An aside for later, growing disappointed in my choice of Ubiquiti gear:
I used to love Ubiquiti and the gear they produced. It always seemed to be enterprise-grade hardware with consumer-friendly interfaces and prices. Unifi used to give you so much more power in how you configured your network and exposed much more advanced controls than you would typically find on other consumer gear. This is why so many tech enthusiasts with home labs loved it. There were a few problems that needed solving, mostly concerning the maximum processing power of some of the older devices not actually being enough to keep up with the rated speeds when you started using the more advanced features. That was all supposed to change with the UDM-Pro. A Unifi router with 10G SFP+, dual uplink, running on top of the beloved Unifi control interface, with enough raw processing power to handle all the advanced firewall features turned on and maintain its maximum speed. Designed to blur the line between high-end home gear and full-fledged enterprise-class routing, while also integrating seamlessly with Ubiquiti’s ecosystem of other products like security equipment, access points, and communications gear.
Buuuuut, it’s not.
I have a number of other Unifi products, namely security cameras and access points, and of course they do their jobs flawlessly. I invested in Unifi cameras specifically because they were far better than anything else available at that price point at the time, and at that price point I believe they were the only option that didn’t require cloud connectivity to function. Frankly, I will never use a camera system that is purely cloud based. The access points work great, and there are plenty of different ones to choose from depending on your specific needs. Pairing it all together with a Unifi router made everything so easy, and it was light years beyond what I had. I was really looking forward to the fact that I could create and broadcast multiple SSIDs from the APs and create virtual segregated networks. That was just something I didn’t have access to with my older gear.
Now that I am trying my hand at some more complicated network topologies, I, along with many other UDMP users, have discovered some pretty serious shortcomings with it that prevent it from being used to its fullest potential in an enterprise-like home lab environment. The one that caught me completely off guard was the lack of link aggregation. Yes, it has a 10G SFP+ port, but what if you don’t have a 10G switch? Barring that, what if the device you want to connect to isn’t 10G? Link aggregation allows you to bond multiple network interfaces together in order to increase the overall throughput of the connection. This is used all the time to connect, say, a router to a dedicated switch with more ports. If you had a 1G 24- or 48-port switch, you could dedicate 2, 4, or even 8 of those ports to act as the uplink to the router, drastically increasing throughput. This is useful when traffic needs to flow through the router constantly, because firewall rules, internal DNS, or DHCP routing needs to take place for a lot of devices. Bonding can also be used to provide failover for a device or multiple devices. In fact, there are a lot of uses for link aggregation! It’s not even really considered an enterprise feature, as most multiport network interface cards support it. The issue, however, is that both ends of the connection must support link aggregation in order for it to work, and for some reason the UDMP does not support it. What is slightly more bothersome is the reason why it is not supported. The 1G ports on the UDMP all share one single 1Gb backplane, meaning that it is not physically or electrically possible for the UDMP to switch traffic faster than 1Gb even if that traffic is split between multiple different devices on different ports. This also means that multiple devices plugged directly into the UDMP can actually slow each other down if one or a few devices are hogging bandwidth. This, in my opinion, is a pretty big oversight.
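To make the "both ends must support it" point concrete, here is an added example (not from the original post or from Ubiquiti) of the host side of a two-port LACP bond in netplan syntax, the kind of uplink the UDMP cannot terminate. The interface names, bond name and address are assumptions, and the peer switch is assumed to have a matching LACP port group configured.

```yaml
# Added example: 802.3ad (LACP) bond of two 1G ports on a Linux host.
# Interface names enp1s0f0/enp1s0f1, bond0 and the address are constructed.
network:
  version: 2
  renderer: networkd
  ethernets:
    enp1s0f0: {}
    enp1s0f1: {}
  bonds:
    bond0:
      interfaces: [enp1s0f0, enp1s0f1]
      parameters:
        # LACP: the switch-side port group must also run LACP, or the two
        # links never negotiate into one aggregate (the UDMP's situation).
        mode: 802.3ad
        # Send LACPDUs every second so a failed member is detected quickly.
        lacp-rate: fast
        # Link-state polling interval in milliseconds for failover.
        mii-monitor-interval: 100
        # Spread flows across members by IP address and port, so many
        # devices behind the switch can use both links at once.
        transmit-hash-policy: layer3+4
      addresses: [192.0.2.10/24]   # constructed documentation-range address
```

LACP balances flows, not packets, so any single connection is still capped at one member link's speed; the gain is aggregate throughput for many devices, which is exactly the router-to-switch uplink case described above.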
It is also very strange, because currently on Ubiquiti’s website they show the UDMP as being able to switch at up to 3.5Gbps… which is not possible on the 1Gb ports. Technically, it has a 10G port, but would that mean it’s also limited to 3.5G? (The 3.5Gb throughput figure is specifically for the IDS/IPS system.) Then again, the original marketing material also stated that LACP would be available… and it’s not… That bit of the marketing was later replaced with ‘Advanced L2 features’.
The second feature that I am now missing, which is certainly more of an enterprise feature, is multicast. Multicasting allows one IP address to send data to multiple clients. In essence, a single IP can be shared. This is useful when you want to do any kind of load balancing on, for example, Kubernetes. I can get around this limitation, but it would have certainly made things a bit easier and nicer to deal with overall. The alternative solutions won’t really provide true load balancing, but this is a home network so it doesn’t actually matter that much.
Finally, I was pretty upset when I first got my UDMP that it actually required me to set up a cloud account in order to configure it. That is super not OK in my book. What’s more, once you have it set up, you can technically go into the user settings and disable cloud remote access, but you can’t actually disconnect the UI cloud account unless you are replacing it with a new account that must also be cloud connected… Wow. This is even worse considering that not more than a few months ago Ubiquiti reported a pretty major data breach that compromised these very same accounts… This is not a good look. The fact that I can’t disconnect the cloud account is my biggest concern, especially given that, like I said, I have security cameras, and apparently the accounts are not protected well enough. Even if you disable the cloud access functions, how are we supposed to know if it is really inaccessible? We don’t, we just have to trust. I don’t. The previous USG hardware did not have this problem at all, as it was not cloud connected. If only the hardware were better…
At this point I am actually considering building a new server with a bunch of NICs and using something like pfSense. I don’t know if I could keep using the Unifi APs, but I know the cameras would still mostly work. I could run a Unifi controller on a Docker node for all the gear that needs it and let a pfSense router do all the actual heavy lifting. Such a shame…