The Hardware

I went scrounging for no-longer-used equipment I could play with, and found a couple of firewall appliances from yesteryear, originally used at two customer sites before being replaced with something a bit faster. At a previous job, I used several units just like these to implement a mesh-type network between 3 sites over IPsec. With OpenBSD, of course. These are neat little boxes with zero moving parts - they boot off CF cards, and their entire case is one big heatsink. They sport six Intel gigabit ethernet interfaces and one RJ45 serial console port. These are quite old by now (circa 2010) and therefore underpowered by some standards. 2GB of RAM, and 4GB CF card. Dual-core Atom (D510) processor running at 1.66GHz. Nothing to write home about, but still plenty for OpenBSD (and possibly VyOS) to provide security and some network services. I was surprised to find that despite its age and relative weakness, Intel shows this to be a 64-bit machine - and I can confirm that it does indeed run 64-bit software.

Initial Issues

This machine still uses a standard-ish BIOS, which means it still uses a curses-based configuration utility. This was neatly presented via serial console, so I had no issues there. The VyOS installer is provided via live CD ISO image. Thankfully, the ISO is a hybrid image - meaning it can be copied directly to a USB thumb drive and booted that way. Unfortunately, after booting from this USB drive the Linux kernel initializes the serial port so I lost all KVM access. And the installer of course did not really support serial console either, so I was a bit stuck.

Installer Workaround

Google turned up several instances of folks performing installation to CF (for Alix, of which I have used many) via virtual machines and such. I had no interest in going that route, but it did prove that the installation could be done without the target hardware. So I plugged the thumb drive into a trusty laptop (nearly as old as the appliances, purchased on the cheap years ago during a Black Friday sale) and booted into the installer. I then installed to the CF, which I had connected via an equally ancient USB CF reader.

First Boot

I popped the CF card back in and powered up the appliance. The default boot item chose standard KVM, but after boot had completed a login was possible via serial port. Of course, I had previously configured the serial port of the appliance for 115200 - but the boot loader and OS were both configured to use 9600. So in order to log in, I had to reconnect at 9600. And then when rebooting, I had to reconnect at 115200 to see or operate the bootloader menu. This wouldn’t do. I could have easily dropped the BIOS back down to 9600, but why would I do that? I wanted to run at 115200, else I wouldn’t have set the BIOS that way in the first place.

Tweaking Console Speed and Other Things

When in the installer, the install image command wrote a plain vanilla image to the disk. However, install system would include changes made during the install session. Using this, I figured I would be able to change the console speed and then kick off the installer. And while I was at it, I wanted to make other changes so that I’d be good-to-go on the first boot - such as enabling DHCP on the first interface so that I wouldn’t need the console cable at all. Well, it turned out to be a tad more complicated, but still easy enough to do. And what I ended up with would be a good candidate for a base image - I could run through this one time, then just blow the image onto as many CF cards as I wanted. Win!

What the Process Looked Like

Login and make changes

First I logged in (default credentials are vyos/vyos), enabled ssh, enabled dhcp for the first interface, and created a new user (totally optional, of course):

vyos login: vyos
Password:
Last login: Sun Sep  3 16:51:26 UTC 2017 on ttyUSB0
Linux vyos 3.13.11-1-586-vyos #1 SMP Wed Aug 12 01:58:45 UTC 2015 i686
Welcome to VyOS.
This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the individual
files in /usr/share/doc/*/copyright.
vyos@vyos:~$ conf
[edit]
vyos@vyos# set service ssh
[edit]
vyos@vyos# set int eth eth0 address dhcp
[edit]
vyos@vyos# set system login user dewey authentication plaintext-password @w3s0m3
[edit]
vyos@vyos# set system login user dewey level admin
[edit]
vyos@vyos# commit
[ interfaces ethernet eth0 address dhcp ]
Starting DHCP client on eth0 ...

[ service ssh ]
Restarting OpenBSD Secure Shell server: sshd.

[edit]
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
[edit]
vyos@vyos# exit
exit

Remove temporary MAC address

When creating the configuration on the laptop, the MAC address (and wifi interface) from the laptop was committed to the configuration. So I removed the wifi configuration and simplified the ethernet block so that it would match the interface on the new machine. I did this by editing the config (vyos@vyos:~$ vi /config/config.boot) and changing this block:

interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        hw-id e8:11:32:d8:cf:a3
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    wireless wlan0 {
        hw-id e8:11:32:e2:76:85
        mode g
        physical-device phy0
        type monitor
    }
}

… to look like this:

interfaces {
    ethernet eth0 {
        address dhcp
    }
    loopback lo {
    }
}
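
The same clean-up can be scripted, which helps when the result is meant to become a base image. This is an added example, not code from the original post: the function names are hypothetical, and the sample is the "before" block above plus a constructed system/console stanza, included to show that only ethernet blocks are stripped.

```shell
# Constructed sample: the "before" block from the text, plus a constructed
# system/console stanza whose "speed" line must not be touched.
sample_config() {
cat <<'EOF'
interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        hw-id e8:11:32:d8:cf:a3
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
    wireless wlan0 {
        hw-id e8:11:32:e2:76:85
        mode g
        physical-device phy0
        type monitor
    }
}
system {
    console {
        device ttyS0 {
            speed 9600
        }
    }
}
EOF
}
# Print FILE with wireless blocks removed and the hardware-specific keys
# of the build machine stripped from ethernet blocks only.
sanitize_config() {
    awk '
    function depth(s,   o, c) {          # net brace count on one line
        o = gsub(/[{]/, "{", s); c = gsub(/[}]/, "}", s); return o - c
    }
    skip > 0 { skip += depth($0); next } # still inside a wireless block
    /^[ \t]*wireless [^ \t]+ [{][ \t]*$/ { skip = 1; next }
    eth > 0 {                            # inside an ethernet block
        eth += depth($0)
        if ($1 ~ /^(hw-id|duplex|smp_affinity|speed)$/) next
        print; next
    }
    /^[ \t]*ethernet [^ \t]+ [{][ \t]*$/ { eth = 1 }
    { print }
    ' "$1"
}
# Demo on the constructed sample: prints the cleaned configuration.
f=$(mktemp) && sample_config > "$f" && sanitize_config "$f"; rm -f "$f"
```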

Install

Run the actual install. Note that in this particular case, you will see three block devices:

  1. sda / 128035MB - this is the laptop’s own SSD
  2. sdb / 32015MB - this is the USB thumbdrive used to boot the installer
  3. sdc / 4009MB - this is the 4GB CF card to which I want to install VyOS

vyos@vyos:~$ install system
Welcome to the VyOS install program.  This script
will walk you through the process of installing the
VyOS image to a local hard drive.

Would you like to continue? (Yes/No) [Yes]:
Probing drives: OK
Looking for pre-existing RAID groups...none found.
The VyOS image will require a minimum 1000MB root.
Would you like me to try to partition a drive automatically
or would you rather partition it manually with parted?  If
you have already setup your partitions, you may skip this step.

Partition (Auto/Union/Parted/Skip) [Auto]:

I found the following drives on your system:

WARNING: GPT (GUID Partition Table) detected on '/dev/sda'! The util sfdisk doesn't support GPT. Use GNU Parted.

 sda    128035MB
 sdb    32015MB
 sdc    4009MB


Install the image on? [sda]:sdc

This will destroy all data on /dev/sdc.
Continue? (Yes/No) [No]: yes
How big of a root partition should I create? (1000MB - 4009MB) [4009]MB: 3800

Creating filesystem on /dev/sdc1: OK
Mounting /dev/sdc1
Copying system files to /dev/sdc1:
 99% [==================================================>]
OK
I found the following configuration files
/opt/vyatta/etc/config/config.boot
Which one should I copy to sdc? [/opt/vyatta/etc/config/config.boot]:

Enter password for administrator account
Enter password for user 'vyos':
Retype password for user 'vyos':
I need to install the GRUB boot loader.
I found the following drives on your system:

WARNING: GPT (GUID Partition Table) detected on '/dev/sda'! The util sfdisk doesn't support GPT. Use GNU Parted.

 sda    128035MB
 sdb    32015MB
 sdc    4009MB


Which drive should GRUB modify the boot partition on? [sda]:sdc
Setting up grub: OK
Done!

Boot Loader

Next, I tweaked the boot loader to match my preferences. First, I started by mounting the CF and editing the bootloader config:

vyos@vyos:~$ sudo mount /dev/sdc1 /mnt/rootfs/
vyos@vyos:~$ sudo vi /mnt/rootfs/boot/grub/grub.cfg

Made serial console the default boot item, changed all instances of 9600 to 115200, saved and quit:

:%s/default=0/default=1/
:%s/9600/115200/g
:wq!
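
A scripted form of the same two edits, useful when repeating this for a base image. This is an added example, not part of the original post: the function names and the sample grub.cfg are constructed, not the real VyOS file. Unlike the blanket substitution, it replaces 9600 only where it stands as a whole number, keeps a copy of the original, and refuses to write if the result fails its checks.

```shell
# Constructed sample, not the real VyOS grub.cfg; the "build" comment exists
# only to show that a longer number containing 9600 is left alone.
sample_grub_cfg() {
cat <<'EOF'
# build 20159600
set default=0
set timeout=5
serial --unit=0 --speed=9600
terminal_output --append serial
menuentry "VyOS (KVM console)" {
    linux /boot/vmlinuz console=ttyS0,9600 console=tty0
}
menuentry "VyOS (Serial console)" {
    linux /boot/vmlinuz console=tty0 console=ttyS0,9600
}
EOF
}

# Rewrite FILE in place, keeping the first original as FILE.orig. Returns
# non-zero and leaves FILE untouched if the result does not pass the checks.
set_serial_console() {
    cfg=$1
    tmp=$(mktemp) || return 1
    awk '{
        sub(/default=0/, "default=1")        # same edit as :%s/default=0/default=1/
        s = " " $0 " "                       # pad so line ends count as boundaries
        while (match(s, /[^0-9]9600[^0-9]/)) # 9600 as a whole number only
            s = substr(s, 1, RSTART) "115200" substr(s, RSTART + 5)
        print substr(s, 2, length(s) - 2)
    }' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    if grep -q 'default=1' "$tmp" &&
       ! grep -Eq '(^|[^0-9])9600([^0-9]|$)' "$tmp"; then
        { [ -e "$cfg.orig" ] || cp "$cfg" "$cfg.orig"; } && cat "$tmp" > "$cfg"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
# Usage on the mounted card: set_serial_console /mnt/rootfs/boot/grub/grub.cfg
```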

Unmounted the card, then powered down (optional):

vyos@vyos:~$ sudo umount /mnt/rootfs/
vyos@vyos:~$ sudo poweroff

Booting the Appliance

After reinstalling the CF card into the appliance, I booted it up. I was connected to the console at 115200. The BIOS screen popped up, I saw the GRUB bootloader, verified the serial console boot option was highlighted, and watched the boot proceed via the serial console. All good. Once booted, I logged in to check the status of the ethernet interfaces:

[email protected]:~$ sho int eth
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.0.0.245/24                     u/u  
eth1             -                                 u/D  
eth2             -                                 u/D  
eth3             -                                 u/D  
eth4             -                                 u/D  
eth5             -                                 u/D  

This shows the first ethernet interface with a valid IP address following the initial boot. Success!