Hey Unifi, LISTEN TO THIS MAN, he is actually making sense and taking the time to help you IMPROVE your product! Raid Owl, thanks for your effort. Cheers!
I'm a nobody who is way late to this conversation... BUT I AM circling back to considering your products after getting TOTALLY HOSED after buying your initial black tough router, camera, and WAP.... (of which, ONLY the WAP was worthwhile.... for a while). Soooooo, if Tom's saying fix it.... "FIX IT!!!" ...That stated, Raid Owl made AWESOME points, so they need to be resolved as well.
Yup - put it into the name or description. Ain't pretty but at least it's readable. Takes some discipline to change the description whenever a port is added or removed. Also doesn't work when following the paradigm to have important settings only changed in one place. But until UniFi fixes the interface ... it's probably the best workaround.
UniFi PLEASE Thanks for the review. I’ve been on UDM for almost 2 years now. Love the ecosystem! I have been slowly migrating to Protect from a hodgepodge of cameras and love being able to see everything in one place. I have been frustrated by some of the things you mentioned but my network is not yet as complex as yours - so I have a heads up on things to come. There have been massive improvements during my time on the system so I have hope that many of the gripes will be addressed. On Protect, it is nice but pricey and is missing some features of my previous setup. Keep on milking the vids for us 😂
I love this video because you didn't love or hate Unifi. For me I love my UDM Pro because it does what I need, how I would like for it to be done. I don't have a lot of firewall rules, vlans etc. I have a few vlans, I have multiple external IP addresses (which weren't supported when I first got my UDM Pro), and have a few basic port forwarding rules. I moved from a PFSense box to the UDM Pro because I didn't want to work on firewalls after spending all day working on firewalls. I wanted something that was nice and easy to manage that did what I needed it to do, the UDM Pro ticked those boxes for me. Having said the above, I don't recommend the UDM Pro/SE to everyone, it's about the needs/wants vs the capabilities of each router option.
I purchased a Unifi gateway, and this is the fourth time I'm giving it a try. I love pfSense, but my latest firewall is Sophos, which is also very good. With Unifi, I often feel like I'm not smart enough to operate their firewall. But your video explains a lot of it. Thank you ❤
Installed a UDM-SE last year, and I agree with you on the firewall rules part (I forgot what I did with DNS). I managed a lot of different brands of firewalls in my job, so I'm used to configuring firewall rules ... But seeing this GUI confused me. They should up their game in certain aspects, and it'd be even nicer to use.
I was running a full TP-Link Omada setup, which is basically a Unifi clone at half the price and in some cases I found more stable. The firewall was great to have in a single interface VS using OPNsense and then everything else controlled in Omada. But, they have the same weird static IP, DNS, firewall rules, and VPN issues. Used it for 4 months and then I donated the firewall to local small business and went back to OPNsense. Only thing I changed this time around was to virtualize OPNsense VS bare metal like my original setup since part of the reason I tried to switch was also saving electricity by eliminating a few hundred watt space heater in my collection.
You did a really good job breaking down the pros and cons. Outside my job as a network engineer I like to keep my home simple-ish. I run pfsense with UniFi APs and switching. I did consider a USG recently but holy shit you broke it down as to why I don’t want to do it. I got firewall rules, 6 vlans, IPsec to my OCI instances all running bgp. Did I say simple? Moving to a USG would eliminate my routing, my VPN option. Too much work making that transition. Juice not worth the squeeze. Great video. But cmon…you could’ve self hosted that controller without a cloud key 😂
@RaidOwl Absolutely, being in total control of your own hardware is important. Too many examples out there of companies doing rug-pulls on its users, either through product retirement or government pressure (yes, tin-hat conspiracy material)
I do agree that it's definitely a great product for those that do want the simple solution. I use it for my family and my networks while I'm moving around a lot (in the Navy) so it's easy to use. When I eventually retire and have a more permanent home I might buy something more "technical"; but for now it's very user friendly when at the end of the day I want it to just work.
Please Unifi listen. The firewall is the exact reason why I didn't pull the trigger when I put it in my shopping cart. I ended up only getting APs. Don't have a large network but I do have a home lab.
Welcome to the world of SDN! The hardware is fully capable of doing all you want but the software is limiting it. I just shut down the last of my SDN (Meraki) even though I still had 2 years licensing left. SDN is great for those that want something easy and don't want pfSense or OPNSense. I don't mind the quirks of pfSense and a managed non-cloud switch. It lets me know I own my data and traffic info and don't have to do stupid stuff to block prying eyes. Doing the setup for firewalls and port forwarding and DHCP reservations is just par for the course because they want you to use the easy way of just not doing it.
I had the same WAN setup, ATT fiber as primary and Xfinity as my backup. Fiber is more reliable than cable so I ditched Xfinity and went with T-Mobile Home internet. I figured a 5G backup made more sense, since cable would be more likely to go out than fiber. Just my thinking. My TMHI isn't bad. I get roughly 180 down 20 up. Enough for a backup internet plan and it's $30/month.
UNIFI does not support IPv6 through its ecosystem, for example a UDM PRO and downstream we have a UNIFI L3 switch, you can only do Layer 3 routing between the UDM PRO and UNIFI switch using IPv4. We are in 2023 and any product family which cannot route IPv6 is a big NO NO NO. When Unifi arrives in the 21st century, maybe I will give their products a try.
100 percent. I work for a very large tech company that may have wanted to do a hardware partnership perhaps but dang the firewall section coupled with the QoS settings and how their devices do NOT allow you to properly configure Dante/NDI traffic.... Unifi has sooooo much potential and could literally softball such easy wins into their platform but who knows. Anyway great video sir. You gained a new follower.
Good video, mate. If "forgetting" devices isn't enough, you could SSH into them and run "set-default Factory Reset". Should pop up for adoption after a while.
Interesting video. I’m a retired IT guy and I’ve been expanding my home network equipment to include Pfsense, Unifi access points and recently moved to using their 2nd generation cloud key where I was using a raspberry pi with unifi’s management software installed. I also have several vlans configured to separate my IOT devices, guest devices, etc. When my Pfsense device dies or needs upgrading I’ll be deciding on whether it makes sense to move to a UDM Pro instead or not. I’m enough of a geek to not mind tinkering in Pfsense but it would be nice to live in just one ecosystem. Ah, decisions. 😂 Thanks for the video and giving me food for thought.
YOU FUCKING NAILED IT! Unifi is good for the ecosystem, wifi, protect, access, etc but those firewall rules + VPN stuff is BAD, so now I'll maybe switch the dream machine for dual PFsense firewalls with 10g and a beefy CPU that could handle the 10G protection as I'm getting 10g at home
We actually deploy UniFi gateways for customers that predominantly use cloud services and infrastructure and as such don’t publish internal resources or only a few of them since they are so set and forget. And should you change or update something we can manage them remotely. It’s also convenient to manage everything in one place including security cameras. When customers need more complex setups in their gateways we use other more granular products.
agree. I’ve deployed 6 different Unifi systems and supported 2 large scale systems. While neither admittedly had any firewall rules, the only thing I really love about unifi vs. other systems is the price and availability. The other pieces you listed as positives I agree with completely. My biggest issue lately is the software updates that break the communication between ubiquiti devices that have been steady for months and months.
lol. I just did the exact opposite. I've been on UDM pro and Unify ecosystem for years and just switched to Pfsense for my firewall. I still use unifi switches, access points and for cameras but no longer use the UDM Pro for firewall and so glad I switched.
Good synopsis. 2 years ago I would have said no to their Gateway products. Now though, after having used many firewalls (PFSense and OPNSense included), I would say they can finally compete at that level. Though yes, more interface work is needed. I also like the way they have separated out OPENVPN and Wireguard VPNs. Traditional Site to Site is a totally separate animal for creating links to traditional firewalls. The DNS request would be a nice feature add.
Great job on pointing out the pros and cons of using Unifi vs pfSense, but I have to add some more to the list. First, I used both systems, but ended up going to pfSense every time, although I still have the UDM SE and I love it. The first thing to add to what Unifi lacks is the ability to add a FQDN as a FW alias, making it very hard to keep track of a website address if the IP addresses change, such as a notification service for a surveillance camera system, whereas in pfSense it is as simple as just adding the FQDN of the notification server and never worrying about it again. The other thing is the ability to work on FW rules in bulk, copying multiple ones especially from one interface to another just like on pfSense. For instance, unable to set a DNS server for an individual client different from other clients on the network, bandwidth and proper detailed QoS as in pfSense. But I still like Unifi even with all those cons and thanks again for the video!
UNIFI PLEASE! Every now and then I think about moving to a UDM-SE/Pro and then I watch something that says, No. Thanks for confirming I should stay on pfsense 😂
I LOVE your analogies and my displeasure and dissatisfaction with this company at this point, and their ridiculous prices (they used to be cheap - really) has definitely compelled me to subscribe and like. Thank you for being comprehensive.
finally you have come on over to the dark side. but seriously I love my Unifi setup, it just keeps growing and I have no complaints. started with basic networking and then added an access point and later a nano. just grew from that.
I just got a UDM SE and I absolutely LOVE it. But yea the UX for setting up the few basic firewall rules I wanted for the house was a nightmare. Thank god once it's set up you don't really have to mess with it again.
Lapsed unifi user here thinking about coming back for VLAN deployment. Watching your videos reminded me of why I left. Thanks for saving me some money!
You can move them from the cloud key gen 2 pro to the udm pro, I had to do this at work from a cloud hosted unifi appliance to a cloud key gen 2 pro, the option is kinda hidden, but it's there and it works as long as both unifi network appliances are online and on the same unifi account. Took about 5 minutes to transfer everything then reboot and adopt the devices.
CK to UDM migration only requires you to set up the UDM with the CK restore, then set the UDM to the same IP as the CK. Unplug the CK and all the devices will provision to the UDMP. I’ve done this myself and it works
@RaidOwl issue is it's a convoluted mess to figure out for the non-initiated. I also had the benefit of upgrading from a usg so I moved firewall rules as well. Overall good video and a good presentation on the good bad and ugly.
Before 2:30, the migration: The newer controller should have an option to "auto" (with or without authentication) transfer the network configuration and control of the infrastructure. (Home use, without; business, with). The user should have to go to any of the infrastructure devices. Maybe we should get some "Bonjour" protocol, the one Apple uses (used?) to connect and control the network devices. As Todd Howard said "it just works", and yes it just works.
I've been searching everywhere and you've finally answered the port forwarding and reverse proxy questions I've had. It's preventing me from switching over. I have the UDM just sitting there. Unifi plz
I agree it could be easier. I was asked to help my church with their network which has Unifi. I figured out everything from the app or web gui myself just by clicking on the options. Very easy to use. I’ll be moving to Unifi for the ids/idp as nothing else out there has such easy implementation of the feature. Just wish this had the ability to run adguard on it.
If you want to migrate your network devices over from the Cloud Key Gen 2+, it is a matter of backing up the network config and then restoring it to the UDM Pro. If you want to do it a bit harder way, but without having to go to each device to reset it, then just go into your network management console on the CK Gen 2+, before removing it from your network, and go to each network device. Then go to the device's management tab, go to the bottom, and 'Forget' the device. That resets it to factory defaults.
I completely agree with the points you make here and would love them to completely redesign their DHCP/DNS and firewall/traffic sections. It would also be nice for consistency across the board.... It's like if Apple and Microsoft designed something .. looks great but you have to have several different implementations to get what others have out of the box ... But I do love unifi ... just would like for them to figure themselves out.
This is exactly why I didn't go with the UDM, not only that the port forwarding is trash, but you can't even set up an external firewall with the UDM, you either use the UDM and all its goodies or you don't. I ended up going with an edgerouter 4 as my router/firewall and it's worked pretty well but that was only because my pfsense box was a dell optiplex from 2008 and consumed too much power for my liking.
This is what really stops me from replacing PFsense with Unifi, I think I'm gonna stick with the PFsense for what matters, and Unifi for switching and wireless stuff.
Find this fun to watch as the TP-Link videos are why I switched my goals to go the TP-Link route. I have one Unifi NanoHD AP, but when I get enough money, I want to swap it out. TP-Link appears to me to be better budget-friendly for my family.
I'm planning to buy a UDM for my home lab and I really don't play a lot with firewall rules, only blocking some VLANs from accessing my main network, so ideally I think the UDM is a good choice for me. Also the 7.5 update I think changes a lot in firewall rules but I don't have a UDM yet so I can't say more.
It really shines for what you all get for free. They could have you buy a key for every application and they do not. Networking, security, phone, entry, NVR, etc. is built in. It is solid and the best deal out there. That said, I would not use them for business. Their biggest downfall is support. When you are down and losing business, forums and chat just don't cut it. But for home? Absolutely! I went from UDM to UDM Pro to UDM Pro SE. LOVE the GUI and having dual WAN AND a 10G LAN port to tie in my 10G switches is awesome.
Unifi is great for access points and switches. Didn't test the access and camera thing. But for firewalling, I'm glad this guy has the same feedback as myself. I found it terribly bad. Some features are good but most of them are badly designed or inconsistent. Migrated to a fiber connection for my ISP (1 Gbps download and 500 Mbps upload). Noticed that after installing the Unifi Security Gateway, even with the latest update available on the market, the hardware capped the bandwidth to 500 Mbps! Was immediately put to sleep and replaced with an OPNsense custom made firewall.
Unifi just released v.3.1.16 this week which improves port forwarding! To get it change UniFi OS "Release Channel" from Official to Release Candidate. You might find other improvements for your case as well. At the very least you could get some more content about it for the channel. ;)
Hi! I’m in the Pro UniFi camp for the most part. I do get that some implementations in UniFi are a bit backwards. I love the ecosystem. UniFi is like the Apple of networking now when Apple isn’t making that kind of stuff anymore. Also traffic management is pretty straightforward to use if you use the apps feature. You don’t even need to know a thing about ports or tcp/udp to block since that’s all taken care of for a pretty decent selection of apps and services. Also built in network protections like dark net protection and honey pots paired with deep active packet inspection with great throughput is really good. We deploy UniFi to customers of different sizes but mostly small to medium sized with just a few or no public services hosted on the inside. Most of our customers leverage the cloud and have fewer and fewer reasons for using VPNs now, or hosting services on-prem. Protect is great and also hosting multiple network customers in one controller.
im planning on the exact same upgrade. looking forward to the contents. I really wanted to know the differences between opnsense (fork of pf sense) and UDM which looks really promising.
The Unifi upgrade dramas were big enough for our business to stop deploying the brand's products to any of our clients and we just completed the last switchout to Cisco again. Stuff costs us a fortune for original outlay but it just works, and works and works...
I'm looking at converting from 20 year old half-Cisco equipment to unifi in a medium to large business. When I say 20 years, I'm serious. One device hasn't been cycled in 7 years and has a copyright date of 2004. I love Cisco with a passion but the goal is to make it so less knowledgeable techs can do some basic stuff easier. Will also allow me to get rid of some other devices older than 2010. I am worried about IPSec though. Going with a Dream Machine Pro with a handful of Pro Max 48-port switches. The RGB will actually be useful for us so vendors and a few others know what things are with a glance. Also a handful of the APs and an outdoor AP. May get a phone, camera and key control to test too. The drawback with Unifi is that most of its cool features are unifi only but still basic functions still will work. Edit: thanks, you did touch on a couple things I didn't think too much about.
@unifi definitely needs a lot of work but they have also come a long way over this past year. Lots of amazing upgrades that you don't have to worry about SSHing in to modify.
I would not hold your breath - Even the simplest of firewall and router features, such as managing NAT, which people have been asking for for 4-5 years! I did the same as you about 4 years ago, spent a load of money on switches, AP, USG etc.. I used the USG for about 4 weeks, then threw it in the "useless gadgets" drawer, where it sat until about 12 months ago, and I flogged it on eBay! I recently bought a UDR for our holiday home, so I could have something set and forget, but I'm already regretting it... and should have bought a GL.iNet router instead!
On the Port Forward + Firewall Rule thing, UniFi does what most users expected: When creating a port forward, traffic to that port is automatically allowed (by one of those grayed-out "Predefined" rules that can't be modified). To restrict it, create your own Accept / Drop rule(s) "Before Predefined." Before CloudFlare Tunnels came along, I ran for years only allowing http(s) traffic from CloudFlare's origin IPs (plus CloudFlare's Authenticated Origin Pulls feature). I don't think it was always the case that UniFi automatically created the Allow rule. When they added the feature to the EdgeRouter it was _optional_ and it's a bit silly that they didn't do the same on UniFi but c'est la vie.
For the port forwarding part (and that you have to open it to the world). It's possible to secure it. Place an internet allow rule (for the IP addresses you want to allow) and place an internet drop rule after it. I know, it's not great but it works if you place the allow and the drop above the greyed-out port forwarding rule. For the most part, I agree, the UI for the firewall rules sux pretty bad.
I agree about the firewall. I've been using unifi for a while and the firewall is just a pain in the ass. Why it's not more like the windows firewall, which to me is intuitive, is beyond me.
Last time I upgraded my router I decided against the UDM and built an opnsense box because back then Unifi was a privacy nightmare with devices constantly phoning home and sending logs. The Pro Max seems like a great device, especially the 5Gbit IPS is great for the price. I was wondering if Ubiquiti has finally ceased to spy on its customers or at least given them a proper mechanism to opt out, or if they still collect everything you do *anonymized*?
You’re probably going back to PFsense eventually.. Nothing beats PFsense.. Unifi looks very slick.. and it’s easy to configure.. that’s one of my reasons I am not moving, because PFsense is a different world altogether
Agree, firewall rules SUCK SO BADLY, I wish we also had an option to default deny, rather than default accept, I like to explicitly allow rather than explicitly deny myself. Also, wish we had access to NAT rules and actual interface level control like pfsense, hopefully with time they will improve it.
You can also get the big cloud version of Unifi that can manage thousands of Unifi devices in the LANs and all that stuff, but you've got to pay monthly in the cloud. The machine itself to run at your business is pretty freaking expensive, but not that expensive if you're a business. But for a home user, hell yeah.
The ancient AT&T DSL router I have to use -- one with the bare minimum effort put into it to qualify as a viable freaking product -- has a better firewall rule UI than the UDM Pro/SE. Someone from Ubiquiti's firewall rule UX team needs to sit down, have a couple beers with this guy, and walk away with a completely new design because the one we've had to deal with for years is a bucket of dog vomit. Or maybe visit a former customer's site and take a look at the UI of the device that inevitably replaced the whatever Ubiquiti device they had before, because I can't imagine anyone would have the patience to deal with that mess for that long.
Same experiences here: I'd like to have everything in one UI, but actually special, granular settings are hard to implement in Unifi. In the end for professional use cases the Unifi firewall is not recommendable. And having a good amount of practice with pfSense is always a good deal. That's why I switched from pfSense to Unifi - and back again. 😎
You can make a "cloudflare rule" by creating a new Drop rule for the NAT rule, and then create a new rule. Under Source, create a "Port/IP group" and destination as you prefer, port 80 and 443 or what you prefer here. Just remember that the rules you create are "internet in" type rules. And last, remember to put them in the right order: first the cloudflare rule, and then the Drop rule...
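As an added illustration of the ordering these three comments describe (not UniFi's code or any commenter's), this small first-match model shows why an Accept-from-allowed-sources rule plus a Drop rule only restrict a forwarded port when they sit before the predefined port-forward allow rule; the IP ranges and sample traffic are constructed placeholders.

```python
"""First-match firewall model: why user Accept/Drop rules must sit before UniFi's
auto-created (predefined) port-forward allow rule to actually restrict a forwarded port.
Added example; a simplified model of first-match semantics, not UniFi's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

ANY = ("0.0.0.0/0",)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "accept" or "drop"
    src: Tuple[str, ...] = ANY       # permitted source networks (CIDR)
    dports: Tuple[int, ...] = ()     # destination ports; empty means any port
    predefined: bool = False         # True for the greyed-out rule UniFi adds itself


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    addr = ip_address(pkt.src)
    src_ok = any(addr in ip_network(net) for net in rule.src)
    port_ok = not rule.dports or pkt.dport in rule.dports
    return src_ok and port_ok


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> Tuple[str, str]:
    """First matching rule wins; unmatched Internet-In traffic falls to the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


# Constructed placeholder ranges (RFC 5737 documentation space) standing in for the
# CDN / reverse-proxy origin ranges you would actually allow.
CDN_RANGES = ("198.51.100.0/24", "203.0.113.0/24")
WEB_PORTS = (80, 443)

PREDEFINED_PF = Rule("Predefined: port forward 80/443", "accept", dports=WEB_PORTS, predefined=True)
ALLOW_CDN = Rule("Allow CDN origins -> web", "accept", src=CDN_RANGES, dports=WEB_PORTS)
DROP_WEB = Rule("Drop all other -> web", "drop", dports=WEB_PORTS)


def before_predefined() -> List[Rule]:
    """Ordering the comments recommend: own rules first, predefined allow last."""
    return [ALLOW_CDN, DROP_WEB, PREDEFINED_PF]


def after_predefined() -> List[Rule]:
    """Naive ordering: the predefined allow is evaluated first and short-circuits."""
    return [PREDEFINED_PF, ALLOW_CDN, DROP_WEB]


# Constructed sample traffic: one CDN-origin hit, one direct hit, one unrelated port.
SAMPLE = (
    Packet("198.51.100.7", 443),
    Packet("192.0.2.55", 443),
    Packet("192.0.2.55", 22),
)


def outcomes(rules: List[Rule]) -> Dict[Tuple[str, int], str]:
    """Verdict per sample packet for a given rule ordering."""
    return {(p.src, p.dport): evaluate(rules, p)[0] for p in SAMPLE}


def forwarded_port_is_restricted(rules: List[Rule]) -> bool:
    """True only if a non-CDN source cannot reach the forwarded web ports."""
    return all(evaluate(rules, Packet("192.0.2.55", port))[0] == "drop" for port in WEB_PORTS)


if __name__ == "__main__":
    for label, ruleset in (("before predefined", before_predefined()),
                           ("after predefined", after_predefined())):
        print(f"== user rules {label}: restricted={forwarded_port_is_restricted(ruleset)}")
        for pkt in SAMPLE:
            action, name = evaluate(ruleset, pkt)
            print(f"  {pkt.src}:{pkt.dport:<4} -> {action:<6} ({name})")
```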
From my perspective, the unifi firewall, dhcp, and dns is complete garbage from the feature and management perspective. This is why I still use the pfsense + unifi AP/Switches combo.
I migrated to UDMP from a regular controller by backing up and restoring during the wizard phase. But even starting fresh doesn't mean you have to physically reset all units... When you "forget" a unit from the old controller you reset it and it's waiting to be adopted. Looking at the rest of the video now but this was a very weird thing to do tbh...
I have a similar opinion of Unifi, their switches and APs are good, but their firewall offering is mediocre at best. I'm going to keep rocking my Unifi networking equipment + pfSense firewall setup. Thanks for taking the bullet and trying the Unifi firewall.
11:25 This rule doesn't do what you think it does. It will only do anything for traffic entering pfSense on the LAN3 interface, and that means it likely does nothing except for requests from LAN3 net to route to LAN3 net, essentially to its own network (which if network local direct traffic isn't blocked everywhere, would instead just be point to point without going through the firewall). For example a device connecting to LAN2 will essentially only check rules on LAN2 when entering pfSense (exception to this are floating rules), and traffic will not check again any rules on the interface where it is exiting (i.e. it bypasses any rules on LAN3).
@RaidOwl I can only cheer to that! :D Good video btw, just finished it, took some pauses as I was comparing it with my all TP-Link network (Hardware controller, switches, router, APs, you name it, it's here). I thought about Unifi, but to be honest, here in AT it's a bit expensive, compared to other systems. Although my TP-Link setup was not cheap either, it was for sure cheaper than the Unifi setup.
Take a backup of UniFi network only and suck that in. UCK2 to UDM is a headache. Stop using the front 8 ports for LAN uplink/downlink. Use port 8 for secondary WAN2 if copper is needed (as you have done). Use the SFP+ ports for LANs. You can create PF rules for each IP to the same ports. Go to Settings, Advanced and select legacy interface. Now you can rename the "Default" LAN name to something that does make sense.
I think you'll be back with pfsense over Unifi. I flip between pfsense and Sophos XG Home. I remember utterly hating the UDM-Pro I ordered in spring 2020, I sold it within a month and fortunately for more than I paid.
You should have been able to migrate the Network config via backup and restore, from the cloud even. Or from a downloaded config backup file. But you would have to change VLANs in your firewall replacement step since VLANs are handled differently in UniFi and you probably had them set up as VLAN-only VLANs on the cloud key.
I'm going the opposite route. Moving from a UDM Pro to virtualized OPNsense. Got a Brocade switch. Going with Ruckus APs. Tired of the unifi bs. Going to be selling that UDM Pro soon.
It’s plenty of folks doing that. Remember ubnt is Apple 🍎 like
They don’t care.
You could say, he is actually making PfSense
UNIFI PLZ! They are finally getting the VPN features more like other firewall but how they did those firewall rules is just a mess!
You hear that Unifi? THE Tom Lawrence agrees with me...so fix it!
Also, please add multiple PPPoE as you have on EdgeRouter.
I just want to be in this conversation. So yeah UNIFI FIX IT!!
I’d like to add to the tally 😅
Glad to see someone finally call out the dhcp & dns limitations.
Great overview. The port thing is a little annoying in the firewall rule. I always just add it to the description
There he is, our Unifi Jesus ❤️
@RaidOwl 😂
He is the Messiah @RaidOwl
2:00 Instead of moving the devices one by one, there is an option to do a site migration to move them all over at once seamlessly.
100% agree with the awful firewalling UX. I had to make a DMZ with a UDM Pro and absolutely struggled.
4:50 what a clean little visual transition!
Big fan of the channel (new discovery for me!) and information presentation skills
Haha yeah def but I’m a sucker for dedicated controller hardware 🙃
Thank you for sharing your experience with it! 👍
Upvoting this video, because unifying Unifi haters and fans alike should award you the Nobel Peace Prize.
I do agree that it's definitely a great product for those that do want the simple solution. I use it for my family and my networks while I'm moving around a lot (in the Navy) so it's easy to use. When I eventually retire and have a more permanent home I might buy something more "technical"; but for now it's very user friendly when at the end of the day I want it to just work.
The ship rolling across the screen at 06:28 absolutely killed me
Good content as usual, keep up the efforts
Please Unifi listen. The firewall is the exact reason why I didn't pull the trigger when I put it in my shopping cart. I ended up only getting AP's. Don't have a large network but I do have a home lab.
Agree with you on the DNS really need it.
Welcome to the world of SDN! The hardware is fully capable of doing all you want but the software is limiting it. I just shut down the last of my SDN (Meraki) even though I still had 2 years of licensing left. SDN is great for those that want something easy and don't want pfSense or OPNsense. I don't mind the quirks of pfSense and a managed non-cloud switch. It lets me know I own my data and traffic info and don't have to do stupid stuff to block prying eyes. Doing the setup for firewalls and port forwarding and DHCP reservations is just par for the course because they want you to use the easy way of just not doing it.
"Holy Shit the Firewall Rules..." Had me 😂💀😂💀
Essential video. Thank you
I had the same WAN setup, ATT fiber as primary and Xfinity as my backup. Fiber is more reliable than cable so I ditched Xfinity and went with T-Mobile Home internet. I figured a 5G backup made more sense, since cable would be more likely to go out than fiber. Just my thinking. My TMHI isn't bad. I get roughly 180 down 20 up. Enough for a backup internet plan and it's $30/month.
UNIFI does not support IPv6 through its ecosystem. For example, with a UDM PRO and downstream a UNIFI L3 switch, you can only do Layer 3 routing between the UDM PRO and the UNIFI switch using IPv4. We are in 2023 and any product family which cannot route IPv6 is a big NO NO NO. When Unifi arrives in the 21st century, maybe I will give their products a try.
100 percent. I work for a very large tech company that may have wanted to do a hardware partnership perhaps, but dang, the firewall section coupled with the QoS settings and how their devices do NOT allow you to properly configure Dante/NDI traffic....
Unifi has sooooo much potential and could literally softball some easy wins into their platform, but who knows.
Anyway great video sir. You gained a new follower.
Good video, mate. If "forgetting" devices isn't enough, you could SSH into them and run "set-default Factory Reset". Should pop up for adoption after a while.
Interesting video. I’m a retired IT guy and I’ve been expanding my home network equipment to include Pfsense, Unifi access points and recently moved to using their 2nd generation cloud key where I was using a raspberry pi with unifi’s management software installed. I also have several vlans configured to separate my IOT devices, guest devices, etc. When my Pfsense device dies or needs upgrading I’ll be deciding on whether it makes sense to move to a UDM Pro instead or not. I’m enough of a geek to not mind tinkering in Pfsense but it would be nice to live in just one ecosystem. Ah, decisions. 😂 Thanks for the video and giving me food for thought.
YOU FUCKING NAILED IT! Unifi is good for the ecosystem, wifi, protect, access, etc., but those firewall rules + VPN stuff is BAD, so now I'll maybe switch the dream machine for dual pfSense firewalls with 10G and a beefy CPU that could handle the 10G protection as I'm getting 10G at home
Interesting topic, you did exactly the thing I'm thinking about, thank you for the opinions and information!
Objectivity!!! Very helpful, thank you!!
We actually deploy UniFi gateways for customers that predominantly use cloud services and infrastructure and as such don’t publish internal resources or only a few of them since they are so set and forget. And should you change or update something we can manage them remotely. It’s also convenient to manage everything in one place including security cameras. When customers need more complex setups in their gateways we use other more granular products.
agree. I’ve deployed 6 different Unifi systems and supported 2 large scale systems. While neither admittedly had any firewall rules, the only thing I really love about unifi vs. other systems is the price and availability. The other pieces you listed as positives I agree with completely. My biggest issue lately is the software updates that break the communication between ubiquiti devices that have been steady for months and months.
Completely agree about the firewall. I too run pfSense at home and Unifi for my church. Yes, Unifi please make it better.
You could've done a backup of the "site" from the cloud key and restored it during the setup of the UDM PRO
Great video!
lol. I just did the exact opposite. I've been on UDM Pro and the UniFi ecosystem for years and just switched to pfSense for my firewall. I still use Unifi switches, access points and cameras but no longer use the UDM Pro for firewall, and so glad I switched.
OMG I THOUGHT I WAS GOING INSANE thank you for making this video
Good synopsis. 2 years ago I would have said no to their Gateway products. Now though, after having used many firewalls (pfSense and OPNsense included), I would say they can finally compete at that level. Though yes, more interface work is needed. I also like the way they have separated out OpenVPN and WireGuard VPNs. Traditional Site to Site is a totally separate animal for creating links to traditional firewalls. The DNS request would be a nice feature add.
Great job on pointing out the pros and cons of using Unifi vs pfSense, but I have to add some more to the list. First, I used both systems, but ended up going to pfSense every time, although I still have the UDM SE and I love it. The first thing to add to what Unifi lacks is the ability to add a FQDN as a FW alias, making it very hard to keep track of a website address if the IP addresses change, such as a notification service for a surveillance camera system, whereas in pfSense it is as simple as just adding the FQDN of the notification server and never worrying about it again.
The other thing is the ability to work on FW rules in bulk, copying multiple ones, especially from one interface to another, just like on pfSense. For instance, being unable to set a DNS server for an individual client different from other clients on the network, and proper and detailed bandwidth QoS as in pfSense. But I still like Unifi even with all those cons, and thanks again for the video!
UNIFI PLEASE!
Every now and then I think about moving to a UDM-SE/Pro and then I watch something that says, No.
Thanks for confirming I should stay on pfsense 😂
I LOVE your analogies and my displeasure and dissatisfaction with this company at this point, and their ridiculous prices (they used to be cheap - really) has definitely compelled me to subscribe and like. Thank you for being comprehensive.
finally you have come on over to the dark side. But seriously, I love my Unifi setup, it just keeps growing and I have no complaints. Started with basic networking and then added an access point and later a nano. Just grew from that.
Yeah I like mine too, but nothing is safe from criticism ;)
I just got a UDM SE and I absolutely LOVE it. But yea the UX for setting up the few basic firewall rules I wanted for house was a nightmare. Thank god once it's set up you don't really have to mess with it again.
Lapsed unifi user here thinking about coming back for VLAN deployment. Watching your video's reminded me of why i left. Thanks for saving me some money!
The firewall system would bother me too. I might just say screw it and put the UDM behind a dedicated appliance if it was supported.
You can move them from the cloud key gen 2 pro to the udm pro, I had to do this at work from a cloud hosted unifi appliance to a cloud key gen 2 pro, the option is kinda hidden, but it's there and it works as long as both unifi network appliances are online and on the same unifi account. Took about 5 minutes to transfer everything then reboot and adopt the devices.
CK to UDM migration only requires you to set up the UDM with the CK restore, and set the UDM to the same IP as the CK. Unplug the CK and all the devices will provision to the UDMP. I've done this myself and it works.
I just migrated cloud key to udm pro se last week. It's possible and easy once you find where to upload the backup.
Glad that’s actually an option!
@RaidOwl issue is it's a convoluted mess to figure out for the non-initiated. I also had the benefit of upgrading from a usg so I moved firewall rules as well. Overall good video and a good presentation on the good bad and ugly.
Before 2:30, the migration:
The newer controller should have an option to "auto" (with or without authentication) transfer the network configuration and control of the infrastructure. (Home use, without; business, with). The user should have to go to any of the infrastructure devices.
Maybe we should get some "Bonjour" protocol, the one Apple uses (used?) to connect to and control the network devices.
As Todd Howard said, "it just works", and yes, it just works.
I've been searching everywhere and you've finally answered the port forwarding and reverse proxy questions I've had.
It's preventing me from switching over. I have the UDM just sitting there.
Unifi plz
I agree it could be easier. I was asked to help my church with their network which has Unifi. I figured out everything from the app or web gui myself just by clicking on the options. Very easy to use. I’ll be moving to Unifi for the ids/idp as nothing else out there has such easy implementation of the feature.
Just wish this had the ability to run adguard on it.
If you want to migrate your network devices over from the Cloud Key Gen 2+, it is a matter of backing up the network config and then restoring it to the UDM Pro. If you want to do it a bit harder way, but without having to go to each device to reset it, then just go into your network management console on the CK Gen 2+, before removing it from your network, and go to each network device. Then go to the device's management tab, go to the bottom, and 'Forget' the device. That resets it to factory defaults.
I like the port grouping. I have a lot of servers, and having labelled all the ports, referencing a server is easy.
I like that.
I completely agree with the points you make here and would love them to completely redesign their DHCP/DNS and firewall/traffic sections. It would also be nice for consistency across the board.... Its like if apple and microsoft designed something .. looks great but you have to have several different implementations to get what others have out of the box ... But I do love unifi ... just would like for them to figure themselves out.
This is exactly why I didn't go with the UDM, not only that the port forwarding is trash, but you can't even set up an external firewall with the UDM, you either use the UDM and all its goodies or you don't. I ended up going with an edgerouter 4 as my router/firewall and it's worked pretty well but that was only because my pfsense box was a dell optiplex from 2008 and consumed too much power for my liking.
This is what really stops me from replacing PFsense with Unifi, I think I'm gonna stick with the PFsense for what matters, and Unifi for switching and wireless stuff.
Unifi plz! BTW, great 45Drives summit
Thanks! It’s probably cuz I wasn’t there haha
Find this fun to watch as the TP-Link videos are why I switched my goals to go the TP-Link route. I have one Unifi NanoHD AP, but when I get enough money, I want to swap it out. TP-Link appears to me to be better budget-friendly for my family.
I'm planning to buy a UDM for my home lab and I really don't play a lot with firewall rules, only blocking some VLANs from accessing my main network, so ideally I think the UDM is a good choice for me. Also the 7.5 update I think changes a lot in firewall rules, but I don't have a UDM yet so I can't say more.
Yeah my final thoughts were just that, if you’re not running a huge network or need the firewall rules at all…it’s awesome.
You could have gone into your cloud key and selected each device and pressed forget, and they would factory reset for you
Thank you. I have a UniFi access point. I am not going any further. I got a headache just listening to you
It really shines for what you all get for free. They could have you buy a key for every application and they do not. Networking, security, phone, entry, NVR, etc. is built in. It is solid and the best deal out there. That said, I would not use them for business. Their biggest downfall is support. When you are down and losing business, forums and chat just don't cut it. But for home? Absolutely! I went from UDM to UDM Pro to UDM Pro SE. LOVE the GUI, and having dual WAN AND a 10G LAN port to tie in my 10G switches is awesome.
Unifi is great for access points and switches. Didn't test the access and camera thing.
But for firewalling, I'm glad this guy has the same feedback as myself. I found it terribly bad. Some features are good but most of them are badly designed or inconsistent.
Migrated to fiber connection for my ISP (1 Gbps download and 500 Mbps upload). Noticed that after installing the Unifi Security Gateway, even with latest update available on the market, the hardware capped the bandwidth to 500 Mbps! Was immediately put to sleep and replaced with OPNsense custom made firewall.
Unifi just released v.3.1.16 this week which improves port forwarding! To get it change UniFi OS "Release Channel" from Official to Release Candidate. You might find other improvements for your case as well. At the very least you could get some more content about it for the channel. ;)
Eagerly waiting for that to be released proper. Watched a few reviews and it appears to fix quite a few pain points. Cheers! JM
Hi! I’m in the Pro UniFi camp for the most part. I do get that some implementations in UniFi are a bit backwards. I love the ecosystem. UniFi is like the Apple of networking now that Apple isn’t making that kind of stuff anymore. Also traffic management is pretty straightforward to use if you use the apps feature. You don’t even need to know a thing about ports or TCP/UDP to block, since that’s all taken care of for a pretty decent selection of apps and services. Also built-in network protections like dark net protection and honey pots, paired with deep active packet inspection with great throughput, is really good.
We deploy UniFi to customers of different sizes but mostly small to medium sized, with just a few or no public services hosted on the inside. Most of our customers leverage the cloud and have fewer and fewer reasons for using VPNs now, or hosting services on-prem. Protect is great, and also hosting multiple network customers in one controller.
I'm planning on the exact same upgrade. Looking forward to the content. I really wanted to know the differences between OPNsense (fork of pfSense) and the UDM, which looks really promising.
The Unifi upgrade dramas were big enough for our business to stop deploying the brand's products to any of our clients, and we just completed the last switchout to Cisco again. Stuff costs us a fortune for original outlay but it just works, and works and works...
I'm looking at converting from 20-year-old, half Cisco equipment to Unifi in a medium to large business. When I say 20 years, I'm serious. One device hasn't been cycled in 7 years and has a copyright date of 2004. I love Cisco with a passion, but the goal is to make it so less knowledgeable techs can do some basic stuff easier. Will also allow me to get rid of some other devices older than 2010. I am worried about IPSec though.
Going with a Dreammachine pro with a handful of promax 48port switches. The RGB will actually be useful for us so vendors and a few others know what things are with a glance. Also a handful of the APs and an outdoor AP. may get a phone, camera and keycontrol to test too.
The drawback with Unifi is that most of its cool features are unifi only but still basic functions still will work.
Edit: thanks, did touch on a couple of things I didn't think too much about.
You can plug a Unifi PoE adapter directly into an AP, then hit the reset button on the PoE adapter
0:37 deserves a like
@unifi definitely needs a lot of work but they have also come a long way over this past year. Lots of amazing upgrades that you don't have to worry about SSHing in to modify.
I would not hold your breath. Even the simplest of firewall and router features, such as managing NAT, which people have been asking for for 4-5 years!
I did the same as you about 4 years ago, spent a load of money on switches, AP, USG etc. I used the USG for about 4 weeks, then threw it in the "useless gadgets" drawer, where it sat until about 12 months ago, when I flogged it on eBay!
I recently bought a UDR for our holiday home, so I could have something set and forget, but I'm already regretting it... and should have bought a GL.iNet router instead!
On the Port Forward + Firewall Rule thing, UniFi does what most users expected: When creating a port forward, traffic to that port is automatically allowed (by one of those grayed-out "Predefined" rules that can't be modified). To restrict it, create your own Accept / Drop rule(s) "Before Predefined." Before CloudFlare Tunnels came along, I ran for years only allowing http(s) traffic from CloudFlare's origin IPs (plus CloudFlare's Authenticated Origin Pulls feature).
I don't think it was always the case that UniFi automatically created the Allow rule. When they added the feature to the EdgeRouter it was _optional_, and it's a bit silly that they didn't do the same on UniFi, but c'est la vie.
For the port forwarding part (and that you have to open it to the world): it's possible to secure it. Place an internet allow rule (for the IP addresses you want to allow) and place an internet drop rule after it. I know, it's not great, but it works if you place the allow and the drop above the greyed-out port forwarding rule.
For the most part, I agree, the UI for the firewall rules sux pretty bad.
I agree about the firewall. I've been using unifi for a while and the firewall is just a pain in the ass. Why it's not more like the windows firewall, which to me is intuitive, is beyond me.
Last time I upgraded my router I decided against the UDM and built an OPNsense box, because back then UniFi was a privacy nightmare with devices constantly phoning home and sending logs. The Pro Max seems like a great device; especially the 5 Gbit IPS is great for the price.
I was wondering if Ubiquiti has finally ceased to spy on its customers, or at least given them a proper mechanism to opt out, or if they still collect everything you do *anonymized*?
You’re probably going back to pfSense eventually.. Nothing beats pfSense.. UniFi looks very slick.. and it’s easy to configure.. that’s one of my reasons I am not moving, because pfSense is a different world altogether
Agree, firewall rules SUCK SO BADLY, I wish we also had an option to default deny, rather than default accept, I like to explicitly allow rather than explicitly deny myself. Also, wish we had access to NAT rules and actual interface level control like pfsense, hopefully with time they will improve it.
NAT rules... Yes please!!!
@Raid Owl pls do a long term review of this and see if they fix those firewall rules
You can also get the big cloud version of UniFi that can manage thousands of UniFi devices in the lands and all that stuff, but you've got to pay monthly. The cloud machine itself to run at your business is pretty freaking expensive, but not that expensive if you're a business. But for a home user, hell yeah.
The ancient AT&T DSL router I have to use -- one with the bare minimum effort put into it to qualify as a viable freaking product -- has a better firewall rule UI than the UDM Pro/SE. Someone from Ubiquiti's firewall rule UX team needs to sit down, have a couple beers with this guy, and walk away with a completely new design because the one we've had to deal with for years is a bucket of dog vomit.
Or maybe visit a former customer's site and take a look at the UI of the device that inevitably replaced the whatever Ubiquiti device they had before, because I can't imagine anyone would have the patience to deal with that mess for that long.
Same experiences here: I'd like to have everything in one UI, but actually special, granular settings are hard to implement in Unifi.
In the end for professional use cases the Unifi firewall is not recommendable. And having a good amount of practice with pfSense is always a good deal.
That's why I switched from pfSense to Unifi - and back again. 😎
You can make a "cloudflare rule" by creating a new Drop rule for the NAT rule, and then create a new rule.
Under Source, create a "Port/IP group", and destination as you prefer: port 80 and 443, or what you prefer here.
Just remember that the rules you create are "internet in" type rules.
And last, remember to put them in the right order: first the cloudflare rule, and then the Drop rule...
On a serious note, I'd be happy to take that pfSense 4100 appliance off your hands if you're looking to part with it.
From my perspective, the unifi firewall, dhcp, and dns is complete garbage from the feature and management perspective. This is why I still use the pfsense + unifi AP/Switches combo.
How does pfSense manage the Ubiquiti devices?
@blondeguy08 it doesn’t. It's a completely separate device, managed separately.
I migrated to UDMP from a regular controller by backing up and restoring during the wizard phase. But even starting fresh doesn't mean you have to physically reset all units... When you "forget" a unit from the old controller you reset it and it's waiting to be adopted. Looking at the rest of the video now but this was a very weird thing to do tbh...
I have a similar opinion of Unifi: their switches and APs are good, but their firewall offering is mediocre at best. I'm going to keep rocking my Unifi networking equipment + pfSense firewall setup. Thanks for taking the bullet and trying the Unifi firewall.
@Raid Owl Which one is you favorite, Unifi or Omada? Keep up your great work.
It now shows you what's in the port group by hovering over the fw rule... So slowly improving
11:25 This rule doesn't do what you think it does. It will only do anything for traffic entering pfSense on the LAN3 interface, and that means it likely does nothing except for requests from LAN3 net to route to LAN3 net, essentially to its own network (which, if network-local direct traffic isn't blocked everywhere, would instead just be point to point without going through the firewall). For example, a device connecting to LAN2 will essentially only check rules on LAN2 when entering pfSense (the exception to this is floating rules), and traffic will not check again any rules on the interface where it is exiting (i.e. it bypasses any rules on LAN3).
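As an added worked example (not code from the video, from UniFi or from pfSense), the following toy first-match rule evaluator models the two points raised in this thread: the "allow Cloudflare origins, then drop, both before the greyed-out port-forward rule" ordering advice in the comments above, and the ingress-interface semantics in the comment immediately above (a rule bound to LAN3 never sees a packet that enters on LAN2). The interface names, VLAN subnets and the "Cloudflare" CIDRs are constructed placeholders, not real Cloudflare ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

# Constructed sample data: placeholder "Cloudflare origin" group and two VLAN subnets.
CLOUDFLARE_ORIGIN_NETS = ("203.0.113.0/24", "198.51.100.0/24")
LAN2_NET = "10.0.2.0/24"
LAN3_NET = "10.0.3.0/24"
WEB_PORTS = frozenset({80, 443})


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet ENTERS on, e.g. "WAN", "LAN2", "LAN3"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "drop"
    iface: Optional[str] = None          # None = floating rule, checked on every interface
    src_nets: Sequence[str] = ()         # empty = any source
    dst_nets: Sequence[str] = ()         # empty = any destination
    dports: frozenset = frozenset()      # empty = any port
    label: str = ""

    def matches(self, pkt: Packet) -> bool:
        # pf semantics: an interface-bound rule is consulted only where the packet enters.
        if self.iface is not None and self.iface != pkt.in_iface:
            return False
        if self.src_nets and not any(ip_address(pkt.src) in ip_network(n) for n in self.src_nets):
            return False
        if self.dst_nets and not any(ip_address(pkt.dst) in ip_network(n) for n in self.dst_nets):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def first_match(rules: Sequence[Rule], pkt: Packet, default: str) -> str:
    """Action of the first matching rule (pfSense rules are 'quick' by default), else the policy default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def unifi_internet_in(pkt: Packet, mode: str = "allow_first") -> str:
    """Model of the UniFi 'Internet In' chain for a port-forwarded web service.

    mode: "none"        -> only the predefined (auto-created) port-forward allow exists
          "allow_first" -> allow Cloudflare group, then drop, both 'Before Predefined' (correct)
          "drop_first"  -> drop placed above the allow (misordered: nothing ever reaches the allow)
    """
    allow_cf = Rule("allow", "WAN", src_nets=CLOUDFLARE_ORIGIN_NETS, dports=WEB_PORTS, label="allow CF origins")
    drop_rest = Rule("drop", "WAN", dports=WEB_PORTS, label="drop everyone else")
    predefined = Rule("allow", "WAN", dports=WEB_PORTS, label="predefined port-forward allow")
    user_rules = {"none": [], "allow_first": [allow_cf, drop_rest], "drop_first": [drop_rest, allow_cf]}[mode]
    # UniFi's chain ends in the greyed-out predefined allow, so the effective default is "allow".
    return first_match(user_rules + [predefined], pkt, default="allow")


def pfsense_verdict(pkt: Packet, block_rule_on: Optional[str]) -> str:
    """pfSense-style per-interface rule sets with a 'block LAN2 -> LAN3' rule bound to block_rule_on.

    Binding it to "LAN3" (as at 11:25) is a no-op for LAN2-originated traffic; binding it to the
    ingress interface "LAN2" or making it floating (None) actually enforces it.
    """
    rules = [
        Rule("drop", block_rule_on, src_nets=(LAN2_NET,), dst_nets=(LAN3_NET,), label="block LAN2->LAN3"),
        Rule("allow", "LAN2", label="default allow LAN2 net to any"),
        Rule("allow", "LAN3", label="default allow LAN3 net to any"),
    ]
    return first_match(rules, pkt, default="drop")   # pf's implicit default is deny


if __name__ == "__main__":
    cf = Packet("WAN", "203.0.113.5", "10.0.2.80", 443)
    scanner = Packet("WAN", "192.0.2.7", "10.0.2.80", 443)
    for mode in ("none", "allow_first", "drop_first"):
        print(f"{mode:12s} cloudflare={unifi_internet_in(cf, mode)} scanner={unifi_internet_in(scanner, mode)}")
    lan2_to_lan3 = Packet("LAN2", "10.0.2.10", "10.0.3.20", 22)
    for bound in ("LAN3", "LAN2", None):
        print(f"block rule on {bound!s:5s}: LAN2->LAN3 is {pfsense_verdict(lan2_to_lan3, bound)}")
```

The first loop shows why the thread insists on ordering: with no user rules the predefined allow exposes the service to everyone, with allow-then-drop only the Cloudflare group gets through, and with drop-then-allow the allow rule is dead code. The second loop shows that the same block rule is a no-op when bound to LAN3 and effective only on the ingress interface or as a floating rule.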
But more importantly, I could milk it to make videos like this one. You deserved my like sir!
Honesty is the policy
@RaidOwl I can only cheer to that! :D Good video btw, just finished it, took some pauses as I was comparing it with my all-TP-Link network (hardware controller, switches, router, APs, you name it, it's here). I thought about UniFi, but to be honest, here in AT it's a bit expensive compared to other systems. Although my TP-Link setup was not cheap either, it was for sure cheaper than the UniFi setup.
Take a backup of UniFi Network only and suck that in. UCK2 to UDM is a headache.
Stop using the front 8 ports for LAN uplink/downlink. Use port 8 for secondary WAN2 if copper is needed (as you have done). Use the SFP+ ports for LANs. You can create PF rules for each IP to the same ports. Go to Settings, Advanced and select legacy interface. Now you can rename the "Default" LAN name to something that does make sense.
I would love to see a way to direct a specific VLAN out through a specific WAN port. Haven't seen a way to do that yet.
Under the Network config, Internet Source IP lets you select the WAN interface and IP the VLAN uses.
I think you'll be back with pfsense over Unifi. I flip between pfsense and Sophos XG Home. I remember utterly hating the UDM-Pro I ordered in spring 2020, I sold it within a month and fortunately for more than I paid.
You should have been able to migrate the Network config via backup and restore from the cloud, or from a downloaded config backup file. But you would have to change VLANs in your firewall replacement step, since VLANs are handled differently in UniFi and you probably had them set up as VLAN-only VLANs on the cloud key.
I'm going the opposite route. Moving from a UDM Pro to virtualized OPNsense. Got a Brocade switch. Going with Ruckus APs. Tired of the Unifi BS.
Going to be selling that udm pro soon.
I run all Unifi hardware, except their firewall and cctv equipment. I just cannot leave pfSense. They seriously are dropping the ball on this front.
I giggled in less than 60s. Have the UV :)
10:35 got me cracked up 😂