Replace USG with pfSense

I have a moderately complex network with 200-300 total clients, 45 Unifi switches and access points, multiple VLANs.

We have outgrown the USG and I have a new pfSense appliance to replace it, but not installed yet.

My question is regarding how to go about this with minimal disruption of the Unifi setup and overall network communication. In particular, when you set up a VLAN on a Unifi system with a USG, it automatically creates a new network, DHCP server, etc. for you (which is very nice).

I realize that I will need to recreate the VLANs, networks, and DHCP servers within pfSense, but what is going to happen when I “forget” the USG within the Unifi site?

My concern is that all hell will break loose and a chunk of the network will just disappear.

Does anyone have a workflow or best practices to follow when replacing a USG with a non-Unifi router?

I’ve gotten bitten by not documenting everything first (port forwards, etc., if any; VLANs; etc.). I’ve also tried to do this kind of thing in the middle of the day, thinking it would be a quick flip, with disastrous results: office workers asking when the Internet is going to be back up every 30 seconds. So, don’t do either of those. :)

You should be able to build everything on the pfSense box before putting it online in the network, and then compare them side-by-side as needed. Are you using Unifi switches or something else? Are there a ton of VLANs or not so much?


Yes I am using Unifi switches and access points. There are 3-4 VLANs (WiFi, VOIP, guest, and I think one more). Good call on documenting everything. I have started doing some of that already.

I think you should definitely plan for some down-time. While there will be no issue creating VLANs in pfSense that communicate just fine with the Unifi switches, in Unifi you’ll need to make all of your current Corporate networks be VLAN only networks. And that will break some things in the process, that you will need to go put back. I think you could do something like this with a Port Profile in Unifi and then swap out the Networks in one place, but don’t quote me on that. You could start by creating these port profiles with all of the current networks the way you want, then apply these to the ports as you find them. Then, later, when you make the switch, swap the networks in the profiles out with the VLAN only versions.

Yes, you will have to create all of the interfaces and DHCP servers in pfSense. I don’t know how much you know about it yet - but Tom’s videos are fantastic for learning this.

I’d also consider documenting the IP address / MAC of your controller and doing a static assignment in pfSense. Also document any other static assignments you’ve done in the USG, if any.
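The replies above boil down to one procedure: write down every network, VLAN tag, DHCP pool and static assignment before touching the USG, build the same thing on the pfSense box offline, and compare side by side. The script below is an added example, not from any poster, Unifi or pfSense: it takes that written-down inventory (the VLAN IDs, subnets, pool ranges and controller MAC are constructed placeholders), checks it for the mistakes that cause "a chunk of the network disappears" at cutover (duplicate tags, overlapping subnets, a pool outside its subnet, a static mapping that collides with the dynamic pool, which pfSense rejects), and emits `<vlans>`, `<interfaces>` and `<dhcpd>` elements in the shape found in a pfSense config.xml export. That element layout, the `igb1` parent NIC name and the treatment of VLAN 1 as the untagged LAN are assumptions; compare the output against a backup export from your own pfSense box rather than importing it blindly.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed inventory: what you copy out of the Unifi controller
# (Settings > Networks) before forgetting the USG. All values are made up.
NETWORKS = [
    {"name": "Corporate", "vlan": 1,  "subnet": "10.0.1.0/24",  "pool": ("10.0.1.100", "10.0.1.200")},
    {"name": "WiFi",      "vlan": 10, "subnet": "10.0.10.0/24", "pool": ("10.0.10.100", "10.0.10.250")},
    {"name": "VOIP",      "vlan": 20, "subnet": "10.0.20.0/24", "pool": ("10.0.20.50", "10.0.20.200")},
    {"name": "Guest",     "vlan": 30, "subnet": "10.0.30.0/24", "pool": ("10.0.30.10", "10.0.30.250")},
]

# Static DHCP assignments carried over from the USG; the controller is the one
# you most want pinned. MAC is a placeholder.
STATIC_MAPS = [
    {"vlan": 1, "mac": "00:11:22:33:44:55", "ip": "10.0.1.10", "hostname": "unifi-controller"},
]

PARENT_IF = "igb1"  # assumed name of the pfSense NIC that trunks to the Unifi switches


def validate(networks, static_maps):
    """Return a list of human-readable problems; an empty list means the inventory is consistent."""
    problems = []
    seen_tags = {}
    subnets = []
    for n in networks:
        tag = n["vlan"]
        if tag in seen_tags:
            problems.append(f"VLAN {tag} used by both {seen_tags[tag]} and {n['name']}")
        seen_tags[tag] = n["name"]
        subnet = ipaddress.ip_network(n["subnet"], strict=True)
        for other_name, other in subnets:
            if subnet.overlaps(other):
                problems.append(f"{n['name']} {subnet} overlaps {other_name} {other}")
        subnets.append((n["name"], subnet))
        lo, hi = (ipaddress.ip_address(a) for a in n["pool"])
        if lo not in subnet or hi not in subnet or lo > hi:
            problems.append(f"{n['name']} DHCP pool {lo}-{hi} is not a valid range inside {subnet}")
    by_tag = {n["vlan"]: n for n in networks}
    for s in static_maps:
        n = by_tag.get(s["vlan"])
        if n is None:
            problems.append(f"static map {s['mac']} references unknown VLAN {s['vlan']}")
            continue
        ip = ipaddress.ip_address(s["ip"])
        subnet = ipaddress.ip_network(n["subnet"])
        lo, hi = (ipaddress.ip_address(a) for a in n["pool"])
        if ip not in subnet:
            problems.append(f"static map {s['mac']} {ip} is outside {n['name']} {subnet}")
        elif lo <= ip <= hi:
            # pfSense refuses a static mapping whose address lies inside the dynamic range
            problems.append(f"static map {s['mac']} {ip} falls inside the {n['name']} dynamic pool")
    return problems


def build_fragment(networks, static_maps, parent_if):
    """Build <vlans>, <interfaces> and <dhcpd> elements in the layout seen in a
    pfSense config.xml export (assumed; not an official schema). VLAN 1 is
    treated as the untagged LAN on parent_if, everything else as optN on a
    tagged sub-interface. The gateway address is the first host of each subnet."""
    root = ET.Element("pfsense")
    vlans = ET.SubElement(root, "vlans")
    ifaces = ET.SubElement(root, "interfaces")
    dhcpd = ET.SubElement(root, "dhcpd")
    key_by_tag = {}
    opt = 0
    for n in networks:
        subnet = ipaddress.ip_network(n["subnet"])
        if n["vlan"] == 1:
            key, ifname = "lan", parent_if
        else:
            opt += 1
            key, ifname = f"opt{opt}", f"{parent_if}.{n['vlan']}"
            v = ET.SubElement(vlans, "vlan")
            ET.SubElement(v, "if").text = parent_if
            ET.SubElement(v, "tag").text = str(n["vlan"])
            ET.SubElement(v, "descr").text = n["name"]
            ET.SubElement(v, "vlanif").text = ifname
        key_by_tag[n["vlan"]] = key
        i = ET.SubElement(ifaces, key)
        ET.SubElement(i, "if").text = ifname
        ET.SubElement(i, "descr").text = n["name"]
        ET.SubElement(i, "enable")
        ET.SubElement(i, "ipaddr").text = str(subnet.network_address + 1)
        ET.SubElement(i, "subnet").text = str(subnet.prefixlen)
        d = ET.SubElement(dhcpd, key)
        ET.SubElement(d, "enable")
        r = ET.SubElement(d, "range")
        ET.SubElement(r, "from").text = n["pool"][0]
        ET.SubElement(r, "to").text = n["pool"][1]
    for s in static_maps:
        m = ET.SubElement(dhcpd.find(key_by_tag[s["vlan"]]), "staticmap")
        ET.SubElement(m, "mac").text = s["mac"]
        ET.SubElement(m, "ipaddr").text = s["ip"]
        ET.SubElement(m, "hostname").text = s["hostname"]
    return root


def fragment_xml(networks, static_maps, parent_if):
    """Serialise the fragment so it can be diffed against a real config.xml export."""
    return ET.tostring(build_fragment(networks, static_maps, parent_if), encoding="unicode")


if __name__ == "__main__":
    issues = validate(NETWORKS, STATIC_MAPS)
    print("\n".join(issues) if issues else "inventory consistent")
    print(fragment_xml(NETWORKS, STATIC_MAPS, PARENT_IF))
```

Run it against the inventory first and fix every reported problem before building anything on the pfSense box; then use the printed XML purely as a checklist when walking through Interfaces > VLANs, Interfaces > Assignments and Services > DHCP Server in the pfSense GUI, and diff it against Diagnostics > Backup & Restore output once done. Converting the Unifi networks to VLAN-only and reworking the port profiles, as described in the reply above, is a separate controller-side step this script does not touch.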