewall with zone-based policies

Current State

Production - VRRP operational, DNS forwarding active

Next Steps

  • Add BGP peering when k3s HA deployed

  • Enable NetFlow export to Wazuh

Related Documentation

Architecture Notes

Draw VRRP topology: vyos-01 (MASTER) ↔ vyos-02 (BACKUP)

Notes