I figured it would end up a $159 device but it has landed at $199. My overall opinion remains the same. As a “USG v.Next” it’s alright. As a Protect host, it’s a hot mess.
Author Archives: ubntfan
UXG Pro exited Early Access
Well, guess I lost a bet on that one. At 21 months since announcement, that has been one incredibly long EA cycle. Still $499 — because why shouldn’t you pay a premium to get lower-spec hardware that runs less software?
Speaking of long EA cycles, I’m still very happy with my UISP Console / UISP-R Pro. Still plenty of functionality to wish for but as a basic router they’ve been rock solid.
Why I left the Ubiquiti Discord, again.
^ The mod crew set up that person to @ me that before banning me. That’s ok, I won’t die mad.
UISP Routers
Ubiquiti first teased the UNMS Router Pro back in August of 2020, with the first Early Access sales in October. This is an exciting device, basically the UDM Pro hardware platform shrunk down to a desktop form-factor, minus the drive bay, priced at $299. I bought one and played with it for a minute but at that time it was hamstrung by UNMS/UISP just not providing enough control over routing functionality to be useful in any way.
Last month they released a revised version called the UISP Console. An internal 128GB SSD was added to support running UISP directly and the price dropped to $199.
I imagine the price drop is to incentivize more people to test a router that has been known to be in development for over a year and the price will go up at release. But right now, $199 for a 10Gb router is an incredible deal. And a year of development has brought UISP routing to the point where it’s serviceable.
At the core software level, the UISP routers run UbiOS and really are “the same” as the UDM line, minus everything that happens in the unifi-os
container. It’s running the ubios-udapi-server
and udapi-bridge
and the /config/ubios-udapi-server/ubios-udapi-server.state
looks just like what you’d see on a UDM. It’s the same on the (presumably discontinued) Router Pro and the UNMS/UISP Router Lite UISP Router (based on the same MediaTek platform of the ER-X and its many variants).
All of them are initially configured via Bluetooth on a smartphone running the UISP app. With the UISP Console, it will join to your existing UISP installation if you are currently signed in. Otherwise, it will go through the process of setting up the onboard UISP instance with cloud-based proxying via an *.r.uisp.com
domain.
The “router functionality” is still pretty minimal. You can assign IPs to interfaces, add static routes, configure OSPF, and set Source and Destination NAT rules both pre- and post- routing. Aside from routing, it has Firewalling on par with what an EdgeRouter can do and a DHCP server.
And that’s it.
Still no DNS, PPPoE, DHCP Relay, VPN, Load Balancing / Failover, BGP, VRRP, and a host of other functionality that is common and expected to be found on a router. The latest theorizing is that these products are targeted to ISPs with low technical expertise, so I maybe wouldn’t hold my breath on some of those more advanced features ever arriving, but even with that narrowed scope there are many glaring omissions.
That said, I’ve deployed my UISP Console to proper Home Production use. I recently had fiber Internet installed at my home with an add-on static IP allocation, and the UISP routing platform is perfectly sufficient for dividing that up. Ironically, UniFi 6.5.51 just went GA and finally has the functionality to make multiple WAN IPs useful for most common scenarios, but I have some services I’d like to expose to the Internet directly without any NAT and that’s much simpler to do if I route those IPs directly to a non-UniFi router.
UniFi Disappointment Router?
The UniFi fanbois were aflutter when Ubiquiti released this video promoting an upcoming UniFi Dream Router:
It sounded like a substantial upgrade to the UniFi Dream Machine: WiFi 6, two ports of PoE, 128GB SSD, an SD slot for storage expansion, and the ability to run Protect and other Ubiquiti controllers that haven’t been available to UDM users due to the lack of storage.
Then it hit the Early Access store for $79. Huh?
Continue readingUnpopular Opinion: Don’t use a Raspberry Pi for that!
A Raspberry Pi is great if you have a need for which it excels. GPIO, extremely low power requirements, tight space constraints. But the Pi should not be the first thing you reach for when “Unobtrusive and Inexpensive Linux Host” are the only requirements.
Continue readingRepeating Old Mistakes
Early last month, my 20-month old UNVR stopped working. I pulled the drives, tried the Reset button, and thanked the Deities that I live in an area where a UNVR is something that I can buy. In a store. On a Sunday.
At the time I’d seen hints that wearing out the internal storage was not uncommon. What I hadn’t learned, yet, was that the internal storage is a USB stick. My discovery of this was accidental — I was mucking around on my new UNVR and decided to run lsbusb -tv
and there it was.
With a quick search of the Googles I found fresh knowledge that it is, in fact, a generic USB stick, and that replacing it is as simple as putting in a blank drive and holding the Reset button on boot. I guess they learned some lessons from the EdgeRouter Lite USB failure debacle. Just. Not the lesson that they should never put a USB stick in a device!
I’m tempted to hack this “extra” UNVR into a NAS, though I have concerns about what could go wrong if the USB fails again. I’ve had great luck with Samsung Fit drives but maybe an M.2 SATA SSD in a USB adapter would be a better option.
Migrating
This site has been running from my home Internet connection from Day 1 but my determination to get control over my Docker disasters finally overcame my inherent don’t fix shit that ain’t broke laziness. Now coming at you live from colo in 55 Marietta Street.
Now to work on finding some motivation to create some fresh content…
UniFi OS Hacking
With the UDM / UDM Pro I’ve been regularly expressing disappointment that Ubiquiti is transitioning to a custom Linux distro that doesn’t have a package manager and doesn’t really have any provisions for persisting anything useful across reboots — particularly configuration changes and mechanisms to launch your own scripts.
With the second-stage transition to “UniFi OS” they’ve been moving more things into containers and it has now spread from the UDM Pro to the UNVR-4, which was previously running straight Debian with no containers.
Yesterday it was pointed out to me that “UniFi OS” isn’t merely a re-branding of the “UbiOS” the UDM debuted with. The unfi-os
container is a full Debian environment. A quick investigation on my UDM Pro showed that I could enter the unifi-os
container, apt install
software packages, and make changes which persist across reboots. It would appear that all changes within the container are persistent via an overlay
for /
which goes to persistent storage on the host.
This is not at all how Containers are supposed to be used, it is a gross violation of best practices… but it’s a foot in the door to using these devices in ways that Ubiquiti didn’t bless.
I’m super-disappointed that nobody seems to be exploring the unifi-os
container in public. Google turns up nothing, there hasn’t been anything meaningful on /r/UniFi or ubntwiki.com. Probably all hidden on the Discord.
I don’t love UniFi Threat Management and neither should you
When Ubiquiti put out the first Beta releases of IDS / IPS, I was surprised by the overall excitement of the enthusiast community. People were snatching up $2,000+ USG-XG-8s just to be able to use this feature without slowing down their WAN. Cheaper line-rate IDS / IPS has been a major force behind the UDM / UDM Pro hype train.
I am far less enthused, about IDS / IPS specifically and UniFi Threat Management in general.
My core issue: It’s Free.
Free is not inherently bad. I use lots of things that are free. Ubiquiti is built on lots of things that are free — VyOS, Linux, OpenWRT, hostapd. But security is different. Security is a process, not a deliverable.
Look at how Ubiquiti is offering security. Did they produce an IDS / IPS product? No, it’s just Suricata. Are they employing an army of security professionals to discover new threats, analyze alerts from their customers, produce new signatures? No, they’re just passing along the free rulesets that any Suricata user has the ability to use. Is Ubiquiti adding any value to Suricata alerts, such as making them easier to interpret or correlate? Heck no.
There’s a saying that If you’re not the customer, you’re the product. Does that apply here? Also, no. Enabling UniFi’s IDS/IPS isn’t passing any value back to the Open Information Security Foundation, the Suricata project, or any of their sponsoring organizations.
My other issue: What Ubiquiti is providing isn’t particularly good.
IDS / IPS: Suricata is purely signature based, like an antivirus program from 30 years ago… only worse. Most signatures are simplistic, prone to false positives, and the alerts they generate do not provide much context to decide whether they warrant further investigation or can be ignored. I’m not positive about this, due to the minimal information provided, but I think many of the alerts I’ve received are for traffic that the firewall was going to drop anyways.
There are many things Ubiquiti could be doing to add value to Suricata alerts — pruning rulesets and providing more context would be a great start — but that would require substantial investment.
Zeek (Bro) is generally considered better than Suricata, in that it’s focussed on flagging anomalous traffic instead of depending on signatures, but turning that into a user-friendly solution also requires significant investment.
DNS Filtering: I’ve previously written about this. In short, they’ve delivered an extremely simplistic filtering solution that depends on redirecting DNS traffic to an undisclosed 3rd-party. The manner in which they’ve implement filtering is unsuitable for a broad range of common DNS scenarios and they’ve provided zero control beyond choosing from the 3rd-party’s three filtering options.
It’s not worth using. Use PiHole and / or OpenDNS at home. Subscribe to Cisco Umbrella for business filtering.
Network Scanners: The Endpoint Scanner is basically a point-in-time nmap. No history, no correlation with UniFi’s Client History data. The Internal Honeypot is also extremely simplistic — it seems to alert simply on connection attempts to particular ports.
GeoIP Filtering: Hey, it does exactly what’s expected! I wish it did more tho. In particular, I might like to drop traffic from some countries to particular ports (VPN-related) but not others (HTTP / HTTPS).
IP Reputation: Tor blocking and Restrict Access to Malicious IP Addresses do what they say, tho again, it’s unclear what the information source is and if 3rd-party disclosures are involved.
Missing Features: Competing Unified Threat Management solutions generally have features that Ubiquiti isn’t (yet) providing: A/V scanning, HTTP / HTTPS interception, email filtering, data loss (PII / PHI exfiltration) protection, integration with Network Access Protection / Network Access Control systems, and more.
At some level it’s great that Ubiquiti is making security tooling available to users with less technical expertise or budget. What’s not great is those are the demographics who will read the marketing and believe they’re getting much more than is actually being provided.