At work the SD cards lasted for about 1,5 year and then gave up.
I now disabled Ext4 journaling and am considering using the F2FS filesystem which is designed for flash storage.
Ubiquiti maintains a fork of Vyatta (which is related to VyOS in ways I'm admittedly not quite clear on) that also has a web interface. It's for their hardware, but the EdgeRouter series is quite decent in terms of both performance and cost. (The Lite platform will do gigabit line speed for about $100.)
I've used Vyos and was generally impressed. The part where we used Vyos was not exercised to capacity. One thing that confused me was how most (all?) networking hardware of today makes use of custom ASICs (e.g. chips from Broadcom) to get line speed in routing etc. How does Vyos/Vyatta compare? If you had your VMs on the same host as the software router, I understand it is going to be really fast. But if you have a separate box, don't you see a significant slowdown?
That depends on if your network card supports TOE. If your network card supports full TCP offload then your routing latency can be as low as .6-1.4 us. If you have to go through the entire TCP software stack it's around 20-40 us, on 10Gb hardware. Full TCP offload puts it in the same ballpark a hardware router.
Smallwall (http://smallwall.org), the successor of M0n0wall: not many 'moving parts', rock-solid. Saves a lot of time comparing to building it yourself (software-wise).
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
and how does it get security patches more often than Debian or FreeBSD or OpenBSD?
As an answer to the second, I checked the site and the last release was 51 weeks ago and the last beta was 3 weeks ago. Compare that to Debian archive runs a couple times a day, has a couple hundred devs, and a couple mirrors, and full security teams.
Here's a list to security related bugs that Debian has patched since the last beta of smallwall.
One has large formal teams and procedures and FAST updates.
The other ... doesn't.
If there's a problem found and released today, the first will have a patch in hours. The second will have a new beta every couple weeks, or maybe a stable release every couple years. That's a long time to wait.
One aims to do one thing and do it well (in this case, to provide a means to use an embedded PC as a secure firewall), while the other aims to provide a complete solution to make use of a vast repository of free software for many platforms.
The developer of SmallWall follows the same philosophy put in place by the developer of m0n0wall that preceeded it:
> SmallWall is a firewall, and the purpose of a firewall is to provide security. The more functionality is added, the greater the chance that a vulnerability in that additional functionality will compromise the security of the firewall.
SmallWall is barebones FreeBSD with about 10 utilities strung together to provide the functionality one would expect of a commercial-grade firewall. That's not to say that SmallWall is impenetrable, of course, but it does mean that its attack surface is a few orders of magnitude smaller than Debian's, which attempts to make possible virtually anything that can be done today with free software, on multiple architectures.
You don't have to rush to patch the latest vulnerability in a piece of software if you've made a conscious decision to avoid using that software in the first place. For instance, while people on Debian's security team scrambled to patch Shellshock, m0n0wall was unaffected because it doesn't provide shell access.
