Ubiquiti vs DIY?

So seeing this on sale today (1) made me wonder if I should go this route or with a DIY solution like a pfSense build. I have a small home network, with a TP-Link Archer C2600 and several PCs, and a confused family member who fell for a support scam and is on a time-out from tech.

1: https://www.newegg.com/Product/Product.aspx?Item=0XK-000W-00060&utm_medium=Email&utm_source=IGNEFL102318&cm_mmc=EMC-IGNEFL102318--EMC-102318-Index--FirewallsSecurityAppliances-_-0XK-000W-00060-S0E&ignorebbr=1

That’s pretty much the normal price, it’s a couple bucks cheaper on Amazon. I have a full Ubiquiti stack myself and like it a lot, but it’s way overkill for a home network. Get it as a toy like me if you think you’ll enjoy setting it up. Otherwise just stick with your consumer-grade router.

I should be more clear: I’m looking for some sort of IDS functionality along with your typical firewall rules and such. Something that helps when a confused family member, having been told not to, decides to open up a PC to a support scammer who then tries to install malware onto the old man’s PC, making me drive 50 miles back to the house to pull the plug manually and give him a time-out from computers.

I use both. I have a pfSense build at home and I have my parents running on Ubiquiti gear. Mind you, I’ve never used their Security Gateway, but their routers and access points provide top-notch performance for the money.

So, if you like to tinker and have some disused hardware, I’d strongly recommend pfSense. You’ll definitely learn a lot. If you want a simple, easy-to-use, set-it-and-forget-it deployment, or have limited space, it is difficult to beat Ubiquiti. I’ve found their hardware to be totally reliable, but the most impressive thing about them is that every couple of months they release firmware updates, both to patch security bugs and to add functionality. You won’t get this with any other consumer-grade gear.

EDIT: For IDS, pfSense offers both Snort and Suricata. Last I looked, IDS was not directly supported on Ubiquiti’s SOHO gear, and I’m not sure these devices would have the necessary horsepower even if it were.

1 Like

IDS is fully supported on all Ubiquiti gear, but it has a severe performance impact, particularly at the lower end. If you really need IDS you should be going for pfSense.

But just keep in mind that you’re going to be supporting that install for the rest of your life. It would be less annoying and expensive to just get your nana a Chromebook and tell her it’s immune to all viruses, that anyone saying otherwise is a scammer, and to just hang up.

3 Likes

Seems dependent more on traffic etc. If you’ve got a 5 Mbps connection, you’re never going to notice the difference. But I was also going to bring up the same point: if you have some specific needs or a high-bandwidth connection and don’t want to spend the money on the higher-end USG, for example, you could roll your own, probably for a little cheaper, but you’d also need to manage/set up more, and you’d need to make sure to buy the right hardware.

But otherwise, I run the Ubiquiti IPS with zero issues on bandwidth; it’s at the limits of its capability on my ISP link though (from what it tells me).

The USG3 supposedly maxes out somewhere from 30-50 Mbps with IDS active. So if you have a very poor ISP, that might make sense, I guess.

I’m doubtful you’ll be able to have a set-it-and-forget-it setup that’s effective. It’s more likely your gullible family member has learned from the bad experience.

USG: 85 Mbps, USG-Pro: 250 Mbps, USG-XG-8: 1 Gbps.

I’ve not done extensive testing, but my connection has been maxing out on normal use without issue.

<100 Mbps is still very slow, even for US ISPs. The USG Pro would cover a lot more, but it’s $300 just for the router.

As I said, there is an impact: it turns off hardware offloading. But it’s not 30-50 Mbps. If you have over 80 Mbps then one of the other USGs is the way to go, if you go down that route.

Just saying what I’ve experienced. For under 80 Mbps the standard USG works pretty well.

Router and software. What’s the equivalent pfSense build with the same throughput with IPS etc. on?

$300 disappears fast when you build your own as well. There are ups and downs to both.

Yes, it’s tough to build something capable of running IDS across gigabit for $300. PC Engines boxes don’t have the juice and Qotoms are a bit more than that, last I checked.

Edit: Actually you can get a Qotom with a Broadwell i5-5200U, 2GB RAM, and a 32GB SSD for $283. That should do the trick. That’s pretty much what I would get if I wasn’t addicted to those green circles in the UniFi dashboard.

https://www.aliexpress.com/store/product/Free-Shipping-4-Gigabit-LAN-ports-Mini-PC-Celeron-3215U-Core-i3-Core-i5-WIFI-using/108231_32829499825.html

The Celeron 3215U model (Broadwell Celeron, not Atom) would save $100 and make a fantastic router, but I doubt it has the juice for gigabit Suricata.
Edit2: The 3215U doesn’t have AES-NI; don’t buy that.

It’s actually silly just how expensive the Qotom boxes are. I bought a mini-PC roughly the size of one and a half NUCs with an i5-6500, 16GB DDR4, and a 256GB SSD off eBay for $300 a couple of months ago, and use it as a home server. If only it had a second Ethernet port!