UDM-SE migration from pfsense / Sophos XG

With the improvements that have come to the networking stack, how many of you have made the jump to a UDM device from pfsense, opnsense, Sophos XG etc.? I’m running these on ex-Sophos XG hardware, XG 135 Rev3 and XG230 Rev2 units; they’ve been rock solid.

I’ve been running Unifi networking for a while, but haven’t used their gateway products since getting a UDM-PRO in 2020; I was left so unimpressed that I went back to a 3rd party gateway.

Those that have migrated, have you stayed with the Unifi solution or migrated back?

It’s just a home setup, but multiple S2S VPNs, Wireguard, OpenVPN and IPSec in use.

I have an NVR and Cloud Gateway Plus in the rack and the benefit would be that I’d consolidate these into the SE. I currently use Network, Talk and Protect. The NVR has a pair of 12TB WD Purple drives; yes, I know the SE is only a single drive.

Unifi stack comprises:

US-8, Switch Flex, Switch Flex 2.5G 5, USW Flex Mini, USW-Lite-16-PoE, USW-Pro-48-PoE, AC Mesh, U6-Pro

The 48 Port is less than half populated, but I picked it up on a decent deal and could use the 10Gb DAC connection between the SE as an uplink. Equally I could migrate all the downlink connections to the SE and change to a 24 Port PoE switch etc.

Multi WAN setup, Virgin Media (1000/100) as primary with Smarty as backup, UK ISPs.

The SE is about £474 in the UK, so not a cheap unit at all.

Stick with 3rd party or migrate? I work in enterprise IT, so do spend a fair amount of time spinning up solutions, VMware, Proxmox for hosting things etc.

What I’ve never liked re Unifi is the lack of crypto acceleration such as AES-NI, QAT etc. If there is any, they’re not disclosing the SoC capabilities. So what is their real world VPN performance like? I asked them about these items at the UK Unifi conference, along with certificate based IPSec connections rather than PSK, and they just dodged the questions tbh.

I see things like port forwarding are quite basic, unlike the others where I can get more specific relating to ASN / geo source etc.; these are leveraged from pfBlockerNG on pfsense. On Sophos XG I can’t import ASNs, so for some of the rules I’ve added the IP subnets to a network group and configured that way, fine for small groups.

Under Sophos XG Home I have VPN connections integrated with AD and Entra connections.

If I recall from Tom’s video it was circa 25w for a UDM-MAX power draw. Power consolidation is another potential benefit due to high energy costs.

I do wonder what is coming in Network 10 etc., whether there will be more advanced configurations or just refining what is there.

Advanced VPN features are still a bit lacking in UniFi, for example you can only have one OpenVPN server vs in pfsense you can set up many. There are also some options in the IPSEC that are not exposed, making connecting to non-Unifi systems more challenging if a specific cipher is not available.


Didn’t realise the OpenVPN limit and I agree re the IPSEC aspects.

I’m on the fence re the switch, but leaning towards doing nothing atm.

I am just now coming to the Unifi gateway and networking stack in my own homelab. I have loved my pfSense box on the front door of my lab and I am not yet confident I want to move away just yet. I have an extra pfSense box I need to experiment with to place pfSense into ‘transparent firewall’ mode to see if I can keep pfSense at the front door while making the transition to the Unifi gateway functions. I’ve seen a few write-ups and videos on this mode, but not sure what packages become incompatible when running as a transparent firewall. For example, will pfBlockerNG still work? I watched Tom’s video on this topic, but it is not quite exactly my use case. It would be nice if anyone else has configured their pfSense box as a front door to the Unifi gateway, and to learn what packages still can be used to filter traffic and how they wire up the box to the backend networking to get to the pfSense management UI from the back end. My equipment is still very new so I have not put a lot of brain-power into it just yet.

I assume you want pfsense as a transparent bridge so you can use either the Snort or Suricata IDS? While it’s fun for learning how that works and watching traffic flows, it’s not something that provides very robust security.

Depending on how many cameras and endpoints, using the UDM SE for multiple functions may not be a great idea. I have used these in replacing Sophos, pfsense, and SonicWalls in small business environments; pretty much every time I do not use them for the NVR unless that is all it’s doing. I like them to completely isolate the camera networks even with under 8 cams; they work great for this scenario too.

They have most of the features needed since the most recent network updates. Specifically, I have had success using them for IPSEC alongside pfsense, SonicWall and Sophos XG (with some frustration and trial and error).

The new QOS priorities, country blocking and app blocking work pretty well in real world small offices. As mentioned by others, not as extensive as pfsense and Sophos, but good enough for a fraction of the cost of other solutions.