
Author Topic: pfSense and Ubiquiti  (Read 815 times)


Offline Smoothrunnings

  • Jr. Member
  • **
  • Posts: 92
  • Karma: +0/-0
    • View Profile
pfSense and Ubiquiti
« on: December 24, 2017, 01:49:20 pm »
My network is mostly Ubiquiti except for my firewall, which is a WatchGuard XTM (with 8GB of RAM and SSD) running pfSense 2.4 along with HAProxy.

I want the functionality of Ubiquiti and would like to buy a USG-Pro-4. I wonder if anyone has had some success connecting the two together; ideally I want (if possible) to put the USG first, and then let the internet traffic in/out go to the pfSense before hitting my network.

Thanks!!
 
« Last Edit: December 24, 2017, 02:03:19 pm by Smoothrunnings »

Offline Gentle Joe

  • Jr. Member
  • **
  • Posts: 37
  • Karma: +2/-0
    • View Profile
Re: pfSense and Ubiquiti
« Reply #1 on: December 25, 2017, 07:11:35 pm »
The USG is not anywhere near as capable as pfsense I'm afraid.

I have a USG, I install it and swap out the pfsense occasionally, then a day later put pfsense back in.

I have thought about using pfsense as the DHCP server, OpenVPN server, DNS server..... then USG do the rest.

Offline Smoothrunnings

Re: pfSense and Ubiquiti
« Reply #2 on: December 25, 2017, 10:42:43 pm »
> The USG is not anywhere near as capable as pfsense I'm afraid.
>
> I have a USG, I install it and swap out the pfsense occasionally, then a day later put pfsense back in.
>
> I have thought about using pfsense as the DHCP server, OpenVPN server, DNS server..... then USG do the rest.

Thanks for the info, but it doesn't really help me.

Thanks.

Offline Gentle Joe

Re: pfSense and Ubiquiti
« Reply #3 on: December 26, 2017, 12:56:21 am »
Well, you can put one behind the other if you want to.

If you want to use the USG for the new security features they just enabled.

The USG's (Unifi's) logging features are quite poor, not reliable, random times, not clear which scales they use, etc.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14787
  • Karma: +1373/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: pfSense and Ubiquiti
« Reply #4 on: December 26, 2017, 04:28:31 am »
What feature(s) of the usg are you wanting.. The dpi?

I recently updated my internet to 500/50.. At the time pfsense running as vm on older hardware could not handle this speed.. only about 120 down on the connection.  So as a quick solution to the problem I got a usg 3p (gateway) it was 112$ on amazon and was here in 2 days with prime.. I had ordered this before they put in the new line, along with the new modem - why would you pay them rent on something you can buy and the rent pays for in less than a year..

Anywhoo. I was correct the pfsense vm could not handle the new speed, and I had to put the usg in.. While I was able to get full speed with the offloading.. If you enabled their shaping speed was in the dirt and only in the 100mbps range for download..

While the dpi info is slick.. Other than that it is really sad how far they are behind in basic ease of setup.. Can not even setup an alias, while some stuff can be done with cli to get some basic features that are clickity clickity in pfsense.. Make sure you don't have the controller provision the usg or your setting will be lost, etc.  I am a huge unifi fan and love the AP and run beta code on them and the controller.

And was very impressed with the price point and performance of the usg.. But if you're wanting to do any sort of anything other than get on the internet it's not quite there.. Can not easily set up a vpn client connection, can not set up an easy openvpn server, can not set up an easy HE ipv6 tunnel... Like zero features in their dhcp server, and zero dns features. ZERO... the box doesn't even point to itself for dns so it queries its ping.ubnt.com every single minute because it doesn't even cache the ttl..

If you want a usg 3p I will give you pfsense forum discount on my slightly used one.. But be happy to help you discuss how you could integrate it into your network.. But what feature(s) are you trying to get from it that pfsense does not already supply.. the dpi info would be the only thing.. Just install the ntop package on pfsense ;)

It really was painful using it, I finally got my sg4860 in to replace it and all is right with the world again... But for the price point and the speed at which they add features and fix stuff in a couple years I could see it as nice little product.. And if you do not mind the pain of working with json files and loss of settings on provision from controller, etc.  It can do some good stuff.. It's a slick little product sure..  But it's like nice A4 they loan you when you drop off your A8 for service ;)  The A4 is nice and all - but not in the same league..

When you're used to driving a Genesis G90 and they give you an Elantra that isn't even fully loaded.. It's a huge difference ;)
« Last Edit: December 26, 2017, 04:41:24 am by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline Smoothrunnings

Re: pfSense and Ubiquiti
« Reply #5 on: December 26, 2017, 08:43:38 am »
I am sorry to hear that your USG-3P couldn't handle your internet. My work friends own the USG-3P, I actually make fun of them not owning the Pro saying they aren't "PRO" enough! Anyhow one of them has Rogers Gbit Fiber internet; granted switches max out at 1Gbit/sec, he doesn't have any problems getting close to those speeds.

In the past when pfSense was version 2.3.x I was talking to a guy on the USG forum who was trying to do what I am looking to still do. He found that pfSense wasn't very good at it at the time and the only other firewall software that worked best was Sophos XG which he said was a walk in the park compared to doing it with pfSense. Now that we are on 2.4.x, and I have invested in my WatchGuard XTM 5 (put a faster CPU and 8GB of RAM in it) I would like to keep it a bit longer if that's possible. I have looked at the Sophos XG documentation and for what I use pfSense for right now setting it up on the Sophos looks much easier than what I had to go through to get it setup this way. lol

I appreciate your offer on the USG-3P but it's not PRO enough for me. :P

And yes DPI is one of the things I am interested in, and possibly VPN...but that's another project down the road.

Thanks,

Offline johnpoz

Re: pfSense and Ubiquiti
« Reply #6 on: December 26, 2017, 09:00:20 am »
the usg-3p could handle the 500/50 fine as long as it didn't turn on the shaping which turns off the hardware offload.. If you left hardware offload on it handled the 500 without any issue..

If you want dpi, then just install the ntop package all the dpi you could want ;)  And pfsense also has layer 7 filtering back... with the snort package..
https://www.netgate.com/blog/application-detection-on-pfsense-software.html


Offline Smoothrunnings

Re: pfSense and Ubiquiti
« Reply #7 on: December 26, 2017, 09:15:06 am »
> the usg-3p could handle the 500/50 fine as long as it didn't turn on the shaping which turns off the hardware offload.. If you left hardware offload on it handled the 500 without any issue..
>
> If you want dpi, then just install the ntop package all the dpi you could want ;)  And pfsense also has layer 7 filtering back... with the snort package..
> https://www.netgate.com/blog/application-detection-on-pfsense-software.html

It's not the same, I already have it installed. And I already have Ubiquiti gear in my environment.

My environment now. The main switch on the backside and the UAP's are in the ceiling.
https://youtu.be/w8LTeGWgU8w


Offline johnpoz

Re: pfSense and Ubiquiti
« Reply #8 on: December 26, 2017, 09:28:18 am »
I have unifi gear as well, I have 3 AC ap in my home.. Love um... But the dpi info just some eye candy, there was nothing of actual use there in tracking down anything to be honest.. ok client X did 2.3GB of data type XYZ..  When and to where exactly would be very useful... I didn't see that sort of breakdown

From what I was reading though there was a way to put the usg be it the 3p or the pro models in monitor mode for the dpi info..  Wouldn't you be able to just span a port to it on your switch if you wanted it to report on traffic type, etc.

As to vpn - hands down this is just clickity clickity in pfsense to setup.. be it server or client.. and policy routing using or not use client vpn again click click..

if you gave some exact details of how you want to leverage the unifi.. Be happy to discuss..

Offline Smoothrunnings

Re: pfSense and Ubiquiti
« Reply #9 on: December 26, 2017, 03:41:17 pm »
What do you know about setting up pfSense 2.4.2 VPN (OpenVPN) using Windows 2016 NPAS for RADIUS?

I tried it once already and it didn't work out well.

Thanks,

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9589
  • Karma: +1089/-309
    • View Profile
Re: pfSense and Ubiquiti
« Reply #10 on: December 26, 2017, 03:54:45 pm »
Works fine.

If you can successfully authenticate using Diagnostics > Authentication you should be able to leverage that server with OpenVPN.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline Smoothrunnings

Re: pfSense and Ubiquiti
« Reply #11 on: December 26, 2017, 09:43:45 pm »
Is there a good walk through setting it up?

The stuff I have seen pre-dates pfSense 2.3.x and server 2008.

Offline Derelict

Re: pfSense and Ubiquiti
« Reply #12 on: December 26, 2017, 09:56:46 pm »
Everyone's AD is different enough that making a walkthrough is pretty much useless.

General stuff though:

Create a RADIUS client in NPS for the pfSense source address and password

Set up a RADIUS Authentication server pointing to that.
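
Added example, not part of the original thread or of pfSense/NPS code: what the RADIUS client password (shared secret) from the two steps above does on the wire under RFC 2865, and why a secret that differs between NPS and pfSense makes an otherwise correct login fail. The secret, user name, password and the 192.0.2.1 NAS address are constructed placeholders.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # RFC 2865 attribute types

def xor_stream(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: b_i = MD5(secret + previous ciphertext block), c_i = p_i XOR b_i."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(block, pad))
        out += mixed
        prev = block if decrypt else mixed  # chain on the ciphertext either way
    return out

def hide_password(password, secret, authenticator):
    raw = password.encode()
    if len(raw) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    size = max(16, (len(raw) + 15) // 16 * 16)  # null-pad to a 16-octet multiple
    return xor_stream(raw.ljust(size, b"\x00"), secret, authenticator, False)

def reveal_password(hidden, secret, authenticator):
    """What the RADIUS server computes with its own copy of the secret."""
    return xor_stream(hidden, secret, authenticator, True).rstrip(b"\x00")

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_ip, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_is_authentic(response, request_auth, secret):
    """Response Authenticator = MD5(code+id+length + request auth + attrs + secret)."""
    digest = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(digest, response[4:20])

if __name__ == "__main__":
    # Constructed values throughout; nothing here comes from a real deployment.
    ra = bytes(range(16))
    hidden = hide_password("correct horse battery", b"constructed-secret", ra)
    print(reveal_password(hidden, b"constructed-secret", ra))  # matching secret
    print(reveal_password(hidden, b"typo-in-secret", ra))      # mismatched secret
    print(build_access_request(7, "vpnuser", "x", b"constructed-secret", "192.0.2.1", ra).hex())
```

With a mismatched secret the server recovers a different password than the user typed, and the client cannot validate the reply either, so both sides have to hold the same secret for the registered source address.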

Offline johnpoz

Re: pfSense and Ubiquiti
« Reply #13 on: December 26, 2017, 10:44:45 pm »
How many vpn users will you have that using radius to auth makes sense?  This is not a home setup I take it then?  Yeah Derelict is right what does the diagnostics auth section tell you?

Offline Smoothrunnings

Re: pfSense and Ubiquiti
« Reply #14 on: December 27, 2017, 08:16:05 am »
> How many vpn users will you have that using radius to auth makes sense?  This is not a home setup I take it then?  Yeah Derelict is right what does the diagnostics auth section tell you?

I think I need to take a break from this forum. Instead of telling me what I want or what I should do you should offer to help me to get there. This isn't directed at only you (Johnpoz) but everyone who has contributed to this thread what I want or should do. I have found myself having to fight a battle here which I should have to do.

Thanks,