VyOS Migration: Reference

Runbook Index

Pre-Migration

Runbook | Description | Phase
--- | --- | ---
pfSense Audit & Backup | Backup pfSense config BEFORE migration | Pre-requisite
kvm-02 Deployment | Deploy kvm-02 hypervisor (if not done) | Pre-requisite
kvm-01 Rocky Rebuild | Rebuild kvm-01 with Rocky Linux (reuse kvm-02 network config) | Phase E (before vyos-01)
kvm-01 Migration Plan | VM redistribution strategy for HA | Phase E

DNS (Phase A + F.3)

Runbook | Description | Phase
--- | --- | ---
BIND Infrastructure Records | 43 A + 43 PTR + 9 CNAME records | Phase A
BIND-02 Secondary Deployment | Deploy bind-02 on kvm-02 with AXFR zone transfers | Phase F.3 (DNS HA)
BIND Quick Ref | Daily BIND operations commands | Reference

HA Deployment (Phase F.3)

Deploy secondary VMs on kvm-02 for HA foundation:

Runbook | Description | Status
--- | --- | ---
BIND-02 Deployment | DNS HA with AXFR zone transfers | COMPLETE
Vault HA Deployment | Vault Raft cluster (vault-01/02/03) | COMPLETE
Keycloak Rebuild | keycloak-01 corrupted, rebuild from scratch | NEXT
FreeIPA HA | Linux auth HA (ipa-02 replica) | PLANNED
AD DC HA | AD replication (home-dc02) | PLANNED
iPSK Manager HA | MySQL replication (ipsk-mgr-02) | PLANNED
ISE HA | PAN HA (ise-01 reconfigure after ise-02 stable) | DEFERRED

Current Single Points of Failure

System | Impact if Down | Mitigation
--- | --- | ---
ISE (ise-02) | All 802.1X stops - wired and wireless auth fails | ise-01 reconfiguration deferred until ise-02 stable
Keycloak | SAML/OIDC SSO broken (ISE admin, Grafana, etc.) | Rebuild priority P3
FreeIPA (ipa-01) | Linux authentication, sudo rules, HBAC | ipa-02 replica planned
AD DC (home-dc01) | Windows auth, Kerberos, GPO | home-dc02 replica planned
iPSK Manager | Self-service PSK portal unavailable | ipsk-mgr-02 with MySQL replication planned

VyOS Configuration (Phases B-F)

Runbook | Description | Phase
--- | --- | ---
VyOS Deployment | Complete VyOS deployment with 20 phases | Phases B-F
VyOS Quick Ref | Daily VyOS operations commands | Reference

Emergency Procedures

Runbook | Description | When to Use
--- | --- | ---
VyOS VLAN Fast-Track | Emergency migration of VLANs 20, 30, 40 to vyos-02 | Rogue DHCP incident, need immediate VLAN cutover
CR-2026-03-04 VyOS DNS | Add vyos-01/02 A/PTR records to BIND | DNS records prerequisite for VyOS deployment

Network Infrastructure

Runbook | Description | Phase
--- | --- | ---
Switch VyOS Integration | VLAN database, trunk ports, IBNS 2.0/C3PL policies for VyOS migration | Pre-cutover (D.1)
WLC VyOS Integration | WLC HA SSO, VLAN mapping, AP groups for VyOS migration | Pre-cutover (D.1)

Post-Migration

Runbook | Description | Phase
--- | --- | ---
pfSense Decommission | Clean up pfSense after VyOS validated | Post-migration

Infrastructure Records

This table shows all DNS records added in Phase A:

Hostname | IP | Category | Status
--- | --- | --- | ---
vyos-01 | 10.50.1.2 | VyOS HA (MASTER) | Active
vyos-02 | 10.50.1.3 | VyOS HA (BACKUP) | Active
vyos | 10.50.1.1 | VyOS VIP | Active
kvm-01 | 10.50.1.110 | Hypervisor | Active
kvm-02 | 10.50.1.111 | Hypervisor | Active
ipmi-01 | 10.50.1.200 | IPMI/OOB | Active
ipmi-02 | 10.50.1.201 | IPMI/OOB | Planned
home-dc01 | 10.50.1.50 | AD Domain Controller | Active
home-dc02 | 10.50.1.51 | AD Domain Controller | Planned
keycloak-01 | 10.50.1.80 | Identity Provider | Active
keycloak-02 | 10.50.1.81 | Identity Provider | Planned
ipa-01 | 10.50.1.100 | FreeIPA | Active
ipa-02 | 10.50.1.101 | FreeIPA | Planned
vault-01 | 10.50.1.60 | Vault PKI/SSH CA | Active
vault-02 | 10.50.1.61 | Vault HA | Planned
vault-03 | 10.50.1.62 | Vault HA | Planned
ise-01 | 10.50.1.20 | ISE (PAN/MnT/PSN) | Active
ise-02 | 10.50.1.21 | ISE HA Secondary | Active
ipsk-mgr-01 | 10.50.1.30 | iPSK Manager | Active
ipsk-mgr-02 | 10.50.1.31 | iPSK Manager HA | Planned
ipsk-mgr | 10.50.1.32 | iPSK VIP | Planned
bind-01 | 10.50.1.90 | BIND DNS | Active
bind-02 | 10.50.1.91 | BIND DNS HA | Planned
9800-wlc-01 | 10.50.1.40 | Wireless LAN Controller | Active
9800-wlc-02 | 10.50.1.41 | WLC HA Standby | Active
3560-cx | 10.50.1.10 | Access Switch | Active
c9300-01 | 10.50.1.11 | Core Switch | Active
nas-01 | 10.50.1.70 | Synology NAS | Active
nas-02 | 10.50.1.71 | NAS HA | Planned
gitea-01 | 10.50.1.72 | Git Server | Active
minio-01 | 10.50.1.73 | S3 Storage | Planned
k3s-master-01 | 10.50.1.120 | k3s Control Plane | Active
k3s-master-02 | 10.50.1.121 | k3s Control Plane | Planned
k3s-master-03 | 10.50.1.122 | k3s Control Plane | Planned
k3s-worker-01 | 10.50.1.123 | k3s Worker | Planned
k3s-worker-02 | 10.50.1.124 | k3s Worker | Planned
k3s-worker-03 | 10.50.1.125 | k3s Worker | Planned
traefik | 10.50.1.130 | Ingress VIP | Active
wazuh-indexer | 10.50.1.131 | SIEM Indexer | Active
wazuh-dashboard | 10.50.1.132 | SIEM Dashboard | Active
wazuh-workers | 10.50.1.133 | SIEM Workers | Active
wazuh-manager | 10.50.1.134 | SIEM Manager | Active
zabbix-01 | 10.50.1.135 | Monitoring | Planned

Table 1. CNAME Aliases

Alias | Target
--- | ---
dc | home-dc01
vault | vault-01
ise | ise-01
wlc | 9800-wlc-01
nas | nas-01
wazuh | wazuh-manager
prometheus | traefik
grafana | traefik
alertmanager | traefik

Connectivity Matrix

Source | Destination | A | B | C | D | E
--- | --- | --- | --- | --- | --- | ---
Workstation | vyos-01 (10.50.1.2) | N/A | N/A | N/A | N/A | [ ]
Workstation | vyos-02 (10.50.1.3) | N/A | [ ] | [ ] | [ ] | [ ]
Workstation | VIP (10.50.1.1) | N/A | N/A | N/A | N/A | [ ]
VyOS | bind-01 (10.50.1.90) | N/A | [ ] | [ ] | [ ] | [ ]
VyOS | ise-01 (10.50.1.20) | N/A | [ ] | [ ] | [ ] | [ ]
VyOS | Internet (8.8.8.8) | N/A | [ ] | [ ] | [ ] | [ ]