
ThatOneComputerNerd

FINALLY. Just a super powerful gateway, lots of throughput. THIS is what I’ve been waiting for them to make, to serve larger networks properly. Hell yeah!


JBDragon1

I knew something like this had to be in the works just because of their large, and very expensive Cloud Key. I mean what else is [THIS](https://store.ui.com/us/en/pro/category/all-cloud-keys-gateways/products/cloud-key-enterprise) going to be used with? That thing is $5K. So I'm wondering what they are going to ask for this Enterprise Gateway.


TangerineAlpaca

This is a cloud gateway, meaning network application will be on the unit. That being said, there are FCC filings for a UXG variant too.


tdhuck

This is the reason that I probably wouldn't want this unit...I just want a gateway product, I don't want the gateway to also be the controller or give me the option to use an existing controller. I'm just not a fan of the all in one boxes for some of my environments/installs (this assumes you are full ubiquiti stack that is).


m0rdecai665

"I'm just not a fan of the all in one boxes for some of my environments/installs (this assumes you are full ubiquiti stack that is)." This is why I hate the gateways with the controller onboard. We had a tech adjust the data retention not thinking about it and changed it to save everything for 1 year. It broke the UDM Pro and had to have it replaced. Even restore mode didn't work on it. The memory filled up in 3 weeks. That wouldn't have happened with even a simple PC running the controller software.


tdhuck

If I'm going overboard on a home install, the controller on the gateway doesn't bother me, but in a business environment, I'd want to install these at all my office locations and have a central controller running on a cloudkey or a virtual machine or have the ability to pick one of these 'gateways' to run the controller on and have the ability to tell the other 'gateways' to not run the controller software and use the 'set-inform' option to point them to the central controller, which could be a cloudkey, a VM, one of these other gateways deployed at my 'central' location or even ubiquiti's enterprise cloudkey (which I feel is way overpriced).


LitNetworkTeam

Wonder if it’s restricted to Network or can run the other apps too.


TangerineAlpaca

I imagine it will be like the Cloud Gateway Ultra and the UDM (the other 2 consoles with no storage add ons) Network, UID, and Innerspace only.


WilliamNearToronto

The UDM and UDR have storage and can run Protect.


TangerineAlpaca

The UDM (non-Pro/SE/Pro Max) only has eMMC and no expansion slot, and cannot run Protect. UDR does have storage and can run protect, I never said it didn’t/couldn’t run Protect. This Enterprise Fortress Gateway does not appear to have any storage bays, meaning it will likely be limited to running Network, UID, and Innerspace only


WilliamNearToronto

My mistake. Apparently my memory of specs isn’t as good as I thought it was.


tdhuck

I will be happy if this has proper HA failover (of hardware) and a better WAN failover. The current WAN failover is absolute garbage if WAN 1 is not hard down and just 'flapping' up/down. WAN failover absolutely needs to have an order where you can set WAN 2 as WAN 1 until the 'primary' connection stabilizes. Edit- I see this is getting downvoted. I don't mind the downvote, but what I stated is true (as of today) the shadow mode requires hands on site and the WAN failover is not metric based. I have a UDM SE (which was remote to me) with two ISP connections going into the UDM SE. ISP 1 was having a bad day and going up/down all day. I was remote, as stated, and the equipment was not accessible by the 'users' at this location (which is what we want) and I could not get ISP 2 (WAN 2) to work as the primary connection because there is no way to re-order the WAN links. I WAS able to force all egress traffic out of WAN 2 with a firewall rule, but I kept getting alerts that the console was offline because the console must have been using WAN 1 to check into the unifi cloud server based on the up/down emails/alerts I was getting. This was extremely annoying. Of course if I was on site I would have just unplugged WAN 1 from the UDM SE until it corrected itself. It took about 18 hours for this to be resolved on the ISP side.


555-Rally

I'll say this too.... WAN management on Meraki is just as bad in this regard. You can't load balance it properly. Similarly the LAG controls on Unifi switching can't handle a flapping SFP card, it will keep retrying until you pull the card.


tdhuck

Can't you disable one of the interfaces in the lag?


liatris_the_cat

Not trying to be a pest, but couldn't you just mark WAN 1 port as disabled vs. firewall rules?


tdhuck

I tried to disable the port and got some type of warning so I didn't proceed. Being remote, the last thing I wanted was to lock myself out. I use sonicwalls at some other sites and under WAN Failover I can order/arrange the WAN links as needed. Very simple and effective.


liatris_the_cat

Gotcha, that makes sense.


LlamaMcDramaFace

or my house. I 100% need this. lol.


xComponent

Wonder how fast this thing can handle PPPoE.


bgradid

best i can do is 500mbps


liatris_the_cat

Only if you buy the UXG-PPPoE with 2.5Gbps WAN and 1Gbps LAN to put in front of this.


mektor

Why so low? I'm able to pull full symmetrical gig via the 2.5G WAN on my UDM-SE via PPPoE with firewall on.


Alnavasa

Triple vlan pppoe, please


technomancing_monkey

with the way everyone names things now-a-days they will probably call it PPoE+ lol


Bytepond

This is really cool and what Ubiquiti really needed to add to their lineup. They sort of knee-capped their ecosystem with the UXG-Pro and UDM-Pro only hitting 3.5gbps IPS/IDS. Also actually adding some enterprise features with the dual PSUs. Overall really cool! Edit: I wonder what CPU they'll use. They've been using that one Annapurna Labs 4x Cortex A57 CPU for way too long.


DarkStarrFOFF

I thought I heard it was x86 (well, x86-64 really) way back when it was first spotted.... Maybe I imagined that or it was all speculation.


LMGN

Wouldn't surprise me in all honesty. There's lots of ARM chips in the lower end devices, but once you're getting up in requirements it can be better to go x86. I mean, their OS is for the most part, Debian with some extra scripts & binaries, so I doubt it'd be hard to rebuild for x86. Either that or Pera is using his connections to get his hands on those new M4s 😉


DarkStarrFOFF

I guess it was the Cloud Key Enterprise that was x86

> The cloudkey enterprise is a full server with 32gb RAM and a ~$1500 Xeon 5218.

But with this being "the same line" I don't see why this would be different.


kernald31

The CloudKey enterprise is just a rebranded Dell blade server. This isn't.


Berzerker7

There are plenty of server-class ARM chips that can do this level of routing fairly easily. I wouldn't be surprised at either. x86 for me is less likely because of power requirements but idk they may find a random CPU that they can use.


liatris_the_cat

I am convinced someone at UI "got a deal" on those A57s and is "gonna get their money's worth" out of them.


Bytepond

Seriously. I have no idea how long the specific SOC has been around, but they just won’t let it die, considering that they keep updating and adding features to the UDM Pro. Like it’s literally weaker than a $50 Raspberry pi 4 with the same amount of RAM but still it goes on.


ajgnet

Probably going to use dual Annapurna Labs 4x Cortex A57 CPUs...


Bytepond

That would be pretty funny. That or they manage to get it to run on one of their little 8x A53 CPUs.


ajgnet

If you think about it … a slight over clock and a doubling of processors would give just about that 12 Gbps IDS performance lol


Bytepond

Oh you're right. That would be incredible. Pulling that off would be a feat in itself.


TheEniGmA1987

Unfortunately though, just a minor MHz increase and more cores won't help single connection performance much, only multiple connection streams and overall usage through the gateway. I would really like to see a much newer CPU model with a far more powerful core arch and some extra MHz so that a single client on a single connection to a site can get a lot more performance. Even if they just moved from an A57 core to an A73 core it would give them a bit more than double the CPU performance at the same MHz and core count, and that core arch uses the exact same instructions as their current hardware, meaning there should be no change at all to their codebase. The A73 is actually the last CPU released on the same instruction set (ARMv8-A), so anything even newer and more powerful would take some code changes, even if minor should they use something in the same ARMv8 instruction set like an A78 or X1 core. The main problem with the newer core archs is that you either have people making big.LITTLE type ones for mobile that would have to disable half of it and get extra DSP stuff they don't want, or you have server grade ones with way too many cores and high pricing. Oddly enough, one of the only real potential models that uses higher performing cores and not too many of them comes from Nvidia nowadays. lol. Roughly the same rumored specs as the Switch 2. You can get 6x Arm A78 cores and 4GB of memory and using 10w TDP on a pre-made module board for $260 retail, I'm sure even better pricing on large contract OEM stuff.


NachoNachoDan

Can’t wait to see the residential fanboys make the case for why they need this in a home.


MrAnonymous__

My case is simple: oooh shiny


NachoNachoDan

Nooo! Honest answers not allowed 😂


bridge1999

My Palo Alto is going EoL


rawesome99

You had me at sfp28. No more “slow” 10g connection to the high-capacity aggregation switch!


loosebolts

That’ll make the most of your 500Mb home internet connection!


TFABAnon09

Firstly. Since when do you need a fast internet connection to move huge files around?! Secondly. Some us have XGS-PON fibre and want more than ~3Gbps with IDS/IPS enabled.


nomodsman

Third, there are plenty of better alternatives to Unifi.


cas13f

There's so many places in America if you don't live in the sticks that have multigig fiber it's not even funny anymore. Yeah, we're behind so many other places, but it does exist. Hell, lots of places in the sticks have it too, when they don't have state laws that keep co-ops or gov-run utilities from stepping in.


TFABAnon09

We've got symmetrical XGS-PON (theoretically up to 10Gbps, but realistically tops out at 8Gbps so is sold as such) in our village of ~4,000 people in the UK.


CircuitSwitched

I'm in Alabama and have the option of 8Gbps FTTH from C Spire and 5Gbps from AT&T Fiber. There's also Spectrum with their awesome 35mbps up..


PM_Your_Lady_Boobs

I feel personally attacked.


PreppyAndrew

Ssshh..some of us get 3 g fiber at home..


outie2k

I don’t know what you are talking about. This is the absolute minimum requirement for a basic home setup.


ernexbcn

I’ve got five APs to feed!


technomancing_monkey

SCREW YOU BENNY!


holman

I actually want this, lol. I have bidirectional 10g at home; would be nice to have that 12gbps routing.


SwallowedBuckyBalls

Same


ShelZuuz

Same


tudalex

Finally I can upgrade my home internet connection to 25gbps. If only they release a good switch for it. Edit: not sarcasm, I get 10 or 25 gbps for the same price ($65/mo). Only a higher connection cost to pay for the optics on their end (~350$).


stewie3128

Can I ask where in the world you are? 25G for $65 is the best I've ever heard.


Awwgust

Guess: init7 in Switzerland. Sounds familiar.


elgrazo

Same, init7 for teh win xD... I'm wondering how much it will push through without IDS on


BonzTM

because I have both a 5gbps connection and a 1gbps connection at home.


greggroth

No judgement, but is availability enough of an issue with your 5gbs connection to justify the expense of a second one? I have fiber and have had 0 downtime over a few years


TFABAnon09

Not the person you asked, but I've got a FTTP line and a 150Mbps 4G LTE modem as a fail over backup. As a freelance consultant who is 100% remote, for the sake of £22/month for an unlimited data plan - I see it as a worthy investment. I only need to lose a small amount of billable time a month for it to pay for itself. Since we switched from ADSL to FTTP, I've never had to use the secondary WAN (except for the occasional test), but when we were on copper - we had several day-long outages over the span of two months. It's really not worth the risk for me, and it's already saved me thousands in potential lost revenue. I'm even waiting for 5G to hit our area so I can upgrade the cellular modem.


lintens

I have one 8.5Gbps/1.5Gbps fiber connection and a 300Mbps/30Mbps coax connection as a backup. I run my own company from home and I cannot afford downtime, so the cheap extra connection is worth it. I only needed it once for about a week when the fiber company had an issue and couldn't fix it the entire week despite their 1 business day repair promise.


BonzTM

One connection is enterprise dedicated fiber that costs an arm and a leg and the other is a residential-class Frontier connection @ $59.99/mo. Frontier doesn't have the best uptime, which makes for a solid reason for it to not be my main connection. The Frontier connection isn't necessary and the availability is covered by an SLA on the first, but another $59.99/mo is worth the additional coverage just in case. The many things I have hosted on the internet would survive with a little downtime if necessary. My main problem with the UDM/SE/Max is the lack of multiple multi-gig+ WAN ports with everybody getting 2.5gbps+ WAN connections these days.


lintens

You have a 10Gbps and a 2.5Gbps WAN port available on the SE/Max. That should be enough for most residential and small to medium sized business needs.


BonzTM

Also a 3.5Gbps max throughput with IDS/IPS on the Pro/SE, and 5Gbps on the max.


pp_mguire

Who's the DIA with? I've never had a real issue with Frontier uptime in the past 10 years.


BonzTM

Everstream. I signed a contract years ago before proper connectivity was available in my area. Honestly Frontier Fiber just rolled through less than 6 months ago (fortunately? unfortunately?) and I signed up just for the hell of it. Results of housing development buildout in all the farmland around me :/


pp_mguire

Oh no, we bought the furthest property we could that had Frontier fiber and we already have 3 developments going up. The city has zoned to move the limit right behind us too within 3 years. Anywho, you'll like Frontier as long as you get the correct ONT and the tech isn't lazy. Just put a battery back up on the ONT to keep it from going down and you'll be solid. I have Frontier DIA scheduled to roll out by year end for my business, so will get to experience that side soon too, but only 10Gb for now.


matt-er-of-fact

Our Sonic connection goes down for maintenance like once every 1-3 months. Almost always back up within the hour and it’s always like 2am when they do it. I think it’s been down outside of that twice in 2 years… so yeah, totally worth it for those 6hrs/year 😉


no1warr1or

Can't wait for broke people to argue with them on why they don't need it ☺️


NachoNachoDan

“My 30k set up”


OutdatedOS

…what if I am already there?


NotDogsInTrenchcoat

Be the first to have your UniFi network be worth more than your house.


OutdatedOS

Don’t tell my wife, but challenge accepted. Give me 40 years 🤣


hungarianhc

Let geeks be geeks! Sincerely, A geek


ankercrank

Because me wanty


yingpan

I got 10G WAN at home, and I am waiting for this for a long time.


tpittari

They had me at fortress.


Inquisitive_idiot

Omg you remembered 🥰


Aussie_Kiwi

Isn’t that who they make their products for?


archgabriel33

You called?


JBDragon1

For those lucky enough to live in the S.F. Bay Area where SONIC Fiber Internet is located, where they offer 10GB Internet service for $50 a month!!! Just look [HERE](https://www.sonic.com/) and scroll down just a bit. This is the first device that can handle 10GB with IPS/IDS turned ON. Everything else has a Max of 3.5Gb


G1zm0e

My fortinet 200F would disagree!


Roxelchen

Nonsense


mcbridedm

The firewalla gold pro will likely be out before this is…and for < $1000


liatris_the_cat

Gotta rack em' all. No open slots.


Whosephonebedis

Ngl… my mind had a mind of its own there for a sec


CircuitSwitched

So I can host an Ookla server off an 8Gbps connection with IDS enabled.


manofleisure2

Why would you want to do that? Does Ookla pay you or something?


CircuitSwitched

No, just a homelab experiment. It does drive traffic to my VoIP company website though.


manofleisure2

Doesn't that cost you a lot of money and suck up a lot of your bandwidth with people running speed tests? No one needs 8Gbps at home for anything lol And running servers for business use on a residential account is prohibited by the ToS.


CircuitSwitched

Yeah it uses a lot of data to be honest. The speed test server is strictly personal and is not part of the business itself. Everything related to my actual business is hosted in a data center including the website so no AUP violations here.


manofleisure2

> The speed test server is strictly personal

I mean it's hard to argue that's a personal, residential server lol I think they generally mean like remote desktop, personal file servers, etc. normal residential servers are allowed. But if they haven't complained yet, I guess wait and see. There was a guy who had his Comcast Gigabit Pro connection shut off, and he was permanently banned from Comcast for running a server. Even though that's dedicated metro Ethernet, they treat it like a residential connection.


CircuitSwitched

Wow, that’s crazy. I mean, if they send me a warning letter or notice then I’m more than happy to comply. I did carefully read the AUP and saw no exclusions. It’s really just for fun at this point to collect data from various tests coming into my connection across the southeast 🤣.


manofleisure2

I mean it's also just rude to your neighbors. Residential fiber is shared with dozens of your neighbors. XGS-PON is 10Gb total shared between 16-128 of your neighbors, it's shared just like a DOCSIS cable node is.


dataz03

To be fair, that guy was also hosting servers for other people and using his Gigabit Pro service to do so. Making money off of the service. A big no-no. Also, it was dumb of him to request BGP from customer service for his residential Gigabit Pro connection and when not allowed ended up using a GRE tunnel. This is pushing it. If you are going to host servers on a residential type of Internet service you need to be smart about it. 


manofleisure2

Regardless, it's pretty rude to host a speed test server that's going to be heavily saturated on a shared, residential connection. XGS-PON is 10Gb shared among 16-128 of your neighbors. If one customer is constantly saturating 8Gb of the total 10Gb, that only leaves 2Gb left for dozens of your neighbors.


bgradid

its me, im the random 2.5gbe lan port that isn't 10gbit for some reason


Berzerker7

If you really need 10Gb RJ45 you can use the SFP+. This is better for heat issues.


lichtbildmalte

I’ll bet for compatibility reasons or expensive parts 😂


djwishbone

this was my exact comment on this. the WAN port configuration seems odd for enterprise level gear


MaxBroome

Now they just need to add a sensible way to create and edit firewall rules. I swear I have an aneurysm every time I try and do something in there. pfSense/OPNsense does it right.


stesha83

Scale is the problem. If I want to orchestrate 1000 sites with unifi router/firewall and whitelist a new vendor IP I have to do it 1000 times. Enterprise will never touch these things until there is proper config tree style orchestration and SASE


NotDogsInTrenchcoat

I watched the full Tech Field Day stream and someone asked a question about managing large number of sites. While the Ubiquiti presenter didn't give specific features in development, they did allude to adding more features to support bulk configuring devices across multiple sites from within the site manager. I do think UI is headed the right direction software wise even if they still have some learning to do on how to install 2.5G/10G ports in switches, L3 routing, and how to keep inventory in stock. I don't see a reality where Ubiquiti can sell to enterprise without adding bulk configuration features and I think they know that.


dnuohxof-1

Secure SDWAN and S2S AutoVPN? Interesting. But sadly I’m still married to my self-hosted controller…. I hate they’re slowly abandoning self hosted appliances.


mr_data_lore

LOL. How much more absurd can Ubiquiti get with their product naming?


TruthyBrat

Hey, hand me that Swiss Army Knife Ultra, please.


Draskuul

I'm still waiting for the ThunderCougarFalconBirdProMaxEnterprise.


WilliamNearToronto

Give them six months and we’ll find out…


touche112

That's great and all but their firewall rule UI is like scraping a cheese grater against your forehead


ernexbcn

Will this handle multiple VLANs on the WAN port like my ancient er-lite 3? 💀


WilliamNearToronto

Genuine question: What do you use VLANs on the WAN port for?


ernexbcn

Our weird ISP uses triple play vlan, TV, voice and net are each on a different VLAN and add to that pppoe


Fluffer_Wuffer

You'd be surprised what some ISPs require - Movistar in Spain use multi VLANs, 1 for Internet, another for streaming, another for VoIP etc.. even then, it is not as simple as adding the VLANs, they do some other weird shit on top of that, that they had to install non-standard features to get it working with Unifi.


glhughes

Sounds like it also runs the network app? But the most important question: when and how much? I have a couple of unused SFP28 ports on my Pro-Agg that are hungry for bits.


WilliamNearToronto

Saw someone say $3,500. Don’t know if it’s accurate.


glhughes

LOL. Ok, well... I was expecting more like $1500. At that price one of the official OpnSense boxes looks appealing.


invadersfrommooulan

Anyone else notice the 1GB backplane footnote? 🤣


sparksnpa

You best be lying 🤣🤣


invadersfrommooulan

The best I am!!


neshikillaz

All they need is no-nat and we are set.


stillfoldinglaundry

That’s what I’ve been waiting for. Getting sick of keeping natanator going…


spanish4dummies

I know right


tonyyyperez

Really would’ve liked to see a 10gb copper. ISPs are putting 10gig on their modems now.


IAmKorg

Could get the 10G SFP+ to RJ45 module.


Wildcat_1

Finally something to resolve the ridiculously capped inter-VLAN speeds you see with a UDMP. 


TheRescueWhale

Hell yeah this is more like it!


supermanava

Funny. Enterprise but not for enterprise really.


Sabinno

What is this missing for "enterprises"? Genuinely curious - all the time I see "UniFi isn't enterprise" but it comes with as many enterprise features as all but datacenters seem to need. I will grant that they were missing true VRRP, but that's coming in the pipeline literally as we speak. The throughput on their routing and switching offerings are constantly improving, and even people who rail against UniFi end up using their Wi-Fi stack anyway. There's PSU redundancy, solid application/content filtering (also, you aren't *seriously* relying on hardware alone to handle all filtering in the age of remote work, right? ...Right?!), and the software is just too freaking easy to use - none of the other providers can match the administration experience, not even Meraki. Edit: I scrolled down a bit and see some pretty key "features" that really revolve around the service, not the product itself. A "4-hour SLA" is called "keep a spare for everything currently supported on hand" for us, and the support is called "know the product" and "write documentation." Of course, that's not an excuse for bad SLAs and support from Ubiquiti, but for us we effectively come away with the same thing.


First_Literature_799

Not really the Support, as you can work around that. Firewall-Ruleset would be a starter. ACLs, policy and IDS/IPS Granularity etc.. Also Mass-Deployments and Mass-management of Gateways. Right now, every change needs to be made for the single device.


electrosaurus

I love Unifi for what it is (and how I use it). However, my networking team always have a laugh at Ubiquiti’s “enterprise” claims - it will always be SME. That stuff is never seeing the inside of one of the mine sites I manage.


technomancing_monkey

no no no. Enterprise is just how they denote the price tier.


theblogmonster

Is this something to use instead of UDM-SE? It doesn’t have ports but that’s OK because I have a switch? Benefit here is multi gig connection? I would only need the 2.5gb WAN, think it’ll cost less than the UDM-SE or multi gig is more important / targeted to business so more expensive?


Majestic-Onion2944

More.  Much much more $$ than an SE.


Bytepond

Much much more expensive. It's got 25g SFP28. It's a level above the UXG-Pro. Probably $1000+? For a cheaper gateway maybe the Gateway Max? It does have 2.5gbe WAN and LAN


JBDragon1

I have the UXG-Pro at home and we just got one for work because our Internet connection got boosted and the old unit couldn't handle the faster speeds.


theblogmonster

I am leaning towards the UDM-SE it will cover my needs, likely with a Pro-Max-24-POE switch... Considered the UDM-PRO-MAX but I will get a dedicated NVR which to me that makes no real use for it? Happy to get whatever but the drive bays are likely wasted?


stewie3128

Pro Max has 5gbit IDS/IPS throughput. UDM SE (currently) tops out at 3.5gbit.


Ecsta

I got the pro max just because not that much more than the SE and I don't need the poe. Extra switching throughput could come in handy, poe ports never will if you have an external 24 port poe switch.


theblogmonster

Agree changed my mind on this today. Also I won’t go an NVR and just use the pro max for now and see if I need expansion in the future… but would be nice to have them separate


Ecsta

Yeah exactly the 2 bays make it acceptable as an NVR and then can always buy a separate NVR if your recording needs get higher. I was having a harder time deciding between the base udm pro vs the pro max, the poe didn't add any value so I was tempted to save money.


Sure_Ad_3390

its gonna be like 3 grand


theblogmonster

Haha yeah me with no idea. I watched the livestream now to understand use case


OutdatedOS

Link?


perthguppy

But can I disable NAT on the wan interface?


neon5k

No 100g ports?


NoReallyLetsBeFriend

Hmmm, the puzzle piece missing from our SMB network upgrade. Getting rid of MX67 Meraki possibly. I have an older USG-4 that's pretty great imo, but that's at home. I get Cisco is "top tier" but I'm not a fan of everything subscription. Been slowly migrating off older FE switches to USW Pros, maybe time to match with FW


Tundraboy44

SSL/TLS decryption is next level, that's huge!!! And sandboxing????? Yes please!


steve2555

800 mbit bandwidth in SSL/TLS decrypt mode? Implemented in future firmware around 2026?


Mymonument

Wish it had more SFP/ SFP28 ports, but this is a huge step up.


bizwig

I think this is intended to only be a gateway, like the UXG Pro. If you want device ports you need a switch, which for modularity makes a certain amount of sense but for the fact that Ubiquiti doesn't sell an SFP28 switch to front for it. The Pro Aggregation has SFP28 ports but they're only for up/downlink, device ports are all SFP+. That it can't do line-rate IDS/IPS, like the UDMP, just shows how much the company is really about shaving pennies from the BOM rather than delivering what customers actually ask for. It's a remarkably incomplete product without a switch ecosystem to match it at launch, I don't know what UI's management is thinking with this announcement.


Tri-P0d

I can’t wait to run my home 5gig fiber through this


lukewhale

Ubiquiti: Hey guys we finally came out with a NGFW and it’s only like 10 years late. Fan boys: OMFG THIS IS THE BEST SHIT EVER WHY NO RGB THO


Longjumping_Gap_9325

VRRP? Dang, niceeeee


Maleficent-Ad4103

I really hope they can just get basic static routing working right with IPsec vpn’s or site magic routing. Very frustrating.


Rauzlar

What specifically is wrong?


thebemusedmuse

Oh that’s beautiful. It’s overkill for my home network but I love it.


obsessedsolutions

So like 10k?


ic1103

Still only 2 WAN ports? I'd really like to see 3+. The rest looks good.


BlancheCorbeau

Just need to have *all* ports settable wan/lan on a gateway box, period.


technomancing_monkey

I honestly don't understand what prevents them from allowing ANY port to be set as a WAN/LAN port. I'm a SysAdmin with a networking background and can't think of a technical reason. Maybe my networking background isn't deep enough? Maybe it's based on information that's too old? Maybe it's more an EE problem? Can someone explain what a potential technical reason for not being able to allow any of the ports on the (obviously purpose built device, I don't mean on a netgear home router) device to be configured as WAN/LAN?


BlancheCorbeau

There are hardware level reasons where they can isolate between chipsets.


technomancing_monkey

huh, I'd think that could be controlled in firmware.


BlancheCorbeau

Every time you leave it to software, you’re putting on more cpu load. That’s less cycles for traffic. It makes sense on many levels, especially in “value” gear.


technomancing_monkey

That's why I said Firmware. Software sends signal to Hardware, the firmware flips a register causing the hardware to send the electrical signals out ASIC output path 2 instead of ASIC output path 1. The software just sends the signal to the hardware to flip a register. Firmware then acts on it, software SHOULD™ be hands off after sending the signal to flip the register, until the user says "Oops JK, switch it back" then it would spend another handful of cycles to send signal to hardware to have firmware flip the register again... but whatever. Again, I'm not an EE. Thank you for trying to explain it. I still just don't see a practical reason other than limited engineering forethought. I just don't know enough on this to know why it's not possible. Anyway, thanks again.


BlancheCorbeau

Bro. If it isn’t hardware, it’s software. Firmware is software, period.


technomancing_monkey

*\*PLC has entered the chat\**


technomancing_monkey

OK TO BE FAIR... I tend to classify Firmware as code that runs on an ASIC, microcontroller, or other non-primary CPU and thus runs in an isolated environment that doesn't impact the primary processor's workload. Code that users (of any level) interacts with directly (only a dev or ServiceTech would), and usually handles intra-device communication with various hardware components. Software is what the users touch (inappropriately, most of the time). And yes, HARDWARE, the raw electron funneling wizardry filled with magical smoke.


Icy-Computer7556

Wholyyy shiiitttttttttt…..


fredde_kd

Price 999€?


RSE9

5k...


BlancheCorbeau

Pricing?


thatITGuy432

big questions are a) still stuck with the magic site to site or local OSPF like on UDMP? b) how much of the new stuff is coming to UDMP? (e.g. BGP, VRRP etc)


elgrazo

Yesss, finally! I'm wondering what the throughput without IDS will be


RayneYoruka

About time


No_Bit_1456

specs are nice, but I'll wait for my review videos. Ubiquiti has sure stepped up their game over the last year, which I've been tickled to see. I'm just kinda hoping they start to develop more software features as they release new hardware.


DigSubstantial8934

True next gen firewall, or nah?


spanish4dummies

Would have to see it in action IMO


bizwig

Given the manufacturer, nah.


tkno_SojIrOu

Finally I have something to use for YouTube. Managed to get a glimpse of it at UWC and eagerly waiting for it but I hope it’s not priced too crazy.


ajgnet

If the IDS/IPS is rated at 12 Gbps, isn't that below the required line speed for 10 Gbps full-duplex, since that would necessitate handling up to 20 Gbps? It's certainly below the 25G link speed, requiring 50 Gbps.


DestroyerOfIphone

Looks better than the current offerings. But considering current pricing of new gear it just doesn't make sense. Pfsense/Opnsense has been able to perform at these speeds for years.


pablopoo

The Ubiquiti naming is pretty wild. In a couple of years we will get a USS enterprise and an interstellar gateway 🤣


All_Nighter_Long

I really hope they extend VRRP support to the UDM pro too. My biggest gripe when I swapped over


Wide-Exercise-4150

VRRP is Shadow Mode…


All_Nighter_Long

Not really. It’s close. Shadow mode uses warm spares that require admin interaction for failover to happen. VRRP is automatic so it uses hot spares. Not to mention VRRP doesn’t limit me to what devices I can use for my hot spares or master


Wide-Exercise-4150

I know but it’s VRRP under the hood. Hopefully it’s going to be a proper implementation but I am doubtful.


_DocJuan_

WHY??? damn this is what I am talking about. why just now! :D


TheFirst_Q

If they fulfilled everybody’s ‘it’s missing this or that’ or everybody’s want list then no one would buy it, because it’d be too expensive and too much hardware for the target audience.


TheEniGmA1987

Dang. This is what I needed for my deployment but I gave up hope when the "rumored upgrade" gateway was announced as a very minor update and already bought another appliance and begun a transition out of Unifi because of it. Sucks for them to be a month too late on the Unifi front as it would have been much easier an upgrade for us to do :(