PFsense & Unifi USG working together



  • Hi All,

    I am new to the PFsense product (but like it a lot) and have an existing Unifi network (USG, Switch, AP, CloudKey).
    How can I get the PFsense & Unifi to play nice with the following config?

    CableModem----PFsense----USG----Switch----(Devices)

    Any help or direction is much appreciated.
    Thank you.



  • @NoRealSecrets:

    Hi All,

    I am new to the PFsense product (but like it a lot) and have an existing Unifi network (USG, Switch, AP, CloudKey).
    How can I get the PFsense & Unifi to play nice with the following config?

    CableModem----PFsense----USG----Switch----(Devices)

    Any help or direction is much appreciated.
    Thank you.

    I'm running a similar setup at three sites.

    I have two WAN to the pfsense (loadbalancing/failover)
    LAN interface on the pfSense goes to WAN1 on the Unifi Gateway 4 (USG); WAN2 is unused.
    At two of the sites LAN1 and LAN2 on the USG have different subnets, with private traffic on LAN1 and guest traffic on LAN2 (I have a firewall rule in the USG disallowing all traffic between LAN1 and LAN2).
    At the third site, which doesn't have any need for guest traffic, I'm using LAN2 only for the Cloudkey.

    It took me a while to figure out how to set up the pfSense with routing and rules, but I found all the info needed in this forum. I had to turn off NAT in the USG to make load balancing work. You find all the info you need here if you need to do that: https://community.ubnt.com/t5/UniFi-Routing-Switching/Guide-to-disabling-NAT-on-USG/td-p/2012460/page/2



  • This is from one of my sites. I'm not a professional in this area in any way but this is how I made it work :)

    I have a 50/50 load-balancing setup and, as you can see in the Rules/LAN, pfSense is doing a good job spreading the load equally across the two WANs.

    WAN3 is currently disabled.

    You might need to zoom in to see everything …



  • What is the point of having the USG in between? I can't get it!

    I mean I have one USG, but I only will use it if something goes wrong with pfSense, and I prefer a Hyper-V setup first. Maybe I use it if I lose my network cards.

    More things in between? Don't know. Failure points for the network.



  • @mais_um:

    What is the point of having the USG in between? I can't get it!

    I mean I have one USG, but I only will use it if something goes wrong with pfSense, and I prefer a Hyper-V setup first. Maybe I use it if I lose my network cards.

    More things in between? Don't know. Failure points for the network.

    I have a lot of Unifi Access points and other Unifi equipment. With the USG + Unifi management console I have everything I need in one interface including all the network usage statistics I need.


  • LAYER 8 Global Moderator

    I have a few unifi AP as well.. I had a usg for a bit… wow did it suck compared to pfsense... As soon as my hardware got here it was back to pfsense, the usg is sitting on the shelf.. Have zero use for it..

    What stats are you looking for - the DPI info? It's pretty much just eye candy as it's currently working... Don't get me wrong, it's slick looking and all, but ntopng information is of way more value when trying to troubleshoot or track down something.

    But sure, if you turned off NATting in your Unifi you could use it as a downstream router to pfSense, and then just use pfSense as your edge firewall/router.



  • @johnpoz:

    I have a few unifi AP as well.. I had a usg for a bit… wow did it suck compared to pfsense... As soon as my hardware got here it was back to pfsense, the usg is sitting on the shelf.. Have zero use for it..

    Same for me. I look at the USG occasionally; it isn't very capable, it is dumbed down.



  • @Raul-Ramos said in PFsense & Unifi USG working together:

    What is the point of having the USG in between? I can't get it

    I've been using a pfSense box at home for a few years, recently moved the wifi and switching gear to UniFi, and I've been wondering about using a USG "inside" the pfSense. Here are my motivations; maybe you all can show me why I don't need to do this or how to do it.

    The plan would be pfSense as the edge router, maybe as a transparent bridge? The WAN side of the pfSense is both a WAN connection and an OpenVPN client; some VLANs route out the WAN, others out the VPN tunnel.

    • pfSense currently handles my DHCP and local DNS. If I had UniFi gear doing that, I get easier configuration and changes in the UniFi controller UI

    • pfSense now has to have a VLAN config matching the UniFi gear, that could all move to the USG

    • I have what I think is a pretty modest set of firewall rules, almost all based on source VLAN, with only a few port forwards. I hope a USG could handle this, pulling the bulk of my firewall rules and port forward exceptions into the UniFi controller UI

    • Suricata and similar would run on the pfSense, I don't see how a USG can keep up.

    If it turns out I can't replicate my current pfSense rules with a UniFi gateway, there still might be value to me for the USG handling DHCP and local DNS and DNS forwarder tasks, not doing NAT and just letting pfSense handle NAT and actual firewall rules.



  • I'm currently experimenting with pfSense as the internet-facing firewall and USG on the inside. pfSense is handling any external firewall rules and port forwarding, while the USG is handling routing and rules between internal subnets/VLANs, DHCP, and DNS. NAT is turned off on the USG so pfSense sees all the internal IP addresses.

    It's debatable whether the USG adds enough value to have it in such a mix. On the plus side, one can use the Unifi controller exclusively to add or change subnets/VLANs, and most routine tasks, easily and quickly. Port forwarding is done in pfSense only. I don't need to go to both for much of anything once it's set up. On the down side, it is another failure point and adds another router hop. The USG-3 only has three interfaces with one dedicated for the "WAN", so any more than 2 internal subnets will require router-on-a-stick. If inter-VLAN traffic isn't heavy this really isn't an issue, and it can be mitigated by wisely choosing which subnets are on which interface.

    Like anything there are trade-offs: one can choose just pfSense, or just a USG, or both, and arguments can be made for any of those depending on the network architecture and one's priorities. Having both gives one the ease of Unifi for internal changes along with the nice all-in-one interface with DPI, while still having a powerful, fully configurable front-door firewall that can run IDS/IPS.
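A worked model of the NAT-off arrangement described in this post, added here as an illustration and not code from any poster. It assumes a constructed addressing plan (a 10.0.0.0/30 transit link between the pfSense LAN and the USG WAN, with 192.168.10.0/24 and 192.168.20.0/24 behind the USG) and shows the two things pfSense needs once the USG stops NATing: a static route back to each internal subnet via the USG, and LAN rules whose source covers those subnets rather than only "LAN net".

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing plan (not from the thread):
# pfSense LAN 10.0.0.1/30 <-> USG WAN 10.0.0.2, internal nets behind the USG.
PFSENSE_LAN = ipaddress.ip_network("10.0.0.0/30")
USG_WAN_IP = ipaddress.ip_address("10.0.0.2")
INTERNAL = [ipaddress.ip_network("192.168.10.0/24"),
            ipaddress.ip_network("192.168.20.0/24")]

@dataclass
class PfSense:
    """Minimal model of the pfSense LAN-side decisions that matter here."""
    routes: dict = field(default_factory=dict)      # network -> next hop
    lan_allow_sources: list = field(default_factory=lambda: [PFSENSE_LAN])

    def route_for(self, dst):
        """Longest-prefix match over static routes; None means default route (WAN)."""
        hits = [n for n in self.routes if dst in n]
        return self.routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def lan_pass(self, src):
        """The stock LAN rule passes only source 'LAN net' unless it is widened."""
        return any(src in n for n in self.lan_allow_sources)

def usg_forward(src, nat_enabled):
    """Source address pfSense sees after the USG forwards the packet."""
    return USG_WAN_IP if nat_enabled else src

def check(pf, host, nat_enabled):
    """Return (passes the LAN rule, reply can be routed back via the USG)."""
    seen_src = usg_forward(ipaddress.ip_address(host), nat_enabled)
    passes = pf.lan_pass(seen_src)
    # Reply traffic is routed toward seen_src; with no route it falls to the WAN.
    reply_ok = seen_src in PFSENSE_LAN or pf.route_for(seen_src) == USG_WAN_IP
    return passes, reply_ok

def stock_pfsense():
    return PfSense()

def routed_pfsense():
    pf = PfSense()
    for net in INTERNAL:                 # static routes: internal nets via USG WAN IP
        pf.routes[net] = USG_WAN_IP
    pf.lan_allow_sources += INTERNAL     # widen the LAN pass rule's source
    return pf

if __name__ == "__main__":
    print("double NAT, stock:", check(stock_pfsense(), "192.168.10.25", True))    # (True, True)
    print("NAT off, stock:   ", check(stock_pfsense(), "192.168.10.25", False))   # (False, False)
    print("NAT off, routed:  ", check(routed_pfsense(), "192.168.20.7", False))   # (True, True)
```

The middle case is the one that bites after switching NAT off: pfSense silently drops the traffic on the LAN rule and, even with a pass rule, would send replies out the WAN without the static route.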



  • Hello Zeric,
    I was considering using my pfsense as a UTM only placing it in front of the USG3. How far have you gone with your experiment?

    Can I simply make the pfSense the Suricata server only?

    Thank you
    Gary



  • I'm still running the same configuration I described back in April which seems like what you want to do also. It's been quite stable.

    I know I found some online examples on setting it up, that plus a little experimenting and I got it going without too much issue. For the USG, I created a json file to turn off NAT and put it in the correct place for the unifi controller to upload it. It's possible (and easier) to leave NAT on so it's double NAT'ed, but you could potentially run into issues, but maybe not.



  • @gklimeck said in PFsense & Unifi USG working together:

    Hello Zeric,
    I was considering using my pfsense as a UTM only placing it in front of the USG3. How far have you gone with your experiment?

    Can I simply make the pfSense the Suricata server only?

    Thank you
    Gary

    If you have the pfSense on the WAN side of the USG, you could turn off NAT on the pfSense and have no or few firewall rules on pfSense, running just Suricata there. From the pfSense's point of view, the USG is its only client on the LAN side.



  • @Zeric Thank you



  • @gertty Thank you


  • LAYER 8 Moderator

    @gertty said in PFsense & Unifi USG working together:

    pfSense currently handles my DHCP and local DNS. If I had UniFi gear doing that, I get easier configuration and changes in the UniFi controller UI

    Meh, no you don't. Unifi's USG or the newer UDMs (even Pro) suck bad when used with DHCP and DNS. They aren't able to do the most basic DNS stuff that can be done with DNS forwarders or resolvers. Host Overrides? Domain Overrides? Setting up static hostnames for specific devices that don't go through DHCP (because they are servers or NAS etc. with static IP)? It's ridiculous how dumbed down these devices are. Really sad to see. Even OpenVPN or IPsec setup on the UDMs I got to play with is that bad/dumbed compared to pfSense that it's easier taking a Raspi and throwing OVPN on it than configure an OVPN tunnel in a UDM.

    pfSense now has to have a VLAN config matching the UniFi gear, that could all move to the USG

    True, but you don't create / handle new VLANs on a daily basis. Set up once, it's working fine.

    Suricata and similar would run on the pfSense, I don't see how a USG can keep up.

    If you throw that on pfSense, better pack everything there. Because the "click-and-it-works" stuff like packet inspection etc. in the controller all relies on the USG and their IDS. So if pfSense should even do that job, why pack things like DHCP and DNS or even VLANs there?

    You can name and set up your network in the Unifi controller just fine without a USG. The only thing that's missing is the bandwidth graph on the dashboard and the one-click packet inspection. Ah, the rule handling of the USG is a bit shaky and strange, too.

    @gertty @gklimeck Considering the way Ubiquiti has dumbed down the UDM and even the UDM Pro and is going their own OS route (USGs can still be modified via JSON or on the OS level; with their own minimal OS there is no way anymore), I'd rather use pfSense as the only gateway in your setup rather than playing with two gateways for almost zero gain.
    But to each their own :)



  • @gertty @gklimeck Considering the way Ubiquiti has dumbed down the UDM and even the UDM Pro and is going their own OS route (USGs can still be modified via JSON or on the OS level; with their own minimal OS there is no way anymore), I'd rather use pfSense as the only gateway in your setup rather than playing with two gateways for almost zero gain.
    But to each their own :)

    Heh. I came to the same conclusion.

    In another thread (maybe on the Ubiquiti forums?) I walked through running the pfSense in front of the USG (NAT off on the USG) for maybe a month or two, then eventually moving everything back to just the single pfSense box as the gateway, DHCP, and DNS for the network. Agree with the configurability of pfSense vs the USG (or UDMs); it's just not there.

    For getting "pretty graphs" I'm currently working on setting up netflow to export to a VM running somewhere else on the network.


  • LAYER 8 Moderator

    @gertty said in PFsense & Unifi USG working together:

    For getting "pretty graphs" I'm currently working on setting up netflow to export to a VM running somewhere else on the network.

    Just a hint: Telegraf plugin to InfluxDB and show it in Grafana, or even use syslog and throw it over to Graylog and use that for logging and nice dashboards (or use it as a source for more Grafana magic) :)



  • Cool, thanks for the advice. My first attempt at this is an ELK stack because I'm familiar with it and I also had an Elasticsearch instance for an entirely different thing.



  • @JeGr I am strongly considering going back to my pfSense and removing the USG-3. It's been a few years running the USG, but like JeGr said, Ubiquiti is making things proprietary and I am sure anytime now we will see a subscription model soon.



  • @gertty said in PFsense & Unifi USG working together:

    @gertty @gklimeck Considering the way Ubiquiti has dumbed down the UDM and even the UDM Pro and is going their own OS route (USGs can still be modified via JSON or on the OS level; with their own minimal OS there is no way anymore), I'd rather use pfSense as the only gateway in your setup rather than playing with two gateways for almost zero gain.
    But to each their own :)

    Heh. I came to the same conclusion.

    In another thread (maybe on the Ubiquiti forums?) I walked through running the pfSense in front of the USG (NAT off on the USG) for maybe a month or two, then eventually moving everything back to just the single pfSense box as the gateway, DHCP, and DNS for the network. Agree with the configurability of pfSense vs the USG (or UDMs); it's just not there.

    For getting "pretty graphs" I'm currently working on setting up netflow to export to a VM running somewhere else on the network.

    I've also been considering getting rid of the USG in my current pfSense->USG3->US24 setup at some point. Rock-solid stability is important now, working from home, so I've just left it for the time being. Maybe I'll start migrating non-critical subnets/VLANs over to pfSense for testing so it won't affect "working from home". Will have to look into how to set up graphs on pfSense; sounds promising.

    I really like the 'single pane of glass' concept with Unifi, but they just can't seem to get the features people want into the gateway router. I was really hoping the UDM Pro would have got there, but it just didn't, and in some ways it's worse than the USG. It's weird because people have been complaining about the same things for years with the Unifi routers.


  • LAYER 8 Moderator

    @gklimeck said in PFsense & Unifi USG working together:

    Ubiquiti is making things proprietary and I am sure anytime now we will see a subscription model soon.

    That I don't see. Nope, there are too many things GPL etc. that can't just be made closed source etc.

    But UDMs were a real bummer for me after checking them out. Sure, controller, switch, AP AND USG in one box sounds too good to be true anyway, but seeing a gateway/firewalling device dumbed down to such levels was really crude. My brother is running one, and the first thing I did was let him shop for a Raspi 4, throw Pi-hole and OVPN on it and have DHCP/DNS running over the Raspi, as the controller UI and USG are THAT bad for simple DNS/DHCP things that are "normal" coming from pfSense.


