
Ubiquiti UniFi Security Gateway (USG) our journey

We use a lot of Ubiquiti Access Points! Mostly the UniFi AP-AC-Pro model. They are great, and the UniFi Controller makes it easy to manage them. My colleagues like the possibility to manage all locations within one simple-to-use Web UI. We have several locations where we provide wireless access, both for our users and within a completely separated guest network.

A while ago, we had to replace a few old and outdated Cisco switches: a Cisco Catalyst 3560-48PS in the office and some SG300 in the other locations. So we decided to go with the UniFi Switch 24 AT-250W as the access switch in the office, and a bunch of UniFi Switch 8 POE-150W in the home office locations. We had pfSense based firewalls in all locations to provide security, do the VPN handling, and route between the local VLANs. The hardware was a bit old, so it was obvious to think about a UniFi Security Gateway (or USG for short) as a replacement.

I was amazed how easy it was to adopt the UniFi Security Gateways: just bring them up and adopt them. It took just a few hours to replace our old firewalls… But not so fast! The first shock came when we tried to establish a VPN connection between all our locations like we had before. If the UniFi Security Gateway sits behind an existing NAT router (in our case, we have this in all the home offices), IPsec will not work. So we had to switch to OpenVPN instead. That was interesting, because a Remote User VPN (L2TP) works just fine, but Site-to-Site does not. We never had an issue like this with our pfSense/Cisco ASA combination.

The IPv6 support of the UniFi equipment is marked as Alpha, and there are a lot of missing things!

Here are a few examples:

  • For our home office concept, we would like to use IPv6 internally, but IPv6 is not supported in the VPN configuration! Private IPv4 (with or without NAT) is OK, but I think IPv6 is much better here.
  • The equipment itself supports IPv4 only (we could live with that).
  • We need workarounds for some of the issues that we found.

The UniFi Security Gateway 3P in our office locations caused us a lot of headache! Mostly because we had issues with IPv6, and that is something we desperately need.

But it was never really stable when the load was high. Sometimes the USG just disconnected from the controller, and often it dropped all connections. And that caused much bigger issues!

A router in front of the UniFi Security Gateway wasn't an option: we need a VPN connection between our office and Azure! And because the UniFi Security Gateway is unable to handle such a connection behind a NAT router, it became a blocking issue (and I mean a real show stopper for us)!

We also ordered a UniFi USG-PRO-4 for our hosting location! After all we learned with the UniFi Security Gateway 3P in our office locations, we decided to send it back before we even tried to replace our existing solution there.

What made us do that: multiple (real) external IPv4 addresses. Hairpin NAT is not available in the GUI (UniFi Controller)! Something that has worked fine for a long time in our pfSense based solution!

And to be honest: the UniFi Controller (especially the GUI based administration) was one of the main reasons why we decided to go with the Ubiquiti UniFi equipment! With a lack of features and more and more manual (console based) workarounds, it became obsolete as a reason. At least for us! We were looking for a solution that everyone can learn in a short time period, so we could drop all the different tools and get rid of shell based administration. Something we already have, but with much better stability.

The journey is not over! Access points are (still) great! We decided to roll out a few UniFi UAP-AC-IW-PRO (the In-Wall 802.11ac Wi-Fi Access Points) to a new location instead of the UniFi AP-AC-Pro model. We will also keep the switches! They provide Power over Ethernet (PoE) for all our equipment at a good price. The only thing that I miss (on the US-24): no SFP+ ports for 10G uplinks. And the US-48 is totally oversized for us.

We might also get a new UniFi US-16-XG as the 10G core switch for our hosting environment; we will evaluate it soon.

Just to wrap things up: the Ubiquiti UniFi equipment is good. Some call it enterprise ready! I would agree for the Access Points and most of the switches. I disagree for the UniFi Security Gateway! I would call the UniFi Security Gateway a "Prosumer" device. Good, but not perfect yet.

And they might have a good reason why they mark the complete IPv6 support as Alpha!