pfSense and UniFi questions

I’m in the process of upgrading my home network. I want to somewhat “future-proof” it. My current setup consists of a custom pfSense build as my router, a D-Link unmanaged switch, an Asus GT-AX11000 as an access point for my basement and an Asus GT-AC5300 as another access point for my upstairs. My ISP is Shaw (I’m in Canada) and I’m running 1.5 Gig fiber with the XB7 modem (not able to use a third-party modem; they don’t let us do that in Canada).

I’ve got a ton of IoT devices, game systems, multiple computers, phones, etc., so I want the best performance possible.

I’d like to keep it all one brand, so I’m leaning towards changing everything to UniFi. I really like the whole ecosystem deal it provides. I wanted to get the Dream Machine Pro until I found out it’s also a router, and from what I’ve read it’s a pain in the ass and/or takes away from the point of the device to use a pfSense router and have the Dream Machine do everything else. My pfSense is pretty overkill, which is what I like about it, so I’d like a little more insight and opinions from what seems like the biggest user group of the two brands that I’ve come across.

Would my pfSense router, Dream Machine Pro, UniFi PoE switch and 1-2 UniFi U6-LR access points be a good setup?

My end goal is to have everything 10 Gig capable.

One thing I don’t know is, with the SFP ports, can I use an SFP+ to RJ45 adapter to take advantage of the full 1.5 Gig I have available? I’m building a PC with a Gigabyte Z590 Master motherboard that has an onboard 10 Gig NIC.

Will this setup work? Or should I just stick with the pfSense router and go a different route?

Don’t get the Dream Machine, go with pfSense as it has WAY more features. As for the SFP+ NIC cards, most will not support plugging in an RJ45 to SFP+ adapter. You will need a NIC card that supports the speeds of the ISP modem to get the most speed. The UniFi switches and access points are great, it’s just their routing equipment that is not great.

Kind of how I felt on the routing side as well.

In short, would daisy-chaining them be a viable option for the time being?
pfSense doing the routing, Dream Machine doing the security and network controller/monitoring, then eventually add a 10 Gig switch when the price comes down?

I will have the 10 Gig NICs on my new PC build, that’s why I’m asking if the SFP+ to RJ45 adapters would work for the time being. Everything else I have hardwired (Xboxes and an older PC) only has 1 Gig NICs, so I could use the eight 1 Gig ports for those devices. Since the U6-LR access points don’t run off 10 Gig, they could also run off the 1 Gig ports with PoE injectors.

Everything is going to be rack mounted. My new PC build is going in a rack shelf, I will be taking my pfSense out of its current tower and adding that to a rack shelf, so I’d like to add the Dream Machine to the rack as well.

The price of a switch vs. the price of a Dream Machine isn’t very far off, so I just want to make the most of my money and get maximum performance/security and the added ease of the UniFi ecosystem to control everything.

If you’re looking to use the UDM for “security,” you’ll be daisy-chaining another router into the equation and effectively be double-NATing your network. At that point, the pfSense wouldn’t be doing a lot of routing, just passing through traffic based on its ruleset. Any port forwarding you do would have to be done twice, and your VLANs and firewall rules would still be done on the UDM.

If anything, I’d recommend just getting a CloudKey Gen2 Plus to use for your controller. You’ll still get some network insights based on logging from your switches/APs to the controller. The IPS in the UDM Pro is actually just a customized Suricata backend, so if you still wanted that security you could just install the Suricata package in pfSense. However, it’s really only recommended for experienced users, as you have to constantly monitor and tune it for it to be effective and not counter-productive. That being said, you would want at least an SG-5100 for that, and I would not enable the automatic blocking until you are confident Suricata is only blocking actual threats. All that said, Suricata isn’t necessary unless you are hosting something on your network that is port forwarded out to the world (not including an OpenVPN server, which is reasonably secure on its own without active protection).
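The "monitor and tune it" part of the reply above is the work people underestimate. As an added example (not from this thread, and not the pfSense package's own code), here is a small triage script for Suricata's EVE JSON alert log: it counts alerts per signature and source host, and drafts suppress entries in the `threshold.config` syntax Suricata documents (the same `suppress gen_id ..., sig_id ..., track by_src, ip ...` form) only for signatures that keep firing from a local address, while everything from outside is left for a human to review. The LAN prefix in `LOCAL_NETS`, the signature IDs and the alert lines in `SAMPLE_EVE` are all constructed for the example.

```python
"""Triage Suricata EVE alerts and draft suppress entries for repetitive
signatures that fire from local hosts.  Added example with constructed
input; nothing here is captured from a real network."""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the LAN behind pfSense is 192.168.1.0/24.
LOCAL_NETS = [ip_network("192.168.1.0/24")]


def _alert(src, dst, sid, sig):
    """Build one constructed eve.json alert record (hypothetical sid/signature)."""
    return {"event_type": "alert", "src_ip": src, "dest_ip": dst,
            "alert": {"gid": 1, "signature_id": sid, "signature": sig}}


# Constructed eve.json excerpt: one JSON object per line, plus a non-alert
# event and a garbage line so the parser has something to skip.
SAMPLE_EVE = "\n".join([
    json.dumps(_alert("192.168.1.50", "8.8.8.8", 9000001, "EXAMPLE noisy DNS lookup")),
    json.dumps(_alert("192.168.1.50", "8.8.8.8", 9000001, "EXAMPLE noisy DNS lookup")),
    json.dumps({"event_type": "flow", "src_ip": "192.168.1.50", "dest_ip": "8.8.8.8"}),
    json.dumps(_alert("203.0.113.9", "192.168.1.10", 9000002, "EXAMPLE inbound scan")),
    json.dumps(_alert("192.168.1.50", "8.8.8.8", 9000001, "EXAMPLE noisy DNS lookup")),
    "this line is not JSON and must be skipped",
    json.dumps(_alert("203.0.113.9", "192.168.1.10", 9000002, "EXAMPLE inbound scan")),
    json.dumps(_alert("192.168.1.77", "1.1.1.1", 9000003, "EXAMPLE one-off alert")),
])


def parse_alerts(text):
    """Return only the alert events from an eve.json text, skipping other
    event types and any line that is not valid JSON."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        a = rec["alert"]
        alerts.append({"gid": a["gid"], "sid": a["signature_id"], "sig": a["signature"],
                       "src": rec["src_ip"], "dst": rec["dest_ip"]})
    return alerts


def is_local(ip, nets=LOCAL_NETS):
    """True if ip falls inside one of the configured local prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def count_by_source(alerts):
    """Hits per (gid, sid, src_ip); the unit Suricata's track by_src suppresses."""
    return Counter((a["gid"], a["sid"], a["src"]) for a in alerts)


def draft_suppressions(alerts, min_hits=3, nets=LOCAL_NETS):
    """Split alerts into draft suppress lines and a review list.

    A signature is a suppression candidate only when it fired at least
    min_hits times from a *local* source; anything from outside the LAN is
    never auto-suppressed, however noisy, because that is exactly the
    traffic the IPS is there to judge.  Suppressing by source keeps the
    signature active for every other host, which is the usual tradeoff.
    """
    counts = count_by_source(alerts)
    names = {(a["gid"], a["sid"]): a["sig"] for a in alerts}
    suppress, review = [], []
    for (gid, sid, src), hits in sorted(counts.items()):
        if is_local(src, nets) and hits >= min_hits:
            suppress.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
        else:
            review.append(f"{hits}x sid {sid} ({names[(gid, sid)]}) from {src}")
    return suppress, review


if __name__ == "__main__":
    suppress, review = draft_suppressions(parse_alerts(SAMPLE_EVE))
    print("# candidate suppress entries (verify before adding to the suppress list):")
    print("\n".join(suppress))
    print("# needs a human look:")
    print("\n".join(review))
```

The draft lines are meant to be read, not applied blindly: a local host tripping the same signature dozens of times can be a chatty IoT device, but it can also be a compromised one, so confirm what the signature matched on before the entry goes into the suppress list, and keep blocking mode off until the review list stays empty for a while.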

Ahhh, I never thought of double NATing.

OK, just looked up the CloudKey. Glad I didn’t pull the trigger on the Dream Machine before checking the forum.

If I do the CloudKey Gen2 Plus, that will cover me for when I swap out security cameras to UniFi and also cut a couple hundred dollars off for a switch!

thank you for the insight!!

Just keep in mind that if you’re trying to switch over to using Protect on the CloudKey, it can only handle a handful of G3 cameras at best, and G4 and anything 4K is out of the question on those. You may want to actually look at a UNVR for that instead, depending on what they have.

Also, I did suggest the SG-5100 at least, but if you’re doing a 10Gbps network you’ll need at least an XG-7100 with SFP+. There are also the UniFi XG switches that have several SFP+ ports on them if you need to connect multiple devices at 10Gbps. Otherwise, so long as your UniFi switch has SFP+ on it, you can uplink using that as well.

Ya, I would only be using 5 cameras max. It’s just for my home network.

My pfSense that I built from my old PC can handle all of that, I just need to swap out the NICs with a 10 Gig card.

Question on the SFPs though... can I use conversion adapters to RJ45 and get the same performance?
SFPs are all new to me. I’ve never even seen them before until recently. Canada is slowly releasing faster internet. I have the fastest “home” internet I can get through my ISP at 1.5 Gig. I realize 10 Gig is complete overkill, but when I do PC builds I do them so I don’t need to do any upgrading for a long time. So with a full home network upgrade I want to do the same.

I’ve got all my cables switched to Cat8.

So long as the cable medium you’re using supports 10Gbps, which Cat8 I imagine would. You would then obviously need a 10Gbps NIC on the computers you’re connecting as well to do that. Just be sure to remember SFP supports up to 1Gbps, SFP+ supports up to 10Gbps.

Ya, I’d prefer not to switch to SFP+. Cat8 supports “up to 40Gbps”.

Yes, but the interface it connects to must also support the speeds you’re looking for. Most Ethernet NICs are only going to support 1Gbps, so you’ll need to make sure you have a NIC that supports 10Gbps.

Yes, I am swapping the NIC from my pfSense with 10 Gig cards. Same with my new PC build; the motherboard comes with an onboard NIC.