[REQUEST] Need recommendations for UniFi USG

mdownes

Hi all,
For the past few years, I’ve been concentrating on UniFi equipment, but that hasn’t extended beyond WAPs and POE switches. I now want to install a USG for the first time.

This is the scenario: building 1 has a maximum of 300 active wired/WiFi clients. WiFi is through UniFi access points, managed by a controller on the server. Everything is UniFi except the router, which is Lancom.

Now, I am fitting out a new place (building 2) in another town. It will have roughly the same volume of users and will have all UniFi equipment. But users will need access to the server in building 1, so I need a reliable site-to-site VPN (another first for me).

So I need recommendations for the router/firewall/gateway device. I’m thinking I should also replace the building 1 router with a USG. Here are the basic requirements:

  • Easily able to handle the volumes of clients
  • Straightforward site-to-site VPN
  • Building 2 has 2 comms rooms, joined by fibre, so SFP slot might be useful (but I could just get a UniFi switch with that)
  • If there is a model with a built-in UniFi controller, it would be nice to have, but I can just as easily get a cloud key.

What would you guys recommend?
 
If you need lots of VPN connections and plenty of bandwidth, I can recommend the DrayTek 3910. (See also the comparison chart here)

I replaced a couple of ageing ZyXEL USGs a few months ago that were providing the VPN service for remote workers and a site-to-site VPN tunnel. Like you, I've used lots of UniFi devices over the years (mainly switches, WAPs) so I looked at the UniFi firewall/router offerings at the time but I found them somewhat lacking in features. In particular (and this was the deal-breaker for me) was the lack of multiple public IP address support. I don't know if there have been any updates since to address that major shortcoming, but it's something to bear in mind if you need to use multiple public IP addresses now or in the future.
 
Thanks for that Moltuae - I've used Draytek in the past and they're great. From a VPN point of view, I'm just looking for site-to-site. Also, having dealt with multiple hardware vendors in the past, I'm leaning towards sticking with one and learning as much as I can about their way of doing things. Less time reading and banging my head on the desk, is my thinking :). There also seem to be a lot of people using UniFi worldwide, so I'm thinking there'll be a lot of peer-to-peer advice, should I need it.
 
The base model USG won't be enough power for that. You'll want the Pro 4 model or the Dream Machine Pro. I keep the little USG-3 model just for networks under 25 or so....generally light use.

The Unifi series VPN for mobile/remote users isn't too solid....but their site to site is fine and easy.
The ability to have multiple public IPs on the external interfaces managed within the GUI isn't here yet. I do wish they would hurry up and complete that. It's been on the community wish list for years now. Tricks to do it in the JSON file but when an upgrade comes that can get wiped out so that's not really a method to use in production on clients. When Unifi version 6 was released a few days ago I quickly looked at it...thinking "Maybe it supports multiple WAN IPs now!". :( Not yet.

We do a tremendous amount of Ubiquiti deployments...but for our clients with stronger "router" needs, we use Untangle. I'd say about 75% of our clients are behind Untangle. 20% behind Ubiquiti...either Unifi or Edge.
 
I've not checked the specs on all models but I doubt there's one that has the actual controller built into the unit. Your cloud keys are great but you should also look at spinning up your own controller in the cloud. That way you can have all your customers on one controller.

On the site to site VPN. You first need to get a handle on the traffic. As in how many and how much. The Unifi works fine for a handful of users with minimal requirements like RDP or grabbing some files now and then. How big is the pipe at each site? Big pipes need big hardware to be able to use it all. I added 1gb Google fiber recently. The most I could get out of a USG3 was maybe 150-200mb. I know I had the 1gb because a laptop w/ gb nic directly connected was well over 900mb. Tossed an untangle router using a regular desktop, i5, 8gb ram on it and I was where I needed to be.
 
The Dream Machines have a built in controller. You can bind them to your UI.COM account for easy portal access in one spot.

We have quite a few dozen accounts of ours up there....since they have local Unifi controllers. Most of 'em on cloud keys, a few on locally installed Unifi controllers.
We have about twice that now..on our own Unifi controller which I recently moved to Hostifi...they're great, they do all the maintenance, support, and backups.
 