
Ubiquiti UniFi Thoughts and Questions


BAlGaInTl


rbjtech

Yep - fully aware of what Snort is - I have used it in a commercial environment for years 😉 - I'm just surprised from the logs above that those ports are even opened and thus getting to Snort in the first place. In the example above - unless you need remote SSH initiated from the internet - why on earth would you allow it into your network in the first place? It's all about reducing the attack surface - not just relying on these tools - security 101.


sooty234

I see what you're saying. You can probably chalk that up to laziness. I had a USG long before I added pfSense. So the USG (and now the UDM Pro) is configured for appropriate security. I wanted to add pfSense because I can run interfaces more easily and it has much more processing power. So I just figured, meh, let Snort do its thing. I'm not overly concerned about security. If I had more services facing the internet, I would harden it further. And I still might, if I'm bored one day :)


lightsout
I'm a little confused with this tbh - the firewall should be configured to silently drop everything except what you explicitly allow in and out. 

Curious to know what this might look like? My UDM is mostly default.

rbjtech

.. and this, guys, may be the issue here. When I trialled a UDM Pro, I was staggered to see that the out-of-the-box default settings were to allow ALL outgoing traffic and inter-VLAN traffic - for a 'professional/prosumer' firewall, this is just plain wrong. You always start with everything blocked (incoming/outgoing and inter-VLAN) and then open up what you need - i.e. the least privilege concept. This is partially why I sent it back - I just wasn't happy with the maturity of the product.

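To make the "start with everything blocked, then open what you need" policy concrete, here is an added example (not from this thread, and not UniFi or pfSense code): a small first-match rule evaluator with a default drop, run over a few constructed flows. The VLAN ranges, the allow list and the sample addresses are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN layout (assumption, not taken from the thread).
VLANS = {
    "lan": ip_network("10.0.10.0/24"),
    "iot": ip_network("10.0.20.0/24"),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    established: bool = False   # reply traffic for a session already allowed

def zone_of(addr: str) -> str:
    """Map an address to a VLAN name, or 'wan' for anything else."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "wan"

# Explicit allow list, first match wins; anything unmatched is dropped.
# Entries are (src_zone, dst_zone, proto, dport); dport None is a wildcard.
ALLOW = [
    ("lan", "wan", "tcp", 443),   # LAN may browse HTTPS
    ("lan", "wan", "tcp", 80),
    ("lan", "wan", "udp", 53),    # DNS to upstream resolvers
    ("lan", "iot", "tcp", 8123),  # LAN may reach one IoT service
    ("iot", "wan", "udp", 123),   # IoT devices only get NTP out
]

def decide(flow: Flow) -> str:
    """Return 'allow' or 'drop' for a flow under a default-deny policy."""
    if flow.established:
        return "allow"            # stateful: replies to permitted sessions pass
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    for s, d, proto, port in ALLOW:
        if (s, d) == (src, dst) and proto == flow.proto and port in (None, flow.dport):
            return "allow"
    return "drop"                 # default deny: inbound, inter-VLAN, everything else

if __name__ == "__main__":
    for f in [Flow("10.0.10.5", "198.51.100.20", "tcp", 443),   # LAN -> internet HTTPS
              Flow("198.51.100.9", "10.0.10.5", "tcp", 22),     # internet -> LAN SSH
              Flow("10.0.20.7", "10.0.10.5", "tcp", 445)]:      # IoT -> LAN SMB
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {decide(f)}")
```

Note that IoT-to-LAN is dropped even on port 8123, because the allow entry is directional; only the reply path back to the LAN initiator passes, via the established check.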

Spaceboy
On 6/22/2020 at 1:55 AM, sooty234 said:

@Spaceboy If your pfsense box has enough juice.


So I installed Snort, very straightforward following that tutorial. Not sure whether to be happy or not, but I'm getting far less interesting things turning up in my alerts log than you seemed to :) . Lots and lots of port scanning (which I know I can and probably should disable due to excessive noise) but not a whole lot else.

The other thing I have decided to do is go back to using pfBlockerNG. I've been using Pi-hole for the last 18 months or so, but watching the comparison videos convinced me of pfBlocker's additional benefits. And finally I'm going to visualise the pfSense logs in Grafana...

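Before disabling the port-scan alerts outright, it helps to see which signatures actually make up the noise. This added example (my own, not from the thread or the Snort project) parses a few constructed lines in the Snort 2 alert_fast layout, counts alerts per gid:sid and flags portscan-preprocessor signatures that fire repeatedly as suppression candidates; the sample lines, addresses and the local SID are assumptions.

```python
import re
from collections import Counter

# Regex for Snort 2 "alert_fast" lines (assumption: default fast-alert layout).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_fast(lines):
    """Yield a dict per line that matches the fast-alert format; skip the rest."""
    for line in lines:
        m = FAST_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(lines, noise_threshold=3):
    """Count alerts per gid:sid and return (counts, suppression candidates).
    A signature is a candidate when it fires at least noise_threshold times
    and comes from the portscan preprocessor (gid 122), i.e. scan noise rather
    than a rule matching an actual exploit attempt."""
    counts = Counter()
    for a in parse_fast(lines):
        counts[f"{a['gid']}:{a['sid']}"] += 1
    candidates = [k for k, n in counts.items()
                  if n >= noise_threshold and k.startswith("122:")]
    return counts, candidates

# Constructed sample log in Snort 2 alert_fast style (not a real capture).
SAMPLE = """\
06/22-10:15:32.000001  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 198.51.100.7 -> 192.0.2.10
06/22-10:15:40.000002  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 198.51.100.8 -> 192.0.2.10
06/22-10:16:01.000003  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 198.51.100.9 -> 192.0.2.10
06/22-10:17:12.000004  [**] [1:1000001:2] LOCAL inbound SSH to WAN [**] [Classification: Attempted Admin] [Priority: 1] {TCP} 198.51.100.7:51234 -> 192.0.2.10:22
""".splitlines()

if __name__ == "__main__":
    counts, noisy = summarize(SAMPLE)
    for key, n in counts.most_common():
        flag = "(suppress candidate)" if key in noisy else ""
        print(f"{key:>12} {n:4d}  {flag}")
```

The single inbound-SSH alert stays visible, which is the point: tune out the scan noise by signature, not by turning the log off.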

BAlGaInTl
On 4/22/2020 at 11:35 AM, rbjtech said:

To note, the entry level USG cannot handle high internet throughput with packet inspection (IPS), even the USG 8 cannot handle full gigabit with IPS. Sophos XG can run it no issues at all - but it's dependent on the hardware you install it on obviously ..


On 5/24/2020 at 2:17 PM, MRobi said:

The only way the USG will be sufficient is if your internet connection is under 100Mbit. And those are getting rarer and rarer these days. Even with a slow internet connection I wouldn't recommend it because it's old hardware and with how tech changes you're starting with something that's already outdated. It was fine during its release back around 2016 but it doesn't cut it in 2020. If your connection is any faster than 100Mbit, by enabling any of the security features on your security gateway, you'll be throttling your internet connection. In order to keep your internet speeds you need to disable the security features, but then what's the point of putting a security gateway in place?


On 5/24/2020 at 4:27 PM, BAlGaInTl said:

My connection is only 100Mbit, and that's the fastest available in my area.


I may upgrade to something different at some point, but for now, the USG meets my needs, and it's a good start to learn the UniFi system.


On 6/3/2020 at 8:33 AM, BAlGaInTl said:

I don't "need" that....

With that said... I am eyeing up a PoE switch to replace my switch from another brand.  I don't "need" that either but but.... 

I'll worry about upgrading the USG if I can ever get faster internet.  For now, it's fine.


So that didn't take very long...

I upgraded my internet to 400/20 Mbit a couple weeks ago and had to disable all the packet inspection on my USG to get the speeds. It was fun while it lasted.

So I hit the interwebs to see if I could find a deal on a UDM Pro only to find that they are out of stock everywhere. Looks like a new line of products is imminent, but that doesn't help me right now.

So the question is do I try to spin up a VM with pfSense or Sophos XG and maybe build a 1U server to house it permanently? Or do I wait for the new Ubiquiti kit? I'm assuming that I could continue to operate my wireless network using the UniFi controller docker that I have running now sans USG.

Things I learned today.... listen to the Emby community when they tell you spend some more money up front.  Even if you get a really good deal on a USG.


rbjtech

The issue with technology is it's always changing and being upgraded lol - you can never 'keep up' ..

I'm not familiar with the USG packet inspection, but you may be able to do 'selective' inspection to try and reduce the overhead.

I know on the Sophos XG (and likely on pfSense) you can basically 'not' do packet inspection on categories of products - so if you don't run a SQL Server (for example) then you can turn off all the vulnerability scanning for SQL. The less you scan, the less overhead you have.

If it can do this, it might be worth a shot - but at the end of day, the entry level USG was never designed with a 400Mbit internet connection in mind.

I returned my UDM Pro when they first came out as it wasn't anywhere near as capable as my XG system for both firewall and IPS duties.

If you have the ability to spin up a VM with two vNICs (or VLANs) then both XG and pfSense are certainly worth a play in my view. You may be able to create a 'DMZ' IP with the USG - so use that as your 'virtual' internet connection for the VM (but treat it as a DMZ - as it will be!).

On the physical vs Virtual debate - I run the XG on a 1U physical - VM's are ok, but if the host you are running it on goes down, or is rebooted for maintenance or the networking for that host is interrupted by switch firmware updates etc, then of course your internet will be unavailable.


BAlGaInTl
7 minutes ago, rbjtech said:

On the physical vs Virtual debate - I run the XG on a 1U physical - VM's are ok, but if the host you are running it on goes down, or is rebooted for maintenance or the networking for that host is interrupted by switch firmware updates etc, then of course your internet will be unavailable.


Great input.  Thank you.

To the bold... this is exactly why I went with the USG in the first place.  I like my router to be a separate piece of hardware since I also VPN to it in order to manage my network remotely.  

Any prebuilt (or mostly built) 1U hardware you could recommend as a starting point? I'd also be willing to go with an SFF box that could be mounted on the wall in the closet where my cable modem is.


rbjtech

My 1U was just a generic 1U chassis - my CPU for XG is now technically 'obsolete' as it's 5 or 6 years old but it still runs great - I used this:

ASUS N3150I-C SoC Motherboard with Integrated Intel Quad Core N3150 Processor + a Quad Intel NIC

It has 4GB of RAM and runs my full d/l (400Mbit) with full IPS at about 20% CPU. :)


BAlGaInTl
3 hours ago, rbjtech said:

My 1U was just a generic 1U chassis - my CPU for XG is now technically 'obsolete' as it's 5 or 6 years old but it still runs great - I used this:

ASUS N3150I-C SoC Motherboard with Integrated Intel Quad Core N3150 Processor + a Quad Intel NIC

It has 4GB of RAM and runs my full d/l (400Mbit) with full IPS at about 20% CPU. :)

Is something like this a good deal, or overkill?

https://www.ebay.com/itm/224561639976?hash=item3448eab228:g:xQ8AAOSwLv9hDK2N 

This particular one is pfSense.

I'm not even sure of the real differences between the two yet.


MRobi
On 29/09/2021 at 11:34, BAlGaInTl said:

So I hit the interwebs to see if I could find a deal on a UDM Pro only to find that they are out of stock everywhere.  Looks like a new line of products in imminent, but that doesn't help me right now

Start browsing Facebook Marketplace, Craigslist, etc. for used UDM Pros. The UDM Pro SE is around the corner, which adds a 2.5Gbps-capable WAN port and PoE. It is literally adding the 2 things I needed to make the UDM perfect for my setup. I'm sure many will "upgrade" to the new model, and the added features may or may not make a difference for your needs. It could also mean the UDM Pro will get discounted to clear it out.

You could also check into the regular dream machine, but it sounds like you're looking for rack-mounted.
