PERFECT timing! I just got a UDM Pro Max and a Unifi Pro HD 24 POE switch as my first Unifi devices besides U7 Pro Max and trying to migrate from OPNsense firewall rules to the Unifi Zone Firewall rules has been a complete headache. The OPNsense/Pfsense way of doing firewall rules was way easier to understand but maybe this video is exactly what I need.
Sweet! I have exactly the same devices + UNAS Pro. @lawrencesystems awesome. Please, with 2 new zones for secure (VLANs just for management of the UniFi devices & one for personal hardware) & unsecure devices (IoT, cams, etc.). Firewall rules for the UNAS Pro would be amazing too. Most just show how the device works but never touch the FW rules. Thank you!
Thanks Tom. I made the change from pfSense to UDM-SE about 12 months ago. I agree the new firewall layout is way more intuitive than the old way. Looking forward to more videos.
Switched from pfSense to a UDM Pro well over a year ago now, and it's been good. Steep learning curve, and certainly there were firewall limitations at the time. But the updates in Network v9 have been awesome, and you're completely correct Tom that they are a bit fiddly to understand to begin with, but Unifi has made the firewall quite easy to use.
I have 2 questions: 1) How will other firewall brands (Sonicwall, Sophos, etc) be able to compete when even the Proofpoint add-on is 1/10th their price? Are they just milking the end of a dying business? 2) As great as Unifi products are, do we really trust these guys enough to hinge our whole business on their software staying free and great? What if they get bought out?
1. Look up a Check Point machine. They're selling to a different grade of enterprise. Sophos and others are fine for some people who like/are used to them. 2. Same is true of any company you pick.
@@JamisonStaysAtHome One of the reasons why I use an open source firewall on my own hardware. If they no longer support it or something should happen I can easily switch to another open source firewall. Can't do that easily with proprietary hardware such as Unifi's.
1) I do feel those companies are overcharging. 2) With their current founder/CEO I don't see them selling soon, but that risk is always there. I MUCH prefer open source, but when there is not a good open source solution with all the features I want available, I have to make some hard choices.
Tom, could you make a video about your implementation of nginx and how you are using that in your Unifi environment? I could use some clarification on how to implement this in my home environment. As you stated, Unifi doesn't have a full featured solution for certificates. I really only do this kind of thing on the weekends as a hobby, so I would love to see a video talking about the whys and hows. - Chris
@@LAWRENCESYSTEMS That's perfect, thank you so much! I would also be interested in that topic. We recently moved into a new home and I set everything up from scratch with UniFi gear. The addition of the Proxy Manager would be the next logical step.
They intentionally don't update to extort their users and leave them vulnerable. Netgate is absolute slimeballs for 100 different reasons. Use OpnSense.
Netgate wants you to buy their overpriced hardware, which are off the shelf boxes one can buy direct from Silicom. They lured homelabbers onto pfSense Plus from CE and then pulled the rug out. Even if one does pay yearly for pfSense Plus it will deactivate itself if one adds or removes a NIC. Once it deactivates they'll graciously do a "one time favor" by letting one continue using their subscription. Management is generally hostile to its user base especially on Reddit. It's a good product that's being ruined by poor business practices.
Man I just swapped a Netgate 6100 for a UDM-Pro Max at my house/homelab. Have quite a few Netgates out there but Network 9 is very enticing. Already have Unifi switching and APs everywhere. Love the single panel for everything. And easy central management. As for WireGuard site to site: I created a WireGuard server in Unifi and pfSense as a "client", works great. Basically the reverse of how you are doing OpenVPN in this video.
They’re trying to encourage you to use VPN instead of exposing SSH on your WAN IP. Granted, it’s aggressive to void a warranty, but is a good way to have people strongly consider alternatives
That's not true. When enabling SSH it's not exposed automatically to WAN, and if not enabled you can't access it from the local network either. And I'm using SSH just for debugging purposes, so if I just enable it on the new EFG at a customer site and a port stops physically working or worse the mainboard fails, I can pay for a new EFG out of my pocket, €1899.
@@Zaim-S I agree, that is a no go for me. Not sure if that is even legal in Europe. A manufacturer has the burden of proof that it is the customer's fault when denying a warranty (this applies to B2B too since a few years). Even if that pop-up doesn't exist in Europe (because I'm from there), I would still be wary of companies that have vastly different warranty policies across regions, especially when showing hostility towards advanced users. You can deny my warranty if I break something using SSH, thank you very much; a pop-up telling me "Hey, if you use SSH you could void your warranty. Be careful!" would be a much better solution. I don't even know what they are scared of, users turning fan speed to 0 and overheating devices? If you break the config, a factory wipe would just fix whatever it was that you broke. Exposing SSH to WAN is dumb, but having access to it at all is basic functionality IMO.
I totally agree on that. I'm from the EU too, AT. And I do get the popup while trying to activate SSH on any console. I don't think this depends on where you are located.
6:25 That's the reason why I want to keep my DHCP server separate. This would make migration a lot easier except for firewall rules. 7:40 I like how the zone table is made where we can see what goes in (source) and what goes out (destination). Nice touch.
yeah agreed with your points. I also prefer a separation in functions. I keep DHCP/DNS and Reverse Proxy all on separate systems which makes migrations to any platform easy. Firewall rule translations will always be a pain but that's alright.
@ Oh nice! Are you running an evaluation version? Because I cannot afford one at all in a home environment. I would love to have one for Active Directory if I don't want to re-arm every 180 days or so and reinstall every couple of years...
@ A standard isc-dhcp-server. I can easily migrate the DHCP server to a different machine if I want to make any network structural/infrastructural changes as it's just a configuration file. I have it in my firewall appliance that's running Debian with nftables for my router.
@@Destroyer954 I don't think they'll ever get their sh!t together. As good as pfSense is their development, especially the transparency of it, is a joke.
Normally I have used Sophos firewalls but they have increased their prices 3 times a year. So I have a customer where I will use and test the UniFi Pro. (I have a lot of small customers where I use the UDM already.)
Hey Tom, great video! If you end up doing a follow up video with more advanced features, something else to consider. I know your personal take is to do ad blocking/DNS filtering at the client, but many people like using pihole w/ unbound as their local DNS server. Would be cool if you can set that up and see if it plays nicely with the advanced filtering, tracking and blocking built-in to unifi.
I have a sm dedicated appliance that runs OPNsense to my desktop and NAS, then a passthrough to a UniFi Dream Machine SE with its own firewall and wireless, both working great. OPNsense is way easier to figure out than pfSense, I always had trouble with pfSense.
Great video. Looking forward to more unifi firewall videos as I think I'm going to switch for at least the foreseeable future also. I wish you released this 3 days ago, so I didn't create all my firewall rules and routes etc., that will now get wiped when I import my current site from my self hosted controller so I keep my switch and AP settings. 😂 or I might just redo switch and AP settings, as there's less of that compared to, firewall rules, routing etc.
Really interesting video, thanks Tom. One thing that Unifi needs to work on is their documentation although it seems extremely easy to get things the way you want.
I just hope pfSense finally gets their act together in the near future. As good as pfSense is, their development team still hasn't heard about timelines, point releases or transparency even. Good on UniFi to be on the right way. Still need pfBlockerNG though. And decent certificate management. Maybe 10.0 is the charm ;) Thanks for sharing
Did you try some ipv6 too? Unifi still lagged behind while pfsense handled combined ipv4, ipv6 rules beautifully. I didn't see anyone cover it yet for the new firewall update on the Unifi side.
The fact that you even made this video shows how far Unifi has come. Still not perfect but Network 9.0 is a big deal. I finally got my internal network right and it took less time.
Perfect timing for me, too! I have a cloud gateway box I want to migrate a self-hosted controller and pfSense implementation to. I was desperately hoping that you might have found an easy way to import a whole bunch of DHCP reservations in one easy import... but NO! This is the major impediment to my starting the migration and it's disappointing this still isn't possible after all this time. There's hints that an API exists to do this, so maybe time to give that a try and hack up a quick and dirty python script or something.. Thanks for the video, perfectly timed for me!
Unifi is neat for simple setups - I installed a UDM at my work's office. At home no way I'd give up things like running HAProxy, Tailscale, custom lists etc. directly on the firewall. At home I've found pfSense on an old i3-7100 build with a dual SFP+ NIC, MikroTik switches, and Unifi APs does me well.
I may eventually move from pfsense to Unifi Firewall. Won't happen anytime soon as I'm still happy with pfsense. Just I like the GUI that Unifi provides. Just not too crazy getting locked in with some hardware that I can't do anything with after it's EOL. It's one of the reasons why I use open source firewall on my own hardware.
13:54 We use about 20 WG S2S setups between Unifi gateways and OPNsense gateways. It's definitely possible but there are a few annoyances:
1. every IP that communicates via the tunnel needs to be allowed via FW rule (tunnel, local, and site network)
2. static route on Unifi GW for the site network to the next hop WG tunnel IP of the other site
3. all traffic from a WG client has the source IP of the tunnel interface, so you need FW rules and routes to consider this fact
Other than that it works very stably and a lot faster than our IPsec tunnels. One other nice fact is that you don't need a continuous connection between the two sites, so if a customer has a very bad internet connection the experience is a lot better with WG tunnels.
@ Yes, that would be great, but I haven't heard anything about a complete S2S WireGuard implementation. This feature has been requested for a long time without any timeline from Ubiquiti. Interestingly their mobile routers have a native S2S WireGuard implementation.
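As an added illustration of the WireGuard site-to-site comment above (this is not the commenter's configuration, and Unifi itself is configured through its GUI rather than a file), here is what the two peers look like as plain wg-quick configs. All addresses, hostnames, subnets and keys are placeholders. The three annoyances map onto the file directly: the tunnel addresses (10.255.0.1 and .2) are the source addresses traffic will carry, the remote LAN in AllowedIPs is the route that Unifi needs entered by hand as a static route to the far tunnel IP, and WireGuard's AllowedIPs only decides which packets enter or leave the tunnel; it does not permit them, so the firewall rules for tunnel, local and remote networks still have to exist on both sides.

```ini
# Site A (gateway in front of 192.168.10.0/24) - placeholder values
[Interface]
Address = 10.255.0.1/30          # tunnel address; packets from this gateway arrive at B with this source IP
PrivateKey = <site-A-private-key>
ListenPort = 51820

[Peer]
PublicKey = <site-B-public-key>
PresharedKey = <optional-shared-psk>   # extra symmetric secret, same value on both peers
Endpoint = siteb.example.net:51820
# Cryptokey routing: only these destinations are sent to peer B, and only these sources are accepted from B.
# This is also the kernel route for 192.168.20.0/24 via the tunnel; a GUI that does not derive the
# route from AllowedIPs (the comment's point 2) needs a static route to 10.255.0.2 added separately.
AllowedIPs = 10.255.0.2/32, 192.168.20.0/24
PersistentKeepalive = 25         # keeps the NAT/state entry alive so B can initiate towards A

# Site B (gateway in front of 192.168.20.0/24) - placeholder values
[Interface]
Address = 10.255.0.2/30
PrivateKey = <site-B-private-key>
ListenPort = 51820

[Peer]
PublicKey = <site-A-public-key>
PresharedKey = <optional-shared-psk>
Endpoint = sitea.example.net:51820
AllowedIPs = 10.255.0.1/32, 192.168.10.0/24
PersistentKeepalive = 25
```

Because the handshake is lazy, either peer can be offline for a while and the tunnel simply resumes on the next packet, which is the "no continuous connection needed" behaviour the comment describes. When the remote LAN is omitted from AllowedIPs (as happens when a gateway only exposes a single client subnet), the remote site's traffic is silently dropped by WireGuard itself rather than by a firewall rule, so it never shows up in firewall logs; check AllowedIPs first when a site-to-site link passes pings between tunnel addresses but not between LANs.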
Really great video here and I like the options specifically around logging. I use Graylog to ingest not just syslog but IPFIX flows as well. Additionally, as stated, the ability to track down connections (blocks or permits) from the firewall rules is important for compliance or just basic troubleshooting, so that area for me needs improvement.
Lastly, I will say that Unifi has a cohesive experience, which for me is the biggest draw. pfSense, specifically its support for 3rd party packages, is jumbled and not clear and, most important, it's not supported. FRR on pfSense is broken. Dynamic routing with more than one peer does not work (Redmine 14630). There is an IPsec bug where any modification to the configuration results in all tunnels dropping traffic (Redmine 14483). There are more examples, but the point I'm trying to illustrate is that there is seemingly more support and a willingness to fix broken things on the Unifi side than the pfSense side. It's a much more polished experience from Unifi and I'm looking forward to the improvements. All that to say, for now, I'm still on pfSense.
As someone who has worked with interface rule based firewalls (i.e. Cisco ASA, pfSense, Smoothwall) but also worked with Palo Alto for 9+ years, the zone method is such a better way. All rules, one place, multiple subnets in one zone etc. Block by default is a better method to work by. Palo Alto has this too on interzone rules (traffic in and out of zones) blocked by default. On Palo Alto you can also configure intrazone rules (different subnets in the same zone), allowed by default; I assume you can do this too on Network v9?? I'm really debating whether to go Unifi or pfSense now as I only have Protect and all my switches are Aruba 2530s with Aruba APs and a few MikroTiks. I did have Unifi wifi and switching some years back but no desire to go back yet.
17:31 I have had a case opened with them since shortly after 9.0.8 came out asking for a state tracking table, coming from pfsense as well, can’t believe this feature was overlooked. It makes it much harder to troubleshoot when you need to run packet captures to see the traffic. This feature can’t come soon enough.
I just did this migration in the new year. Migrated my pfsense to the Unifi Express. Overall I'm pretty happy with it. The UX is pretty underpowered though and i plan to upgrade to the UCG Max asap.
Do you use the UDM Pro as your VLAN router or did you use the L3 capabilities of the unifi switch? In the video it shows "LTS Studio" for router... what device is LTS Studio? Curious about your VLAN to VLAN setup
If I am going to use unifi what do I do with my hikvision cameras? Unifi uses the same port as hikvision. I have tried a bit but they don't work together but can I easily change ports and if so what? hik or unifi for best results? I have about 40 hikvision cameras.
21:47 The eMMC on my ST-4100 was nearing EOL so I picked up a UCG Max while I see about swapping in an M.2. Seems to be doing everything I need well enough. I was able to export my HAProxy config file and drop it into an LXC container with HAProxy. All is well. Did take a while for my pf brain to adjust.
One thing I'm really missing is in the Geo section: I can block traffic to a country, but I cannot just view and filter all that traffic directly from the Geo tab, to be able to directly find what traffic is talking to a specific country. Let's hope that comes, just an easy way to see and filter that country's traffic.
My current pfsense install uses several pfblocker-ng lists, can I use those SAME block lists and load in my own list of entries? Everything is kinda set up the way I want it from a block vs. whitelist perspective.
@@LAWRENCESYSTEMS D'oh! That's one of my favorite parts about my current setup. Yes, I could run a pihole instead, but I'm not convinced it will afford me the same flexibility, but that's only based upon comments I read online related to HA and VLANs.
Hi Tom, great video! Would you recommend replacing clients' routers with a Unifi firewall? I work at an MSP and am looking into other options for our clients.
13:20 I need to comment to say that at this moment the Fallback option does not work properly. On my machine (UCG Max) the Fallback option does NOT block traffic when the VPN connection is lost. To prevent it there are a few firewall rules you can use in the Internet Out section, or (what I did) was set up 2 custom NAT rules (one allowing NAT from the VLAN to the VPN, one blocking the VLAN from the primary gateway), similar to how I had it in pfSense.
I prefer Sophos XG - I think it's way more intuitive and more feature rich than the Unifi firewall. I think Unifi took many features and options from Sophos (zone settings, application policies, e.g.).
Hi, beginner question here. Does any of this setup matter depending on whether the devices trying to connect to the web through the setup are iOS, Mac, Windows etc.? Is this all fully agnostic? Or are there some specific quirks? Thank you!
Did you already do a video on Unifi Teleport? The problem I have with that is that all Teleport devices come in their own IP range and there seems to be NO possibility to define any firewall rules for those. Basically rendering Teleport totally unusable for me. (I am using two internal networks: one for all wifi devices (i.e. phones and laptops) and my homelab. Access to the homelab should be limited to listed devices only, but teleported devices just have access :( )
I too switched my setup for a UDM Pro Max last December and I am not very pleased with what I thought 9.x would be. I miss my Fortinet setup which was much more mature (even with their flaws - updates do the trick).
1st: The fact the UDM is still using iptables limits (or complicates) how easy the firewall rules are to work with. We're in 2025 now, and I wish Unifi could part with doing firewalling like we did pre-2010. Having to set up return traffic and explicitly having to block inter-VLAN traffic is just dumb when it should be by default - reminds me of an L3 switch that does routing where you need to add ACLs to block inter-VLAN traffic.
2nd: doing simple inter-VLAN NAT is a nightmare and doesn't really work - a thing that is easy with real NGFWs (or 4th gen firewalls - the UDM is more of a 2.5ish gen firewall IMO).
3rd: UDP streaming (even on wire) gets some hiccups from time to time. Never had that before with the same ISP and bandwidth under pfSense and FortiGate that were using the same Unifi switches and APs.
All in all, it is a nice "toy", but I do not feel I have full control over what is going on and I hate that. Great video Tom!
UniFi needs to seriously just have a section to show firewall logs, allow/deny, all that stuff, domain name resolution, to help with managing the firewall in a corporate setting.
I have a restaurant that needs a new firewall and switch. They will have WiFi for internal and guests. I am familiar with Meraki, Netgate, Cisco, Extreme, Unifi (but nothing fairly new with UniFi). Any suggestions of what to install?
Why do they need a new firewall and switch, does Unifi solve a need? I always prefer a good firewall on the router, and then a machine running the DNS/DHCP, and connect that to a good quality switch.
I have a Netgate 6100 right now. I got it after I got rid of my first UDMP quite a while ago, however with the changes it looks enticing to maybe explore again. With everyone jumping off the BSD bandwagon, how long before pfSense is abandoned?
I'd like to see the packet capture, also on my pfSense I have several VoIP phones and had to enable the STUN option, and I'd like to know how this works in Unifi. My Cloud Max arrives tomorrow, I have a couple of Unifi switches already, and I'm replacing my lovely Zyxel APs with a couple of U6 or U7 APs. I think you have to be all-in to see all the stats and manage it all from one place.
@@LAWRENCESYSTEMS So when I change the IP address of my nginx proxy manager host, I don't have to individually change all the internal services I have pointed at it as well.
Considering using OPNSense for transparent filtering IPS/IDS etc. and keeping UniFi for internal routing, vlan, fw rules. Primarily to offload IPS/IDS from Unifi. Would this make sense?
Only if you are going to do full traffic inspection by installing SSL certs which is a pain to manage so I wouldn't do it, but it could be fun if you want to learn how that works.
@@LAWRENCESYSTEMS Thanks. I guess I was thinking more of offloading IPS from UniFi as I'm seeing my UDMPro hit fairly high on the CPU, and that's without enabling all the IPS features.
Man I would love to be able to just run unifi but my problem is this. I have a wireguard tunnel between me and a datacenter, where I have 5 static IPs. I have VMs at home that I send over the tunnel (like plex, some game servers, and etc) and port forward on the far end thus giving them the external IP in the DC even though they're hosted at home. I am assuming I am not going to be able to replicate this even using this but I may try it out.
My genuine question is the following: firewalls and their features have existed for ages. Why is Unifi implementing basic stuff in their products bit by bit and branding it like it's incredible? It's like their L3 support in their switches, it has existed for decades in the enterprise world and they add stuff little by little on hardware supposed to support those features (enterprise means enterprise, right?).
Have noticed there is a bug with the SFP ports on the UDM models now. If for some reason there is a restart needed or a power loss, they can lose function. For some reason they get stuck and won't renew the IPs unless you physically unplug the power from the back and let it sit for a few minutes to discharge the capacitor. Once you do this they function normally again.
Do they still require you to keep the native VLAN at 1? I prefer pfSense still even if Netgate is evil, the packages are what keeps me. The configuration UI is also well organized as opposed to a deep maze.
Dang, what are the odds.. I just switched from pfSense to a Unifi USG Pro 4 like 24-36 hours ago..lol. Wish I could get a UDM Pro SE but that's just not possible.. I can only live on ramen noodles for so long! I really want/need to know how to do ad blocking & a separate IoT network! I would love to see a follow up!
In Germany there are a lot of ISPs with VLANs on WAN (e.g. one VLAN for Internet, one for VoIP). As far as I know, the UniFi firewall can't handle multiple VLANs on WAN, am I right?
@@LAWRENCESYSTEMS then multiple VLANs on WAN must be new. Several threads and posts in the UI support forum are about this topic. Obviously UI can/could only have one VLAN on WAN.
@@imraz0r I am not sure how many are supported since this is not a common requirement I find here in the USA. Of course the work around is putting a managed switch in front of the WAN to split the VLANs but obviously it would be better to have it built into the UniFi firewall.
@@LAWRENCESYSTEMS Putting a managed switch in front of the WAN can be a solution, right. But in this case, I prefer to stick with my OPNsense, which can handle multi-VLAN on WAN. ;-) Nevertheless, thank you for your answer and your great videos!
The only thing now holding me back from moving to a UDM Pro from pfSense at one customer is their IPsec VPN tunnel to a business partner's SonicWall. Trying to get the UDM Pro to manage an IKEv2 connection just doesn't work. I know it's labelled differently in the UDM Pro but I've tested everything exhaustively and no dice. I don't have direct access to the SonicWall so have to rely on a less than helpful third-party IT provider. Essentially, I have to transpose manually from the pfSense box to the UDM Pro. All my tests fail and it needs to be IKEv2. If this is resolved in v9 of the network application I would be very happy.
The WireGuard client on Unifi uses PBRs for routing instead of adding "allowed IPs"; careful though, as the WireGuard interface is put into the external FW zone instead of the site-to-site FW zone. The Unifi GUI also forces you to add a DNS server to the WireGuard config; this results in all your DNS traffic being forced across the tunnel. If the tunnel goes down, DNS stops working for all LAN clients. It will be nice when Unifi adds WireGuard under site-to-site as it should resolve these issues. The Unifi GUI looks nice but lacks core functionality as it always has and likely always will, this is why I'll never use a Unifi firewall regardless of how shiny it is.
I finally have a pfSense WireGuard tunnel and Unifi WireGuard VPN client as an added peer working OK after I set it up manually using the optional preshared key (not sure if I needed to use the optional key but I did and I am not breaking it again to find out 🙂). Couldn't seem to get the file based config to work though, at least not when exporting from pfSense and trying to import in the Unifi controller. Manually setting up works just fine though, I treated it much the same as setting up a normal desktop client.
I recently did a site to site WireGuard, and was able to hit the opposing network resources by connecting as a client (WireGuard server on the opposing end on a Pi) and used "policy-based routes" under routing to send specific traffic, to destination of the IP range of the opposing network, via the VPN tunnel. Only downside is when I go into a device on that network it can't get back (I'm going to have them connect as a client to me at some point, and basically just run two tunnels, but I haven't yet).
I went from a Meraki firewall to a UDM Pro, and went back to Meraki. The throughput was horrible, got tech support involved, they agreed something was wrong with the unit but never offered to swap it. In less than 6 months it was given to recycling. What a waste of money.
I am switching my current pfSense Plus FW to a new device, just to remember there is no free (or in my opinion affordable) Plus for home anymore. Well, apart from the boot environments, CE should also be fine.... except that it has not received an update over a very long time, has a bug with IGMP proxy in the 2.7.2 version and also no beta access for 2.8. This will probably be the end of my time with CE 😢 Looking for alternatives and now playing with, of course, OPNsense, but also Sophos XG that is also free for home use. Sophos is also using zones and I am still trying to get my head around that concept.
UniFi hardware needs an upgrade; for the price all this stuff should be 2.5G/10G+ SFP and we should start seeing 25G. Alta Labs Route10, as soon as they work all the little issues out, has way better hardware for 200 bucks, and they don't add 70 for an AC adapter that you can buy for ~10... Software seems solid though. Just call me old-fashioned, I don't need all the graphics though.
Unifi is great for home lab. Not good for enterprise management and support. I bought a UXG-Pro and struggled for 3 days only to find out that changing the default subnet causes issues on this specific device.
The hardware is crazy reliable, I don't think we've sold any other hardware that just keeps chugging along. Maybe those old HP Laserjets were more reliable. And at the price, the warranty doesn't even matter, for the price of a Meraki, I can just buy two Ubiquiti. Support is basically DIY, which is a downside if you can't diagnose and troubleshoot it yourself. We've probably sold 400 units and I can think of maybe two or three that have failed. Also gone into many locations and replaced old unifi that was still working just fine just in need of a refresh.
“Unifi has terrible support” I always wonder what the purpose of such a non-specific complaint is. Is everyone just supposed to say “Well okay, he said they have terrible support. Guess I better buy “X” instead. What were you expecting? How did they let you down? What hardware problem did you have? 🤷🏻♂️
When I saw this title, my first thoughts were: "What about the performance??" pfSense+ is much faster with all security added, has much higher throughput when running on a bare metal server (like Proliant Micro or Proliant DL20)
Funny, I moved from UI to OPNSense and Omada. I was sick of the constant 2FA bullshit to locally manage stuff. The constant security warnings about no certificate. I don't manage my Omada stuff remotely, so I turned off HTTPS. I still have a Unifi NVR, and that's a pain in the ass every few days. I don't know WHY I can't, in ANY browser, add some sort of exception to not bug me.
It’s frustrating seeing so many influencers pushing Unifi products just because they’re getting paid to do so. Sure, they make it sound great, but the reality is that Unifi can be a nightmare for many users. The setup isn’t as smooth as they make it seem, and the software can be buggy, especially for home users who don’t have the technical know-how. A lot of these influencers don’t mention the hidden costs or the headaches that come with the system. It feels more like they're selling convenience for a paycheck than genuinely recommending the best option for their audience
I’m about to remove pfsense CE from my parents and drop in a Unifi Cloud Gateway Ultra. 900/900 connection, IPV4 CGNAT and IPV6. There is currently an IPsec vpn to my home for Synology sync.
I will soon have a dedicated UniFi Zone Based Firewall video.
Thank you for the explanation about Return Traffic
@@LAWRENCESYSTEMS I think a lot of us are in the same boat when it comes to features.
There is an NGINX Proxy Manager Video in the works.
Nginx Proxy Manager is really easy to set up (you can spin it up in a Docker container) and the UI is very intuitive.
What happened to the pfSense CE update?
¯\_(ツ)_/¯
Yeah, people are going elsewhere...
Netgate wants you to buy their overpriced hardware, which are off the shelf boxes one can buy direct from Silicom. They lured homelabbers onto pfSense Plus from CE and then pulled the rug out. Even if one does pay yearly for pfSense Plus it will deactivate itself if one adds or removes a NIC. Once it deactivates they'll graciously do a "one time favor" by letting one continue using their subscription. Management is generally hostile to its user base especially on Reddit. It's a good product that's being ruined by poor business practices.
Thanks for the update video Tom, very informative!
Man, I just swapped a Netgate 6100 for a UDM-Pro Max at my house/homelab. Have quite a few Netgates out there, but Network 9 is very enticing. Already have UniFi switching and APs everywhere. Love the single panel for everything, and easy central management.
As for WireGuard site to site: I created a WireGuard server in UniFi and pfSense as a “client”; works great. Basically the reverse of how you are doing OpenVPN in this video.
18:22 They're not blocking you from accessing SSH, but I hate the popup saying your warranty will be void if you activate SSH on the console. This is ridiculous.
They're trying to encourage you to use a VPN instead of exposing SSH on your WAN IP.
Granted, it's aggressive to void a warranty, but it is a good way to have people strongly consider alternatives.
That's not true. When enabling SSH it's not exposed automatically to WAN, and if not enabled you can't access it from the local network either. And I'm using SSH just for debugging purposes, so if I just enable it on the new EFG at a customer site and a port stops physically working, or worse, the mainboard fails, I can pay for a new EFG out of my pocket, 1899€.
@@Zaim-S I agree, that is a no-go for me. Not sure if that is even legal in Europe. A manufacturer has the burden of proof that it is the customer's fault when denying a warranty (this applies to B2B too since a few years). Even if that pop-up doesn't exist in Europe (because I'm from there), I would still be wary of companies that have vastly different warranty policies across regions, especially when showing hostility towards advanced users. You can deny my warranty if I break something using SSH, thank you very much; a pop-up telling me "Hey, if you use SSH you could void your warranty. Be careful!" would be a much better solution.
I don't even know what they are scared of, users turning the fan speed to 0 and overheating devices? If you break the config, a factory wipe would just fix whatever it was that you broke. Exposing SSH to WAN is dumb, but having access to it at all is basic functionality IMO.
I totally agree on that. I'm from the EU too, AT.
And I do get the popup while trying to activate SSH on any console. I don't think this depends on where you are located.
6:25 That's the reason why I want to keep my DHCP server separate. This would make migration a lot easier except for firewall rules.
7:40 I like how the zone table is made where we can see what goes in (source) and what goes out (destination). Nice touch.
Yeah, agreed with your points. I also prefer a separation of functions. I keep DHCP/DNS and the reverse proxy all on separate systems, which makes migrations to any platform easy. Firewall rule translations will always be a pain, but that's alright.
what dhcp server do you use?
@@GodAtum I'm lucky enough to have Windows Server 2019.
@ Oh nice! Are you running an evaluation version? Because I cannot afford one at all in a home environment. I would love to have one for Active Directory if I don't want to re-arm every 180 days or so and reinstall every couple of years...
@ A standard isc-dhcp-server. I can easily migrate the DHCP server to a different machine if I want to make any network structural/infrastructural changes as it's just a configuration file. I have it in my firewall appliance that's running Debian with nftables for my router.
Netgate will be losing their minds right now.
Plus rolling up their sleeves to welcome the competition. Or welcome, but, outdo the competition. Hopefully
Would be nice if they finally pushed the CE update.
They are fine; UniFi hardware is lacking, controller-based stuff has extra points of failure/attack, old guys like to run stable, tested stuff...
@@Destroyer954 I don't think they'll ever get their sh!t together. As good as pfSense is their development, especially the transparency of it, is a joke.
Normally I have used Sophos firewalls, but they have increased their prices 3 times a year. So I have a customer where I will use and test the UniFi Pro. (I have a lot of small customers where I use the UDM already.)
Hey Tom, great video! If you end up doing a follow up video with more advanced features, something else to consider. I know your personal take is to do ad blocking/DNS filtering at the client, but many people like using pihole w/ unbound as their local DNS server. Would be cool if you can set that up and see if it plays nicely with the advanced filtering, tracking and blocking built-in to unifi.
I JUST DID THIS YESTERDAY!!!! Where was this video!!! LOL, the migration sucked for me!!!
Awesome, ordered a UCG-Ultra a few days ago and I'm planning on switching from OPNsense!
We moved off Netgate firewalls to unifi firewalls about six months ago.
I have a sm dedicated appliance that runs OPNsense to my desktop and NAS, then a passthrough to a UniFi Dream Machine SE with its own firewall and wireless, both working great. OPNsense is way easier to figure out than pfSense; I always had trouble with pfSense.
Great video. Looking forward to more unifi firewall videos as I think I'm going to switch for at least the foreseeable future also.
I wish you released this 3 days ago, so I didn't create all my firewall rules and routes etc., that will now get wiped when I import my current site from my self hosted controller so I keep my switch and AP settings. 😂 or I might just redo switch and AP settings, as there's less of that compared to, firewall rules, routing etc.
Really interesting video, thanks Tom.
One thing that Unifi needs to work on is their documentation although it seems extremely easy to get things the way you want.
I just hope pfSense finally gets their act together in the near future. As good as pfSense is, their development team still hasn't heard about timelines, point releases or even transparency. Good on UniFi to be on the right way. Still need pfBlockerNG though. And decent certificate management. Maybe 10.0 is the charm ;) Thanks for sharing.
Did you try some IPv6 too? UniFi still lagged behind while pfSense handled combined IPv4/IPv6 rules beautifully. I didn't see anyone cover it yet for the new firewall update on the UniFi side.
Pretty neat! Might be a great option for someone that doesn't have stringent security or regulatory requirements.
The fact that you even made this video shows how far Unifi has come. Still not perfect but Network 9.0 is a big deal. I finally got my internal network right and it took less time.
Perfect timing for me, too! I have a cloud gateway box I want to migrate a self-hosted controller and pfSense implementation to. I was desperately hoping that you might have found an easy way to import a whole bunch of DHCP reservations in one easy import... but NO! This is the major impediment to my starting the migration and it's disappointing this still isn't possible after all this time. There's hints that an API exists to do this, so maybe time to give that a try and hack up a quick and dirty python script or something..
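On the reservation-import problem raised above: the first half of that job, getting the existing reservations out of pfSense in a clean form, does not need any UniFi API at all. pfSense keeps them in config.xml under dhcpd/&lt;interface&gt;/staticmap with mac, ipaddr and hostname children. The example below is added here (it is not code from the video, from pfSense or from UniFi) and parses that layout, normalizes MACs, validates addresses and flags duplicates, producing a list you can then feed to whatever import path you end up using. The sample XML is constructed for the example; pushing the result into the controller is left out because the endpoint is not documented on this page.

```python
"""Extract DHCP static mappings from a pfSense config.xml backup.

Added example for the pfSense -> UniFi migration discussed above; it is
not code from the video or from either product. The element layout
(dhcpd/<interface>/staticmap with mac, ipaddr, hostname, descr) follows
pfSense's config.xml; SAMPLE_CONFIG below is constructed for the example.
"""
import ipaddress
import json
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample: two interfaces, one duplicate MAC, one malformed MAC.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <dhcpd>
    <lan>
      <enable></enable>
      <range><from>192.168.1.100</from><to>192.168.1.199</to></range>
      <staticmap><mac>AA:BB:CC:DD:EE:01</mac><ipaddr>192.168.1.10</ipaddr><hostname>nas</hostname><descr>Synology</descr></staticmap>
      <staticmap><mac>aa:bb:cc:dd:ee:02</mac><ipaddr>192.168.1.11</ipaddr><hostname>printer</hostname></staticmap>
      <staticmap><mac>aa:bb:cc:dd:ee:01</mac><ipaddr>192.168.1.12</ipaddr><hostname>nas-dup</hostname></staticmap>
    </lan>
    <opt1>
      <staticmap><mac>not-a-mac</mac><ipaddr>10.20.0.5</ipaddr><hostname>camera1</hostname></staticmap>
      <staticmap><mac>aa:bb:cc:dd:ee:10</mac><ipaddr>10.20.0.6</ipaddr><hostname>camera2</hostname></staticmap>
    </opt1>
  </dhcpd>
</pfsense>
"""


def normalize_mac(raw):
    """Lower-case, colon-separated MAC; None if it does not look like one."""
    mac = raw.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None


def extract_reservations(xml_text):
    """Return (reservations, problems).

    reservations: list of dicts {interface, mac, ip, hostname, descr}
    problems: strings describing entries that were skipped (bad MAC,
    bad IP, or a MAC already reserved on the same interface).
    """
    root = ET.fromstring(xml_text)
    dhcpd = root.find("dhcpd")
    reservations, problems = [], []
    if dhcpd is None:
        return reservations, problems
    for iface in dhcpd:                      # <lan>, <opt1>, ... one per interface
        seen = set()
        for sm in iface.findall("staticmap"):
            host = sm.findtext("hostname", "").strip()
            mac = normalize_mac(sm.findtext("mac", ""))
            if mac is None:
                problems.append(f"{iface.tag}: bad MAC {sm.findtext('mac')!r} ({host})")
                continue
            ip_raw = sm.findtext("ipaddr", "").strip()
            try:
                ip = str(ipaddress.ip_address(ip_raw))
            except ValueError:
                problems.append(f"{iface.tag}: bad IP {ip_raw!r} ({host})")
                continue
            if mac in seen:
                problems.append(f"{iface.tag}: duplicate MAC {mac} ({host})")
                continue
            seen.add(mac)
            reservations.append({
                "interface": iface.tag,
                "mac": mac,
                "ip": ip,
                "hostname": host,
                "descr": sm.findtext("descr", "").strip(),
            })
    return reservations, problems


def to_json(reservations):
    """Stable JSON rendering, convenient as input to an import script."""
    return json.dumps(reservations, indent=2, sort_keys=True)


if __name__ == "__main__":
    res, probs = extract_reservations(SAMPLE_CONFIG)
    print(to_json(res))
    for p in probs:
        print("SKIPPED:", p)
```

Run it against a real backup with `extract_reservations(open("config.xml").read())`; anything listed under SKIPPED is worth fixing on the pfSense side before migrating, since a duplicate or malformed reservation is exactly the kind of entry a bulk import silently drops.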
Thanks for the video, perfectly timed for me!
UniFi is neat for simple setups. I installed a UDM at my work's office. At home no way I'd give up things like running HAProxy, Tailscale, custom lists etc. directly on the firewall. At home I've found pfSense on an old i3-7100 build with a dual SFP+ NIC, MikroTik switches, and UniFi APs does me well.
Just moved to UniFi from pfSense CE due to the lapse in updates from Netgate.
I may eventually move from pfsense to Unifi Firewall. Won't happen anytime soon as I'm still happy with pfsense. Just I like the GUI that Unifi provides. Just not too crazy getting locked in with some hardware that I can't do anything with after it's EOL. It's one of the reasons why I use open source firewall on my own hardware.
13:54 We use about 20 WG S2S setups between UniFi gateways and OPNsense gateways.
It's definitely possible but there are a few annoyances:
1. every IP that communicates via the tunnel needs to be allowed via FW rule (tunnel, local, and site network)
2. static route on the UniFi GW for the site network to the next-hop WG tunnel IP of the other site
3. all traffic from a WG client has the source IP of the tunnel interface, so you need FW rules and routes to consider this fact
Other than that it works very stably and a lot faster than our IPsec tunnels.
One other nice fact is that you don't need a continuous connection between the two sites, so if a customer has a very bad internet connection the experience is a lot better with WG tunnels.
Interesting, and sounds like more work than it should be. I might do some testing or wait until their updated WG gets out of beta.
@ Yes, that would be great, but I haven't heard anything about a complete S2S WireGuard implementation.
This feature has been requested for a long time without any timeline from Ubiquiti.
Interestingly, their mobile routers have a native S2S WireGuard implementation.
Looking forward to a video about creating and setting up security zones from scratch, not from a past backup.
Really great video here and I like the options, specifically around logging. I use Graylog to inject not just syslog but IPFIX flows as well.
Additionally, as stated, the ability to track down connections (blocks or permits) from the firewall rules is important for compliance or just basic troubleshooting, so that area for me needs improvement.
Lastly, I will say that UniFi has a cohesive experience, which for me is the biggest draw. pfSense, specifically its support for 3rd party packages, is jumbled and not clear and, most important, it's not supported. FRR on pfSense is broken. Dynamic routing with more than one peer does not work (Redmine 14630).
There is an IPsec bug where any modification to the configuration results in all tunnels dropping traffic (Redmine 14483).
There are more examples, but the point I'm trying to illustrate is that there is seemingly more support and a willingness to fix broken things on the UniFi side than the pfSense side. It's a much more polished experience from UniFi and I'm looking forward to the improvements. All that to say, for now, I'm still on pfSense.
As someone who has worked with interface-rule-based firewalls (i.e. Cisco ASA, pfSense, Smoothwall) but also worked with Palo Alto for 9+ years, the zone method is such a better way. All rules, one place, multiple subnets in one zone etc. Block by default is a better method to work by. Palo Alto has this too on interzone rules (traffic in and out of zones) blocked by default. On Palo Alto you can also configure interzone rules (different subnets on same zone), allowed by default; I assume you can do this too on Network v9? I'm really debating whether to go UniFi or pfSense now, as I only have Protect and all my switches are Aruba 2530s with Aruba APs and a few MikroTiks. I did have UniFi WiFi and switching some years back but no desire to go back yet.
17:31 I have had a case open with them since shortly after 9.0.8 came out asking for a state tracking table; coming from pfSense as well, I can't believe this feature was overlooked. It makes it much harder to troubleshoot when you need to run packet captures to see the traffic. This feature can't come soon enough.
I just did this migration in the new year. Migrated my pfSense to the UniFi Express. Overall I'm pretty happy with it. The UX is pretty underpowered though and I plan to upgrade to the UCG Max asap.
Do you use the UDM Pro as your VLAN router or did you use the L3 capabilities of the unifi switch? In the video it shows "LTS Studio" for router... what device is LTS Studio? Curious about your VLAN to VLAN setup
LTS Studio is the UDM Pro Max
@@LAWRENCESYSTEMS Ok, thanks. Curious if you considered using the switch as your VLAN router and, if so, why you chose not to?
Is there a recurring cost with the Dream Machine Pro?
No
If I am going to use UniFi, what do I do with my Hikvision cameras? UniFi uses the same port as Hikvision. I have tried a bit but they don't work together. Can I easily change ports, and if so, which, Hik or UniFi, for best results? I have about 40 Hikvision cameras.
21:47 The eMMC on my ST-4100 was nearing EOL so I picked up a UCG Max while I see about swapping in a M.2. Seems to be doing everything I need well enough. I was able to export my HAProxy config file and drop it into a LXC container with HAProxy. All is well. Did take a while for my pf brain to adjust.
One thing I'm really missing is in the Geo section: I can block traffic to a country, but I cannot just view and filter all that traffic directly from the Geo tab, to be able to directly find what traffic is talking to a specific country. Let's hope that comes, just an easy way to see and filter that country's traffic.
My current pfSense install uses several pfBlockerNG lists. Can I use those SAME block lists and load in my own list of entries? Everything is kinda set up the way I want it from a block vs. whitelist perspective.
Nope, they don't have custom lists.
You can always add a Pi-Hole to your network.
@@LAWRENCESYSTEMS D'oh! That's one of my favorite parts about my current setup. Yes, I could run a pihole instead, but I'm not convinced it will afford me the same flexibility, but that's only based upon comments I read online related to HA and VLANs.
Hi Tom, great video! Would you recommend replacing clients' routers with a UniFi firewall? I work at an MSP and am looking into other options for our clients.
I would say they are fine for an MSP
Virtual WANs would be cool, so you could set a VPN interface as a LAN interface. So you can port forward to it.
13:20 I need to comment to say that at this moment the Fallback option does not work properly. On my machine (UCG Max) the Fallback option does NOT block traffic when the VPN connection is lost. To prevent it there are a few firewall rules you can use in the Internet Out section, or (what I did) set up 2 custom NAT rules (one allowing NAT from the VLAN to the VPN, one blocking the VLAN from the primary gateway), similar to how I had it in pfSense.
I prefer Sophos XG; I think it's way more intuitive and more feature-rich than the UniFi firewall. I think UniFi took many features and options from Sophos (zone settings, application policies, e.g.).
Hi, beginner question here. Does any of this setup depend on whether the devices trying to connect to the web through it are iOS, Mac, Windows etc.? Is this all fully agnostic? Or are there some specific quirks?
Thank you!
It does not matter if it is Mac, Windows, or Linux
Did you already do a video on Unifi Teleport? Problem i have with that is that all teleport devices come in their own ip range and there seems to be NO possibility to define any firewall rules for those. Basically rendering teleport totally unusable for me.
(am using two internal networks: one for all wifi devices (ie phones and laptops) and my homelab. Access to homelab should be limited to listed devices only, but teleported devices just have access :( )
Teleport is probably fine for basic use, but the other VPN options are better for people with more advanced use cases.
I too switched my setup for a UDM Pro Max last December and I am not very pleased with what I thought 9.x would be. I miss my Fortinet setup, which was much more mature (even with their flaws, updates do the trick).
1st: The fact the UDM is still using iptables limits (or complicates) the ease of working with the firewall rules. We're in 2025 now, and I wish UniFi could part with doing firewalling like we did pre-2010. Having to set up return traffic and explicitly having to block inter-VLAN traffic is just dumb when it should be by default; reminds me of L3 switches that do routing where you need to add ACLs to block inter-VLAN traffic.
2nd: Doing simple inter-VLAN NAT is a nightmare and doesn't really work, a thing that is easy with real NGFWs (or 4th gen firewalls; the UDM is more of a 2.5ish gen firewall IMO).
3rd: UDP streaming (even on wire) gets some hiccups from time to time. Never had that before with the same ISP and bandwidth under pfSense and FortiGate that were using the same UniFi switches and APs.
All in all, it is a nice "toy", but I do not feel I have full control over what is going on and I hate that.
Great video Tom!
Can we now set the priority of queues? Or is it still smart queues only?
help.ui.com/hc/en-us/articles/12648661321367-UniFi-Gateway-Smart-Queues
Cams, WiFi and router together is better for management. I hope this system keeps going steady and doesn't end up like the "EdgeRouter system".
Waiting for that WireGuard site to site before I make the leap.
UniFi seriously needs to have a section to show firewall logs (allow, deny, all that stuff) with domain name resolution, to help with managing the firewall in a corporate setting.
I have a restaurant that needs a new firewall and switch. They will have WiFi for internal and guests. I am familiar with Meraki, Netgate, Cisco, Extreme, UniFi (but nothing fairly new with UniFi).
Any suggestions of what to install?
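Two comments above ask for the same thing from different angles: the Graylog user wants to track down blocks and permits per rule for compliance, and the comment just above wants a readable allow/deny log. Until the product grows that view, the raw material is already there in the gateway's syslog, because an iptables LOG target writes one line per logged packet with IN=, OUT=, SRC=, DST=, PROTO=, SPT= and DPT= fields. The example below is added here (not code from the video or from UniFi) and parses those lines, tallies allow/deny per rule, and flags sources whose denied traffic touched several distinct destination ports. The bracketed `[ZONEPAIR-rule-A|D]` prefix and the sample lines are constructed for the example, modelled on how UniFi gateways have tagged their iptables log prefixes; confirm the prefix shape against your own syslog before depending on it.

```python
"""Parse kernel iptables/nftables LOG lines and summarise allow/deny activity.

Added example, not from the video or UniFi. The IN=/OUT=/SRC=/DST=/PROTO=/
SPT=/DPT= fields are the kernel's LOG format; the [ZONEPAIR-rule-A|D] prefix
and every sample line below are constructed for this example and assumed to
match how the gateway tags its log prefixes.
"""
import re
from collections import Counter, defaultdict

# Constructed sample syslog (not a real capture). Last line is unrelated noise.
SAMPLE_LOG = """\
Feb 11 10:01:02 gateway kernel: [WAN_LOCAL-default-D]IN=eth8 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=54321 PROTO=TCP SPT=41234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 11 10:01:03 gateway kernel: [WAN_LOCAL-default-D]IN=eth8 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=54322 PROTO=TCP SPT=41235 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 11 10:01:03 gateway kernel: [WAN_LOCAL-default-D]IN=eth8 OUT= MAC=... SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=54323 PROTO=TCP SPT=41236 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 11 10:01:05 gateway kernel: [IoT_Internal-2001-A]IN=br20 OUT=br10 MAC=... SRC=10.20.0.6 DST=10.10.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=55000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 11 10:01:06 gateway kernel: [IoT_Internal-default-D]IN=br20 OUT=br10 MAC=... SRC=10.20.0.6 DST=10.10.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Feb 11 10:01:07 gateway kernel: [IoT_Internal-default-D]IN=br20 OUT=br10 MAC=... SRC=10.20.0.6 DST=10.10.0.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=ICMP TYPE=8 CODE=0
Feb 11 10:01:08 gateway sshd[123]: Accepted publickey for admin from 10.10.0.5 port 50000 ssh2
"""

# Assumed prefix shape: [<zone pair>-<rule id or "default">-<A|D>]
PREFIX_RE = re.compile(r"\[(?P<zone>[A-Za-z0-9_]+)-(?P<rule>[A-Za-z0-9_]+)-(?P<action>[AD])\]")
# KEY=value tokens emitted by the kernel LOG target (flags like DF/SYN have no '=')
KV_RE = re.compile(r"(\b[A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict for a firewall LOG line, or None for other syslog lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(line[m.end():]))
    return {
        "zone_pair": m.group("zone"),
        "rule": m.group("rule"),
        "action": "allow" if m.group("action") == "A" else "deny",
        "in": kv.get("IN", ""),
        "out": kv.get("OUT", ""),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        # ICMP has TYPE/CODE instead of ports, so DPT may be absent
        "dpt": int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None,
    }


def summarise(lines):
    """Count hits per (zone pair, rule, action) and collect denied dst ports per source."""
    per_rule = Counter()
    denied_ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_rule[(rec["zone_pair"], rec["rule"], rec["action"])] += 1
        if rec["action"] == "deny" and rec["dpt"] is not None:
            denied_ports[rec["src"]].add(rec["dpt"])
    return per_rule, denied_ports


def scanners(denied_ports, threshold=3):
    """Sources whose denied traffic hit at least `threshold` distinct ports."""
    return sorted(src for src, ports in denied_ports.items() if len(ports) >= threshold)


if __name__ == "__main__":
    counts, denied = summarise(SAMPLE_LOG.splitlines())
    for (zone, rule, action), n in sorted(counts.items()):
        print(f"{zone:14} {rule:8} {action:5} {n}")
    print("possible scanners:", scanners(denied))
```

Pointing `summarise()` at the gateway's exported syslog gives the per-rule hit counts the compliance comment asks for; the `scanners()` pass is the cheapest useful detection to bolt on once the lines are structured, and the same parsed records can be shipped to Graylog or any SIEM as fields rather than raw text.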
The Dream Machine line is good, they have smaller ones for smaller locations.
Why do they need a new firewall and switch? Does UniFi solve a need? I always prefer a good firewall on the router, and then a machine running DNS/DHCP, and connect that to a good quality switch.
I have a Netgate 6100 right now. I got it after I got rid of my first UDMP quite a while ago; however, with the changes it looks enticing to maybe explore again. With everyone jumping off the BSD bandwagon, how long before pfSense is abandoned?
I'd like to see the packet capture, also on my pfSense I have several VoIP phones and had to enable the STUN option, and I'd like to know how this works in Unifi. My Cloud Max arrives tomorrow, I have a couple of Unifi switches already, and I'm replacing my lovely Zyxel APs with a couple of U6 or U7 APs. I think you have to be all-in to see all the stats and manage it all from one place.
My only complaint about DNS is that they still haven't got CNAMES sorted yet. It's been an age!
Why do you need cnames internally?
@@LAWRENCESYSTEMS So when I change the IP address of my nginx proxy manager host, I don't have to individually change all the internal services I have pointed at it as well.
Is routing achieved through L3 ACLs if you use their switches, or is all traffic routed through the UDMP?
Considering using OPNSense for transparent filtering IPS/IDS etc. and keeping UniFi for internal routing, vlan, fw rules. Primarily to offload IPS/IDS from Unifi. Would this make sense?
Only if you are going to do full traffic inspection by installing SSL certs which is a pain to manage so I wouldn't do it, but it could be fun if you want to learn how that works.
@@LAWRENCESYSTEMS Thanks. I guess I was thinking more of offloading IPS from UniFi as I'm seeing my UDMPro hit fairly high on the CPU, and that's without enabling all the IPS features.
Looking to move from ER-X. Looking for same thing but 2.5G ports. Hoping unifi has something soon.
Is there a way to block all non-US traffic to your NAS but still allow updates whenever your trust NAS needs it?
I wish they would offer an option to use the Hurricane Electric IPv6 tunnel.
Man I would love to be able to just run unifi but my problem is this.
I have a wireguard tunnel between me and a datacenter, where I have 5 static IPs. I have VMs at home that I send over the tunnel (like plex, some game servers, and etc) and port forward on the far end thus giving them the external IP in the DC even though they're hosted at home. I am assuming I am not going to be able to replicate this even using this but I may try it out.
My genuine question is the following: firewalls and their features have existed for ages. Why is UniFi implementing basic stuff in their products bit by bit and branding it like it's incredible? It's like the L3 support in their switches; it has existed for decades in the enterprise world and they add stuff little by little on hardware supposed to support those features (enterprise means enterprise, right?).
Have noticed there is a bug with the SFP ports on the UDM models now. If for some reason there is a restart needed or a power loss, they can lose function. For some reason they get stuck and won't renew the IPs unless you physically unplug the power from the back and let it sit for a few minutes to discharge the capacitor.
Once you do this they function normally again.
Do Firewalla next. I have heard good things about it. I know it's great for home, but is it good for businesses?
ruclips.net/video/tIfCQNZ9wj8/видео.htmlsi=7h6m1wK1keDRfLVK
I'm having issues importing UniFi logs into Wazuh. Do you have a video guide covering this?
Never tried that, post in the forums.
Do they still require you to keep the native VLAN at 1?
I prefer pfSense still even if Netgate is evil, the packages are what keeps me. The configuration UI is also well organized as opposed to a deep maze.
You can set a management VLAN
Blocked by default is a zero trust idea. Honestly the best default: only allow what I explicitly allow between nets.
Dang, what are the odds... I just switched from pfSense to a UniFi USG Pro 4 like 24-36 hours ago, lol. Wish I could get a UDM Pro SE but that's just not possible... I can only live on ramen noodles for so long! I really want/need to know how to do ad blocking & a separate IoT network! I would love to see a follow-up!
In Germany there are a lot of ISPs with VLANs on WAN (e.g. one VLAN for Internet, one for VoIP). As far as I know, the UniFi firewall can't handle multiple VLANs on WAN. Am I right?
UniFi WAN VLAN is supported.
@@LAWRENCESYSTEMS then multiple VLANs on WAN must be new. Several threads and posts in the UI support forum are about this topic. Obviously UI can/could only have one VLAN on WAN.
@@imraz0r I am not sure how many are supported since this is not a common requirement I find here in the USA. Of course the work around is putting a managed switch in front of the WAN to split the VLANs but obviously it would be better to have it built into the UniFi firewall.
@@LAWRENCESYSTEMS Putting a managed switch in front of the WAN can be a solution, right. But in this case, I prefer to stick with my OPNsense, which can handle multi-VLAN on WAN. ;-) Nevertheless, thank you for your answer and your great videos!
The only thing now holding me back from moving to a UDM Pro from pfSense at one customer is their IPsec VPN tunnel to a business partner's SonicWall. Trying to get the UDM Pro to manage an IKEv2 connection just doesn't work. I know it's labelled differently in the UDM Pro, but I've tested everything exhaustively and no dice. I don't have direct access to the SonicWall so have to rely on a less than helpful third-party IT provider. Essentially, I have to transpose manually from the pfSense box to the UDM Pro. All my tests fail and it needs to be IKEv2. If this is resolved in v9 of the network application I would be very happy.
The WireGuard client on UniFi uses PBRs for routing instead of adding "allowed IPs"; careful though, as the WireGuard interface is put into the external FW zone instead of the site-to-site FW zone. The UniFi GUI also forces you to add a DNS server to the WireGuard config; this results in all your DNS traffic being forced across the tunnel. If the tunnel goes down, DNS stops working for all LAN clients. It will be nice when UniFi adds WireGuard under site-to-site, as it should resolve these issues. The UniFi GUI looks nice but lacks core functionality, as it always has and likely always will; this is why I'll never use a UniFi firewall regardless of how shiny it is.
I finally have a pfSense WireGuard tunnel and UniFi WireGuard VPN client as an added peer working OK after I set it up manually using the optional preshared key (not sure if I needed to use the optional key but I did and I am not breaking it again to find out 🙂). Couldn't seem to get the file-based config to work though, at least not when exporting from pfSense and trying to import in the UniFi controller. Manually setting it up works just fine though; I treated it much the same as setting up a normal desktop client.
I recently did a site to site WireGuard, and was able to hit the opposing network resources by connecting as a client (WireGuard server on the opposing end on a Pi) and used "policy-based routes" under routing to send specific traffic, to the destination IP range of the opposing network, via the VPN tunnel. Only downside is when I go into a device on that network it can't get back (I'm going to have them connect as a client to me at some point, and basically just run two tunnels, but I haven't yet).
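The S2S annoyances listed earlier (static route for the far LAN toward the tunnel, every LAN that talks needing a rule, client traffic arriving with the tunnel interface's source IP) and the "it can't get back" problem in the comment just above are the same failure seen from two sides: one end routes the far LAN into the tunnel, but the far end has no route (or AllowedIPs entry) back, so replies leave via its default route. Below is an added checker for exactly that (not code from the video, UniFi, pfSense or OPNsense). Site names, prefixes and tunnel addresses are constructed; `tunnel_routes` is whatever set of prefixes a site actually sends into its WireGuard interface, whether that comes from AllowedIPs or from the policy-based routes UniFi uses, and `snat_to_tunnel` models the UniFi client behaviour where traffic leaves with the tunnel IP as source.

```python
"""Check a WireGuard site-to-site design for one-way routing.

Added example for the S2S discussion above; not code from the video or
from any of the firewall products named. Each site is a dict with:
  name          - label used in messages
  lans          - LAN prefixes behind the site
  tunnel_ip     - this site's address on the WireGuard interface
  tunnel_routes - prefixes this site sends into the tunnel (AllowedIPs or
                  policy-based routes, whichever the platform uses)
  snat_to_tunnel- True if the site rewrites its sources to tunnel_ip (the
                  UniFi client behaviour described in the comments)
All sample sites below are constructed.
"""
import ipaddress

HOME = {
    "name": "home",
    "lans": ["192.168.10.0/24", "192.168.20.0/24"],
    "tunnel_ip": "10.255.0.1",
    "tunnel_routes": ["10.255.0.0/30", "172.16.0.0/24"],
}
# Branch knows about one home LAN only: the classic "replies never come back" gap.
BRANCH = {
    "name": "branch",
    "lans": ["172.16.0.0/24"],
    "tunnel_ip": "10.255.0.2",
    "tunnel_routes": ["10.255.0.0/30", "192.168.10.0/24"],
}


def _nets(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def routed_via_tunnel(dst_prefix, tunnel_routes):
    """True if the whole of dst_prefix is covered by some route into the tunnel."""
    dst = ipaddress.ip_network(dst_prefix, strict=False)
    return any(dst.subnet_of(r) for r in _nets(tunnel_routes) if r.version == dst.version)


def check_site_to_site(site_a, site_b):
    """Return a list of problems; an empty list means both directions route."""
    problems = []
    for near, far in ((site_a, site_b), (site_b, site_a)):
        for lan in far["lans"]:
            if routed_via_tunnel(lan, near["tunnel_routes"]):
                continue
            if far.get("snat_to_tunnel"):
                # Far side rewrites its sources to its tunnel IP, so replies from
                # `near` still return; only near-initiated traffic to that LAN fails.
                problems.append(
                    f"{near['name']} cannot initiate to {far['name']} LAN {lan} (reply path OK via SNAT)")
            else:
                problems.append(f"{near['name']} has no tunnel route for {far['name']} LAN {lan}")
        # The peer's tunnel address must be reachable too (keepalives, ping tests).
        if not routed_via_tunnel(far["tunnel_ip"], near["tunnel_routes"]):
            problems.append(
                f"{near['name']} has no tunnel route for {far['name']} tunnel IP {far['tunnel_ip']}")
    # Overlapping LANs cannot be distinguished by any route on either side.
    for a in _nets(site_a["lans"]):
        for b in _nets(site_b["lans"]):
            if a.version == b.version and a.overlaps(b):
                problems.append(f"LAN overlap: {a} ({site_a['name']}) and {b} ({site_b['name']})")
    return problems


if __name__ == "__main__":
    for p in check_site_to_site(HOME, BRANCH) or ["no routing problems"]:
        print(p)
```

With the sample data the checker reports that branch has no tunnel route for home's second LAN; adding `192.168.20.0/24` to branch's routes clears it. Marking home as `snat_to_tunnel` turns the same finding into a softer one, which is the third "annoyance" from the earlier list: NAT to the tunnel IP hides the routing gap for connections home initiates, but branch still cannot reach hosts on that LAN.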
Yeah have an 8200 Netgate not planning on changing anytime soon
What about content filtering? Can I block porn on one device but not on another?
Yes, and I covered that
The migration from BSD is nearly complete.... first TrueNAS to SCALE, now the firewall... need pfSense to pull a TrueNAS convert.
Migrated from pfSense Plus to OPNsense.
I'll wait for WG site-to-site.
So this means you are leaving pfSense to go with UniFi now?
Watch the ending of the video
@@LAWRENCESYSTEMS Thanks sir !
I went from a Meraki firewall to a UDM Pro, and went back to Meraki. The throughput was horrible, got tech support involved, they agreed something was wrong with the unit but never offered to swap it. In less than 6 months it was given to recycling. What a waste of money.
I am switching my current pfSense Plus FW to a new device, just to remember there is no free (or, in my opinion, affordable) Plus for home anymore. Well, apart from the boot environments, CE should also be fine.... except that it has not received an update in a very long time, has a bug with IGMP proxy in the 2.7.2 version, and also no beta access for 2.8.
This will probably be the end of my time with CE 😢
Looking for alternatives and now playing with, of course, OPNsense, but also Sophos XG, which is also free for home use.
Sophos is also using zones and I am still trying to get my head around that concept.
Needs HAProxy and I'm onboard.
NOOOOOOOOOOOOOOOOOOOOO
UniFi hardware needs an upgrade; for the price all this stuff should be 2.5G/10G+ SFP and should start seeing 25G. Alta Labs Route10, as soon as they work all the little issues out, has way better hardware for 200 bucks, and they don't add 70 for an AC adapter that you can buy for ~10... Software seems solid though. Just call me old fashioned, I don't need all the graphics though.
No OpenVPN client export or LDAP sync. That's what's stopping me switching.
It has OpenVPN config file export, AD, Entran, JumpBox, and LDAP support.
UniFi is great for a home lab. Not good for enterprise management and support. I bought a UXG-Pro and struggled for 3 days only to find out that changing the default subnet causes issues on this specific device.
It's fine for enterprise if you know how to use it.
UniFi has terrible support. They let me down twice. Once was an obviously defective unit. Never again.
Never had an issue myself and spent over 5 years working with them. Good luck finding an option for you!
The hardware is crazy reliable, I don't think we've sold any other hardware that just keeps chugging along. Maybe those old HP Laserjets were more reliable. And at the price, the warranty doesn't even matter, for the price of a Meraki, I can just buy two Ubiquiti.
Support is basically DIY, which is a downside if you can't diagnose and troubleshoot it yourself. We've probably sold 400 units and I can think of maybe two or three that have failed. Also gone into many locations and replaced old unifi that was still working just fine just in need of a refresh.
“Unifi has terrible support”
I always wonder what the purpose of such a non-specific complaint is. Is everyone just supposed to say “Well okay, he said they have terrible support. Guess I better buy “X” instead.
What were you expecting? How did they let you down? What hardware problem did you have? 🤷🏻♂️
@ I would agree except HP exists. They truly do have terrible support.
I can't say I disagree. I've dealt with them a few times and it takes forever for them to get back to you.
When I saw this title, my first thoughts were: "What about the performance??" pfSense Plus is much faster with all security added, has much higher throughput when running on a bare-metal server (like a ProLiant Micro or ProLiant DL20).
The UniFi performs quite well.
Until they get FIPS 140-2 certified they're still a non-contender as far as I'm concerned.
Cannot stand the fact that I cannot set up a VPN client without connecting to the UniFi application first :)
Huh?
@@LAWRENCESYSTEMS I mean you need the UniFi app to configure VPN, right? Cannot do it without adopting first, right?
Only their Teleport VPN needs that; as I showed in the video, you can use OpenVPN and/or WireGuard with no special app.
my condolences
😜😂
Funny, I moved from UI to OPNsense and Omada. I was sick of the constant 2FA bullshit to locally manage stuff. The constant security warnings about no certificate. I don't manage my Omada stuff remotely, so I turned off HTTPS. I still have a UniFi NVR, and that's a pain in the ass every few days. I don't know WHY I can't, in ANY browser, add some sort of exception to not bug me.
This video is brought to you by Ubiquiti 😂
Cisco Firepower has less quality of life than this toy xD
pfSense is run by shady slimeballs. UniFi is ok but overpriced. OPNsense is the gold standard for homelabs.
Yuck... good video tho
It’s frustrating seeing so many influencers pushing Unifi products just because they’re getting paid to do so. Sure, they make it sound great, but the reality is that Unifi can be a nightmare for many users. The setup isn’t as smooth as they make it seem, and the software can be buggy, especially for home users who don’t have the technical know-how. A lot of these influencers don’t mention the hidden costs or the headaches that come with the system. It feels more like they're selling convenience for a paycheck than genuinely recommending the best option for their audience
Well, I am not paid by UniFi but they are a very popular product that works quite well.
I'm about to remove pfSense CE from my parents' and drop in a UniFi Cloud Gateway Ultra. 900/900 connection, IPv4 CGNAT and IPv6. There is currently an IPsec VPN to my home for Synology sync.
Hey Tom, I haven't finished the video yet, but why did you pick the UDM over any other firewall brand like Palo Alto or Check Point? Cheers 🫶