Using USG Behind Pfsense? Does it make ...sense? :)

About my home lab:
I purchased three ubiquiti UniFi switches in my home lab. I have an 48, 24(non PoE), and an 8(60watt PoE). I went ahead and picked up a cloud key cause I plan to log in from offsite from time to time, mostly to do demos at the makerspace/hackerspace meetings I go to and collab. w/ some security firms. However, I did not pick up a USG.

My APs run DDWRT for VPN clients, I am happy with those so I don’t plan on replacing them in the next couple years. I have a pfsense (home built) at the head of my network. After watching Tom’s videos (re: Unifi, edge, which firewall to choose for what environment etc etc) and fiddling with the unifi software, I see that some Unfi features are not supported without the USG. I am not sure if I care about those features but with the USG being fairly inexpensive, I wonder if there are any downsides (or major upsides?) to running pfsense with the USG downstream from it? I assume I can just allow it to pass the traffic through the USG (any advice on how to do that?)? Or would it perhaps be just overkill for a couple features I already have set up via pfsense?

What I do in the lab is simulate client sites. I.E. doing a lot of logging/IDS and creating synthetic traffic to replicate an airport. I do security research as well.

Most of the features in the USG I might be missing out on is duplicated (and more powerful) on my pfsense box. It’s probably just a OOooo “pretty” aspect of seeing all green in the dashboard with a USG. Also, for client sites I would deploy a USG, not build a custom PfSense box. Getting familiar with the USG could be a good learning experience.

Thanks for taking a minute to read the rambling, I would love some input. Cheers.


1 Like

Hi om, its cool to read what kind of people come here together.

I had the same idea to try the USG because of the fairly inexpensive price and the nice DPI overview.
What I found out was that you can’t turn off the NAT so its not possible to just pass through the traffic to “scan” it.

There is a way to disable the NAT but its not an official way, here is the link to the forum post: Guide to disabling NAT on USG
and a second link: without NAT and WAN

Would be nice to here some feedback from you in case you get the USG for testing purposes.


1 Like

There is a long discussion about that on the official ubnt forum about that USG passthrough/monitor mode

1 Like

Ok @Lluke thanks for the links. I will put it on the laundry list if I end up going forward with that project. I definitely will post back my findings if I head that direction.


1 Like

Sounds like you have the justification and answer to part of your question right there. Knowing the equipment you know you’ll be deploying for clients is always a good thing! Not only that, but if there’s something you need to investigate down the road for a client, then you’ve already got it and can jump right into finding the answer you need for your client. Within reason, whatever you need to provide the best value for your clients is always a smart investment in the long run!

Good luck, keep us posted!

1 Like

I’m currently doing the inverse, internet > USG > pfSense. USG then serves internet to wifi devices and pfSense. My lab (and desktop for that matter) sit behind pfsense.

I do this because I’m always tinkering with pfSense and also because my pfSense installation is virtual. I just didn’t want anything I was doing to my lab to effect the “house”.

1 Like