Complete VyOS Configuration for Your Setup
Here’s the entire configuration with all corrections applied:
Initial Installation
# Boot from ISO, then run the installer. It prompts for the target
# disk and the password of the default admin user; that account
# gets full configuration rights, so choose a strong password here.
install image
# Follow prompts, set password
reboot
Complete Configuration (Copy/Paste Friendly)
# Login and enter configuration mode. Everything below up to
# 'commit' only edits the candidate config; nothing is applied
# until 'commit' runs.
configure
# ============================================
# SYSTEM BASICS
# ============================================
set system host-name vyos-router
set system time-zone America/New_York
# These resolvers are used by the router itself (package updates,
# 'ping google.com' from the router); LAN clients get theirs from
# the DHCP 'option name-server' entries further down.
set system name-server 1.1.1.1
set system name-server 8.8.8.8
# ============================================
# NETWORK INTERFACES
# ============================================
# WAN Interface (eth2) - DHCP. This is the untrusted side; the
# input/forward firewall chains below are what keep it from
# reaching the router or the LAN.
set interfaces ethernet eth2 address dhcp
set interfaces ethernet eth2 description 'WAN'
set interfaces ethernet eth2 offload gso
set interfaces ethernet eth2 offload gro
set interfaces ethernet eth2 offload tso
# LAN Bridge (eth0, eth1, eth3). All three ports are one L2
# segment; the bridge address is the LAN gateway, DNS and DHCP
# address used throughout the rest of this config.
set interfaces bridge br0 address 192.168.99.1/24
set interfaces bridge br0 description 'LAN Bridge'
set interfaces bridge br0 member interface eth0
set interfaces bridge br0 member interface eth1
set interfaces bridge br0 member interface eth3
# Enable offloading on LAN ports
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload tso
set interfaces ethernet eth3 offload gso
set interfaces ethernet eth3 offload gro
set interfaces ethernet eth3 offload tso
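# ============================================
# DHCP SERVER
# ============================================
# One pool for the LAN bridge. The pool starts at .10, so .2-.9
# are outside it and remain available for static assignments.
set service dhcp-server shared-network-name LAN subnet 192.168.99.0/24 subnet-id 1
set service dhcp-server shared-network-name LAN subnet 192.168.99.0/24 range 0 start 192.168.99.10
set service dhcp-server shared-network-name LAN subnet 192.168.99.0/24 range 0 stop 192.168.99.254
set service dhcp-server shared-network-name LAN subnet 192.168.99.0/24 option default-router 192.168.99.1
# Hand out the router's own caching forwarder (configured under
# 'service dns forwarding' below) instead of the public resolvers.
# The forwarder already uses 1.1.1.1/8.8.8.8 upstream; pointing
# clients at it gives them the cache and keeps LAN DNS traffic on
# the router, whereas advertising the public resolvers directly
# leaves the forwarder section unused.
set service dhcp-server shared-network-name LAN subnet 192.168.99.0/24 option name-server 192.168.99.1
# NOTE(review): '.local' is reserved for mDNS (RFC 6762) and some
# clients resolve such names via multicast rather than DNS; a name
# like 'home.arpa' (RFC 8375) avoids that clash.
set service dhcp-server shared-network-name LAN subnet 192.168.99.0/24 option domain-name 'lan.local'
# 24-hour leases
set service dhcp-server shared-network-name LAN subnet 192.168.99.0/24 lease 86400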
# ============================================
# NAT (Masquerade)
# ============================================
# Source NAT for the LAN subnet leaving via the WAN port. NAT only
# rewrites addresses; it is not a filter, so the forward firewall
# chain below is what decides which flows are allowed through.
set nat source rule 100 outbound-interface name eth2
set nat source rule 100 source address 192.168.99.0/24
set nat source rule 100 translation address masquerade
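# ============================================
# FIREWALL (Simplified Stateful)
# ============================================
# Input filter (traffic TO the router). Default drop: only reply
# traffic and hosts on the LAN bridge reach the router's own
# services (SSH, DNS forwarder, DHCP).
set firewall ipv4 input filter default-action drop
# Invalid-state packets are dropped first, ahead of the blanket
# LAN accept below, so malformed traffic arriving on br0 is not
# admitted by rule 20.
set firewall ipv4 input filter rule 5 action drop
set firewall ipv4 input filter rule 5 state invalid
set firewall ipv4 input filter rule 5 description 'Drop invalid state'
set firewall ipv4 input filter rule 10 action accept
set firewall ipv4 input filter rule 10 state established
set firewall ipv4 input filter rule 10 state related
set firewall ipv4 input filter rule 10 description 'Allow established/related'
set firewall ipv4 input filter rule 20 action accept
set firewall ipv4 input filter rule 20 inbound-interface name br0
set firewall ipv4 input filter rule 20 description 'Allow from LAN'
# NOTE(review): if the eth2 DHCP lease fails to obtain or renew
# under this default-drop input chain, add a rule accepting UDP
# destination port 68 on eth2 — verify on your release first.
# Forward filter (traffic THROUGH the router). Default drop rather
# than accept: with a default-accept forward chain, anything the
# upstream delivers for 192.168.99.0/24 is forwarded unfiltered and
# NAT is the only barrier. With default drop, only LAN-originated
# flows (rule 20) and their replies (rule 10) are forwarded.
set firewall ipv4 forward filter default-action drop
set firewall ipv4 forward filter rule 5 action drop
set firewall ipv4 forward filter rule 5 state invalid
set firewall ipv4 forward filter rule 5 description 'Drop invalid state'
set firewall ipv4 forward filter rule 10 action accept
set firewall ipv4 forward filter rule 10 state established
set firewall ipv4 forward filter rule 10 state related
set firewall ipv4 forward filter rule 10 description 'Allow established/related'
set firewall ipv4 forward filter rule 20 action accept
set firewall ipv4 forward filter rule 20 inbound-interface name br0
set firewall ipv4 forward filter rule 20 description 'Allow LAN to WAN'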
# ============================================
# QoS / TRAFFIC SHAPING
# ============================================
# Adjust bandwidth to 95% of your actual upload speed. The shaper
# is attached to eth2 egress only (see the last line), so it shapes
# upload; download is not shaped by this policy.
set qos policy shaper WAN-OUT bandwidth 950mbit
# 'default' receives everything no class match below catches.
set qos policy shaper WAN-OUT default bandwidth 30%
set qos policy shaper WAN-OUT default ceiling 100%
set qos policy shaper WAN-OUT default priority 7
set qos policy shaper WAN-OUT default queue-type fq-codel
# NOTE(review): guaranteed rates sum to 130% of the shaper rate
# (25 + 30 + 25 + 20 for the classes plus 30 for default); confirm
# the commit accepts this and trim the shares if guarantees matter.
# Class 10: HIGH PRIORITY - Gaming & Video Calls
set qos policy shaper WAN-OUT class 10 bandwidth 25%
set qos policy shaper WAN-OUT class 10 ceiling 80%
set qos policy shaper WAN-OUT class 10 priority 1
set qos policy shaper WAN-OUT class 10 queue-type fq-codel
set qos policy shaper WAN-OUT class 10 description 'Gaming and VoIP'
# Match by DSCP (EF=46 for VoIP, CS5=40 for video). The DSCP value
# is whatever the LAN host set; nothing here re-marks traffic, so
# any client can mark its packets EF and land in the top class.
set qos policy shaper WAN-OUT class 10 match voip-ef ip dscp 46
set qos policy shaper WAN-OUT class 10 match video-cs5 ip dscp 40
# Match common VoIP/video ports
set qos policy shaper WAN-OUT class 10 match zoom1 ip destination port 8801
set qos policy shaper WAN-OUT class 10 match zoom2 ip destination port 8802
set qos policy shaper WAN-OUT class 10 match teams1 ip destination port 3478
set qos policy shaper WAN-OUT class 10 match teams2 ip destination port 3479
set qos policy shaper WAN-OUT class 10 match webrtc1 ip destination port 3480
set qos policy shaper WAN-OUT class 10 match webrtc2 ip destination port 3481
# Class 20: MEDIUM-HIGH - Video Streaming. Matching destination
# ports 443/80 captures essentially all web traffic, not only video.
set qos policy shaper WAN-OUT class 20 bandwidth 30%
set qos policy shaper WAN-OUT class 20 ceiling 90%
set qos policy shaper WAN-OUT class 20 priority 3
set qos policy shaper WAN-OUT class 20 queue-type fq-codel
set qos policy shaper WAN-OUT class 20 description 'Video streaming'
set qos policy shaper WAN-OUT class 20 match https ip destination port 443
set qos policy shaper WAN-OUT class 20 match http ip destination port 80
# Class 30: MEDIUM - General Browsing. This class has no 'match'
# clause, so no traffic is classified into it; unmatched traffic
# goes to 'default' above.
set qos policy shaper WAN-OUT class 30 bandwidth 25%
set qos policy shaper WAN-OUT class 30 ceiling 100%
set qos policy shaper WAN-OUT class 30 priority 5
set qos policy shaper WAN-OUT class 30 queue-type fq-codel
set qos policy shaper WAN-OUT class 30 description 'General traffic'
# Class 40: LOW PRIORITY - Torrents & Bulk Downloads
set qos policy shaper WAN-OUT class 40 bandwidth 20%
set qos policy shaper WAN-OUT class 40 ceiling 100%
set qos policy shaper WAN-OUT class 40 priority 7
set qos policy shaper WAN-OUT class 40 queue-type fq-codel
set qos policy shaper WAN-OUT class 40 description 'Bulk/Torrents'
# Common torrent ports. Port matching is a heuristic only; clients
# using random or encrypted ports fall through to 'default'.
set qos policy shaper WAN-OUT class 40 match torrent1 ip destination port 6881
set qos policy shaper WAN-OUT class 40 match torrent2 ip destination port 6882
set qos policy shaper WAN-OUT class 40 match torrent3 ip destination port 6883
set qos policy shaper WAN-OUT class 40 match torrent4 ip destination port 6889
set qos policy shaper WAN-OUT class 40 match torrent5 ip destination port 51413
set qos policy shaper WAN-OUT class 40 match torrent6 ip source port 6881
set qos policy shaper WAN-OUT class 40 match torrent7 ip source port 6882
# Apply QoS to WAN interface (egress = upload direction only)
set qos interface eth2 egress WAN-OUT
# ============================================
# CONNECTION TRACKING (for 50 users)
# ============================================
# Each helper parses application-layer payloads in the kernel so it
# can open the related data connections for that protocol. Keep
# only the helpers this LAN actually uses; each one is extra parsing
# of untrusted traffic, and pptp/h323 are rarely needed today.
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules tftp
# Larger tracking tables so a busy LAN does not hit the default
# limit (new connections are refused once the table is full).
set system conntrack table-size 262144
set system conntrack expect-table-size 8192
# ============================================
# DNS FORWARDING (Caching)
# ============================================
# Listen on the LAN address only, and answer only the LAN subnet;
# together these keep the router from being an open resolver on
# eth2. Note that clients only use this cache if the DHCP
# 'option name-server' hands out 192.168.99.1.
set service dns forwarding listen-address 192.168.99.1
set service dns forwarding allow-from 192.168.99.0/24
# Upstream resolvers the cache forwards misses to.
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 8.8.8.8
set service dns forwarding cache-size 10000
# ============================================
# SSH ACCESS (Management)
# ============================================
# Bound to the LAN address only, so SSH is not reachable from eth2
# even before the input firewall is considered. Once you have a
# key installed, 'set service ssh disable-password-authentication'
# removes password logins entirely.
set service ssh listen-address 192.168.99.1
# 22 is the default; stated explicitly for clarity.
set service ssh port 22
# ============================================
# PERFORMANCE TUNING
# ============================================
# These tcp_* and buffer settings apply to TCP sockets the router
# itself terminates (SSH, DNS, updates). Forwarded LAN traffic is
# not terminated here, so they do not change throughput or latency
# for clients behind the router.
# BBR congestion control
set system sysctl parameter net.core.default_qdisc value fq
set system sysctl parameter net.ipv4.tcp_congestion_control value bbr
# Increase network buffers
set system sysctl parameter net.core.rmem_max value 134217728
set system sysctl parameter net.core.wmem_max value 134217728
set system sysctl parameter net.ipv4.tcp_rmem value '4096 87380 67108864'
set system sysctl parameter net.ipv4.tcp_wmem value '4096 65536 67108864'
# Optimize for many connections
set system sysctl parameter net.ipv4.ip_local_port_range value '1024 65535'
set system sysctl parameter net.ipv4.tcp_tw_reuse value 1
set system sysctl parameter net.ipv4.tcp_fin_timeout value 30
# ============================================
# COMMIT AND SAVE
# ============================================
# 'commit' applies the candidate config; 'save' writes it to the
# boot config so it survives a reboot. Review any commit errors
# before saving.
commit
save
exit
Verification Commands
# Operational-mode commands (run after 'exit' from configure mode).
# Check interfaces
show interfaces
# Check DHCP leases
show dhcp server leases
# Check NAT
show nat source translations
# Check QoS
show qos policy
show qos interface
# Check firewall (rule counters show which rules are matching)
show firewall ipv4
# Monitor bandwidth
monitor interfaces ethernet eth2
# Check system resources
show system resources
# Test from LAN client (not from the router) so the test exercises
# the bridge, NAT and forward firewall path.
ping 8.8.8.8
ping google.com
Quick Backup
# Save current config under a named file. NOTE(review): 'save' is a
# configure-mode command; enter 'configure' first if you are in
# operational mode.
save /config/backup-initial-setup.config
# List backups
ls -lh /config/*.config
Important Notes
- QoS Bandwidth: Change 950mbit to match 95% of your actual upload speed
- Timezone: Change America/New_York to your timezone
- Gaming Ports: Add specific game ports if needed
- Flow Control Warning: Ignore the eth2 flow control warning – it’s harmless
Test Your Setup
# From a LAN client, test speed
speedtest-cli
# Check latency (should be low with QoS); run this while the
# speed test is saturating the uplink to see the shaper's effect.
ping -c 100 8.8.8.8
# Test QoS is working (on the router; shows per-class counters)
show qos interface eth2
This complete configuration should work without errors on your VyOS 2025.10.25 rolling release!