Virtualizing the Network Core with VyOS
Building a network usually forces you into a corner. You either pay thousands for rigid, proprietary hardware from vendors like Cisco, or you spend your weekends wrestling with fragmented Linux scripts and iptables. While a standard Linux server can route packets, managing it at scale becomes a maintenance nightmare. You lack a unified way to view the configuration, and one wrong move with a manual command can drop your entire connection.
VyOS is the sweet spot. It is an open-source Network Operating System (NOS) that provides a unified Command Line Interface (CLI)—heavily inspired by Juniper’s Junos—on top of a rock-solid Debian base. You can turn a lightweight VM or a dusty old bare-metal server into a high-performance router. In production, I have seen VyOS handle 10Gbps throughput on modest hardware, making it a go-to choice for cloud architects who want to avoid vendor lock-in.
Quick Start (5 min): Initial Configuration
After booting the VyOS ISO on VMware, Proxmox, or KVM, you are running from the live image (default login vyos / vyos); install it to the local disk before anything else. VyOS has a dual-mode CLI: you start in Operational Mode (prompt ends in $) for monitoring and for commands such as install image, then switch to Configuration Mode (prompt ends in #) to change settings. Lines beginning with # in the blocks below are comments, not prompts. The syntax shown is VyOS 1.3; 1.4 and later renamed several nodes (notably under firewall and dhcp-server), so lean on tab completion if a command is rejected on your release.
# Operational mode: install the OS to your virtual drive (follow the prompts)
install image
# Enter configuration mode
configure
# Set the basics. plaintext-password is hashed at commit and stored as
# encrypted-password; this also replaces the default vyos/vyos login.
set system host-name 'Core-Router-01'
set system domain-name 'itfromzero.local'
set system login user vyos authentication plaintext-password 'YourSecurePassword'
# Enable SSH for remote access
set service ssh port '22'
# Apply and persist changes
commit
save
Unlike standard Linux, where a change takes effect the moment you press enter, VyOS stages your set commands and only applies them on commit, after validating the whole candidate configuration; a set with a typo is rejected at commit rather than half-applied. That lets you build a related set of changes (an address, a route and the firewall that protects it) and apply them as one unit. save writes the running configuration to disk; until you run it, a reboot returns the router to the last saved state, which doubles as a safety net when testing.
Deep Dive: Routing and Interface Management
A router’s primary job is moving data between segments. In most setups, you will manage at least two interfaces: a WAN (Internet) and a LAN (Internal).
Configuring Interfaces
Let’s assign IP addresses to our virtual adapters. We will assume eth0 is your public-facing WAN and eth1 is your private LAN.
set interfaces ethernet eth0 address '203.0.113.10/24'
set interfaces ethernet eth0 description 'WAN-Link'
set interfaces ethernet eth1 address '192.168.10.1/24'
set interfaces ethernet eth1 description 'Internal-LAN'
Setting the Default Gateway
Your router needs to know where to send traffic that isn’t destined for the local network. This is your default route.
set protocols static route 0.0.0.0/0 next-hop 203.0.113.1
This tells VyOS to send all traffic without a more specific route to your ISP’s gateway at 203.0.113.1. On a dynamic connection, use set interfaces ethernet eth0 address dhcp instead of the static address and leave the static default route out: the DHCP lease supplies the gateway, and a static 0.0.0.0/0 route would win over the DHCP-learned one (lower administrative distance), pinning you to a stale next-hop.
DHCP Server for LAN Clients
Don’t waste time manually configuring every laptop on your network. Use a DHCP pool to automate the process.
set service dhcp-server shared-network-name LAN_POOL subnet 192.168.10.0/24 default-router '192.168.10.1'
set service dhcp-server shared-network-name LAN_POOL subnet 192.168.10.0/24 dns-server '8.8.8.8'
set service dhcp-server shared-network-name LAN_POOL subnet 192.168.10.0/24 range 0 start '192.168.10.100'
set service dhcp-server shared-network-name LAN_POOL subnet 192.168.10.0/24 range 0 stop '192.168.10.200'
Advanced Usage: NAT and Stateful Firewall
Security is not optional when your router faces the public internet. We use Source NAT to allow LAN devices to browse the web and firewall rules to block the bad guys.
Source NAT (Masquerade)
Private (RFC 1918) addresses such as 192.168.x.x are not routed on the public internet. The router must rewrite the internal source IP to its own public IP on the way out and undo the translation on the replies. Rule 100 below masquerades to whatever address eth0 currently holds, which is exactly what you want on a DHCP WAN.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.10.0/24'
set nat source rule 100 translation address 'masquerade'
Building a Stateful Firewall
A stateful firewall tracks connections rather than judging packets one at a time. Because your internal PC initiated the request, the web server’s reply belongs to an established flow and is accepted; an unsolicited probe from the internet matches no flow and hits the default drop.
# Drop everything by default on the WAN
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
# Protect the router itself
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
# Allow ICMP (ping, path-MTU messages) to the router's own addresses
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
# Attach the rules to your WAN port
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
The local direction covers traffic addressed to the router’s own IPs (your SSH management session, pings to the router), while in covers traffic passing through it to your LAN. Be clear about what these two rulesets do and do not do: new connections from the WAN, SSH included, are dropped, so attach them from the LAN side or the hypervisor console rather than over a WAN SSH session; and nothing here filters traffic leaving the LAN, because no ruleset is bound to eth1 in or eth0 out.
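Here is how I would harden those two rulesets before putting eth0 on the internet; this is an added example, not configuration from the original post. It drops packets the connection tracker flags as invalid, logs what the default drop eats so background scans show up in the firewall log, and opens new SSH sessions to the router only from a trusted management prefix, while the vyos account is switched to key-only login. The prefix 198.51.100.0/24, the key name admin-laptop and the key body are placeholders you must replace; the syntax is VyOS 1.3, and I would type this at the hypervisor console so a mistake cannot lock me out.

```vyos
# Added example (VyOS 1.3 syntax). 198.51.100.0/24, 'admin-laptop' and the
# key body are placeholders, not values from the original post.
configure

# Transit traffic from the WAN: drop invalid, allow replies, log the rest
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN enable-default-log
set firewall name OUTSIDE-IN rule 5 action 'drop'
set firewall name OUTSIDE-IN rule 5 state invalid 'enable'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'

# Traffic to the router itself
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL enable-default-log
set firewall name OUTSIDE-LOCAL rule 5 action 'drop'
set firewall name OUTSIDE-LOCAL rule 5 state invalid 'enable'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
# New SSH sessions only from the management prefix (placeholder value)
set firewall name OUTSIDE-LOCAL rule 30 action 'accept'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 source address '198.51.100.0/24'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'

# Bind both rulesets to the WAN port
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

# SSH: key-only login for the vyos user (key name and body are placeholders)
set system login user vyos authentication public-keys admin-laptop type 'ssh-ed25519'
set system login user vyos authentication public-keys admin-laptop key 'PASTE-YOUR-KEY-BODY-HERE'
set service ssh disable-password-authentication

commit
save
exit

# Verify from operational mode: rule 30 should count your own SSH session,
# and the default-drop counter should climb with internet background noise
show firewall name OUTSIDE-LOCAL statistics
show log firewall name OUTSIDE-LOCAL
```

If you will only ever manage the router from the LAN, drop rule 30 and add set service ssh listen-address '192.168.10.1' so sshd is not reachable from the WAN at all. Either way, keep your current session open and confirm a second, key-based login succeeds before you exit; once disable-password-authentication is committed, a bad key is a lock-out.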
Pro Tips for Production Stability
Running a router in production requires a different mindset. Use these strategies to avoid self-inflicted downtime:
- The Panic Button: When configuring a remote router, use commit-confirm 5 instead of commit. The changes are applied, but unless you run confirm within 5 minutes the router reverts them. On VyOS 1.3 that revert is a reboot into the last saved configuration, so save your known-good config before you start, or you will roll back further than you intended.
- Version Control: VyOS keeps a history of committed revisions (the depth is set with system config-management commit-revisions). Use show system commit to see who changed what and when, compare in configuration mode to preview an uncommitted change, and rollback 1 to return to the previous revision (on 1.3 this also reboots).
- Hardware Sizing: For basic home or small office use, 512MB of RAM is plenty. For a 1Gbps link with heavy NAT and 50+ users, 2GB of RAM and 2 vCPUs is the sweet spot. Priority should always be given to CPU clock speed for better packet processing.
- VLAN Trunking: Don’t add a dozen virtual NICs to your VM. Use 802.1Q tagging to run multiple networks over one cable (the hypervisor’s virtual switch must pass tagged frames through to the VM):
set interfaces ethernet eth1 vif 10 address '10.0.10.1/24'
set interfaces ethernet eth1 vif 20 address '10.0.20.1/24'
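The commit-confirm and VLAN-trunking tips above fit together as one procedure. As an added example that is not from the original post, this session brings up VLANs 10 and 20 on eth1 with a DHCP pool each on a router you can only reach over SSH: save first, stage the change, review it with compare, apply it with a five-minute fuse, verify from a second terminal, then confirm. The VLAN IDs, the 10.0.x.0/24 subnets, the pool names and the NAT rule number are assumptions for the example; the syntax is VyOS 1.3.

```vyos
# Added example (VyOS 1.3 syntax). VLAN IDs, subnets, pool names and the
# NAT rule number are placeholders chosen for this example.

# 1. Snapshot the known-good state. If commit-confirm is not confirmed,
#    the router reboots into the last *saved* configuration, not the last
#    committed one.
save

configure
set interfaces ethernet eth1 description 'Trunk-to-Switch'
set interfaces ethernet eth1 vif 10 description 'Users'
set interfaces ethernet eth1 vif 10 address '10.0.10.1/24'
set interfaces ethernet eth1 vif 20 description 'Servers'
set interfaces ethernet eth1 vif 20 address '10.0.20.1/24'

# One DHCP pool per VLAN; the router's VLAN address is each pool's gateway
set service dhcp-server shared-network-name USERS subnet 10.0.10.0/24 default-router '10.0.10.1'
set service dhcp-server shared-network-name USERS subnet 10.0.10.0/24 dns-server '8.8.8.8'
set service dhcp-server shared-network-name USERS subnet 10.0.10.0/24 range 0 start '10.0.10.100'
set service dhcp-server shared-network-name USERS subnet 10.0.10.0/24 range 0 stop '10.0.10.200'
set service dhcp-server shared-network-name SERVERS subnet 10.0.20.0/24 default-router '10.0.20.1'
set service dhcp-server shared-network-name SERVERS subnet 10.0.20.0/24 dns-server '8.8.8.8'
set service dhcp-server shared-network-name SERVERS subnet 10.0.20.0/24 range 0 start '10.0.20.100'
set service dhcp-server shared-network-name SERVERS subnet 10.0.20.0/24 range 0 stop '10.0.20.200'

# The masquerade rule from the NAT section only covers 192.168.10.0/24;
# without this the new VLANs route but cannot reach the internet.
set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '10.0.0.0/16'
set nat source rule 110 translation address 'masquerade'

# 2. Review exactly what will change, then apply with a 5-minute fuse
compare
commit-confirm 5

# 3. From a second terminal (operational mode): is the router still
#    reachable, are eth1.10 / eth1.20 up, are leases being handed out?
#      show interfaces
#      show dhcp server leases

# 4. Still in configuration mode: keep the change and persist it
confirm
save
exit

# Audit trail: who committed what, and when
show system commit
```

If step 3 fails and you do nothing, the fuse expires and the router reboots into the configuration saved in step 1. To undo a change you did confirm, enter configuration mode and run rollback 1, which returns to the previous revision listed by show system commit (on 1.3 this also reboots).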
VyOS offers the power of a $5,000 rack-mounted appliance with the agility of a software package. Once you master the CLI, you can deploy identical network stacks across AWS, Azure, or your local data center without learning new vendor syntax every time.

