# Router OS Evaluation: OPNsense vs VyOS

This document evaluates the feasibility and utility of migrating from OPNsense to VyOS (or alternatives) for the Tower Fleet homelab network infrastructure.

- **Evaluation Date:** 2025-12-16
- **Status:** Assessed - Not Recommended for Migration
- **Priority:** Backlog (if pursued)
## Table of Contents
- Executive Summary
- Current State
- Candidates Evaluated
- Feature Comparison
- Migration Effort Analysis
- Risk Assessment
- Recommendation
- Roadmap Placement
## Executive Summary

**Question:** Should we migrate from OPNsense to VyOS or another router OS?

**Answer:** No. OPNsense meets current needs effectively. Migration effort and risk outweigh the marginal benefits.

Key Findings:
- VyOS excels at Infrastructure-as-Code but lacks a GUI, requiring CLI-only management
- OPNsense provides superior firewall/IDS features and easier management
- Migration risk is high due to DNS dependencies (K8s CoreDNS relies on OPNsense)
- No compelling driver exists for migration at this time
If IaC is a priority: Consider MikroTik CHR as a better middle-ground alternative.
## Current State

### OPNsense Configuration
| Component | Configuration |
|---|---|
| IP Address | 10.89.97.1 (gateway) |
| Subnet | 10.89.97.0/24 |
| DNS | Unbound with local overrides |
| DHCP | Standard pool allocation |
| VPN | WireGuard tunnel to Hetzner VPS (10.22.95.x) |
| Firewall | NAT, LAN allow, WAN deny |
### OPNsense Responsibilities

```text
Internet
│
├─ Hetzner VPS (5.161.45.147) ──── WireGuard ────┐
│     *.bogocat.com                               │
│                                                 │
└─ OPNsense (10.89.97.1) ◄────────────────────────┘
      │ 10.22.95.1 (WireGuard)
      │
      ├─ Proxmox Host(s) (10.89.97.x)
      ├─ LXC Containers (10.89.97.97, .101, .239, .241, etc.)
      ├─ VMs (10.89.97.50, .221-.223, etc.)
      └─ Kubernetes Services (MetalLB: 10.89.97.210+)
```
### Critical Integration: Kubernetes DNS

OPNsense Unbound serves as the authoritative DNS for internal resolution:

- CoreDNS forwards the `.internal` zone → OPNsense (10.89.97.1)
- CoreDNS forwards the `bogocat.com` zone → OPNsense (split-horizon DNS)
- OPNsense host overrides map `*.bogocat.com` → K8s Ingress (10.89.97.220)
Impact: Any DNS misconfiguration during migration breaks the entire K8s cluster's ability to resolve internal services.
## Candidates Evaluated

### 1. VyOS
Overview: Open-source network OS based on Debian Linux. Router-first with firewall capabilities.
| Attribute | Assessment |
|---|---|
| License | Open source (rolling release free, LTS requires subscription) |
| Interface | CLI only - no native GUI |
| Resources | Minimal (512MB RAM, 2GB disk) |
| IaC Support | Excellent - text configs, Git-friendly, Ansible/Terraform ready |
| Advanced Routing | Superior - BGP, OSPF, RIP, IS-IS, DMVPN |
| Firewall | Capable but not primary focus |
| DNS Server | Manual setup required (dnsmasq/unbound) |
| Learning Curve | Steep - requires networking expertise |
| Community | Smaller, enterprise-focused |
Best For: Enterprise routing labs, BGP/OSPF learning, strict IaC requirements.
### 2. MikroTik CHR (Cloud Hosted Router)
Overview: Commercial router OS with free tier, excellent routing and API support.
| Attribute | Assessment |
|---|---|
| License | Free (1 Mbps) / Paid licenses ($45-$250 one-time) |
| Interface | WinBox GUI + CLI + API |
| Resources | Light (~256MB RAM) |
| IaC Support | Good - API scripting, exportable configs |
| Advanced Routing | Excellent - BGP, OSPF, MPLS |
| Firewall | Improving, now competitive |
| DNS Server | Built-in |
| Learning Curve | Moderate - unique syntax |
| Community | Large, active forums |
Best For: Balance of IaC capability with usability, budget-conscious.
### 3. OPNsense (Current)
Overview: FreeBSD-based firewall/router with security focus.
| Attribute | Assessment |
|---|---|
| License | Open source (BSD) |
| Interface | Full web GUI |
| Resources | Moderate (~2GB RAM) |
| IaC Support | Limited - API available, XML config export |
| Advanced Routing | Basic - static routes, simple BGP via plugin |
| Firewall | Superior - Suricata IDS/IPS, deep packet inspection |
| DNS Server | Built-in Unbound (excellent) |
| Learning Curve | Gentle - GUI-driven |
| Community | Large homelab community |
Best For: Security-focused deployments, homelabs prioritizing ease of management.
## Feature Comparison

### Feature Matrix
| Feature | OPNsense | VyOS | MikroTik CHR |
|---|---|---|---|
| Web GUI | Yes | No | Yes (WinBox) |
| CLI Configuration | Yes | Yes (primary) | Yes |
| REST API | Yes | Yes | Yes |
| Git-friendly Configs | Partial | Excellent | Good |
| Unbound DNS | Built-in | Manual | Built-in |
| WireGuard | GUI-based | CLI | GUI + CLI |
| IDS/IPS (Suricata) | Built-in | No | No |
| BGP/OSPF | Plugin | Native (excellent) | Native |
| VLAN Support | Yes | Yes | Yes |
| HA/CARP | Yes | Yes | Yes |
| Plugin Ecosystem | Extensive | None | RouterOS packages |
| Resource Usage | ~2GB RAM | ~512MB RAM | ~256MB RAM |
### Homelab Use Case Fit
| Use Case | Best Option |
|---|---|
| General homelab router/firewall | OPNsense |
| Infrastructure-as-Code priority | VyOS or MikroTik |
| Enterprise routing lab (BGP/OSPF) | VyOS |
| Budget with IaC needs | MikroTik CHR |
| Security/IDS focus | OPNsense |
| Minimal CLI experience | OPNsense |
## Migration Effort Analysis

### Migration Scope (OPNsense → VyOS)
| Component | Effort | Notes |
|---|---|---|
| DHCP Configuration | Low | Simple CLI translation |
| Static Routes | Low | Direct mapping |
| NAT Rules | Medium | Different syntax |
| Firewall Rules | Medium | Logic similar, syntax different |
| WireGuard Tunnel | Medium | CLI config, peer migration |
| DNS (Unbound) | High | Manual recreation of all host overrides |
| DNS Split-Horizon | High | Critical - must work perfectly for K8s |
| Monitoring Integration | Medium | New exporters needed |
### Estimated Total Effort
| Phase | Duration |
|---|---|
| Learning VyOS CLI | 4-8 hours |
| Lab environment setup | 2-4 hours |
| Configuration translation | 4-8 hours |
| Testing in isolation | 4-8 hours |
| Cutover preparation | 2-4 hours |
| Cutover execution | 1-2 hours |
| Post-cutover validation | 2-4 hours |
| Troubleshooting buffer | 4-8 hours |
| Total | 23-46 hours |
### What You Gain
- Text-based configs that version-control cleanly
- Ansible/Terraform automation potential
- Lighter resource footprint
- Enterprise routing protocol experience
### What You Lose
- Web GUI for quick changes
- Built-in Unbound with easy host override management
- Suricata IDS/IPS integration
- Plugin ecosystem (HAProxy, Nginx, etc.)
- Larger community support for homelab scenarios
## Risk Assessment

### High Risk: DNS Cutover
Scenario: Misconfigured DNS during migration.
Impact:
- K8s CoreDNS cannot resolve *.bogocat.com or .internal zones
- All K8s applications become unreachable
- Authentik SSO breaks (auth.bogocat.com unreachable)
- Cascading failures across homelab
Mitigation:
1. Extensive testing in isolated environment
2. Document exact DNS entries before migration
3. Have rollback procedure ready (restore OPNsense)
4. Schedule during low-usage window
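Mitigation steps 1 and 2 above (and the post-cutover validation phase) need a repeatable check of the host overrides described under Critical Integration. This is an added example, not part of the evaluation: a standard-library Python script that queries one resolver directly, bypassing the host's own DNS settings, and diffs its answers against a recorded snapshot. The name `auth.bogocat.com` and the ingress VIP 10.89.97.220 come from this page; the snapshot dict and the embedded reply bytes are constructed.

```python
# Added example (not from the evaluation): query one resolver directly for the
# K8s host overrides and diff its answers against a pre-migration snapshot.
import socket
import struct

def build_query(name, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN

def _skip_name(buf, off):
    while True:                       # walk labels until the root or a pointer
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_a_records(resp):
    """Addresses of every A record in the answer section ([] on error RCODE)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:                # NXDOMAIN/SERVFAIL etc.: nothing usable
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def resolve(name, server, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:   # UDP/53 to `server`
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recvfrom(512)[0])

def diff_snapshot(expected, answers):   # {name: (expected_ip, got)} where answers differ
    return {n: (ip, answers.get(n, [])) for n, ip in expected.items()
            if answers.get(n, []) != [ip]}

SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # constructed reply:
                   + b"\x04auth\x07bogocat\x03com\x00\x00\x01\x00\x01"     # auth.bogocat.com
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"   # A IN ttl=60 len=4
                   + bytes([10, 89, 97, 220]))                              # 10.89.97.220
```

Capture the snapshot with `{n: resolve(n, "10.89.97.1") for n in names}` before cutover, re-run against the new router afterwards, and treat anything but an empty dict from `diff_snapshot` as a blocker for switching CoreDNS.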
### Medium Risk: WireGuard Tunnel
Scenario: VPS tunnel breaks during migration.
Impact:
- External access to all *.bogocat.com services lost
- Cannot SSH to VPS from homelab
Mitigation:
1. Keep VPS accessible via Hetzner console
2. Pre-configure VyOS WireGuard before cutover
3. Test tunnel connectivity before switching DNS
### Medium Risk: Learning Curve
Scenario: Unfamiliar CLI leads to misconfigurations.
Impact:
- Extended downtime during troubleshooting
- Potential security gaps from incomplete firewall rules

Mitigation:
1. Complete VyOS training before attempting migration
2. Use lab VM for all practice
3. Document every configuration decision
### Low Risk: Resource Constraints
VyOS uses fewer resources than OPNsense - not a concern.
## Recommendation

### Decision: Do Not Migrate
Rationale:
- No compelling driver: OPNsense handles current requirements effectively
- High risk, low reward: DNS integration complexity creates significant migration risk
- Better alternatives exist: If IaC is desired, MikroTik CHR offers better balance
- Opportunity cost: Migration effort better spent on higher-value roadmap items
### If IaC Becomes a Priority

Consider MikroTik CHR instead of VyOS:
- Provides API and scriptable configuration
- Maintains GUI for emergency troubleshooting
- Built-in DNS server simplifies migration
- Lower learning curve than VyOS
- Free tier sufficient for homelab testing
### If Enterprise Routing Learning Is the Goal

VyOS in a lab VM (not production):
- Create isolated VM for VyOS experimentation
- Practice BGP/OSPF configurations
- Keep OPNsense as production router
- Graduate to production only after extensive practice
## Roadmap Placement

### Current Status: Not Planned
This evaluation recommends against adding router migration to the active roadmap.
### If Added (Backlog Only)
### ⚪ Backlog
- [ ] **Router OS Migration (VyOS/MikroTik)**
- **Prerequisite:** Complete VLAN segmentation first (reduces blast radius)
- **Lab Phase:** Test VyOS/MikroTik in isolated VM
- **Documentation:** Full DNS, WireGuard, firewall migration plan
- **Risk Level:** High (DNS failure impacts entire homelab)
- **Effort:** 25-50 hours total
- **ROI:** Low unless IaC is critical requirement
### Higher Priority Networking Items
The roadmap already contains more valuable networking improvements:
- VLANs for Network Segmentation - Reduces blast radius of any future changes
- Network Monitoring (Prometheus exporters) - Works with any router OS
- WireGuard/Tailscale VPN for Remote Access - Improves access regardless of router
These should be completed before considering router migration.
## References

### External Sources
- VyOS vs OPNsense Comparison - Tolu Michael
- VyOS vs OPNsense - Atomic Networks
- Why I Use VyOS - Cyber Farm
- VyOS for Home - SNBForums
- OPNsense vs MikroTik - Simple IT
- Best Homelab Networking Ecosystem - Virtualization HowTo
### Internal Documentation
- Network Infrastructure
- CoreDNS Split-Horizon DNS
- CoreDNS .internal Zone Forwarding
- VPS Reverse Proxy
- Tower Fleet Roadmap
- **Document Author:** Infrastructure Team
- **Review Date:** 2025-12-16
- **Next Review:** On-demand (if requirements change)