My previous network setup had served its purpose and it was time for a change. I had previously installed a Palo Alto Networks PA-220 for my network, with standard L2 switches hanging off of it to support my connectivity requirements. The licensing on my PA-220 had expired and I couldn’t get it renewed for a decent price, and I was also having wireless issues with my old Linksys router that I had turned into a bridged access point, so I decided it was time to cut my teeth on Ubiquiti’s UniFi networking systems.
I had seen UniFi at my work, where it was used for some of the small remote offices. It worked really well and seems like great equipment. I picked up two UniFi nanoHD WAPs as well as the UniFi Dream Machine Pro. They all installed very quickly and it wasn’t too terrible to get it done.
The UDM was the most troublesome to install and actually a little underwhelming for me. Come to find out, the ports basically accept all network traffic with whatever 802.1Q tag is sent to them, so getting the trunk ports set up was easy. The part that let me down was the firewall and routing portion. If you have a static IP allocation from your ISP to provide internet-exposed services, you will not be able to continue doing so in its current revision. It has port forwarding, which allowed me to keep running some of my services, but there is no NAT table for you to modify, which is a big letdown. They really need to add the capability to create 1-to-1 NATs so that if you are given a block of static IPs from your ISP, you can map each of them to a specific service inside your network.
The firewall configuration feels more like editing iptables rules than configuring a true firewall with next-gen capabilities, which I’m surprised they don’t tie in. The UDM can already identify traffic by application and purpose, so why not make that available in the firewall rules too? Instead it relies on port-based rules, which is 90s and early-2000s technology. We are in 2021 now; this should be up to snuff by this point.
The deep packet inspection and threat management are pretty lame as well. The threat management is basically a geolocation blocking mechanism… It does have some IPS/IDS capabilities, but I don’t see where you can review what signatures they have, how to modify those signatures as needed, or even add your own. Where are they getting their signatures? What are they able to alert on? Really, I guess I can’t complain too much for the price, with no yearly renewal needed to keep the support. I have to keep that in perspective. If you were looking for some kind of proxy capability to block certain categories of websites, you’ll also be underwhelmed. They do block “explicit”, pornographic, and malicious domains, and they can set YouTube and search engines to Safe Mode, but there is no way to say you want to block other categories if you need to. Again… perspective. This only costs $379, so you probably aren’t going to get huge gains in security, especially with this thing being capable of high throughput even with all of the bells and whistles turned on.
I will say, some things that surprised me and are helpful are the vulnerability scanner and the honeypot. It’s nice to get some very basic scans of my hosts to know what they are and to have an inventory. Granted, it does not really provide the kind of “vulnerability” list I’m used to; it seems to be more of an enumeration scan than a vulnerability scan. The honeypot is interesting for seeing what is scanning your network. I haven’t played with it enough yet to provide any useful feedback on it, but it is a great idea and I hope it turns out well. I don’t know if the honeypot tries to mimic any specific type of OS or if it just listens for any and all network connections trying to hit it. We’ll see…
All in all, I’m not entirely dissatisfied with the products. They provide the connectivity that a remote office would need and give you a very basic level of security. For its price point, it is about what I expected. I did expect NAT capability, and that was a huge letdown, but hopefully they will add the ability to modify the NAT tables in the future.
The WAPs were very nice, though. They reminded me very much of the Cisco APs that we installed at work back in 2012, but they are extremely well priced for what you get. Placement was easy, each one came with a PoE injector, and they can be controlled by the UDM very easily.
The functionality I loved from the UDM/Controller (really the controller; you don’t need a UDM to get the controller software, which is free and can be installed on any Windows device) is that you can upload a drawing of your floor plan, add walls of differing types (brick, drywall, glass, etc.), and then place your APs on the map to get a rudimentary site-survey-style heatmap.
The UDM does come with “AI” to control the access points so that you get optimal coverage. I haven’t really experimented with that yet, so we’ll see what they truly mean by the word “AI.” A lot of vendors are using that term now just because it is the latest buzzword.
I will hopefully update you down the road on how well the UniFi network equipment works in a home environment.