I bought a Unifi Dream Machine last year because it was an all-in-one device that seemed like the simplest way to have multiple VLANs on my home network, in order to segregate my IoT devices and security system from the rest of my home network. At the time, I didn't see any similar products.
Are there any other "prosumer"-type devices on the market that could replace a Dream Machine? If Unifi is going downhill it doesn't seem like I'll be going with them for a replacement.
The recommendation I've seen around is to run opnsense or pfsense for the router, then unifi APs. (I first found out about it from a YouTube channel as being a way.
https://youtube.com/user/TheTecknowledge . They are pfSense resellers, which is why they talk about it. But they could go straight unifi but they don't. After running PSNs myself for the last 4 years, I like opnsense being a little more open to community involvement, versus the control that pfSense has.)
Opnsense forums have lots of recommendations for hardware, which is the path I went recently. I went with https://protectli.com/, which are just some rebranded hardware sold on Alibaba, but they provide support on top of the hardware.
I've been down this path before. I'd argue strongly pfSense is non-trivial and will require significant time investment for most people coming off Unifi stuff to learn the ropes, and should not be considered a serious alternative for most people. They have very different target markets and this is reflected in the software. Unifi is much closer to a "plug and play" user experience in comparison to pfSense. The customization options for pfSense are of course fantastic.
I actually reversed this choice and am back to using the Unifi Controller again - pfSense is superb in production or more-networking-enthusiast style environments, not so nice for "average" home. I used a 5-ethernet port fan-less Intel Atom box almost identical to the one you linked for my homemade pfSense router while it was running, for that purpose it was pretty good.
Point taken. I've been running Linux with iptables since 1999. I also spent a few years at Cisco doing network security stuff. So pfSense was a minimal learning curve for me.
But at the same time, I run Google WiFi points as I don't want to deal with them. :)
If you only need to VLAN-tag the 4 ports on that one device, you can do it with like… about literally anything? e.g. an Archer C1750 with OpenWRT does that easily.
The benefit of UniFi is that you can centrally control a bunch of switches. It's definitely overkill and overpriced if you just want an all-in-one.
I need to set up multiple wifi SSIDs, each on a distinct VLAN, and apply firewall rules to ensure things like: hosts in the "home" vlan can open connections to hosts in the "iot" vlan, but "iot" cannot open connections to "home".
Though you'll probably end up with an Atheros wifi chipset on modern hardware... and I've found the OpenWRT drivers to be extremely unreliable when providing multiple SSIDs, crashing every few days instead of weeks of uptime.
I keep hoping that one of the OpenWRT snapshots will fix it, but this is something I've been fighting with for years on multiple pieces of hardware.
I bought a Linksys WRT3200ACM specifically for use with OpenWRT after a bunch of research. It's modern hardware and based on Marvell, not Atheros. I don't have lots of SSIDs, but I do have separate 5G and 2.4G SSIDs, and they're working well enough.
Separate 5G and 2.4G SSIDs are no issue in my experience; it's multiple SSIDs on one phy where Atheros goes wrong.
I really want WiFi6 gear... but given that there's no real OpenWRT support yet, and how long it's taken 802.11ac to mature in OpenWRT (it arguably hasn't yet), it's kind of discouraging.
As the name implies, that company made a ruckus in the prosumer segment like Ubiquiti, but since being bought by Arris it is declining the same way (e.g. you only get FW updates with registration).
It's definitely overkill, but what is a homelab if not overkill? It's not really high maintenance, though. Once it's in and running you'll never have to touch it.
The MSP I work at maintain some 500 MikroTik devices, I wouldn't call it particularly high maintenance. Once they're set up they'll just keep working. I've been auto upgrading my stuff at home with beta software for the last 4 years without encountering any issues. (ROS6, 7 is another story).
I have come across several situations where professional network engineers have accidentally left a MikroTik in a dangerously insecure state by misunderstanding the UI. I like Watchguard or Draytek in the small business space. They are a bit more expensive than MikroTik though.
The MikroTik UI is... an acquired taste. Honestly I don't think it's bad; I would argue that it's among the best GUIs out there for routers. I would be surprised if it's more common for MikroTik routers to be left in an insecure state than any other router, unless it's only because people who work on routers tend to have been trained on Cisco or Juniper and that training just doesn't translate very well to MikroTik. But I'm also not going to die on a hill defending MikroTik's configuration design choices; there's a lot to be desired.
I replaced my ISP-provided all-in-one box (Orange in France) with an EdgeRouter 4 and it is many, many times more stable. The crap you get from the ISP does not compare.
The management is horrible and how they designed it is horrible as well (from the OS perspective) but once it works, it works.
Has UI gone downhill? Or is it just because of all the negative feedback?
Data leaks happen! It shouldn't, but that's just how the world is. UI has been honest about it, and informed every customer as a precaution. (I assume they're still investigating.)
I can't be sure, but since UniFi Video went offline at the same time the breach was announced, a week earlier than it was scheduled to, that might have been the entry point.
In any case, the UDM (despite all the negative talk) is a fine machine, and does what it promises to do. If you want similar performance you're either looking at building something yourself, or paying twice what you paid for a firewall appliance. The Netgate SG-3100 has less performance at twice the cost.
You need a UI account to set it up, but that doesn't mean you have to allow managing it from the cloud. Disable the cloud controller access and any access to your firewall configuration will have to happen from your local network. I'm unsure if you can disable the UI account, but I have a spare UDM sitting around so I will test it.
I built up my company's network infrastructure on Unifi gear over the past two years. I did so because we don't have budget for a professional network engineer, but we do have some important network requirements that I needed to be able to set up with minimal learning curve. For the most part this turned out great: there's a powerful UI that lets you configure all of the basics, and lets you inspect everything without having to relearn a bunch of tools and concepts every time. I'd say perfect for a situation where the CTO has to 'solve' the network.
What disappointed me is that some aspects are really unfinished, and it looks like there's no intention of it to be fixed.
For example, we bought their pro firewall (which has been out for years); it's got 2 WAN ports for automatic failover. To use the 2nd WAN port I had to switch the UI back to legacy mode. OK, weird, but I guess the new UI is still sort of new. But then it turned out that to configure automatic failover in the most common way, I needed to ssh in and edit configuration files manually.
It didn't turn out to be very hard, but it was just jarring. One of their flagship products, and of the 4 ports it has, 1 port is not supported in their main UI and its most common use is not possible even in their legacy UI.
Unifi Protect has similar incompleteness issues.
I don't think there's a company that does it better than Ubiquiti right now, just disappointed that it stops there.
I agree there's a lot of unused potential with their existing product line, but as you said, nobody does it better currently.
I've been running Ubiquiti gear for years, from a single 2.4GHz UAP with the EdgeRouter products, to my current setup with UDM Pro, 10 GB backbone and multiple NanoHD access points, and to use an Apple quote, "It just works". I don't have a complicated setup, just some basic VLANs, firewall rules, RADIUS-assigned VLANs via MAC, and IDS/IPS, so maybe that's why I'm not having any issues with it.
I have the technical skill to set it up from scratch if I wanted a second day job, but I don't anymore. I've run on homebuilt devices, on a Soekris net4801, on an Alix APU1D4, on m0n0wall and pfSense in various configurations, latest on a Netgate SG-3100, and while the SG-3100 comes very close to being a network appliance, it still managed to crash to a point where I was flashing it and setting it up over a USB cable, and while Netgate support was very helpful, that's hardly something you'd ask the average consumer to do.
On the access point side of things the only real contender would be Meraki, but those are 2-3 times the cost of UniFi gear. You could of course also get a bunch of Zyxel/Netgear/whatever consumer devices and put them in bridge mode, and lose all central management.
In fairness, SSH in and edit a file is the "standard" here. I used to manage a bunch of Cisco devices, and I don't believe there was a GUI at all.
I would generally expect the UI to be for enthusiasts, with the more advanced functionality hidden in the CLI (kind of like Windows). WAN failover probably isn't super popular among enthusiasts.
For the routing/firewall side, I would encourage looking at either pfSense (as others here have suggested), or possibly VyOS.
I used to have several Ubiquiti USG devices as well as their EdgeRouter.
I moved to pfSense as it's open-source, more stable, and gives you much better control/configurability on your hardware. There's a great ecosystem of packages on pfSense that you can install via the web UI, making it really feature-packed for a homelab.
However, recently I've been moving from pfSense to VyOS, which is basically a stripped-down Linux distro, with a heavily tuned FRR routing stack built on top of it.
VyOS is an open-source fork of Vyatta, which was previously owned/released by Brocade networks.
It operates with a CLI, like many enterprise/commercial routing products. It takes a bit of getting used to, but it's really great to use in practice, and makes it easy to diff configurations, or rollback changes, or copy the same configuration across multiple devices.
And of course, it integrates with config-management software like SaltStack/Ansible (via Napalm), which is something that pfSense. If you have multiple pfSense devices, you basically need to point/click via the web UI on each one.
For APs - Ruckus is great, as is HPE/Aruba (they have a new low-cost line that's targeting the Prosumer market) - they have both been leaders in the wifi field for ages, and have things like AP handover, RF tuning/optimisation, adaptive antennas etc down pat.
I have a MikroTik Audience I can wholeheartedly recommend. The performance is great, it had a great price and doesn't look half bad. The UI is very much "pro" in the sense that you get all the options you might ever want to play with, which for 90% of the time is just too much.
The wiki is good and the community is really friendly. If you have networking experience or want something to tinker with it's a nice deal. If you want something you can set and forget I'd look elsewhere though, as the UI is not friendly at all.
I would suggest looking into Mikrotik. Bit of a steep learning curve and a prerequisite that you understand networking, but cheap, reliable, feature packed.
Their WiFi APs are behind the curve (no mu-mimo even afaik), but you can just hook up some other wAP if you need the newer protocol features.
What I do is keep a Mikrotik router that does all the heavy stuff and hang wAPs off of it as needed. I especially love capsman for wAP management. They do have all-in-ones of course, just not my cup of tea.
FritzBox is way better than ISP-provided or TP-Link-like boxes but certainly not pro-anything (no VLANs or ingress QoS, guest wifi but no real multi-SSID, severely limited DNS customization ...).
FritzBoxes are everything but certainly not "prosumer"-type devices. Most of their "mesh" is still dual band. Only the latest repeater "FRITZ!Repeater 3000" is tri-band and afaik there is no router yet available that supports tri-band.
Ironically you can do that with pretty much ANY access point. From TP-Link, Asus all the way to Aruba ones (unleashed). BUT you can't do that with Unifi ones alone. Go figure. You need a USG+key or the discontinued UDM you have.
This is wrong. First, the UDM is not discontinued: it's for sale right now. Second, you don't need a USG+key to do VLANs. You do need to run a Unifi controller, but you can self-host that anywhere, like on a RasPi or in a VM. You don't need a USG to do the tagging and routing, either... the VLANs you set in the Unifi controller will work with any router/gateway; it's just not all streamlined into the controller interface if you use a separate gateway. I know this because I do exactly that: I have a pfSense gateway and Unifi switches/APs.
VLANs are at layer 2 which is switching. Routing is layer 3.
I have several Unifi switches and a controller (running on an RPi) on my network but I use my own router. I can set up VLAN access ports and trunks all day on the switches no problem, but I can't control the layer 3 routing between those VLANs with the controller, which is what you're talking about. By setting up a gateway/network on each VLAN from my router I can control routing. It's just not as slick as having a USG where it's all controlled via the controller UI.
A couple of their top of the line switches can actually do layer 3 switching. I haven't actually tried that, but the docs don't mention it requiring a USG so I don't think it does.
Yes. As I said, I do that myself with a pfSense firewall/router into Unifi switches and APs with multiple VLANs and routing between them. I've also done it with an Edgerouter + Unifi switches and APs, and a Mikrotik router too. Of course the Unifi controller doesn't control a non-Unifi router, but you can set up whatever VLAN arrangement you want in the Unifi controller and then set up your router to match and do whatever inter-VLAN routing you want separately in its own interface.
It is not all nicely integrated together if you use a separate router (obviously), but it's not like it makes it impossible. It's not even difficult... at least not any more than it would be in any other setup.
Same here but with OPNsense instead of pfSense. It would be great to have all of the info in the controller's dashboard, but I wasn't thrilled with what UI had available over the last year and figured I'd punt buying a USG or similar down the road a few years.
I personally wouldn't recommend it; the USG and their other Unifi gateways are actually kinda limited feature-wise. You get all the stuff in the dashboard, but I'd say it's fairly primitive compared to what you'd be used to in ***sense. It's a good solution for people who want something turnkey, but if you're a prosumer/homelabber type you're better off leaving switching and APs in Unifi but using something else for the gateway. I do quite like the EdgeMax routers like the ER-4 paired with Unifi, however. Just my own perspective having tried all of the above.
It's not, the parent is wrong. I'm not sure if I would 100% recommend one (it depends on your needs and how nervous Ubiquiti's recent business decisions make you), but it's not discontinued nor about to be.