New Member
Posts: 4
Registered: 03-16-2017

Hub/Spoke Site to Site VPN - 15+ Sites - Possible with USG Pro/USG's

We are primarily a Sonicwall shop, but recently saw a little demo of the new Unifi controller and heard some raving reviews from a company that manages several properties about how easy it all was to configure.

This got me thinking, as we have a non-profit client that currently operates 17 locations in a hub-spoke configuration. They are currently utilizing an MPLS connection through a local provider, but the provider has basically informed them this product is going away.

They will be moving to independent broadband cable connections at their offices, which will now require the use of site-to-site VPNs to provide that same connectivity.

We had already spec'ed the required Sonicwall devices, but after my demo I wanted to investigate the possibility of them saving quite a bit of money by using the USG and USG Pro.

Most locations have 3-8 people in them, which I thought was perfect for the USG. We then have 2-3 locations (one being the primary hub where all servers reside) that have 15-40 people, depending.

I am wondering if a single USG Pro can be configured to have 15+ site-to-site VPNs pointing back to it? All networks are already configured with their own private subnets, 10.1.x.1-254/24.

Bandwidth at the locations will be 10x1 or 15x2 type connections, except the main location, which would have a 10x10 or 20x20 fiber connection (currently being negotiated).

My big concern is whether the USG Pro can really handle 15+ site-to-site VPNs.

The last question I had was whether Internet-routed traffic can go directly out of the site lines, or if all traffic would be routed back to the main location (including general Internet)?

Thanks so much!

Tom

New Member
Posts: 11
Registered: 03-03-2017
Kudos: 2
Solutions: 1

Re: Hub/Spoke Site to Site VPN - 15+ Sites - Possible with USG Pro/USG's

I'm interested in knowing how many sites a USG or USG Pro can handle too. The question has been raised in another thread, but there's no clue in there either...

https://community.ubnt.com/t5/UniFi-Routing-Switching/USG-Site-to-Site-VPN-limit/td-p/1455733

Regular Member
Posts: 752
Registered: 12-05-2016
Kudos: 241
Solutions: 77

Re: Hub/Spoke Site to Site VPN - 15+ Sites - Possible with USG Pro/USG's

I don't know that it's possible to give a specific answer on max numbers, as there are likely other variables involved. Things like: how much data will be carried over each tunnel at the same time? Will they all be "active" at the same time? Not to mention other things the USG does, like DPI, QoS, etc., which will all have an effect on the CPU, and therefore performance. IMO the USG Pro should be able to do this as long as you don't expect it to QoS traffic as well. It would certainly be a good use case to have a network monitor running full time to grab CPU/memory stats and see how hard the VPNs hit the hardware.

Not really an answer, I realize, but something to think about nonetheless.

As for hardware that I know can handle that many tunnels, I have used a clustered pair of Cisco 5540 ASAs handling 30+ site-to-site VPNs and anywhere from 10-50 SSL VPNs at the same time with 0 issues. Certainly not the current-generation firewall from Cisco, but a functioning (and expensive) setup nonetheless.

Cain Tech Solutions | Hosted UniFi/UNMS | Other Services | Service Eastern NC and more!

New Member
Posts: 4
Registered: 03-16-2017

Re: Hub/Spoke Site to Site VPN - 15+ Sites - Possible with USG Pro/USG's

Thanks for the information...
The site-to-site VPNs would always be active.
The hub would contain the primary file server, so a fair amount of traffic would pass.
No QoS and DPI across the site-to-site, but DPI enabled on the Internet traffic from each site is desired.
Each site would have 5-15 users (depending) at it.

I think with the lack of response from Ubiquiti (I sent them an e-mail directly as well) and with no one having real specifics, we will just stick with our Sonicwall plan. It's too bad though; the interface looks pretty cool and the cost is compelling, but the lack of support and, seemingly, of maturity on the UniFi side is a deal breaker.

Established Member
Posts: 1,586
Registered: 04-08-2014
Kudos: 497
Solutions: 79

Re: Hub/Spoke Site to Site VPN - 15+ Sites - Possible with USG Pro/USG's

I don't know of a limitation, but I would imagine 15 is fine. If every small site has a USG as well and they are managed by the same controller, then the VPN configuration is something like 3 clicks.

I think the thing to consider is how much data/throughput can the USG Pro handle (instead of the number of VPN sites).

You have the flexibility to route the traffic whichever way you want. By default, non-VPN traffic will go out to the Internet locally.

Controller: 5.9.26 | Sites: 12 | Devices: 55 | Clients: ~250
USGs (4.4.28): XG8 (x1) | Pro4 (x4) | USG3 (x4)
UAPs (3.9.50): AC-Pro (x17) | AC-LR (x3) | Mesh-Pro (x2) | Mesh (x1) | Outdoor+ (x2)
USWs (3.9.50): US-16XG (x2) | US-40-500w (x3) | US-24-250w (x2) | US-8-150w (x3) | US-8-60w (x3) | US-8 (x2)

New Member
Posts: 4
Registered: 03-16-2017

Re: Hub/Spoke Site to Site VPN - 15+ Sites - Possible with USG Pro/USG's

That is exactly how traffic would be handled, but the tunneling of 15 sites would certainly take a toll on the CPU and memory, I would think. The hub would be a Pro, no question, and the remote sites would be the smaller unit. I would consider putting a Pro at the larger sites also. The overall bandwidth at these locations, though, is 12x1 to 15x2 Mbps connections at the remote sites, and the hub would be a 20x20 Mbps fiber connection.

At this point there are no failover needs.
When I typically look at Sonicwall, Fortinet, Cisco, etc., the spec sheets really provide quite a bit more information regarding throughput under various conditions than Ubiquiti's do. That is my major hesitation. I am sure someone out there is doing what I want to do, but it all seems like a try-and-pray situation here.

How would people rate the Ubiquiti support in general? I love me a good user forum, which there seems to be, but without top-notch backend support this is Tier II or III hardware. It could do everything I ever wanted, but when I hit a rock there needs to be support behind it.

Established Member
Posts: 1,586
Registered: 04-08-2014
Kudos: 497
Solutions: 79

Re: Hub/Spoke Site to Site VPN - 15+ Sites - Possible with USG Pro/USG's

The Pro can handle 20 Mbps VPN, so that should be an issue.

If support (tech and HW) is important, look into their Unifi Elite offering. It's an annual service for devices which provides tech support and HW maintenance.