Doesn't VyOS run an EOL operating system with core packages that are years out of date? I spun up a test server to check it out. I don't see anything on their website about updating it and running "apt-get update/upgrade" just throws errors.
Why would I want an edge security device running something like that?
You can add Debian repos, but be careful: you may break something updating packages. They are currently working on an update from the current version 1.1.7 to 1.2.0. Development was pretty active, but as of the last year it's been slower.
Can't answer the first question, but for me the pf syntax for firewall rules, NAT and inbound port forwarding is much simpler.
I don't trust any box running 300 out-of-date packages plus a PHP GUI, so my edge device is simply a dual-ethernet 8W device that runs OpenBSD with the following rules:
set skip on lo0
block all
pass out on en0 inet from en1:network to any nat-to (en0) # source NAT
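A fuller gateway ruleset in the same style, as an added example (not the poster's configuration). It keeps en0 as the outside interface and en1 as the inside one, and shows the source NAT together with the inbound port forwarding mentioned above. The macro names and the internal host address are assumptions made up for illustration.

```pf
# Added example, not the poster's ruleset.
# Macro names and the 10.0.0.10 host are constructed for illustration.
ext_if  = "en0"         # outside (WAN) interface, as in the post
int_if  = "en1"         # inside (LAN) interface, as in the post
web_srv = "10.0.0.10"   # hypothetical internal host behind the port forward

set skip on lo0
block all               # default deny: both directions, every interface

# With "block all" in place, LAN traffic has to be passed *in* on the
# inside interface, otherwise it is dropped before it can be forwarded.
# "to any" also lets LAN hosts reach the firewall itself; narrow it if
# that is not wanted.
pass in on $int_if inet from $int_if:network to any

# Source NAT on the way out. The parentheses make pf follow the
# interface's current address, which matters on a DHCP-assigned WAN link.
pass out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# Inbound port forward: TCP 443 arriving on the WAN address is redirected
# to the internal host ...
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443 rdr-to $web_srv
# ... and the redirected packet still needs a pass rule to leave via the LAN side.
pass out on $int_if inet proto tcp from any to $web_srv port 443
```

A file like this can be syntax-checked without loading it using `pfctl -nf <file>`.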