Moving from pfSense to Unifi Firewall? Here's what you need to know!

37,996 views

Lawrence Systems


1 day ago

lawrence.video...
In this video, I migrate from pfSense to Unifi Firewall, testing whether Unifi Network 9 is truly a game changer. I walk through my migration process, compare features, and share my thoughts on whether Unifi can replace pfSense in business and homelab environments.
pfsense vs UniFi 2025 video
• Which Firewall is RIGH...
Connect With Us
---------------------------------------------------
Hire Us for a project: lawrencesystem...
Tom's Twitter 🐦 / tomlawrencetech
Our Website www.lawrencesy...
Our Forums forums.lawrenc...
Instagram / lawrencesystems
Facebook / lawrencesystems
GitHub github.com/law...
Discord / discord
Lawrence Systems Shirts and Swag
---------------------------------------------------
►👕 lawrence.video...
AFFILIATES & REFERRAL LINKS
---------------------------------------------------
Amazon Affiliate Store
🛒 www.amazon.com...
UniFi Affiliate Link
🛒 lawrence.video...
All Of Our Affiliates help us out and can get you discounts!
🛒 lawrencesystem...
Gear we use on Kit
🛒 kit.co/lawrenc...
Use OfferCode LTSERVICES to get 10% off your order at
🛒 www.techsupply...?aff=2
Digital Ocean Offer Code
🛒 m.do.co/c/85de...
HostiFi UniFi Cloud Hosting Service
🛒 hostifi.net/?v...
Protect your privacy with a VPN from Private Internet Access
🛒 www.privateint...
Patreon
💰 / lawrencesystems
00:00 Introduction Migrate from pfSense to Unifi
01:34 The Unifi UDM Pro Max Hardware
03:54 Migrating Self-Hosted UniFi to the UniFi Dream Machine
05:18 Preparing for Migration with pfSense
06:30 Converting UniFi from Third Party Gateway
07:21 UniFi Zone Based Firewall Rules
10:32 DNS Host Entries
10:57 UniFi VPN
12:27 Privacy VPN Setup With UniFi
14:17 Application Filtering, Tracking, and Blocking
15:43 System Logging Netflow and SIEM export
17:20 State Table Tracking
19:18 Advanced Firewall Routing
20:16 Why Did I Switch?
22:07 Reverse Proxy?

Comments: 180
@ZombieLurker 23 hours ago
PERFECT timing! I just got a UDM Pro Max and a Unifi Pro HD 24 POE switch as my first Unifi devices besides U7 Pro Max and trying to migrate from OPNsense firewall rules to the Unifi Zone Firewall rules has been a complete headache. The OPNsense/Pfsense way of doing firewall rules was way easier to understand but maybe this video is exactly what I need.
@LAWRENCESYSTEMS 23 hours ago
I will soon have a dedicated UniFi Zone Based Firewall video.
@LtsPrty 9 hours ago
Sweet! I have exactly the same devices + UNAS Pro. @lawrencesystems awesome. Please, with 2 new zones for secure (VLANs for just management of the UniFi devices & one for personal hardware) & unsecure devices (IoT, cams, etc.). Firewall rules for the UNAS Pro would be amazing too. Most just show how the device works but never touch the FW rules. Thank you!
@marcelbastiaans8700 16 hours ago
Thanks Tom. I made the change from pfSense to UDM-SE about 12 months ago. I agree the new firewall layout is way more intuitive than the old way. Looking forward to more videos.
@PreybirdMKII 21 hours ago
Switched from pfSense to a UDM Pro well over a year ago now, and it's been good. Steep learning curve, and certainly there were firewall limitations at the time. But the updates in Network v9 have been awesome, and you're completely correct Tom that they are a bit fiddly to understand to begin with, but UniFi has made the firewall quite easy to use.
@bryce180 29 minutes ago
Love to see you doing the switch. I work for an SMB and have been delaying my decision to move away from pfSense for a while now. I really wanted to make the switch to UniFi as I have always enjoyed the products they put out but have been worried that I might be making a mistake. Will be continuing to follow your adventure into UniFi!
@LeifJensenDK 7 hours ago
Thank you for the explanation about Return Traffic
@ifneeded1 22 hours ago
I have 2 questions: 1) How will other firewall brands (SonicWall, Sophos, etc.) be able to compete when even the Proofpoint add-on is 1/10th their price? Are they just milking the end of a dying business? 2) As great as UniFi products are, do we really trust these guys enough to hinge our whole business on their software staying free and great? What if they get bought out?
@JamisonStaysAtHome 21 hours ago
1. Look up a Check Point machine. They're selling to a different grade of enterprise. Sophos and others are fine for some people who like/are used to them. 2. Same is true of any company you pick.
@Darkk6969 19 hours ago
@JamisonStaysAtHome One of the reasons why I use an open source firewall on my own hardware. If they no longer support it or something should happen I can easily switch to another open source firewall. Can't do that easily with proprietary hardware such as UniFi's.
@LAWRENCESYSTEMS 18 hours ago
1) I do feel those companies are overcharging. 2) With their current founder/CEO I don't see them selling soon, but that risk is always there. I MUCH prefer open source, but when there is not a good open source solution with all the features I want available, I have to make some hard choices.
@Darkk6969 17 hours ago
@LAWRENCESYSTEMS I think a lot of us are in the same boat when it comes to features.
@Chris-gt7ob 22 hours ago
Tom, could you make a video about your implementation of nginx and how you are using that in your UniFi environment? I could use some clarification on how to implement this in my home environment. As you stated, UniFi doesn't have a full featured solution for certificates. I really only do this kind of thing on the weekends as a hobby, so I would love to see a video talking about the whys and hows. - Chris
@LAWRENCESYSTEMS 18 hours ago
There is an NGINX Proxy Manager Video in the works.
@alpenmerlin 13 hours ago
@LAWRENCESYSTEMS That's perfect, thank you so much! I would also be interested in that topic. We recently moved into a new home and I set everything up from scratch with UniFi gear. The addition of the Proxy Manager would be the next logical step.
@jamess.2491 6 hours ago
Nginx Proxy Manager is really easy to set up (can spin it up in a Docker container) and the UI is very intuitive.
@tunglau1169 23 hours ago
What happened to the pfSense CE update?
@Faustetheus 19 hours ago
They intentionally don't update to extort their users and leave them vulnerable. Netgate are absolute slimeballs for 100 different reasons. Use OPNsense.
@LAWRENCESYSTEMS 18 hours ago
¯\_(ツ)_/¯
@bertblankenstein3738 14 hours ago
Yeah, people are going elsewhere...
@adriftatlas 9 hours ago
Netgate wants you to buy their overpriced hardware, which are off-the-shelf boxes one can buy direct from Silicom. They lured homelabbers onto pfSense Plus from CE and then pulled the rug out. Even if one does pay yearly for pfSense Plus it will deactivate itself if one adds or removes a NIC. Once it deactivates they'll graciously do a "one time favor" by letting one continue using their subscription. Management is generally hostile to its user base, especially on Reddit. It's a good product that's being ruined by poor business practices.
@AlexKidd4Fun 20 hours ago
Thanks for the update video Tom, very informative!
@ColeBlack2 22 hours ago
Man, I just swapped a Netgate 6100 for a UDM-Pro Max at my house/homelab. Have quite a few Netgates out there but Network 9 is very enticing. Already have UniFi switching and APs everywhere. Love the single panel for everything and easy central management. As for WireGuard site-to-site: I created a WireGuard server in UniFi and pfSense as a "client" works great. Basically the reverse of how you are doing OpenVPN in this video.
@graysonpeddie 22 hours ago
6:25 That's the reason why I want to keep my DHCP server separate. This would make migration a lot easier except for firewall rules. 7:40 I like how the zone table is made where we can see what goes in (source) and what goes out (destination). Nice touch.
@PowerUsr1 22 hours ago
Yeah, agreed with your points. I also prefer a separation in functions. I keep DHCP/DNS and reverse proxy all on separate systems, which makes migrations to any platform easy. Firewall rule translations will always be a pain but that's alright.
@GodAtum 22 hours ago
What DHCP server do you use?
@PowerUsr1 22 hours ago
@GodAtum I'm lucky enough to have Windows Server 2019.
@graysonpeddie 22 hours ago
Oh nice! Are you running an evaluation version? Because I cannot afford one at all in a home environment. I would love to have one for Active Directory if I don't want to re-arm every 180 days or so and reinstall every couple of years...
@graysonpeddie 22 hours ago
A standard isc-dhcp-server. I can easily migrate the DHCP server to a different machine if I want to make any network structural/infrastructural changes, as it's just a configuration file. I have it in my firewall appliance that's running Debian with nftables for my router.
@Zaim-S 22 hours ago
18:22 They're not blocking you from accessing SSH, but I hate the popup that your warranty will be void if you activate SSH on the console. This is ridiculous.
@TheDefusedHero 22 hours ago
They're trying to encourage you to use VPN instead of exposing SSH on your WAN IP. Granted, it's aggressive to void a warranty, but it is a good way to have people strongly consider alternatives.
@Zaim-S 21 hours ago
That's not true. When enabling SSH it's not exposed automatically to WAN, and if not enabled you can't access it from the local network either. And I'm using SSH just for debugging purposes, so if I just enable it on the new EFG at a customer site and a port stops physically working, or worse the mainboard fails, I can pay for a new EFG out of my pocket: €1,899.
@hugevibez 20 hours ago
@Zaim-S I agree, that is a no go for me. Not sure if that is even legal in Europe. A manufacturer has the burden of proof that it is the customer's fault when denying a warranty (this applies to B2B too since a few years). Even if that pop-up doesn't exist in Europe (because I'm from there), I would still be wary of companies that have vastly different warranty policies across regions, especially when showing hostility towards advanced users. You can deny my warranty if I break something using SSH, thank you very much; a pop-up telling me "Hey, if you use SSH you could void your warranty. Be careful!" would be a much better solution. I don't even know what they are scared of, users turning fan speed to 0 and overheating devices? If you break the config, a factory wipe would just fix whatever it was that you broke. Exposing SSH to WAN is dumb, but having access to it at all is basic functionality IMO.
@Zaim-S 20 hours ago
I totally agree on that. I'm from the EU too, AT. And I do get the popup while trying to activate SSH on any console. I don't think this depends on where you are located.
@rickyc5860 22 hours ago
I JUST DID THIS YESTERDAY!!!! Where was this video!!! LOL, the migration sucked for me!!!
@jdmcivicrrr 20 hours ago
Hey Tom, great video! If you end up doing a follow-up video with more advanced features, something else to consider: I know your personal take is to do ad blocking/DNS filtering at the client, but many people like using Pi-hole w/ Unbound as their local DNS server. Would be cool if you can set that up and see if it plays nicely with the advanced filtering, tracking and blocking built into UniFi.
@renehoehle 23 hours ago
Normally I have used Sophos firewalls but they have increased their prices 3 times a year. So I have a customer where I will use and test the UniFi Pro. (I have a lot of small customers where I use the UDM already.)
@munchiesthesockmonkey 23 hours ago
I have a small dedicated appliance that runs OPNsense for my desktop and NAS, then a passthrough to a UniFi Dream Machine SE with its own firewall and wireless, both working great. OPNsense is way easier to figure out than pfSense; I always had trouble with pfSense.
@loganedmonds7125 23 hours ago
We moved off Netgate firewalls to UniFi firewalls about six months ago.
@thebyzocker 5 hours ago
Awesome, ordered a UCG-Ultra a few days ago and I'm planning on switching from OPNsense!
@leonkernan 22 hours ago
Netgate will be losing their minds right now.
@nils-erikolsson3539 20 hours ago
Plus rolling up their sleeves to welcome the competition. Or not just welcome, but outdo the competition. Hopefully.
@Destroyer954 18 hours ago
Would be nice if they finally pushed the CE update.
@msolace580 11 hours ago
They are fine. UniFi hardware is lacking, controller-based stuff has extra points of failure/attack, old guys like to run stable tested stuff...
@peterpain6625 10 hours ago
@Destroyer954 I don't think they'll ever get their sh!t together. As good as pfSense is, their development, especially the transparency of it, is a joke.
@peterpain6625 10 hours ago
I just hope pfSense finally gets their act together in the near future. As good as pfSense is, their development team still hasn't heard about timelines, point releases or transparency even. Good on UniFi to be on the right way. Still need pfBlockerNG though. And decent certificate management. Maybe 10.0 is the charm ;) Thanks for sharing.
@mistakek 15 hours ago
Great video. Looking forward to more UniFi firewall videos as I think I'm going to switch for at least the foreseeable future also. I wish you had released this 3 days ago, so I didn't create all my firewall rules and routes etc. that will now get wiped when I import my current site from my self-hosted controller so I keep my switch and AP settings. 😂 Or I might just redo switch and AP settings, as there's less of that compared to firewall rules, routing etc.
@mcury85 5 hours ago
Really interesting video, thanks Tom. One thing that UniFi needs to work on is their documentation, although it seems extremely easy to get things the way you want.
@g04tn4d0 18 hours ago
Pretty neat! Might be a great option for someone that doesn't have stringent security or regulatory requirements.
@Christiaan- 21 hours ago
Did you try some IPv6 too? UniFi still lagged behind while pfSense handled combined IPv4/IPv6 rules beautifully. I didn't see anyone cover it yet for the new firewall update on the UniFi side.
@Sevenfeet0 3 hours ago
The fact that you even made this video shows how far UniFi has come. Still not perfect, but Network 9.0 is a big deal. I finally got my internal network right and it took less time.
@josephp1592 22 hours ago
UniFi is neat for simple setups; I installed a UDM at my work's office. At home, no way I'd give up things like running HAProxy, Tailscale, custom lists etc. directly on the firewall. At home I've found pfSense on an old i3-7100 build with a dual SFP+ NIC, MikroTik switches, and UniFi APs does me well.
@lmamakos 22 hours ago
Perfect timing for me, too! I have a cloud gateway box I want to migrate a self-hosted controller and pfSense implementation to. I was desperately hoping that you might have found an easy way to import a whole bunch of DHCP reservations in one easy import... but NO! This is the major impediment to my starting the migration and it's disappointing this still isn't possible after all this time. There are hints that an API exists to do this, so maybe time to give that a try and hack up a quick and dirty Python script or something. Thanks for the video, perfectly timed for me!
@SimonEgger 6 hours ago
13:54 We use about 20 WG S2S setups between UniFi gateways and OPNsense gateways. It's definitely possible but there are a few annoyances:
1. Every IP that communicates via the tunnel needs to be allowed via FW rule (tunnel, local, and site network).
2. Static route on the UniFi GW for the site network to the next-hop WG tunnel IP of the other site.
3. All traffic from a WG client has the source IP of the tunnel interface, so you need FW rules and routes to consider this fact.
Other than that it works very stably and a lot faster than our IPsec tunnels. One other nice fact is that you don't need a continuous connection between the two sites, so if a customer has a very bad internet connection the experience is a lot better with WG tunnels.
@LAWRENCESYSTEMS 5 hours ago
Interesting, and sounds like more work than it should be. I might do some testing or wait until their updated WG gets out of beta.
@SimonEgger 2 hours ago
Yes, that would be great, but I haven't heard anything about a complete S2S WireGuard implementation. This feature has been requested for a long time without any timeline from Ubiquiti. Interestingly, their mobile routers have a native S2S WireGuard implementation.
@danielanderson9052 22 hours ago
Looking forward to a video about creating and setting up security zones from scratch, not from a past backup.
@Darkk6969 18 hours ago
I may eventually move from pfSense to UniFi Firewall. Won't happen anytime soon as I'm still happy with pfSense. I just like the GUI that UniFi provides. Just not too crazy about getting locked in with some hardware that I can't do anything with after it's EOL. It's one of the reasons why I use an open source firewall on my own hardware.
@BoarderX 23 hours ago
Just moved to UniFi from pfSense CE due to the lapse in updates from Netgate.
@PowerUsr1 22 hours ago
Really great video here, and I like the options specifically around logging. I use Graylog to ingest not just syslog but IPFIX flows as well. Additionally, as stated, the ability to track down connections (blocks or permits) from the firewall rules is important for compliance or just basic troubleshooting, so that area for me needs improvement.
Lastly, I will say that UniFi has a cohesive experience, which for me is the biggest draw. pfSense, specifically its support for 3rd party packages, is jumbled and not clear and, most important, it's not supported. FRR on pfSense is broken. Dynamic routing with more than one peer does not work (Redmine 14630). There is an IPsec bug where any modifications to the configuration result in all tunnels dropping traffic (Redmine 14483). There are more examples, but the point I'm trying to illustrate is that there is seemingly more support and a willingness to fix broken things on the UniFi side than the pfSense side. It's a much more polished experience from UniFi and I'm looking forward to the improvements. All that to say, for now, I'm still on pfSense.
@DavidWhatfor 4 hours ago
As someone who has worked with interface rule based firewalls (i.e. Cisco ASA, pfSense, Smoothwall) but also worked with Palo Alto for 9+ years, the zone method is such a better way. All rules, one place, multiple subnets in one zone etc. Block by default is a better method to work by. Palo Alto has this too on interzone rules (traffic in and out of zones), blocked by default. On Palo Alto you can also configure interzone rules (different subnets on the same zone), allowed by default; I assume you can do this too on Network v9?? I'm really debating whether to go UniFi or pfSense now as I only have Protect and all my switches are Aruba 2530s with Aruba APs and a few MikroTiks. I did have UniFi Wi-Fi and switching some years back but no desire to go back yet.
@OGDazwhite 14 hours ago
I just did this migration in the new year. Migrated my pfSense to the UniFi Express. Overall I'm pretty happy with it. The UX is pretty underpowered though and I plan to upgrade to the UCG Max asap.
@andrewwestfall234 22 hours ago
17:31 I have had a case open with them since shortly after 9.0.8 came out asking for a state tracking table. Coming from pfSense as well, I can't believe this feature was overlooked. It makes it much harder to troubleshoot when you need to run packet captures to see the traffic. This feature can't come soon enough.
@revealingfacts4all 20 hours ago
Do you use the UDM Pro as your VLAN router or did you use the L3 capabilities of the UniFi switch? In the video it shows "LTS Studio" for router... what device is LTS Studio? Curious about your VLAN-to-VLAN setup.
@LAWRENCESYSTEMS 19 hours ago
LTS Studio is the UDM Pro Max.
@revealingfacts4all 3 hours ago
@LAWRENCESYSTEMS OK, thanks. Curious if you considered using the switch as your VLAN router and, if so, why you chose not to?
@M.J.C.W. 21 hours ago
Is there a recurring cost with the Dream Machine Pro?
@LAWRENCESYSTEMS 21 hours ago
No
@peterforslund3350 22 hours ago
If I am going to use UniFi, what do I do with my Hikvision cameras? UniFi uses the same port as Hikvision. I have tried a bit but they don't work together. Can I easily change ports, and if so, which, Hik or UniFi, for best results? I have about 40 Hikvision cameras.
@jason7i2 18 hours ago
21:47 The eMMC on my ST-4100 was nearing EOL so I picked up a UCG Max while I see about swapping in an M.2. Seems to be doing everything I need well enough. I was able to export my HAProxy config file and drop it into an LXC container with HAProxy. All is well. Did take a while for my pf brain to adjust.
@stoffe3594 9 hours ago
One thing I'm really missing is in the Geo section: I can block traffic to a country, but I cannot just view and filter all that traffic directly from the Geo tab, to be able to directly find what traffic is talking to a specific country. Let's hope that comes, just an easy way to see and filter that country traffic.
@nathanddrews 23 hours ago
My current pfSense install uses several pfBlockerNG lists. Can I use those SAME block lists and load in my own list of entries? Everything is kinda set up the way I want it from a block vs. whitelist perspective.
@LAWRENCESYSTEMS 23 hours ago
Nope, they don't have custom lists.
@moelassus 22 hours ago
You can always add a Pi-Hole to your network.
@nathanddrews 22 hours ago
@LAWRENCESYSTEMS D'oh! That's one of my favorite parts about my current setup. Yes, I could run a Pi-hole instead, but I'm not convinced it will afford me the same flexibility, but that's only based upon comments I read online related to HA and VLANs.
@akosovari8794 12 hours ago
Virtual WANs would be cool, so you could set a VPN interface as a LAN interface. So you can port forward to it.
@Kulocka 4 hours ago
Hi Tom, great video! Would you recommend replacing clients' routers with a UniFi firewall? I work at an MSP and am looking into other options for our clients.
@LAWRENCESYSTEMS 4 hours ago
I would say they are fine for an MSP.
@midknightplays 22 hours ago
13:20 I need to comment to say that at this moment the Fallback option does not work properly. On my machine (UCG Max) the Fallback option does NOT block traffic when the VPN connection is lost. To prevent it there are a few firewall rules you can use in the Internet Out section, or (what I did) set up 2 custom NAT rules (one allowing NAT from the VLAN to the VPN, one blocking the VLAN from the primary gateway), similar to how I had it in pfSense.
@Glatze603 2 hours ago
I prefer Sophos XG. I think it's way more intuitive and more feature rich than the UniFi firewall. I think UniFi took many features and options from Sophos (zone settings, application policies, e.g.).
@martijnsanders8527 10 hours ago
Did you already do a video on UniFi Teleport? The problem I have with that is that all Teleport devices come in their own IP range and there seems to be NO possibility to define any firewall rules for those. Basically rendering Teleport totally unusable for me. (I am using two internal networks: one for all Wi-Fi devices (i.e. phones and laptops) and my homelab. Access to the homelab should be limited to listed devices only, but teleported devices just have access :( )
@LAWRENCESYSTEMS 9 hours ago
Teleport is probably fine for basic use, but the other VPN options are better for people with more advanced use cases.
@Traumatree 16 hours ago
I too switched my setup for a UDM Pro Max last December and I am not very pleased with what I thought 9.x would be. I miss my Fortinet setup, which was much more mature (even with their flaws, updates do the trick). 1st: The fact the UDM is still using iptables limits (or complicates) how easy the firewall rules are to work with. We're in 2025 now, and I wish UniFi could stop doing firewalling like we did pre-2010. Having to set up return traffic and explicitly having to block inter-VLAN traffic is just dumb when it should be by default; reminds me of an L3 switch that does routing where you need to add ACLs to block inter-VLAN traffic. 2nd: doing simple inter-VLAN NAT is a nightmare and doesn't really work, a thing that is easy with real NGFWs (or 4th gen firewalls; the UDM is more of a 2.5ish gen firewall IMO). 3rd: UDP streaming (even on wire) gets some hiccups from time to time. Never had that before with the same ISP and bandwidth under pfSense and FortiGate that were using the same UniFi switches and APs. All in all, it is a nice "toy", but I do not feel I have full control over what is going on and I hate that. Great video Tom!
@108u9 13 hours ago
Hi, beginner question here. Does any of this setup matter whether the devices trying to connect to the web through the setup are iOS, Mac, Windows etc.? Is this all fully agnostic? Or are there some specific quirks? Thank you!
@LAWRENCESYSTEMS 8 hours ago
It does not matter if it is Mac, Windows, or Linux.
@rchrstphr-smp1043 22 hours ago
Cam, Wi-Fi and router together is better for management. I hope this system keeps going steady and doesn't end up like the "EdgeRouter system".
@RobinMoran 15 hours ago
Can we now set the priority of queues? Or is it still Smart Queues only?
@LAWRENCESYSTEMS 8 hours ago
help.ui.com/hc/en-us/articles/12648661321367-UniFi-Gateway-Smart-Queues
@allandresner 8 hours ago
Waiting for that WireGuard site-to-site before I make the leap.
@JonathanSwiftUK 19 hours ago
I'd like to see the packet capture. Also, on my pfSense I have several VoIP phones and had to enable the STUN option, and I'd like to know how this works in UniFi. My Cloud Max arrives tomorrow; I have a couple of UniFi switches already, and I'm replacing my lovely Zyxel APs with a couple of U6 or U7 APs. I think you have to be all-in to see all the stats and manage it all from one place.
@awstott 21 hours ago
I have a Netgate 6100 right now. I got it after I got rid of my first UDMP quite a while ago; however, with the changes it looks enticing to maybe explore again. With everyone jumping off the BSD bandwagon, how long before pfSense is abandoned?
@reejah 20 hours ago
I have a restaurant that needs a new firewall and switch. They will have Wi-Fi for internal and guests. I am familiar with Meraki, Netgate, Cisco, Extreme, UniFi (but nothing fairly new with UniFi). Any suggestions of what to install?
@LAWRENCESYSTEMS 18 hours ago
The Dream Machine line is good; they have smaller ones for smaller locations.
@msolace580 11 hours ago
Why do they need a new firewall and switch? Does UniFi solve a need? I always prefer a good firewall on the router, and then a machine running the DNS/DHCP, and connect that to a good quality switch.
@braptube6667 23 hours ago
Is routing achieved through L3 ACLs if you use their switches, or is all traffic routed through the UDMP?
@mpstein1976 23 hours ago
Looking to move from the ER-X. Looking for the same thing but with 2.5G ports. Hoping UniFi has something soon.
@TheRDB46 9 hours ago
UniFi needs to seriously just have a section to show firewall logs, allow, deny, all that stuff, with domain name resolution to help with managing the firewall in a corporate setting.
@avvidme 4 hours ago
Considering using OPNsense for transparent filtering, IPS/IDS etc., and keeping UniFi for internal routing, VLANs, FW rules. Primarily to offload IPS/IDS from UniFi. Would this make sense?
@LAWRENCESYSTEMS 2 hours ago
Only if you are going to do full traffic inspection by installing SSL certs, which is a pain to manage, so I wouldn't do it, but it could be fun if you want to learn how that works.
@avvidme 2 hours ago
@LAWRENCESYSTEMS Thanks. I guess I was thinking more of offloading IPS from UniFi as I'm seeing my UDM Pro hit fairly high on the CPU, and that's without enabling all the IPS features.
@syl764 22 hours ago
My only complaint about DNS is that they still haven't got CNAMEs sorted yet. It's been an age!
@LAWRENCESYSTEMS 22 hours ago
Why do you need CNAMEs internally?
@syl764 21 hours ago
@LAWRENCESYSTEMS So when I change the IP address of my Nginx Proxy Manager host, I don't have to individually change all the internal services I have pointed at it as well.
@dominiquerichardson 22 hours ago
Is there a way to block all non-US traffic to your NAS but still allow updates whenever your trusted NAS needs them?
@EinGamer22 23 hours ago
I wish they would offer an option to use the Hurricane Electric IPv6 tunnel.
@juhthreef 9 hours ago
Man, I would love to be able to just run UniFi, but my problem is this. I have a WireGuard tunnel between me and a datacenter, where I have 5 static IPs. I have VMs at home that I send over the tunnel (like Plex, some game servers, etc.) and port forward on the far end, thus giving them the external IP in the DC even though they're hosted at home. I am assuming I am not going to be able to replicate this even using this, but I may try it out.
@seansingh4421 21 hours ago
Do Firewalla next. I have heard good things about it. I know it's great for home, but is it good for businesses?
@LAWRENCESYSTEMS 18 hours ago
kzbin.info/www/bejne/qnrJdISEj56qoJosi=7h6m1wK1keDRfLVK
@magnus33john 21 hours ago
Have noticed there is a bug with the SFP ports on the UDM models now. If for some reason there is a restart needed or a power loss, they can lose function. For some reason they get stuck and won't renew the IPs unless you physically unplug the power from the back and let it sit for a few minutes to discharge the capacitor. Once you do this they function normally again.
@TantissTheEmperor 11 hours ago
My genuine question is the following: firewalls and their features have existed for ages. Why is UniFi implementing basic stuff in their products bit by bit and branding it like it's incredible? It's like their L3 support in their switches: it has existed for decades in the enterprise world and they add stuff little by little on hardware supposed to support those features (enterprise means enterprise, right?).
@corneliusmixon 23 hours ago
I'm having issues importing UniFi logs into Wazuh. Do you have a video guide covering this?
@LAWRENCESYSTEMS 18 hours ago
Never tried that; post in the forums.
@adriftatlas 9 hours ago
Do they still require you to keep the native VLAN at 1? I prefer pfSense still, even if Netgate is evil; the packages are what keep me. The configuration UI is also well organized as opposed to a deep maze.
@LAWRENCESYSTEMS 9 hours ago
You can set a management VLAN
@bigchew3149 19 hours ago
Dang, what are the odds... I just switched from pfSense to a UniFi USG Pro 4 like 24-36 hours ago, lol. Wish I could get a UDM Pro SE, but that's just not possible... I can only live on ramen noodles for so long! I really want/need to know how to add ad blocking and a separate IoT network! I would love to see a follow-up!
@sliphere011 23 hours ago
Blocked by default is a zero-trust idea. Honestly the best default. Only allow what I explicitly allow between nets.
@imraz0r 8 hours ago
In Germany there are a lot of ISPs with VLANs on WAN (e.g. one VLAN for Internet, one for VoIP). As far as I know, the UniFi firewall can't handle multiple VLANs on WAN. Am I right?
@LAWRENCESYSTEMS 8 hours ago
UniFi WAN VLAN is supported.
@imraz0r 5 hours ago
@LAWRENCESYSTEMS Then multiple VLANs on WAN must be new. Several threads and posts in the UI support forum are about this topic. Obviously UI can/could only have one VLAN on WAN.
@LAWRENCESYSTEMS 5 hours ago
@imraz0r I am not sure how many are supported, since this is not a common requirement I find here in the USA. Of course the workaround is putting a managed switch in front of the WAN to split the VLANs, but obviously it would be better to have it built into the UniFi firewall.
@imraz0r 5 hours ago
@LAWRENCESYSTEMS Putting a managed switch in front of the WAN can be a solution, right. But in this case, I prefer to stick with my OPNsense, which can handle multi-VLAN on WAN. ;-) Nevertheless, thank you for your answer and your great videos!
@Daniele-i7h 38 minutes ago
Maybe I missed something earlier, but the fact that Lawrence is leaving pfSense is a big blow to the pfSense community. What happened? Is there something particularly bad we should know about pfSense?
@leewallis5067 7 hours ago
The only thing now holding me back from moving to a UDM Pro from pfSense at one customer is their IPsec VPN tunnel to a business partner's SonicWall. Trying to get the UDM Pro to manage an IKEv2 connection just doesn't work. I know it's labelled differently in the UDM Pro, but I've tested everything exhaustively and no dice. I don't have direct access to the SonicWall, so I have to rely on a less than helpful third-party IT provider. Essentially, I have to transpose manually from the pfSense box to the UDM Pro. All my tests fail, and it needs to be IKEv2. If this is resolved in v9 of the network application, I would be very happy.
@seanwilkinson2291 18 hours ago
The WireGuard client on UniFi uses PBRs for routing instead of adding "allowed IPs". Careful though, as the WireGuard interface is put into the external FW zone instead of the site-to-site FW zone. The UniFi GUI also forces you to add a DNS server to the WireGuard config; this results in all your DNS traffic being forced across the tunnel. If the tunnel goes down, DNS stops working for all LAN clients. It will be nice when UniFi adds WireGuard under site-to-site, as it should resolve these issues. The UniFi GUI looks nice but lacks core functionality, as it always has and likely always will; this is why I'll never use a UniFi firewall regardless of how shiny it is.
@PsyMan2022 9 hours ago
I finally have a pfSense WireGuard tunnel and UniFi WireGuard VPN client as an added peer working OK after I set it up manually using the optional preshared key (not sure if I needed to use the optional key, but I did and I am not breaking it again to find out 🙂). Couldn't seem to get the file-based config to work though, at least not when exporting from pfSense and trying to import in the UniFi controller. Manually setting up works just fine though; I treated it much the same as setting up a normal desktop client.
@onedsc1 19 hours ago
Yeah, have an 8200 Netgate, not planning on changing anytime soon.
@alexmoore4926 22 hours ago
I recently did a site-to-site WireGuard, and was able to hit the opposing network resources by connecting as a client (WireGuard server on the opposing end on a Pi) and used "policy-based routes" under routing to send specific traffic, to the destination IP range of the opposing network, via the VPN tunnel. Only downside is when I go into a device on that network it can't get back (I'm going to have them connect as a client to me at some point, and basically just run two tunnels, but I haven't yet).
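The far-end configuration that the two WireGuard comments above describe (home VMs reached through a site-to-site tunnel with a port forward on the datacenter side, and the "can't get back" return-path problem), as an added shell example that is not any commenter's configuration and not UniFi or pfSense code: the datacenter host is assumed to be a Linux box with WireGuard and nftables, and every address, interface name, key and port is a constructed placeholder.

```shell
#!/bin/sh
# Added example with constructed values (documentation address ranges):
#   datacenter static IP 203.0.113.10 on eth0, tunnel network 10.99.0.0/24,
#   home VM subnet 192.168.50.0/24 with a Plex VM at 192.168.50.20 (TCP 32400).
DC_PUBLIC_IP="203.0.113.10"
DC_WAN_IF="eth0"
DC_TUN_IP="10.99.0.1"
HOME_TUN_IP="10.99.0.2"
HOME_VM_NET="192.168.50.0/24"
PLEX_VM="192.168.50.20"
PLEX_PORT="32400"

# Datacenter-side wg0.conf. AllowedIPs must list the home VM subnet as well as
# the peer's tunnel address: WireGuard's cryptokey routing silently drops
# packets whose source is not covered by the peer's AllowedIPs.
dc_wg_conf() {
  cat <<EOF
[Interface]
Address = ${DC_TUN_IP}/24
ListenPort = 51820
PrivateKey = <DC_PRIVATE_KEY_PLACEHOLDER>

[Peer]
# home firewall (placeholder key)
PublicKey = <HOME_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = ${HOME_TUN_IP}/32, ${HOME_VM_NET}
PersistentKeepalive = 25
EOF
}

# nftables ruleset for the datacenter host (needs net.ipv4.ip_forward=1):
#  - DNAT the static IP's Plex port to the home VM, reached via wg0;
#  - forward chain is default-drop and only admits that one service;
#  - SNAT forwarded traffic to the tunnel address, so the VM's replies return
#    over the tunnel even if its default route points at the home WAN. This is
#    the same trick that lets a remote LAN "get back" without a route to yours.
dc_nft_rules() {
  cat <<EOF
table ip dcfwd {
  chain prerouting {
    type nat hook prerouting priority dstnat;
    iifname "${DC_WAN_IF}" ip daddr ${DC_PUBLIC_IP} tcp dport ${PLEX_PORT} dnat to ${PLEX_VM}
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "${DC_WAN_IF}" oifname "wg0" ip daddr ${PLEX_VM} tcp dport ${PLEX_PORT} accept
  }
  chain postrouting {
    type nat hook postrouting priority srcnat;
    oifname "wg0" ip daddr ${HOME_VM_NET} snat to ${DC_TUN_IP}
  }
}
EOF
}
```

Load with `dc_nft_rules | nft -f -` as root after bringing wg0 up; the SNAT means the VM sees the tunnel address rather than the real client IP, which matters if the service logs or rate-limits by source.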
@EduardoReyesDPM 20 hours ago
The migration from BSD is nearly complete... first TrueNAS to SCALE, now the firewall... need pfSense to pull a TrueNAS convert.
@BertramJoseph 2 hours ago
I'll wait for WG site-to-site
@GodAtum 22 hours ago
What about content filtering? Can I block porn on one device but not on another?
@LAWRENCESYSTEMS 22 hours ago
Yes, and I covered that
@VinothVKR 14 hours ago
Migrated from pfSense+ to OPNsense.
@JasonsLabVideos 19 hours ago
So this means you are leaving pfSense to go with UniFi now?
@LAWRENCESYSTEMS 19 hours ago
Watch the ending of the video
@JasonsLabVideos 18 hours ago
@LAWRENCESYSTEMS Thanks, sir!
@rays4408 23 hours ago
I went from a Meraki firewall to a UDM Pro, and went back to Meraki. The throughput was horrible; I got tech support involved, they agreed something was wrong with the unit but never offered to swap it. In less than 6 months it was given to recycling. What a waste of money.
@HijmenSchilperoort 10 hours ago
I am switching my current pfSense Plus firewall to a new device, just to remember there is no free (or in my opinion affordable) Plus for home anymore. Well, apart from the boot environments, CE should also be fine... except that it has not received an update over a very long time, has a bug with IGMP proxy in the 2.7.2 version and also no beta access for 2.8. This will probably be the end of my time with CE 😢 Looking for alternatives and now playing with, of course, OPNsense, but also Sophos XG, which is also free for home use. Sophos is also using zones and I am still trying to get my head around that concept.
@Dogzdangliz 20 hours ago
Needs HAProxy and I'm onboard.
@msolace580 11 hours ago
UniFi hardware needs an upgrade; for the price all this stuff should be 2.5G/10G+ SFP and should start seeing 25G. Alta Labs Route10, as soon as they work all the little issues out, has way better hardware for 200 bucks, and they don't add 70 for an AC adapter that you can buy for ~10... Software seems solid though. Just call me old fashioned, I don't need all the graphics though.
@SilentServiceCode 22 hours ago
NOOOOOOOOOOOOOOOOOOOOO
@am3777 22 hours ago
No OpenVPN client export or LDAP sync. That's what's stopping me switching.
@LAWRENCESYSTEMS 18 hours ago
It has OpenVPN config file export, AD, Entra, JumpBox, and LDAP support.
@alfabètagamma-k7p 23 hours ago
When I saw this title, my first thought was: "What about the performance??" pfSense+ is much faster with all security added, and has much higher throughput when running on a bare metal server (like ProLiant MicroServer or ProLiant DL20).
@LAWRENCESYSTEMS 18 hours ago
The UniFi performs quite well.
@sharkfinn6469 9 hours ago
UniFi is great for home lab. Not good for enterprise management and support. I bought a UXG-Pro and struggled for 3 days only to find out that changing the default subnet causes issues on this specific device.
@LAWRENCESYSTEMS 8 hours ago
It's fine for enterprise if you know how to use it.
@atlasdm 19 hours ago
Until they get FIPS 140-2 certified they're still a non-contender as far as I'm concerned.
@Goku-w1n5p 23 hours ago
UniFi has terrible support. They let me down twice. Once was an obviously defective unit. Never again.
@JamisonStaysAtHome 21 hours ago
Never had an issue myself and spent over 5 years working with them. Good luck finding an option for you!
@dyerseve3001 18 hours ago
The hardware is crazy reliable; I don't think we've sold any other hardware that just keeps chugging along. Maybe those old HP LaserJets were more reliable. And at the price, the warranty doesn't even matter: for the price of a Meraki, I can just buy two Ubiquiti. Support is basically DIY, which is a downside if you can't diagnose and troubleshoot it yourself. We've probably sold 400 units and I can think of maybe two or three that have failed. Also gone into many locations and replaced old UniFi that was still working just fine, just in need of a refresh.
@williamp6800 17 hours ago
"UniFi has terrible support." I always wonder what the purpose of such a non-specific complaint is. Is everyone just supposed to say "Well okay, he said they have terrible support. Guess I better buy 'X' instead."? What were you expecting? How did they let you down? What hardware problem did you have? 🤷🏻‍♂️
@JamisonStaysAtHome 16 hours ago
I would agree, except HP exists. They truly do have terrible support.
@scruggs.jonathan 14 hours ago
I can't say I disagree. I've dealt with them a few times and it takes forever for them to get back to you.
@GpconnectInfohotspot 21 hours ago
Cannot stand the fact that I cannot set up a VPN client without connecting to the UniFi application first :)
@LAWRENCESYSTEMS 20 hours ago
Huh?
@GpconnectInfohotspot 20 hours ago
@LAWRENCESYSTEMS I mean you need the UniFi app to configure VPN, right? Cannot do it without adopting first, right?
@LAWRENCESYSTEMS 18 hours ago
Only their Teleport VPN needs that; as I showed in the video, you can use OpenVPN and/or WireGuard with no special app.
@linearburn8838 18 hours ago
My condolences.
@LAWRENCESYSTEMS 17 hours ago
😜😂
@timramich 21 hours ago
Funny, I moved from UI to OPNsense and Omada. I was sick of the constant 2FA bullshit to locally manage stuff. The constant security warnings about no certificate. I don't manage my Omada stuff remotely, so I turned off HTTPS. I still have a UniFi NVR, and that's a pain in the ass every few days. I don't know WHY I can't, in ANY browser, add some sort of exception to not bug me.
@haroldpepete 19 hours ago
This video is brought to you by Ubiquiti 😂
@RK-ly5qj 1 hour ago
Cisco Firepower has less quality of life than this toy xD
@Faustetheus 19 hours ago
pfSense is run by shady slimeballs. UniFi is OK but overpriced. OPNsense is the gold standard for homelabs.
@T1DoDo 21 hours ago
Yuck... good video, though.
@mrissiotti 17 hours ago
It's frustrating seeing so many influencers pushing UniFi products just because they're getting paid to do so. Sure, they make it sound great, but the reality is that UniFi can be a nightmare for many users. The setup isn't as smooth as they make it seem, and the software can be buggy, especially for home users who don't have the technical know-how. A lot of these influencers don't mention the hidden costs or the headaches that come with the system. It feels more like they're selling convenience for a paycheck than genuinely recommending the best option for their audience.
@LAWRENCESYSTEMS 16 hours ago
Well, I am not paid by UniFi but they are a very popular product that works quite well.
@mikescott4008 20 hours ago
I'm about to remove pfSense CE from my parents' and drop in a UniFi Cloud Gateway Ultra. 900/900 connection, IPv4 CGNAT and IPv6. There is currently an IPsec VPN to my home for Synology sync.