September 28, 2022

VyOS 1.4 installation on Hunsn 4 port I225 ethernet interfaces

Updated
Fri Oct 14 16:31:54 EDT 2022

Started years ago with Ubiquiti EdgeRouters and did pretty well with them. Ignored the GUI and used the command line and the config.boot file. Wanted an "upgrade," so installed a full UniFi system.

Ran UniFi USG for 3 or 4 years. Every time the user interface got prettier, it seemed something was removed from the router functionality. The side-load of config.gateway.json worked, but more and more had to be put into it. The last straw was the removal of the configure command functionality used to test the commands included in the side-load.

Ran pfSense Community Edition for a couple of weeks. Had lots of options, but had to figure out the tricks of the GUI to make the low-level configuration files such as radvd.conf and dhcpc6.conf work.

Currently installing VyOS (sagitta 1.4) on Hunsn J4125-4L-I225 hardware. It works, and it's not complicated by a GUI. The command line works, and the low-level files can be observed immediately after the commit. So far so good. Someone said VyOS is a router with some firewall capability and pfSense is a firewall with some router capability. That seems to be a good assessment.

Here are some notes that might help solve some problems.

Unknowns

  • Whether the AES-NI capabilities of the Hunsn's J4125 are actually being used by the IPsec tunnels.
  • How to configure offloading. The current state can be seen with show interfaces ethernet eth0 physical offload, but that op-mode command does not change it.
  • How to be happy with WAN load balancing.
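The commands below are added here as an example of how the first two unknowns can be checked on a VyOS 1.4 box; they are not from the original notes. Assumptions: the WAN port is eth0, and the offload feature names (gro, gso, sg, tso) are the ones VyOS 1.3/1.4 exposes under set interfaces ethernet <name> offload; which of them the I225 driver accepts has to be confirmed with tab completion and the show command.

```vyos
# Op mode (the VyOS shell is bash, so plain commands work here).
# 1. Does the CPU advertise AES-NI?  Prints "aes" if the flag is present.
grep -m1 -ow aes /proc/cpuinfo

# 2. Is the kernel's AES-NI driver registered?  A non-zero count means the
#    aesni_intel module has registered its ciphers with the crypto API, and
#    ESP is encrypted by the kernel (XFRM), not by strongSwan in user space.
grep -c aesni_intel /proc/crypto
lsmod | grep aesni_intel

# 3. Current offload state of the first I225 port.
show interfaces ethernet eth0 physical offload

# Configure mode: enable the common offloads explicitly
# (assumed feature names; use tab completion to see what this build offers).
configure
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
commit
save
exit

# Confirm that the driver actually took the settings.
show interfaces ethernet eth0 physical offload
```

If step 2 shows the aesni_intel driver, the IPsec ESP traffic is already using AES-NI, because strongSwan hands the installed SAs to the Linux kernel and the kernel picks the fastest registered AES implementation; IKE itself still runs in the strongSwan daemon and uses OpenSSL's own AES-NI path.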

DHCPv6

  • isc-dhcp-relay6.service frequently dies

Dynamic DNS

  • Multiple instances are possible. The service "name" can be any text; it does not have to be one of the listed services such as dyndns.
  • Only one instance of use-web is possible. Don't set use-web when the address should be read directly from the interface; use-web fetches the address from a web page instead.
  • The interface in the command completion is the interface whose IP address is desired in the dynamic DNS record.
  • set service dns dynamic generates a config file at /run/ddclient/ddclient.conf on commit.
  • Note: the ddclient daemon is capable of setting an IPv6 address. The option set service dns dynamic interface ethx ipv6-enable reads the first IPv6 address from the interface. However, this prevents IPv4 updates on that interface: it's 4 or 6, not both. Had the IPv6 patch been made at the service level instead of the interface level, both IPv4 and IPv6 updates could have been accommodated.
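As an added example (not from the original notes), the configuration below registers two host names from one WAN interface using the interface-level syntax of VyOS 1.4 as it was in late 2022. The interface eth0, the service labels home and lab, the dyndns2 endpoint, and the example.com names and credentials are all assumptions.

```vyos
configure

# Two instances on the same interface.  "home" and "lab" are arbitrary labels,
# not provider names; the provider is selected by protocol/server.
set service dns dynamic interface eth0 service home protocol dyndns2
set service dns dynamic interface eth0 service home server members.dyndns.org
set service dns dynamic interface eth0 service home host-name home.example.com
set service dns dynamic interface eth0 service home login exampleuser
set service dns dynamic interface eth0 service home password 'ExamplePassword'

set service dns dynamic interface eth0 service lab protocol dyndns2
set service dns dynamic interface eth0 service lab server members.dyndns.org
set service dns dynamic interface eth0 service lab host-name lab.example.com
set service dns dynamic interface eth0 service lab login exampleuser
set service dns dynamic interface eth0 service lab password 'ExamplePassword'

# Deliberately absent:
#   set service dns dynamic interface eth0 use-web ...
#     would make ddclient read the address from a web page instead of eth0
#     (only one use-web per interface is possible anyway).
#   set service dns dynamic interface eth0 ipv6-enable
#     would switch every service on eth0 to the interface's first IPv6
#     address and stop the IPv4 updates above.

commit
save
exit

# The generated daemon configuration can be checked immediately after commit.
sudo cat /run/ddclient/ddclient.conf
```

Because the interface selects the address for every service under it, an IPv4 A record and an IPv6 AAAA record for the same host cannot be kept current from a single interface stanza with this syntax.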

IPsec VPN Tunnels

  • Do not use multiple proposals in the esp-group or the ike-group.
  • It's best to dedicate an ike-group and an esp-group to each tunnel. Otherwise the tunnels may come up, but one vti interface will drop after a while.
  • Multiple proposals appear valid in VyOS and in the resulting /etc/swanctl/swanctl.conf file, but the tunnel will not be reliable.
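The following is an added example, not configuration from the original notes, showing the fragile pattern the three points above warn about next to the pattern that follows them: one proposal per group and a dedicated ike-group/esp-group per tunnel. It uses the VyOS 1.4 syntax of late 2022 (set vpn ipsec interface, site-to-site peer <address>); the addresses, group names, PSKs, vti numbering and the remote prefixes are assumptions.

```vyos
configure

# --- Fragile: two proposals in one group, and the group shared by both peers.
# VyOS accepts this and both proposals appear in /etc/swanctl/swanctl.conf,
# but one of the vti interfaces drops after a while.
# set vpn ipsec ike-group IKE-SHARED proposal 1 encryption aes256
# set vpn ipsec ike-group IKE-SHARED proposal 1 hash sha256
# set vpn ipsec ike-group IKE-SHARED proposal 1 dh-group 14
# set vpn ipsec ike-group IKE-SHARED proposal 2 encryption aes128
# set vpn ipsec ike-group IKE-SHARED proposal 2 hash sha1
# set vpn ipsec ike-group IKE-SHARED proposal 2 dh-group 14
# set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-SHARED
# set vpn ipsec site-to-site peer 203.0.113.3 ike-group IKE-SHARED

# --- Reliable: exactly one proposal per group, one group pair per tunnel,
# even when the two tunnels use identical parameters.
set vpn ipsec interface eth0

# Tunnel A
set vpn ipsec ike-group IKE-A key-exchange ikev2
set vpn ipsec ike-group IKE-A lifetime 28800
set vpn ipsec ike-group IKE-A proposal 1 encryption aes256
set vpn ipsec ike-group IKE-A proposal 1 hash sha256
set vpn ipsec ike-group IKE-A proposal 1 dh-group 14
set vpn ipsec esp-group ESP-A lifetime 3600
set vpn ipsec esp-group ESP-A pfs dh-group14
set vpn ipsec esp-group ESP-A proposal 1 encryption aes256
set vpn ipsec esp-group ESP-A proposal 1 hash sha256
set interfaces vti vti0 address 10.255.0.1/30
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret 'ExamplePskForA'
set vpn ipsec site-to-site peer 203.0.113.2 ike-group IKE-A
set vpn ipsec site-to-site peer 203.0.113.2 local-address 198.51.100.1
set vpn ipsec site-to-site peer 203.0.113.2 vti bind vti0
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group ESP-A
set protocols static route 10.20.0.0/16 interface vti0

# Tunnel B: its own groups, even though they are configured the same way
set vpn ipsec ike-group IKE-B key-exchange ikev2
set vpn ipsec ike-group IKE-B lifetime 28800
set vpn ipsec ike-group IKE-B proposal 1 encryption aes256
set vpn ipsec ike-group IKE-B proposal 1 hash sha256
set vpn ipsec ike-group IKE-B proposal 1 dh-group 14
set vpn ipsec esp-group ESP-B lifetime 3600
set vpn ipsec esp-group ESP-B pfs dh-group14
set vpn ipsec esp-group ESP-B proposal 1 encryption aes256
set vpn ipsec esp-group ESP-B proposal 1 hash sha256
set interfaces vti vti1 address 10.255.0.5/30
set vpn ipsec site-to-site peer 203.0.113.3 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.3 authentication pre-shared-secret 'ExamplePskForB'
set vpn ipsec site-to-site peer 203.0.113.3 ike-group IKE-B
set vpn ipsec site-to-site peer 203.0.113.3 local-address 198.51.100.1
set vpn ipsec site-to-site peer 203.0.113.3 vti bind vti1
set vpn ipsec site-to-site peer 203.0.113.3 vti esp-group ESP-B
set protocols static route 10.30.0.0/16 interface vti1

commit
save
exit

# Check what strongSwan was actually given, and that both SAs stay up.
sudo cat /etc/swanctl/swanctl.conf
show vpn ipsec sa
```

A single proposal per group also removes any downgrade surface: the peer can only negotiate the one AES-256/SHA-256/group-14 combination that was intended, instead of the weakest entry in a list.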

Load Balancing Failover

ssh

  • The (odd) way to load public ssh keys starts with an op-mode command that produces configuration commands, which are then copied and pasted into configure mode.
  • From op-mode: generate public-key-command user vyos path <public_key_filename>
  • SSH Operation
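An added example of the whole round trip (not from the original notes): a key file is turned into configuration commands in op mode, pasted into configure mode, and password logins are then switched off. The key file path, the comment alice@laptop used as the key identifier, and the placeholder <key-data> are constructed for the example; the set service ssh disable-password-authentication option is the one VyOS 1.3/1.4 provides.

```vyos
# Constructed example: /home/vyos/laptop.pub was copied to the router first and
# contains one OpenSSH public-key line
#   ssh-ed25519 <key-data> alice@laptop

# Op mode: turn the key file into configuration commands
generate public-key-command user vyos path /home/vyos/laptop.pub

# Op-mode output (the key's comment becomes the public-keys identifier):
#   set system login user vyos authentication public-keys alice@laptop key '<key-data>'
#   set system login user vyos authentication public-keys alice@laptop type 'ssh-ed25519'

# Configure mode: paste the two generated lines, then lock ssh down to keys only
configure
set system login user vyos authentication public-keys alice@laptop key '<key-data>'
set system login user vyos authentication public-keys alice@laptop type 'ssh-ed25519'
set service ssh disable-password-authentication
commit
save
exit

# Verify from another host before closing the existing session:
#   ssh -i ~/.ssh/id_ed25519 -o PasswordAuthentication=no vyos@<router-address>
```

Keep the session that ran the commit open until the key login from a second session has been confirmed; the commit takes effect immediately and a bad paste would otherwise leave the router reachable only from the console.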

References:
