New Unifi single site basic Wireless network - opnsense overkill?

Hi everyone, new to UniFi, OPNsense and this forum - from Brisbane.

I’m putting together a network for a friend and seeking some feedback. I will install a 6RU wall mounted cabinet housing a Ubiquiti Wifi system patched into structured cabling consisting of about 4-6 Cat6A outlets and 2-3 Unifi Wifi APs within a two story house which is connecting to 1000/50 Mbit/sec FTTP internet.

The house internal walls are primarily wooden, so I figured that one Unifi U6+ AP downstairs will likely be enough to support a couple of rooms with no more than 10 phones and laptops used by four people, and maybe two U6+ APs upstairs supporting no more than 2-3 wireless phone and tablet clients.

The 4-6 Cat6A outlets will support a couple of laptops and printers, and an ATA VOIP phone, with some spare outlet ports.

This infrastructure is for wired and wireless network only. No cameras or physical access control now or in the foreseeable future.

I will work with an electrician to put this infrastructure cabling together.

Initially I considered purchasing just a Ubiquiti UDM SE and de-activating the PROTECT and ACCESS applications. However, this friend is moving to Proton Ultimate which will cover email, vpn, cloud storage, and password management and I was wondering if I should consider installing a pfsense/opnsense hardware device to manage all routing and firewall services and downgrade the UDM SE to a basic Unifi switch (USW-16-POE) to manage the Wifi infrastructure.

If an opnsense hardware device can be used to run a virtual instance (a container instance, if BSD supports something like LXC containerisation) or an installed instance of pihole running alongside pfsense/opnsense, then it might make sense to consider this alternative mixed-vendor solution. The friend will only be connecting to services on the internet and won’t need any sophisticated VPN server setup.

The Ubiquiti switch I was thinking of to manage the Wifi infrastructure is the USW-16-POE. The only downside is that the USW-16-POE switch only has 1Gb/sec switchports. However, if we were to install a NAS I would connect it directly to the pfsense/opnsense 10G switchport.

At some point I will not be available to support this infrastructure, so my consideration is usability and ease of documentation. In this way the UDM SE route without anything else is the clear choice. However, if there are some compelling privacy and network security arguments, I will happily reconfigure to accommodate pfsense/opnsense into the solution.

Thanks all - regards, Nick

If the needs are basic and you will not be there to run the updates, I would just go with the UniFi Dream Machine and make sure it’s set to auto update.


I’d suggest running two lines to each room instead of a single. Much less hassle to do it now rather than in the future, with only a marginal cost. The user probably won’t have any idea what a LAGG is but if they ever do they will appreciate the second line.

You seem to always suggest LAGG, but I fail to see a practical reason, especially in a use case like this.

There is an English expression, “measure twice cut once”.

It’s more to do with running cable in the home, which is usually a lot of hassle. It costs nothing to run two when doing it the first time, and then it can be used in a LAGG between switches if it’s not used for anything else.

In my opinion, worth having, like two engines on a plane!

Thanks guys, I’ll get the UDM SE and two U6 Pro APs. And will run more cat6 into a 1RU patch panel than we have switchports — to cater for additional locations and the possible addition of a 16 port switch utilising the 10G interconnect on the UDM SE.

One of the requests by my friend has been the ability to schedule the AP radios to turn off at night. Is this possible or will I have to buy smart plugs and use PoE injectors (or smart injectors)?

I’ll keep open the possibility of adding a pfsense/opnsense device at some point in the future, as my friend is keen on being able to access, from her phone, a unique collection of iTunes music on a small NAS attached to the UDM SE or “*sense” firewall, which would be done via VPN.

It would be good to see more SFP+ and RJ45 10G switchports for switch, router and NAS interconnects. 10G is coming up on fifteen years and is mature and inexpensive. Even 100G fibre solutions have been around for over five years and are no longer an expensive proposition for local interconnections, having been superseded by 400G recently.

Curious where Ubiquiti goes with this. So much opportunity to capitalise on their UI and UX integrative design advantage. Cheers.

I’ve continued to review the design of this infrastructure and am now looking at finding a way to supplement the Ubiquiti UDM SE firewall capabilities with more feature-rich solutions, without introducing overlap that will cause network traffic issues.

Ideally it would be good to have a layer-2-only Ubiquiti infrastructure (switch and wifi using the Network controller software) and a third-party routing firewall that is controlling all layer-3 and above traffic.

The Firewalla feature set looks great, but the commentary is that there is too little configurability, although it isn’t easy to ascertain what the reality is.