Last week I switched my router from Sophos XG to Ubiquiti (UBNT) USG (UniFi Security Gateway).
The setup
The setup was a bit tricky. First I tried to plug it into my existing network with a laptop connected to the LAN port. I could reach the USG, but as most of the configuration is done in the UniFi controller, I just had to unplug my existing network and configure the USG where it should be.
The configuration on the USG web GUI itself is pretty minimal: just some simple network settings and a DHCP/ARP table of clients.
UniFi controller
Network and DHCP
After adopting the USG in the controller, you can create networks, configure the firewall, etc…
IPS and DPI
IPS (intrusion prevention system) and DPI (deep packet inspection) are off by default.
DPI has been a part of Ubiquiti products for a while, but the IPS is a new feature. I have turned it on, but I’m not sure if I have done something wrong as the GUI is pretty blank.
The DPI allows you to see some great stats on which services are using data on your network.
Unfinished?
Ubiquiti is known for creating good products and releasing them with very few features. When I tested the EdgeRouter just after it was released, most things had to be done in the CLI. When they released the UniFi cameras, there were very few features other than looking at the video feed and recording video.
The upside with Ubiquiti is that they listen to their users, creating the features their customers want. Not like other brands, which create products full of features you will never need and also make you pay for them. I won’t say that the USG is bad, and it’s not fair to compare it to other brands, as their philosophy is different. That said, there are some features I don’t quite understand, can’t get to work, or that are just missing.
Clients
In the UniFi controller, you have a page called Clients. There you can see your clients and whether they are connected to an AP or through the LAN.
The only problem is that it doesn’t list the clients with a static IP. I never like to use DHCP to assign static IPs, as if anything fails or I have to change my router, I need to manually set the IP in the DHCP for a lot of devices.
If I open the settings page directly on the USG, I can see these devices, as they are discovered with ARP. So the controller knows they are there, and therefore there shouldn’t be any reason not to show them in the controller.
IPS
As I mentioned above, it looks like the GUI for the IPS has been created, but it doesn’t contain any data.
It’s not especially believable that I haven’t had any attacks. My old Sophos XG was reporting stuff all the time.
Configuring hosts
It’s not unusual to have services on the inside that also have to be reachable from the Internet, e.g. my Home Assistant. For a corporate gateway, it’s a bit weird that it doesn’t have a GUI to configure hosts or set up virtual domains.
Why switch my GW from Sophos XG to Ubiquiti USG?
My Sophos XG was installed on a VM on my ESXi. This setup worked great, but it requires a bit of maintenance. E.g. when we had a power outage and I was away, I had to explain to my girlfriend that she had to power up a server, set a manual IP on the computer, log in to vSphere and start a virtual machine.
Yes, you can configure autostart on the ESXi.
A few weeks ago, my ESXi started to show some random error messages, and I concluded that I had to upgrade/reinstall ESXi. Running my Internet gateway on a computer that needs a lot of configuration to work isn’t good for the uptime.
Switching to Ubiquiti and the UniFi environment will give me good and simple management of my network, where I can control my gateway and APs from the same GUI.