Which router has the best GUI for Bandwidth Management?

I am in the process of building a new network and evaluating which router, switch, and access points I am going to go with. I have tons of experience with Unifi Ap’s and I love the unified experience they offer, but they have dropped the ball on the capability of their USG routers. However, their Edgerouter line offers the features and control I need, but the GUI sucks, and I would need to rely on CLI to make the router do what I need.

I don’t know CLI, so I am hoping to find a router that can do what I need via GUI.

Features I need are…

OpenVPN server.
Internet Link speed 600mbps down / 100mbps up.
Max of maybe 30 users.
Extensive Gateway Bandwidth Management.
Deep Packet Inspection.

It would be nice if the router could be powered via POE from the switch.

If need be, I can learn CLI. But there may be solution out there that does will not rely on me configuring the unit via CLI.

Is there a router that you would recommend that can do what I need via GUI?


A lot of people here use PfSense … that will do most of what you want, as for Deep Packet Inspection you might want to look at Security Onion. You can install PfSense on pretty much anything, just install it in a VM and take a look for yourself.

1 Like

My preference is pfsense but another option would be Untangle. pfsense does not offer the deep packet Inspection, but unless you are going to install certificates on each system DPI is less and less insightful each day due to encryption.

Question… has anyone ever put a pfsense in front of a USG (nat turned off)? Just to have that unified ecosystem of USG, Unifi switches, and Unifi AP’s all working harmoniously in the cloud key or Network Controller?

The idea of a glorious interface where I can see and modify everthing seems like it would be heaven on earth… Or is that really not all that great…???

If you have several things in the usg turned off just take it out of the picture? Basically I am asking what would be it’s purpose. The UniFi will work without the usg.

I think the only thing I would have turned off on the USG would be nat… I think most of the features would be turned off on the pfsense… I think I would only be using the qos / bandwidth management features of the pf sense because that is where the USG falls short.

I think the reason to do a redundant setup like this would be to take advantage of the Unifi “Single Pane of Glass”, Dpi, etc…

Apparently there are many other people doing what I thought about… a quick google search for “pfsense in front of usg” generated links to many people discussing how to do it, and why they are trying to do it. https://www.google.com/search?q=pfsense+in+front+of+usg

I am baffled that unifi doesn’t just update the USG to be able to do better QOS and Gateway Bandwith Managment.

I agree!

I read a couple topics in the google search you provided. I am ok with the reasons but most likely would not setup my network this way. It is a good discussion though. The discussion in my mind what is the proper tool for each task.

I haven’t but the process should be fairly straightforward. I also understand why you want this too since having the USG opens up more options when dealing with your switches and configuring them via the controller. I had considered doing exactly the same thing myself,

Simply make sure you have a dedicated interface port on your pfSense for your WAN side on the USG.
Be sure to put that Interface on an IP range totally different to what your using for your private network. eg if your using for your private network then use something like as your IP for that interface.
Probably best to make your pfSense box and your USG .2 etc
On the pfsense put a single rule in to allow everything in that interface’s network out to any on any service. So allow all from LAN to WAN basically.

IF you have inbound rules then simply set those up as if you didn;t have the USG.
eg MY_WAN_IP TCP 80 Redirect To Target TCP 80 etc
Then add a static route on your pfSense to state that can be reached via
Not sure if on the USG you can set it up so that the WAN side can route back into your network. I know you can on pfSense as i’ve done it with a secondary firewall I have at work, I haven;t got a USG so don;t know if it’s possible.
IF you run into issues with that setup then change the NAT rule on the pfsense to Redirect to Target instead of the internal IP and then setup another NAT rule on the USG to redirect to the actual internal target IP. If that makes sense.

I’ve done something similar to the above with a 2nd broadband line we have at home which handles our personal traffic and is less restrictive, leaving our business broadband to cater for our servers etc. So we have 2 routers for our personal broadband. Only difference is our pfSense router is the 2nd one and not the 1st one like it would be for you.

Id have to Say Untangle UTM for the best gui! The live stats is awesome! The Home pro is 50$ a year and really good…

1 Like

Looking at the Mikrotik hEX RB750Gr3 5-port Ethernet Gigabit Router $56.90

The performance results are located at https://mikrotik.com/product/RB750Gr3#fndtn-testresults .

According to my brief google search regarding “routeros bandwidth management”

There seems to be a few different ways this is handled within RouterOS.

A few ways I see mentioned is to use Simple Queue, Tree Queue, or use Layer 7 mangle rules…

Have any one used these features, and can comment on how they worked and if 1 implementation is better than the other?

My recommendation for what you described would be Untangle (software router) on Protectli hardware. Untangle would have the most intuitive GUI.

How extensive bandwidth management do you need on the EdgeRouter? I do the majority of what I need in the GUI. Now setting up L2TP does require some CLI, but not much and is a cookbook that can be copy/paste.

Quick update for anyone that may be following what I am trying to do…

I have ordered a few different routers to play with to help my decide which way to go.

On paper the Grandstream GWN7000 looks really good. I have plenty experience with the Grandstream IP Pbx’s and phones, but never used there router. Anyone here have any experice using it?

Grandstream GWN7000 features…

  • 7 Gigabit ports (2 WAN + 5 LAN)
  • Hardware accelerated VPN including PPTP, L2TP/ IPSec and OpenVPN
  • Embedded controller to manage 300+ GWN WiFi APs
  • Can be powered by 802.3at PoE
  • QoS VLAN, TOS, supports multiple traffic classes, filter by port, IP address, DSCP, and policing
  • Deep Packet Inspection (DPI), with 7-layer network/application monitoring
  • Link to complete Grandstream GWN7000 Data Sheet

If I decide to go with Mikrotik, I would probably go with the MikroTik hEX S RB760iGS due it supporting all the Poe standards and the SFP Port vs the hEX RB750Gr3. I don’t think I really like the CapsMan wifi management that Mikrotik has, so that rules out me needing the MikroTik hAP ac2.

I will also be sending an email to all the various tech supports asking for assistance with setting up Vlan / Group Bandwidth Policies and building OpenVpn user profiles. Their responses will help me get a feel of the quality of support offered by the various vendors.

Will keep you all posted!

From my personal experience the support of all those vendors is not great. They may have an attractive product due to cost, but that savings will disappear when you spend the hours it’ll take to figure something out. I can tell you Fortinet and Juniper are pretty good and their price tags aren’t too bad. Cisco and Palo Alto are really good, but you will pay for it too.