Bye Bye UniFi? - Replacing my UniFi UDM-Pro with a OPNsense Router! 

That unit now seems to be gone, what would be your pick if you were choosing today?

Yeah, would have been better if I'd had time to record the screen and actually explain what I was doing but at that point it was probably around 1am and I was in "just get it working and go to bed" mode 😅

@@camerongray1515 haha fair call esp given you had work the next day - bet you were delighted when the cloud key dropped off and couldn't see any of the kit 😂😂😂

There may have been some swearing.... 😅

I just fancied a change, I use PFsense extensively elsewhere but those are all production systems, my home setup was the safest place to give OPNsense a go in a "production" environment but not where it would be a disaster if it caused problems.

I could do although I prefer keeping my router as simple as possible and run it bare metal. I already have a server that I run VMs on however since I already need to use the CloudKey for UniFi Protect, I may as well run the controller on it as well. In other places where all I use are UniFi APs, I do run the controller in a VM.

​@@camerongray1515100%. It's always better on standalone hardware

Afaik on Mikrotik switches (on SwitchOS) you can force any port to run at 1gb/100mb/10mb, even the SFP+ ports

Juniper EX3300-48P with Noctua fan mode is move IMO.

That's my plan for this setup, UniFi was great but with this setup I can easily swap out different parts and try out new things. I always make a conscious effort to try out different technologies and learn new things rather than becoming siloed into a single set of technologies that I never venture outside of.

I actually already have plans to deploy a Proxmox server soon and I'm sitting on the hardware waiting on getting around to making the video on it! However, it's not something I'd really want to run on my router, I'm probably a bit old-fashioned however I personally prefer to run my router bare metal on a dedicated machine and then have a separate VM host. In terms of the UniFi controller - if all I needed was the controller then I would definitely run it in a VM (and already do in other environments), however I currently use UniFi Protect as an NVR which needs to run on a Cloud Key, Dream Machine or UNVR. Based on my current plan, I'll have retired all my UniFi hardware before I get around to replacing the NVR so there isn't really a point in time where I'd need to run the UniFi controller without also running UniFi Protect.

I think he was just testing it. He has another identical 24 port Unifi switch in his office for more ports

All will become clear in a future video I've never been able to get around to making 😉 (it's also probably not nearly as exciting as my secrecy makes it seem!)

I am, although I'm not sure I necessarily recommend it and having used it at home, I'm continuing to use PFSense elsewhere and I'll likely move my home router to PFSense or something completely different like VyOS in due course. OPNSense has some nice improvements in terms of UI over PFSense but I've found a few reliability/stability issues/bugs that put me off using it long term. In particular - the Unbound service seems to stop itself and need manually started after making configuration changes, bit of a nightmare if you don't realise! I also found pressing enter in the new interface box will instead trigger one of the "Delete Interface" buttons, not ideal if you don't read the confirmation message properly and accidentally delete an interface! OPNSense also has a much more frequent update schedule which some see as an advantage, however it often requires updates to be installed before installing new addons which can be annoying on a production router.

I don't have any sort of UPS - power issues are pretty rare around here and I don't have anything that's super sensitive to power loss. Both racks are just fed from surge protected PDUs. I had a UPS many years ago however the batteries failed, got extremely hot and started producing gas. While this can generally mitigated with regular maintenance, I don't feel it's really worth the risk and additional maintenance/costs for my particular setup.

@@camerongray1515 I see, glad that you have a stable power connection. Last time my SD card on my RPi stopped working after a power outage. While the power outage is massive, but there is only 1 to two power outage every 2 to 3 years. But if you have Routers / servers or nas it’s better to have UPS, because sometimes the power will went out for 1 to 3 seconds thus causing the access point and router restart.

This one here ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-hSk2VLt_T5c.html

@@camerongray1515 Thank you!

I used a Brother PT-E550W label printer - video coming soon on that one! It has desktop software that can print graphics so I used that and printed on to 24mm white on black tape. There's also a slightly tricky to find option to print at a slower, higher resolution so needed to use that too. I love how it turned out!

@@camerongray1515 Looking forward to that one, thanks!

When it first launched I had a lot of issues with stability as well but I can tell you the last 2 years of updates. I do some pretty advanced stuff with VPN tunnels zerotier bridging. Some pretty crazy firewall stuff aliases all the normal stuff and I haven't had a single issue in almost two years and I've installed every update that's came out. But I understand where you coming from

Yeah, it'll be interesting to see how stable it is long term. I use PFsense elsewhere, the extremely rapid updates on OPNsense has definitely put me off using it in more critical situations. For those I'd rather slower feature releases with regular security patches.

Second most viewed video on the channel.

Generally they are not liked because 10Gbps RJ45 SPF modules like to run really hot and can self destruct and burn at higher power-levels on longer runs or poorer quality cat6 cable. It's a lot of electronics to be shoved into a small space with no cooling. So fiber or DAC is preferred.

I made a video about it here: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-hSk2VLt_T5c.html. Essentially all I have is a cheap access point configured as a station to connect to my phone's hotspot connected to my router's secondary WAN interface. If my primary connection goes down, all I need to do is turn on my phone's hotspot which the AP will connect to and provide a connection to the router which is configured to fail over to it. Works really well!

The links seem fine to me - AliExpress Affiliate links tend to trip up ad blockers as I suspect they operate on the same domain as some of their ad serving stuff.

Yeah, it'll be interesting to see how I find it long term since I use both PFsense and now OPNsense in different places so can compare them pretty well. So far I do prefer the OPNsense interface - the search feature is a huge time saver! However, I've found a couple of bugs which are a bit concerning - saving the Unbound DNS settings causes the service to stop and needs manually started again and pressing enter in the box to add a new interface on the interface assignment page pops up a "are you sure you want to delete this interface" box which is a bit concerning! It definitely has potential but I can't see myself using it commercially in its current state.

​@@camerongray1515 For some reason I had some real trouble with OpenVPN config in OPNsense, and site-to-site VPNs too. Went black to a clean install of Pfsense and I had no bother configuring it. I will admit there was probably something I was missing but after spending a couple of evenings on it, I just wanted it to work so went back to Pfsense. Though it had to be a dev build for the Intel I225 support, which I wasn't totally keen on using but it's been fine so far. The other driver for Pfsense for me is just the ease of using pfBlockerNG. I know OPNsense has it's own methods. Will be interesting to see your thoughts on OPNsense going forward. Maybe I should have given it more time, or more likely I'll install it on my Proxmox server in the future to have a good play with it in an isolated manner.

I've already installed some new switching that has a bunch of 10GbE ports in various places, can't see me needing any more ports on the OPNsense box however. OPNsense seems nice and I do prefer the UI to PFSense, however I've found a few weird bugs which I can deal with, but I can't see myself using it commercially for a while. Not sure what you mean about having 24/7 packet capture though, it's not something I have any need for. The built-in Netflow stuff in OPNsense is more than sufficient

One of the reasons why I use pfSense Plus on physical hardware. For those who run it as a VM don't need it as they can create snapshots before upgrading.

It's an interesting option but I'd rather stick with open source options where possible. PFsense Plus makes sense for where you want the business support but if rather use CE instead of the "free for homelab" plus version. I ended up using OPNsense purely to give it a proper go, I already use PFsense extensively elsewhere.

@@camerongray1515 Ah ok, I watched the vid now, sure give it a spin see how it plays. Yes it's a fork of pfSense so worth having a look. Just on the Plus+, you can now install it on any hardware, just register, nothing to pay, then upgrade. I'd suggest it's worth knowing the features, then just play around with. I'd be curious on how you tweak opnsense / pfsense to get a more "snappy" web experience, I've applied fixes for bufferbloat but feel my connection could be better. BTW came across your vids when wiring my home with ethernet, they were handy thanks. Would be interested in hearing your take on using LAGGs between devices also.

@@Darkk6969 yep that's a lifesaver feature which I see they haven't put into 2.7 CE as yet

@neogrid9999 Yeah, I'm not a fan of the direction they seem to be going where they are adding in new features to PFSense Plus as a proprietary product and not CE, makes me worry about the future of CE. I much prefer the idea of an open source product with commercial support offerings. PFSense now seems to be starting to split into two separate products.

Because I referred to it as a router? Realistically it's both a router and firewall (and NAT gateway, DHCP server, DNS resolver... the list goes on) - most people will happily use the terms interchangeably - in this situation it is being used both as a firewall and performing routing functions.

@@camerongray1515 I see a lot of people mix up routers and firewall, even see people call routers modems. Firewalls are more powerful at filtering, and is restricted by default, until you allow things. While routers allow by default untill you deny thing. Routers are not good firewalls, and firewalls are not good for advanced routing. Simply a matter what the device is optimized for.

​ @kjakobsen I get the frustration with people getting mixed up with terminology - try living in the UK where many ISPs have started referring to their supplied all in one modem router type devices as "hubs" however ultimately it's just terminology and as long as the other person knows what you mean, it doesn't really matter! Likewise, if I ask someone for their WiFi password and they say "it's on the back of the modem" I'm not going to go all "Well, actually it's not a modem, it's a firewall, router, switch and access point combined into a single device connected to your fibre ONT" Sure, back in the day when you would explicitly buy separate routers and firewalls.etc the distinction was a bit clearer - if you wanted a router you'd buy something like a Cisco ISR, if you wanted a firewall you'd buy something like a Cisco ASA. However, nowadays with x86 boxes it's just a server running a UNIX-like OS with a mix of routing and firewalling software. Sure, OPNsense comes pre-configured with more of a firewall focus, but it still includes standard static routing functionality from FreeBSD and can easily be configured with packages to support all manners of dynamic routing, you could even disable the firewall if desired. Likewise an OS like VyOS comes out of the box configured more as a "router" however it also supports a pretty powerful netfilter based firewall. In my case here, is "firewall" potentially a more accurate description of what the device is doing? Sure, maybe. Is it a big deal? Not really.

This chat is about to be a bidding war lol

Only flaw with that placement is the test button protrudes from the front of it and is the perfect level to hit with the top of my head when working in the rack... 🤦‍♂️

I’m running Unifi controller and Untangle as VMs inside Proxmox. Considering moving to either OPNsense or Unifi UDM Pro SE. Afraid the UDM would feel like a toy compared to OPNsense?

I love MikroTik and use it a fair bit elsewhere, they're my "go-to" device where I need a low cost device, usually in some sort of really strange, bodgy situation. This project was actually a toss up between this setup and an RB5009. However, I just fancied trying OPNsense this time, this isn't a learning lab, it's my production home network so I'm not too fussed about how much I can do with it from a learning perspective. Although for learning, you can definitely do a tonne with a few cheap MikroTik devices!

Yeah, this isn't an official appliance - the logo on the right hand side is just a sticker that I printed myself on a Brother label printer. With these "Open Source Firewalls" you're completely fine to run it on your own hardware, even a cheap old desktop PC would work. The "official" appliances are there either for people who want to support the project or for businesses who want to buy a solution where they can receive complete hardware and software support from the same vendor.

MikroTik devices are great and I use them myself, however they're a completely different product. When I first planned this project it was a tossup between this option, an RB5009 and a CCR2004. I decided to go with this option for now however I'm totally open to looking at MikroTik devices in the future. With a MikroTik router you are relying on their proprietary RouterOS operating system whereas with this you have the flexibility to run whichever OS you want. A MikroTik would be fair comparison against another embedded router type device such as an EdgeRouter, Cisco ISR.etc but an x86 device will almost always cost more for the same level of performance but has the benefit of complete software flexibility.

I do love UniFi, but I also like other platforms too. I pride myself on being relatively platform agnostic compared to many RU-vidrs who act as if UniFi is the only option out there. The idea behind this project is to allow me to try out other technologies which offer some interesting features that UniFi lacks. UniFi is still an excellent option and is my go-to recommendation for people who want an easy to manage, relatively simple network deployment. I'm not quite sure what you mean about reading a book though?

@@camerongray1515 I *think* the commentor above is saying that because you "changed your mind" with regards to Ubiquiti gear, then why should a viewer believe your opinion. the book part seemingly is saying that to make a video talking about something, you first must have read up on it, seemingly, the commentor believes that a field such as technology can be distilled into books to read and learn the entirety of, without that book being terribly out of date by the time it is published. I'd argue, instead, that you having changed your mind on something shows that you have got a solid understanding of the subject at hand. Not because Ubiquiti gear is good or bad, but because you're willing to adapt and learn and find new things out. That aspect of a person makes them infinitely more trustworthy than someone who would read up information and regurgitate it, as if that makes something an original opinion.