How to Use The UniFi Dream Machine Pro With pfsense

pfsense toturials
lawrence.technology/pfsense/
UniFi Tutorials
ua-cam.com/play/PLjGQNuuUzvmvxayWV93dbBleXzt6RCvXP.html
DIagrams.net tool review
ua-cam.com/video/mpF1i9sfEJ0/v-deo.html

I used pfSense, thanks to Tom, before I was bitten by the Unifi Bug. I always liked pfSense and wanted to use it with my UDM. I connected my system a little differently. I used pfSense as the DHCP Server. Made the UDM one IP address above the LAN DHCP. Connected Port 1 (LAN) to LAN. Connected Port 5 (WAN) to LAN2. Everything worked perfectly. No need to Forget and Adopt Unifi Devices.

I bought a Netgate after your videos and only a couple months after a Dream Machine. I set it up just like you suggested. Works great so far. Thanks for the guide and thanks for getting me exposed to pfsense.

You have are the inspiration for my current lab projects.
Thank you so much.

Great video! Would love to see a more in-depth setup of this scenario.

Thanks for putting this together. I've got an ERPro8 and those are getting a bit long in the tooth. I can't avoid double-NAT as it stands, as my ISP's router won't disable NAT due to IP4/6. I have to DMZ/port forward from that router to mine. I hope to finally replace the ERPro8 with a pfSense box later this year, so this will be very handy.

What about using routing instead of two networks. I mean the pfsense still connects to the internet and handle the NAT but it will act like an edge router. You keep the UDM and configure to do routing instead of NAT and route all trafic to the pfsense. It's possible?

What's the problem with UDM Pro? I had a pfsense for years and it was OK but the weird firmware updates and OS versions turned me off. I did like open vpn but I can setup an open vpn server and forward traffic. If I really want it.

In the configuration you showed, can you connect a unifi switch directly to pfsense and use the dream machine pro just to control the switch?

I'm thinking of adding pfsense to my all Ubiquiti network. I'm glad I remembered I watched this a while back because I was going to implement this without the UDMP WAN connection which would have hosed it's ability to phone home. I would sell the UDMP SE but I don't want to hoist those problems onto others so I'll just treat it as a fancy 8 port switch that's driving a bunch of slow POE devices and configuring my switches and APs. At least my high throughput traffic will circumvent the UDMP. The problem I'm trying to solve here is that the UDMP SE seems to lockup when I download games on steam over a 1Gbps google fiber connection. I think the UDMP SE is just getting overwhelmed although my usage isn't too out of the ordinary.
Using this topology the UDMP SE won't be moving anywhere near the traffic I am now plus this will help decouple me from Ubiquiti in the future if the need should arise. I like Ubiquiti's 10Gbps + 2x25Gbps enterprise switch and have a boatload of their access points scattered around the house so my experience aside from the UDMP SE have been fairly good.

Would you consider making a setup video for a standalone UDM/UDMP? This would be aimed at someone who has purchased a UDM/UDMP and doesn’t have the funds to purchase another firewall device.
I understand that you don’t recommend this but this would be a best case scenario. Making the UDM/UDMP as secure as possible.

Hi Tom, after using untangle on a dedicated device for a couple of years (was happy with it), along with Unifi AP's using the software controller in a VM - I had a stroke of luck where I acquired a Unify UDM Pro and additional 8 Unifi 8 Port POE switch for free (it came from a site my company took over and they don't use Unifi so I was the beneficiary).
I've since removed the untangle box and now use the UDM Pro as the main router for my house. Have to say I love the simplicity of creating VLANS and I have Wiregaurd, OpenVPN and VPN clients using Express VPN. It all works perfectly and I'm very happy with it.
But I've seen that you're not particularly impressed with the UDM as the main firewall. Assuming the firewall is configured correctly, is there any reason I shouldn't continue with the UDM Pro as the main firewall? Are there any security reasons for not using it?
Not sure if your opinions are from before the UDM Pro had support for things like Wireguard etc, but it seems to have everything now.
Thanks for all the great content you provide, all my home network projects pretty much come from your channel.

What about DHCP option 43 for automating the adoption of the unifi devices, would that work re an IP change?

Thank you this, Tom! Very helpful. My question is how does the UDMP re-adopt protect cams and APs if we turn off DHCP and it’s not handing out IP addresses? Is that something that the PF sense FW will do going forward?

New to networking, why do i need to use a switch port and the wan1? Can i just use the wan1? Im trying to put a fortigate in front of my udmp with as minimal disruption as possible.

Why not static route from PFSense and plug in on the DM WAN port a let the DM do DHCP? Sorry if this is a stupid question.

Can't you just avoid double NATing by adding a static route from the router at the edge to the router behind and then disable NAT on the other one? If it's a /16 route you'll be fine for a while

The Unifi UI is completely different than it was at the time of this video and I can't get a single VLAN packet to go through the UDMP. It only passes through the netgate native traffic for the port.

I started out with a USG and moved to pfSense mainly due to your videos.
For a while I kept the USG as the graphics were "nice", but had it configured the other way round.
If there had been a bridge mode I might have kept it, but as you say it was a pain managing pass-through ports, etc.
In the end I sold it and never looked back.

I've had good results for a couple of years now using Pfsense as a transparent bridge behind the UDM Pro. I get the benefits of Pfsense's filtering for the lan and just use port forwarding from the UDM Pro for the VPN aspects.

In this scenario, will Wifi Man app still give the extended features when managing Unifi APs? That's what I'm really looking for.

I’ve giving this a try and it seems like my UDM pro can access the internet for the dashboard.
Should both the LAN port and WAN port provide internet to the UDM PRO?
Or should the LAN port just provide VLAN & DHCP?
thanks in advance

I know this is highly unlikely and hard, but would it be possible to flash a udm-pro with something else?

How may NIC's are you running out of the PFSense box as I'm running only dual 10GB NIC's in a PC. I'm curious as to how you had PFSense on 10.2 and UDM on 10.3 as I can not get my UDM Pro to take the x.3 - it says it over laps the Primary Range.

Do you need a crossover cable to connect the WAN port to the LAN port of the pfsense appliance, or will a regular patch cable do?

Would this work the same with a UDR? And keep the AP that's part of the UDR?

Thank you for this info Tom! I am thinking about doing this in my new home build.......grin

What if you configured dhcp proxy on the udm pro? Would you get the client management in the UniFi gui then?

Great video!! Thanks so much! This worked like a dream! You saved me a ton of time!! Subscribed!

Can you plug the Unifi switches directly to pfSense if you use the configuration you shown in the video?
I am thinking to the case when you want to use UDM as a controller but, as you know, UDM has no 10G LAN ports and maybe you want a 10G LAN (switches that support 10G connections). You can connect the main Unifi XG switch to pfSense (let's say pfSense has 10G ports), but, in this case, can you use UDM to manage the Unifi devices?
What if you connect the Unifi XG switch to pfSense, a UDM LAN port in this switch and UDM WAN port to pfSense? This way, you don't need 4 ports on pfSense (1 port for WAN, 2 LAN ports for UDM and 1 LAN port for Unifi XG switch) but just 3 ports.
If you decide to manually update the UDM, do you still need the WAN port to be connected to pfSense?

I really really wish the UDR had a better way to handle firewall logs, I am pretty content with everything else included in the UDR for home use but the fact that I cant (easily) monitor FW logs is really annoying.
At the moment I am considering getting a pfsense box infront of my UDR so I can monitor FW logs in Graylog.
I would like to see better logs overall in Ubiquiti products and I think they would benefit greatly if they improved them and gave the users more freedom

Disable nat in the UI and create static routes in pfsense would be a step for me.

If the PFsense is connected to the UDM via LAN2 that goes to the UDM on its WAN port, why would there be a need to also attach the LAN from the pfSense to a LAN port on the UDM, as the LAN2 connection would be the default truck and carry all the networks and VLAN's... Please explain

I Used the 3rd party gateway setting in Unifi with a VLan created on a SonicWALL and that seems to be working out great.

Works the same way for setting up vlans for unifi switches and ap without a usg or udm/p

What about setting DHCP Relay as the option for UDM Pro and have pfSense be the DHCP Server?

So in this config your basically turning it to a managed switch?

can you stil use the threat management of the udm in this config?

Can we assume the setup will be the same when using the Unifi Cloud Gateway Max?

Can I use Wan4 10G on the Netgate to the WAN 10G on the dream machine... do I have to change the Netgate to a LAN4 10G?

Perfect timing. I have a udm pro and just bought a pfsense box because I want the dual wan. Thank you.

Rather than managing DHCP that far upstream and having DHCP Clients travel to Narnia and back just for a lease, wouldn't it make more sense to just manage DHCP further downstream on the Unifi L3 switch?

Whoa....it's like this was a coordinated release. This is the second how-to for UDM Pro & PFSense for today. :) Love seeing the community coming together to support folks wanting to do this.

Hi
I’m needing a VPN for my UDM SE as I’m moving countries and need to combat geo locks.
Will adding a PFSense router, running a VPN, between the modem and UDM work?

What other options would you recommend instead of the dream machine?

Well, if I follow this path, WHAT IF I disable DHCP on pfsense and keep DHCP on UDMP? UDMP is already working this way (it's default).
My pfsense box have 4 ports where 2 are WAN1 and WAN2. Ports 3 and 4 will be LAN and LAN2. There will be no other devices directly connected on pfsense and everything else is already on UDMP.
I think this makes more sense.
I tried to configure UDMP WAN coming from pfsense LAN which already have it's WAN coming from a MODEM-ROUTER. And it's TRUE: double NAT is pain in the ass.
I want to backup everything and test this way.

@LAWRENCESYSTEMS - just wanted to check, is this scenario still valid today? A couple of questions off the back of it:
1. Would devices attached to an access point or switches be told to use 10.2 as their default gateway (via DHCP) or 10.1? If it's 10.2, are we assuming that Unifi is using the 'WAN' network as it's default gateway to reach other networks?
2. Can this be done by jusing using the 'third party router' network option - I assume in that scenario we'd still need a network for the cameras, APs etc so they're still manageable.
Thanks again for the video - very helpful.

Hey Tom, great details as always! I understand not having the statistics from but are you also saying one would need to host the controller software somewhere else to be able to manage/view 'UProtect' Cameras, storage space, etc.?

Hi @Tom, I have a US-16-XG aggregation switch which aggregates all my other unifi switches. Can I just connect this directly to my Netgate 7100 pfSense device on one of its built in 10 Gbps Intel x553 SFP+ ports or does it first have to connect to my UDM Pro which in turn connects to the 7100 (in other words, must the UDM Pro always be part of the route to internet or can it just be a network device that is managing the other Unifi devices on the network)?

A easier solution is to sell the UDM pro 😂

Hi Tom, your videos are great, very professional advice. I have a question: if I wanted to run pfsense and the unifi controller for a small home network, where I have wifi and 5-6 vlans and maybe 2-3 vpns max, can I install and run the controller on the same device (eg a small fanless server) as the pfsense ? I am already running pfsense and it runs linux.
PS: and a follow on question: if I want to extend my wifi so I have multiple wifis each on their own vlan, which Ubiquity WAP would I use, to avoid having to rewire my house?

How can a implement this by using a DMZ? ISP -> Firewall -> web servers - Firewall -> LAN.
A little hint or direction would be lovely:)
Thanks for your videos, they have helped me so much in networking!

Is it better to have pfsense handle DHCP compared to the UDMP?

GREAT video and information as usual.
I have a scenario where for some unknown reason, my UDM-PRO looses connectivity to the UNIFI cloud dashboard. It does connect after a reboot of the UDM, but after 2 hours, sometimes multiple days, the dashboard shows that UDM-PRO as offline. On the client side, people are still able to access the internet through the UDM-PRO UAPs and wifi networks created and configured on it. But I loose connectivity via the UNIFI cloud dashboard to manage the UDM-PRO.
I also find that without a LAN port connect to your source router (or your modem), there is NO routes to be able to connect directly to the URL of the UDM-PRO. Unless I am missing something....

I have a Unifi controller as a Linux virtual machine, but I would like to have all Unifi OS experience about the Inner space to create a map for all devices. My question is: I don't need the routing and firewall services and I have more than 40 APs, Could I use the UDM pro for that? because it supports up to 75 APs and I would like to keep locally my Controller.
Thanks all.

Can I use a transparent bridge instead?

So why not use PFSense as a router without NAT and use the UDMP for DHCP, NAT, etc. You should still be able to use PFSense for the VPN as well as Suricata, PFBlocker, ntopng, etc. Soo many possible combinations that could be done without double natting.
Edit: I'll have to eat crow on this one as I didn't think it through completely. You would need to use bridge mode or 1:1 NAT to get what I said to work. If you had multiple public IP's then what I said would work, but then that's too easy. You would then have one of the public IP's on the UDMP and route it through PFSense. 1:1 NAT is still not a terrible idea.

I got protectli after watching your videos and now I got flexHd and udm pro. Thanks for the video. i was having the same config in mind

Where is the video you talk about what I buy a Dream Machine Pro

Hi Tom, i´m using UID for VPN and WIFI in our company, we are putting a pfSense in front of our UDMP, but I can't get the UID cloud capabilities working :( , do you have any idea how to? Greetings from Barcelona!

You are essentailly putting the UDM into useless mode and throwing off to the side. May as well get rid of it and replace with a UCK2 and a UNVR....

Hello sir,
Here is a setup of 1 unifi dream machine pro controller with 20 access points connected with it, In lab if more than 400 users connect this, it got crashed all connected users faced disconnectivity. 1200 users is actual limit as advised by unifi support team.

actually we need to connect more than 2000 users at a time and 5 controllers is not a solution
Is this possible to make pfsense setup with it and unifi APs utilize cpu and ram of pfsense software (instead of controller) or something like that
Please suggest how to overcome this issue , I am new to unifi so please share a little detailed instructions
Your kind response will be highly appreciated

How about Pfsense and Mikrotik?

thats the same way I did it.

Wouldn't it be better to let the udm pro do everything as normal then just set up pfsense as a transparent firewall/proxy in front of it? That would give you the analytics on the udm dashboard and eliminate the weird middle subnet between the udm and pfsense.

Yes.. Been holding off on doing this for some time. Thanks for posting this!!!

Not an ideal solution. Losing the analytics, despite their shortcomings, is a big detractor. At that point, you might as well swap out the UDMP for a PFsense box and an NVR and call it a day.

Done this method a year ago so I know it works well 👍🏼

Seeing UDM-PRO and Ubiquiti don't have a native HA proxy or plugin support but pfsense does, I had to do something similar to this video. It's a common request and sad is still missing from the prosumer UDM-PRO.

Just ditched my UDMP for a Netgate because... Well that's self explanatory. My only regret is that I tried to make the UDMP fit my needs for the last 4 months since I bought it.

Confused me even more.

arnt you are effectively straddling the firewall DMZ. isnt the UniFi Dream Machine Pro bridging the DMZ network being connected to two networks (internal lan and DMZ). sounds like a big security risk.
ideally have an inside DMZ firewall arm (before devices inside DMZ can reach internal network) and an outside DMZ arm (before devices can reach public networks such as the internet) these dmz networks ideally should be physically separate networks and firewall devices (but if a security assessment and client accepts risks could be logically separated on the same firewall device through vlan trunking etc). devices in the DMZ should not be physically connected to the internal LAN without a firewall sitting in between the traffic

Overpriced and not that solid(imho).

So you bought a crappy unifi dream machine... Here's how you can pretend it's useful!
I just don't get ubiquiti, they make some great gear. Then they make some awful gear, all of the routing equipment is just sub par.

Oh my gosh.....FIRST!!!!

First

But why? Just use pfSense and be done with it.