Switching from pfSense to Ubiquiti raises a few questions.
Switching from pfSense to Ubiquiti raises a few questions.
I’m setting up a PFSense firewall in Proxmox with Unifi switches and a self-hosted Unifi network. I’m exploring Ubiquiti’s options and want to switch to their firewall. I’ve reviewed many tutorials but still have questions about their terms (controllers, cloud keys, gateways, OS) and how everything connects. Specifically, I’m considering the “UXG Gateway Fiber” – it’s compact and supports 10G SFP+ and GbE WAN, 10G LAN, and needs over 2.5Gbps for IDS/IPS. Since I don’t need remote access, it won’t be linked to Unifi’s cloud.
Can I run this firewall locally now that Ubiquiti released self-hosted Unifi OS? Do I still require a physical hardware firewall like the Gateway Fiber? Should I adopt all my devices to the new appliance or keep using the self-hosted network appliance? I prefer flexibility, so full control over backups, restores, and rollbacks.
If I choose this Ubiquiti solution, what additional hardware or software is needed? For example, do I need a cloud key or anything else? Are there any hidden issues or considerations I should know about?
It seems there isn't a self-hosted Unifi firewall available. It functions more like a gateway, meaning it doesn't integrate directly—just use something like a UDM proxy if you need to run the Unifi server. You'll require a dedicated Unifi server with the box ID unknown; your internet speed is likely adequate for 10Gbps, but you're not using all features at that rate. You're paying well for 10G with NGFW capabilities.
Two 2.5Gb links from different suppliers—one via fiber, one over Ethernet. You don’t require full 10G on the WAN right now; perhaps later. You’re aiming for up to 5Gb with IDS/IPS active. That should work for your self-hosted Network Server, and you can connect it to this firewall.
The Cloud Key functions as an ARM server that runs the Unifi Network Application, formerly known as Controller. It manages the UI for handling all Unifi assets like switches and APs. You don’t require the Cloud Key to operate, nor must it be active around the clock—monitoring and fast adjustments are recommended. The app can be deployed on Windows or Linux systems. Self-Hosting a UniFi Network Server – Ubiquiti Help Center
It appears the recent updates are mainly due to faster speeds. This is the most significant advantage of pfsense/OPNsense in my view. Would you mind adding a new NIC to your existing hardware? I did that when upgrading to 10G—purchased a 10G card and installed it in my OPNsense device.
I noticed the availability of both "UXG-Fiber" and "UCG-Fiber" products. They appear to share similar technical details and pricing, with no recent changes in speed. We're currently operating on identical 2.5Gb connections using pfSense, and integrating these gateways into our Ubiquiti network aims to simplify our setup. The UXG-Fiber was selected for its adaptable physical connections, supporting up to 10Gb Ethernet or SFP+ inputs, along with strong switching performance.
I believed this was about adapting to speed changes ahead. Though I see the benefit in focusing on a single ecosystem, I remain cautious about becoming tied to one. My research showed Ubiquiti devices didn’t have suitable switches (they favor 1G ports), so I opted for Netgear models that fully supported 10G. I’m currently using Ubiquiti APs with OPNsense managing the setup.
There could be quicker connections later, but that doesn’t explain why we’d pick Ubiquiti over PFSS. It’s simply because we prefer the “Fiber” gateway instead of another Ubiquiti device. We’re already running Ubiquiti switches and APs with solid 2.5Gb and 10Gb options that include PoE. The PFSS configurations for VLANs and especially Layer 3 switching become more complex since they need to be deployed in various locations. Ubiquiti’s management tools have improved enough that we can handle most tasks ourselves, making it practical to centralize everything for simplicity. I’m also cautious about becoming tied into their ecosystem, but Ubiquiti doesn’t force it. You don’t need their cloud service (we won’t), and we can always replace the gateway—or any switches/APs—with alternatives later while maintaining our current setup.
The UCG line includes built-in UniFi support. Unlike other solutions that require a separate device or cloud to run the UniFi software (such as Cloud Key or Server), the UCG Fiber has everything integrated. This means you don’t need additional hardware to manage the UXG Gateway Fiber. The main distinction is that the UCG model offers 1GB more RAM, likely to accommodate the extra software. If you prefer a single device for UniFi management, the UCG is the better choice. However, if you can run UniFi elsewhere, the UXG variant could be preferable. In my view, opting for UCG saves space and reduces potential points of failure, though some may favor the UXG option for reliability or specialized needs.