This is one of the best walkthroughs I have seen for pfSense alone... This one is a bookmark for sure...
Glad you enjoyed :)
@@MactelecomNetworks Thanks for this video, it was SUPER helpful. Quick question for you. I'm going from a USG with several VLANs to a pfSense soft router. I'm wondering, if I gave my pfSense router the same IP address as my USG, would all my UniFi networks work as-is with them set to CORPORATE networks, or do you think I should change them to be VLAN only? Thanks again for this vid, it was an excellent guide.
Nice tutorial. Just got a pfSense firewall and want to integrate it in front of my Ultimate Dream Machine Pro. I feel prepared now for the next step: integrating it. You earned a bookmark.
You have the BEST tutorials period!
Nice tutorial. Pity the UniFi firewall is still so basic. When Chris Buechler, one of the co-founders of the pfSense project, left 5 years ago to join Ubiquiti, I really thought it was to get the firewall in UniFi up to a standard people expect, but that hasn't happened, sadly. I've been using pfSense since 2007 and I haven't used a UBNT UniFi firewall in all that time as it feels so limited.
How do you know if you haven't used it since 2007 ;)
@@psycl0ptic Seen many tutorials in that time, read release notes etc because I was using UniFi for Wi-Fi and a little bit of switching.
Great end to end... covers all the steps. So many tutorials out there are missing a couple of key steps.
Nice tutorial. One thing to note is you will want to turn off the DHCP noted at 8:16, as you turned on DHCP in pfSense at 4:17. You don't want two DHCP servers on the same subnet.
Good catch. Of course in this case the DHCP server in UniFi is non-functional since there is no UniFi gateway. In future releases of the UniFi controller they hide (gray out) options that are not available when there is no UniFi gateway in the network.
Excellent and easy as eating a pie...Loved and highly appreciated...exactly what I was looking for..🤩
Great job Cody!
Good video. I'm a big fan of PFSense and Unifi. The Unifi UI is about to change again a bit with 7.xx.
Yup seen that
Thank you so much for this video, just configured a Netgate 6100 with 10 AP Enterprise Pros.
Glad this was able to help :)
14:48 Why does this rule not block a device on Staff from pinging other devices on the same (Staff) network since the RFC1918 includes all private IP addresses including the ones in its own VLAN?
How does the native VLAN play a part here?
I was pulling my hair out until I saw your video. Video is complete and I was able to figure out my "user error"
NICE AND SIMPLE TO FOLLOW, THANKS. My WiFi now connects a lot quicker as I redid my VLAN setup on my UniFi controller.
@Mactelecom Networks Is it possible to link the Netgate 6100 to the UniFi using an SFP+ connection? Any benefit to this?
Great video! Question: I run a UDM Pro, actually two, one at my home and one at my office, but also have a pfSense box that I would like to experiment with. Is there a possible way that pfSense can work with the UDM Dream Machine Pro, utilizing the best features of both? If so, how would one set this up? I like the way that pfSense handles internal host domains, something that I'm trying to set up on my UDM Pro. So basically I registered a domain and want the local machines to be accessed with that domain both internally and externally. I can't quite figure out how to accomplish this securely with the Dream Machine Pro. Thanks for all the videos.
You talked about linking another video for the setup of this. Could you supply that or add it to the description please? This is some REALLY GOOD WORK!! The breakdown is amazing!!!
Sorry, ya, forgot to link it. It was really just looking at the Netgate 6100 and doing the initial config, but here's the link:
ua-cam.com/video/lgDXYGOMScI/v-deo.html
@@MactelecomNetworks appreciate it. This really is good stuff.
Just one question: if you are not using a USG router, how do you get the info from your network? I mean the info you usually get from the dashboard and from stats.
Heh, thought router on a stick was long dead, it's still clinging on :) I put a cheap layer 3 switch in front of my pfSense; brings more to the table, reduces downtime, uplink saturation, etc. For a home environment though this would work a treat 👌
Would you recommend pfSense or Dream Machine Pro for FW configurations? Also any recommended appliances for pfSense?
All depends on your needs. If you just need basic firewall connectivity (no policy based routing, whole home VPN, high availability) then the UDM Pro is great.
As for Netgate appliances I recommend the 2100 or the 6100.
RFC1918 is a group of the other LANs you have in pfsense?
Great video. Since the launch of UniFi Express, would it be advised to remove the cloud key and install the UniFi Express in between pfSense and the USG switch, giving me additional network features, intrusion detection and intrusion prevention? I realize pfSense can also offer this, but can you run both in addition to ad blocking?
Thanks for the video, much appreciated.
I recently replaced my Edgerouter X with a Netgate 3100 and the main reason I chose a Netgate instead of a UDM Pro is the pfSense firewall.
In the pfSense firewall I understand what I do and can do my own rules, but in the Edge OS I have no idea. I search UA-cam for settings and try to copy them to my own router with varying results. And the UniFi firewall is also a bit unclear in my opinion.
Doesn't the router drop-down in the network settings allow you to select Third-party Gateway? If you use that it gets rid of all the settings.
I don't have the equipment yet, but I have some unifi stuff coming and was wondering, what's better, using unifi for dhcp and such, or pf/opn-sense? Or is it about equal? Either way I'll have to learn it (watch a bunch of YT videos) to set it up.
Now Cody, I run a restaurant and they have their own system in place for POS. Their system is connected to our system, which then goes out to the internet. Wouldn't RFC block the internal IP of the POS router from accessing the internet?
The RFC1918 rule just blocks the networks from seeing each other, not the internet.
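The three RFC1918 questions in this thread (why the rule at 14:48 does not stop Staff hosts pinging each other, whether the alias is "the other LANs", and whether it blocks internet access) all come down to where the rule sits in the packet's path. The following is an added example, not code from the video or from pfSense itself: it models first-match rules on a router-on-a-stick using constructed VLAN addressing (192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24) and a hypothetical decide() function.

```python
"""
Added example, not code from the video or from pfSense: a small model of
first-match firewall rules on a router-on-a-stick with three VLANs, used to
show which traffic a "block to RFC1918" rule actually catches.
"""
import ipaddress
from typing import NamedTuple, Optional

# Constructed lab addressing (assumed, not the video's exact values).
VLANS = {
    "STAFF": ipaddress.ip_network("192.168.10.0/24"),
    "GUEST": ipaddress.ip_network("192.168.20.0/24"),
    "CAMERA": ipaddress.ip_network("192.168.30.0/24"),
}
# The router holds the first usable address on every VLAN interface.
GATEWAYS = {name: net.network_address + 1 for name, net in VLANS.items()}

# The RFC1918 alias is the three private ranges themselves, so it covers every
# VLAN above (and the router's own interface addresses), not just "the other LANs".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Rule(NamedTuple):
    action: str             # "pass" or "block"
    dst: object             # list of networks, "THIS_FIREWALL", or "any"
    dport: Optional[int]    # None = any destination port


def rule_matches(rule: Rule, dst_ip, dport, in_vlan: str) -> bool:
    if rule.dport not in (None, dport):
        return False
    if rule.dst == "any":
        return True
    if rule.dst == "THIS_FIREWALL":
        return dst_ip == GATEWAYS[in_vlan]
    return any(dst_ip in net for net in rule.dst)


# Rules on the STAFF interface, evaluated top to bottom, first match wins.
# DNS to the router is allowed *above* the RFC1918 block on purpose: the
# router's 192.168.10.1 sits inside 192.168.0.0/16, so the block would
# otherwise silently kill name resolution for the whole VLAN.
STAFF_RULES = [
    Rule("pass", "THIS_FIREWALL", 53),
    Rule("block", RFC1918, None),
    Rule("pass", "any", None),
]


def vlan_of(ip) -> Optional[str]:
    return next((n for n, net in VLANS.items() if ip in net), None)


def decide(src: str, dst: str, dport: Optional[int] = None,
           rules=STAFF_RULES) -> str:
    """Return 'switched', 'pass' or 'block' for a packet from src to dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_vlan = vlan_of(src_ip)
    if in_vlan is None:
        raise ValueError(f"{src} is not on a lab VLAN")
    # Traffic for a host on the same subnet goes host -> switch -> host; the
    # router (and therefore its rule set) is never in the path. Only traffic
    # addressed to the router itself, or to another subnet, reaches the rules.
    if dst_ip != GATEWAYS[in_vlan] and dst_ip in VLANS[in_vlan]:
        return "switched"
    for rule in rules:
        if rule_matches(rule, dst_ip, dport, in_vlan):
            return rule.action
    return "block"   # pfSense's implicit default deny


if __name__ == "__main__":
    for src, dst, port in (("192.168.10.5", "192.168.10.6", None),
                           ("192.168.10.5", "192.168.20.6", None),
                           ("192.168.10.5", "8.8.8.8", 443),
                           ("192.168.10.5", "192.168.10.1", 53),
                           ("192.168.10.5", "192.168.10.1", 443)):
        print(f"{src} -> {dst}:{port or 'any'}  {decide(src, dst, port)}")
```

Same-subnet traffic is switched and never reaches the router, so no rule on the router can touch it; cross-VLAN traffic and traffic to the router's own interface address do hit the rules, while internet destinations fall through to the final pass. That ordering is also the practical caveat: any allow for DNS or DHCP to the firewall itself has to sit above the RFC1918 block, or the block eats it.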
Do I need a Cloud Key? I tried connecting the SG1100 LAN straight to the switch and nothing is happening... won't show up in the UniFi Network application.
Nice one, but going OT, I don't like Netgate since they EOS'd the 3100 and 5100. Now they point to the 2100 as the successor of the 3100. Don't know what kind of business positioning these devices have in other countries, but in my country (Poland) the 3100 was just fine for small business. The 2100 is not.
Downsides of running the UniFi controller on the pfSense box? Not asking if it can be done, but asking from a security and topology perspective.
Do you still get the unifi network stats and insights using pfsense as a router and unifi as a switch?
Can you discuss how to update UniFi devices that have really old firmware by inputting the link address of where to pull the firmware update from? I have a few that get stuck if trying the standard update method and either won't complete or want to be adopted again. Thanks
SSH into the device and then use ubnt-upgrade link_of_firmware_file.
Don't push the latest update in your first try but instead do it gradually, i.e.: firmware v1.0 -> v2.0, v2.0 -> v3.0 and so on.
ua-cam.com/video/KileMaE0SFo/v-deo.html
Bit older of a video but should still be relevant
Hoping someone could explain why I don't see STAFF net. In my environment it's IoT and I don't see IoT net as source?
Does the PC that's hosting the UniFi Controller have to be in the same subnet as the other UniFi gear? If not, how can the PC adopt the other gear? Thanks a lot!
If you're using a PC as your controller it needs to be in the same subnet as your gear.
Awesome tutorial
Excellent!!
@Mactelecom Networks Thanks for this video, it was SUPER helpful! Quick question for you. I'm replacing my USG-3P router with a pfSense soft router. I'm wondering, if I gave my pfSense router LAN network the same IP address as my USG, would all my UniFi networks work as-is with them set to CORPORATE networks, or do you think I should change them to be VLAN only? Thanks again for this vid, it was an excellent guide.
I'm about to do the same thing. I tried just unplugging the USG and putting in the pfSense, but I can't get out to the net. I can ping the pfSense and log in to it. It says it grabbed a new WAN IP. I'm only using the default VLAN. I'm wondering if I have to make a new site in my local UniFi controller and move my USW Pro 24 and two APs over to it?
If you use network isolation under advanced features that will allow you to use VLAN only and assign them to switch ports instead of creating dummy networks with fake IP ranges.
Been told that a bunch of times on this video lol. Added a note to the description. I have no idea why Ubiquiti would add it there, makes no sense to me.
Maybe overkill for your scenario, but why route all VLANs over 1 physical NIC instead of segregating them over other physical ports? For instance, your camera network would benefit from being routed over 1 physical port, especially if you have many cameras. What do you think? You have the 6100, so I would use the advantage of so many ports.
You could do that, but I would much rather put all the VLANs down multiple links using a LAG group; that way you have redundancy.
@@MactelecomNetworks great feature. I didn’t know that was supported.
Hi Cody. I may be wrong about this, but I think in the new Unifi UI, the "VLAN Only" network option has been moved to the Advanced Features section. It is now shown as "Network Isolation." I tested this by switching to the old UI, creating a VLAN only network and then saw that the new UI displayed that network in the Network Isolation section. It seems to work how you set it up as well, not sure what the differences are between the two setups without a USG/UDM as the router.
Network isolation I believe is to make a “guest” network if you have a Ubiquiti router but I’ll take a look
@@MactelecomNetworks When I originally commented I mistakenly wrote "Guest" because I was watching the part of the video where you were creating the guest network. I meant "VLAN Only."
Came here to say the same. It’s odd to me their changing of how VLAN’s are displayed and created in the new interface. But yes, this is where VLAN-only entries are made now.
@@mikegill1669 Good to know, I rarely ever use the new interface.
This is really a great video! Learnt a ton. Is there a way to put a pfSense box in with a UDM Pro behind it as a passthrough/bridge?
I too would like to know this
Yes you can, just connect the WAN port to one LAN port on the UDMP. You can find answers if you google the topic in the UniFi community forum.
@@rasamaha2024 all the times I've looked in the past it was always poor. Also required command lining in and the changes some persist after an upgrade. Looking for something more permanent.
Dammit! I understand the firewall rules better in pfSense than in UDM Pro... (I have a UDM Pro, a buddy of mine uses pfSense). Also, it seems you can add rules above or below the existing rules in pfSense? Don't think you can do that in UniFi, or can it be done?
You can add rules above or below in Ubiquiti, you just need to grab the rule and drag and drop it. You can also do rule ordering in pfSense.
@@MactelecomNetworks Well I tried it in the past and now tried it again... but I can't drag and drop the FW rules... not by clicking, right-clicking, holding the mouse button, etc... Or am I missing something here lol... Do you have a video about it or can you make a quick one lol... Thx anyway...
When I create a rule I can choose the before/after predefined rule option, but I can't change the standard rules in the FW. (Or is that the purpose, that I can't change them perhaps?)
Why do people make subnets "wide" open? Do you really need a 254-address subnet for the camera system? I always see this. Good video, Sir.
Could make it smaller, sure, but they are private subnets anyway so no harm. If you're thinking because of security, we would do that other ways.
Generally you tend to stick to /24 (255.255.255.0) subnet masks because they are easier for humans to work with and people semi-expect it too. As a network engineer I only tend to use smaller segments that aren't end-user facing and only IT people will touch, because most people, like a printer tech, will expect a /24 and just blindly populate the subnet mask as 255.255.255.0.
I have been running pfsense with Unifi for a long time, but in the end found that running a fortigate makes much more sense. pfsense over time develops issues with updates, has issues with handling a power outage and VPN just doesn't work that well, having to deal with open source clients.
Never had an issue with PFsense. Also I’ve never used fortigate maybe I’ll give it a try
Have not experienced the problems you describe. Also don't see that as a common theme in the forums. Sorry you have had that hassle.
The new controller software has more bugs than an ant colony. Can no longer assign VLANs to switch ports and my AP constantly drops SSIDs from broadcasting. DO NOT update to this version. Support was supposed to contact me 2 days ago. Not a peep.
The blaring question is, where is the camera recording to?
In this video, nowhere. This is just a lab. But when I do a review on the Reolink camera it will be connecting to my Synology.
@@MactelecomNetworks ahhh, surveillance station. You purchasing the license or going the "other" route?
Each Synology NAS comes with two licenses. I won't be having the reolink active for long just to do my video. I use Ubiquiti cameras for my house
Thanks.
Did someone say hosted Protect??
Nope I don’t think so lol
Why would you use pfSense instead of a Dream Machine? Giving an example and reason for using this setup would help any non-network experts, which I am guessing is half or more of your users.
Many reasons, if you need more advanced routing like policy based routing, firewall logs, high availability, etc.
Don't get me wrong, I love UDM Pros but I also like pfSense.
Multi WAN?
Money
Thank you - nice walkthrough - but it hurt my eyes to see how you segment your /24 networks. .10 to .200 isn't very binary. I would like to see something like .64 to .127 or .128 to .254 both can be described in one line of code 🙂 old school i know
Everyone has different ways of doing things
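The two subnet threads above (the "254-address subnet for cameras" question and the ".10 to .200 isn't very binary" remark) share one underlying point: a range only collapses to a single prefix when it is aligned on a power of two, and a segment only needs as many bits as hosts it will actually carry. The following is an added example, not from the video or any commenter, using the Python standard library and constructed 192.168.10.0/24 lab addressing; the helper names are hypothetical.

```python
"""
Added example (not from the video): why binary-aligned ranges are one CIDR
block while "human" ranges are many, and how small a segment can be for a
given host count. Addressing is constructed lab data.
"""
import ipaddress
from typing import List


def cidr_blocks(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks covering first..last inclusive."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def smallest_prefix_for(hosts: int) -> int:
    """Smallest IPv4 prefix length whose usable host count (2^(32-p) - 2)
    covers `hosts`. A /31 or /32 has no usable hosts, so start at /30."""
    for prefix in range(30, -1, -1):
        if (1 << (32 - prefix)) - 2 >= hosts:
            return prefix
    raise ValueError("host count does not fit in IPv4")


def right_sized(base: str, hosts: int) -> str:
    """The network `base` belongs to, shrunk to the smallest prefix that
    still fits `hosts` usable addresses."""
    prefix = smallest_prefix_for(hosts)
    return str(ipaddress.ip_network(f"{base}/{prefix}", strict=False))


if __name__ == "__main__":
    # Ranges inside a constructed 192.168.10.0/24 segment.
    for lo, hi in (("192.168.10.64", "192.168.10.127"),    # aligned: one /26
                   ("192.168.10.128", "192.168.10.255"),   # aligned: one /25
                   ("192.168.10.10", "192.168.10.200")):   # not aligned
        blocks = cidr_blocks(lo, hi)
        print(f"{lo}-{hi}: {len(blocks)} block(s) {blocks}")
    # A camera VLAN with 20 cameras does not need 254 addresses.
    print("20 cameras fit in", right_sized("192.168.30.0", 20))
```

The practical consequence shows up in firewall aliases and rules: a pool or range that is one block is one rule entry, while .10-.200 expands to eight, and a camera segment sized to its real host count is both easier to describe and leaves fewer unused addresses for a rogue device to claim.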
Hostifi went from $49 a month to $99 a month, it's a rip-off, there are other options of which self-hosted FTW
I don't think it's a rip-off at all. I use it for business; for home use I wouldn't though.
Slow down on talking, it's not a race
It's how I talk. Slow down the video if it's too fast for you
@@MactelecomNetworks lol I talk the same, constantly told to slow down because people can't follow. As a business or training video you need to slow down not tell people to play the video slower. You're advertising your business and for people to hire you, will people hire you if they can't understand you? Just food for thought maybe a little bit of a more professional response?
@@OrcD3viler people hire me all the time. It’s not like I can go back and change the speed of my voice now lol. Yes I appreciate the feedback and do try to slow down. But while I’m filming I sometimes don’t realize it.
I still don't get why one would use the new UI in the UniFi Controller... It is dog shit... It's missing options, it's clunky as hell, and you get 0 benefit from it.
I use the classic controller more than anything. But there are some things you have to do in new UI
@@MactelecomNetworks oh? Did I miss something? Because so far classic controller has had everything I need