
Ubiquiti Unifi USG-PRO-4


cs.dk

Hi,
Does anyone have experience with the router in topic?
I can't find any real world performance figures, or reviews of the unit.

I've got a 500/500 fibre connection.

Other firewalls I should consider? I'm not going x86 and pfsense. I want a dedicated unit.
I've got an old SonicWall today, but an upgrade to a new one would cost me a fortune.

Thanks :)
 
The Unifi USG series appears to be basically Edgerouter-equivalent HW (with EdgeOS) + Unifi Controller (SW) + "Powerful firewall performance".

Whether such a combination lives up to its promise, I don't have first-hand experience to assert one way or the other. But according to Ars Technica's router rumble, the USG underperforms.

Interestingly, as you mentioned, I couldn't find any honourable details about the "powerful firewall performance". My hunch is that it means the USG series comes with predefined firewall rules (and perhaps with pretty graphs and statistics in the GUI). The USG series runs the same underlying EdgeOS which Edgerouters share. By that, the predefined firewall rules are built upon iptables rules. For people with some background in iptables, one can easily configure Edgerouters to provide the same security protection.

Edgerouters come with empty firewall rules. That's an over-simplification. They do, but they come with a well-thought-out and well-built framework of iptables that allows users to fit in firewall rules.

I had been searching for better models of using iptables on the web. Different "gurus" offer varying recommendations. So your trust in security as well as efficiency and elegance depends on how much of their credibility you honour. I'm biased toward EdgeOS's way and the firewall rules I added on top. I think it's clean and neat. Here is a screenshot of the rules in brief and associated statistics:

firewall.png

So glad to assure myself that the "dark wild west" days of AsusWRT firewall were over for me.
 
Unifi Controller is already built into all USGs. If you only have Unifi APs connected to your USG Pro, you don't need CloudKey for AP management. What was your intended use for CloudKey?

Now you can give me (and I'm sure there are other interested readers) an ad hoc review with your first-hand experience. Any interesting features you see regarding the built-in firewall? :)
 
There is no Unifi controller built in. Those devices don't have any sort of interface, other than SSH.
The idea is you dedicate one PC for the controller software; you can't reach the router or AP from any other than the one you dedicated. If you adopt it to another device, then the previous must "forget" it, and reset to factory defaults. That's the reason I bought the CloudKey.

There is really nothing exciting in the firewall. It seems pretty basic, like most other consumer routers. I hope it will mature, it seems like they are doing a good job on getting it one step further.

First-hand experience: easy to get up and running, bandwidth capability, WLAN is also well over my expectations.

For the price - Get one, and wait for it to mature.
 
Very interesting. Only after your comment did I seriously look at the USG docs. It appears you're right (of course you are!). The paradigm of the USG/Unifi AP lines is akin to Apple wifi. It's no surprise, as the guy who started UBNT worked in Apple's wireless department. Unifi Controller = Airport Utility! USG + Unifi AP = Airport Basestation. Yet to run Unifi Controller users must buy a piece of HW (CloudKey) to run it on (or/and run on the cloud). Brilliant idea. He sells more stuff to users. Total cost of ownership isn't a bargain but maybe still of good value. The EdgeMax line appears to be more honest products compared to USG.
 
The USG isn't a performance firewall; that firewall basically means it will run slower than the ERL since they have the same hardware. However, many will prefer getting faster hardware and using predefined rules for easiness than setting up all the security manually. If you want a performance firewall, pfsense and mikrotik CCRs will do gigabit speeds while doing all the filtering you want, as they don't have to rely on hardware acceleration. There are other performance firewalls but pfsense and CCRs are the cheapest around.

There are also other x86 based firewalls but it's basically the same thing. Take an x86 OS and put what you want on it. You can build your own, like getting the OS you want (such as BSD or a Linux server), installing the software you want and configuring it, or getting a firewall image instead.
 
You can run the controller on any Mac, PC, or Linux machine. You don't need to purchase a CloudKey.

I have 4 AC-Pros, USG-Pro4, and a 48-port PoE 500-watt switch (main network, powers APs) and a 24-port PoE switch (powers my cameras).
 
The USG isn't a performance firewall; that firewall basically means it will run slower than the ERL since they have the same hardware.
So, if you make the same firewall rules, what would make the USG slower? It doesn't even have to take care of a web interface.
The most efficient firewall I have used is MS ISA. But kill me, that thing requires configuration like no other. And it takes quite some hardware too.

You can run the controller on any Mac, PC, or Linux machine. You don't need to purchase a CloudKey.

No, it's not mandatory to get a CloudKey. But when you reformat your laptop, and/or wanna see your router/AP config from another PC, then you will buy the CloudKey too. You can't have the controller running on more devices in parallel.
 
So, if you make the same firewall rules, what would make the USG slower?

It should not. Just the same.

SEM is intensively in love with Mikrotik. Let's not challenge his dedication but feel free to turn a deaf ear :p

Mikrotik seems to have done a brilliant job in system optimization. They strip down a fully functional enterprise grade Linux router down to less than 16MB. At the same time I would think it must be a nightmare in a major kernel upgrade. ROS 7 has been in the making for many years yet not shipped. IMO such a paradigm was justified in 1996 but not in 2006, not to say 2016. They have no choice but to continue on the current projectile. It's a burden but also their competitive edge.

The EdgeOS backend of the web interface is about 30% of all consumed RAM, which itself is about 30% of 256MB RAM on my ER-X. Non-issue even for this small device. Screenshot of ER-X top:

top.png

Anyway, I might also get a Mikrotik when I see a good deal. Peace.
 
So, if you make the same firewall rules, what would make the USG slower? It doesn't even have to take care of a web interface.
The most efficient firewall I have used is MS ISA. But kill me, that thing requires configuration like no other. And it takes quite some hardware too.



No, it's not mandatory to get a CloudKey. But when you reformat your laptop, and/or wanna see your router/AP config from another PC, then you will buy the CloudKey too. You can't have the controller running on more devices in parallel.

It's not just to do with firewall rules; it could contain a large number of firewall rules or even run other software. You can install Debian Linux software on the Edgerouters as long as it is compiled for the MIPS CPU it uses. For example, the ERPRO can do 80Mb/s of squid3 proxying per core.
 
Mikrotik seems to have done a brilliant job in system optimization. They strip down a fully functional enterprise grade Linux router down to less than 16MB. At the same time I would think it must be a nightmare in a major kernel upgrade. ROS 7 has been in the making for many years yet not shipped. IMO such a paradigm was justified in 1996 but not in 2006, not to say 2016. They have no choice but to continue on the current projectile. It's a burden but also their competitive edge.

Gah... it's always hard to convince folks that "newer" isn't necessarily better... a lot of fixes in the kernel can be backported, some have to be done outside of things...

Consider that many of the 2016 model Broadcom devices are still running a 2.6 kernel these days...
 
Consider that many of the 2016 model Broadcom devices are still running a 2.6 kernel these days...

One of the reasons I abandoned Broadcom based consumer routers.

The MediaTek MT7621A based Asus RT-N56U B1 is even doing better. It comes with a 3.x kernel. Supports true HWNAT. HW crypto... 3rd party FW even enables client-mode wireless. That's huge progress! oh..well..
 
