Oh my gosh. Thank you so much!!! Ever since I bought my pfsense I've been trying to figure out how to get the DHCP moved to it from my Ubiquiti. This video is exactly what I needed.

Been running my UDM pro behind pfsense the whole time, I used the multiple IP addresses assigned to my from my isp to be able to get past my double NAT, great video

Thanks, I tried this with an Edge Router 4 last year for a few weeks and finally just gave up. I didn't like the double cabling, the double NAT, and felt a bit like riding in a helicopter - it was spending all of it's time trying to screw me and crash. ;) I agree with your assessment. Sell the UDMP if you want load balancing and advanced routing and get the CKG2+ and just be done with it. Thanks for your great videos as always.

Ayyyy I do this too! Glad to know I'm not the only one! I think each device has it's pros and cons, and each one fixes the other, having both of them makes everything better!

I'm glad I found this video. My UDM Pro SE locks up if download large amounts of data at 1Gbps so I have to limit the bandwidth of my clients to avoid this. I was hoping to put a pfsense box between my ISP and UDMP SE but this is sounding like a lot of work so I might just sell the UDM Pro SE.

That was a very fast video lol... As a Dutch speaking guy, I'll have to watch it more than once and pause in between to let it sink into my brainzzz :) But I was one of the many who had this same question of putting pfsense in front of unifi stuff hehehe

Love this video. Thanks for making it so simple. My UDM pro would be perfect but unfortunately, my remote Avaya phones don't support L2TP over IPSec, they just want pure IPSec so I've been trying to find a solution. Really wish Ubiquiti would improve the VPN features in the UDM Pro! This is my only fault with the Ubiquiti products. They're brilliant.

At around 5:40 ish you are putting 1.1.1.1 for dns in each vlan dhcp, what if I'm using an adguard/pinhole ad blocker? Do I have to specify each one, or is there a way to set them all to look at 1 address and then point that address to said ad blocker? For the record, I'm trying to adapt this pfsense tutorial to opnsense I'm trying to setup, all VMs or dockers on my Unraid. I don't have my unifi stiff setup yet, but am trying to do a "pre-setup" of Opnsense for it.

The same applies to any UTM device as covered in this video, does add complexity but allows for features of a UTM while keeping a UDMP/UDMSE to manage the rest of the network and protect

One question regarding this setup. I am using a Frotigate instead of a Pfsense. The thing is that if a try this aproach of VLAN-only network I am no longer able to see the devices or 'clients' connected to the UDM Pro. As if by having another device do routing disbles this feature. I think that in order for the UDM to know what device is connected on which port and have all the metrics, the UDM needs to act as the FW.

Hi, Nice summary, but as you stated: I wouldn't do this kind of setup either as it makes things overcomplicated unnecessarily. My five cents (and I think I already mentioned it in other responses on other videos) is to let the UDM Pro do whatever it needs to do. However, it is always a good thing to put another firewall in front of it, but put that firewall in bridge mode (inline). The firewall does not handle any routing or blocking on the level of inter-VLAN communication or blocking specific inter-VLAN traffic, as this is not necessary because on that level the UDM Pro does what it needs to do very, very well). I did the inline firewall setup with Sophos XG, however, also works with PfSense I assume. The reason for this kind of setup: additional layer of IPS/IDS as I trust Sophos XG (or PfSense) more than UDM Pro for that (and in any case: it IS an additional security layer on which you can block anything you absolutely want to keep blocked when it comes to homenetwork to internet traffic and more important internet to homenetwork traffiic, even if you make a mistake on the UDM configuration and accidentally open up everything. However: I was wondering: is there a possibility to do https decryption in front of the UDM Pro (as in: where the in-line firewall is between internet and the UDM Pro?). The reason why I would do this is to avoid having to publish certificates to each and any device (I think). When the https decryption happens in front of the UDM Pro, only the UDM Pro would have to trust the certificate for the decryption (I might be dreaming here as I doubt this is even possible)

Bridged or routed, so long as it's not double natted. Just use PFSense as a router disabling NAT. You can then use Suricata, PFBlocker, ntopng, etc. Good video, but you made it more difficult then it needs to be. You can also then use DNS over TLS DoT on PFSense. The UDMP can handle DHCP, NAT, etc.

Does the way you are connecting between Netgate 6100 and UDM Pro allow multigigabit/10gigabit VLAN downstream?

Seeing UDM-PRO and Ubiquiti don't have a native HA proxy or plugin support but pfsense does, I had to do something similar to this video. It's a common request and sad is still missing from the prosumer UDM-PRO.

After watching this video, I think it's time I let go of my UDM Pro. I've only been looking into this because the 3.5Gb throughput cap for IPS will limit me in the near future, but from the first thought I didn't want to deal with over complication and double NAT.

Hello, I was wondering if you could tell me if it’s possible to use UniFi protect camera and store the live footage simultaneously on the Nvr/cloud key gen2plus and on a cloud storage like Dropbox,backblaze in real-time.is that possible?

Wouldn't it be better to let the udm pro do everything as normal then just set up pfsense as a transparent firewall/proxy in front of it? That would give you the analytics on the udm dashboard and eliminate the weird middle subnet between the udm and pfsense.

Hi I’m moving to another country so need to have a way of circumventing geo-locking. I was thinking of adding a PFSense between the UDM and the modem to install a VPN on my system. Would this work?

I've been considering doing this because of UI's horrible IPv6 support.

Says a lot about the unifi routing product if you have to find a way to make use of a routing device that sucks at it's job. Throw em away and just run pfsense and a cloud controller for unifi. Unvr if you need protect.

Thanks.

Thanks for the video. I would say either use pfSense OR the UDM Pro/SE on their own. It's fun to mess around in a lab setting, but in production, not so much. Ask me how I know 😉 Edit to say I've increased to your highest tier from the live stream the other day.

There's really no good way to use pfsense as an edge device with the UDM Pro. I think you'd need a Unifi Layer 3 switch instead of a UDM Pro to avoid the double NAT problem. That or put pfsense/opnsense on the "side" rather than on the edge/perimeter, but port mirror the UDM Pro and feed it to pfsense/opnsense and use Snort or Suricata for IDS/IPS

Why buy a udm, to not use as a router? Just buy a cloud key instead

Yes, but why ? You essentially put a device (UDM) that dials out for you outside of your network :/ And considering how their manufacturer approached a catastrophic security breach, begs to ask why you would use any of their "toys" (pretty graphs and facebook logging rather than ability to configure properly a nat-loopback to improve wifi-calling or decent wifi roaming constitute a toy, sorry).