{"id":3379,"date":"2026-01-28T09:01:29","date_gmt":"2026-01-28T13:01:29","guid":{"rendered":"https:\/\/arielantigua.com\/weblog\/?p=3379"},"modified":"2026-01-28T09:01:29","modified_gmt":"2026-01-28T13:01:29","slug":"vyos-all-in-to-improve-the-network-and-keep-my-sanity","status":"publish","type":"post","link":"https:\/\/arielantigua.com\/weblog\/2026\/01\/vyos-all-in-to-improve-the-network-and-keep-my-sanity\/","title":{"rendered":"VyOS all-in, to improve the network and keep my sanity!"},"content":{"rendered":"

My network is overcomplicated on purpose. starting with my local network all the way to Linux machines in Miami, New York, Frankfurt, and Netherland working as BGP routers. I\u2019ve been playing with VRF and iprules, looking for a reliable way to separate traffic generated towards my \/24 and traffic that originates machine-to-machine for tunneling. Tunnels, this is where I always find issues, routing tables fighting each other, killing the traffic, and taking the tunnels down.<\/p>\n

I know that VyOS has been around for more than 10 years, and I have used it before for my home-network but decide to go with plain Linux because of BIRD, I love that thing!
\nVyOS comes with FRR, it\u2019s a powerful platform, but I know how to do things in BIRD (v1 or v2) using Pathvector. For my current configuration, the issues come with the traffic separation; VRF makes it so much easier than iprules or other networking tricks.<\/p>\n

How did the whole reconfiguration of my network begin?
\nI read you ask\u2026.<\/p>\n

history time!<\/strong><\/p>\n

For almost 2 years a Peplink Balance 30X<\/strong> was the responsible of my Internet access at home, managing 2 WAN and a tunnel to Miami using SpeedFusion<\/strong>, it was flawlessly, no issues, but it cost money. At first I was ok paying the \u201ctax\u201d for a working solution that you as a user don\u2019t have to be messing around with it to work, but besides the cost, the lack of customization was limiting my tinkering brain from playing more with the router, it does his thing great but you cannot add your stuff like an Opensource Router, and it was lacking IPv6 support<\/strong>. Before moving to Peplink, an OPNSense was working as a firewall\/loadbalancer, but the LB stuff was a hit and miss for me, with the Peplink it was rock-solid so I moved, them decide that I don\u2019t want to pay for something that I can configure myself, put OPNSense back on an old Sophos XG125, and the pain began.<\/p>\n

Here is the list of stuff that only worked when the moon aligned with the sun.<\/p>\n

Load Balancing:<\/strong> this was very frustrating to make it work as I want it, I am not an expert on OPNSense, but coming from pfSense (used it for years!!), This doesn\u2019t look like a hard configuration to make. Sometimes the failover\/failback took forever, it wasn\u2019t the biggest issue, and I started to accept that I didn\u2019t know how to make it work.<\/p>\n

Wireguard Tunnels:<\/strong> This was the killer. Looks like Wireguard has issues on OPNSense and sometimes it just dies. One thing I wish was working is the option to pin a WG connection on an interface, I know this works on Linux, but it looks like the version ported to *BSD has issues.<\/p>\n

Tailscale Support:<\/strong> Another hit and miss, I have to reconfigure the tailnet related stuff two times without any reason, the config just disappears.<\/p>\n

GUI:<\/strong> This thing was so slow on my hardware, and I didn\u2019t want to buy a new one. Remember, moving away from Peplink was to save money, no spend it on new hardware.<\/p>\n

OPNSense was running for almost three months, but I wasn\u2019t happy with how things were going. Started looking around, didn\u2019t want to use pfSense (just a personal decision).<\/p>\n

What I considered:<\/strong><\/p>\n

Using a Mikrotik<\/em> as an Internet router again. I use MT as my core router in my network and another one as the internal router for public traffic using public addresses advertised by AS207036<\/strong><\/a> and routed to services hosted at home. I know my way on RouterOS.<\/p>\n

Using OpenWRT<\/em>, more for the WAN capabilities than firewall\/routing.<\/p>\n

Using VyOS<\/em>. I didn\u2019t want to learn the syntax to manage this; I was busy with other stuff, but I want to make this network easy to \u201cmanage\u201d.<\/p>\n

This is the list of things that I want to have; the platform with the most checkmarks will be selected.<\/p>\n

    \n
  1. Support for BGP\/OSPF, my home network relies on this to learn and announce prefixes, it\u2019s been this way for more than 5 years, so I\u2019m not moving away from this configuration.<\/li>\n
  2. WAN Load Balancing, working from home, this is a must. My primary WAN is CLARO, which is stable as a rock, but you know, even the best has issues.<\/li>\n
  3. Native Wireguard support. This is the way I want to connect to a remote VyOS machine in Miami; the same is achieved using Peplink + Speedfusion.<\/li>\n
  4. Using the same WG tunnel, I expose internal services to the Internet.<\/li>\n
  5. VRF support, putting this on the list makes VyOS almost the default winner. Yes, Mikrotik supports VRF, but I don\u2019t like how RouterOS runs the multiwan logic.<\/li>\n
  6. Tailscale support. This one looks to be supported on all three devices that I want to use.<\/li>\n<\/ol>\n