I recently picked up a UDM Pro and I’m planning to transition from pfSense to UniFi’s zone-based firewall. I’m looking for advice on a migration path that makes sense based on my current equipment and setup—not necessarily the easiest path, but one that’s logical and clean.
Current Setup
ISP: AT&T Fiber 1Gb (BGW320 in passthrough mode)
Firewall: pfSense
Switch: UniFi US-24
UniFi Network Controller: Cloud Key Gen2 Plus
Protect: UNVR
Additional context:
I currently have no special port forwarding rules and no MAC address reservations in place. The setup is fairly straightforward.
The UDM Pro would eventually take over as:
Firewall / gateway
UniFi Network controller
From what I can tell, I have two main options:
Migrate UniFi Network from the Cloud Key using a backup
Start fresh and rebuild everything on the UDM Pro
What I’m Hoping to Learn
Pros and cons of migrating vs starting from scratch
Any “gotchas” with UniFi zone-based firewall rules compared to pfSense
Whether migrating configs creates more headaches later (legacy rules, VLAN quirks, etc.)
Best order of operations to minimize downtime
I’m comfortable rebuilding if there’s a strong long-term benefit, but I also don’t want to create unnecessary work if migration is clean and reliable.
Appreciate any real-world experience or lessons learned from folks who’ve made a similar move.
The only thing migration will do is save you from having to set up the switch again, so I would not bother with it. Just make note of any port settings and labels you have, remove it from the Cloud Key and then adopt it to the UDM Pro.
Once you take the time to learn the Zone Based way of setting things up, it’s pretty straightforward.
Just a question: are you using IPv6 with pfSense with prefix delegation from AT&T? I know in pfSense I had to run a custom connect script to delegate the IPv6 addresses to the right VLAN. I found this to work well but not reusable in UDM Pro.
When I moved to the UDM Pro I decided that IPv6 delegation and multiple ISPs would be an issue, so I transitioned to ULA and NAT Masquerade for IPv6 traffic. So I never tested if the UDM picked up the 8 blocks of IPs that the AT&T RG supports.
Perfect, thanks, Tom! That sounds like a breeze. I was expecting it to be a bit more complicated than simply un-adopting the switch from the Cloud Key. For some reason, I thought I’d need to un-adopt all devices except the UNVR because it is a stand-alone device.
Looking forward to installing the UDM Pro and getting familiar with the Zone Based firewall. Thanks again for the help and the link to the firewall video, much appreciated!
Hi RonV42, I’m not using IPv6 in pfSense. Setting the modem to passthrough mode worked well for me. There are several YouTube tutorials that walk through the process; I’ve included one here for reference.