Some fun with Trooli and Ubiquiti Unifi gear (UK FIBRE INSTALL - RESIDENTIAL)

Hey ya,

I thought I’d split this off from the Recently Acquired posts I’ve made about this:

LINKIE TO RECENTLY ACQUIRED THREAD

LOCATION OF NEW STUFF

So to go through it all again, I didn’t really want an ISP router cluttering up the downstairs of my relatively compact house and instead preferred it going straight into the loft. I’m planning to condition** the loft at some point, so heat/cold should be less of an issue. Most of my network gear is up there and it’s done well in the heat, though I do have a fan blowing at all times to keep the worst of the heat away from the switch and various bits.


INSTALLATION AND NORMAL WAY IT’S DONE

The Trooli engineer seemed to appreciate the idea of going into the loft - after all it’s less invasive and I’d pre-drilled a hole in the soffit and put a conduit in with a draw string. The standard method is to

  • attach the line coming to the house, at high level on the fascia board,
  • run it down to the ground floor wall
  • drill through the external wall
  • put a junction box on
  • connect through to the internal room
  • fit the other sockets and plug the router in.

PHOTOS AND DESCRIPTION

Here’s what I did on the outside. You can see where he’s pulled the cable through the conduit I installed.

Meanwhile on the inside I tidied up the area he’d be working in, put a fan in there and a knee pad, cos I try to be considerate when someone’s working in my house. When I go to other people’s houses, they sometimes show some consideration and don’t treat me like a nuisance in their day! You can see the yellow/green line I put in, along with his cable taped to the end of it.

And voila, he’s put it all in.

And the results :slight_smile:

IMPROVEMENTS AND MINOR PROBLEMS

My original speed was around 70Mbps…so that’s nice! I have seen 1.1Gbps at times, funny to think that my 1G network cable could be holding me back :laughing:

I gave it a good few hours, in case they’re doing technical things to improve the connection, line testing, etc. Then I unplugged the cable going to the router and plugged it in to my USG - the cheapest small unit they do.

I thought it would be fun to have 2 WANs, but after a lot of playing around, it didn’t really let me turn off one and use the other (only failover seemed to work, but no evidence). So I unplugged my original ISP (still have 1 month left until I’m out of contract), and popped the new ISP cable into the main WAN port of the USG.

At first it was strange, I was only getting 100Mbps, instead of ten times that.

After some fiddling, so far I think it’s the USG’s Intrusion Protection that, when enabled, slows it down. I need to research further, but for the moment I’ll be turning it off (which is a shame), perhaps I need to upgrade the USG if I want to maintain protection.

Anyway, that’s all for now, we’ll see how I get on over the next few weeks/months, hope this didn’t send anyone to sleep too quickly! :laughing:

**When I say conditioned, I mean I’ll be insulating the roof pitch, so instead of having a cold and sometimes humid loft space, I’ll have one that I can store stuff in without any fears.

5 Likes

I forgot some details!

One thing that you need if you’re not using the router supplied by the ISP, is the login details for the fibre connection itself.

Trooli were actually very helpful, I rang them up and as soon as I spoke to someone and explained, around 10 minutes later I got the details. These are the username

[account number]@cfsbroadband.co.uk

and the password.

Fill em in here, sorted.

When I was having issues, I briefly turned on IPv6, but it didn’t matter in the end so I left it off.

1 Like

I’ve since found that the USG I have, alas, cannot do protection at anything more than 100Mbps.

So I need to decide if I’m really going to bother upgrading so that I can have that feature - always difficult if there’s no evidence that a thing HAS protected me. But there again, should I consider the future threats whizzing around the internet and potentially onto my network? Hmm.

I’ve had a look, and for around £200 I can get a Cloud Gateway Max, that appears to have protection throughput of 1.5Gbps, providing some headroom.

It’s a bit of a quandary alright. I suppose the alternative would be PFSense or similar.

1 Like

Oooh, I got to do a test upload.

I uploaded a video to YouTube, around 800-900MB in size.

The old ISP took around 6 minutes, the new one took around 8 seconds :slight_smile:

A nice to have if I have to upload something quickly before heading out!

It’s actually so nice that they’re not aggressively against using anything other than their router! (though, if it makes it here and I do go for it, I probably won’t care/bother about using anything else, unless the one they provide is severely hampered in some way, which it shouldn’t be…)

But what does this protection actually mean? Most of these kinds of devices on the market are more about PR than actual security.

What can a central device actually do in 2025???

A firewall, in other words, basic ingress/egress traffic control at the protocol level, i.e., IP/ports/MAC. There are no magic bullets here, typical traffic control solutions and a few variables for analyzing basic parameters, such as fragmentation. In some cases, the vendor provides a list of IP addresses to block.

Deeper protection, meaning we enter the territory of traffic analysis solutions such as Suricata or Snort. Here, without good, constantly updated rules, we can’t do anything; for this to work, we have to decrypt encrypted traffic. This requires a dedicated certificate on LAN devices, similar to what antivirus software does to scan https.

DNS-level filtering.

All of this can be achieved without paying for a nice box. Most gadgets called NG-Firewalls or other fancy names are usually just a set of a few tools/functions wrapped in pretty paper. Most are more suited to industrial networks that need to expose resources to the world.

I have quite simple recommendations for a typical home LAN. BLOCK absolutely everything coming from the WAN side. If you need to expose something to the world, think twice.

Create a strict policy within the LAN.

DHCP with assigned and static IPs per MAC. Block all outgoing traffic from the LAN and only allow specific IPs, protocols, and ports. Use a per-device firewall. Filter all DNS traffic and prevent access to external servers.

In 2025, in a home environment, if we don’t expose anything to the world, the chance of brute-force penetration from the WAN side is only possible if the device acting as a gateway has an RCE bug or configuration errors.
In practice, LAN infections involve direct attacks on the local machine, usually with user involvement.
We should focus more on protecting and monitoring machines than on beautiful, centralized boxes.

One of the problems facing many companies is precisely this stupid policy. They buy expensive toys and install them centrally, leaving the rest of the infrastructure bare and unprepared.

Even simple OpenWRT with its firewall will provide the basics of traffic control. Personally, I implement a strict firewall policy on every device possible. No process is allowed to access the network without my permission. :slight_smile:

2 Likes

Every machine on the LAN must have a set of rules on the central firewall.

I only allow specific traffic and block everything else for each machine.

Traffic from the WAN side is neutered.

Access to the router is blocked, only a dedicated rule for the trusted machine.

DNS traffic blocked, DOH filtered on pihole.

Paranoia plus, central blocking of LAN traffic, if you don’t have a dedicated rule you won’t get out into the world.

2 Likes
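To make the rule groups above concrete, here is an added example (not TimHolus’s own configuration) that emits a default-deny nftables ruleset from a small per-device policy table: WAN dropped, router admin only from one trusted host, DNS forced through the Pi-hole, and a per-MAC/IP egress allow list. Every name, MAC and address in it is constructed.

```python
"""Emit a default-deny nftables ruleset from a per-device policy table.
Added example for the rule groups listed above; it is not TimHolus's own
configuration. Names, MACs and addresses are constructed."""

PIHOLE = "192.168.1.2"    # local resolver: the only host allowed to talk DNS upstream
TRUSTED = "192.168.1.10"  # the one machine allowed to reach the router's admin ports

# Constructed policy table: one fixed IP per MAC (DHCP reservation) plus an
# explicit egress allow list of (protocol, ports). Anything unlisted is dropped.
DEVICES = {
    "workstation": {"mac": "02:00:00:00:00:01", "ip": TRUSTED,
                    "egress": [("tcp", "80, 443"), ("udp", "123")]},
    "pihole":      {"mac": "02:00:00:00:00:02", "ip": PIHOLE,
                    "egress": [("tcp", "443"), ("udp", "53")]},
    "tv":          {"mac": "02:00:00:00:00:03", "ip": "192.168.1.30",
                    "egress": [("tcp", "443")]},
}

def egress_rules(devices):
    """One accept rule per (device, protocol). IP and MAC must match together,
    so a host cannot borrow another host's allowances by changing its address."""
    return [f'    ip saddr {d["ip"]} ether saddr {d["mac"]} {proto} dport {{ {ports} }}'
            f' accept comment "{name}"'
            for name, d in devices.items() for proto, ports in d["egress"]]

def gen_ruleset(devices=DEVICES, pihole=PIHOLE, trusted=TRUSTED):
    """Return the ruleset text; load it on the gateway with `nft -f`."""
    return "\n".join([
        "table inet homefw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iifname lo accept",
        "    ct state established,related accept",
        '    iifname "wan" drop',                 # unsolicited WAN traffic is neutered
        '    iifname "lan" udp dport 67 accept',  # DHCP still has to reach the router
        f'    iifname "lan" ip saddr {trusted} tcp dport {{ 22, 443 }} accept',  # admin UI
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        '    iifname "wan" drop',
        # Plain DNS and DoT may only leave the LAN from the Pi-hole itself.
        f"    ip saddr != {pihole} ip daddr != {pihole} "
        "meta l4proto { tcp, udp } th dport { 53, 853 } drop",
        *egress_rules(devices),  # no matching allow rule: the default policy drops it
        "  }",
        "  chain dns_redirect {",
        "    type nat hook prerouting priority dstnat; policy accept;",
        # Clients with hard-coded resolvers are steered to the Pi-hole instead.
        f'    iifname "lan" ip saddr != {pihole} udp dport 53 dnat ip to {pihole}',
        "  }",
        "  chain dns_hairpin {",
        "    type nat hook postrouting priority srcnat; policy accept;",
        # Redirected queries go back out on the LAN; masquerade so the reply returns via the router.
        f'    oifname "lan" ip daddr {pihole} udp dport 53 masquerade',
        "  }",
        "}",
    ]) + "\n"
```

DoH cannot be told apart from other HTTPS at this layer, which is why the post leaves that part to the Pi-hole’s domain blocking.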

Thank you very much @TimHolus , you’ve given me a hell of a lot to think about, I think I need to reassess security, that’s for sure! I generally don’t have anything connectable from the outside world though, no port forwarding or anything like that. I keep it simple…mainly because it’s less likely to get broken!

You’re right about the claim of protection though, it’s not massively detailed in what it actually does:

I am going to look into locking static IP machines down though, thank you very much for the headsup and taking the time to inform me! :slight_smile: :+1:

1 Like

The only UniFi gateways worth buying right now are the Cloud Gateway Fiber, Cloud Gateway Pro Max, and Cloud Gateway Enterprise. Those 3 fill all product segments UniFi targets.
Of those, the Cloud Gateway Fiber is the 1st of a new generation gateway family, and also is the only one to support multi-gigabit PPPoE internet due to its new hardware offloading ability for that type of connection. So if you have that type of internet, which you do, then the UCG-Fiber is the only product you should be considering. Officially, U-CGF also supports between 5-7gbps traffic throughput over full Threat Management IPS mode (the notify and block setting). Unofficially, it can run IPS at line rate 10gbps in most cases but UniFi doesn’t want to advertise that or it will murder sales of their UDM Pro Max and Enterprise line.

The UniFi Threat Management runs Suricata under the hood and it pulls from Proofpoint’s Emerging Threat Intelligence. The free version is supposed to be updated at least daily, but not with the entire range of threats, only the most common ones. It isn’t the best still, unless you pay for the subscription, but it is infinitely better than nothing. The paid-for version is $99/yr and gets updated with everything and multiple times a day.

And while traffic itself is encrypted, that doesn’t mean packets aren’t scanned. Encrypted traffic doesn’t mean nothing about the traffic is known, that is a large misconception nowadays. Encrypted traffic only has the data payload of the packet encrypted, the source and destination must be readable otherwise the packet cannot be routed around the internet to where it needs to go. So by having a full list of known malicious servers you can already block off a ton of IPs and domains various malware reaches out to whether traffic is encrypted or not. The IDS/IPS uses signature based pattern matching to block these known traffic patterns of malware and known C&C servers. It also does full DPI on un-encrypted traffic.

Is it the best? No. But it is still useful and actually does protect traffic going in and out of the firewall. It also inspects inter-VLAN traffic as well, so infected devices can become detected and blocked off even without reaching out to the internet if you have segmented your network.

3 Likes

Thanks very much for that :+1:

That’s why I suggested it’s worth researching what exactly is behind the various slogans of various magic box suppliers. :slight_smile:
In the past, I’ve seen various claims that had little to do with reality. Of course, I’m not suggesting that this is the case here, just asking out loud before anyone spends any money. :slight_smile:

I’m fully aware that analysis also takes place outside the payload vector. But, to put it simply, this is a rudimentary analysis based on detected characteristics. And as you yourself said, if a service isn’t updated frequently with a full database, its effectiveness decreases. Furthermore, most IDSs detect typical large-scale corporate threats through deep packet analysis and are less targeted at home users.

As for blocking malicious addresses, we have a firewall for that, and we can also use appropriate lists, but there will likely be a $$$ threshold here as well.

Any additional security solution is obviously a plus, but at the end of the day, you have to consider whether it’s actually worth the $$$.

Let’s look at this from the perspective of a home network. DPI won’t play a significant role here. An IDS on its own will be extremely limited without access to the encrypted portion of the transmission. In 2025, unencrypted transmission will be a marginal element, and pattern detection via DPI in home networks will be marginal, I believe.
These are nice solutions, but they’re more useful in large networks.

The concept of DPI is a bit like a gunshot wound to the leg and applying a tourniquet to reduce bleeding, but that doesn’t address the core issue: the open wound in the leg. And that open wound is precisely the endpoint machine on the LAN, which, unprotected, still wants to bleed.

The focus of security should shift to the endpoint machines, not the central point in 2025, I believe. This is one of the reasons for the rise of EDR.

A home user will benefit more from DNS filtering than from IDS with DPI.
Most typical PC-based clutter is based on domains and less on a bare IP address. In the age of CDNs and large clouds, blocking threats based on IP addresses isn’t as effective as it once was. Sure, some percentage will be cut, but…
Most home traffic will benefit more from good domain filtering than from IDS/DPI.

I don’t often hear about mass success in detecting and stopping clutter based on IDS with DPI. I believe it’s not a magic solution.
Which, of course, doesn’t mean you should abandon it… but is it worth spending the extra $$$. :slight_smile:

As I’ve already mentioned, I prefer less “super technology” for SoHo and a more rigorous traffic and control policy. Another issue is when we have a larger network or servers with services that need to be exposed to the world. In that case, an IDS is absolutely necessary, but in that case, we also need to go a step further and consider a WAF. :slight_smile:

Nice price :slight_smile:
€330,87

@ChrisA If price isn’t an issue, you’ll have a nice box. :slight_smile:
Although open source fans would probably prefer x86 with pfsense / opnsense / ipfire anyway. :slight_smile:

3 Likes

Excellent take. I think as homelabbers and/or IT guys we often ‘wouldn’t mind’ having the same tech at home that we deploy at $DAYJOB.

But really, at home the person responsible is just us (no night shift, no junior analyst to trawl thru logs first, no sickness cover), plus there’s the WAF to consider :grin:

I run Opnsense and have been experimenting with Zenarmor. And I must say, “experimenting” is more true than not … since the homeLAB is a part of the home NETWORK, every time I spin up a new VM or something new communicates, Zenarmor alerted. My wife’s devices use the Apple “Private Wifi Address” protection so those MAC addresses change often.

There is only so much time I wish to invest in troubleshooting each day and I suspect most of us are in the same boat.

Thus one must consider the use-case for the LAN. Are we primarily supporting the family & family home or is this a testbed?

Long ago I decided that my firewall would dedicate one interface to a testNET (for want of a better word). At the very least, testNET has one machine with a removable bay in order to use a known-good (or best approximation thereof!) OS which can be used to test new hardware or unknown software. Ofc nowadays this is easier than ever with cheap SSDs :slight_smile: Currently only a few key machines on the LAN are locked down as @TimHolus describes (bidirectional filtering). Given my use case and likely attack vectors I’m comfortable having such “bastion hosts” (to misuse an older term) as being the only more trusted machines.

BTW I found it handy to note what the normal traffic and background activity on the LAN is like. If you know that the Piholes serve only 50 clients and circa 200K requests regularly each day, that your cloud backups run from 0300-0550 each day with most traffic going OUT - well, all this is your LAN baseline and as an admin, one should have a feel for this. Because nothing stands out quite as much as an odd traffic spike or increase in queries, this is also something you might be able to get the family interested in. My wife has view access to the firewall and since she’s a geek too :slight_smile: she’ll ask if there’s something she does not understand.

Anyways, sorry for rambling on this interesting thread :+1:

1 Like
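The “know your LAN baseline” point above, as an added example that is not OliverT’s tooling: one window of Pi-hole query-log lines (dnsmasq format, constructed here) is counted per client and compared against a constructed per-client baseline, flagging both spikes and clients that have never been seen before.

```python
"""Compare one window of Pi-hole query-log lines against a per-client baseline
and flag what does not fit it. Added example around the "know your LAN
baseline" advice above; not OliverT's tooling. Log lines, addresses and
baseline numbers are constructed; the line format follows dnsmasq's
/var/log/pihole.log style."""
import re
from collections import Counter

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")

# Constructed sample: a quiet workstation, a TV that suddenly gets chatty,
# and an address that is not in the baseline at all.
SAMPLE_LOG = "\n".join(
    ["Jan 15 03:10:01 dnsmasq[812]: query[A] backup.example.net from 192.168.1.10",
     "Jan 15 03:10:01 dnsmasq[812]: forwarded backup.example.net to 1.1.1.1",
     "Jan 15 03:10:02 dnsmasq[812]: reply backup.example.net is 203.0.113.5"]
    + [f"Jan 15 03:{12 + i // 60:02d}:{i % 60:02d} dnsmasq[812]: query[A] "
       f"n{i}.telemetry.example from 192.168.1.30" for i in range(25)]
    + [f"Jan 15 03:20:0{i} dnsmasq[812]: query[TXT] c{i}.example.org from 192.168.1.44"
       for i in range(3)]
)

# Constructed baseline: usual query count per client in a 15-minute window.
BASELINE = {"192.168.1.10": 20, "192.168.1.30": 8}

def count_queries(log_text):
    """Count query lines per client; 'forwarded'/'reply' lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[m.group(3)] += 1
    return counts

def flag_anomalies(counts, baseline, factor=3):
    """Return (client, count, reason) for clients exceeding factor x their
    baseline, or with no baseline at all (a device you did not know about)."""
    findings = []
    for client, n in sorted(counts.items()):
        if client not in baseline:
            findings.append((client, n, "unknown client"))
        elif n > factor * baseline[client]:
            findings.append((client, n, f"spike: {n} vs baseline {baseline[client]}"))
    return findings

if __name__ == "__main__":
    for client, n, reason in flag_anomalies(count_queries(SAMPLE_LOG), BASELINE):
        print(f"{client:15} {n:4d}  {reason}")
```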

Exactly, in general, separation and tight control are the first steps in a home network.
No one at home will spend 5 hours a day analyzing logs and packets.
The typical communication vector for malware on home machines is usually outgoing traffic on standard TCP 443, which masks the malicious traffic with normal traffic, making it very difficult to spot anomalies.
The second level is outgoing traffic on less common ports, regardless of whether it’s TCP/UDP.
If we have a properly blocked WAN, the home PC will be infected 9 out of 10 times through the browser or email client. These are the primary entry points… later, it’s a matter of whether the user clicked something or the code executed itself due to vulnerabilities. The user downloaded something (PDF) or a file pretending to be something else.

This is why protecting the end machine in 2025 is so important. :slight_smile:

1 Like

Hey guys!

Well you’ve been talking about things that are way above my pay grade, but it’s been an interesting read for sure! :+1:

I did just wonder though:

I’m inclined to get the Max, mostly due to the cost difference between that and the Fiber - £200 vs £325. I saw the spec and thought that it matched my needs - I’m not a network/security engineer for a living, so as @OliverT said, I won’t be spending days looking over logs.

If I have the time, I would be happy to get a PFSense box setup, but that’ll have to wait until I’ve finished the million other projects that are lined up :roll_eyes:

Welcome any further comments!

1 Like

Oh and interested to see BT trying to ‘win’ me back (just a reminder but I’m paying £31 a month for 900Mbps and max line speed appears to be 1150Mbps).

1 Like

Jeez, that is some large price increases…

I guess at least they let their potential victims know in advance?

1 Like

If it meets your needs and you have no plans to go above 2.5gb 1gb on the internet or LAN side until you upgrade the router again then it would be fine to go with the Max and save some money.

Edit: I just remembered that because the Max is one of the gateways from the older generation it doesn’t really get above 1-1.5gb throughput on PPPoE internet connections.

1 Like

Oh, was it less than that a while back?

I think they only make their victims aware BEFORE they enter into a contract, probably less so when they’re already in! :roll_eyes:

Thanks for answering mate :+1: I can’t see any time when I would go over 1, let alone 2.5! I’ll save some pennies and get it at some point, thanks! :+1:

1 Like

I mean the plan prices with built in 10% rises each year, built into the plan itself.

Not like “£30/month for 2 years, then market rate at that time” like a phone plan or something.

1 Like

Agree with @EniGmA1987 and for the same reasons.

And ofc a pfsense box or similar can be a future TechProject for a TestNET which has the bonus that if you mess it up Friday evening, you can switch it off and chill without annoying the family :grinning:

1 Like