Unifi Security Gateway - I just want the throughput info
-
I apologize if this has already been discussed; a quick search did not come up with any definite answers. Is it possible to plug a Unifi Security Gateway between my modem and the pfsense box, or between the pfsense and switch, to see the throughput information provided by the USG?
-
Not without suffering from double NAT.
It's been asked for: https://community.ubnt.com/t5/UniFi-Routing-Switching-Feature/USG-passthrough-monitor-mode/idi-p/1537588
-
Cool, thanks for the link. Hopefully they will get the feature added in the near future.
-
If one just wants to see the throughput which is passing via pfSense, why not capture that at the switch port via a simple SNMP tool like Cacti? No need for a box-in-the-middle kind of a setup just to measure the throughput?
-
If you want throughput info, what is wrong with the monitoring right on pfsense? That is what the monitoring traffic graph would show you for whatever interface you want.
Is there some other aspect of the info you're looking for like the DPI stuff that unifi can do?
-
"Is there some other aspect of the info you're looking for like the DPI stuff that unifi can do?"
Yup, mainly just lighting up the rest of the Unifi dashboard and the more detailed stats from DPI (although they have their shortcomings too).
You can finally disable NAT. They indicate they are working on firmware to support DPI with bridging - it's mentioned in a post from UBNT-Brandon near the bottom of page 31 of the comments: https://community.ubnt.com/t5/UniFi-Routing-Switching-Feature/USG-passthrough-monitor-mode/idi-p/1537588/page/31#comments
I haven't had time to test it myself, but plan to over this long holiday weekend. After two years of stagnating, the USG is finally maturing into something useful with the latest beta controllers. Once they add Open VPN to the GUI most of the things keeping me on pfSense will have been addressed.
-
Quite an interesting thread as I am a UBNT user myself and my original plan was to get one of their routers. Still UBNT had two different blends: USG which is less configurable by advanced users and EdgeOS based one which is more powerful but not yet integrated with their UniFi Controller.
After watching them for about 2 years, it seems that there is a LOT of confusion at UBNT and their software development is very slow and confusing at least. OpenVPN performance is very poor on all of their hardware. They are working now on UNMS which is supposed to integrate also with EdgeOS range of products but …. they fail to deliver working software... not to mention this interesting issue I found yesterday https://github.com/Ubiquiti-App/UNMS/issues/86
I almost decided that I am not going to wait for UBNT to do the right thing. I also considered Synology router as I already have a Synology DSM but it seems that it suffers from OpenVPN low performance and that is not a priority for them.
So, as time passed pfSense looks more and more interesting especially because I want both: a Linux configurable router where I can do advanced things but also a simple web gui for doing basic things, like looking at traffic load, changing DHCP assignments.
I am still trying to find the HW to order for pfsense as the SG one seems far outside what I am willing to pay for. The OpenVPN performance requirements make the search quite hard.
PS. In case it was not clear: I don't fancy fully DIY software: I would consider only a device where I can enable OS auto-updates. Life is too short for updating firmware manually, or to spend recovering data after being hacked because your firmware was not updated.
-
"Once they add Open VPN to the GUI most of the things keeping me on pfSense will have been addressed."
While that would be another step in the right direction, they are still very very far behind that is for sure.. I have had to use the usg to handle my new 500/50 line that my pfsense box on VM couldn't handle.. So over the last couple of days I have been finding out all the stuff that is lacking..
Don't get me wrong - it is handling my 500/50 connection fine.. I do not have any shaping enabled - but I will test how bad of a hit it takes when you try that..
You hit on openvpn.. Which is a big one - pfsense has made multiple types of setups in openvpn be it site to site, road warrior, client overrides, etc etc.. all clickity clickity follow the bouncing ball stupid simple!!
After firing up the usg, I quickly found that it has really zero dns support.. Simple forwarder is all.. Can not even do simple host entries without doing it via cli..
Dhcp - again while yes people want pfsense to be able to handle dhcp for networks it's not in.. The usg dhcp doesn't even allow for a simple reservation.. Without having to edit the client after it's already gotten an IP in the controller client listing. While they seem to have a wpad url option - you can not set any other dhcp options from the gui.. So while I am letting the usg do the routing and nat.. I have left my pfsense vm to handle dhcp and dns duties. I can live without the vpn access and HE ipv6 tunnels until I get my pfsense running on hardware - sometime in Nov I hope..
While the dpi stuff is interesting.. Not sure how it would compare to just installing ntopng package on pfsense?
The creation of firewall rules is very clunky at best.. And doing a simple port forward into my plex server required a long list of rules since you can not use multiple netblocks in the same rule as source.. So you have to create multiple rules to allow the port forward from different ips or netblocks. I lock my plex down to the amazon blocks of networks they are using.. A few /12 and /15, etc. And then the specific IPs of my sons and friends that I allow to access it directly. So that is a lot of rules I had to create for 1 simple port forward.
I am a big fan of their APs, and for the price point the usg is not a bad little box.. And if they continue to mature it - it will for sure be a viable option for many a budget minded user that is for sure.
My opinion might be a bit fanatical when it comes to pfsense since I have been using it for so many years and have watched it grow and mature… And I sure hope the usg gets there, but for me - it's a few years behind for sure..
-
pfSense fits a fairly niche market (at least for home users).
But for those that fall into that niche, pfSense is a really exceptional tool.
To me pfSense is apples and oranges from anything Unifi/Ubiquiti.