Infrastructure Change Advice

Currently I run a complete Unifi setup. All hardware from the UDM-Pro to the APs and switches. I have a need to use a couple of static IPs in the network and need to make a change. I am very familiar with the Unifi controller and what it can do but I know it has its limitations…

My question is pretty simple but it has variables that I’m not sure how to address…

I’m looking at a pfSense appliance as the new firewall to replace the UDM-Pro and adding a Cloud Key for the network controller.

I run a few VLANs that need inter-VLAN routing ACLs in place (isolation, limitations, etc.) which are currently handled by the UDM-Pro. I can easily recreate these VLANs as ‘Switch Networks’ and move the virtual IPs of the VLANs from the UDM-Pro down to the USW-Pro-48, which will start to handle the VLAN routing, but I’ve heard that the VLANs then become open to each other and will not follow the routing rules.

I could create the VLANs on the pfSense and let it handle all the routing, but this seems silly as the USW-Pro-48 should do all that work. That’s what it’s made for.

Also… I have a 10G uplink from the USW-Pro-48 to the UDM-Pro. I would lose that moving to a pfSense.

So my question is…

  1. Is replacing the UDM-Pro with a Cloud Key & pfSense the way to go?
  2. Is forwarding all traffic to the firewall for inter-VLAN routing ideal? It seems inefficient to me.


I prefer pfSense due to it being more flexible. As for the inter-VLAN routing, I am not a fan of the way it works in UniFi and I am not clear on how fast their system can handle the traffic. If you have things that need to route faster they generally should be on the same VLAN (such as storage). I do have a video where I cover the basics of how UniFi does Layer three routing.

Thanks Tom…

So you’d recommend replacing the UDM-Pro with a pfSense (I’m leaning that way as well) and keeping the VLAN routing at the firewall? Is that the default concept during most network installs?


Yes, most of the inter-VLAN routing is handled by the firewall for smaller networks.

Regarding the 10G connection - just get a big enough pfSense. The XG-7100 has 10G interfaces, but can’t firewall at wire speed. For wire speed you would want something like the XG-1537.
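To make the "keep the inter-VLAN ACLs at the firewall" approach from the replies above concrete, here is an added example that is not part of this thread and not pfSense's GUI-generated configuration: a hand-written ruleset for pf, the packet filter pfSense runs on, with a default deny between VLANs and a few explicit exceptions. The interface names (igb0, igb1.10 and so on), VLAN IDs and subnets are assumptions for illustration.

```pf
# Assumed interface names and subnets; adjust to your own hardware.
ext_if  = "igb0"        # WAN
vl_mgmt = "igb1.10"     # VLAN 10: management
vl_user = "igb1.20"     # VLAN 20: user devices
vl_iot  = "igb1.30"     # VLAN 30: IoT
vl_stor = "igb1.40"     # VLAN 40: storage
table <rfc1918> { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }

set skip on lo0
set state-policy floating   # state created on ingress also matches egress on another VLAN
scrub in all

# Outbound NAT for all internal VLANs.
nat on $ext_if inet from <rfc1918> to any -> ($ext_if)

# Default deny, logged: nothing crosses a VLAN boundary unless a rule below allows it.
block log all

# Every VLAN may reach the firewall itself for DNS and DHCP.
pass in quick on { $vl_mgmt $vl_user $vl_iot $vl_stor } proto { tcp udp } \
    from any to self port { 53 67 } keep state

# User and IoT VLANs may reach the Internet, but nothing internal.
pass in quick on { $vl_user $vl_iot } from any to ! <rfc1918> keep state
pass out on $ext_if from any to any keep state

# Management VLAN may reach everything internal.
pass in quick on $vl_mgmt from $vl_mgmt:network to <rfc1918> keep state

# User VLAN may reach storage on SMB only; everything else falls through to the block.
pass in quick on $vl_user proto tcp from $vl_user:network to $vl_stor:network port 445 keep state
```

If the VLAN gateways were moved down to the switch instead, none of these rules would see the traffic, which is the "VLANs become open to each other" effect described in the question; the logged block rule is also what lets you watch for unexpected cross-VLAN attempts in pflog.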