OVERKILL
$100 Site Donor 2021
My MX subscription was up for renewal so I figured now would be a good time to try out something new. @Rand had told me of his positive experience with his UDM, so I ordered one up to lab it out and see how it compared.
Previously, I was using a Cisco Meraki MX64 w/SEC subscription, which gives you IDS, AMP and content filtering in addition to the basic firewall functions. Before that I was using a Cisco ASA, before that, a Juniper SSG.
On to the UDM:
This unit can be either cloud or locally managed. While you can do pretty much everything through the cloud/WebUI, as @wwillson is eager to point out, since it is just a Linux box, you can SSH into it and manage iptables directly through the CLI, as well as perform other functions that the GUI doesn't allow you to do.
McCann has a great table that compares the specs of the different models:
UniFi Router Comparison: USG vs UDM vs UXG — McCann Tech
Overview and comparison of all UniFi router models: USG, USG-Pro, UDM, UDM-Pro, UDM-SE, UXG-Pro and UDW.
evanmccann.net
With 3.5Gbit of IDS/IPS throughput, it is massively more powerful than the MX64, and this is quite obvious in use where the reduction in latency is quite apparent.
It shows up in a big box:
And this is what it looks like installed (it's rack-mount):
You are prompted to perform the initial setup using the phone app, which wants you to create an account to manage it through the cloud. The process is very straightforward; I just recreated my VLAN config and everything just "worked" out of the box.
The unit had to reboot three times for firmware updates. Despite the unit being fresh stock, it had to do one V2 firmware upgrade, then an upgrade to 3.x, and then a further upgrade to 3.1.x to get on the current release.
You don't have a lot of control over the switch ports, unlike the MX64, which allowed granular config of each port (the lower-end ASAs are the same way).
The Dashboard looks great, and is easy to navigate. However, it's a bit disjointed compared to the Cisco Meraki one, but then you aren't paying for a subscription, so I'm not going to harp too hard on it.
Configuration was very straightforward, though some of the category descriptions are a tad vague.
I ran into an interesting artifact/bug with respect to trying to control DNS traffic, which took me longer than it should have to figure out:
I created a rule to block all outbound DNS queries, placing it after a rule to allow DNS queries to my specific DNS servers. Neither rule worked. I played around assigning it to different interfaces, changing the scope, changing how it was applied, etc. I even created an explicit single rule to block all queries to Google DNS; I could still hit it with nslookup and resolve queries, but could no longer ping it.
On a hunch, I removed one of the networks from the ad blocking, and then all of a sudden the rules for that network worked. It was at that moment I realized that the ad blocking on the device must re-route DNS queries and create a DNS allow rule that you can't see from the GUI, which of course then overrides any of the DNS blocking rules I was creating. Turning off the ad blocking feature removes the hidden rule, and the user-defined rules then work as expected.
While this unit is a bit expensive for the Joe Average home user, I do think that the more consumer-geared models with integrated Wi-Fi, priced more moderately, are a very good option for people looking for something better than your Best Buy/Walmart special.
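The DNS problem described in the post is a classic rule-shadowing case: an earlier, broader ACCEPT for port 53 makes every later DROP for port 53 dead code, and the GUI never shows the earlier rule. Since the post notes that the UDM is a Linux box you can SSH into and inspect with iptables, the following added example (not from the post, and not Ubiquiti's code) shows how a defender can check for that condition from an `iptables -S` listing. It assumes only the standard `-A CHAIN ... -j TARGET` line format; the chain name, the rule comments and the sample listing are constructed to mirror the situation described above, not captured from a real device, and the comment text marking the hidden rules is hypothetical.

```python
"""Find user-defined DNS block rules that are shadowed by an earlier ACCEPT.

Added example, not code from the forum post or from Ubiquiti. It parses
`iptables -S`-style lines and reports any DROP/REJECT rule for a given port
that an earlier ACCEPT rule in the same chain would already have matched.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample listing (NOT real UDM output). The two leading ACCEPT
# rules play the role of the hidden allow the ad-blocking feature inserts;
# the user-defined rules below them never get a chance to match.
SAMPLE_RULES = """\
-A FORWARD -p udp -m udp --dport 53 -m comment --comment "hypothetical: ad-blocking redirect" -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -m comment --comment "hypothetical: ad-blocking redirect" -j ACCEPT
-A FORWARD -d 192.0.2.53/32 -p udp -m udp --dport 53 -m comment --comment "user: allow my resolver" -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -m comment --comment "user: block all other DNS" -j DROP
-A FORWARD -p tcp -m tcp --dport 53 -m comment --comment "user: block all other DNS" -j DROP
-A FORWARD -d 8.8.8.8/32 -p icmp -m comment --comment "user: block ping to Google DNS" -j DROP
"""

# The same listing with the ad-blocking rules gone, i.e. after the feature is disabled.
RULES_WITHOUT_ADBLOCK = "\n".join(
    line for line in SAMPLE_RULES.splitlines() if "ad-blocking" not in line
)

_CHAIN = re.compile(r"^-A\s+(\S+)")
_PROTO = re.compile(r"\s-p\s+(\S+)")
_DST = re.compile(r"\s-d\s+(\S+)")
_DPORT = re.compile(r"\s--dport\s+(\d+)")
_TARGET = re.compile(r"\s-j\s+(\S+)")
_COMMENT = re.compile(r'--comment\s+"([^"]*)"')


@dataclass
class Rule:
    index: int                               # position in the listing (evaluation order)
    chain: str
    proto: Optional[str]                     # None means "any protocol"
    dst: Optional[ipaddress.IPv4Network]     # None means "any destination"
    dport: Optional[int]
    target: str
    comment: str


def parse_rules(listing: str) -> List[Rule]:
    """Turn `iptables -S` output into Rule objects, skipping -P policy lines."""
    rules: List[Rule] = []
    for line in listing.splitlines():
        line = line.strip()
        chain = _CHAIN.match(line)
        target = _TARGET.search(line)
        if not chain or not target:
            continue
        proto = _PROTO.search(line)
        dst = _DST.search(line)
        dport = _DPORT.search(line)
        comment = _COMMENT.search(line)
        rules.append(Rule(
            index=len(rules),
            chain=chain.group(1),
            proto=proto.group(1) if proto else None,
            dst=ipaddress.ip_network(dst.group(1), strict=False) if dst else None,
            dport=int(dport.group(1)) if dport else None,
            target=target.group(1),
            comment=comment.group(1) if comment else "",
        ))
    return rules


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet `later` would match is already matched by `earlier`."""
    if earlier.chain != later.chain:
        return False
    if earlier.proto is not None and earlier.proto != later.proto:
        return False
    if earlier.dport is not None and earlier.dport != later.dport:
        return False
    if earlier.dst is not None:
        # A destination-restricted ACCEPT only fully shadows a DROP aimed inside it.
        if later.dst is None or not later.dst.subnet_of(earlier.dst):
            return False
    return True


def find_shadowed_blocks(rules: List[Rule], port: int = 53) -> List[Tuple[Rule, Rule]]:
    """Return (block_rule, shadowing_accept) pairs for DROP/REJECT rules on `port`."""
    found = []
    for block in rules:
        if block.target not in ("DROP", "REJECT") or block.dport != port:
            continue
        for accept in rules:
            if accept.index < block.index and accept.target == "ACCEPT" and covers(accept, block):
                found.append((block, accept))
                break  # first shadowing rule is enough to explain the symptom
    return found


def report(listing: str, port: int = 53) -> List[str]:
    """Human-readable findings, one line per shadowed block rule."""
    lines = []
    for block, accept in find_shadowed_blocks(parse_rules(listing), port):
        lines.append(
            f"rule #{block.index} ({block.comment!r}) is never reached: "
            f"rule #{accept.index} ({accept.comment!r}) accepts the same traffic first"
        )
    return lines or [f"no shadowed port-{port} block rules"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULES)))
    print("\n".join(report(RULES_WITHOUT_ADBLOCK)))
```

Run on a real box you would pipe `iptables -S <chain>` into `parse_rules` instead of the constructed sample; the check is deliberately conservative and only reports full shadowing, so a partially overlapping allow (say, one limited to a single subnet) will not be flagged even though it still punches a hole in a block rule.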