Review: Ubiquiti UniFi Security Gateway

Sometime after I reviewed the Ubiquiti EdgeRouter Lite, Ubiquiti contacted me and offered me a few products to test and review. One of the products they sent me was the UniFi Security Gateway. At the time, I set the box aside as it didn’t have all the features of the EdgeRouter Lite. In January when my father was having trouble with his Internet, I put the USG into service. For that application, it was ideal as it integrated with the rest of the components and was simple to manage.

After the success of that install, I was kind of jealous and decided to purchase a USG and see what it would take to replace my EdgeRouter Lite; the UniFi team has done a lot of work on the controller (the GUI to manage the device) since I was originally sent the device. Replacing a router should not be rocket science. Unfortunately for me, my network is a little bit customized. Going from the EdgeRouter Lite, I had to move over the following:

  • Dynamic DNS (for my external IP address)
  • IPv6
  • VLANs
  • Firewall rules for the VLANs
  • OpenVPN server
  • Static DHCP entries
  • Static DNS host entries

Some of this is available in the controller, some of it isn’t.

The first step was to adopt the USG into my controller. I followed the instructions on how to integrate the USG into an existing network. Unfortunately, I was unable to adopt the USG (adoption is what lets the controller manage the device). I tried a few times with no success. Next I looked at an article that lets you point the USG at the controller (instead of having the controller discover it). I followed the SSH instructions and issued the commands:

    mca-cli
    set-inform http://ip-of-controller:8080/inform

This worked and I started getting somewhere. (After reading some more posts on Ubiquiti’s extremely helpful forum, it appears that an old firmware may have had issues adopting and that upgrading the firmware before adopting may have helped. Note that the inform URL is plain HTTP on port 8080; use it from your own LAN rather than exposing that port to the Internet.)

After the USG was adopted into the controller, I plugged in the WAN connection, rebooted the cable modem (so that it would pick up the new MAC address) and was able to connect to the Internet. If I had a simple network, I’d be done, but nothing is ever easy for me.

Next up was setting static DHCP entries. While the current controller doesn’t let you assign DHCP entries until after a device has been seen, all my devices were online and showed up in the controller (I have UniFi switches which makes the controller populate with all devices it sees) using the addresses I had assigned from the EdgeRouter Lite. It was a simple matter of selecting each device, clicking the “Use fixed IP address” checkbox and clicking Apply. (Note there is a bug in the UI where the checkbox doesn’t stay checked even after applying.)

[Screenshot, 2017-03-06 11:08 AM]

Perfect, so now that was out of the way (tedious, but reasonable), I could move on, or so I thought. The controller lets me assign static IP addresses for clients; switches and access points are not considered clients. I needed static IP addresses for the switches and access points so that I could use SNMP monitoring on them; the package I’m using, Observium, addresses devices by host name, and to use host names I first had to give the devices static IP addresses. This is where the messiness begins. Ubiquiti has an article on how to customize the USG and have the changes persist across reboots. (The EdgeRouter Lite just lets you configure it using the command line and the changes persist.)

You start the process by doing something like this (a static mapping needs both the address and the device’s MAC address; substitute the real MAC for the placeholder):

    configure
    set service dhcp-server shared-network-name LAN_10.0.1.0-24 subnet 10.0.1.0/24 static-mapping UniFi-LR ip-address 10.0.1.131
    set service dhcp-server shared-network-name LAN_10.0.1.0-24 subnet 10.0.1.0/24 static-mapping UniFi-LR mac-address xx:xx:xx:xx:xx:xx
    commit
    save
    exit

and then

    mca-ctrl -t dump-cfg

At this point, you have to pick through what was dumped and keep only what you entered manually, because the JSON file you create (config.gateway.json, which lives on the controller in the site’s data directory) is merged with the configuration the controller generates and should contain only the keys you are adding. Keep the file minimal and valid: a syntax error, or a setting that conflicts with what the controller provisions, can leave the USG stuck re-provisioning. None of this is necessary if you have a standard config and the controller has all the options you need.

I then repeated this process for IPv6, static DNS entries and my OpenVPN server configuration.

There is a GUI for configuring the firewall and I setup rules that prevent IoT devices from talking to my LAN, my cameras from talking to anything except 1 device, and a few other rules. This was straightforward, but a little different than on the EdgeRouter Lite.
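Rules like these are easy to get subtly wrong when the order changes, so here is an added example (not from the original post and not how the USG itself is implemented) that models first-match evaluation of a small ruleset and checks it against the flows the policy above is meant to allow or block: IoT blocked from the LAN, cameras allowed to reach one host and nothing else, and replies to LAN-initiated sessions still passing. The VLAN subnets, the NVR address and the Internet host are constructed for the example; the rule names are made up.

```python
"""Added example (not from the original post): check a first-match firewall
policy for the VLAN isolation described above before trusting it.

The rule list models how EdgeOS/USG rulesets are evaluated (top to bottom,
first match wins, then the default action). The addresses are constructed
for the example and are not the author's network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

ANY = "0.0.0.0/0"
LAN = "10.0.1.0/24"              # constructed
IOT = "10.0.20.0/24"             # constructed
CAMERAS = "10.0.30.0/24"         # constructed
NVR = "10.0.1.50/32"             # constructed: the one host cameras may reach
INTERNET_HOST = "203.0.113.10"   # TEST-NET-3 documentation address


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "accept" or "drop"
    src: str = ANY
    dst: str = ANY
    established: bool = False   # match only replies to sessions already allowed


# Order matters: the narrow camera allow must precede the broad camera drop,
# and the established/related accept must precede every drop.
RULES: List[Rule] = [
    Rule("allow-established", "accept", established=True),
    Rule("cameras-to-nvr", "accept", src=CAMERAS, dst=NVR),
    Rule("cameras-block-all", "drop", src=CAMERAS),
    Rule("iot-block-lan", "drop", src=IOT, dst=LAN),
]
DEFAULT_ACTION = "accept"

# The same rules with the two camera rules swapped, to show the ordering bug.
MISORDERED: List[Rule] = [RULES[0], RULES[2], RULES[1], RULES[3]]


def evaluate(rules, src, dst, established=False, default=DEFAULT_ACTION):
    """Return (rule name, action) for the first rule matching this flow."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.established and not established:
            continue
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule.name, rule.action
    return "default", default


# (description, src, dst, established, expected action)
EXPECTED: List[Tuple[str, str, str, bool, str]] = [
    ("camera to NVR", "10.0.30.5", "10.0.1.50", False, "accept"),
    ("camera to internet", "10.0.30.5", INTERNET_HOST, False, "drop"),
    ("camera to other LAN host", "10.0.30.5", "10.0.1.10", False, "drop"),
    ("IoT to LAN", "10.0.20.7", "10.0.1.10", False, "drop"),
    ("IoT reply to LAN-initiated session", "10.0.20.7", "10.0.1.10", True, "accept"),
    ("IoT to internet", "10.0.20.7", INTERNET_HOST, False, "accept"),
]


def check_policy(rules) -> List[str]:
    """Descriptions of the expected flows the ruleset gets wrong
    (an empty list means the policy holds)."""
    failures = []
    for desc, src, dst, est, want in EXPECTED:
        _, got = evaluate(rules, src, dst, est)
        if got != want:
            failures.append(desc)
    return failures


if __name__ == "__main__":
    print("good ruleset failures:", check_policy(RULES))
    print("misordered failures:", check_policy(MISORDERED))
```

The misordered list fails only the "camera to NVR" flow: the broad camera drop swallows it before the narrow allow is reached. The other thing worth keeping in the table of expected flows is the established case; if you drop IoT-to-LAN without an established/related accept ahead of it, LAN-initiated connections to IoT devices will send but never receive.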

[Screenshot, 2017-03-09 2:13 PM]

Now that I had the USG set up like my EdgeRouter Lite, what did I get? The hardware is virtually identical, so I didn’t gain performance. The main thing I gained was being able to look at my entire network in one place. In addition, I get the ability to remotely manage/monitor my network through the UniFi cloud. Did I mention the pretty picture with the circles?

[Screenshot, 2017-03-06 10:59 AM]

People are going to ask why go with a USG over an EdgeRouter Lite. Here’s my rundown:

USG

  • Easily integrates with other UniFi equipment.
  • Simplified configuration.
  • Remote access via UniFi mobile app.
  • Firewall configuration is slightly easier than on ERL, I think.

EdgeRouter Lite

  • UI has some more advanced configurations like being able to change any option using the configuration tree.
  • Firewall configuration in UI allows you to apply rules directly to VLANs.
  • Configuration via command line is a one step process; make change and save it vs USG which has multiple steps.
  • Core operating system is newer than USG.
  • Static DHCP reservations can be made prior to a device being on the network.

Conclusion

Pros

  • Easy setup for simple networks.
  • Full view of entire network in one spot.
  • Remote access to router from UniFi mobile app (using the UniFi cloud).
  • Easy configuration of firewall entries.

Cons

  • No IPv6 DPI (deep packet inspection).
  • DPI works across all interfaces and may not give you an accurate representation of WAN traffic (which is what interests me).
  • Not all configuration options are available via the GUI.
  • Initial setup into a non-trivial existing network is painful.
  • WAN speed test is only useful for up to 150 – 200 Mbps (according to a forum post; I have 300 Mbps down and can only get about 130 Mbps shown).
  • JSON configuration for command line options is a bit awkward, as you have to use the command line first, export the options and then pare down the result to put in the JSON config so that settings persist.

Summary

As I’ve written about in the past, the UniFi line of networking products is easy to use and everything works well together. The USG fits in well and despite my rough start with it, I’m pleased with it. While there wasn’t a huge leap from the EdgeRouter Lite to the USG, being able to see my entire network configuration in one place makes it easier for me to manage. In the future, I plan on adding more firewall rules and possibly more VLANs to separate out more IoT traffic (a day doesn’t go by where you don’t hear about some IoT device doing something shady).

If you already own an EdgeRouter Lite, moving to a USG is a tough decision. You gain no new functionality or performance, only an interface that works with other UniFi hardware. If you don’t already own an EdgeRouter Lite and plan on getting UniFi access points or switches, I think it is a no-brainer to get a USG. If you aren’t using other UniFi gear, a USG by itself won’t buy you a whole lot. With the USG, I’m able to define VLANs once and have them apply to the WiFi access points and the switch ports; with the EdgeRouter Lite, I had to define VLANs in both places for proper routing.

UniFi employees are quite active on their forums and have posted their roadmap. I really like some of the features and their openness is refreshing. The features won’t really change how I use the device, but will help reduce the number of command line changes I have to make.

12 Replies to “Review: Ubiquiti UniFi Security Gateway”

  1. Great review! I was curious to learn if Ubiquiti addressed any of your issues with later releases. I’m hoping to see a trend that they add functionality when users need additional functionality to make the experience better. Thanks!

    1. Ubiquiti is addressing some of the issues I indicated. They have beta versions of the firmware available all the time that have improvements, but I’m waiting for the full release before updating. One huge difference between the USG and other routers is that the updates are regular and not just security fixes, but features are added as well (note that some features are in the controller software and some are in the USG itself; most of the improvements I’d like to see are in the controller. The controller and USG firmware are typically released in different cycles.)

    1. Hi Borgie,

      While the USG doesn’t currently have a UI for IPv6, it can be configured via the config.json file. I have this setup and it works fine. It appears that a future UniFi Controller will have IPv6 exposed in the UI.

  2. Hi Scott,

    Just ordered my setup.
    One USG, one US-16-150, two UAP-AC-Lite (new with 802.3af support), one UAP-AC-Pro (because the extra Ethernet came one wall outlet short in the room), and one Cloud Key. Did test the UniFi Controller package on my Synology in Docker. Like to keep things separated.

    So thank you for sharing your experience with the UniFi components.

    Borgie.

    1. Hi Terence,

      Yes, I’m using Observium to monitor the USG (along with my USWs and UAPs). I don’t do any DPI monitoring (if I recall correctly, the USG only does DPI with IPv4 and a lot of outside traffic from my network is IPv6). I set up Observium a while ago and I think I just enabled SNMP on the UniFi Controller and then gave Observium the IP address to add it; nothing fancy and it just worked.

      Give that a try and see if it works. If it doesn’t, let me know and I’ll do a little digging to see if I did something special.

  3. Thanks for the review. I’ve had UniFi APs and an EdgeRouter X for a while, doing pretty basic routing for my home network. I’m not a network expert but because I worked for years at Cisco* I became aware of the need for better than consumer grade equipment. That’s become more obvious because of all the IoT devices (existing security cameras, new Nest Protect and Thermostat) in my house – and more to come. I decided it’s time to start using separate VLANs to keep the IoT devices away from my home network. I recently picked up a UniFi Switch 24 and it seems pretty simple to set up separate VLANs using the controller software – but there’s little information about how to use an EdgeRouter instead of a USG. Sounds like you’ve done that previously. Would you share?

    Thanks,
    Dave
    * I’m actually a UX Designer, or as my title once read “Apple Human Interface Designer” when I worked on AppleScript 1.0. Thanks for being an Apple Developer!

    1. Hi Dave,

      I’m not sure if you saw my post about blocking cameras from talking to the Internet, but it shows how to combine the EdgeRouter with the UniFi switch for a VLAN. That should give you a good start. The USG makes things a lot simpler, but you still have to configure firewall rules and the USG does it differently than the EdgeRouter. Be careful with the VLANs because some devices need to be on the same VLAN to work; for instance if you have Hue lights and an Amazon Echo, the Echo uses UPnP to discover the Hue lights and that doesn’t jump VLANs (not that you’d want it to). Also if you do AirPlay, you’ll want all your iOS (Apple iOS, not Cisco iOS) devices on the same VLAN. There are some ways to advertise AirPlay across VLANs, but it is a mess. I currently have the following VLANs:

      • IoT (Amazon Echo, automation, etc.)
      • Ooma (for my phone)
      • Music (for my Squeezeboxes)
      • LAN (main LAN which has all my iOS and macOS devices)
      • TV (for my HDHomeRuns); my TV is completely off the network
      • Guest

      It isn’t easy to configure and get it right, but persistence will get you through it. Good luck!

  4. Hi Scott –

    I was curious to see if you were still happy with the USG? I’m currently using pfSense, and am about to break out my home networks into separate VLANs and such for security as you did. In addition to pfSense, I’m also running a 3850 Cisco switch and (2) UniFi AC-Pro APs. It’s doable on my current setup, but it sure would be nice to have everything in one display as you showed above. Did you ever get your full Internet throughput back? I’ve got a 500 down / 50 up ISP connection and you not getting your max throughput caught my eye.
    Thanks!
    Bill

    1. Hi Bill,

      Yes, I’m still happy with the USG and get my full 300/20 bandwidth without problems. While I’d like a bit beefier unit to do IPS/IDS in the future, the USG satisfies all my needs at this time.
