VyOS Stream 2025.11 is available for download
Hello, Community!
VyOS Stream 2025.11 and its corresponding source tarball are now available for download. You can find them at the end of this post. This is the third VyOS Stream release on the way to the upcoming 1.5/Circinus LTS release and includes many of its features for you to test — most notably, a VPP-based accelerated dataplane.
Highlights
Versioning scheme update
Previously, we called our VyOS Stream releases after the LTS release line they are from and the quarter of the year when they were released: 1.5-Q1, 1.5-Q2, etc. That scheme has two problems, though.
First, it assumes that we have already decided upon the next LTS version number. That was the case for 1.5 when we decided to introduce VyOS Stream, but that may not be the case in the future — there's no decision yet whether the next release will be called VyOS 1.6 or something else, for example VyOS 2.0.
Second, it assumes there can be only one VyOS Stream release per quarter and that its development never takes longer than a quarter. This time it took longer: we decided to hold the image back due to stability issues, and now it's 2025 Q4 already. We may want to make a new VyOS Stream in December as well, and calling this one 1.5-Q4 would make that impossible, unless we were willing to use an awkward version like 1.5-Q4-2.
Now VyOS Stream images are named after the year and the month when they were released — this one is 2025.11, and if we release one in December as well, it will be 2025.12. Next year, we'll be building VyOS Stream from the branch that will eventually become the next LTS release after 1.5, but the versioning scheme for Stream images will remain uniform.
VPP
As we promised in an earlier post, an accelerated dataplane based on VPP is now available in VyOS Stream on the way to the stable 1.5 release. It's been available in rolling release images for a while, but we spent a lot of time fixing bugs and stabilizing it to prepare it for inclusion in an upcoming LTS version. Feel free to consult its documentation, test it in your environment, and let us know if you see any issues.
As a bonus, the source code of the VPP configuration subsystem is now a proper part of the mainline vyos-1x repository rather than a separate package.
Fastnetmon removal
Earlier versions of VyOS used to include Fastnetmon as a DDoS detection tool. It's been deprecated for a while and already removed from rolling release images — the main reason is that it was never deeply integrated into the system, and most new features aren't available in the open-source version that we can distribute.
It has also been removed from VyOS Stream to signify that it will not be available in VyOS 1.5 either.
New NetFlow implementation
Previous VyOS versions used pmacct for the NetFlow sensor implementation. Unfortunately, its performance is insufficient for modern networks, and many people kept asking for a more performant implementation: it was literally one of the oldest open tasks we had, with a two-digit number (T75). Many users even took the issue into their own hands and started installing ipt-netflow, a kernel-mode implementation, on their VyOS routers.
Now ipt-netflow is the officially built-in implementation, and its performance is literally orders of magnitude better. The good thing is that the CLI remains the same, so your NetFlow setup will continue working as before, just much faster. Only a few obscure options were removed, and we have a migration script that automatically removes them from configs on upgrade. Since they were specific to pmacct and not applicable to ipt-netflow, that should have no impact on your system's operation.
Firewall group support in WAN load balancing
There is another long-standing feature request that has now been fulfilled — support for matching firewall groups in WAN load balancing rules (T114). We had to completely rewrite both the firewall subsystem and WAN load balancing to solve deep design problems in the implementation we inherited from Vyatta, but now the CLI is there, and for the user it's trivial. For example:
set load-balancing wan rule 10 source group network-group SomeGroup
You can match all available group types in those rules, including port, address, network, and domain groups.
Changelog
Security
- Include microcode update packages for both Intel and AMD64 CPUs (T6322).
Configuration syntax changes (automatically migrated)
- Update dynamic dns configuration path to be consistent with other areas of VyOS (T5791).
- Remove Fastnetmon from the image (T7241).
- Move "vpp settings host-resources" to "system option host-resources" (T7678).
New features and improvements
- Allow wan load-balancing rules to match against groups (T114).
- Support BGP prefix origin validation state extended community as per RFC 8097 (T1124).
- Migrate SSH fingerprints to the new image on upgrade (T5455).
- Add support for RPKI source IP (T5810).
- Failover route using DHCP provided gateway (T5942).
- Add BGP solo option for peer groups (T6438).
- VPP add sFlow plugin (T7175).
- Macvlan support for podman containers (T7186).
- Add "show log conntrack" op command (T7370).
- Make the raw image build more robust (T7453).
- Add description to vlan-to-vni mappings (T7468).
- Add the option "timeout" for DPD in IKEv2 (T7504).
- Add reset ip bgp all soft in out (T7516).
- Move "clear connection" to "reset connection" (T7540).
- VRRP plugin for VPP (T7577).
- SRv6 uSID IS-IS capability (T7639).
- Add user-defined MAC address to dummy interfaces (T7686).
- Add op-mode for VLAN-to-VNI mapping (T7687).
Bug fixes
- BGP large-community-list regex validation is incomplete (T5069).
- MSS clamping not applied to VRF interface from MPLS cloud (T5797).
- Static dhcp-interface routes not installed (T5811).
- "show dhcp server" leases not showing all leases (T5992).
- ISIS advertise-passive-only does not install route in the RIB (T6516).
- Unexpected error when restarting containers via native Podman command (T6673).
- Unlimited _noteworthy in vyos.airbag causes memory leak (T6704).
- Commit command does not validate its arguments (T6769).
- Operational mode command "show bridge vni" is broken (T6770).
- QoS match filter by interface doesn't work (T6796).
- Ruleset information for ipv6 firewall "prerouting raw" shows wrong default action (T6857).
- FRR zebra: Kernel routes are not updated properly (T6962).
- VPP CPU workers should be calculated and verified (T7066).
- VPP CPU corelist-workers should be calculated and verified (T7067).
- VPP unix poll-sleep-usec should be verified and fixed for correct range of values (T7068).
- VPP CPU main-core should be verified (T7069).
- VPP CPU inverted range of corelist-workers has to be verified and not applied (T7071).
- VPP CPU skip-cores should be verified (T7072).
- VPP buffers page size should be verified (T7073).
- VPP interface mode interrupt or polling does not work (T7074).
- VPP xdp-options should check the driver before applying (T7075).
- VPP verify and calculate memory default-hugepage-size (T7077).
- VPP verify memory main-heap-page-size allocation (T7079).
- VPP statseg page-size verify (T7080).
- Firewall default action drop fails (T7112).
- VPP sometimes a recursive error may occur (T7117).
- VyOS cloud init fails with "No such file or directory: /opt/vyatta/etc/config.boot.default" (T7206).
- ACME certificate updates fail due to missing timezone info (T7295).
- FRR 9.1.x 10.2.x does not redistribute OSPF kernel table x routes (T7297).
- Firewall rules allow empty nodes (T7366).
- container: cannot remove image when used by more than one tag (T7403).
- Zone-based firewall with VRF causes issues (T7452).
- ARM64 config fails to commit due to ttyS0 console (T7484).
- Fix the output command "show vpn ipsec connection" for passthrough tunnels (T7489).
- FRR does not redistribute BGP table x routes (T7495).
- Command 'show vpn debug peer ' does not work correctly (T7545).
- Command 'set vpn ipsec disable-uniqreqids' does nothing (T7562).
- Inconsistent MAC address behaviour on bond interfaces (T7571).
- IPsec service fails after upgrading from 1.3.8 to 1.4.2 if protocol all is configured (T7581).
- WAN Load Balancer Default SNAT Behaviour (T7584).
- Vyconf: Call libvyosconfig functions from main thread under http-api (T7588).
- IPSec traffic-selectors without prefixes are rendered incorrectly in the swanctl.conf (T7593).
- WAN load balancer always has nftables limit configured (T7625).
- Configuration encryption doesn’t work with no TPM present (T7628).
- Fix missing import and incorrect check in nat64 (T7645).
- IPv6 default route disappears after upgrade (T7646).
- VPP configuration after upgrade cannot be loaded immediately and requires a second reboot (T7649).
- If VPP crashes, the system loads without hugepages (T7651).
- VPP HugePages calculation is incorrect (T7655).
- Op-mode command show system memory cache does not work (T7657).
- VPP fails to load XDP on AWS with ena driver (T7661).
- QAT support is not detected on Intel C62x virtual function devices (T7662).
- FRR 10.2 build binaries fail (T7663).
- Smoke test cli/test_vpn_ipsec.py typo makes DPD check always pass (T7667).
- Update fails if the system does not have system options kernel (T7668).
- VPP verify does not rely on the 1G hugepages (T7670).
- Move AWS GLB CLI configuration to a separate package (T7671).
- Smoketests for DHCP Server can falsely fail (T7676).
- Setting multiple DNS resolvers for containers prevents container start (T7681).
- Incorrect sla-len in DHCPv6 client prefix delegation (T7682).
- WAN load balancing rule fails when using comma-separated ports (T7685).
- VPP IPsec traffic stops working after the reboot (T7689).
- "show nat source/destination rules" proto column is inaccurate (T7696).
- Commit fails to apply configuration: /run/nftables-ct.conf on conntrack timeout rule removal (T7700).
Other resolved issues
- pmacct-based NetFlow implementation's performance is insufficient for modern networks (T75).
- Update dynamic dns configuration path to be consistent with other areas of VyOS (T5791).
- Upgrade Linux Kernel to 6.6.y (2023 LTS edition) (T5887).
- Remove Fastnetmon from the image (T7241).
- Update Kea to 3.0 (T7281).
- Pass credentials to download commands in environment variables (T7420).
- Use PCRE2 in validation utilities (T7450).
- Do not include "dirty" in build commit IDs (T7576).
- Add a test for DHCP default route with VRF (T7623).
- Fix vyos-build makefile target test-no-interfaces (T7636).
- Set up a linter check to check complete files for syntax errors and missing imports (T7648).
- Merge vyos-vpp repo into vyos-1x (T7697).
Download
You can also find the links in the download section of the community website.
What's next?
ARM64 support is coming
You may notice some issues related to ARM64 in the changelog. That is correct — we plan to make the upcoming VyOS 1.5 available for Aarch64, in addition to x86-64. The plan is to start from cloud images, since there are ARM64 instances in major clouds now and they are often more cost-effective, so we think it's important to allow VyOS users to benefit from that.
We currently have no plans to support specific bare metal devices; however, if you have any suggestions, please let us know.