USG Multiple WAN IPs

Hi,

I have been looking at the Ubiquiti USG for a client (a school). I’d love to put them on a pfSense firewall instead but they don’t have the budget for it. The USG seems a great fit, and looks like it’s very easy to manage remotely on our Unifi Controller.
I have seen lots of people raising that it doesn’t have Multiple WAN IP support built into the controller. However, one comment from someone stated that it can be done by the web interface of the USG itself, but not from the controller… is this true?

From your professional opinions, is it likely that the USG will ever have this option available? It’s a function that the school would like. I don’t think they necessarily need it now, but if they know it will be available soon (in the next year or so) then I think they’ll go for it.

This is the one I’m looking at: Ubiquiti Networks Unifi Security Gateway Router: Amazon.co.uk: Computers & Accessories

Many thanks as always.
Adam

No, Multiple WAN IP cannot be done from the web interface of the USG itself.

Multiple WAN IP can be done in an unsupported manner using config.gateway.json (see "UniFi - USG Advanced Configuration Using config.gateway.json", Ubiquiti Support and Help Center).

The USG series at this point is over 5 years old, and several possible replacement devices are available now or may be available soon. The replacement devices support Multiple WAN IPs through the controller. Depending on use case, they are UDM, UDMP, and UXGP. There is a hint of a non-Pro UXG which would be placed as a direct USG replacement, but nothing more than a hint so far.

There has been no indication that Multiple WAN IPs will come to the USG/USGP. In the past 18 months the only updates for them have been security related. There has been no feature development.

Even on the new devices, the Multiple WAN IP function is bare-minimum. The additional IPs can be used for port forwards, and you can assign a LAN subnet to use a specific WAN IP, but there is no 1:1 NAT.

At this time I do not recommend any Unifi gateway if you need Multiple WAN IPs. Yes, the feature is there now on the newest models, but overall Unifi devices are a poor match if you have that type of networking need (more advanced situations).

Hi Adam,

It depends on what you have to do at the firewall level. The USG-3P you linked and a pfSense firewall are from different planets and therefore not comparable.

From what I know you can configure multiple IPs on the WAN interface of the USG via the config.gateway.json in the controller, not the USG web interface. But since it’s not in the UI it’s also not officially supported and in my opinion, not recommended.

They want multiple IPs on the WAN but can’t afford a pfSense or any other more serious firewall? It seems very unlikely to me. Anyway, I’d not install any UBNT firewall in a school. They lack too much in functionality.

Regards,
Roberto

Because I follow the Unifi line in the hope that one day it will be a viable alternative to the pfSense and now Untangle firewalls I have run, I have noticed that with the 1.9 series firmware updates for the UDM and UDM Pro there is now an option for multiple WAN IPs available in the WAN interface setup.

@aowe1967, do you seriously think that Unifi will catch up with these firewalls? Maybe in the long run, but from what I can see UnifiOS is a backward step compared to the firmware based on VyOS.

At least with the old firmware you could use the .json file on the controller to extend functionality and now you cannot.

It took them 5+ years of it being their top requested feature for them to add it, and even then it’s only a half-measure that doesn’t have 1:1 NAT, which is required for many business use cases. There appears to be more focus now, but we’ve seen this song and dance from Ubiquiti before - their attention is very fleeting.

In terms of the new base vs VyOS, it’s important to understand how this works together.

The UDM-Pro basically runs two Linux OSes. The first thing to boot, and the first thing you access via SSH, is UbiOS. This is a highly stripped-down and customized Linux based on buildroot. Then UbiOS starts a podman container (compatible with docker) that runs UnifiOS, which is an Ubuntu derivative. The command “unifi-os shell” puts you inside this container.

UbiOS handles all the routing functions. UnifiOS just sits there to run the controllers.

There is a method to the madness here. New router-only devices, namely the UXG-Pro and UISP routers (UISP appears to be replacing EdgeRouter), run UbiOS without UnifiOS. New controller-only devices, namely the UCK-G2 and UNVR, run UnifiOS without UbiOS.

This means that UbiOS will have a lot of work put into it in terms of a routing platform. UISP is already showing more features than Unifi has, and just like with VyOS the limitation for Unifi is the controller.

Do I think that the Ubiquiti line of routers will ever compete in the medium and enterprise sphere? Certainly not.
Do I think that they will continue to improve and add features? Absolutely.
If I was implementing for a business that was looking for business-grade firewall features, Ubiquiti is not even in the conversation.
For a home implementation, however, then yes, Ubiquiti is certainly in the frame and getting better.
Perhaps not for the serious home labbers, but for the prosumer group it’s a serious consideration.
Don’t get me wrong, I understand the dislike for the range.
I myself used the USG for a month or 2 before casting it aside for a pfSense and then Untangle for my home.
But I watch the UDM Pro and hope for its feature set to head in the right direction.

@aowe1967 I agree with you.
In my second house I also have a USG-3P and it works fine for basic routing.

I was just pointing out that this thread refers to a school, and I surely would not put a USG in a school.

I’m with you.
I do sometimes have the bad habit of missing what the base conversation is :grin:

Adam, since pricing is an issue for the school, you might consider putting pfSense on a Protectli 4-port box, https://protectli.com/product/fw4a/, for a little over $300. More expensive than the base USG, but may be less than the newer Unifi routers. 8 Gigs of RAM and 64 Gigs of storage should be enough.

Thank you all for your comments and feedback! Stan - that’s a great idea! Admittedly, I was hoping to find a line of firewalls that were managed by central software (much like Unifi). My only concern with using pfSense is the lack of support that would come with it, while buying a firewall like TP-Link or Ubiquiti would come with some level of support if required.
I am currently looking into the TP-Link Omada range. I know they won’t offer all those advanced features that we get with pfSense, but might be suitable for the school. The school only has about 20 computers, but they have more than 1 public IP, which appears to be the issue here. The lack of advanced networking features isn’t a massive problem as they currently run a little DrayTek with just DHCP and DNS services, hardly anything else… they are only looking to move as the DrayTek keeps failing and is about 15 years old now!

You can do dual WAN in Unifi on a USG now. What you can’t do in the GUI is inbound NAT if you have multiple IPs configured on the WAN interfaces. Also enabling dead peer detection for VPN connections is not configurable in the GUI.

If the school doesn’t have any inbound NAT or VPN peers, the USG will work out of the box. If not, it can be done via .json files.

Support is not a strong point of Ubiquiti. With that said, there are supportive communities, and if you do enough of it, you pretty much don’t need support.