Sysadmin Mega Thread

I wouldn’t say pfsense is bad, I’m just moving away from it. VyOS is my favorite networking platform because it’s Debian, has a configure/commit/save paradigm that is well-designed as well as a monolithic config file that’s written in json, all of which can be automated.

Unfortunately, Ubiquiti’s EdgeOS (downstream of VyOS) is all but abandoned and VyOS itself is a commercial product.

1 Like

Holy yard sale on a mountain… 8 THOUSAND DOLLARS

Why

Cheap compared to Palo Alto.

1 Like

Jesus

Just wait until you find out how much Palo Alto admins make :money_with_wings:

:frowning:

It’s free, but they charge $8k just to install it?

Weā€™re like mushrooms.

Fed bullshit and kept in the dark.

1 Like

It’s free if you want to run rolling nightlies on your network edge. Sounds like a nightmare.

@PhaseLockedLoop here is an example of a host_vars inventory file for a Fedora VM. I have Ansible dump things in there and then I can edit them later, re-run the playbook and the config will be applied.

---
# vim: ts=2:sw=2:sts=2:et:ft=yaml
#
# Host Variables - fedora36.hq.example.com
#
# Generated by the o0_o.inventory role.
#
########################################################################

################### ANSIBLE MANAGED LINES (EDITABLE) ###################

# Ansible variables
ansible_host: 127.0.0.1
ansible_user: vagrant
ansible_python_interpreter: /usr/bin/python3
ansible_become_method: sudo
ansible_port: 2205
ansible_ssh_private_key_file: /Users/o0-o/.vagrant.d/insecure_private_key
ansible_connection: ssh
#ansible_network_os:
#ansible_network_cli_ssh_type:

# Time zone and locale
tz: EST
#locale:

# Mandatory access control (SELinux, AppArmor, etc.)
#
# Set to an empty string to disable, otherwise hardcoded values are used
# according to the OS/distribution.
mac: selinux

# Network management daemon (NetworkManager, systemd-networkd, etc.)
#
# Only applicable to Linux distributions. Use netd for Systemd's
# networkd or nm for NetworkManager.
#net_mgr:

######################## ANSIBLE MANAGED BLOCKS ########################
# BEGIN ANSIBLE MANAGED BLOCK: Local users (Editable)
users:
  root:
    gecos: root
    gid: '0'
    group: root
    groups:
    - root
    home: /root
    shell: /bin/bash
    ssh:
      auth: []
      id: []
    uid: '0'
  vagrant:
    adm: true
    gecos: ''
    gid: '1000'
    group: vagrant
    groups:
    - vagrant
    home: /home/vagrant
    shell: /bin/bash
    ssh:
      auth:
      - pub: AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==
        type: rsa
      id: []
    uid: '1000'
# END ANSIBLE MANAGED BLOCK: Local users (Editable)
# BEGIN ANSIBLE MANAGED BLOCK: Software repositories (Editable)
#
# Default repositories are configured in the
# o0_o.host.software_management role (see defaults/main/ in that role).
#
repos:
  dnf:
    fedora:
      enabled: true
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: Fedora $releasever - $basearch
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /linux/releases/$releasever/Everything/$basearch/os/
      url_vars: repo=fedora-$releasever&arch=$basearch
    fedora-cisco-openh264:
      enabled: false
      file: fedora-cisco-openh264
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: openh264 (From Cisco)
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /openh264/$releasever/$basearch/os/
      url_vars: repo=fedora-cisco-openh264-$releasever&arch=$basearch
    fedora-modular:
      enabled: true
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: Fedora Modular $releasever - $basearch
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /linux/releases/$releasever/Modular/$basearch/os/
      url_vars: repo=fedora-modular-$releasever&arch=$basearch
    updates:
      enabled: true
      file: fedora-updates
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: Fedora $releasever - $basearch - Updates
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /linux/updates/$releasever/Everything/$basearch/
      url_vars: repo=updates-released-f$releasever&arch=$basearch
    updates-modular:
      enabled: true
      file: fedora-updates-modular
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: Fedora Modular $releasever - $basearch - Updates
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /linux/updates/$releasever/Modular/$basearch/
      url_vars: repo=updates-released-modular-f$releasever&arch=$basearch
    updates-testing:
      enabled: false
      file: fedora-updates-testing
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: Fedora $releasever - $basearch - Test Updates
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /linux/updates/testing/$releasever/Everything/$basearch/
      url_vars: repo=updates-testing-f$releasever&arch=$basearch
    updates-testing-modular:
      enabled: false
      file: fedora-updates-testing-modular
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: Fedora Modular $releasever - $basearch - Test Updates
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /linux/updates/testing/$releasever/Modular/$basearch/
      url_vars: repo=updates-testing-modular-f$releasever&arch=$basearch
# END ANSIBLE MANAGED BLOCK: Software repositories (Editable)
1 Like
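Since a host_vars file like the one above ends up being the source of truth for local users, authorized SSH keys and package repositories, it is worth linting it before the playbook is re-run. The script below is an added example of mine, not code from the post or from the o0_o collection: it takes a dict shaped like the posted host_vars (a subset of it, constructed inline rather than parsed from YAML so it runs without PyYAML, with the RSA key copied verbatim from the post and one deliberately misconfigured repo named `thirdparty` added to show the checks firing), decodes each authorized key's wire-format blob to confirm the declared type and key size, flags the well-known shared Vagrant key, and checks that every enabled repo has a GPG key and an HTTPS metadata URL. The 2048-bit minimum and the `insecure` path check are assumed policy, not anything the post states.

```python
import base64
import struct

# The RSA public key exactly as it appears in the posted host_vars. It is the
# publicly distributed Vagrant "insecure" key, so it should never be trusted
# on anything other than a throwaway dev VM.
VAGRANT_INSECURE_PUB = (
    "AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ=="
)

MIN_RSA_BITS = 2048  # assumed policy threshold

# Constructed subset of the posted host_vars; "thirdparty" is an invented,
# deliberately weak repo entry so the repo checks have something to report.
HOST_VARS = {
    "ansible_user": "vagrant",
    "ansible_ssh_private_key_file": "/Users/o0-o/.vagrant.d/insecure_private_key",
    "users": {
        "root": {"uid": "0", "shell": "/bin/bash", "ssh": {"auth": [], "id": []}},
        "vagrant": {"uid": "1000", "adm": True, "shell": "/bin/bash",
                    "ssh": {"auth": [{"type": "rsa", "pub": VAGRANT_INSECURE_PUB}], "id": []}},
    },
    "repos": {"dnf": {
        "fedora": {"enabled": True, "url": "https://mirrors.fedoraproject.org",
                   "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"},
        "updates-testing": {"enabled": False, "url": "https://mirrors.fedoraproject.org",
                            "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch"},
        "thirdparty": {"enabled": True, "gpgkey": "", "url": "http://mirror.example.invalid"},
    }},
}


def read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    if offset + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:offset + 4 + n], offset + 4 + n


def parse_ssh_pubkey(b64):
    """Return (algorithm, key size in bits) for an authorized_keys-style blob."""
    blob = base64.b64decode(b64, validate=True)
    algo, off = read_string(blob, 0)
    algo = algo.decode("ascii")
    if algo == "ssh-rsa":
        _e, off = read_string(blob, off)          # public exponent (mpint)
        n, off = read_string(blob, off)           # modulus (mpint)
        bits = int.from_bytes(n, "big").bit_length()
    elif algo == "ssh-ed25519":
        key, off = read_string(blob, off)
        bits = len(key) * 8
    elif algo.startswith("ecdsa-sha2-nistp"):
        _curve, off = read_string(blob, off)
        _point, off = read_string(blob, off)
        bits = int(algo[len("ecdsa-sha2-nistp"):])
    else:
        raise ValueError(f"unsupported key type {algo}")
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    return algo, bits


def audit_host_vars(hv):
    """Return a list of human-readable findings; empty means nothing to fix."""
    findings = []
    for name, user in hv.get("users", {}).items():
        for key in user.get("ssh", {}).get("auth", []):
            try:
                algo, bits = parse_ssh_pubkey(key["pub"])
            except (ValueError, struct.error) as exc:
                findings.append(f"user {name}: unparseable authorized key ({exc})")
                continue
            declared = key.get("type", "")
            if declared and declared not in algo:
                findings.append(f"user {name}: key declared {declared!r} but blob is {algo}")
            if algo == "ssh-rsa" and bits < MIN_RSA_BITS:
                findings.append(f"user {name}: RSA key is only {bits} bits")
            if key["pub"] == VAGRANT_INSECURE_PUB:
                findings.append(f"user {name}: authorized key is the well-known Vagrant insecure key")
    for mgr, repos in hv.get("repos", {}).items():
        for rname, repo in repos.items():
            if not repo.get("enabled"):
                continue  # disabled repos cannot pull packages, skip them
            if not repo.get("gpgkey"):
                findings.append(f"repo {mgr}/{rname}: enabled without gpgkey")
            if not str(repo.get("url", "")).startswith("https://"):
                findings.append(f"repo {mgr}/{rname}: metadata URL is not https")
    if "insecure" in hv.get("ansible_ssh_private_key_file", ""):
        findings.append("ansible_ssh_private_key_file points at a shared/insecure key")
    return findings


if __name__ == "__main__":
    for line in audit_host_vars(HOST_VARS):
        print("FINDING:", line)
```

Run on the constructed data it reports four findings: the Vagrant key on the `vagrant` user, the missing GPG key and plain-HTTP URL on the invented `thirdparty` repo, and the `insecure_private_key` path. For a real inventory, load the YAML with `yaml.safe_load` and pass the resulting dict to `audit_host_vars`; the key parser works for RSA, Ed25519 and NIST ECDSA blobs.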

MikroTik obtained!!!
Next week will be dedicated to learning and configuring this.

8 Likes

It’s pretty easy to build the LTS image Build VyOS — VyOS 1.3.x (equuleus) documentation

You can also get access by donating through OpenCollective VyOS Project Collective - Open Collective

I personally run bleeding edge since some features I want aren’t in LTS and just report bugs that I find which isn’t really often. Firewall component is getting overhauled to be compatible with nftables so IPS can be integrated via podman and to replace the janky perl scripts of OG Vyatta with much cleaner Python scripts.

Also the 8k is for the type of org that is installing hundreds of routers, there is a 125 per month subscription for two HA routers.

1 Like

SAME HERE !!!

Lol

Holy antennas batman

4 Likes

Staying on the theme of Mikrotiks, I OOPS’d and made the executive decision to replace all Zyxel and Netgear managed switches with RouterOS based Mikrotiks as we can do RADIUS auth on them and automated config backups and centralised management with Unimus

3 Likes

Ty, this was not on my radar.

1 Like

THIS HAS BEEN PISSING ME OFF SO MUCH, but I’m still using PFSense anyways… I can’t get the backups to automate itself to my backup server last I tried, and with it starting to age, I’m worried about it blowing up on me.

Same thing as for @oO.o
Look into Unimus as it supports pfSense as well
Even notifies you via email if something has config change
https://wiki.unimus.net/pages/viewpage.action?pageId=10092755

2 Likes

Alpha 4 of my Ansible collection is up.

Slow but steady wins the race…

2 Likes

Thanks for the heads-up on Unimus. Seems like a cool bit of software for pfsense management.

Rn I have just been downloading backups and then encrypting and storing them on my git repo every time I do any changes which is obv not smooth.

1 Like

Wow router OS is a complicated detailed beast. Interesting

2 Likes

Yeah, we weren’t bs’ing you about needing to read some documentation.

1 Like