Ubiquiti UniFi – USG 101

Hello Networking Guys,

In this post, I will try to explain basic USG features and some important configurations to get the most benefit from USG.

UniFi Network Controller

Ubiquiti UniFi family offers Small Office/Home devices at a reasonable price with good performance and network analysis tools. All UniFi devices are managed by a UniFi Controller and they integrate with the controller that is located on-site or remote site.

All configuration changes are committed from the controller and also controller collects real-time metric data from all registered devices to provide you insights about your network activity. For instance, you can check current internet speed, connection status for wired and wireless clients, clients that consume most bandwidth and applications that are used mostly.

UniFi Controller may be installed on a Windows/Mac/Linux computer, also you can purchase a UniFi CloudKey Gen1/Gen2 if you want an always-on controller in your network. UniFi CloudKey is a different product to explain but at least it is a UniFi Controller application installed Linux computer and Gen1 UCK can be powered by PoE! Gen2 device also has disk capacity to integrate with your UniFi Security devices, like cameras.

What is USG?

USG (UniFi Security Gateway) is a stateful L4 firewall with limited UTM capabilities. I will explain that below what limited capabilities mean.

USG works as a central network firewall on your network and inspect all traffic from LAN to WAN or LAN-to-LAN (Inter-VLAN Routing) between your VLANs. So, you can achieve the most network-level security between LAN and WAN and between your local VLANs.

It also provides S2S VPN and SSL VPN features and you can setup VPN tunnels to other USG devices or other vendor devices.

USG has different models but in this post I will examine USG3P, which is entry level 3 port product.

USG-3P (formerly known as USG) has 3 Gigabit Ethernet port and 1Gbps throughput. This means that total traffic cannot exceed 1Gbps on the device at a given time. I think this is really enough for most WAN installations and VLAN-to-VLAN traffic.

USG3P also supports IPS features but it comes with a dramatic negative impact on the device. When you enable the IPS feature on the device, (BLOCK or LOG) maximum throughput is downgraded to 85Mbps, which is not enough for most deployments. Also, this same behaviour applies to the Smart Queue feature of the box, which provides QoS capabilites.

The real reason behinds this drawback is really simple. By default, USG uses hardware offloading and doesn’t use CPU to inspect traffic. However, when you enable IPS or Smart Queues, USG automaticaly disables hardware offlading and all packets are proccessed by CPU. USG doesn’t have a really powerful CPU and it is impossible to inspect all packets for it. So, if you need IPS or Smart Queue features, USG3P may not be a good choice for you. However, espacially for home networks, it is really powerful to handle on site traffic, at least if you don’t have 10G connections in your home.

How to use it!

I just upgraded my gear with UniFi products and they are not in prod in my home yet, so I will try to add posts when I opened and installed each device.

Thanks!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.