Netgate Discussion Forum

    Ubiquiti integration package?

    13 Posts 9 Posters 1.3k Views
    • bmeeks

      Unifi Network Controller has Java JRE as a runtime dependency. Do you really want Java installed on your firewall? I certainly do not!

      • jimp Rebel Alliance Developer Netgate

        It will never happen for multiple reasons, including:

        1. Java dependency -- it does not belong on a firewall.
        2. The Ubiquiti license forbids us from offering it that way (you can't redistribute their software).

        Throw it in a VM, Pi, container, etc. Do not force the firewall to take on that role.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • Patch @Visseroth

          @visseroth said in Ubiquiti integration package?:

          add-on that would allow Ubiquiti integration?

          It is achievable already by a slightly different approach. The approach I have taken is a DIY all-in-one router consisting of:

          • Mini PC with 6 NICs
          • Proxmox (free version)
          • pfSense VM with NIC passthrough
          • Ubiquiti VM (which is free)
          • 3CX VM (free version)

          But the Ubiquiti application can readily be put in many locations.

          • Cloudless Smart Home @Patch

            @patch that is somewhat similar to my setup, except pfSense is installed bare metal on a Protectli Vault FW2B - 2 Port, then an old HP Prodesk 600 G2 i5-6500T, 32GB DDR4, 2.50GHz, 2TB NVMe Mini PC running Proxmox with Home Assistant and UniFi OS VMs on the LAN and some UniFi Switch Lites. It all works great and feels pretty bulletproof. I plan to get a couple more HPs to migrate to a Proxmox HA cluster at some point in the future.

            • Patch @Cloudless Smart Home

              @cloudless-smart-home that looks like a good solution.

              The main issue with my implementation is the need to maintain a backup to provide temporary internet access should a Proxmox update fail. I currently keep an old ISP router for that function, but in the future I plan to have another Proxmox box used in a non-critical role which can be moved if required.

              • ericnix

                @Visseroth Not sure how long it's been since you've examined a UI console (UDMP/UDM-SE), but the logging in Network has significantly improved. Both pfSense and UDMP/UDM-SE use Suricata for firewalls.

                I find that UI's consoles have more information that is better organized than my Netgate XG-1541 (that I now only use solely for a VPN server). As WireGuard server is now supported by my UDM-SE, I probably will ditch the Netgate in the coming months. Waiting on Comcast Gig Pro to be installed so I can test speeds between both.

                The UDM-SE currently has more features than the UDMP, but UI is on par to get them on the same firmware soon.

                • JeGr LAYER 8 Moderator @ericnix

                  @ericnix said in Ubiquiti integration package?:

                  I find that UI's consoles have more information that is better organized than my Netgate XG-1541 (that I now only use solely for a VPN server).

                  Have fun. I had a look at a USG (Pro) and a UDM at my brother's and boy was/is that a huge loss of features. Anything besides their core functionality is a drag. DHCP settings, DNS, DNS blocking not possible, DNS overriding not possible, running a small little internal-only domain for your own clients so they can find themselves with names? It was so bad, we ditched the UDM bullshit and installed a raspi in the network, running PiHole for DHCP and DNS to actually have a real protective solution instead of a glossy dashboard with nothing behind technically. Comparing a *sense with UDM/USG? IMHO that is a no-brainer loss for Ubiquiti. Don't get me wrong, I run their switches, WiFi APs and bridges and they work great if reined in. But as a gateway? No way hell on earth is that better than running a full featured Sense up front. Dashboard be damned. :)

                  But hey, YMMV :)

                  Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                  • Cloudless Smart Home @JeGr

                    @jegr said in Ubiquiti integration package?:

                    I run their switches, WiFi APs and bridges and they work great if reined in

                    I do the same. Any advice on reining them in? Things are working fine, I guess, but always trying to learn how to improve / secure my home lab setup.

                    • Visseroth @ericnix

                      @ericnix I haven't done anything. I have a Unifi Cloud Key Gen 2 Plus for controlling my stuff.

                      • JeGr LAYER 8 Moderator @Visseroth

                        @cloudless-smart-home said in Ubiquiti integration package?:

                        I do the same. Any advice on reining them in? Things are working fine, I guess, but always trying to learn how to improve / secure my home lab setup.

                        In paranoid setups, we've set up the management network for Unifi stuff separate from the default VLAN and actually use that (default VLAN) as a "sort of jail" where devices won't get an IP and are just isolated. So Mgmt runs with all other networks on different VLANs. Initially that's a bit harder to set up so you'll not lose connection between the controller and at least one switch but it works :)
                        After that it's really your choice. If you trust the updates and stuff you could leave outgoing HTTP/S open so switches, APs etc. can get their firmware themselves. Others like it better if only the controller itself has web access, no one else. You'd need to deploy the firmware via the controller then, by caching it there first and then rolling out the upgrade; the controller should send it to the device. Or go full defense and revoke internet access from management altogether and only open it for patch days. That choice is yours :)

                        Otherwise reining them in also means checking for things like RSTP etc. going wild etc. ;)

                        Cheers

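The three egress postures JeGr describes for a separate UniFi management VLAN, written out as pf.conf-style rules. This is an added example, not part of any post in the thread and not pfSense's generated ruleset; on pfSense the same rules would be entered through the GUI on the management interface. Interface names, subnets and the controller address are assumptions, and the controller is assumed to sit inside the management VLAN.

```pf
# Constructed values (assumptions, not from the thread)
mgmt_if    = "igb1.50"        # tagged management VLAN for switches/APs/controller
jail_if    = "igb1"           # untagged default VLAN, used as the "jail"
mgmt_net   = "10.50.0.0/24"
controller = "10.50.0.10"

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Default VLAN as a jail: no DHCP scope is served here, and if the firewall
# has an interface on it at all, nothing arriving on it is forwarded.
block drop in log quick on $jail_if all

# Management VLAN: default deny, every rule below is an explicit exception.
block drop in log on $mgmt_if all

# Name resolution and time from the firewall itself, so devices need no
# direct path to outside resolvers.
pass in quick on $mgmt_if inet proto { tcp, udp } from $mgmt_net to ($mgmt_if) port 53
pass in quick on $mgmt_if inet proto udp from $mgmt_net to ($mgmt_if) port 123

# Device-to-controller traffic stays inside the VLAN (switched, not routed),
# so it needs no rule here.

# Posture A (most open): every managed device may fetch firmware itself.
# pass in quick on $mgmt_if inet proto tcp from $mgmt_net \
#     to ! <rfc1918> port { 80, 443 }

# Posture B: only the controller has web access; it caches firmware and
# pushes it to the devices.
pass in quick on $mgmt_if inet proto tcp from $controller \
    to ! <rfc1918> port { 80, 443 }

# Posture C (full defense): comment out the Posture B rule as well and
# enable it only for the duration of a patch day.
```

Negating the RFC 1918 table keeps the web exception from doubling as a path into other internal VLANs, and logging on the block rules shows which devices try to reach out once a posture is tightened.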
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.