Basic Configuration
Version key: 🟢 = 1.3+ (all versions) · 🟡 = 1.4+ (Sagitta/Circinus) · 🟣 = 1.5+ (Circinus/Stream only)
Every VyOS configuration starts in configuration mode — a sandboxed session. No changes take effect until you commit.
```
vyos@vyos:~$ configure
vyos@vyos#
```

The `#` prompt means you're in config mode. Changes are not live until committed.

The Commit Model

VyOS uses a candidate configuration model:
| Command | What it does |
|---|---|
| `set` | Stage a change |
| `delete` | Remove a config node |
| `show` | View candidate config |
| `compare` | Diff candidate vs running |
| `commit` | Apply candidate to running |
| `save` | Persist to /config/config.boot |
| `rollback` | Revert to last saved config |
| `discard` | Discard all uncommitted changes |
```
# Safe workflow
configure
set system host-name wrong-name
compare    # see what changed
discard    # nope, start over
set system host-name correct-name
commit
save
```

System Settings
```
set system host-name vyos-gw
set system domain-name home.lan
set system time-zone Asia/Jakarta

# NTP
set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org

# Login banner
set system login banner pre-login "Authorized use only"

# Syslog
set system syslog host 192.168.1.100 facility all level info
```

Users & Authentication
```
# Create admin user
set system login user admin authentication plaintext-password 'Str0ngP@ss!'
set system login user admin full-name 'Network Admin'

# SSH key authentication (preferred)
set system login user admin authentication public-keys mykey key 'AAAAB3...'
set system login user admin authentication public-keys mykey type ssh-rsa

# Disable default vyos user
delete system login user vyos
```

Interfaces
Loopback

```
set interfaces loopback lo address 10.255.255.1/32
```

Ethernet
```
# WAN — DHCP
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 dhcp-options default-route
set interfaces ethernet eth0 dhcp-options name-server

# WAN — Static
set interfaces ethernet eth0 description WAN
set interfaces ethernet eth0 address 203.0.113.10/24
# Ethernet interfaces have no gateway node; the default route is a static route
set protocols static route 0.0.0.0/0 next-hop 203.0.113.1

# LAN
set interfaces ethernet eth1 description LAN
set interfaces ethernet eth1 address 192.168.1.1/24
```

VLAN (802.1Q)
```
# Create VLAN 10 on eth1
set interfaces ethernet eth1 vif 10 description 'Guest Network'
set interfaces ethernet eth1 vif 10 address 10.0.10.1/24

# VLAN 20 — Management
set interfaces ethernet eth1 vif 20 description 'Management'
set interfaces ethernet eth1 vif 20 address 10.0.20.1/24
```

Bonding / LAG
```
# LACP bond
set interfaces bonding bond0 description 'Uplink LAG'
set interfaces bonding bond0 member interface eth0
set interfaces bonding bond0 member interface eth1
set interfaces bonding bond0 mode 802.3ad
set interfaces bonding bond0 address 192.168.1.1/24
```

Bridge
```
set interfaces bridge br0 description 'LAN Bridge'
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface eth2
set interfaces bridge br0 address 192.168.1.1/24
```

SSH Access
```
# Basic SSH
set service ssh port 22
set service ssh listen-address 192.168.1.1

# Restrict to specific users/groups
set service ssh disable-password-authentication
# access-control takes one user (or group) per statement
set service ssh access-control allow user admin
set service ssh access-control allow user operator

# Enable on specific interfaces only
set service ssh listen-address 192.168.1.1
```

```
# System DNS (for the router itself)
set system name-server 1.1.1.1
set system name-server 8.8.8.8

# DNS forwarding for LAN clients (covered in dhcp-dns guide)
```

IPv6 Basics 🟡 1.4+
```
# Enable IPv6 globally
# IPv6 forwarding is on by default and disable-forwarding takes no value,
# so remove the node if it was set earlier
delete system ipv6 disable-forwarding

# SLAAC + DHCPv6 on WAN
set interfaces ethernet eth0 address dhcpv6

# Static IPv6 on LAN
set interfaces ethernet eth1 address 2001:db8:1::1/64
```

Verify & Troubleshoot
```
# Operational mode (exit config first)
show interfaces
show interfaces ethernet eth0
show ip route
show ipv6 route
show system uptime
show version

# Ping/traceroute from router
ping 8.8.8.8
traceroute 8.8.8.8

# Monitor interfaces
monitor interfaces ethernet eth0
```

Configuring Remotely? READ THIS 🟢 1.3+
Use `commit-confirm` instead of `commit` when working remotely. If you do not confirm within the timeout, for example because the change cut off your own session, the router rolls back automatically:

```
commit-confirm 5    # auto-rollback in 5 minutes
# verify connectivity
# if good:
confirm             # make it permanent
```

This has saved more network engineers than any other single command.
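The login and SSH recommendations in Users & Authentication and SSH Access can be checked mechanically. This is an added example, not part of the original guide: a Python audit over `show configuration commands` output, where the sample config and the `parse`/`audit` names are constructed for illustration (a committed password appears as `encrypted-password`).

```python
import shlex

# Constructed sample in the format printed by `show configuration commands`.
SAMPLE = """\
set service ssh port '22'
set system login user vyos authentication encrypted-password '$6$constructed'
set system login user admin authentication encrypted-password '$6$constructed'
set system login user admin authentication public-keys mykey key 'AAAAB3constructed'
set system login user admin authentication public-keys mykey type 'ssh-rsa'
set system login user operator authentication plaintext-password ''
"""

def parse(text):
    """Return each `set` line as a tuple of path tokens (quotes removed)."""
    paths = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "set":
            paths.append(tuple(tokens[1:]))
    return paths

def audit(text):
    """Check the login and SSH settings this page recommends; return findings."""
    paths = parse(text)
    findings = []
    users = {}  # user name -> set of authentication node names
    for p in paths:
        if p[:3] == ("system", "login", "user") and len(p) > 3:
            auth = users.setdefault(p[3], set())
            if len(p) > 5 and p[4] == "authentication":
                auth.add(p[5])
    if "vyos" in users:
        findings.append("default user 'vyos' is still defined")
    for name, auth in sorted(users.items()):
        has_pw = auth & {"plaintext-password", "encrypted-password"}
        if has_pw and "public-keys" not in auth:
            findings.append(f"user '{name}' has a password but no SSH public key")
    ssh = [p[2:] for p in paths if p[:2] == ("service", "ssh")]
    if ssh:
        if ("disable-password-authentication",) not in ssh:
            findings.append("SSH password authentication is not disabled")
        if not any(s[:1] == ("listen-address",) for s in ssh):
            findings.append("SSH has no listen-address and accepts connections on every address")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run it against a saved copy of the router's own `show configuration commands` output; an empty result means none of the four checks fired.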