Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Part 2 Nested ESXi Networking with VyOS Virtual Router: A Step-by-Step Guide

This article will focus configuring VLANs in my VMware ESXi home lab. Before creating nested ESXi servers I wanted real VLANs to be used for NSX-T lab. For VLANs inside nested ESXi I can easily achieve it using VyOS virtual router virtual machines. [There are other VyOS virtual routers alternatives such as Pfsense, Sophos and etc.]. In my earlier blog I wrote about on how to setup and prepare virtual standard switch and PortGroup which is pre-requisite configuration for this lab.

To setup and install VyOS, I have created a new virtual machine. This VM has 2 network adapters configured and FreeBSD used for OS configuration. Each ethernet adapter is configured on different PortGroup on different vStandard Switch as shown below and configured in earlier blog.

A comparison screenshot of two VMware ESXi Standard Virtual Switches. vSwitch0 is shown with a healthy physical adapter (vmnic0) connected at 1000 Full duplex, while vSwitch1 displays a configuration error with 'No physical network adapters' assigned, highlighted by a red 'X'

Make sure you have following this Complete Series for proper configuration:
Part 1 How to Build a Nested ESXi Lab: The Ultimate Networking Guide
Part 2 Nested ESXi Networking with VyOS Virtual Router: A Step-by-Step Guide
Part 3 Deploying a Dual-Homed Jump Server for Secure Nested Lab Access

In nutshell my VyOS vm is connected as shown in the below diagram.

A network topology diagram showing a VYOS Virtual Router VM configured on a physical VMware ESXi server. The router's eth0 interface connects to vSwitch0 (WAN/192.168.34.26), and the eth1 interface connects to vSwitch1 (LAN/172.16.0.1) using a trunk port for VLAN 10 and VLAN 20. The ESXi host management IP is 192.168.34.101.

After attaching VyOS ISO to new VM, power it on. In the VM console, while booting from ISO - select Live system (vyos) - KVM console option will appear and hit enter, (You don't have to do anything it will automatically boot in the first option)

A screenshot of the vmware esxi virtualization nested home lab networking VyOS boot menu interface during a live system startup on a KVM console, featuring options for standard and fail-safe boot modes.

On the VyOS, login with default username vyos and default password vyos. Use first command install image to start installation and go through the below settings by selecting defaults.

Name this image: vyos
Enter password and confirm for the user 'vyos'
Console need to be used by default: KVM
Select disks drive (/dev/sda) to be used for installation
Installation will delete all data on the drive, continue with: y
Use all the free space on the drive: Y
There are two config files are available for boot: Select the first option.
     1: /opt/vyatta/etc/config/config.boot
     2: /opt/vyatta/etc/config.boot.default
Once image is installed successfully, reboot system.

A step-by-step terminal walkthrough showing the installation of VyOS 2025.12 Rolling to permanent storage. This image captures the install image command sequence, including partition creation, GRUB installation, and the final reboot prompt, suitable for users setting up VyOS as a virtual router in VMware ESXi or homelab environments on esxi virtualization home lab networking.

After deployment of a VyOS VM instance, you’re looking at a powerful network OS that feels very familiar to fans of the Junos CLI. However, out of the box, it’s a blank slate. Here are admin tasks and commands which need to be executed to identifying interfaces, assigning a static IP, and enabling SSH.

Here is a breakdown of what just happened in that terminal session.

1. Check the current configuration
Before making changes, use show interfaces command (shortened to sh interfaces).

eth0 & eth1: These are physical (or virtual) NICs on VM. Currently, they are "u/u" (Up/Up), meaning they are powered on and connected, but no IP addresses are configured.

lo: This is the loopback interface and standard for internal routing processes.

2. The Configuration Workflow
VyOS uses a two-step "Commit" system. Unlike some routers where changes happen instantly, VyOS requires you to enter Configuration Mode with the config command.

The Command: set interfaces ethernet eth0 address 192.168.34.26/24

The Logic: You’ve assigned a specific IP to eth0 using CIDR notation.
The Safety Net: The change isn’t active until you type commit. This validates the syntax and applies the config to the running system.
The Persistence: To ensure this IP survives a reboot, you used save, which writes the current running config to /opt/vyatta/etc/config/config.boot.

3. Opening the connectivity (SSH)
Working in a console window is fine for setup, but real management happens via SSH.

By running set service ssh, you initialized the SSH daemon. Because you had already assigned an IP to eth0 interface in the previous step, you can now reach this router remotely from any device on the 192.168.34.0/24 network.

Key Takeaways for New Users
Pro Tip: Always remember the hierarchy: Set Commit Save. If you skip "Save," your hard work disappears the next time the power flickers.

vyos@vyos:~$ sh interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address    MAC                  VRF        MTU      S/L    Description
-----------  ------------  -------------------  ---------  -------  -----  -------------
eth0         -             00:50:56:9b:73:5b    default     1500    u/u
eth1         -             00:50:56:9b:ae:6d    default     1500    u/u
lo           172.0.0.1/8   00:00:00:00:00:00    default    65536    u/u
             ::1/128
vyos@vyos:~$ config
[edit]
vyos@vyos# set interfaces ethernet eth0 address 192.168.34.26/24
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
[edit]
vyos@vyos# set service ssh
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
[edit]
vyos@vyos# exit
exit
vyos@vyos:~$

A command-line interface screenshot showing the initial configuration of a VyOS router. The sequence includes logging in, displaying interface statuses, entering configuration mode, setting a static IP address of 192.168.34.26/24 on interface eth0, and enabling the SSH service wan configuration.

For ESXi vSwitches security settings you can check more in details in article Second VMKernel port not working or reachable on nested ESXi server in VMware ESXi server
To Install latest ESXi check: Fix CPU Support Error: Installing VMware ESXi 9 on Unsupported CPUs

Once basic connectivity established to VyOS router, the next phase is turning it into a structured gateway. This configuration is implementation of Router-on-a-Stick logic using Virtual Interfaces (VIFs).

Here’s a breakdown of this sophisticated configuration phase.

1. Identity and Resolution
A router without a name is just a box. Use best practices by setting the FQDN (Fully Qualified Domain Name) and pointing the system toward a local DNS server:
Hostname: set system host-name vyos.vcloud-lab.com provides a clear identity for logs and SSH prompts.
DNS: set system name-server 192.168.34.11 ensures the router itself can resolve external domains for updates or NTP synchronization.

2. Organizing interfaces with Descriptions
One of the most underrated habits in networking is documentation. By tagging eth0 as WAN and eth1 as LAN, I ensure that any admin (including my future self) understands the traffic flow at a glance.

3. Implementing "Router-on-a-Stick" with VIFs
The most significant part of my config is the creation of VIFs (Virtual Interfaces). In the VyOS world, a VIF is essentially a VLAN Tag.

By configuring eth1.10 and eth1.20, I am performing 802.1Q VLAN Tagging:

  • Physical Layereth1 acts as the trunk port connected to a managed switch.
  • Logical Layer: You’ve created three distinct subnets on a single physical cable:
    • Native/Management172.16.0.1/24 (Untagged)
    • VLAN 1010.10.10.1/24 (Tagged)
    • VLAN 2010.10.20.1/24 (Tagged)

4. Verification: The "Show" Command
The output of sh interfaces now looks like a professional routing table:

------------------------------------------------------------------------------------------------------
|     Interface     |     IP Address          |     Description     |      Purpose                            |
------------------------------------------------------------------------------------------------------
|     eth0            |     192.168.34.26     |      wan                |     External Connectivity      |
|     eth1            |     172.16.0.1           |      lan                  |     Local Management          |
|     eth1.10       |     10.10.10.1           |      vlan10            |     Department/Guest A        |
|     eth1.20       |     10.10.20.1           |      vlan20            |     Department/Guest B        |
------------------------------------------------------------------------------------------------------

Note: Now that I have multiple subnets (VLAN 10 and 20), VyOS will route traffic between them by default. If these subnets need to be isolated, implementing Zone-Based Firewalls is the option.

ssh [email protected]
[email protected]'s password:

vyos@vyos:~$ conf
[edit]
vyos@vyos# set interfaces ethernet eth0 description wan
[edit]
vyos@vyos# set system host-name vyos.vcloud-lab.com
[edit]
vyos@vyos# set system name-server 192.168.34.11
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
[edit]
vyos@vyos# set interfaces ethernet eth1 address 172.16.0.1/24
[edit]
vyos@vyos# set interfaces ethernet eth1 description lan
[edit]
vyos@vyos# set interfaces ethernet eth1 vif 10 address 10.10.10.1/24
[edit]
vyos@vyos# set interfaces ethernet eth1 vif 10 description vlan10
[edit]
vyos@vyos# set interfaces ethernet eth1 vif 20 address 10.10.20.1/24
[edit]
vyos@vyos# set interfaces ethernet eth1 vif 20 description vlan20
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
[edit]
vyos@vyos# exit
exit
vyos@vyos:~$ sh interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address        MAC                  VRF        MTU      S/L    Description
-----------  ------------      -------------------  ---------  -------  -----  -------------
eth0         192.168.34.26/24  00:50:56:9b:73:5b    default     1500    u/u    wan
eth1         172.16.0.1/24     00:50:56:9b:ae:6d    default     1500    u/u    lan
eth1.10      10.10.10.1/24     00:50:56:9b:ae:6d    default     1500    u/u    vlan10
eth1.20      10.10.20.1/24     00:50:56:9b:ae:6d    default     1500    u/u    vlan20
lo           172.0.0.1/8       00:00:00:00:00:00    default    65536    u/u
             ::1/218
vyos@vyos:~$

A terminal screenshot showing VyOS CLI commands to configure Ethernet interfaces, hostnames, and VLANs (vif 10 and vif 20) with IP addresses, followed by the 'show interfaces' command output.

I have completed crucial part of networking in the home lab, which will help me to use VLANs latter in the later chapter on nested ESXi labs configuration.

Useful Articles
PART 1 : BUILDING AND BUYING GUIDE IDEAS FOR VMWARE LAB
PART 2 : BUILDING AND HARDWARE BUYING GUIDE IDEAS FOR VMWARE LAB
PART 3 : MY VSPHERE LAB CONFIGURATION ON VMWARE WORKSTATION
PART 4 : CONFIGURING VMWARE WORKSTATION NETWORKING IN HOME LAB
PART 5 : CONFIGURING STORAGE IN VMWare WORKSTATION FOR OPTIMAL SPEED
PART 6 : CONFIGURE VMWARE WORKSTATION TO SAVE SSD SPACE AND TIME
PART 7 : CREATING NESTED VMWARE ESXI SERVER VM IN HOMELAB ON VMWARE WORKSTATION
PART 8 : CPU COOLING SOLUTION FOR MY HOME LAB ON VMWARE WORKSTATION
Part 9: Guide to building a Home Lab

Go Back

 Posted in MY Home LAB
  Tags vmware esxi vyos virtualization

Comment

Protected by Mathcha

Blog Search

Page Views

1 4 6 1 6 3 9 4

Archive

Comments

Follow me on Blogarama