Why is the UDM Pro considered less favorably?

Hi all - I just want to get some people’s perspective on the current UDM Pro solution (1.9.3 version) relative to pfsense. I’ve run both (been on the UDM Pro for a couple of months now). Here are my views:

Here are a list of upsides that I like about the UDM Pro:

  1. It supports layer 7 in an easy interface so I can tell what apps and protocols are being used by any device on the network
  2. I can with a click of a button block countries if I have port forwarding on from ever connecting. I can block both ways so my network doesn’t reach that particular country and if the country is the source. I get that they can proxy via another country, but that’s not my point. It’s how easy it is to do.
  3. IDS / IPS is just a switch of a button and it's activated. No huge amounts of configuration to do, and it does indeed work including with encryption (because it can detect the type of origination form such as whether it's a port scan, a bad reputation IP and then take active measures to prevent it from connecting)
  4. Firewall rules and port forwarding are pretty much equal with pfsense
  5. Static routing is pretty much equal with pfsense
  6. Supports dual WAN
  7. Supports 10Gbe
  8. Price point is excellent compared to Netgate’s hardware appliances
  9. If, like me, you have other Ubiquiti gear on your network, you have a completely integrated solution and dashboard. There is a lot to say about the strength of that.
  10. It supports Peer to Peer IPSEC VPN
  11. It supports remote user VPN
  12. The UDM Pro can be remote managed (this can be disabled as some people don’t like the concept of this).

Downsides

  1. I have to SSH into the box to get some things I like working properly - such as SNMP monitoring of the box so I can see real time bandwidth usage ingress/egress (I use peakhour - peakhourapp.com - check it out as it's an awesome little app for macOS users like myself). Good news is that it's not difficult at all to do, and you only have to do it once and it survives reboot / firmware upgrades.
  2. I have to SSH into the box to remove downloading from my bufferbloat fq_codel limiter because at gigabit speeds, it can’t handle it and my download speeds drop to 800mbps instead of 930mbps (which is the max for gigabit internet). I have a 400mbps upload and I leave that on as configured out of the box and it works perfectly. I only have to do this once and it survives reboots and firmware upgrades.
  3. There is currently no OpenVPN, WireGuard or any routable VPN support yet (it's coming) so if I want that I have to run it on a separate box.
  4. The firewall logging is terrible.

So when I look at all of those things together, I see it as a net benefit over pfsense, mainly because of the fact layer 7 is so much easier and nicer to manage, IDS/IPS is so much easier and nicer to manage, I have Ubiquiti gear and having an integrated solution works fantastically well, and lastly, I can’t think of anything I need from pfsense that I miss - and at the moment, Netgate are a mess in relation to pfsense CE and pfsense+. They have just created mass confusion as to what is really going to happen. But back to anything I miss (not need): it is the absence of a fully routable VPN built into the UDM Pro. As I say, it's coming, and it is the key piece of functionality I miss. The other thing I miss is the lack of good logging. Again, hopefully this is fixed with time.

Therefore, I’d be interested (as stated in my opening of this post) why the UDM Pro is relegated behind pfsense. I don’t understand why. It performs so much better than pfsense in many areas that I’ve outlined above (layer 7, IDS/IPS), that overall it's a net better solution.

Some responses:
Your Upsides:
1: The DPI rules have not been updated since 2018. Yes, they are older than the UDMP itself. The rules have to match on the router side and controller side, and they gave up on doing updates. There is an auto-updating check, but the file on the server hasn’t changed in years. (the auto-update from the server applies to the gateway device - USG, UDM. The controller side doesn’t use this server, it only uses the file included in the controller versions. Therefore if they wanted to do an update, nearly all installs would have a mismatch, which was seen every time they did update it)
2: PFSense may not have a map for this, but you can do the same GeoIP Filtering via PFBlocker.
6: Dual WAN on the UDMP is failover only, no load balancing
7: You can get 10GbE on PFSense, that’s just a hardware choice. Now, I’ll grant that you can’t get hardware capable of 9Gbps+ routing or 3.5Gbps+ IDS/IPS at the same price point for PFSense.

Your Downsides:
#2 why enable Smart Queues at all with that speed? Are you seeing an improvement on your upload traffic?

Whether you see a net benefit depends on how much you value the controller integration and your acceptance level for needing to SSH in and tweak things. The UDMP is definitely a very compelling value for performance and offers a lot of ability to tweak - have you seen UDM-Utilities which helps you run other Docker containers on the UDMP, use a custom kernel, etc? GitHub - boostchicken/udm-utilities: A collection of things I have made to make the Unifi Dream Machine more useful

The hardware is excellent but very hampered by the controller - not really by its own software. (I’m sure you have seen already, at the base level is UbiOS, which handles the routing, firewall, etc. Inside that is a container called UnifiOS that is the controller. UbiOS and UnifiOS are good, but the network controller is the exact same Java executable that can be run anywhere else - it does slight changes when it detects it is on a UDMP, but otherwise it's the same controller)

The reason “why the UDM Pro is relegated behind pfsense” is mainly that for professional environments, where tweaking is the last thing you want to do, and you want to have support when things are going sideways, as well as it being less likely to go sideways in the first place, Unifi Routers are way behind where they would need to be in order to even be considered. Most of your upsides end up not mattering to businesses, or if they do matter they are going to spend more on something else because the UDMP is just not good enough.

Most “advanced” features are in Beta, right?

Thanks for taking the time to provide a comprehensive reply. I found it quite thoughtful. One of the key points I think you make is the part I chose to partially quote which is about what I value and what I don’t or what others value and don’t. The emphasis I put on certain functionality vs others. That’s probably what makes the difference for me.

I didn’t know the DPI rules were outdated so that was news to me. Most of the other stuff I did know, and part of the strength (and weakness) of the UDM Pro is the customisation you can do via SSH with docker containers. I say strength and weakness because it's a strength that you can add functionality or change things to do something specific which is great, but it's a weakness that you have to resort to doing it that way as they haven’t built it into the GUI.

I live in Australia, and we have one wholesale broadband network called the National Broadband Network (NBN). Anyone who has broadband in Australia buys off a retailer and connects to the NBN. The way the NBN manages the different speed tiers you can buy (in my case 1000mbps down / 400mbps up) is that they use a harsh policer that aggressively drops packets if you hit your maximum upload, and that results in the uploads dropping by about 100mbps due to that. So if you run your own limiter in exactly the same way as managing bufferbloat, and keep your data just under their policer, you don’t have that problem and you can maximise your upload speed without dropped packets. So enabling SQM is fantastic for my uploads, but not great for my downloads (I presume it's single-threaded and hits the CPU single core max and can’t reach gigabit speeds). So there is really no advantage to having SQM on for downloads anyway (which is your point), so I enable SQM in the GUI, and then in SSH I run a command that removes downloads from the fq_codel queue. Works perfectly.

Good question - I don’t run the beta so I don’t know how far progressed they are. What I have in my GUI is a “coming soon” next to a greyed out non-functional button that turns on routable VPNs which is an interesting way to advertise a feature that doesn’t exist yet in a product.
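To illustrate the policer-versus-shaper point in the NBN post above, here is an added model (not code from either poster): a single-rate token-bucket policer fed once by a host bursting at 1 Gbps NIC line rate and once by a sender paced at 390 Mbps, just under the 400 Mbps tier. The policer rate, burst size and packet counts are constructed values; the unpaced sender starts losing packets as soon as the burst credit is exhausted (and TCP reads each loss as congestion and slows down), while the paced sender is never dropped.

```python
# Added illustration, not code from either poster: a single-rate token-bucket
# policer (the kind the NBN post describes) fed by a host that either bursts at
# NIC line rate or paces itself just under the policer rate. Rate and burst
# values are constructed for the example.

PKT_BYTES = 1500                 # one full-size Ethernet payload per packet
POLICER_BPS = 400_000_000        # 400 Mbps upload tier from the post
POLICER_BURST_BYTES = 100_000    # constructed: ~2 ms of credit at 400 Mbps


def policer_drops(gaps_ns, pkt_bytes, rate_bps, burst_bytes):
    """Run packets through a token-bucket policer; return how many are dropped.

    gaps_ns[i] is the time between packet i-1 and packet i (packet 0 has gap 0).
    Tokens refill continuously at rate_bps and never exceed burst_bytes; a packet
    that arrives without enough tokens is dropped, not queued (policer, not shaper).
    """
    tokens = float(burst_bytes)
    drops = 0
    for gap in gaps_ns:
        # refill: bits/s * ns -> bytes
        tokens = min(burst_bytes, tokens + gap * rate_bps / 8e9)
        if tokens >= pkt_bytes:
            tokens -= pkt_bytes
        else:
            drops += 1
    return drops


def paced_gaps(n_packets, pkt_bytes, send_bps):
    """Inter-packet gaps (ns) for a sender paced at send_bps, e.g. an
    fq_codel/HTB limiter on the router's upload side, or a NIC at line rate."""
    gap = round(pkt_bytes * 8 * 1_000_000_000 / send_bps)
    return [0] + [gap] * (n_packets - 1)


def compare(n_packets=1000):
    """Drops for an unpaced 1 Gbps burst vs. pacing at 390 Mbps (under the policer)."""
    unpaced = policer_drops(paced_gaps(n_packets, PKT_BYTES, 1_000_000_000),
                            PKT_BYTES, POLICER_BPS, POLICER_BURST_BYTES)
    paced = policer_drops(paced_gaps(n_packets, PKT_BYTES, 390_000_000),
                          PKT_BYTES, POLICER_BPS, POLICER_BURST_BYTES)
    return {"unpaced_1gbps_drops": unpaced, "paced_390mbps_drops": paced}


if __name__ == "__main__":
    # The unpaced sender loses over half its packets once the burst credit is
    # gone (the policer admits 2 of every 5 at a 1 Gbps arrival rate); the
    # paced sender loses none.
    print(compare())
```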

Alright, makes sense.

With SQM and IDS/IPS disabled, the UDMP can hit 9Gbps+ routing, which is over 2Gbps per core. It would be interesting to see what the exact cause is - it seems like the type of optimization issue where interrupts, poor loop design, etc become a problem. But this is why by default SQM is disabled over 300/300 during setup, and enabled under that.

There have been so many “coming soon” features which took years to arrive or never did that the community places no stock in that. Multiple Public IPs took over 5 years, and never came to the product it was originally promised for (USG and USGP). Over a year ago they took a poll from the community when they announced the UXGP (the UDMP stripped down to be just a router/firewall and adoptable to a separate controller) and of the requested features, only Multiple Public IPs was acknowledged. They then put out an Issue Tracker, with about 10 improvements for Unifi, of which 1 was Multiple Public IPs, 2 or 3 were acknowledging that PPPoE and other lesser used configs didn’t work well, and the rest were features that were not the community’s pain points and “no one” was asking for.

Routable VPNs are not in any Betas and people who deep-dive into differences in firmware and controller releases haven’t found anything that I’m aware of.

There isn’t much in the betas in terms of routing, firewall, VPN, etc. - nothing that would tip the balance between UDMP and PFSense for a business that would choose PFSense.

That’s my entire point though. Why is it that the UDMP is relegated behind pfsense? We’ve just had a good discussion of what we both value, and I think we are in agreement of what the UDMP offers today. It does a better job of making it easier to look at layer 7, it has a nice and easy GUI to see what is going on with layer 7, and if someone values that over VPN for a business, then why not UDM Pro? Isn’t it horses for courses, meaning that depending on the requirements of a business the UDM Pro might be the perfect fit if they list out a bunch of requirements that the UDM Pro does better than pfsense?

Equally, a business might list out a bunch of requirements that pfsense does better.

The bit I don’t understand is why the generalisation that the UDM Pro is a worse product than pfsense. I can see very clear use cases on why the UDM Pro would be better.

I totally agree with you about Ubiquiti proposed advanced features never coming or coming with bugs and then over time they settle. I don’t think pfsense is any different. Their latest upgrade to 2.5 has been terrible, they withdrew WireGuard. I’m not crapping on Netgate over that particular point, I’m simply pointing out that pfsense suffers similar pains. The bit I will crap on Netgate about is the future. It is so unclear when it comes to third party hardware.

Anyway - that’s my view. I think the UDM Pro has grown into a very good product over the past 12 months as its firmware has dramatically improved. I only got mine a couple of months ago so I don’t have the stigma of what happened in the past. I’ve inherited a stable solution. I also think as I say above it compares head to head with pfsense depending on business requirements. I wouldn’t generalise and simply say pfsense is better. That’s all I am saying.

Been a pleasure talking to you about it all. You clearly know your stuff, and I also like your tone in the way you approach the discussion. You don’t attack the player, you play the ball with logic and facts. Thanks for that. It’s exactly what I was after - to get insight into why the UDM Pro is relegated.

When you are communicating in a place that is biased towards business, MSPs, enterprise, etc., then the UDMP is not even considerable due to its flaws. If you move to a different place where the conversation is more about home use and very tech-savvy small business operators, and some MSPs with differing values, then the UDMP is not only considerable, but preferred. It's all about where the conversation is happening. This forum is hosted by an MSP that is not of the Unifi router type, and most people here came from watching the same MSP’s YouTube channel. People who like the channel enough to then come to the forum are more likely to not value the UDMP.

Same point as before, and I’m not trying to beat a dead horse. There are many communities of tech enthusiasts, some feel one way and others feel opposite.

This is exactly the point - PFSense has been stable and has nearly all the features needed by businesses for years. Ubiquiti meanwhile has been behind for years and is only recently making obvious progress as far as a routing product goes.

I’m not sure what you mean by this. Sure there was some bad blood about the AES-NI requirement being announced and then dropped, but most of their profit comes from support contracts from enterprises that aren’t using PFSense on first-party hardware (oftentimes virtualized), so the third party hardware support isn’t going away. And Ubiquiti doesn’t even allow third-party hardware!

I think the number of people who are completely generalizing and saying pfsense is always better is minor. There may be a number of people that are under-playing or aren’t aware of how the UDMP has improved, but I wouldn’t fault them for it. When your job is on the line, you aren’t likely to look into and recommend a new player to the market - and most of the shortcomings of the UDMP were true of the USG line which is over 5 years old and well known. Ubiquiti under-developed the USG to the point that their reputation is fixed and they now need to spend as much time working on a new reputation to be taken seriously. Choices are as much about the business as the product.

That is subjective. I like your other points based on fact, but the statement above is not. We’ve discussed the differences between the two products, and I think we agreed based on the value and emphasis one might apply to those differences would determine which is a better fit.

Yeah, I agree which is why I chose this forum (not reddit) to ask the question. I am genuinely curious as to why people think the way they do and I also think you’ve done a great job in articulating why people feel the way they do (assuming you are representative of what most people think on here).

I mean that Netgate has not announced how they plan to support pfsense+ on third party hardware. Will we still be able to run pfsense+ on bare metal, and if so, will it be limited to certain types of hardware? Or will it be some other virtualised offering? That’s the confusion that commenced in January this year and still has yet to be clarified in July. That leads to significant uncertainty for any business that wishes to forward plan.

Anyway, I’ve enjoyed our conversation. You’ve achieved the outcome I wanted which is to understand my initial question. I think at the end of the day, yes, Ubiquiti are coming from behind (the underdog) because of previous poor products over the past 5 years, but they are on par now (in my view) with pfsense with the caveat of depending on what the buyer wishes out of their product (including enterprises, SMBs etc.). Horses for courses. Thanks for all the info you’ve provided and the effort you’ve taken to explain.