The latest generation of WiFi Access Points here in Q4 of 2017 from your competitors seems to be leaning towards 2.5GbE and 5GbE PoE+ for better bandwidth, fewer cable runs being necessary, and a reason for them to market their 2.5GbE PoE+ capable switches. When will we see UniFi switches that have this capability?
Along with the ability to make direct host entries into DNS managed by Unifi, there really needs to be a way to also enter domain overrides as well. The biggest use case for me is for sites with Active Directory. With pfSense I can enter the forward and reverse zones and I get all my clients identified in stats and reporting - it's very nice! Unifi desperately needs this as well!
Zone firewalls were implemented in the EdgeRouters recently, and it always made WAY more sense to me than ACL based firewall rules. I realize we just got ACL based firewall rules in the Unifi GUI - hopefully while that's still fresh it would be fairly simple to reuse a lot of that work to enable the zone firewall as well.
This thread in particular was a good discussion about this: https://community.ubnt.com/t5/UniFi-Routing-Switching/Prevent-controller-from-pushing-down-firewall-settings-to-USG/m-p/1899307#M42575
@iu4s9akkddja posted an excellent link on zone routers and in particular I liked the person's summary of zone firewalls vs. ACL firewalls:
While an ACL firewall can be easier to set up for simple networks such as the one in this example, a zone-based firewall is conceptually simpler (in my opinion at least) and less susceptible to the sorts of mistakes that can open up your network to the outside.
I'm very often facing the situation where I need to install an 8 Port Switch (150W POE) in a 19" Rack. This is only possible with the help of a shelf, which usually costs me 1 unit of space. Using a 16 Port Switch is simply too expensive. As well, sometimes we need to mount the switch in a wall mount (hanging) cabinet...
So could you please think about manufacturing larger brackets for the 8-Port Switches?
I'm fully aware that IPv6 can be configured from the CLI now, but UniFi is an SDN product, which means that all, if not most, features should be able to be configured from the controller, not from the CLI.
I'm suggesting that UBNT include the IPv6 Settings under WAN settings for USG as shown below. (Sorry, my drawing isn't very good)
In the IPv6 Connection Type, the following should be included:
1. Native IPv6
2. Tunnel 6to4
3. Tunnel 6in4
4. Tunnel 6rd
5. Static IPv6
Other than that, the following options in the picture should also be included:
I don't know how Asus did it, but their routers are smart enough to get the right prefix without my intervention, I wish USG will have this feature too.
I wish UBNT will include full IPv6 support into the controller ASAP that is easy to setup without much technical knowledge.
When I'm comparing between Meraki Security Devices and USG, I realised a very important feature which USG lacks, which is the support for USB Cellular Stick.
I believe that the support for USB Sticks is crucial for:
1. Deployments that rely on cellular data as their primary connection.
2. Mission critical deployments which use cellular data as their failover.
Other than that, I don't see the reason for UBNT to not support USB Cellular Stick because even a cheap $40 mini router from TP-Link supports this function.
Suggestions on how to deploy support for USB Cellular Stick.
I would suggest UBNT add another option called "USB Cellular Stick" under the USG > WAN > Connection Type.
In the "USB Cellular Stick" Option, I would suggest putting "Country" and "Carrier" with preset settings like the ones shown below:
When we select the preset settings, please show the username and password of the preset settings in a blurred out column below so that we know which APN is used with the preset settings (Some Carriers have multiple APNs).
Other than that, please add a "Custom" settings option under the Username and Password for the APN settings so that we can use custom APNs when the situation requires it.
Personally, I don't think that the Connection Mode and Authentication Type have to be included.
Supported USB Cellular Sticks.
I would suggest UBNT to support only the mainstream USB Sticks since the USG isn't meant to be a cellular modem/router. I'll leave the supported USB Stick list from Meraki and other vendors below for reference:
Lastly, I would suggest UBNT to include a USB port for USB Cellular Stick on the next revised version of USG-3P so that the USG-3P can be deployed as a teleworker gateway.
I've seen some topics around this, but not the exact one as far as I could find.
I would really suggest having SSL VPN for remote users on the USG.
Now, we are forced into using L2TP or PPTP. The issue with this is that most secure networks don't allow these types of connections, and they are blocked.
Using SSL VPN, which uses port 443, is automatically allowed.
I've asked if it's possible to set the L2TP or PPTP to a different port, but this was not possible.
So; feature request: SSL VPN for remote users on the USG!
Sometimes it could be useful to use these kinds of protocols as a site-to-site VPN in interface mode instead of a simple tunnel.
For example, Mikrotik can use that as an interface, and runs dynamic routing protocols such as OSPF over a PPTP or L2TP interface binding.
To compete with some of the other SOHO firewall appliances out there, it would be great if the USG could perform packet/data filtering based on signatures. The intent would be to use the USG as an appliance to filter out malware based on signature. A similar-priced product that has this feature is the Sonicwall TZ series.
It could be a great addition if it was possible to enable colors of the connections in the Topology map, based on their utilization percentage.
This would be an easy way of visualizing bottlenecks in the infrastructure.
I am using a UniFi USG Pro. In my case I am using both WAN ports; WAN 1 is primary with higher bandwidth from ISP 1 and WAN 2 is secondary with low bandwidth from ISP 2. WAN 2 is configured for load balance and carries only 10% of actual. The first thing is that on the controller dashboard not a single option shows us that both ports are active, like the number of active APs, and the second thing is that when WAN 1 goes down not a single alert or event occurred in the log.
Kindly provide the option for this, so it is very easy to understand which WAN link is down.
I'd like to be able to setup a IP address group from an external source(spamhaus or a standard text file for instance) and keep it updated without having to manage it by manual intervention. That way I could set up a deny/block IP rule to drop traffic from unreliable/unsafe hosts.
I'd like to be able to quickly block an entire country worth of IP addresses. This is trivial for a small country, say Cambodia, but with China having over 7000 assigned IP blocks this gets to be a really big headache. Ideally, I'd like a drop-down list of countries to block, and have the IP blocks for those countries pulled dynamically from somewhere like IPDeny.
Double bonus points if I can tell it "only allow from USA, drop everything else."
As an interim measure, can you at least let me copy and paste a huge list of IP blocks?
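The two requests above (an address group fed from an external list such as Spamhaus or an IPDeny zone file, and a country allow/deny rule) come down to the same processing step: parse the list, tolerate bad lines, collapse thousands of adjacent blocks into fewer rules, and evaluate a source address against the result. This is an added Python example, not controller or EdgeOS code; the zone-file content below is constructed from documentation ranges, and the group name and `decision` helper are assumptions about how such a group might be consumed.

```python
import ipaddress

# Constructed sample in IPDeny zone-file style (one CIDR per line, '#' comments).
# These are documentation ranges (RFC 5737), not a real country allocation; one
# line is deliberately malformed and one is a duplicate to exercise the parser.
SAMPLE_ZONE = """\
# constructed sample zone file
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
not-an-address
203.0.113.0/24
203.0.113.0/24
"""


def parse_zone(text):
    """Parse a CIDR-per-line list, skipping comments, blanks and malformed lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # A bad line must neither break the whole group nor widen it.
            continue
    return nets


def aggregate(nets):
    """Merge adjacent/overlapping blocks (per address family) so a 7000-entry
    country list becomes as few firewall rules as possible."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def build_group(name, nets):
    """Render the aggregated blocks as an address-group record (assumed shape)."""
    return {"name": name, "members": [str(n) for n in nets]}


def matches(addr, nets):
    """True if addr falls inside any block of the group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def decision(src, allow_nets, default="drop"):
    """Allow-list policy: 'only allow from <country>, drop everything else'."""
    return "accept" if matches(src, allow_nets) else default
```

Re-running `parse_zone` and `aggregate` on a freshly downloaded list is the "keep it updated" step; the group members change, the rule referencing the group does not.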
The current US 8-150W is certainly a good product but is missing out on some new developments.
In environments where noise is of the essence and a cabinet is not available the fanless design and rather small build factor is great, however there are three areas the device could be extended and also close a gap in the portfolio - it could be a US 12-225W for example.
1. Up to 12 Ports - not necessarily all of them POE+ powered.
2. Upgrade the SFP ports to SFP+ ports, allowing the device to be connected to e.g. a core switch US-16 XG without creating a bottleneck compared to the 8-150W.
3. Adding two 10 Gig/Multi Gig Copper Ports (e.g. Local connection to NAS, AP etc. - potentially powered)
This would be really something unique in the Market, addressing small enterprises and SOHO as well.
Currently there is only one product available close to that, which I unfortunately need to use in the meantime - the upcoming Netgear GS110EMX.
I know there is a wonderful guide here which details how to enable dead peer detection on a USG - But.
Is there a reason why this is not a simple option in the IPsec VPN setup?
As I have multiple VPN profiles, any small network change causes the vti rules to become out-of-sync (these are not in the "vpn" section) and I have to re-do the whole config.gateway.json file in order to get these back into site alignment.
It is also unhappy with the L2TP vpn, which was working prior to enabling the dead peer detection. I suspect this is down to the config.gateway.json file.
Really, I'd like a GUI option to enable dead-peer-detection on an IPSec site-to-site VPN, even if it's just a tickbox at first with the suggested defaults.
An OpenVPN client for the USG with GUI support. Routes ALL WAN traffic through the tunnel without additional configuration when the client is connected. Should by default accept DNS settings sent from the VPN server etc. You get the idea, limit what ISPs can do to collect, profile, and sell personally identifiable data.
Here are the corrective items:
1) Add the USG internal network(s) to "Network Protection" -> "Firewall" as the source for all outgoing rules
2) Add the USG internal network(s) to the "Network Protection" -> "NAT" masquerading sources
3) My major fault: make sure the USG internal networks are NOT assigned to the UTM already: "Interfaces & Routing" -> "Interfaces" -> "Additional Addresses"
Then it works.
I have a couple of networks where I will never replace the router (for one I can't - it's provided as part of the environment) but I would still like to have stats in the controller.
I would like to see a pass through mode for the USG where it passes traffic with no NAT, no firewall rules, no DHCP, etc. Just analyzes traffic.
Even better - a monitor mode where I could feed a USG a mirror of the port that goes to my existing router so I don't have to have the latency of the USG in the packet path. Use it as a sensor, basically.
I think you guys would sell a boatload of USGs if you supported this!
EDIT: It appears to be on the roadmap: https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-Feature-Roadmap-January-2017-update/m-p/1792230#M31948
In Progress / Near Future
- DPI support in passthrough mode or on monitor interface