I’m helping out fixing some stuff on my church’s network. They currently have a UDM Pro and are running about 50 APs at the central campus. There are a few issues, such as the network controller freezing up, that I feel could probably be fixed by replacing the UDMP with a Netgate firewall. I’ve had great experiences with the 7100-1U, which has apparently been discontinued. Does anyone have any good suggestions for a suitable replacement for the UDMP?
This will be the Internet gateway, as well as the east/west firewall. The Internet speeds are only 200/200, but the LAN backbone is 10GbE. The “normal” network users consist of 300-500 clients, some of which are smart TVs, cameras, etc. However, on Sundays or during events, there are probably closer to 1,000, with the POTENTIAL for 2,000+ depending on how many guests want to connect to Wi-Fi (guests are throttled to ~1 Mbps). There won’t be any extras like Suricata or ntopng, just basic routing/DNS/DHCP/firewall functionality.
I am pretty confident that pfSense will get the job done for that type of workload. The only thing to consider is that if you move away from the UDM Pro and your access points are adopted in there, you’ll need a new controller. So either a Cloud Key or a VM self-hosting the controller. Back up the current config and point your devices to the new controller.
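The last step of that reply (re-pointing the APs at the new controller) is the tedious part with 50+ devices. Below is an added example script, not posted by anyone in this thread, that batches it: it validates the inform URL, then SSHes to each AP listed in an inventory file and issues the UniFi device CLI command `set-inform <url>`. Everything specific is an assumption: the controller address 192.0.2.10 and the `admin` SSH user are placeholders, the inventory format (one AP IP per line, `#` comments allowed) is this script's own, and the restored backup is assumed to already be loaded on the new controller so the devices are recognised rather than offered for fresh adoption.

```shell
#!/bin/sh
# Added example (not from the thread): re-point UniFi APs at a new controller
# after the old controller's backup has been restored there.
# Assumptions: SSH access to the APs with the site's device credentials, an
# inventory file of AP IPs, and the new controller listening on the default
# inform port 8080. DRY_RUN=1 (the default) prints commands instead of running them.

INFORM_URL="${INFORM_URL:-http://192.0.2.10:8080/inform}"  # hypothetical controller address
SSH_USER="${SSH_USER:-admin}"                                # hypothetical device SSH user
DRY_RUN="${DRY_RUN:-1}"

# The devices expect http(s)://host[:port]/inform; reject anything else early
# so a typo does not get pushed to 50 APs.
valid_inform_url() {
  case "$1" in
    http://*/inform|https://*/inform) return 0 ;;
    *) return 1 ;;
  esac
}

# Exact remote command sent to one AP, kept separate so it can be checked.
set_inform_cmd() {
  printf 'set-inform %s' "$1"
}

# Walk the inventory (one IP per line, blank lines and '#' comments skipped),
# run set-inform on each AP, and return the number of APs that failed.
repoint_aps() {
  inventory="$1"
  failed=0
  valid_inform_url "$INFORM_URL" || { echo "refusing bad inform URL: $INFORM_URL" >&2; return 2; }
  cmd="$(set_inform_cmd "$INFORM_URL")"
  while IFS= read -r ap; do
    [ -z "$ap" ] && continue
    case "$ap" in \#*) continue ;; esac
    if [ "$DRY_RUN" = 1 ]; then
      echo "would run: ssh ${SSH_USER}@${ap} '${cmd}'"
    elif ! ssh -o ConnectTimeout=5 "${SSH_USER}@${ap}" "$cmd"; then
      echo "FAILED: $ap" >&2
      failed=$((failed + 1))
    fi
  done < "$inventory"
  return "$failed"
}

# Usage:  DRY_RUN=0 INFORM_URL=http://<new-controller>:8080/inform ./repoint.sh aps.txt
# With no argument it does nothing, so sourcing the file for the checks below is harmless.
[ -n "$1" ] && repoint_aps "$1"
```

Run it once with the default dry run to eyeball the commands, then with `DRY_RUN=0`. APs usually prompt for the device password on each SSH session unless you have pushed a key, so a password manager or `sshpass` is worth having for 50 devices; a non-zero exit code is the count of APs that did not take the command and need to be revisited.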
The controller crashing is one of the bigger reasons we are looking at replacing it. The hardware does OK, I think, but the Wi-Fi is terrible (the main reason I was invited to look at some stuff). After logging in, the very first thing I see is that the network application isn’t responding, and they said that happens about every week…
I’m going to try to convince them to move to HostiFi (or at least maybe self-host the controller) and add a Netgate router.
I’ve deployed networks of this size and larger using UniFi routing gear. We have built RV parks/hotels with thousands of simultaneous users for many years. I wouldn’t recommend a UDM-PRO for a job like this (or any UDM for that matter, due to cloud tie-ins and performance). I’ve had good success with the USG-PRO-4 (1G), EdgeRouter PRO (1G) and UXG-PRO (10GbE ports) with networks of this size if you want to stick with the UniFi lineup. For me the biggest benefits of the UniFi routers are traffic stats, VLAN creation, and ease of creating site-to-site VPNs if you have multiple locations. Otherwise they are just routers. I don’t think pfSense is necessary for an environment like this, but it does have its benefits, and if you can get one, maybe price. At the end of the day you’re really just running a mini ISP if you think about it. You’re giving the church members just Internet access.
I’d actually be surprised if you’re having throughput limitations with that number of users. You mention they are all throttled to 1 Mbps. Are you really getting 1,000 devices all streaming at 1 Mbps? My general experience is that even with 800-1,000 devices connected, most are just idle. You’ll generally be lucky if you have more than 20% actually flowing any substantial traffic. What problem(s) are you trying to solve?
The main concern at the moment is the controller on the UDMP crashing. I’m not sure that it is able to keep up with the ~70 UniFi devices plus all the client information for several hundred devices. From a pure routing perspective, I’m not sure there has been an issue, necessarily. But as you know, to get rid of the controller on the UDMP, you have to get rid of the whole thing.
I’ll look at the other UniFi routing options and see what might be a good fit, but I just tend to lean towards pfSense because it’s what I’m more familiar with. Thanks for the help!