PfSense + Ubiquiti Unifi switch + UAP-AC-Pro APs



  • I've read a few threads on this forum and the UBNT one. I currently have a Qotom i5 box running pfSense and am very happy with pfSense, so I don't want to lose that. Running pfBlockerNG and Suricata/Snort, and when doing a torrent download at close to 200 Mbit the CPU hovers at only around 10-15%.

    But I'm looking to replace my current Netgear switch (GS110TP) and a variety of wireless routers used as pure access points with a UniFi switch and maybe 3 x UAP-AC-Pro APs. Just looking for people's experience with this and whether they feel they are still getting sufficient benefits from the "single pane of glass" type system when not using a USG gateway. This is for a home environment. I have a QNAP that is on 24/7, on which I've been able to install the UniFi controller as a Docker container.

    Not currently doing VLANs but I plan to do some simple stuff and find the simplicity of the Unifi interface appealing, but wondering if keeping pfSense as the firewall/router limits that simplicity.

    Anyway, any experiences with a similar setup would be most welcome…



  • Don't have any issue with UniFi + pfSense here. Sure, you don't get the nice UniFi dashboard, but you do get to actually do something with your traffic, something the USG/EdgeRouter X doesn't do very well in volume.



  • Thanks. Do you still feel you are gaining something with UniFi in terms of simple management of the switch + APs vs more "normal" switches? There's still some synchronization between the switch and APs, right?
    Re: the dashboard, you should still get some monitoring capabilities even without the USG, I thought. Like, can you monitor per-client (as in per IP address, wired and wifi) realtime bandwidth usage even without the USG?
    Can I ask what your setup is in terms of hardware and what you are doing with it?



  • @occamsrazor:

    Thanks. Do you still feel you are gaining something with UniFi in terms of simple management of the switch + APs vs more "normal" switches? There's still some synchronization between the switch and APs, right?
    Re: the dashboard, you should still get some monitoring capabilities even without the USG, I thought. Like, can you monitor per-client (as in per IP address, wired and wifi) realtime bandwidth usage even without the USG?
    Can I ask what your setup is in terms of hardware and what you are doing with it?

    We have two Qotoms in HA mode, and 12 AP-AC-Pro units, connected to an HP 1800 series managed switch. We put the APs on 3 VLANs, one for guests, one for users, one for infrastructure. Per-user bandwidth monitoring can be done with stuff like ntop I guess, but most of the time, without 802.1X, you don't really know who is who.

    If you use the UniFi controller and check the actual user list, you get traffic/bytes used per wireless client, so that's something. And you can correlate IPs with the wifi MAC, so if you then use the bandwidth graph in pfSense on that IP, you can see the current usage.

    When using an UBNT switch, it might do some of that for you, but I'm not sure and haven't had the need for it.
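    The correlation described in the post above (bytes per wireless client from the controller's client list, then the client's IP looked up against the firewall) can be scripted. The block below is an added example written for this thread, not code from the forum posters, Ubiquiti or Netgate. It joins a constructed sample of the controller's per-client list (the field names mac, ip, hostname, essid, tx_bytes and rx_bytes are assumed to match what the controller reports) with a constructed sample of `arp -an` output from pfSense, and classifies each wireless client. The point the post makes about 802.1X still stands: a MAC address is unauthenticated, so a mismatch row is a lead to investigate, not proof of who is who.

```python
"""Correlate a UniFi controller client list with the pfSense ARP table.

Added example for this thread, not code from the original posts or from
Ubiquiti/Netgate. Both inputs below are constructed inline. The client
fields (mac, ip, hostname, essid, tx_bytes, rx_bytes) are assumed to match
what the controller reports per wireless client; adjust them if your export
differs.
"""
import json
import re
from typing import Dict, List

# Constructed sample of the controller's per-client list (assumed field names).
UNIFI_CLIENTS_JSON = """[
  {"mac": "AA:BB:CC:00:00:01", "hostname": "phone-alice",  "ip": "192.168.10.21", "essid": "users", "tx_bytes": 5000000,  "rx_bytes": 120000000},
  {"mac": "aa:bb:cc:00:00:02", "hostname": "tablet-bob",   "ip": "192.168.10.22", "essid": "users", "tx_bytes": 900000,   "rx_bytes": 44000000},
  {"mac": "aa:bb:cc:00:00:03", "hostname": "guest-laptop", "ip": "192.168.20.5",  "essid": "guest", "tx_bytes": 30000000, "rx_bytes": 800000000},
  {"mac": "aa:bb:cc:00:00:04", "hostname": "",             "ip": "192.168.10.40", "essid": "users", "tx_bytes": 100,      "rx_bytes": 2000},
  {"mac": "aa:bb:cc:00:00:05", "hostname": "iot-plug",     "ip": "192.168.10.77", "essid": "users", "tx_bytes": 4000,     "rx_bytes": 9000}
]"""

# Constructed sample of `arp -an` on pfSense (FreeBSD output format).
PFSENSE_ARP = """\
? (192.168.10.1) at 00:0d:b9:aa:bb:cc on igb1 permanent [ethernet]
? (192.168.10.21) at aa:bb:cc:00:00:01 on igb1 expires in 1142 seconds [ethernet]
? (192.168.10.22) at aa:bb:cc:00:00:02 on igb1 expires in 300 seconds [ethernet]
? (192.168.10.40) at de:ad:be:ef:00:40 on igb1 expires in 1180 seconds [ethernet]
? (192.168.10.50) at 00:11:22:33:44:55 on igb1 expires in 600 seconds [ethernet]
? (192.168.20.5) at aa:bb:cc:00:00:03 on igb1.20 expires in 1000 seconds [ethernet]
"""

ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on (?P<ifname>\S+) (?P<state>permanent|expires)",
    re.IGNORECASE,
)


def parse_arp(text: str) -> Dict[str, Dict[str, str]]:
    """Return {ip: {"mac", "ifname"}} for dynamic entries. The firewall's own
    (permanent) addresses are skipped so they are not reported as unknown hosts."""
    table: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m and m["state"].lower() != "permanent":
            table[m["ip"]] = {"mac": m["mac"].lower(), "ifname": m["ifname"]}
    return table


def parse_clients(text: str) -> List[dict]:
    clients = json.loads(text)
    for c in clients:
        c["mac"] = c["mac"].lower()  # normalise so controller and ARP MACs compare equal
    return clients


def build_report(clients_json: str, arp_text: str) -> dict:
    """Join the two views on IP and classify each wireless client:
       ok            controller IP and ARP MAC agree
       mac-mismatch  the IP the controller shows is answering from a different MAC
                     at the firewall (stale lease, duplicate IP, or something spoofing it)
       not-in-arp    the firewall has no ARP entry for the client's IP
    Hosts in ARP whose MAC the controller never saw are listed as unattributed
    (wired devices, or a MAC the controller does not know)."""
    arp = parse_arp(arp_text)
    clients = parse_clients(clients_json)
    known_macs = {c["mac"] for c in clients}

    rows = []
    for c in clients:
        entry = arp.get(c["ip"])
        if entry is None:
            status = "not-in-arp"
        elif entry["mac"] != c["mac"]:
            status = "mac-mismatch"
        else:
            status = "ok"
        rows.append({**c, "status": status,
                     "ifname": entry["ifname"] if entry else None,
                     "total_bytes": c["tx_bytes"] + c["rx_bytes"]})

    unattributed = [{"ip": ip, **entry} for ip, entry in arp.items()
                    if entry["mac"] not in known_macs]
    return {"clients": rows, "unattributed": unattributed}


def top_talkers(rows: List[dict], n: int = 3) -> List[dict]:
    """Wireless clients sorted by total bytes, highest first."""
    return sorted(rows, key=lambda r: r["total_bytes"], reverse=True)[:n]


if __name__ == "__main__":
    report = build_report(UNIFI_CLIENTS_JSON, PFSENSE_ARP)
    for r in top_talkers(report["clients"]):
        print(f'{r["ip"]:15} {r["mac"]} {r["hostname"] or "-":12} {r["essid"]:6} '
              f'{r["total_bytes"]:>12} {r["status"]}')
    for u in report["unattributed"]:
        print(f'unattributed: {u["ip"]} {u["mac"]} on {u["ifname"]}')
```

    In the constructed data, 192.168.10.40 shows up twice: the controller attributes it to one wireless MAC while the firewall is talking to a different MAC at that IP, so it is both a mac-mismatch row and an unattributed host. On a real network you would feed the script the controller's client export and `arp -an` from the pfSense shell, and use the interface name in each row to tell which VLAN the client landed on.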



  • My home setup is an SG-2220 > 5-port ToughSwitch with an AC-LR and a G3 camera, to an EdgeRouter X in switch mode upstairs that powers an AC-Lite.

    I highly suggest UBNT products. They have given me, I'd say, 95% reliability on UPS battery backup systems.


  • LAYER 8 Global Moderator

    I played with the USG for a while, as a temp solution when I increased my internet speed from 75/10 to 500/50 and my trusty pfSense VM could not handle the speed. While it could handle the 500/50, and the price point is nice, in its current form it's not very feature-rich other than the eye-candy DPI it presents.

    Once I got my SG-4860 the USG went on the shelf. While I have been very happy with the UniFi APs (I have an AC Pro, Lite and LR), I don't see any reason for their switches. I got an SG300-28 for a better price point, to be honest, with a much larger feature set.

    I would highly recommend their APs, and will at some point get their cameras.

    The controller (run on an Ubuntu VM on my ESXi host) gives you plenty of insight into your wireless clients.

    I don't see a reason why you would need or even want to use their USG product if you have pfSense running. There are better switches for better pricing even than theirs. I am a huge fan of the Cisco SG300 line. Great pricing for the feature set and port density you can get. I got my 28-port for under 200.



  • I can also recommend the UniFi APs. We use a lot of them with the UniFi 8-port PoE switches (US-8-150W) and they are fanless and quiet. However, they do run a bit too hot for my taste (150W).
    You may be ok with the 60W model which only has 4 PoE Ports and no SFP Slots.

    Together with the UniFi Controller (on a CloudKey or Debian) you can get some valuable information out of the network without much effort. I also like the fact that the UniFi switches allow you to reboot PoE devices on a per-port basis (by cutting PoE power).

    I also have setups that use a Cisco SG300-10PP (60W), which powers 3 UAP-AC-Pros easily. You also get two extra ports with the Cisco and won't burn your hands when touching it.

    pfSense allows me to do everything I need to do with the UBNT products, and I have never considered the USG. I'm sure the USG will look great in the Unifi Controller but it's not a priority for me.



  • I'm running a pfSense firewall with a non-Ubiquiti switch and a UniFi AC Lite. I have a Raspberry Pi running the controller software. It's a little silly to have an entire system just to manage ONE network appliance. It would probably be pretty cool if I had the switch and firewall to work with it, but I like pfSense too much. They've done some big updates to the firmware on these things since I bought mine; I'm pretty sure you can configure one from an iOS device now. I should probably look into doing that instead of the Raspberry Pi running the software.



  • I also used the SG300 but switched to (used) HP switches which are cheaper and have a bit more options regarding automation, ssh and direct console access.


  • LAYER 8 Global Moderator

    While you can set basic features via iOS for the AP, you get none of the info the controller brings about your wifi clients.

    It might seem silly to you to run the controller on a Raspberry Pi; you could also just run it on some PC you leave on all the time, etc. If you had 1 or 2 wifi devices then maybe the info provided by the controller might not be very useful to you. But most households these days have an ever-increasing number of wifi clients. Most people in the house will have a phone, and some tablets. Shoot, you start talking IoT devices... I have 33 devices that connect to my wifi network. Some of these are my son's and friends'/family's phones, etc. But with having this many devices connect to my wifi network, then yes, the info the controller provides can be very insightful.



  • @johnpoz:

    While you can set basic features via iOS for the AP, you get none of the info the controller brings about your wifi clients.

    It might seem silly to you to run the controller on a Raspberry Pi; you could also just run it on some PC you leave on all the time, etc. If you had 1 or 2 wifi devices then maybe the info provided by the controller might not be very useful to you. But most households these days have an ever-increasing number of wifi clients. Most people in the house will have a phone, and some tablets. Shoot, you start talking IoT devices... I have 33 devices that connect to my wifi network. Some of these are my son's and friends'/family's phones, etc. But with having this many devices connect to my wifi network, then yes, the info the controller provides can be very insightful.

    He is already running the controller on his nas. This is about the bandwidth and DPI you get on the UniFi dashboard on the controller if you have more UBNT gear.


  • LAYER 8 Global Moderator

    My comment was in response

    "I have a Raspberry Pi running the controller software.  It's a little silly to have an entire system just to manage ONE network appliance."

    I guess I should have quoted.

    What would be nice is if they brought into their dashboard this sort of info from other switches that support flows and SNMP, where you could query the interfaces' traffic, etc.



  • @johnpoz:

    My comment was in response

    "I have a Raspberry Pi running the controller software.  It's a little silly to have an entire system just to manage ONE network appliance."

    I guess I should have quoted.

    Ah yes, that makes more sense now.

    @johnpoz:

    What would be nice is if they brought into their dashboard this sort of info from other switches that support flows and SNMP, where you could query the interfaces' traffic, etc.

    Ah yes, that would be nice indeed, but I'm sure that will never happen as long as this is what they push as their walled garden/marketing/USP. At best we could reverse-engineer the integration (which shouldn't be too hard) and supply it ourselves.

