Asus vs Unifi vs ?

Small loop back into the conversation with prime day and all...

Would you recommend a RT-AX86u Pro (currently on sale for $152) OR GT-AX6000 (on sale for $190) AND a second router to be a wired backhaul node? I can get a refurbished AX58U (AX3000) for $80? Thoughts?
 
Get 2x GT-AX6000 if you want Asus and AiMesh, use 2.5GbE link for wired backhaul.
 
I had the opportunity to tinker with both a UDM Pro and SE for several days, along with some AC and U6 Pro APs.

Hands down the user interface is cool, and the device adoption process for APs and switches was easy-peasy.

But that was the end of my satisfaction and amazement.

UDMs do not hold a candle to Asus-Merlin's scripting, configuration and scheduling. Even Asus OEM firmware has more options for configuration at multiple levels than the UDMs.

On the Ubiquitis, I could not reliably set up DNS redirection and blocking. Tried DNAT, masquerading, firewall blocking, even SSHing to manually add iptables rules - GARBAGE.

OpenVPN server setup is terrible (can't just create/import keys). No cron jobs to send curl updates to DNS & DDNS services. Barely any iptables or dnsmasq functionality, so no way to push custom DNS to individual devices or blocks of devices, or set up special routing rules, or block swaths of IPs (DoH, DoT, etc) from a text file. My old ER-X had more capability than these newer UDMs.

Tailscale sideload borks the whole unit if you mess up the initial "tailscale up" command - like, wipe and reset.

Right now, I am splitting the difference to see how at least the APs perform: disconnected/abandoned the UDMs, and went back to my ASUS-RT-AX88U-Pro with 3006 Merlin as the firewall, router and DHCP server but installed the Unifi software controller.

1) It sucks that the APs can't be fully configured without UniFi.
2) Using UniFi, I was able to propagate my native WiFi networks and it works just like another Asus AP/AiMesh.
3) Using UniFi, I was able to propagate my guest network to the same VLAN as the ASUS, so that worked fine as well, including the network segmentation and custom DNS filters for that network - the RT-AX88U-Pro worked perfectly as the main router.

The only setup that I see competing with ASUS-Merlin functionality is maybe a Mikrotik or OpnSense setup. Everyone should be thankful to @RMerlin and all the addon coders for making these consumer level routers superior to cloud-centric, dumbed down Ubiquiti, Cisco/Meraki, and PaloAlto gear.

My $0.03.
 
Not very clear to me what exactly you wanted to do. I could help if you asked some more specific questions. Not a pro in UniFi configuration, but I have 3x UniFi home networks up and running with site-to-site, local VPN servers, DNS interception and redirection, etc. and most of it was configured with options available in the UI and built-in features. Not sure what is cloud-centric in UniFi either. For a small home setup a cloud account is not required. At the end of the day - use whatever is easier for you.
 
FWIW, my own setup has UniFi APs, pfSense router, mostly-Cisco switches. I too find UniFi's routers/gateways to not be compelling, but they make good APs.
 
Have you seen the new Zone-Based Firewall after the Network Application 9.x update? The Zone Matrix is actually pretty close to how network planning is usually done. Lawrence Systems has a good video about how it works.
 
Have you seen the new Zone-Based Firewall after the Network Application 9.x update? The Zone Matrix is actually pretty close to how network planning is usually done. Lawrence Systems has a good video about how it works.
I checked out the video and will give the zone based firewall a try - it may accomplish some of the one way comms and isolation that I do manually with scripting.

As for my other "needs" that I could not get to work with UniFi:

1) DNS interception that allows devices in my network to access a specific public IP address range for DNS resolution as well as one specific DNS IP, but any request outside of that range set gets redirected to a specific DNS server (i.e., hardcoded fallbacks, manual circumvention of assigned DNS; see my #3):

Code:
#!/bin/sh

# Transparent DNS redirection. The nat PREROUTING chain stops at the first
# matching target, so the exemption rules must come before the catch-all.
# Exempt the Minecraft Bedrock server's resolver: ACCEPT in the nat table
# means "leave this connection un-NATed" (the original DNAT-to-itself did
# the same thing, just less obviously).
iptables -t nat -A PREROUTING -p udp -d 104.238.130.180 --dport 53 -j ACCEPT
# Redirect any UDP port-53 query not already aimed at the Cleanbrowsing range
iptables -t nat -A PREROUTING -p udp ! -d 185.228.168.0/23 --dport 53 -j DNAT --to-destination 185.228.168.53
# Same two rules for DNS over TCP
iptables -t nat -A PREROUTING -p tcp -d 104.238.130.180 --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp ! -d 185.228.168.0/23 --dport 53 -j DNAT --to-destination 185.228.168.53

2) Completely block a list of DoH servers, and auto DoH.

Code:
#!/bin/sh
# List of DoH DNS IPs and ranges to block EXCLUDING Cleanbrowsing
# (one entry per line; blank lines are skipped by the for loop below)
DoHdns_ips="
1.0.0.1
1.0.0.2
1.0.0.3
1.1.1.1
1.1.1.2
1.1.1.3
8.8.4.4
8.8.8.8
9.9.9.9
9.9.9.10
9.9.9.11
9.9.9.12
9.9.9.13
23.92.29.236
35.231.247.227
37.252.185.229
40.76.112.230
......
......

223.6.6.6
223.5.5.5
233.35.99.33

"

# Loop through each IP in the list and block it.
# -I inserts at the top of each chain so these rules win over anything
# already there; re-running the script without flushing adds duplicates.
for ip in $DoHdns_ips
do
    # Reject forwarded (LAN client), inbound (to the router) and outbound
    # (from the router itself) packets to each address, on every port
    iptables -I FORWARD -d "$ip" -j REJECT
    iptables -I INPUT -d "$ip" -j REJECT
    iptables -I OUTPUT -d "$ip" -j REJECT
done

3) Assign DNS to devices based on DNSMasq option configs (this is just one example of several range and option sets I assign):

Code:
#set Nintendo Switch to have custom dual DNS - Bedrock Server and CBNS Free Adult
dhcp-range=set:switch,192.168.50.191,192.168.50.191,24h
dhcp-option=tag:switch,option:dns-server,104.238.130.180,185.228.168.95

4) be able to use a master list of IPs and domains to blacklist access at the router/gateway level.
 
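An added example, not from the original post or from Asuswrt-Merlin, that combines needs 1) and 2) above (port-53 interception with an allow-list, plus DoH/DoT blocking) into one script that can be re-run safely from a firewall-start hook. Everything it assumes is labelled: the LAN bridge name br0, the resolver addresses (reused from the post as placeholders), a constructed five-entry DoH list, and that ipset is available on the router. It is a dry run by default and only executes iptables/ipset when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: LAN bridge is br0,
# resolver addresses are placeholders copied from the post, the DoH list is a
# constructed sample, and ipset is installed. Dry run unless APPLY=1.

IPT="iptables"
IPSET="ipset"
if [ "${APPLY:-0}" != "1" ]; then
    IPT="echo iptables"
    IPSET="echo ipset"
fi

LAN_IF="br0"                            # assumed LAN bridge
ALLOWED_DNS_NET="185.228.168.0/23"      # resolvers clients may reach directly
ALLOWED_DNS_HOST="104.238.130.180"      # one extra resolver (game server)
DEFAULT_DNS="185.228.168.53"            # every other port-53 query lands here
DOH_SET="doh_block"
DOH_IPS="1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9"   # constructed sample list

# Transparent DNS interception for LAN-originated traffic only.
dns_nat_rules() {
    # Private chain: re-running flushes and rebuilds instead of stacking rules
    $IPT -t nat -N DNS_REDIR 2>/dev/null
    $IPT -t nat -F DNS_REDIR
    $IPT -t nat -D PREROUTING -i "$LAN_IF" -j DNS_REDIR 2>/dev/null
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -j DNS_REDIR
    for proto in udp tcp; do
        # Exemptions first: nat chains stop at the first terminating target,
        # and ACCEPT here means "no NAT for this connection"
        $IPT -t nat -A DNS_REDIR -p $proto --dport 53 -d "$ALLOWED_DNS_NET" -j ACCEPT
        $IPT -t nat -A DNS_REDIR -p $proto --dport 53 -d "$ALLOWED_DNS_HOST" -j ACCEPT
        # Catch-all: any other resolver, hard-coded on the client or not
        $IPT -t nat -A DNS_REDIR -p $proto --dport 53 -j DNAT --to-destination "$DEFAULT_DNS"
    done
}

# Block DoH to listed servers and DoT on its fixed port, for LAN clients.
doh_block_rules() {
    $IPSET create "$DOH_SET" hash:net -exist
    $IPSET flush "$DOH_SET"
    for ip in $DOH_IPS; do
        $IPSET add "$DOH_SET" "$ip" -exist
    done
    $IPT -N DOH_BLOCK 2>/dev/null
    $IPT -F DOH_BLOCK
    $IPT -D FORWARD -i "$LAN_IF" -j DOH_BLOCK 2>/dev/null
    $IPT -I FORWARD -i "$LAN_IF" -j DOH_BLOCK
    # One set lookup replaces hundreds of per-IP rules; matching on 443 only
    # leaves plain port-53 to the same addresses for the NAT rules to handle
    $IPT -A DOH_BLOCK -p tcp --dport 443 -m set --match-set "$DOH_SET" dst -j REJECT --reject-with tcp-reset
    $IPT -A DOH_BLOCK -p udp --dport 443 -m set --match-set "$DOH_SET" dst -j REJECT
    # DoT has a fixed port and needs no list
    $IPT -A DOH_BLOCK -p tcp --dport 853 -j REJECT --reject-with tcp-reset
}

dns_nat_rules
doh_block_rules
```

Both chains are hooked with `-i br0`, so the router's own upstream resolver (including any DoT/DoH it does itself) is untouched, unlike the per-IP OUTPUT rejects in the post; and because each run flushes its private chain and re-links it, the script can sit in firewall-start without accumulating duplicates.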
The only setup that I see competing with ASUS-Merlin functionality is maybe a Mikrotik
If OpenVPN is important to you, then stay away from Mikrotik. Not only is their implementation clunky, but it's also so old that you have to either use OpenVPN 2.5.x, or add config settings with OpenVPN 2.6.xx clients to downgrade to the older TLS/SSL parameters Mikrotik uses. Took me a long time to figure it out; I only recently did so, so I could finally upgrade my desktop client version.

Code:
tls-cert-profile insecure
compat-mode 2.4.0

I manage one customer who has a Mikrotik, and I seriously dislike it...
 
1) DNS interception that allows devices in my network to access a specific public IP address range for DNS resolution

Not sure why the devices have to access a specific range, but DNS interception and redirection happens automatically when Ad-blocking or Encrypted DNS are enabled. All requests on port 53 are redirected to the Gateway's DNS proxy server. There is nothing to do manually. If the two above are disabled, a DNAT rule in the UI can do the same.

2) Completely block a list of DOH servers, and auto DOH.

For this you have to use the App Blocking feature; it also has services on the list with DoH and DoT. The former uses a list of DoH servers, the latter blocks port 853 UDP/TCP. It's literally a few clicks and again no need to do anything manually. This blocking doesn't prevent the Gateway itself from doing DoH upstream to your preferred DNS service.

3) Assign DNS to devices based on DNSMasq option configs

Better not to mess with files over SSH, because every VLAN has its own Dnsmasq instance and your Gateway can run up to 255. Make sure you know exactly how the system works before doing this. You can group clients and assign custom rules to the group in the UI. I'm not using it for home networks, but research Profiles to eventually achieve the goal.

4) be able to use a master list of IPs and domains to blacklist access at the router/gateway level.

You have 26 categories in IDS available plus geo-blocking in the UI. A CyberSecure subscription for 50+ additional categories is available. What you want is not available in the UI, but UniFi OS is a Debian Linux based system. If you feel comfortable with the CLI and you are sure you won't mess up a quite complicated OS - go ahead. I don't remember this as an option in the pfSense/OPNsense UI either.

------

Keep in mind SMB software is more strict about manual interventions by design. What is strange to me - you insist on doing things manually and even take over what common trusted blocklist providers like CINS Army or DShield are already doing for you. Is your manual list going to be updated daily like UniFi OS does? You are looking for unnecessary complications.

What you call "garbage" is up and running here on three different sites since installed. True set-and-forget hardware and software. I take a peek at the Asuswrt-Merlin 3006 branch release threads (both beta and stable) and noticed quite unusually long runs lately. Some broken functionality in the underlying Asuswrt base is still present, and the compatibility mess Asus made with AiMesh and all variations of Guest Network Pro, Network and Smart Home Master requires a special degree to navigate.
 
As for DNS, I do not want to use UDM's deployment or categories - I like Cleanbrowsing's logging, filtering, and whitelisting, and I want my clients (both local to my network and when away on a guest wifi or cellular) to always use Cleanbrowsing. But since different groups use a different DNS IP, I need to be able at the router level to allow DNS requests to the Cleanbrowsing CIDR range I specified (plus the one minecraft DNS) to pass through the router, but ANY and ALL other DNS requests to any other IP need to be intercepted and DNATed to a default Cleanbrowsing server (see example, above). I can do that on my ASUS and other platforms... Can UniFi do this? I tried several rules but the client device DNS (manually changed at the device) slid right past the rules.

I like using publicly available blacklisting, but I also like being able to have 100% local control and configuration. I admit that my aversion to the UniFi ecosystem is limited to just several days of experimentation (home labbing).

Sounds like I should dig a little deeper before being so critical, and I will do so, including checking out the zone based firewalling, CyberSecure, and the zone based firewall update.
 
UniFi made quite a few updates lately and some UI categories and options were changed. Had some time to play with the settings to see what happens. Seems like in the CyberSecure menu, Content Filter, Ad Block/Safe Search/Filtering all activate DNS interception and redirection automatically in the background. It makes sense to have it enabled. This thing:

[screenshot: CyberSecure menu with none of the filtering options enabled]


If none are enabled like in the screenshot above, then something like this rule in the Policy Engine menu, NAT tab does the same thing instantly. The rule has to have a name and has to be applied to an interface. I have the Guest Network going through NordVPN and using the gateway's DNS with DoT upstream.

[screenshot: port-53 DNAT rule in Policy Engine, NAT tab]


For preventing clients doing DoT/DoH - it can be done per client or per interface. There are two ways to achieve the same thing, Simple App Blocking in CyberSecure Menu, Protection tab or straight in Policy Engine with Firewall rule.

[screenshot: Simple App Blocking in CyberSecure, Protection tab]


[screenshot: equivalent Firewall rule in Policy Engine]


It's just different OS with settings in different places following different logic.
 
I like Cleanbrowsing

You won't have the logging, but UniFi content filtering is using Cleanbrowsing filters. Ad-blocking is using AdGuard filters.

I also like being able to have 100% local control and configuration

Many users have Pi-Hole or AdGuard Home to do this, but read about configuration specifics related to multiple VLANs. Home routers with a flat network design are easy. This one is more complicated. The same applies to Asuswrt 3006 with multiple DHCP server instances. You have to know what you are doing.
 
Sounds like I should dig a little deeper before being so critical

I understand where you are coming from - you want total visibility and manual control. Old habits, perhaps. You have noticed already UniFi is like Apple. Some things just happen automatically in the background when there is a need. Other things are not available when there is no need. It's done this way perhaps because when you have 1000+ clients your "small network total control" approach will be extremely time consuming. The system doesn't focus on a client, but is made to scale for thousands of clients. What you want is possible with a more open system like 3rd party firmwares. A sysadmin in a larger company will never want this.

My own opinion - let the system work for you. You don't want a second unpaid job as home sysadmin - the only one who can fix all the customizations and tweaks. Keep it simple; the options available are plenty. Set notifications, let the system monitor the performance and ask for your attention only when something is wrong. Time is an irreplaceable commodity. What exactly was blocked, which exact client, when it happened, what blocklist was involved... it doesn't matter much if you think about it.
 
Get 2x GT-AX6000 if you want Asus and AiMesh, use 2.5GbE link for wired backhaul.
It looks like I have the option of either 2 x GT-AX6000 or 1 x GT-AX6000 and 1 x RT-AX88U Pro. Do you see a reason to choose one over the other? If I were to mix the two devices, is there any reason to choose one to be the router vs the satellite?
 
Both are very similar devices. I personally would prefer two identical units.
 