PFsense & Unifi USG working together
-
Hello Zeric,
I was considering using my pfsense as a UTM only, placing it in front of the USG3. How far have you gone with your experiment? Can I simply make the pfSense the Suricata server only?
Thank you
Gary -
I'm still running the same configuration I described back in April which seems like what you want to do also. It's been quite stable.
I know I found some online examples on setting it up; that plus a little experimenting and I got it going without too much issue. For the USG, I created a JSON file to turn off NAT and put it in the correct place for the UniFi controller to upload it. It's possible (and easier) to leave NAT on so it's double-NATed, but you could potentially run into issues, but maybe not.
-
@gklimeck said in PFsense & Unifi USG working together:
Hello Zeric,
I was considering using my pfsense as a UTM only, placing it in front of the USG3. How far have you gone with your experiment? Can I simply make the pfSense the Suricata server only?
Thank you
Gary
If you have the pfSense on the WAN side of the USG, you could turn off NAT on the pfSense, and have no or few firewall rules on pfSense, running just Suricata there. From the pfSense's point of view, the USG is its only client on the LAN side.
-
@Zeric Thank you
-
@gertty Thank you
-
@gertty said in PFsense & Unifi USG working together:
pfSense currently handles my DHCP and local DNS. If I had UniFi gear doing that, I get easier configuration and changes in the UniFi controller UI
Meh, no you don't. Unifi's USG or the newer UDMs (even Pro) suck bad when used for DHCP and DNS. They aren't able to do the most basic DNS stuff that can be done with DNS forwarders or resolvers. Host Overrides? Domain Overrides? Setting up static hostnames for specific devices that don't go through DHCP (because they are servers or NAS etc. with static IPs)? It's ridiculous how dumbed down these devices are. Really sad to see. Even OpenVPN or IPsec setup on the UDMs I got to play with is so bad/dumbed down compared to pfSense that it's easier to take a Raspi and throw OVPN on it than to configure an OVPN tunnel in a UDM.
pfSense now has to have a VLAN config matching the UniFi gear, that could all move to the USG
True, but you don't create / handle new VLANs on a daily basis. Set up once, it's working fine.
Suricata and similar would run on the pfSense, I don't see how a USG can keep up.
If you throw that on pfSense, better pack everything there. Because the "click-and-it-works" stuff like packet inspection etc. in the controller all relies on the USG and their IDS. So if pfSense should even do that job, why pack things like DHCP and DNS or even VLANs there?
You can name and set up your network in the unifi controller just fine without a USG. The only thing that's missing is the bandwidth graph on the dashboard and the one-click packet inspection. Ah, the rule handling of the USG is a bit shaky and strange, too.
@gertty @gklimeck Considering the way Ubiquiti has dumbed down the UDM and even the UDM Pro and is going their own OS route (USGs can still be modified via JSON or on the OS level; with their own minimal OS there is no way anymore), I'd rather use pfSense as the only gateway in your setup rather than playing with two gateways for almost zero gain.
But to each their own :)
-
@gertty @gklimeck Considering the way Ubiquiti has dumbed down the UDM and even the UDM Pro and is going their own OS route (USGs can still be modified via JSON or on the OS level; with their own minimal OS there is no way anymore), I'd rather use pfSense as the only gateway in your setup rather than playing with two gateways for almost zero gain.
But to each their own :)
Heh. I came to the same conclusion.
In another thread (maybe on the Ubiquiti forums?) I walked through running the pfSense in front of the USG (NAT off on the USG) for maybe a month or two, then eventually moved everything back to just the single pfSense box as the gateway, DHCP, and DNS for the network. Agree with the configurability of pfSense vs the USG (or UDMs), it's just not there.
For getting "pretty graphs" I'm currently working on setting up netflow to export to a VM running somewhere else on the network.
-
@gertty said in PFsense & Unifi USG working together:
For getting "pretty graphs" I'm currently working on setting up netflow to export to a VM running somewhere else on the network.
Just a hint: use the Telegraf plugin to InfluxDB and show it in Grafana, or even use syslog and throw it over to Graylog and use that for logging and nice dashboards (or use it as a source for more Grafana magic) :)
-
Cool, thanks for the advice. My first attempt at this is an ELK stack because I'm familiar with it and I also had an Elasticsearch instance for an entirely different thing.
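As an added example (editor's code, not from any post in this thread), here is a decoder for the NetFlow export mentioned above, turning each flow into a dict that could be indexed into Elasticsearch or fed to Grafana, and summing bytes per destination, which is the series a bandwidth graph plots. It assumes the exporter on pfSense is configured for NetFlow v5 (the thread does not name the exporter package), and the datagram it parses is constructed inline rather than captured.

```python
import ipaddress
import struct
from collections import defaultdict
# NetFlow v5 wire format (network byte order): a 24-byte header followed by
# `count` fixed 48-byte flow records, field order per the Cisco v5 layout.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_netflow_v5(datagram):
    """Decode one exported UDP datagram into a list of flow dicts."""
    (version, count, _uptime, unix_secs, _nsecs, _seq,
     _eng_type, _eng_id, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram shorter than its record count claims")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "@timestamp": unix_secs,  # export time, usable as the ES doc timestamp
            "src_ip": str(ipaddress.IPv4Address(src)),
            "dst_ip": str(ipaddress.IPv4Address(dst)),
            "src_port": sport, "dst_port": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "tcp_flags": tcp_flags, "packets": pkts, "bytes": octets,
        })
    return flows

def bytes_per_destination(flows):
    """Sum bytes by (dst_ip, dst_port, proto): the series a bandwidth graph plots."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["dst_ip"], f["dst_port"], f["proto"])] += f["bytes"]
    return dict(totals)

def _record(src, dst, sport, dport, proto, pkts, octets):
    # Build one constructed v5 record for the sample datagram below.
    return V5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                          b"\0\0\0\0", 1, 2, pkts, octets, 1000, 2000, sport, dport,
                          0, 0x18, proto, 0, 0, 0, 24, 24, 0)
# Constructed sample (not a real capture): header with count=3, then three records.
SAMPLE = (V5_HEADER.pack(5, 3, 123456, 1600000000, 0, 42, 0, 0, 0)
          + _record("192.168.1.10", "203.0.113.5", 51000, 443, 6, 10, 5000)
          + _record("192.168.1.20", "203.0.113.5", 51001, 443, 6, 6, 3000)
          + _record("192.168.1.10", "198.51.100.53", 40000, 53, 17, 1, 200))
```

A collector would bind a UDP socket on the port the exporter sends to and pass each received datagram to parse_netflow_v5; the length check matters because a truncated or malformed datagram must not be trusted just because its header claims a record count.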
-
@JeGr I am strongly considering going back to my pfSense and removing the USG-3. It's been a few years running the USG, but like JeGr said, Ubiquiti is making things proprietary and I am sure anytime now we will see a subscription model soon.
-
@gertty said in PFsense & Unifi USG working together:
@gertty @gklimeck Considering the way Ubiquiti has dumbed down the UDM and even the UDM Pro and is going their own OS route (USGs can still be modified via JSON or on the OS level; with their own minimal OS there is no way anymore), I'd rather use pfSense as the only gateway in your setup rather than playing with two gateways for almost zero gain.
But to each their own :)
Heh. I came to the same conclusion.
In another thread (maybe on the Ubiquiti forums?) I walked through running the pfSense in front of the USG (NAT off on the USG) for maybe a month or two, then eventually moved everything back to just the single pfSense box as the gateway, DHCP, and DNS for the network. Agree with the configurability of pfSense vs the USG (or UDMs), it's just not there.
For getting "pretty graphs" I'm currently working on setting up netflow to export to a VM running somewhere else on the network.
I've also been considering getting rid of the USG in my current pfsense->USG3->US24 setup at some point. Rock-solid stability is important now, working from home, so I've just left it for the time being. Maybe I'll start migrating non-critical subnets/VLANs over to pfsense for testing so it won't affect "working from home". Will have to look into how to set up graphs on pfsense, sounds promising.
I really like the 'single pane of glass' concept with Unifi, but they just can't seem to get the features people want into the gateway router. I was really hoping the UDM Pro would have got there, but it just didn't, and in some ways it's worse than the USG. It's weird because people have been complaining about the same things for years with the Unifi routers.
-
@gklimeck said in PFsense & Unifi USG working together:
Ubiquiti is making things proprietary and I am sure anytime now we will see a subscription model soon.
That I don't see. Nope, there are too many things GPL etc. that can't just be made closed source.
But UDMs were a real bummer for me after checking them out. Sure, controller, switch, AP AND USG in one box sounds too good to be true anyway, but seeing a gateway/firewalling device dumbed down to such levels was really crude. My brother is running one and the first thing I did was let him shop for a Raspi 4, throw Pi-hole and OVPN on it and have DHCP/DNS running over the Raspi, as the Controller UI and USG are THAT bad for simple DNS/DHCP things that are "normal" coming from pfSense.