Ubiquiti USG sudden weirdness that breaks the network


Sorry for the torrent post, I'm trying to be clear to get interesting answers :slightly_smiling_face:
I have a few pieces of Unifi hardware I bought 3 years ago. My home network basically looks like this:

ISP → USG → US-8-60W
Connected to that switch I have a UAP-AC Lite and a Cloud Key gen. 1.

Until this week, everything was working fine. Which brings me to the part I don’t understand and don’t know how to fix.

This week while on the phone (so I was not even doing anything on my main computer, my work laptop or the Unraid server) I lost internet access to all my computers. I thought OK, maybe there is some network hardware that is updating or rebooting and it’s going to come back.

It obviously did not. So I thought that the CK was doing stupid things again, as the CK gen. 1 can be annoying because of its power, even though I'm French and we have a pretty reliable power grid. I think it was stupid to think that, as I don't need the controller for the Unifi hardware to work, but... I did reset the CK and restored a backup from the microSD without getting my network back.
The root problem became clearer later when I saw my main computer had an IP address starting with 169.254.x.x, which is definitely not what it is supposed to be; it should start with 111.0.x.x.

As I was not entirely sure which Unifi equipment is handing out the IPs on the network, I started at the beginning by connecting to my ISP router, which was giving a correct IP address to the WAN port of the USG. Then I reset the USG to reconfigure it, which worked and got me my network back, but I had to adopt again, which is always a pain for me for some reason (related or not to the CK, not sure).

All was fine again. Until the next day, when I got a 169.254.x.x IP address again.
I reset the USG once more and got my network back again, but I can't be doing this every day, right?

By the way, I'm having issues adopting the USG, and my UAP-AC runs version , shows an update is available. If I update it, it does its thing, reboots and still shows an update is available.

What is wrong on my network? I don’t know what happened but I would love some help to understand what is wrong in my setup.

The USG is what hands out DHCP addresses. Try doing a firmware update to it; if that fails it may be going bad.
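The 169.254.x.x addresses the original poster saw are RFC 3927 link-local (APIPA) addresses, which a client self-assigns only when no DHCP server answers, so they point at the DHCP server (the USG here) rather than at the client. The following is an added example, not code from this thread or from Ubiquiti or Netgate: a small Python checker that parses `ip -4 -o addr show` style output and flags interfaces that fell back to APIPA or that hold a lease outside the expected LAN subnet. The sample interface lines and the expected subnet `192.168.1.0/24` are constructed for the example.

```python
import ipaddress
import re

# RFC 3927 link-local range. A host self-assigns an address from here
# (APIPA) when its DHCP requests go unanswered, so an APIPA address on a
# LAN client is a symptom of a dead or unreachable DHCP server, not of
# the client itself.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Hypothetical expected LAN subnet for this example; substitute your own.
EXPECTED_LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample of `ip -4 -o addr show` output (no real hosts).
SAMPLE_IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0  inet 169.254.23.17/16 brd 169.254.255.255 scope link eth0
3: wlan0 inet 192.168.1.42/24 brd 192.168.1.255 scope global dynamic wlan0
4: eth1  inet 10.9.8.7/24 brd 10.9.8.255 scope global dynamic eth1
"""

# One-line-per-address format: "<idx>: <ifname> inet <addr>/<prefix> ..."
ADDR_RE = re.compile(r"^\d+:\s+(?P<ifname>\S+)\s+inet\s+(?P<cidr>\S+)")


def parse_addresses(text):
    """Return a list of (ifname, IPv4Interface) from `ip -4 -o addr` output."""
    found = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            found.append((m.group("ifname"), ipaddress.ip_interface(m.group("cidr"))))
    return found


def classify(iface, expected_lan=EXPECTED_LAN):
    """Classify one interface address for DHCP troubleshooting."""
    addr = iface.ip
    if addr.is_loopback:
        return "loopback"
    if addr in LINK_LOCAL:
        return "apipa"        # self-assigned: the DHCP lease attempt failed
    if addr in expected_lan:
        return "ok"
    return "unexpected"       # valid lease, but from a subnet you did not configure


def diagnose(text, expected_lan=EXPECTED_LAN):
    """Map each non-loopback interface name to its verdict."""
    verdicts = {}
    for ifname, iface in parse_addresses(text):
        verdict = classify(iface, expected_lan)
        if verdict != "loopback":
            verdicts[ifname] = verdict
    return verdicts


if __name__ == "__main__":
    for ifname, verdict in diagnose(SAMPLE_IP_ADDR_OUTPUT).items():
        print(f"{ifname}: {verdict}")
```

An `apipa` verdict on a wired client while the WAN side of the gateway is healthy narrows the fault to the LAN DHCP service, which matches the diagnosis in the thread. An `unexpected` verdict is worth a look too: a lease from a subnet you never configured usually means a second DHCP server (a forgotten ISP router or a misconfigured device) is answering on the LAN.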

Thanks Tom.

I’ll try that. It is not what I consider a long-lasting firewall, really disappointing. If it is dead I am considering a pfSense box to replace it; what do you think of the Protectli Vault FW4B?

1 Like

The Protectli should be fine.

If you have to replace, and you plan on using some heavy usage packages like Snort, Suricata, or pfBlockerNG you’ll probably want the Protectli VP2410. The FW4B would be useful for light duties but not heavy. I had to recently order the VP2410, which should come tomorrow.

Thanks :blush:

I actually have not thought of that yet, but yes, I plan on using an IPS, IDS and NSM, though I’m not really well informed on that. Which software would you recommend looking into?

Is there that much power difference between the two? I thought the FW4B was already way more powerful than the USG.

Well, the FW4B would be and is more powerful, but it has a limit of 8GB of RAM. It’s a quad-core with up to 8GB of RAM, versus the dual-core and, if I remember correctly, not that much RAM. With pfSense without any packages installed I’ve seen it use about 22% of RAM, about 250 MB. But Suricata I know takes up about 1.5GB of memory on startup. With my 2GB, it kept crashing on me due to swap space. If that’s the only package you plan on running then the FW4B should work just fine with 4-8 GB of RAM.

Even a couple more other packages, like OpenVPN, and Wireguard. I’m not sure about their resource requirements, Tom would be a better SME on it. But if you start adding more packages you need to take memory into account. This is partly why I went with the Protectli VP2410 because I can upgrade to 16 GB if I need to.

In terms of IDS / IPS / NSM based on Tom’s suggestions and my own research, these are what I either use or plan on.

pfSense Packages

Host / Agent-based

  • Crowdsec
  • Wazuh
  • Zabbix

While Snort seems to be the recommended option for IDS / IPS in the Netgate documentation, the Netgate IDS / IPS section in their forums shows a lot more users use Suricata. So to start I would look into Suricata and pfBlockerNG. Then look into the others listed to see if they fit your needs.

Of course, there is more to it when it comes to security. I tend to go a little overboard. And I’m waiting for someone to point that out to me. I also use more complex firewall rules than what you might see Tom set up.

In the log management area, I’m going to be adding Graylog from Tom’s YT video. But I also found documentation that took Graylog further and use Grafana to build a nice UI for everything going on inside pfSense. So I’ll be spending time on that these next few weeks/months.

1 Like

And I was thinking I tend to go overboard :sweat_smile:
Thanks for the explanations.

What did you get with the VP2410? Do you buy it “naked” and get your own RAM and M.2 SSD? What size did you pick? I guess a Linux OS with a few packages does not require a large SSD, like 120GB would be plenty, right?

TBH, part of it is for the learning experience. I was a DevOps and Security Engineer which was a nice word for saying, Ethical Hacker. But sadly that career ended before full movement due to disability. So I like spending time setting up, learning, and researching. But I also like it because of security.

For the storage on the VP2410, I didn’t get the storage. But I did buy it with 8 GB of RAM. I had a 1 TB SSD so I could have a little more storage for logging. But yes, an M.2 SSD with 120GB should be enough. You could then offload the logs to a logging server if you wanted to.

Yeah, don’t worry I get it. :wink:

I am not a DevOps but my job is programming automation in the industry and I always cared about security for myself and it is also very interesting for my job. Plus I like to know how stuff works :grin:

I do not have the budget right now for the VP (just got a new bike), so I’ll wait a bit, but the first reason I got a USG is that I already had other Ubiquiti hardware and a good-performing pfSense box is kind of expensive. I should have saved a bit and gone that route right at the beginning.
We live, we learn.