VyOS Migration: Rollback Procedures

DNS Rollback (Phase A)

If DNS changes cause issues, restore from the pre-migration zone file backups:

# Find backup timestamp
ssh bind-01.inside.domusdigitalis.dev "ls -la /var/named/*.bak.*"

# Restore (replace TIMESTAMP with actual value)
ssh bind-01.inside.domusdigitalis.dev "sudo cp /var/named/inside.domusdigitalis.dev.zone.bak.TIMESTAMP /var/named/inside.domusdigitalis.dev.zone"
ssh bind-01.inside.domusdigitalis.dev "sudo cp /var/named/10.50.1.rev.bak.TIMESTAMP /var/named/10.50.1.rev"
ssh bind-01.inside.domusdigitalis.dev "sudo rndc reload"
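
The restore above, written as a script that is an added example and not part of the original runbook. It restores the forward and reverse zones only from a timestamp that exists for both files, so they are never rolled back to different points in time. It assumes the TIMESTAMP suffixes sort lexicographically; the function names and the `.pre-rollback` suffix are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: TIMESTAMP suffixes sort lexicographically
# (for example 20260301-0900); the zone file names are the ones used above.
ZONE_DIR="${ZONE_DIR:-/var/named}"
ZONES="inside.domusdigitalis.dev.zone 10.50.1.rev"

# Print the newest timestamp for which every zone file has a non-empty backup.
latest_common_backup() {
    first=${ZONES%% *}
    for f in "$ZONE_DIR/$first".bak.*; do
        [ -e "$f" ] || continue
        ts=${f##*.bak.}
        ok=1
        for z in $ZONES; do
            [ -s "$ZONE_DIR/$z.bak.$ts" ] || ok=0
        done
        if [ "$ok" -eq 1 ]; then echo "$ts"; fi
    done | sort | tail -n 1
}

# Restore every zone from backup set $1, first saving the live files as
# <zone>.pre-rollback.<now> so the rollback itself can be undone.
restore_zones() {
    ts=$1
    case $ts in
        ''|*/*) echo "bad timestamp: '$ts'" >&2; return 2 ;;
    esac
    # Check the whole set before touching anything.
    for z in $ZONES; do
        [ -s "$ZONE_DIR/$z.bak.$ts" ] || { echo "no backup of $z at $ts" >&2; return 1; }
    done
    now=$(date +%Y%m%d-%H%M%S)
    for z in $ZONES; do
        cp -p "$ZONE_DIR/$z" "$ZONE_DIR/$z.pre-rollback.$now" || return 1
        cp -p "$ZONE_DIR/$z.bak.$ts" "$ZONE_DIR/$z" || return 1
    done
}

# On bind-01, as root:
#   ts=$(latest_common_backup) && restore_zones "$ts" && rndc reload
```

Running named-checkzone on each restored file before `rndc reload` catches a corrupt backup before BIND loads it.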

VyOS Config Rollback (Phases B-E)

VyOS maintains a commit history. Roll back to the previous configuration:

# Option 1: Switch back to pfSense (if not yet shut down)
# Update client default gateways to 10.50.1.1 (pfSense) instead of VyOS

# Option 2: Restore VyOS from previous config
# Configuration mode does not persist across separate "ssh host command" calls,
# so log in once and run the commands in the same session.
ssh vyos-01.inside.domusdigitalis.dev
configure
rollback 1  # Rollback to previous commit
commit
exit

Complete Rollback (Return to pfSense)

Nuclear option — restore pfSense as the primary gateway:

# 1. Start pfSense if stopped
sudo virsh start pfSense-FW01

# 2. Shut down VyOS VMs
sudo virsh shutdown vyos-01
sudo virsh shutdown vyos-02

# 3. Verify pfSense has route
ping -c3 10.50.1.1  # Should respond (pfSense)

# 4. Update client DNS if needed (DNS records remain valid)

As of 2026-03-07, pfSense has been decommissioned. This rollback path is no longer available without restoring the pfSense VM from backup.