I wouldn't say pfsense is bad, I'm just moving away from it. VyOS is my favorite networking platform because it's Debian, has a configure/commit/save paradigm that is well-designed, as well as a monolithic config file that's written in json, all of which can be automated.
Unfortunately, Ubiquiti's EdgeOS (downstream of VyOS) is all but abandoned and VyOS itself is a commercial product.
@PhaseLockedLoop here is an example of a host_vars inventory file for a Fedora VM. I have Ansible dump things in there and then I can edit them later, re-run the playbook and the config will be applied.
```yaml
---
# vim: ts=2:sw=2:sts=2:et:ft=yaml
#
# Host Variables - fedora36.hq.example.com
#
# Generated by the o0_o.inventory role.
#
########################################################################
################### ANSIBLE MANAGED LINES (EDITABLE) ###################
# Ansible variables
ansible_host: 127.0.0.1
ansible_user: vagrant
ansible_python_interpreter: /usr/bin/python3
ansible_become_method: sudo
ansible_port: 2205
ansible_ssh_private_key_file: /Users/o0-o/.vagrant.d/insecure_private_key
ansible_connection: ssh
#ansible_network_os:
#ansible_network_cli_ssh_type:
# Time zone and locale
tz: EST
#locale:
# Mandatory access control (SELinux, AppArmor, etc.)
#
# Set to an empty string to disable, otherwise hardcoded values are used
# according to the OS/distribution.
mac: selinux
# Network management daemon (NetworkManager, systemd-networkd, etc.)
#
# Only applicable to Linux distributions. Use netd for Systemd's
# networkd or nm for NetworkManager.
#net_mgr:
######################## ANSIBLE MANAGED BLOCKS ########################
# BEGIN ANSIBLE MANAGED BLOCK: Local users (Editable)
users:
  root:
    gecos: root
    gid: '0'
    group: root
    groups:
      - root
    home: /root
    shell: /bin/bash
    ssh:
      auth: []
      id: []
    uid: '0'
  vagrant:
    adm: true
    gecos: ''
    gid: '1000'
    group: vagrant
    groups:
      - vagrant
    home: /home/vagrant
    shell: /bin/bash
    ssh:
      auth:
        - pub: AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ==
          type: rsa
      id: []
    uid: '1000'
# END ANSIBLE MANAGED BLOCK: Local users (Editable)
# BEGIN ANSIBLE MANAGED BLOCK: Software repositories (Editable)
#
# Default repositories are configured in the
# o0_o.host.software_management role (see defaults/main/ in that role).
#
repos:
  dnf:
    fedora:
      enabled: true
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: Fedora $releasever - $basearch
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /linux/releases/$releasever/Everything/$basearch/os/
      url_vars: repo=fedora-$releasever&arch=$basearch
    fedora-cisco-openh264:
      enabled: false
      file: fedora-cisco-openh264
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: openh264 (From Cisco)
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /openh264/$releasever/$basearch/os/
      url_vars: repo=fedora-cisco-openh264-$releasever&arch=$basearch
    fedora-modular:
      enabled: true
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: Fedora Modular $releasever - $basearch
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /linux/releases/$releasever/Modular/$basearch/os/
      url_vars: repo=fedora-modular-$releasever&arch=$basearch
    updates:
      enabled: true
      file: fedora-updates
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: Fedora $releasever - $basearch - Updates
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /linux/updates/$releasever/Everything/$basearch/
      url_vars: repo=updates-released-f$releasever&arch=$basearch
    updates-modular:
      enabled: true
      file: fedora-updates-modular
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: Fedora Modular $releasever - $basearch - Updates
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /linux/updates/$releasever/Modular/$basearch/
      url_vars: repo=updates-released-modular-f$releasever&arch=$basearch
    updates-testing:
      enabled: false
      file: fedora-updates-testing
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: Fedora $releasever - $basearch - Test Updates
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /linux/updates/testing/$releasever/Everything/$basearch/
      url_vars: repo=updates-testing-f$releasever&arch=$basearch
    updates-testing-modular:
      enabled: false
      file: fedora-updates-testing-modular
      gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
      method: metalink
      name: Fedora Modular $releasever - $basearch - Test Updates
      type: rpm
      url: https://mirrors.fedoraproject.org
      url_path: /linux/updates/testing/$releasever/Modular/$basearch/
      url_vars: repo=updates-testing-modular-f$releasever&arch=$basearch
# END ANSIBLE MANAGED BLOCK: Software repositories (Editable)
```
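A host_vars file like the one above is worth linting before the playbook re-applies it, because it is where the trust decisions live: which SSH keys an admin-capable account accepts, whether MAC is switched off, and which package repositories are enabled with or without a signing key. The script below is an added example, not code from the post or from the o0_o roles; `audit_host_vars` and `key_fingerprint` are names chosen here, and `HOST_VARS` is a constructed, trimmed Python copy of the posted file so it runs offline without PyYAML (in practice you would `yaml.safe_load` the real file into the same shape). The only key it denylists is the one the file itself pairs with `insecure_private_key`.

```python
"""Lint an Ansible host_vars document for weak trust settings (added example)."""
import base64
import binascii
import hashlib

# Public key taken from the posted host_vars. The file pairs it with
# ~/.vagrant.d/insecure_private_key, i.e. a shared, publicly known key,
# so any host that still trusts it for an admin account should be flagged.
VAGRANT_INSECURE_PUB = (
    "AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+ni"
    "NltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTB"
    "ckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL"
    "+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPK"
    "cF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ=="
)

# Constructed, trimmed copy of the posted host_vars (same keys and shape).
HOST_VARS = {
    "ansible_host": "127.0.0.1",
    "ansible_user": "vagrant",
    "ansible_ssh_private_key_file": "/Users/o0-o/.vagrant.d/insecure_private_key",
    "mac": "selinux",
    "users": {
        "root": {"uid": "0", "ssh": {"auth": [], "id": []}},
        "vagrant": {
            "adm": True,
            "uid": "1000",
            "ssh": {"auth": [{"pub": VAGRANT_INSECURE_PUB, "type": "rsa"}], "id": []},
        },
    },
    "repos": {
        "dnf": {
            "fedora": {
                "enabled": True,
                "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch",
                "url": "https://mirrors.fedoraproject.org",
            },
            "updates-testing": {
                "enabled": False,
                "gpgkey": "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch",
                "url": "https://mirrors.fedoraproject.org",
            },
        }
    },
}


def key_fingerprint(pub_b64):
    """Return OpenSSH's 'SHA256:<unpadded base64>' fingerprint of a key blob,
    or None when the blob is not valid base64 (a malformed inventory entry)."""
    try:
        raw = base64.b64decode(pub_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_host_vars(hv, denylisted_pubs=frozenset({VAGRANT_INSECURE_PUB})):
    """Walk a loaded host_vars dict and return a list of human-readable findings.
    Checks: MAC disabled, shared/insecure control key, denylisted or malformed
    authorized keys on local users, enabled repos without gpgkey or over http."""
    findings = []

    # The file's own convention: an empty string disables SELinux/AppArmor.
    if hv.get("mac") == "":
        findings.append("mac: mandatory access control is disabled")

    # Flag the well-known shared key by its file name; a real key would be renamed.
    keyfile = hv.get("ansible_ssh_private_key_file", "")
    if "insecure" in keyfile.rsplit("/", 1)[-1]:
        findings.append(f"ansible_ssh_private_key_file: {keyfile} is a shared key")

    for name, user in hv.get("users", {}).items():
        role = "admin " if user.get("adm") else ""
        for entry in user.get("ssh", {}).get("auth", []):
            fp = key_fingerprint(entry.get("pub", ""))
            if fp is None:
                findings.append(f"users.{name}: unparseable public key in ssh.auth")
            elif entry.get("pub") in denylisted_pubs:
                findings.append(f"users.{name}: {role}account trusts a denylisted key ({fp})")

    for name, repo in hv.get("repos", {}).get("dnf", {}).items():
        if not repo.get("enabled"):
            continue  # disabled repos are not a supply-chain exposure
        if not repo.get("gpgkey"):
            findings.append(f"repos.dnf.{name}: enabled without a gpgkey")
        url = repo.get("url", "")
        if not url.startswith("https://"):
            findings.append(f"repos.dnf.{name}: metadata fetched over plain http ({url})")
    return findings


if __name__ == "__main__":
    for line in audit_host_vars(HOST_VARS) or ["no findings"]:
        print(line)
```

Run against the posted file this reports exactly the two things you would expect on a Vagrant box (the shared control key and the admin account that trusts its public half) and nothing about `mac` or the repos; the same function run over each host_vars file in the inventory before `ansible-playbook` gives you a cheap gate for the mistakes that are easiest to make when "dump it, edit it, re-run" is the workflow.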
I personally run bleeding edge since some features I want aren't in LTS, and just report bugs that I find, which isn't really often. The firewall component is getting overhauled to be compatible with nftables so IPS can be integrated via podman, and to replace the janky perl scripts of OG Vyatta with much cleaner Python scripts.
Also, the 8k is for the type of org that is installing hundreds of routers; there is a 125 per month subscription for two HA routers.
Staying on the theme of Mikrotiks, I OOPS'd and made the executive decision to replace all Zyxel and Netgear managed switches with RouterOS based Mikrotiks, as we can do RADIUS auth on them and automated config backups and centralised management with Unimus.
THIS HAS BEEN PISSING ME OFF SO MUCH, but I'm still using PFSense anyways... I can't get the backups to automate itself to my backup server last I tried, and with it starting to age, I'm worried about it blowing up on me.