I'm a network engineer working as consultant for government. You know what? I ordered a UDM SE. I'm dumping my opnsense (was fortigate before) for this UDM. I know it's not as powerful but it will do 99% of what I need for my network/lab. Network application 8 added a lot of stuff I needed. I already have APs and switches from Unifi so it's nice to have the full stock. Would I install unifi stuff for companies bigger than SMB? Absolutely not. For SMB and home, yes
pfsense+ was the version that was for homelab, and they said from the get go was going to go under their tac lite license for $129, but was initially free. The main feature that people liked with it, was boot environments which is essentially zfs snapshots, so you can restore after breaking something really quickly. pfsense CE, is still free, and it's 99% the same software. You can just restore your pfsense+ config, to pfsense CE, and carry on
Good video overall, but one thing that I think is worth also mentioning is that the mandatory cloud-accessibility of unifi firewalls is a security nightmare waiting to happen. Anyone, anywhere, can potentially log into your firewall. Once they do they own you. Even putting security aside, the fact that these things are managed via their cloud UI means that you are completely beholden to Ubiquiti - if they decide to start charging for any of this, you're SOL. If they decide to deprecate your current firewall model, you're SOL (because it will then stop checking into the cloud UI due to old firmware, and also then no longer be accessible). Also, like you mentioned, stability is a problem with Unifi. Imo even random "netgear" type firewalls are a much better choice for home users given the fact that they aren't externally accessible to the entire world by default like unifi firewalls are. Businesses and more security-conscious home users should be using pfsense/opnsense/sonicwall/etc.
Unifi is great but for my edge device I run a Netgate 8200 Max. With backing unifi switched and AP's. Their network controller (running in a container) is becoming more and more like the UDMP dashboard. To me this is the best of both worlds. I much prefer the "native" HAproxy over having to side load it onto the UDMP. I started running pfsense on my own hardware, to the UDMP for 2 years and now back to Pfsense on their own appliance and couldn't be happier.
So Pfsense FW, unfi sw and WiFi?? Are you doing any home camera system and if so what are you using for that? Any thoughts on using unfi products but not the UDM Pro?
@@canes4ever162 I have their G4 doorbell cams and run Unifi Protect off their NVR with a few G3 Wireless cams. Recently they have come under fire for people logging in to remote view their Cams but end up in someone else's Protect and Live cams. So until that's fixed, I would disable remote access.
pfsense, cheaper to run, has a great built in reverse proxy, much easier to create firewall rules, and generally has lots of great features. I even have a backup one setup in proxmox ready to go incase my main baremetal one craps out. Just move the cables, turn on the system, and I'm back up and running.
You make this statement as if it is fact but it is not hence the video. Sure if you want to provide your own hardware and time to setup for free pfense may be cheaper, but that is discounting a lot. Sure Pfsense has more flexibility but that flexibility isn't needed by the vast majority of use cases.
@@mekko1413 I made the statement as it pertains to me, and pfsense caters to my requirements and unifi doesn't. The statement is factual, as unifi doesn't have the advanced features. If you don't need the advanced features, then you can happily run unifi. I like unifi, I use their switches, but for my use case, their firewalls currently don't meet my needs, so my answer is completely factual. There is no right or wrong answer, it's completely subjective. That went over your head.
You should also take a look at Synology's offerings. They are obviously most well known for their NAS lineup..but they have some really solid wifi and routing gear. I run a synology setup at my house and it works really well. As a professional network engineer/architect..my standards are pretty high and my need to tinker is always a priority..and the synology stuff definitely checks the boxes for me as a home user. I think it would be a very good fit for smaller businesses as well..though admittedly I wouldn't spec it out for anything larger than SOHO/doctor's office/similar applications unless the data flows were pretty limited in complexity to keep the ACLs/policies reasonable. Anyway...just a data point to consider. Have a good one!
I whole heartedly agree. I have 2 Synology routers thanks to Will and Robbie at NASCompares. The RT6600ax as my main router and an RT2600ac as an access point. These routers have the best user interface and feature list of any router that I have ever used. I'm just a home user so have not experience the more commercial types. I love the ability to create profiles for both devices and filter sets. Highly under rated IMHO. We really need for someone like Will to do a really deep dive into one.
I love my Synology RT2600AC router! I has been running for years now with a 4G dongle in the back, and I've always been amazed at how good it was! At one point I was about to exchange it for a Ubiquiti setup because I needed VLANs but while sobbing over how expensive Ubiquiti was/is Synology released an update bringing in VLANs 👌 😂 Synology is a great router/firewall/4G modem and more for very cheap! Very underrated IMO...
For home, this Xmass holiday I will be spending time on PFSense on a 4port 2.5Gb miniPC, Omada AP, 2.5Gb Managed switch and 3 VLANs to improve security
I’m just a simple home user but I find pfSense firewall way easier to configure than Unifi. I used to have a Edreouter X and I just couldn’t get my firewall rules to work. Sure I got internet access but I had big problems to create a separate IoT VLAN that my main LAN could connect to but not the other way around. Then I saw some videos about pfSense and suddenly everything made sense. I could understand what I was doing and make my own rules instead of just trying to copy some others work. And from what I've seen in videos, the Unifi firewall rules seem to be confusing as well. The user interface plus pfBlocker was the main reason that I switched from a Edgerouter to a Netgate 3100 and I haven’t regreat that a single moment.
@@SpaceRexWill If I may. I would like to notate that Edge gear by Ubiquiti does not (Outside of VERY specific functions) utilize Unifi for management, configuration, etc. You CAN however manage slightly more functions on Edge gear, if you are using Ubiquiti's UNMS / UISP cloud / self-hosted service. Otherwise, you would either need to use all Edge gear and that management platform, or Unifi platform gear. Outside of that, the hardware for Edge EQ itself might be close / similar but the software / services are definitely a separate beast altogether. But, I agree as far as setting up Unifi vs Edge... Edge gear is definitely meant for more manual / advanced setups and moderate - larger deployments. Also, Ubiquiti just added "Shadow Mode" for High Availability for failover. May not be as automatic but... It is there now. Within the last month. You JUST missed it! Hehe help.ui.com/hc/en-us/articles/19581768432535-Shadow-Mode-Gateway-High-Availability
Unfortunately, ubiquiti routers are a bit expensive (comparatively) in Europe. The regular dream machine is about $320 (excl sales tax/VAT) and the pro is about $400 which is closer at least (although VAT/sales tax is 23-25% though so for prosumer use it’s a bit heft I think).
With that said, I currently use a ASUS-router which has this annoying “feature” that if you ever dare activate UPnP or QoS, the UPnP-service will always run in the background, regardless of settings used… I feel like getting either a new router altogether or put a firewall before the WAN-port on the router 😅
The change pfsense made with the CE versus Plus was always documented. Most users who jumped on the Plus and did not read about it was shocked. The fee is part of keeping the CE and Plus going rather than allowing it to stagnate. I do not view it as sus, but accept you do. Good video with information about the 2 platforms. They are closer together but still different.
Watchguard only here, the t35cw is pretty nice, configuration is super easy to migrate whenever needed and NBD replacement plus good visualization of traffic
The UDM is not only a firewall it;s a controller and it can contain a HDD for Unifi protect app that i use with camera and G4 Pro doorbell , so it's much more capable then a firewall , it also contains a 8 port switch , so this comparison it luke compare apples with pears
They're great but really harder to set up unless you're well-versed in network administration. I find ubiquity, tp-link, and pf/opnsense easier to set up for a layman.
I was an Unify user. I had the smaller router and there controller. To my suprise Unify went full cloud mode meaning that there will be some sort of subscription. I skipped the router cause it was a hassle to go around the subscription thing. Now looking for an new router that has opensource software on it.
@@MartinTechReviews I am aware of that, but its not as easy as it was. For what i read that you must have a subscription for the first time if you want to manage Unify routers. Here at the shop thy told me that you manage the routers within the cloud. Also i was reading that the Unify router has a speed botleneck at 600Mb/sec.
Great video. I had pfsense on own hardware and dumped it after they pulled the rug on pfsense+. Got a UDM-Pro on Black Friday sale and am excited. Can you do a follow up video on unbound+pihole the gets external DNS (ex cloud flare) over TLS or something secure? Thanks @SpaceRexWill
lol if you can setup two routers with static WAN IP's, plus CARP VIP's for each VLAN interface you need, plus configure your sync interface and then test all of this in 5 min then I should hire you
@@SpaceRexWill Hire me Rex because it shouldnt take 90m. Straight out the box (so to speak) configure individual LAN IPs on both units and set up the pfsync interface should take no more than 5min. 8m if im making a K-cup. After that we are syncing configs from master to backup.
Using firewall and router as one word/item just isn't correct, even when not talking "massive"... A modem sits between the internet and your local network... More routers in one network, yes but you are not talking about a small business here but a rather large when when saying things like this. yeah, not feeling good about the video, and that's only watching the first 3 min
Nowadays it pays to use your isps' router, if anything goes wrong with it, they fix it. Had a netgear and it croaked after 8 months and also created RF interference on my speakers.
I'm a network engineer working as consultant for government. You know what? I ordered a UDM SE. I'm dumping my opnsense (was fortigate before) for this UDM. I know it's not as powerful but it will do 99% of what I need for my network/lab. Network application 8 added a lot of stuff I needed.
I already have APs and switches from Unifi so it's nice to have the full stock. Would I install unifi stuff for companies bigger than SMB? Absolutely not. For SMB and home, yes
As long as don't need a openVPN solution UDM will do just fine in most situations.
The lack of openVPN is a deal breaker for me.
@@arnoldsmit3289 I use openvpn on my UDM SE 🤔
I use it for client and site to site
What are you talking about UDM Pro has OpenVPN option for both server and client side @@arnoldsmit3289
Udm has OpenVPN now and Wireguard but they function abysmally
For VPN why would you not set up a dedicated Wireguard docker or server or even just plug in a GL.Inet router to handle Wireguard?
pfsense+ was the version that was for homelab, and they said from the get go was going to go under their tac lite license for $129, but was initially free. The main feature that people liked with it, was boot environments which is essentially zfs snapshots, so you can restore after breaking something really quickly.
pfsense CE, is still free, and it's 99% the same software.
You can just restore your pfsense+ config, to pfsense CE, and carry on
or just use OPNsense and stop using netgate garbage
how about a OPNsense comparison as well?
Good video overall, but one thing that I think is worth also mentioning is that the mandatory cloud-accessibility of unifi firewalls is a security nightmare waiting to happen. Anyone, anywhere, can potentially log into your firewall. Once they do they own you. Even putting security aside, the fact that these things are managed via their cloud UI means that you are completely beholden to Ubiquiti - if they decide to start charging for any of this, you're SOL. If they decide to deprecate your current firewall model, you're SOL (because it will then stop checking into the cloud UI due to old firmware, and also then no longer be accessible). Also, like you mentioned, stability is a problem with Unifi. Imo even random "netgear" type firewalls are a much better choice for home users given the fact that they aren't externally accessible to the entire world by default like unifi firewalls are. Businesses and more security-conscious home users should be using pfsense/opnsense/sonicwall/etc.
Unifi is great but for my edge device I run a Netgate 8200 Max. With backing unifi switched and AP's. Their network controller (running in a container) is becoming more and more like the UDMP dashboard. To me this is the best of both worlds. I much prefer the "native" HAproxy over having to side load it onto the UDMP. I started running pfsense on my own hardware, to the UDMP for 2 years and now back to Pfsense on their own appliance and couldn't be happier.
So Pfsense FW, unfi sw and WiFi?? Are you doing any home camera system and if so what are you using for that?
Any thoughts on using unfi products but not the UDM Pro?
@@canes4ever162 I have their G4 doorbell cams and run Unifi Protect off their NVR with a few G3 Wireless cams.
Recently they have come under fire for people logging in to remote view their Cams but end up in someone else's Protect and Live cams. So until that's fixed, I would disable remote access.
Same here, only I have the Netgate 6100 Max. Love my setup .
7 Months later I find this video looking at getting a pfsense for HA ... and 5 minutes later I see your new video about unifi now doing HA.
nice :)
That's like comparing apples to oranges.
One of the best breakdowns of networking eq selection I've seen! Thank you!
pfsense, cheaper to run, has a great built in reverse proxy, much easier to create firewall rules, and generally has lots of great features.
I even have a backup one setup in proxmox ready to go incase my main baremetal one craps out. Just move the cables, turn on the system, and I'm back up and running.
You make this statement as if it is fact but it is not hence the video. Sure if you want to provide your own hardware and time to setup for free pfense may be cheaper, but that is discounting a lot. Sure Pfsense has more flexibility but that flexibility isn't needed by the vast majority of use cases.
@@mekko1413 I made the statement as it pertains to me, and pfsense caters to my requirements and unifi doesn't.
The statement is factual, as unifi doesn't have the advanced features. If you don't need the advanced features, then you can happily run unifi. I like unifi, I use their switches, but for my use case, their firewalls currently don't meet my needs, so my answer is completely factual.
There is no right or wrong answer, it's completely subjective. That went over your head.
You should also take a look at Synology's offerings. They are obviously most well known for their NAS lineup..but they have some really solid wifi and routing gear. I run a synology setup at my house and it works really well. As a professional network engineer/architect..my standards are pretty high and my need to tinker is always a priority..and the synology stuff definitely checks the boxes for me as a home user. I think it would be a very good fit for smaller businesses as well..though admittedly I wouldn't spec it out for anything larger than SOHO/doctor's office/similar applications unless the data flows were pretty limited in complexity to keep the ACLs/policies reasonable. Anyway...just a data point to consider. Have a good one!
I whole heartedly agree. I have 2 Synology routers thanks to Will and Robbie at NASCompares. The RT6600ax as my main router and an RT2600ac as an access point. These routers have the best user interface and feature list of any router that I have ever used. I'm just a home user so have not experience the more commercial types. I love the ability to create profiles for both devices and filter sets. Highly under rated IMHO. We really need for someone like Will to do a really deep dive into one.
I love my Synology RT2600AC router! I has been running for years now with a 4G dongle in the back, and I've always been amazed at how good it was! At one point I was about to exchange it for a Ubiquiti setup because I needed VLANs but while sobbing over how expensive Ubiquiti was/is Synology released an update bringing in VLANs 👌 😂 Synology is a great router/firewall/4G modem and more for very cheap! Very underrated IMO...
100% Synology has a great offering.
Unifi is good for a neutered it just works approach. Pfsense is a superior firewall.
Once a UDM can do dynamic routing (OSPF,BGP) and clean up that mess of firewall rules creation...I am fully onboard and ditching my Netgate.
This
I am new to this and just in the decision phase. What mess are you referring to?
There seems to be quite a few forum posters out there that recommend OPNSense after the wireguard situation.
Can I use both?
We skipped over the fact that this video didn't start with "how's it going y'all?"
So how's it going! :D
Whoops!
Exactly! How’s it going! 😊
what ?!! I won't hit play them ! LOL
For home, this Xmass holiday I will be spending time on PFSense on a 4port 2.5Gb miniPC, Omada AP, 2.5Gb Managed switch and 3 VLANs to improve security
I’m just a simple home user but I find pfSense firewall way easier to configure than Unifi.
I used to have a Edreouter X and I just couldn’t get my firewall rules to work. Sure I got internet access but I had big problems to create a separate IoT VLAN that my main LAN could connect to but not the other way around.
Then I saw some videos about pfSense and suddenly everything made sense. I could understand what I was doing and make my own rules instead of just trying to copy some others work. And from what I've seen in videos, the Unifi firewall rules seem to be confusing as well.
The user interface plus pfBlocker was the main reason that I switched from a Edgerouter to a Netgate 3100 and I haven’t regreat that a single moment.
The edge routers really sucked to maintain from a home user perspective
@@SpaceRexWill If I may. I would like to notate that Edge gear by Ubiquiti does not (Outside of VERY specific functions) utilize Unifi for management, configuration, etc. You CAN however manage slightly more functions on Edge gear, if you are using Ubiquiti's UNMS / UISP cloud / self-hosted service. Otherwise, you would either need to use all Edge gear and that management platform, or Unifi platform gear. Outside of that, the hardware for Edge EQ itself might be close / similar but the software / services are definitely a separate beast altogether. But, I agree as far as setting up Unifi vs Edge... Edge gear is definitely meant for more manual / advanced setups and moderate - larger deployments.
Also, Ubiquiti just added "Shadow Mode" for High Availability for failover. May not be as automatic but... It is there now. Within the last month. You JUST missed it! Hehe
help.ui.com/hc/en-us/articles/19581768432535-Shadow-Mode-Gateway-High-Availability
I run away from everything that has subscriptions, I like to buy hardware not rent it.
Great video
hope in future gaving mikrotik router's explaining i think they do decent work
Appreciate your works and videos
Unfortunately, ubiquiti routers are a bit expensive (comparatively) in Europe. The regular dream machine is about $320 (excl sales tax/VAT) and the pro is about $400 which is closer at least (although VAT/sales tax is 23-25% though so for prosumer use it’s a bit heft I think).
With that said, I currently use a ASUS-router which has this annoying “feature” that if you ever dare activate UPnP or QoS, the UPnP-service will always run in the background, regardless of settings used… I feel like getting either a new router altogether or put a firewall before the WAN-port on the router 😅
Thanks for that information with no fluff!
The change pfsense made with the CE versus Plus was always documented. Most users who jumped on the Plus and did not read about it was shocked. The fee is part of keeping the CE and Plus going rather than allowing it to stagnate. I do not view it as sus, but accept you do.
Good video with information about the 2 platforms. They are closer together but still different.
This is the kind of info I was looking for. Thank you.
Plain L3 routing: Mikrotik RouterBoard
NGFW: Fortigate and Sophos XGS
Question for those who went pfsense, what did you do for WiFi?
I went the unifi 16 port switch lite for a L2 switch and 2 unifi APs for wifi. Works great.
I've tried ap solutions from mikrotik, ubiquity, and tp-link and could recommend 6/6e aps of the latter two companies.
@@joshderrick8653 thank you
Watchguard only here, the t35cw is pretty nice, configuration is super easy to migrate whenever needed and NBD replacement plus good visualization of traffic
Excellent thorough review!
Another alternative of pfsense is mikrotik. Tons of options and ia just work
what about firewalla? trying to figure out opnsense vs unfi vs firewalla
I have not had a great time with firewalla personally. Though I have not spent much time with it and this was right when it had first launched
Can you do multiwan (3x ISPs) in ubuiti?
2x only
I opdated our NG4100 one time.. all VPN stop working, and i only find a solution by SSH into it, and reset it.... :/ but good firewall, hard to setup
The UDM is not only a firewall it;s a controller and it can contain a HDD for Unifi protect app that i use with camera and G4 Pro doorbell , so it's much more capable then a firewall , it also contains a 8 port switch , so this comparison it luke compare apples with pears
Software wise UDM doesn't compare to PFsense / OPNsense for firewall / routing functionality. They're in completely different leagues.
How about Firewalla hardware? comments?
I would have compared to a Protectli running PFsense.
What do you think about MikroTik routers?
They're great but really harder to set up unless you're well-versed in network administration. I find ubiquity, tp-link, and pf/opnsense easier to set up for a layman.
What a great video. Thank you
Firewalla is the best!
FWG FTW!
Not available easily in other countries :(
can you make a video talk about the setting on the unifi firewall? i just get the unifi DreamMachine SE, thanks
but then what about opnsense?
PFSense , is free ..
Only if your time is worth nothing. Rocking Firewalla here after using both of them and thrilled at the ease of use with feature set.
@@ystebadvonschlegel3295 That could be said about pretty much any product.
So you like Pf Sense 🤣
I was an Unify user. I had the smaller router and there controller.
To my suprise Unify went full cloud mode meaning that there will be some sort of subscription.
I skipped the router cause it was a hassle to go around the subscription thing.
Now looking for an new router that has opensource software on it.
Dude, you can self host controller on raspberry pi with 2GB RAM
@@MartinTechReviews
I am aware of that, but its not as easy as it was. For what i read that you must have a subscription for the first time if you want to manage Unify routers. Here at the shop thy told me that you manage the routers within the cloud.
Also i was reading that the Unify router has a speed botleneck at 600Mb/sec.
Great video. I had pfsense on own hardware and dumped it after they pulled the rug on pfsense+. Got a UDM-Pro on Black Friday sale and am excited. Can you do a follow up video on unbound+pihole the gets external DNS (ex cloud flare) over TLS or something secure?
Thanks @SpaceRexWill
Nice ❤
OPNsense!
90m to set up High Availability?!? Seriously? Maybe 5m. Once you set up the Master configs are sync'd on each change.
90 minutes???
lol if you can setup two routers with static WAN IP's, plus CARP VIP's for each VLAN interface you need, plus configure your sync interface and then test all of this in 5 min then I should hire you
@@SpaceRexWill Hire me Rex because it shouldnt take 90m. Straight out the box (so to speak) configure individual LAN IPs on both units and set up the pfsync interface should take no more than 5min. 8m if im making a K-cup. After that we are syncing configs from master to backup.
Using firewall and router as one word/item just isn't correct, even when not talking "massive"...
A modem sits between the internet and your local network...
More routers in one network, yes but you are not talking about a small business here but a rather large when when saying things like this.
yeah, not feeling good about the video, and that's only watching the first 3 min
For a layman, that's close enough. And not all internet users have a modem, btw.
Nowadays it pays to use your isps' router, if anything goes wrong with it, they fix it. Had a netgear and it croaked after 8 months and also created RF interference on my speakers.