VyOS Platform Blog

Building an open source network OS for the people, together.

VyOS Project May 2020 Update

Posted 26 May, 2020 by Yuriy Andamasov

As usual, May was a busy month for VyOS. Originally we had planned a soft freeze of the 1.3 branch for early May, but it didn't work out as planned: in reality May brought us a lot of new features from both community contributors and maintainers. However, it also brought a lot of fixes, refactoring, and polish, so we are actually closer to the stable 1.3 release than before.

Before we start talking about development, a few non-tech topics...

VyOS Certifications

We are happy to tell you that the certification exam is now automated. First of all, there is no need to fill in the waitlist form anymore; you can just register on the website!

The first twelve people already passed the exam successfully and received their VCNE badges.

The queue that formed during the waitlist period may seem to move slowly, but that's because people tend to schedule their exam sessions well in advance so that they have time to prepare (and rightly so: the exam isn't easy!). Thus the relatively small number of already certified people doesn't mean you'll have to wait long for a slot. If you feel ready, you can easily get a session scheduled within a week.

VyOS Foundation

Some time ago we announced that we are starting the VyOS Foundation and are collecting membership applications. We are glad to tell you that we already have a group of companies ready to join the effort, and the initial meetings where we will discuss the next steps will take place in early June.

VyOS images for labs and geeks

Just a reminder for all community members who want to support the project but don't have enough time to contribute as described here, and for those who simply run self-training labs for VMware NSX or other complex solutions that require advanced networking.

You can now support the VyOS project and get access to prebuilt images; check the details here.

Now to the development news...

Multicast is here

IP multicast was supposed to be the next big thing, but in practice it remains a rather niche technology that few applications support. However, it's also a frequently requested feature, and for some users, notably in the stock exchange and IPTV fields, the lack of it is a real blocker.

We've had IGMP proxy for a while, which does the trick for IPTV clients, but beyond that something still has to do the actual multicast routing.

We are starting with PIM-SM and configurable IGMP settings. pimd has existed as a Quagga add-on for a while and we experimented with it in the past, but at the time we left it for later. In FRRouting it's an integrated part, and now there's a CLI for it in the rolling release.

The new commands are not documented yet, but you can browse them with tab completion under "protocols igmp" and "protocols pim".

New NAT implementation

Firewall and NAT remained more or less unchanged for a long while. That's for two reasons: first, the Netfilter/iptables subsystem itself didn't change much, so the code didn't break; second, it's a lot of code to rewrite, so we had been saving it for later. There were long-standing issues such as the lack of support for groups in NAT, but since nftables was "on the horizon", we thought it better to make the switch to nftables and move the code to XML interface definitions and Python at the same time.

Now nftables is fully functional and in many regards already better than iptables, but the code had to be completely rewritten to support it. From the user's perspective the syntax remains the same, so you should be able to take advantage of it without re-learning anything: existing NAT configurations should load unchanged, and what needs checking is that the resulting translations behave as before.

In the latest rolling release you will find the new implementation, and it needs your testing!

MACsec support

Thanks to Rammon Semekrot for the idea and Christian Poessinger for the patch, VyOS now supports IEEE 802.1AE MACsec. It works together with 802.1X, which handles the key agreement (MKA), and provides connectionless, authenticated, and encrypted communication over Ethernet. It's a great way to secure your L2 links, keeping in mind that it protects a single Ethernet hop rather than traffic end to end.

HTTP API

The HTTP API server is now based on the Flask framework instead of Bottle, and it has seen some refactoring (thanks to John Estabrook).

DHCP-PD and other IPv6 improvements

A DHCPv6 prefix delegation (DHCP-PD) client has been one of the most frequently requested features. The sad part is that implementing it alone isn't going to magically solve the IPv6 problem for many people, because many ISPs are outright hostile to customers running their own networks and impose frequent, possibly daily, prefix changes.

Still, implementing it is a start. It's here now, and if your ISP offers prefix delegation, you can give it a try. Thanks to Christian Poessinger for working on it!

Example for PPPoE:

interfaces {
    pppoe pppoe0 {
        authentication {
            password vyos
            user vyos
        }
        dhcpv6-options {
            prefix-delegation {
                interface eth1 {
                    address 1
                    sla-id 0
                    sla-len 8
                }
            }
        }
        ipv6 {
            address {
                autoconf
            }
            enable
        }
        source-interface eth1
    }
}

It also works for Ethernet interfaces, with the same "dhcpv6-options" subtree.
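To make the meaning of the sla-id, sla-len and address options concrete, here is an added Python example (not VyOS project code, and not from the original post) that resolves which address an interface ends up with for a given delegated prefix. It goes a bit beyond the single interface above by planning several interfaces at once and flagging overlapping subnets. It assumes the usual SLA layout: the delegated prefix is extended by sla-len bits that hold sla-id, and address becomes the 64-bit interface identifier. The prefixes, the second interface eth2 and the ASSIGNMENTS table are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Per-interface settings, mirroring the "prefix-delegation interface ..." subtree.
IfaceSettings = Dict[str, int]  # keys: sla_id, sla_len, address


def delegated_interface_address(delegated_prefix: str, sla_id: int, sla_len: int,
                                address: int) -> ipaddress.IPv6Interface:
    """Resolve the address a LAN interface receives from a delegated prefix.

    delegated_prefix: the prefix the ISP hands out via DHCPv6-PD, e.g. "2001:db8:1234::/56"
    sla_len:          number of bits after the delegated prefix that select the subnet
    sla_id:           value written into those bits ("sla-id" in the VyOS CLI)
    address:          interface identifier of the router on that subnet ("address" in the CLI)
    """
    # A delegation is a prefix, not an address: mask off any stray host bits.
    pd = ipaddress.IPv6Network(delegated_prefix, strict=False)
    subnet_len = pd.prefixlen + sla_len
    # SLAAC on the LAN side needs a /64, so delegated length plus sla-len must be exactly 64.
    if subnet_len != 64:
        raise ValueError(f"/{pd.prefixlen} plus sla-len {sla_len} gives a /{subnet_len}, "
                         "but the LAN subnet must be a /64")
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in sla-len {sla_len} bits")
    if not 0 <= address < (1 << 64):
        raise ValueError("address must fit in a 64-bit interface identifier")
    # Subnet bits sit directly below the delegated prefix; the interface id fills the low 64 bits.
    subnet = int(pd.network_address) | (sla_id << (128 - subnet_len))
    return ipaddress.IPv6Interface((subnet | address, subnet_len))


def config_error(delegated_prefix: str, sla_id: int, sla_len: int,
                 address: int) -> Optional[str]:
    """Return the validation error for one interface's settings, or None if they resolve."""
    try:
        delegated_interface_address(delegated_prefix, sla_id, sla_len, address)
    except ValueError as exc:
        return str(exc)
    return None


def plan_addresses(delegated_prefix: str,
                   assignments: Dict[str, IfaceSettings]) -> Dict[str, ipaddress.IPv6Interface]:
    """Resolve every interface's address for one delegated prefix."""
    return {name: delegated_interface_address(delegated_prefix, **settings)
            for name, settings in assignments.items()}


def overlapping_interfaces(plan: Dict[str, ipaddress.IPv6Interface]) -> List[Tuple[str, str]]:
    """Pairs of interfaces whose resolved subnets overlap (usually a duplicated sla-id)."""
    names = sorted(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a].network.overlaps(plan[b].network)]


# Constructed example: eth1 uses the values from the config above; eth2 is hypothetical
# and shows how a second LAN gets its own subnet by changing only sla-id.
ASSIGNMENTS: Dict[str, IfaceSettings] = {
    "eth1": {"sla_id": 0, "sla_len": 8, "address": 1},
    "eth2": {"sla_id": 1, "sla_len": 8, "address": 1},
}

if __name__ == "__main__":
    # Same configuration, two delegations: the ISP renumbering changes every LAN address.
    for prefix in ("2001:db8:1234::/56", "2001:db8:abcd:ff00::/56"):
        plan = plan_addresses(prefix, ASSIGNMENTS)
        print(f"delegated {prefix}:")
        for name, iface in plan.items():
            print(f"  {name}: {iface}")
        if overlapping_interfaces(plan):
            print("  overlapping subnets:", overlapping_interfaces(plan))
    # A /60 with sla-len 8 cannot produce a /64 LAN subnet.
    print(config_error("2001:db8:1234::/60", 0, 8, 1))
```

Running it with two different delegated prefixes shows the point about ISPs renumbering made above: the interface addresses change with the prefix, so firewall rules or DNS records that hard-code the resulting addresses break on every change. The stable parts of the configuration are the sla-id and address values, not the addresses they resolve to.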

Another improvement in the IPv6 area is the correct behavior of the SLAAC client on all interfaces. The rewritten interface scripts got that part somewhat wrong, so "ipv6 address autoconf" and "address dhcpv6" didn't work as expected due to missing sysctl flags. Thanks to Jernej Jakob for fixing it!

On the PPPoE server side, SLAAC is now enabled as well if you set up an IPv6 address pool.

Bug fixes and other enhancements 

The “source-ip” option in NetFlow works again (T2456).

The bug with VTI interfaces occasionally going down forever and not getting back up was tracked down and fixed by Taras Pudiak.

Thanks to Thomas Mangin, commit errors are more descriptive, and debug logs are better too.

Thanks to Jernej Jakob, "address", "bridge-group", and "vrf" are mutually exclusive for all interfaces, and combining them now causes a descriptive error.

The traceroute command is now VRF-aware and you can run “traceroute vrf MyVRF …”.

Internal versioning string

The version string you see at the bottom of config files, which migration scripts use to check whether a syntax migration is needed, now uses a new format. Historically, the VyOS config used /* */ syntax both for comments created with the "comment" command (which are a proper part of the config file) and for that version string.

Now lines that are meant to be ignored by the config parser start with // instead, so they can no longer be confused with user comments.
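As an added illustration (not VyOS code, and not from the original post) of why the switch matters for tooling that reads config files, the Python below separates the lines the parser keeps from the // lines it ignores, extracts the component version string from either the legacy /* */ form or the new // form, and lists the components whose on-disk version is behind what the running system expects. The exact text of the version lines ("vyatta-config-version" inside /* === ... === */, "vyos-config-version" after //) and both sample file tails are my assumptions, constructed here for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a config file tail in the legacy style, where the version
# string and a user comment both use /* */ and look alike to the parser.
LEGACY_TAIL = """\
system {
    host-name vyos
    /* Managed by the network team */
}

/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "dhcp-server@5:nat@4:ssh@1" === */
/* Release version: 1.2.5 */
"""

# Constructed sample in the new style: parser-ignored metadata starts with //,
# while the user comment keeps its /* */ form and stays part of the config.
NEW_TAIL = """\
system {
    host-name vyos
    /* Managed by the network team */
}

// Warning: Do not remove the following line.
// vyos-config-version: "dhcp-server@5:nat@5:ssh@1"
// Release version: 1.3-rolling-202005260117
"""

# Assumed line formats for the two styles (illustrative, not taken from the post).
LEGACY_VERSION_RE = re.compile(r'^/\*\s*===\s*vyatta-config-version:\s*"([^"]*)"\s*===\s*\*/\s*$')
NEW_VERSION_RE = re.compile(r'^//\s*vyos-config-version:\s*"([^"]*)"\s*$')


def split_config(text: str) -> Tuple[List[str], List[str]]:
    """Return (lines the parser keeps, // metadata lines it ignores)."""
    kept, ignored = [], []
    for line in text.splitlines():
        (ignored if line.lstrip().startswith("//") else kept).append(line)
    return kept, ignored


def parse_version_string(version_string: str) -> Dict[str, int]:
    """Turn 'component@N:component@M' into {component: N, ...}, rejecting malformed items."""
    versions: Dict[str, int] = {}
    for item in version_string.split(":"):
        name, _, ver = item.rpartition("@")
        if not name or not ver.isdigit():
            raise ValueError(f"malformed component version: {item!r}")
        versions[name] = int(ver)
    return versions


def extract_versions(text: str) -> Dict[str, int]:
    """Find the version string in either the legacy /* */ or the new // form and parse it."""
    for line in text.splitlines():
        match = NEW_VERSION_RE.match(line) or LEGACY_VERSION_RE.match(line)
        if match:
            return parse_version_string(match.group(1))
    raise ValueError("no config version string found")


def components_needing_migration(file_versions: Dict[str, int],
                                 system_versions: Dict[str, int]) -> List[str]:
    """Components whose on-disk version is behind the system's; absent ones count as 0."""
    return sorted(name for name, current in system_versions.items()
                  if file_versions.get(name, 0) < current)


if __name__ == "__main__":
    on_disk = extract_versions(LEGACY_TAIL)
    system = extract_versions(NEW_TAIL)
    print("file:", on_disk)
    print("system:", system)
    print("needs migration:", components_needing_migration(on_disk, system))
    print("ignored by parser (new style):", split_config(NEW_TAIL)[1])
```

Note that split_config finds nothing to ignore in the legacy tail: with the old format the parser had no syntactic way to tell the version string apart from a comment the user added, which is exactly what the new // prefix fixes.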

Last but not least

More updates are coming soon: a partner program announcement, official support for several additional platforms, and more.

If you are using VyOS in production, please share your experience with the community and leave a review on Trustpilot, DistroWatch, or AlternativeTo, or leave a review for VyOS on AWS or Azure if you are running it there.

Thanks to all of you who work with us on VyOS!  
