Unifi Dream Machine Pro
One of my long-term plans is to consolidate my home networking onto a single manufacturer. After months of deliberation, I decided to bite the bullet and just move to Ubiquiti Unifi.
Why? Really because I am getting sick of the missing components in the Unifi dashboard.
With the new router in place I can finally fill in the first two spots in the chain - Internet Capacity and Router Utilisation.
Yes these two may well be unnecessary, and yes Ubiquiti should have support for third party routers like Untangle and pfSense. But all said and done, I hope to have a final single pane of view for my network.
What Is the Unifi Dream Machine Pro?
Put simply the Unifi Dream Machine Pro (UDM-Pro) is a gateway/router that connects your home network to the greater Internet.
UDM-Pro comes in a 1RU form factor case so it can be rack mounted. This device is a router and more. It is indeed a feature rich dream machine.
Security Gateway
The purpose of the gateway is to route traffic across different networks. In other words, the gateway is responsible for handling communications between devices inside your home (Local Area Network, or LAN) and the greater internet (Wide Area Network, or WAN).
The Internet is the wild west and is full of threats (viruses, trojans, and so on), dangerous agents that will try their best to get inside your LAN. This is where the security part comes in. A security gateway will scan the network traffic for malicious activity and either alert you (Intrusion Detection System, or IDS), or block it (Intrusion Prevention System, or IPS). IDS/IPS is handled by software called Suricata. This is the same security engine used in pfSense and Untangle.
Other security features include a VPN client/server (this allows you to create a private network between your LAN and a different LAN across the Internet - say your friend's home network, or even your work network). You can also use this VPN to connect back to your LAN from the Internet.
The final feature of a security gateway is called Deep Packet Inspection (DPI). The security gateway peeks into all the traffic that passes through it, and can decide what to do with it. DPI is a useful tool for application-level filtering. For example you can block access to sites like PornHub or even YouTube.
You can also block traffic by countries. This is called Geo-blocking. For example you can set a rule that blocks all Internet traffic to and from China. Alternatively you can set it such that a server in a hostile country can communicate with your LAN devices, if and only if your local LAN device initiates contact first.
All this security processing requires a fair amount of CPU. The UDM-Pro has a 10Gbps WAN connection, and apparently with every security feature turned on it can still forward traffic at a blistering 3.5 Gbps. Now that is impressive indeed! Alas this is not something I can verify with my fraudband FTTN connection.
Network Switch
The UDM-Pro comes with 8 LAN Gigabit Ethernet ports, 1 SFP+ LAN port, 1 WAN Gigabit Ethernet port and 1 SFP+ WAN port. This gives you a lot of options in terms of connectivity.
For example on the gateway side you can set up two WAN connections: a wired connection on WAN1, and 5G wireless on WAN2. This is all nice in theory, but the controller software severely limits the things you can do (more on this later).
The 8 LAN ports are a nice touch, and this gives me 3 additional ports compared to my old DIY Untangle/pfSense router. Note the picture above saying this is a Layer 2 (L2) switch. Meaning if you set up a different subnet on these ports, traffic between subnets has to go through the gateway first (so the maximum 3.5 Gbps throughput will apply). Consider this bottleneck when you are connecting the SFP+ LAN port and want to route traffic between that and these 8 ports.
[Update 08 July 2020] Data transfer between the 8 wired ports is capped at 1 Gbps! See the conclusion for more information.
Unifi Protect
Unifi Protect apparently is new software for their security camera products. I do not have any Unifi cameras yet to test this feature, so stay tuned for a future article on this.
Redundancy
Two power rails are important in the enterprise market. Unifi is offering a somewhat out-of-the-box solution here. You can buy an additional power unit to provide redundant power. I'm not sure I like this solution to be honest. I prefer the standard solution of a choice between 1 or 2 hot-plug PSUs.
Refer to the UI product page for the UDM-Pro for more details on this product (including hardware specifications).
Why I Chose The UDM-Pro
I started with pfSense when my house was first connected to FTTN. Around September 2019 I switched to Untangle. That was replaced by the UDM-Pro in late June 2020. Of the three, my favourite is Untangle. Untangle ticks everything I want in a security gateway.
So why the switch (pardon the pun!) to UDM-Pro? There's really only one reason - single pane of glass.
This is a concept where I can look at everything from a single screen (or a single app). Before, I needed to go to both the Untangle and Unifi GUIs when I needed to configure the network (Untangle for security configuration and Unifi for network configuration). Analytics were split between the two user interfaces as well. This really is not an absolute deal breaker; put simply, it's just a pet peeve of mine.
Going with the UDM-Pro as my security gateway means I only have to deal with a single user interface for all my networking needs. This single pane of glass is the only go to place for network configuration, analytics and troubleshooting.
To be honest, the reporting provided by Untangle is a lot better than Unifi's, but SINGLE PANE OF GLASS!
Beware of Unifi Marketing
I am pretty sure Unifi ships out a lot of their products to online influencers. This tends to generate very favourable reviews. The Unifi gear in review here is funded with my own money. So my opinions will be more objective, and perhaps more on the negative side.
At the end of the day, Unifi products are cheap. The hardware is excellent, but the software is really really bad. Unifi does one thing exceptionally well - wireless access points (WAP). These WAPs are so good everything else really pales in comparison.
Unfortunately Ubiquiti's business model appears to be selling as much new hardware as possible, while their software development simply fails to keep pace. This is the reason why it took me so long to fully commit.
I am taking a gamble here, but with the UDM-Pro priced at a somewhat reasonable AUD$800, admittedly it is not a very big one.
Unifi vs Cisco Meraki
The product that matches closest to the Unifi line would be Cisco Meraki. Both product lines attempt to simplify networking, the MacOS of the networking world. To cut the comparison short, functionality wise Meraki just beats Unifi hands down. This is no competition at all.
The software (and firmware) of Cisco Meraki is far more stable than what Unifi can offer currently. And here are the biggest advantages of Meraki:
- Meraki offers true Layer 3 networking switches. Unifi has been promising Layer 3 support in their switches for years, they have never delivered (and likely never will).
- Meraki allows you to stack your switch. This high speed backplane is missing in
- Meraki offers true redundant power supplies, allowing you the option of using 1 or 2 PSU to power their hardware. This is far better than Unifi's solution (which is more cost effective, but cannot guarantee the same up time Meraki provides)
- The user interface on Meraki's dashboard is a lot better than Unifi. Organisation and layout on the Meraki dashboard is very good. You can go to a single page to view everything you need to know about a switch. You can look at the virtual stack and configure all the ports at once.
Unifi's portal is just not as organised. Information is split across a lot of sections, meaning it does take some time to find the information you need. The Unifi dark and light themes are also not done well.
- Meraki has the ability to do packet captures directly from the portal. This is one of the best features of the Cisco ecosystem, and something I do not think Unifi can ever replicate.
So why Unifi then? Price! You need to pay for a subscription to use Meraki. As good as Meraki is, it's more suitable for a small business or a bigger enterprise. Unifi, on the other hand, is priced more reasonably for home use.
Unboxing pictures coming right up!
Unboxing: Part 1
Delivery was exceptionally quick. Ordered on a Friday and delivered the very next Monday. Minor punctures here and there, but otherwise no big damage or dents on the shipping box.
My heart raced when I first looked at the shipping box - there are two MAC addresses! Did the vendor send me two UDM-Pros by mistake?
Of course they didn't. There's only 1 unit in the shipping box. First of many disappointments to come.
The box is unsealed. What is going on?
Unboxing: Part 2
The seller should have sealed the box properly. Not sure why they did not re-seal this. If the shipping box is opened during transport, there's always a possibility things can fall out from this unsealed inside box.
Here's a side view of the inside box. Showing the outline of the UDM-Pro.
Here's the back of the box, there's a lot of text in here.
Nothing special on the side, a hologram sticker and some other scannable information.
Now let's take a peek inside.
Unboxing: Part 3
First thing I see is the accessories box. Now this is the very thing that could drop out during shipping if the shipping box is compromised.
The UDM-Pro unit itself is well protected by foam packaging.
The padding looks so pretty. There's a nice symmetry to this design.
Unboxing: Part 4
The UDM-Pro looks untouched. So the item I ordered is indeed BNIB. I suspect the seller opened the box to replace the power cable with an Australian one. If true, does this imply I purchased an import model?
This is the fancy new OLED screen on the new Pro series. Here it is in close up, still with the protective label attached!
An assortment of ports here for expansion. Featuring an 8 port switch, two SFP+ ports (WAN and LAN), and a gigabit port for WAN. Sadly I will be using this gigabit WAN port as I am on FTTN.
You can see ventilation slots at the top front. I do not know if these are intake or exhaust, but I suspect it will be the former.
Unboxing: Part 5
This is the HDD caddy meant for Unifi Protect. As far as I can tell this is only used for Protect; in other words, additional logs cannot be placed on this drive.
This is a really well designed tray. It is tool-less if you want to use a 3.5" HDD. Insert the HDD on to the tray and it will just snap lock into position. You have the option to secure it with a screw on the bottom but that's entirely unnecessary as far as I can tell. To remove the HDD simply open the latch on the side.
Here is a close up of the IKEA-like instructions on how to fit a 3.5" HDD as well as the smaller 2.5" HDD/SSD.
There is no locking mechanism. Looking at this I just have a feeling it will break over time (plastic is a degrading material after all). Hopefully Ubiquiti will offer spare parts for this.
Here's the bay for the tray. Be careful when inserting the HDD as there are no guide rails. Do not push in too hard as you might risk breaking something.
Unboxing: Part 6
Nothing much to see on the sides. These are holes for mounting the rack ears.
This is a power connector for your secondary power supply. Secondary power is provided by the USP-RPS 1U module, priced at around AUD$700 at time of writing. Total output of 950W and capable of powering 6 Unifi devices. As far as I can tell this is not a UPS. This solution would make more sense to me if it were a UPS.
Some Cisco networking gear offers RPS via a similar 24-pin ATX-like input. I wonder if the two are interchangeable. This is beyond the scope of the review.
Close up of the 2 SFP+ ports and Gigabit WAN. WAN ports are clearly marked with the blue Internet logo (Ports 9 and 10).
Unboxing: Part 7
This is the primary power inlet for the security gateway. It does not have an external fuse, and is not a high temperature inlet (incidentally, Meraki uses high temperature sockets). Here you can also see ventilation holes at the back of the unit (probably exhaust?).
This is the accessory box. The IEC power cable looks out of place here, this is the reason I suspect the seller replaced the original (probably US cable) with an Australian compliant power cable.
Underneath the white box are the 2 rack ears. The little white box opens up like a match box and inside are all the fixings you need for the UDM-Pro.
They are of reasonable quality but honestly I prefer black rack fixings. Segue: I will be putting all my networking and Snakeoil development gear on an open frame rack in the future, so look out for that in a blog soon.
Yes, I definitely prefer black rack fixings!
This is the quick start guide, which will forever remain in mint sealed condition.
That's it for the unboxing. Now let's talk about the software.
What is Software Defined Networking (SDN)?
Unifi (and Meraki) are SDN products.
With typical managed switches (e.g. HP Websmart switches), you need to go to the IP of each switch and configure each one individually. There may be software that can manage all these switches at once, but this is an additional layer and not part of the switch design. The configuration software is hosted directly on each switch. With this design, common configurations like VLANs and user accounts need to be mirrored across the switches. If you change the password on one switch, you need to do so on every other switch. A mis-configuration of a switch can potentially bring down parts of, or the entire, network.
SDN works differently. Configuration is done on a portal or a dashboard on a web browser. Configuration is made on the portal, and the settings are then pushed down to the networking equipment.
With Unifi, although you still need to configure the port settings on each switch individually, other aspects like VLAN definitions, network security, user management etc. are global and applied to everything in your network.
While the Unifi controller is not as mature as Meraki, it can still stand on its own.
Meraki's network management tool is a cloud only solution. With Unifi you have the option of hosting the Unifi controller software either in your local network, or on the Internet.
Locally you can host the software inside a virtual machine (recommended if you have a lot of users). You also have the option to purchase Unifi products like a Unifi Cloud Key, or the Cloud Key Gen 2. The downside of the latter options is that they take up an Ethernet port in your LAN. And now there's a third product, the UDM-Pro. The upside of this is it does not take up a port like the previous solutions. The controller software is now built into the router as an application. The application is now part of their new ecosystem - DreamOS.
DreamOS
OS is short for Operating System. The idea of an OS is that it allows you to run multiple applications. Right now, at the time of writing, there are 4 applications in DreamOS - Network (Unifi Controller rebranded), Protect (Video Surveillance), Access and Talk (VoIP).
I believe Unifi Access is about physical locks and alarm system. I do not have the details of this as I'm not part of the early access program. This is a nice idea, and is expanding (perhaps redefining) what SDN can be.
The only aspect I can comment on at this point in time is the Network application.
UDM-Pro Registration
Registration of this device to the Unifi portal is straightforward. Connect the WAN cable, power on the device, and my Android Unifi app detected and registered the device straight away. The process was so quick I did not even remember to take snapshots of it. You can refer to the various influencer videos on YouTube to look at this process.
Once you have finished the initial setup of the device, start your web browser, go to https://unifi.ui.com, login with your credentials and you will see your UDM-Pro showing up in a list.
Click on this, and applications you have installed will be shown. The Network application is the only app I have installed at the moment. Click on that to start the new version of Unifi controller.
Unifi Network Problems
The critical element in an SDN setup is the software, and this is Unifi's Achilles heel. The software has flaws, lots of them, and some of these are critical. Ubiquiti has gained a reputation for shipping gear with incomplete or outright broken software. One can imagine the sales department is not really in sync with the software development team. Here are some of them, listed in order of severity.
Jumbo frames not working
We talked about Jumbo Frames previously in this blog. In Meraki, this is a global option, you enable Jumbo Frames and this setting will be applied to all the switches for the organisation. This is logical and intuitive as Jumbo Frames needs to be enabled throughout the network.
With Unifi Network (same as unifi-controller), you have to go into each switch and enable the Jumbo Frames setting individually.
This is not how SDN is supposed to work. This should just be a global setting, unless of course there's a use case where some switches need to have Jumbo Frames enabled while others do not. But even in that case it should still be a global setting, while allowing me to override it at the switch level.
This UI annoyance aside, the setting does not work on the UDM-Pro. I repeat, this is broken in the UDM-Pro. You can turn this option on, and the security gateway will not forward any jumbo packets. You can SSH into the UDM-Pro and look at the interfaces; each and every one of them still has an MTU of 1500. As a matter of fact, you cannot forward a 1472 byte message at all (the largest allowed ICMP payload for an MTU of 1500).
As a router this is a complete fail!
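To check for yourself whether jumbo frames are actually in effect, here is an added shell example (not from the original post): it parses `ip -o link show` output of the kind you would capture over SSH and flags every interface whose MTU is below the jumbo size, and it probes the largest Don't-Fragment ping that gets through from a client. The interface names, MAC addresses and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify jumbo-frame status on a gateway from the outside.
# Two independent checks; the sample `ip -o link` text below is constructed.

# Largest ICMP echo payload that fits an IPv4 MTU: MTU - 20 (IP) - 8 (ICMP).
# For the standard 1500-byte MTU this is the 1472 mentioned in the post.
mtu_payload() {
    echo $(( $1 - 28 ))
}

# Read `ip -o link show` text on stdin; print "name mtu" for every non-loopback
# interface whose MTU is below the expected value. Exit status 1 if any is.
interfaces_below_mtu() {
    awk -v want="$1" '
        {
            name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
            mtu = ""
            for (i = 3; i <= NF; i++) if ($i == "mtu") mtu = $(i + 1)
            if (mtu == "" || name == "lo") next
            if (mtu + 0 < want + 0) { print name, mtu; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: a router with the jumbo setting "on" in the UI but every
# real interface still at 1500 (only the loopback carries a large MTU).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:56 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# Live check from a client: binary-search the largest ICMP payload that reaches
# $1 with the Don't-Fragment bit set, between the 1500 and 9000 MTU sizes.
# Requires Linux ping (-M do). Prints the payload size; add 28 to get the MTU.
probe_mtu_payload() {
    host="$1"; lo=$(mtu_payload 1500); hi=$(mtu_payload 9000); best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping -c 1 -W 1 -M do -s "$mid" "$host" >/dev/null 2>&1; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Offline demonstration against the constructed sample; run
# `probe_mtu_payload <gateway-ip>` from a LAN host for the live check.
printf '%s\n' "$SAMPLE_IP_LINK" | interfaces_below_mtu 9000 \
    && echo "all interfaces at jumbo MTU" \
    || echo "jumbo frames NOT in effect on the interfaces above"
```

If the probe returns 1472 while the UI says jumbo frames are on, the gateway is still dropping anything larger than a standard frame, which is exactly the symptom described above.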
Fixed To One Single WAN IP Address
If you are on FTTN and need to have a VDSL modem in front of the router acting in bridge mode, the ability to assign a second IP address is a godsend as it allows you to connect straight to the modem from your LAN. A commercial Internet connection often allocates a small subnet (say 8 IPv4 addresses).
All is moot as you are stuck with a single IPv4 and IPv6 address on the UDM-Pro. The Pro series is meant to target small businesses and maybe even the enterprise space. But they are not suitable to be used in these environments because you can't assign multiple WAN addresses.
Lockup on boot if there's a HDD
UDM-Pro will refuse to boot up if I have a HDD in the caddy. This makes no sense at all and I cannot work out the reason why it is doing this. This is not something I can troubleshoot in detail as I have no Unifi video cameras right now.
Again, it's disappointing that a firmware deemed stable has a bug like this.
SFP+ Lockup
This is potentially a deal breaker for folks who want to use the SFP+ LAN or WAN port. If you use these ports, there's a chance the UDM-Pro will lock up over time. If this happens, all switching and routing will fail. You need to reboot the device to regain network connectivity. Others have reported much slower throughput with SFP+ after a few days, with speeds that are slower than wired Gigabit.
This is not an issue for me because I'm not using the SFP+ port yet (I intend to use the LAN side in a future upgrade). A fix is in place but not included in the latest stable release.
Threat Management Bugs
Unifi Network is a strange beast. The software is run locally (what we call on premise). But if you access Unifi Network from a local IP, some things like the Threat Map will not work. The workaround is to go to the cloud (https://unifi.ui.com) and access your gateway from there (So it's a strange cloud/on-prem connection).
Now that you get the threat map to load properly in the browser, you'll realise it's useless. The ability to geo-block by country is not working in Firefox and Chrome. The only way to do this is to go to the classic settings (the old Unifi Controller settings) and configure geo-blocking there.
White-listing (probably not the best word to use in today's world) is also not working all the time. I have white listed an IP but traffic is still being blocked occasionally.
Cannot aggregate port (inconsistent UI between App and PC)
The best feature of pfSense is the ability for me to bunch up multiple network interfaces and treat them as one. This is termed a LAGG interface, or LACP (IEEE 802.3ad). Having multiple links instantly widens any bandwidth bottleneck (allowing more devices to inter-communicate at any one time). The biggest advantage of all is you can just connect the cables to the aggregated ports in any order, as long as they are set up as such.
It's not known whether UDM-Pro supports port aggregation or not. You cannot configure this from the web portal, but you can do so from the Android app. Unfortunately the setting does not appear to work when I set this up in Android.
Update: 08 July 2020. I just did a speed test (iperf) on the 8 port switch on the UDM-Pro. The backplane appears to be 1 Gigabit. This means data switching between the 8 ports is limited to 1 gigabit in total (one way). In other words, if you have two ports transferring data at full speed, each will only get a throughput of around 530 Mbit/s. With a typical 8 port switch, you would assume the backplane to be able to forward at least 16 Gbit/s of traffic.
Wait, There's More.
Go here for a list of bugs compiled by UDM-Pro users.
Conclusion
Relatively good hardware, but crippled by bad software. This statement basically sums up the woes of Ubiquiti Unifi. At the end of the day, no product is perfect. pfSense works well, but there's no central integration. For example if you want network analytics you have to run a separate program called ntopng. Untangle works even better, but it does not support LACP or DHCPv6-PD at the time of writing.
You are really out of your depth anyway with pfSense and Untangle if you are not familiar with computers and networking. These two products are highly specialised and you certainly need a higher level of IT competence in order to use them well.
The Unifi UDM-Pro is certainly better suited for the novice and general public. But when things are not working as intended, a novice certainly will not understand why things are broken.
For most people, especially audiophiles, a general all-in-one modem/router/WAP is still the better trouble free solution.
Despite this, I am still going all in with Ubiquiti. This includes security cameras. I still like the switching and wireless gear of Unifi. Over time I will also outline some of the tweaks you can do with home automation and music playback. So stay tuned.
Pros
- Quality hardware. The pro series is a good step up from the previous lines
- Very cheap
Cons
- Software is a huge letdown. A critical flaw because it's SDN. Some of the bugs should have been caught internally and never be seen/reported by the public.
- Both the Dark and Light theme don't work well. And there are inconsistencies (some pages are light, despite the setting to dark)
- The 8 gigabit port switch is useless. If you are on a gigabit network, using the UDM-Pro to route internal VLANs is a very poor choice. You can technically use the SFP+ port to get better bandwidth, but then again there is the SFP+ lockup bug.
As good as the Unifi line of hardware is, I honestly cannot recommend the UDM-Pro to anybody at this time. There is no point waiting/hoping the software will improve. Ubiquiti over the years has not demonstrated they can achieve this. As the old adage goes - you get what you pay for.
I am scoring the UDM-Pro 3 out of 10.
Comments
This video sums up the flaws of UDM-Pro. It’s really only good for very small businesses, or the home.