New Member
Posts: 25
Registered: ‎04-05-2018

Router upgrade USG or USG-Pro-4 & CK-Gen2

Thanks to some awesome support from here we moved from an EnGenius Wifi Blaster to 9 APs, 1 outdoor POE, 4 8-port POE switches, 3 nanobeams & litebeam. We run holiday cottages on site and the guests are loving the fact that Wifi is now rock solid across the site. And not 1 reboot required in 6-months.

We run 4 VLANs (Management, Guest, Private, IoT Stuff), and have up to 80 WiFi devices and 80 hardwired devices (really techy house).

 

But our internet still sucks: 5MB on Openreach network and 15MB from WISP, currently load balanced by a Draytek 2860. But we are about to fix this with FTTPoD. All duct work installed, currently Openreach doing first pull on fibre, so could be weeks away from 330/50. Which leaves the Draytek looking a bit slow. It can handle 300Mbps but 150 each way, so would be wasting bandwidth.

 

From what I can determine I need the USG-Pro-4 not the USG as will need some of the firewall rules and protections meaning the USG will be a little underpowered. I take it I will get no further benefit from going for the terrifying USG-XG (price and spec both terrifying but the FTTPoD cost us £12.5k so don't want to undercook the hardware).

 

Is there a benefit speedwise with the new CloudKey Gen2?

Draytek, Cloudkey, 1-UniFi switch, one 24-port netgear switch (I will swap it out), patch panel, CCTV, NAS, & UPS all currently rackmounted in office with top mounted fans.

 

FTTPoD through Cerberus but as soon as it's completed we might get a second FTTP line in at 80/20. Sky and TalkTalk both are LLU enabled at exchange, and Sky would be cheap as already have Sky package. Alternatively if Cerberus release 500 or 1gbs packages and cost isn't outrageous then would upgrade.

 

So given the above is the USG-Pro-4 the right choice? Will I get the full 330/50 (minus overheads) and is there room for growth?

 

Cheers

Dave

Established Member
Posts: 1,339
Registered: ‎01-29-2014
Kudos: 395
Solutions: 73

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2


Do yourself a favour and look into pfSense boxes for a gateway.

 

The USG3 is ancient and horribly underpowered; the USG4 is mediocre and massively overpriced. Neither have a fraction of the features pfSense does (in fact your Draytek router is probably superior feature-set wise) and "development" on both staggers along from one unstable release to another. To be fair to the devs, the hardware they're having to develop for is sub-par but ultimately that's UBNT's fault.

 

Do not under ANY circumstances choose a USG if IPv6 is in any way important to you as UBNT seem incapable of developing a stable compliant stack.

 

tl;dr don't buy these ancient, underpowered, overpriced units - they have zero future.

 

Edit - and you'll have to resort to CLI to even login to Sky as MER (DHCP Option 61) is an unknown thing to UBNT. Ditto the IPv6 assignment. Just say no to USGs is my advice.

 

Edit - Main UK distie has knocked 15% off USG3s, probably worried about getting rid of the hundreds nobody wants to buy before they're EoL.

Established Member
Posts: 927
Registered: ‎02-18-2017
Kudos: 305
Solutions: 28

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2

I agree with @Vestas.

 

Bodyswerve the USG lineup and look at either a Netgate SG-3100 or better yet, the XG-7100. These run pfSense by default and the XG-7100 makes the USG-XG-8 look about 10x overpriced. 

 

It’s high quality hardware and it will easily handle 330/50Mbps with all the security features turned on. 

 

The USG line is very much the runt of the Unifi lineup. Old hardware and shockingly poor firmware. Just don’t do it. 

Established Member
Posts: 1,339
Registered: ‎01-29-2014
Kudos: 395
Solutions: 73

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2


Another (somewhat expensive) option is a fully-loaded Firebrick (firebrick.co.uk) - you'll have far less problems in terms of auth/vpn/ipv6/everything than Unifi "routers" which in terms of feature set are in the 00s.

 

Oh & when/if you have problems they will get fixed - unlike UBNT.

 

Just say no to USGs.

 

Edit - I'm a huge fan of UBNT radios but everything else is at best described as meh, with a few "avoid like the plague" bits of kit (PoE switches & Cloudkeys).

 

Edit2 - actually the Firebrick is probably your best futureproof (don't want to think much about it) option. BT use GPON so you're not going to be seeing gigabit speeds down that fibre in the next 10 years (IMHO) and it works with all UK ISPs (even Zen with their /64 and /56 IPv6 provisioning). Failover to pretty much all options, VoIP stuff etc.

New Member
Posts: 40
Registered: ‎04-21-2017
Kudos: 16
Solutions: 4

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2

If you still want to continue to use 2 WANs, I'd steer clear of the USG as it's never worked correctly with dual WAN in failover mode and load balancing only sort of works and that depends on which version controller and firmware you're using. I'd agree with the other responders and try pfSense, or my favourite OPNsense.

New Member
Posts: 25
Registered: ‎04-05-2018

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2

:-( because the thought of the nice single interface to the network was appealing! One place to look to see if all is running nicely would be great (because we run holiday cottages not networks & I have a day job).

 

pfSense XG-7100 1U    £765.00

pfSense SG-5100          £614.00

USG-PRO-4                  £205.41

 

Is quite a leap up in cost, although the leap from the 5100 to the 7100 is easily done as it is proper rackmount. Will read up on pfSense but looks complicated. Have used Draytek for 5-years and now know roughly how to configure it. The learning curve I am sure will be shorter next time round.

 

Established Member
Posts: 1,339
Registered: ‎01-29-2014
Kudos: 395
Solutions: 73

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2


The really annoying thing about this is that the VDSL service in the UK (80/20Mbps) is ideally suited to the USG3. You can choose between IPS/IDS or smartqueues for "protection" or latency.

 

Unfortunately it doesn't support the major ISPs' "features*" without CLI/json/general bodging so there goes a big market.

 

That's never going to happen now & I think we're probably all waiting for the EoL notice on the USG3/4 as neither is really worth buying unless you like CLI....

 

*basic stuff like proper IPv6, support for things like IPTV etc etc.

Established Member
Posts: 1,339
Registered: ‎01-29-2014
Kudos: 395
Solutions: 73

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2


You can run pfSense on your own hardware if you have that although bear in mind power costs - which are only going to get worse in the UK.

 

Oh and I appreciate the Unifi "pane of glass" is nice, I have it at home but the USG is crap, as is the UC-CK. It's fine for a Sky 80/20 VDSL circuit but you're always wondering when either the UC-CK or USG is going to restart/go AWOL when the latest "stable" firmware is pushed.

New Member
Posts: 25
Registered: ‎04-05-2018

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2

Nope - no spare hardware. Ideally I want a box I can buy and configure easily and not mess up. Apart from Draytek's insistence on shipping them with firewall off it has been a relatively painless experience. But I know I have to change although £700 on a router seems steep, then a learning curve! Any PFSense gurus want a free winter holiday in North Yorkshire?

 

Established Member
Posts: 927
Registered: ‎02-18-2017
Kudos: 305
Solutions: 28

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2

The SG-3100 is the competitor to the USG-4P and it’s £265+VAT

 

https://shop.amicatech.co.uk/hardware/pfsense/sg-3100-pfsenser-security-gateway-appliance.html

 

 

Emerging Member
Posts: 90
Registered: ‎01-02-2018
Kudos: 2
Solutions: 1

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2

Interesting discussion I must say. Having USG3 on shelf and the new USG Pro whining away with its annoying fans (I almost wish now I didn't order the quieter fans for it as it will be just money thrown away if I follow advice on this thread).

 

A long time in the past, I used to run an alternative to PF Sense firewall gateway router (run on my own hardware). At the time it was called Pointclark but was renamed to ClearOS, they are based in Toronto, Canada. I wonder if you guys have heard of them. They offer several tiers of hardware boxes (but you can still run their 'Community' version for free on your own hardware). I didn't research it right now but I believe they also offer subscription plans where they 'keep an eye on your router' for you.

 

https://www.clearos.com/products/hardware/clearbox-overview

January 2018 USG-3P - (Defunct after ~6mo, PCs lose internet access, reset, can't adopt, shelved), 1xUS-8 PoE 150W, US-8, UCK, 4xUAP-HD, 4xUAP-IW-Pro

Fall 2018 added USG 4P, UCK-G2, US-24P, US-24P 250W, 2x UAP-AC-HD, 6x UAP-IW-HD
New Member
Posts: 25
Registered: ‎04-05-2018

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2


@Vestas wrote:

You can run pfSense on your own hardware if you have that although bear in mind power costs - which are only going to get worse in the UK.

 

Oh and I appreciate the Unifi "pane of glass" is nice, I have it at home but the USG is crap, as is the UC-CK. It's fine for a Sky 80/20 VDSL circuit but you're always wondering when either the UC-CK or USG is going to restart/go AWOL when the latest "stable" firmware is pushed.


So what should I be running instead of the UC-CK? Is it better to run it on a hosted web server? Or better local hardware?

I was advised to keep it local due to low bandwidth. Clearly that situation is changing. 

New Member
Posts: 25
Registered: ‎04-05-2018

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2


@wja96 wrote:

The SG-3100 is the competitor to the USG-4P and it’s £265+VAT

 

https://shop.amicatech.co.uk/hardware/pfsense/sg-3100-pfsenser-security-gateway-appliance.html

 

 


That certainly would be acceptable (apart from not a straight rack mount). Is it up to the job described above? Would it be OK with 80 wired and 80 wireless connections, and up to a 1G or dual WAN connection to give me some future proofing?

Is there an emulator/demo for PF Sense so I can have a play and look at the config?

 

Stuff I currently use:

All the wired stuff have DHCP reserved IPs. It helps Sonos run a lot smoother plus I know where to find things.

VPN (1-remote access when I'm not here)

Load limiting for some clients (currently 2MB but likely a max of 20MB for customers in the future)

Priority for some clients (my laptop)

Timed Access restrictions for some clients (my kids)

A basic content filter to block the worst stuff (currently used on kids but thinking of 2 guest networks safe/unsafe in the future)

 

A look under the hood would help.

Member
Posts: 242
Registered: ‎06-16-2017
Kudos: 113
Solutions: 5

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2

I couldn't agree more with what was said here about the USGs! I own 5 of them on 5 different sites and although you can get the job done with them do not expect to reach high speeds nor to use features like multi WAN. And yes, the USG3 is very weak and the USG-PRO-4 super expensive for the piece of outdated hardware it is.

 

I haven't used one myself but I thought maybe the EdgeRouter ER-4 could do the job for you. It is quite powerful, probably enough for what you need.

 

The CloudKey gen1 I have and it is pure garbage. Will crash every ~10 days. I now know how to recover it from the crash and it takes me some 3 minutes to do so, but that is really awful.

 

The CloudKey Gen2 is supposed to fix the hardware limitations that make the gen1 crash (it is 64 bits and removes the limitation for the maximum size of the CK's mongo database), however, I doubt if the crash is really due to the 2GB limit. Anyhow, that is an option and the plus version comes with an NVR.

 

 

 

New Member
Posts: 25
Registered: ‎04-05-2018

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2

Only ever had a crash when doing an update on my CK. Are others hosting on an online server or using other hardware for the controller?
Regular Member
Posts: 715
Registered: ‎12-05-2016
Kudos: 218
Solutions: 76

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2

@F00tS0re Cloud controller here. I even manage some for others, so that's, in my general opinion, the best choice for businesses. As to your original question, the USG-Pro is the way to go based on your bandwidth mentioned in your OP. That said, the USG is limited and you may not be able to check all the boxes you have mentioned exactly, but that doesn't mean it won't work for you. I personally only deploy USGs and work with clients to configure it to their need within the limits of what the USG can do. Everyone has been happy with the end result, and I am happy I have a single pane of glass to monitor all my supported gear from anywhere.

Established Member
Posts: 927
Registered: ‎02-18-2017
Kudos: 305
Solutions: 28

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2

The issue with the USG isn’t just the lack of features, it’s the achingly slow progress towards anything better. 

 

I’m as big a Unifi fanboy as you’ll find but UBNT just don’t seem to be able to get to grips with what the USG ought to be. They hired on one of the people behind pfSense to lead the USG development team and I have to hope that there is something really amazing going on in the background because I’m not seeing anything special coming through that development channel at the moment. 

 

I’m a firm believer in the market and as long as people buy USGs, UBNT have little incentive to improve them. So I don’t buy USGs and I wouldn’t suggest anyone else does either. The hardware is only half the problem though. The USG aspects of the controller aren’t up to snuff and the USG-XG-8 is/was a powerhouse hobbled by bad firmware and poor implementation of features in the controller.

 

If the OP already has a Cloud Key, for the size of deployment mentioned, I wouldn’t go any bigger because it’s simply not necessary. The single pane of glass still applies for the Access Points and any switches the OP deploys. 

 

If the OP buys a pfSense box now they’ll be able to sell it when the new USG eventually surfaces and recover some of the investment. If they buy a USG, good luck shifting that when a new USG gets released. 

New Member
Posts: 25
Registered: ‎04-05-2018

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2


@cainmp wrote:

@F00tS0re Cloud controller here. I even manage some for others, so that's, in my general opinion, the best choice for businesses. As to your original question, the USG-Pro is the way to go based on your bandwidth mentioned in your OP. That said, the USG is limited and you may not be able to check all the boxes you have mentioned exactly, but that doesn't mean it won't work for you. I personally only deploy USGs and work with clients to configure it to their need within the limits of what the USG can do. Everyone has been happy with the end result, and I am happy I have a single pane of glass to monitor all my supported gear from anywhere.


I am glad someone is happy with the USG-Pro. The cost of the Pro is somewhat close to throw away territory so not that worried if I can't resell it. The PFSense at £700 aren't throw away. The PFSense at similar to the USG-Pro may be better, and may be the technical best choice - more bang for buck but steeper learning curve. Having a single pane of glass view has a high value for me.

 

It may be that I try the USG-Pro, as it seemingly can handle the initial 330MB/50MB and other requirements. If they were that bad ebay would be littered with them but isn't. If I need to upgrade later, or if a better version comes out then £200 isn't a killer given I have spent £15k+ getting here.

 

The advice is appreciated, and I have read a fair chunk of the PFSense manual, and it seems like a fair bit of configuration is down to me.

 

 

Established Member
Posts: 927
Registered: ‎02-18-2017
Kudos: 305
Solutions: 28

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2

 

 

@F00tS0re - I’m not sure why you think any more configuration is required with pfSense than with the USG-4P.

 

ALL the configuration of the access points and switches will still be done via the Unifi controller. 

 

That just leaves anything with a fixed IP address to be allocated. 

 

With the USG, the only “security” feature you get is IPS/IDS which is the same implementation of Suricata you find on pfSense. The main difference being that the Netgate pfSense hardware has the horsepower to easily run Suricata at full line speed whereas the USG-4P will be right at the limits of its capability with IPS/IDS turned on.

 

With pfSense you get multiple incoming WAN IP addresses, failover, load balancing, proper control of NAT, SNORT, properly implemented VPN control, significantly better Dynamic DNS implementation and a host of other features that UBNT might get round to implementing once they’ve made DHCP work properly. All of these things are configurable from within the pfSense GUI whereas to get the USG to do anything like these features you have to edit the JSON file. Proper low-level command-line programming. 

 

You don’t need a Netgate XG-7100 unless you want a 10GbE connection to the switches. The SG-3100 is the same hardware and throughput you get with the XG-7100 for half the money. OK, it’s not a rack mount device, but you may as well buy a plain USG with The Broadband Buyer rackmount kit if you just want the Single Pane Of Glass interface.

 

No-one in this thread is posting anything other than their honest opinions. Pretty much everyone posting here is a long-time user of USGs and pfSense. If you want to buy a USG-4P, no-one can stop you. It’s just not a very good router in comparison to the alternatives. Yes, you’ll have to do a bit of learning, but you’ll need to do a lot of learning with the USG-4P too. 

New Member
Posts: 25
Registered: ‎04-05-2018

Re: Router upgrade USG or USG-Pro-4 & CK-Gen2

The documentation for PFSense just seems a lot of work to sort out. I am already familiar with the USG set-up through the controller.

 

multiple incoming WAN IP addresses - I get one, I have no idea what to do with more.

failover - with 330/50 I am not sure if/when I will get a second line, but if cheap enough I might do.

load balancing - unless pricing of 500 or 1Gig is predatory then load balancing unlikely, I'd just up the main pipe. If I had one for failover I suppose I'd direct IoT stuff down it as background noise.

proper control of NAT - no idea

SNORT - no idea

properly implemented VPN control - I have a VPN, I turn it on for family holiday, rest of the time either the wife or I are here so no need so I leave it turned off.

significantly better Dynamic DNS implementation - no idea what this is. I just use 8.8.8.8/8.8.4.4 if that is the thing

 

 

It is just down to learning a second GUI, and a preference for single pane of glass view on network availability.

 

I currently use DHCP Reservations, occasional VPN, and VLANs (5),

and a couple of schedules for kids wifi but would be willing to forgo that (they are getting bigger/responsible for own actions), plus now have phones so can always use data to avoid wifi anyway. We don't do loads with the network. 

 

The DHCP reservations are basically to help Sonos run smoothly and allow me to find switches, printers, NAS drive easily. Then the rest of the stuff has reservations to allow me to do load balancing which once I move from 4Mb and 15Mb to a single 330Mb connection I can ignore.

 

 
