Everything Wrong with the UDM-Pro (2024)

  • Published: 8 Sep 2024

Comments • 43

  • @carlyleroberts3995 2 months ago +6

    Excellent review, Toasty. I hope UniFi listens to your comments! I use the UDM Pro in a business environment with about 100 connected devices because it's almost plug and play, decent GUI, no annual license, reasonably good IPS and IDS, WireGuard VPN for cell phones and automatic Internet failover, and the price point makes it affordable for SMEs.

  • @kgury 2 months ago +15

    As a UDM owner, I pray Ubiquiti watches this.

  • @bryandulock5286 2 months ago +5

    This is excellent feedback for Ubiquiti. I agree the advanced firewall rules are somewhat ambiguous in how one might interpret them.

  • @WickedFalcon a month ago +1

    SNMP support recently got enabled on UDM Pros via the network GUI, so hopefully someone at Ubiquiti found your video.

    • @kht-admin a month ago

      SNMP was added in 4.0.3 EA firmware which came out a couple of months before the video was posted.

    • @ToastyAnswers a month ago +1

      Yes, this was one feature that got added between the recording of this video and the release. There are a couple others that got either "fixed" or "better" with more recent updates.

  • @CD3WD-Project a month ago +1

    I agree with a lot of your feedback. I currently manage an environment with about 1500 clients, 57 UniFi switches and 73 APs. My firewalls are SonicWall currently. I did buy the enterprise-grade UniFi gateway, the EFG (Enterprise Fortress Gateway, or whatever it's called), to play around with, and I hope to eventually be able to switch over. I will say in the past year they have added a lot of extra features and done a great job expanding the capabilities of their routers. But I will say the quality of their equipment and ease of use in feature set is unmatched for the price, even if they do have some weird quirks to them. Anyway, great video, and I hope Ubiquiti watches this and continues their expansion of product features and does a little clean up.

  • @GarvsTavern 2 months ago +3

    Why did you create all the firewall rules to prevent your VLANs from talking to each other instead of using the "Isolate Network" checkbox under each network? Is there an advantage to creating your own rules vs. using the checkbox to enable the UniFi predefined rules?

    • @ToastyAnswers a month ago +2

      Great question. I typically only use the isolate network checkbox for networks I want completely isolated (without firewall rules) but I've never actually tried it as the default.
      After reading your comment, I actually gave this a go. The main difference I found is that the rules are applied as "LAN IN" rules, which override any "LAN Out" rules configured on the firewall for networks with isolation enabled. This isn't a huge drawback, I'm just personally used to using "LAN Out" rules when configuring my firewalls.
      I guess the only advantage to creating your own rules is not needing to double up on the "LAN-IN" and "LAN-OUT" rules, but this kind of depends on your approach to firewall rules. I'm just not used to doing it that way so it made more sense to me to stick to "LAN-Out"... but it's probably more work in the long run.
      Thanks for pointing that out and getting my brain going.

    • @derek400004 26 days ago

      @ToastyAnswers This is a great video! I have one question though, if you don't mind: what's the difference between LAN-IN and LAN-OUT firewall rules? I would've thought we need both (to control for bad actors coming into the network, and bad actors already in the network, e.g. a virus on an IoT device trying to dial home going out), which then leads me to think maybe I need to use both the "Isolate network" checkbox AND also set up my own firewall rules?
      Would really love your advice, thank you.

    • @ToastyAnswers 3 days ago

      I just now saw this comment since it got buried as a reply to a reply. I will actually be explaining this a bit more in-depth in an upcoming video.
      The In / Out directions can be kind of confusing because we generally think of it as "Things coming into the network" and "Things going out of the network" but this isn't "actually" the way it works.
      It's better to think of these as the "Interface" or "Port" they are being applied to. Traffic coming IN to the network interface (Your PC -----> "Network Port") and Traffic being Output from the network interface (Your PC
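The thread above (the "Isolate Network" reply and the LAN-IN / LAN-OUT question) describes rules as attached to the interface a packet enters or leaves, with isolation rules landing on the ingress ("LAN IN") side where they take effect before any egress ("LAN OUT") rule is consulted. The following is an added example, written for this page and not code from the video or from Ubiquiti, that models that evaluation order in a small first-match firewall so the "doubling up" effect can be seen on concrete packets. The subnets, rule names, the two-chain ordering and the `Isolate Network` emulation are constructed assumptions for illustration, not UniFi's actual rule engine.

```python
"""Simplified model of interface-direction ("LAN IN" / "LAN OUT") firewall evaluation.

Added example; constructed subnets and rule names, not UniFi's engine.
Assumed model: every packet crossing the gateway is first matched against the
LAN IN chain of the interface it arrives on, and only if that chain accepts it
against the LAN OUT chain of the interface it leaves by. Each chain is first-match.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "accept" or "drop"
    src: str = "0.0.0.0/0"        # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"        # CIDR the destination address must fall in
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Interface:
    name: str
    network: str                                   # CIDR attached to this interface
    lan_in: list = field(default_factory=list)     # rules checked on ingress
    lan_out: list = field(default_factory=list)    # rules checked on egress


def evaluate_chain(chain, pkt, default="accept"):
    """First matching rule wins; no match falls back to the chain default."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


def route(interfaces, pkt):
    """Return (verdict, reason) for pkt crossing from its ingress to its egress interface."""
    ingress = next((i for i in interfaces if ip_address(pkt.src) in ip_network(i.network)), None)
    egress = next((i for i in interfaces if ip_address(pkt.dst) in ip_network(i.network)), None)
    if ingress is None or egress is None:
        return "drop", "no local route"
    # The ingress chain is consulted first; a drop here means the egress chain never runs.
    verdict, reason = evaluate_chain(ingress.lan_in, pkt)
    if verdict == "drop":
        return verdict, f"{ingress.name} LAN IN: {reason}"
    verdict, reason = evaluate_chain(egress.lan_out, pkt)
    return verdict, f"{egress.name} LAN OUT: {reason}"


def isolate(iface, local_cidrs):
    """Emulate the 'Isolate Network' checkbox: LAN IN drops toward every other local network."""
    for cidr in local_cidrs:
        if cidr != iface.network:
            iface.lan_in.append(Rule(f"isolate-{iface.name}", "drop", dst=cidr))


def build_example():
    """Constructed three-VLAN layout where segmentation is done with LAN OUT rules only."""
    trusted = Interface("trusted", "192.168.10.0/24",
                        lan_out=[Rule("block-iot-to-trusted", "drop", src="192.168.20.0/24")])
    servers = Interface("servers", "192.168.30.0/24",
                        lan_out=[Rule("allow-iot-dns", "accept", src="192.168.20.0/24",
                                      dst="192.168.30.53/32", proto="udp", dport=53),
                                 Rule("block-iot-to-servers", "drop", src="192.168.20.0/24")])
    iot = Interface("iot", "192.168.20.0/24")
    return [trusted, servers, iot]


if __name__ == "__main__":
    ifaces = build_example()
    dns = Packet("192.168.20.5", "192.168.30.53", "udp", 53)
    print("IoT -> DNS, LAN OUT rules only:", route(ifaces, dns))
    isolate(ifaces[2], [i.network for i in ifaces])
    print("IoT -> DNS, after Isolate Network:", route(ifaces, dns))
```

Running it shows the point made in the thread: with only LAN OUT rules the IoT network can reach the DNS server while every other inter-VLAN path is dropped, and once the emulated isolation adds LAN IN drops on the IoT interface, the LAN OUT allow for DNS is never reached, so the same exception would have to be repeated on the LAN IN side.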

  • @_Heth_ 2 months ago +1

    I have to agree with this video. Currently I prefer to use Palo Alto, which gives you all the granular configuration options, and I understand Palo Alto costs way more, but they should consider a higher-end enterprise solution. Also, I'm confused how the UDM processes firewall rules. If I deny particular traffic, let's say all DNS traffic, and then allow DNS to and from a specific DNS server and place that rule at the top above the deny-all-DNS rule, it doesn't work. Then some of those apps and app groups don't work correctly all the time.

  • @darrenoleary5952 2 months ago +1

    @Toasty, I'm currently running dual EdgeRouter 4s in a VRRP configuration.
    I am considering moving to something else that is similar in functionality and technicality, not necessarily retaining a VRRP config, but I don't want to go to any of the UDM lines like the Pro, SE, Pro Max, etc for the reasons you've pointed out in this video, but also because I feel that these devices, especially the Pro, are still too buggy in their reliability for my liking.
    What would you recommend?

    • @ToastyAnswers 2 months ago +4

      Personally (as I mentioned in the video), I just retained my existing ER4 to take care of everything the UDM doesn't support. However, if I were to consolidate and move to something different, I would probably gravitate towards pfSense/OPNsense. I've worked with these in the past, and they appear to support most of the features I would want.
      Another option I considered is an EdgeRouter that supports 10Gb with a separate box running pfSense in inline mode (or whatever it's called... where it's just a pass-through for threat detection). However, the cost of both is probably about the same as a higher-end standalone pfSense box.
      If price wasn't a consideration... I'd probably consider a beefy SonicWall, but that's mostly because I'm familiar with the platform. It is cost-prohibitive in a home environment, though.

  • @iankester-haney3315 a month ago +1

    The network mapping on UniFi sucks. It just doesn't update entries as far as I can tell. Adding a switch and moving devices doesn't seem to actually change the map. Even on a simple network it will occasionally confuse wired and wireless devices.

  • @andrewenglish3810 a month ago

    Has your view changed with Network version 8.4.54 installed? I noticed under routing that NAT does appear now. I guess you don't use 2FA on any of your clients' VPNs? This is a major problem with the UDM-Pro, as none of their VPN servers support it. SNMP v3 on my UDM-Pro running 8.4.54 doesn't show my UDM-Pro, but it does show my USW Enterprise 8 PoE switch.

    • @ToastyAnswers a month ago +1

      Yes, actually it has a bit. A few things I mention in this video were "fixed" before I even released it. I plan eventually to go back through and touch on the improvements.
      I will agree that 2FA on VPNs is definitely something that is lacking... for reasons that I might mention in a future video.

  • @pauldunecat 2 months ago +3

    Quite the vid, thank you. I loved my abandoned ER4, even when they borked the kernel update so badly.
    I'm so done with UniFi stuff; their software quality is on par with Microsoft, meaning we are all the alpha/beta testers for broken software stacks.
    I just run a FortiGate at home now. It actually works, as long as you don't do any client VPNs with it, as they too can't seem to do that properly.
    Enshittification is REAL out there.

  • @angelsoul3359 a month ago

    Hi Toasty. Just discovered your channel while looking for info on the Ubiquiti U7 Outdoor access point. Would you be willing to do a video on the subject and show us the configuration process? Also, I HATE that everything has a "controller", so could you also show us if there is any way to access it without using the controller? If so, what can it do or not do? For example, can it connect to dual or triple wifi bands without the controller? Hmmm, this sounds like it may take TWO videos, after which I will have more questions, lol. But if the procedure would be the same as your "Unify AP - First Time Setup" video, please let me know and I will just follow that video. Thank you. Oops, it just occurred to me that you would have to BUY the access point to do a video about it, when all I'm trying to do is extend my wifi to help my surveillance cameras reach back to my router better, because their signals are weak and unreliable at 175 feet away. 😔

    • @ToastyAnswers a month ago

      I have plans to buy some "recent" APs and redo my first time setup video. 90% of the information will be the same as my existing videos. The main difference is the interface and some of the product information (i.e. newer models do not include PoE injectors, they are a separate purchase).
      As far as I'm aware, the Ubiquiti equipment doesn't support a "standalone" operation method and requires the controller for all configuration. The good news is the controller is not required once setup is complete unless you are wanting to log historical data or run an active guest portal.

  • @jamesa4958 a month ago +1

    Agree

  • @ezestudiosvegas a month ago

    So I'm sensing that you like SonicWall better? What does UniFi do that SonicWall doesn't? Thx

    • @ToastyAnswers a month ago

      I wouldn't say I like them better, but I do like how they implement certain features and the flow of object categorization. I'm certainly very familiar with SonicWalls, but there is plenty I don't like about them as well.
      There isn't really anything the UDM can do that a SonicWall can't, besides be affordable. The allure of the UDM is that the price/performance ratio is very good and the feature set is decent. If cost wasn't a factor, I would probably be running a SonicWall, a custom pfSense box, or something else. The problem is that many alternatives cost upwards of $1000 to match the raw throughput of the UDM (you can argue the "robustness" of security features is much higher on more expensive platforms, but I'm speaking strictly in terms of throughput with all services enabled).
      For example, to get close to the advertised 3.5 Gbps of IPS throughput of the UDM you would need a SonicWall TZ670, which starts around $1700 and must be continually re-licensed in order to remain functional. This is kind of an apples/bananas comparison, but it highlights how attractive the UDM looks at roughly $400 when you start shopping around for UTM appliances.

    • @VegasLites a month ago

      @ToastyAnswers I have an old pfSense box and a TZ570 on hand. However, the UDM is preferred for the speed issue. I have 3 subnets, one for personal devices including 80 IoT devices, all with fixed IPs, for which the topic related to reconfiguring those IPs looks like a challenge. The grouping issue with the UDM is concerning, since I plan to VLAN segments on the personal subnet. The other two subnets are for work-related use and are isolated and less complex. I was definitely planning on the UDM Pro, which allows for 2G fiber, which just became available. This video caused me to pause and comprehend the crossover from pfSense. I'll probably go UDM, put in a second internet via fiber and slowly migrate. Excellent videos on your site. You do fine work. I've been in IT since the mid 80s. Keep up the good work, it is important. Thanks.

  • @apalrdsadventures 2 months ago +1

    If you use IPv6 then you don't need to worry about NAT between overlapping subnets :)

  • @CaesarNayKid 2 months ago

    I'm only a little bit into this video that came out 13 days ago, but I just recently had a big UniFi OS 4.0.6 update, so I'm curious if you'd had a chance to look through that.
    I saw "Added SNMP support" at least in their list.
    Anyway, maybe you can make a follow-up vid if you check it out and see some improvements.

    • @ToastyAnswers a month ago

      Yeah, I was very late uploading this video and it was recorded quite a while ago. I plan to make a follow-up since a few of my points have been either improved or removed entirely in more recent updates. I didn't notice the SNMP support in the latest notes, I'll have to check that out.

  • @News_PAL 2 months ago +5

    Maybe you should have updated to 8.2.93 before uploading this video, as there is a lot of improvement in the security tab.

    • @JohnnyB_RO 2 months ago +3

      Yes, you are not using the latest available version and are missing quite a few new features... please redo this video after that update; it would be interesting to see your input after that.

  • @News_PAL 2 months ago +1

    And, although you only uploaded this 2 hours ago, the tabs and interface are different 🙂

    • @ToastyAnswers 2 months ago +2

      Yeah... I'm going to have to do an update. I recorded this a couple months ago right before the new update came out. You're right, they did fix one of my main complaints in the security tab along with some updates to other things.

  • @manslayerdbzgt 28 days ago

    You don't have to do that anymore. Initiating the advice to failover is automatic; it's nothing, you don't have to do anything. You could be a million miles away and be sleeping and it'll do it for you. That was only because when Shadow Moon first came out it was still in beta; it wasn't the full version.

    • @ToastyAnswers 5 days ago

      True, updated video will be coming at some point.

  • @coopercollier2638 a month ago +1

    Wow, so wrong on so many points. I run a very large network on UDM-Pro. Works fantastic. Confusing firewall rules? Not really; the issue is everyone has learned the confusing Cisco rules, so rules that make sense are confusing. Noisy? It's a business/enterprise solution, it goes in a server room or rack; it's the least noisy thing I have. Underpowered? Yes/no. If you try to record video and run all the other applications, you will run into trouble. The NVR embedded in the UDM is only good for 1 or 2 cameras. They have multiple alternate NVR products at a dirt cheap price! Everything in the world is underpowered if you try to use it past its design. My 1/4 ton truck is underpowered to carry 2 yards of gravel... a 5 gallon bucket is underpowered to carry 10 gallons of water. I currently am running over 200 cameras with my UniFi system. But I designed correctly! I am using 3 NVRs, a dedicated UDM-Pro, oh, and I wired a completely separate network for the cameras; 200 cameras sharing my data network would be BAD!

    • @ToastyAnswers a month ago +1

      Fair point. A lot of my "problems" are nit picks or more along the lines of managing expectations. I will say, however, that there is a difference in network "scale" and network "complexity". The UDM can handle an impressively large network, but falls short when additional complexity is required.

  • @mrq332 2 months ago

    If you have so many complaints, why do you use it? For many people this is a great system for normal home use.

    • @ToastyAnswers 2 months ago +4

      It's still a great system and the price/performance makes sense. I'm just a nerd with unrealistic expectations...

    • @ehss192 a month ago

      19" rack mount routers aren't for 'normal' home use.

  • @hng3170 2 months ago

    My first firewall vendor is Fortinet. Guess I lucked out 😂

    • @The_Tech_Ninja 2 months ago

      I have used both Fortinet and UniFi for 10 years, and they are different, but it's all about the use case.