Hello, I found Lawrence Technology Services from excellent content on your Youtube channel and was hoping you could advise on a problem related to my Ubiquiti UDM-Pro.
So a little bit of history - I initially had a slow FTTC connection with a MikroTik RB2011 router and recently our ISP decided to upgrade the whole area to FTTP. Initially this was a 330/50 connection and about a month later they were bringing out a 910/110 package so knowing that I was going to get a gigabit internet connection and having had a good experience with Ubiquiti APs in the past I decided to upgrade to a UDM-Pro. The UDP-Pro is specified to handle IPS & DPI at 3.5gbps so it should have been plenty fast. The unit I purchased is the later release version with the 1gbps connection between the 8 port switch and the CPU.
Long story short, my 910/110 service was activated and I initially only had a download speed of around 450mbps, but the built-in speed test was reporting the full speed. After some investigation, I’ve found that IPS, DPI and Smart Queues were all killing my throughput and I now have just DPI enabled. With this configuration, I around 700-750mbps down.
Ubiquiti support told me that Smart Queues disabled the hardware offloading and therefore were not expected to perform well. They also said that IPS is a beta feature and that support would only be provided by community members within their beta forum, despite their store page advertising the 3.5gbps throughput with IPS enabled and having no mention of it being a beta feature.
I started a couple of forum threads but sadly the community members were also stumped by this as it seems that it is working fine for some people: https://community.ui.com/questions/UDM-Pro-Performance-Issues/4dbe3629-c89a-4848-9f88-1271e762b7e4 & https://community.ui.com/questions/UDM-Pro-IPS-DPI-Performance/7336cc70-13ce-4a6c-80db-e1372898b1e3
I’m at the point where I’ve given up trying to resolve this directly and have purchased a Dell R220 to offload the IPS workload onto. I still want to use the UDM-Pro for as much as possible because the interface is really nice - One of the things I especially is the ability to manage my static DHCP assignments in the same area where I manage all of my client devices. My plan was to install opnSense (It could be pfSense, I’m not really sure which one to go for in truth but I believe they are mostly the same) on the R220 (Baremetal, not using ESXi as I don’t want to the box to be hosting its own DHCP server) and put this in front of the UDM-Pro.
The R220 would be configured to handle the PPPoE connection, IPS, and provide a DHCP server to an intermediate network (10.0.0.0/24) - I think it would also need to be setup with DMZ on the port going to the UDM-Pro.
The UDM-Pro’s WAN connection would be connected to the R220 and configured as a DHCP client for the 10.0.0.0/24 network. It would then have the standard firewall / NAT / DHCP server configuration that I currently have for my 192.168.1.0/24.
This configuration should allow me to access my R220 via the 10.0.0.1 IP which would be routed through the UDM-Pro and should also mean that I don’t have to touch the R220 when configuring port forwarding.
The R220’s NAT setup is essentially only there to provide an intermediate IP address so that I can still manage it from my LAN and also to provide a place for the IPS to perform the actual blocking.
I’ve not actually configured this yet so I’d love to receive any advice on this proposed configuration before I go ahead with it. I should point out that this is a home network, it’s not a business. I’d also like some advice on choosing between pfSense and opnSense.
Thanks,
-Andrew.