I have some devices that basically move a lot of intranet traffic, like NVR, UVCs, etc., and it's useless to have this traffic counted by the DPI counters. My request is for a way to disable (exclude) these devices from the DPI counters.
This has already been suggested for the EdgeMAX series in,
but it is just as important for the UniFi series of products. The Linux 3.10 kernel reached end of support in November 2017 and will not receive security fixes from upstream. Especially with network equipment, security is vital, hence UniFi products must be upgraded to use a supported kernel.
So, I know it has been mentioned in other places (Specifically I have included a link to the forum topic) but I would like to create a new idea request specifically for realtime bandwidth activity.
I have run into several occasions where clients are limited in bandwidth and will call about slow speeds. I would like to be able to see at a glance what the current usage is and, if possible, who is using it. Right now I would settle for just a graph showing the last ~15min - 1hr.
As it stands now, I am going to have to figure out some option of monitoring this. Sadly, in my own home, I am going to be replacing the USG with a pfSense box. It was either this or put in an EdgeRouter X as a transparent monitor, and I would rather keep the device chain smaller. The USG will sit on the shelf as I wait, hoping this will be implemented. :-)
I hope the images below will spell out better what I and others like me would like to see. Ubiquiti makes wonderful products and I hope you all will see the potential in this suggestion and implement it.
Looking at the controller, I believe these stats are already gathered, so I would hope it wouldn't be too difficult to create a graph on the dashboard showing these stats.
This is ultimately what I would love to see. I am able to see at a glance what the traffic is and who my "top talkers" are.
I would even be OK with just simply something that keeps a live update.
I also have included a link to a couple forum topics discussing this further. Hopefully they might provide more insight as well.
Thank you for your consideration.
It would be great in the USG to have (like EdgeRouter) time-based firewall rules.
That way I can block my kids at certain times of the day/night when they are supposed to sleep.
I switched from EdgeRouter to USG because of integration but am only missing the time-based rules.
I'm fully aware that IPv6 can be configured from the CLI now, but UniFi is an SDN product, which means that all if not most features should be able to be configured from the controller, not from the CLI.
I'm suggesting that UBNT include the IPv6 Settings under WAN settings for USG like as shown below. (Sorry, my drawing isn't very good)
In the IPv6 Connection Type, the following should be included:
1. Native IPv6
2. Tunnel 6to4
3. Tunnel 6in4
4. Tunnel 6rd
5. Static IPv6
Other than that, the following options in the picture should also be included:
I don't know how Asus did it, but their routers are smart enough to get the right prefix without my intervention, I wish USG will have this feature too.
I wish UBNT will include full IPv6 support into the controller ASAP that is easy to setup without much technical knowledge.
When I'm comparing between Meraki Security Devices and USG, I realised a very important feature which USG lacks, which is the support for USB Cellular Stick.
I believe that the support for USB Sticks is crucial for:
1. Deployments that relied on cellular data as their primary connection.
2. Mission critical deployments which use cellular data as their failover.
Other than that, I don't see the reason for UBNT to not support USB Cellular Stick because even a cheap $40 mini router from TP-Link supports this function.
Suggestions on how to deploy support for USB Cellular Stick.
I would suggest UBNT add another option called "USB Cellular Stick" under the USG > WAN > Connection Type.
In the "USB Cellular Stick" Option, I would suggest putting "Country" and "Carrier" with preset settings like the ones shown below:
When we select the preset settings, please show the username and password of the preset settings in a blurred out column below so that we know which APN is used with the preset settings (Some Carriers have multiple APNs).
Other than that, please add a "Custom" settings option under the Username and Password for the APN settings so that we can use custom APNs when the situation requires it.
Personally, I don't think that the Connection Mode and Authentication Type have to be included.
Supported USB Cellular Sticks.
I would suggest UBNT to support only the mainstream USB Sticks since the USG isn't meant to be a cellular modem/router. I'll leave the supported USB Stick list from Meraki and other vendors below for reference:
Lastly, I would suggest UBNT to include a USB port for USB Cellular Stick on the next revised version of USG-3P so that the USG-3P can be deployed as a teleworker gateway.
I run a lot of UniFi gear now, and something that has bugged me a little, but not so much a deal breaker, is the port LEDs across the range.
It seems no matter how much traffic is thrown at a port on the USG or USWs, the activity LED is more a casual blink rather than a crazy flashing like I'm used to on other vendor devices.
I'm used to other vendors whereby if you are driving a lot of traffic down a port, that port LED is flashing very rapidly to show that.
Kind of handy when you are near a device and locating a port being hammered.
Right now there are two amazing EdgeRouters launched, the EdgeRouter 4 and EdgeRouter 6. Both perform great for an affordable price in a compact and energy efficient form-factor. It would be very nice if we could have those routers with UniFi software, using them as USGs.
The routing performance is impressive:
|1518 bytes throughput||3 Gbps||4 Gbps||4 Gbps||6 Gbps|
|1518 bytes pps||240,000||320,000||320,000||490,000|
|64 bytes throughput||512 Mbps||1.2 Gbps||1.8 Gbps||1.8 Gbps|
|64 bytes pps||1,000,000||2,400,000||3,400,000||3,400,000|
If you compare the features you see that the ER-4 and ER-6 would be great additions.
|CPU||Dual-core 500Mhz||Dual-core 1GHz||Quad-core 1GHz||Quad-core 1GHz|
The ER-6P's five gigabit RJ45 ports can deliver 24 and 48 volt PoE, with 60 watt max. That's perfect to power up to 5 access points (AC Pro / AC IW Pro / AC Mesh Pro). It would be the perfect set-up for a small UniFi installation: Just the USG-6P and 5 access points, plus the SFP for uplink.
I think a USG-4 and USG-6P would be amazing additions to the current USG line-up. If priced the same as the EdgeRouter versions they would be killer routers.
|CPU||Quad-core 1GHz||Quad-core 1GHz|
It could be a great addition if it was possible to enable colors of the connections in the Topology map, based on their utilization percentage.
This would be an easy way of visualizing bottlenecks in the infrastructure.
When running a dual WAN configuration with dynamically allocated IP addresses, we should be allowed to have two DynDNS settings. Currently, if you try to configure DynDNS for WAN2 when one is configured for WAN1 you get the following error: "There was an error saving the Dynamic DNS changes. Dynamic DNS service "dyndns" already exists."
Zone firewalls were implemented in the EdgeRouters recently, and it always made WAY more sense to me than ACL based firewall rules. I realize we just got ACL based firewall rules in the UniFi GUI - hopefully while that's still fresh it would be fairly simple to reuse a lot of that work to enable the zone firewall as well.
This thread in particular was a good discussion about this: https://community.ubnt.com/t5/UniFi-Routing-Switching/Prevent-controller-from-pushing-down-firewall-settings-to-USG/m-p/1899307#M42575
@iu4s9akkddja posted an excellent link on zone routers, and in particular I liked the person's summary of zone firewalls vs. ACL firewalls:
While an ACL firewall can be easier to set up for simple networks such as the one in this example, a zone-based firewall is conceptually simpler (in my opinion at least) and less susceptible to the sorts of mistakes that can open up your network to the outside.
In most cases, the default spanning tree configuration using only MAC addresses results in poor implementation of spanning tree. The switch closest to the router should have a priority of 4096, and each succeeding switch another 4096 more.
Since the controller and switches all know their uplinks and downlinks, it should be pretty simple for UniFi to quickly configure the spanning tree priority of all the UniFi switches on a network.
UniFi is being set up by a lot of folks that aren't that familiar with spanning tree or how to set it up.
I just spent the afternoon dealing with a 30 device UniFi install with 7 switches that had Sonos and huge loops and disconnected UniFi switches going on. The installer had no clue about spanning tree and the previous implementation using NetGear switches had worked great.
After carefully setting all the spanning tree priorities, everything started working again. Had UniFi helped and done this simple assignment of priority based on topology, I wouldn't have needed to go over there to figure things out.
The rule should be if a UniFi switch has a default priority, then UniFi should configure it, or adjust it if new switches are added in between. There should be an option on the Site to disable this, but it should be enabled by default on new sites.
I don't see an official post in the feature requests area so I'll start it.
If there is one, please let me know and I'll add my 2 cents there.
We seriously need a UniFi version of the Amplifi Teleport!!!!
A few desires for this:
1. Support multiple Teleports to a single USG (limited only by CPU)
2. Single Teleport => Multiple USGs (as a form of fallback, load balancing, failover, etc)
3. Dual WiFi / Dual Ethernet models (all four permutations - 1 WiFi + 1 Ethernet, 1 WiFi + 2 Ethernet, etc).
This would be ideal for cases where you have to connect a wired device over a wired connection or a wireless device over a wireless connection.
4. VPN protocol in use is one of the ones out there designed to look as much like HTTPS as possible.
5. Allow users to handle captive portals before connecting somehow.
6. Key management process should be invisible (once you adopt it to a controller, that should be all you need to do until a firmware update comes out - keys and certificates will be seamlessly rotated)
7. Controller would have to be updated to include some sort of special path to quickly lock out Teleport units if something bad happens (but maybe unlock them if they're recovered, etc).
As for the people who'll say "just use a regular VPN to the USG", sometimes you can't (e.g. device doesn't support VPNs at all, doesn't support your choice of VPN protocol, user can handle plugging in an ethernet cable but not dealing with VPN software, etc).
Having a device that captures traffic and sends it across to a remote network without the local clients knowing would fill a connectivity void that UBNT obviously thinks is worth filling to at least some extent (hence why Amplifi Teleport showed up).
It's definitely a good security measure to decrease the risk of inadvertent information leakage. The NSA recommends a physical device dedicated to VPN tunneling too - see https://github.com/iadgov/goSecure - however, that's a Raspberry Pi (which can be sloooow).
Noob home user here. I just bought the ER-X and 2 AC Lites. Would love to have one economical UniFi product with:
-1 WAN input
-4 POE outputs
This would work great for home users wanting to step up from all-in-one commercial router/wifi/mesh systems.... without having to buy so many separate products. The USG price isn't too bad, but personally don't need console (leave it for your pro line), don't need VOIP. I would love to have more POE outputs to reduce the mess of POE injectors. 4 POE outputs would allow for direct AP connections and then unmanaged cheaper switches for everything else. I think this would probably work great for those of you supporting family/friends/small business.... maybe throw CK/controller in this thing too.
"photoshop" mockup attached :-)
We use Fios on WAN1 and Comcast on WAN2 (failover only). Our Fios is a bit temperamental and craps out several times a week. The USG does its job and switches over to Comcast within a minute or two.
Now, to get back to Fios once it's up again, I need to restart the USG via the UI. This sucks, as it takes quite a bit of time, and obviously I'm completely down now even tho I have TWO working Internet connections.
I'm asking for a feature to easily manually be able to switch between WAN1 and WAN2 in the UI, with the least amount of possible downtime. Also, it would be good to see, separately, if WAN1 and WAN2 are working and have an Internet connection. There's no way to see this right now (e.g. on the Dashboard).
The whole point of this setup is to have redundancy and it's super clunky and only half-works.