VyOS Migration: Field Notes

Deployment Timeline

Date        Event
2026-02-26  Project started — DNS records (Phase A) added to BIND
2026-02-27  vyos-02 deployed on kvm-02 — initial configuration
2026-03-01  Zone-based firewall operational, NAT working
2026-03-04  Pre-cutover testing began — parallel with pfSense
2026-03-05  Cutover to VyOS — pfSense removed from forwarding path
2026-03-07  pfSense VM decommissioned — VyOS is sole gateway
2026-03-10  vyos-01 deployed on kvm-01 — VRRP HA active
2026-03-12  VRRP failover tested successfully in both directions

Observations & Gotchas

VyOS Config Commit Model

VyOS uses a Junos-like configure / set / commit model. Key differences from pfSense:

  • Changes are staged in a candidate config and applied atomically on commit; nothing takes effect while you are still typing set lines

  • commit alone does not persist across a reboot: save writes the running config to /config/config.boot (Junos users expect commit to do both)

  • commit-confirm <minutes> applies the change but reverts it automatically unless confirm is run in time; the safety net for firewall, NAT and interface edits made over SSH

  • rollback N reverts to revision N of the commit history (show system commit lists revisions; 0 is the current commit, 1 the one before it) — instant undo

  • compare shows the diff between the candidate and the running config; compare N diffs against an earlier revision

  • The whole configuration is one text file (/config/config.boot), so it diffs and tracks cleanly in git
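As an added illustration (not a session from the original notes), the transcript below walks one change through the full VyOS edit cycle on vyos-02, including the two steps the bullets above only imply: commit-confirm as the safety net when editing a remote gateway, and save to persist. The static route, the 10.99.0.0/24 prefix and the 192.0.2.254 next-hop are placeholders, not values from this deployment.

```vyos
# Added example: one change through the VyOS commit cycle on vyos-02.
# The route and next-hop below are placeholders, not the deployment's real values.
vyos@vyos-02:~$ configure

# Stage a change in the candidate config; nothing is applied yet.
vyos@vyos-02# set protocols static route 10.99.0.0/24 next-hop 192.0.2.254

# Review exactly what commit would change (candidate vs running).
vyos@vyos-02# compare
[edit protocols static]
+route 10.99.0.0/24 {
+    next-hop 192.0.2.254 {
+    }
+}

# Apply, but revert automatically after 5 minutes unless confirmed.
# Use this for firewall, NAT and interface edits made over the network:
# if the change locks you out, the box undoes it by itself.
vyos@vyos-02# commit-confirm 5

# ...test from a client (SSH still reachable? new subnet routed?), then:
vyos@vyos-02# confirm

# commit only changed the running config; save writes /config/config.boot.
vyos@vyos-02# save

# Undo path for later: list revisions, diff against one, roll back to it.
vyos@vyos-02# run show system commit
vyos@vyos-02# compare 1
vyos@vyos-02# rollback 1
vyos@vyos-02# exit
```

The habit that matters: commit-confirm, verify, confirm, save. Forgetting the last step is the classic way to lose a working firewall change at the next reboot.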

VRRP Failover Behavior

During failover testing, observed:

  • Failover time: under 2 seconds. This was a controlled failover (VRRP service stopped on the master), which lets the master announce its departure with a priority-0 advertisement so the backup takes over at once. An unannounced failure (VM crash, host loss) is detected only after the master-down interval, roughly three times the advertisement interval, so about 3 seconds with the default 1-second interval; that case is worth measuring separately

  • conntrack-sync kept existing TCP sessions alive through failover: established flows continued on the new master instead of being dropped as unknown by the stateful firewall

  • Failback to the original master after systemctl start vrrp on it was immediate

  • No packet loss observed during controlled failover
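For reference, an added example (not the deployment's actual config) of the two-node VRRP pair with conntrack-sync that the observations above describe, in VyOS 1.4 syntax (1.3 spells the virtual IP as virtual-address instead of address). Interface names, addresses, VRIDs, priorities and the sync link are assumptions; vyos-01 is taken as the preferred master.

```vyos
# Added example: VRRP pair with conntrack-sync, VyOS 1.4 syntax.
# Interfaces, addresses, VRIDs and priorities are assumptions, not real values.

# --- on vyos-01 (assumed preferred master) ---
# One VRRP group per side so LAN and WAN VIPs always live on the same node.
set high-availability vrrp group LAN interface 'eth1'
set high-availability vrrp group LAN vrid '10'
set high-availability vrrp group LAN address '192.0.2.1/24'
set high-availability vrrp group LAN priority '200'
set high-availability vrrp group LAN advertise-interval '1'
set high-availability vrrp group LAN preempt-delay '30'

set high-availability vrrp group WAN interface 'eth0'
set high-availability vrrp group WAN vrid '11'
set high-availability vrrp group WAN address '203.0.113.1/24'
set high-availability vrrp group WAN priority '200'
set high-availability vrrp group WAN advertise-interval '1'
set high-availability vrrp group WAN preempt-delay '30'

# The sync-group fails both sides over together; conntrack-sync requires it.
set high-availability vrrp sync-group HA member 'LAN'
set high-availability vrrp sync-group HA member 'WAN'

# Replicate the conntrack table over a dedicated link (eth2 here) so
# established flows survive failover instead of hitting the firewall as new.
set service conntrack-sync failover-mechanism vrrp sync-group 'HA'
set service conntrack-sync interface 'eth2'
set service conntrack-sync mcast-group '225.0.0.50'
set service conntrack-sync accept-protocol 'tcp,udp,icmp'
set service conntrack-sync disable-external-cache

commit
save

# --- on vyos-02 (backup): identical, except lower priorities ---
set high-availability vrrp group LAN priority '100'
set high-availability vrrp group WAN priority '100'
```

Check state with show vrrp and show conntrack-sync statistics on both nodes. The preempt-delay keeps a rebooting master from grabbing the VIP back before its own routing and conntrack state are warm. When repeating the failover test, also try an uncontrolled failure (destroy the master VM or cut its interface on the hypervisor), since only that path exercises the master-down interval rather than the graceful priority-0 announcement.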

pfSense Decommission Notes

The pfSense VM was shut down on 2026-03-07 after roughly a week of stable VyOS operation, the last two days of it with VyOS as the sole forwarding path. The VM image was preserved on the NAS for emergency recovery but has not been needed.

Scope Creep & Backlog

Priority  Item                        Notes
P1        Suricata IDS (C.2)          Deferred — need to evaluate VyOS Suricata integration vs standalone
P2        node_exporter (C.3)         Would enable Prometheus scraping of VyOS metrics
P2        Git config tracking (C.6)   Automatic commit of config.boot changes to git
P2        VLAN segmentation (F.4)     Move VMs from flat VLAN 100 to security/services VLANs
P3        API access (C.5)            VyOS HTTP API for automation
P3        WLC HA (F.5)                Nice-to-have, not critical for home lab scale