Amplifi HD firewall is pure hogwash

Also I too want to know USG vs Edgerouter if anyone has an opinion. The setup OP mentions he will get is pretty good; I was thinking of doing the same: USG - 24-port PoE switch - AP AC LR - etc. etc. The thing I can't figure out is if the Unifi products are required for them to work with the controller, as in, will the Edgerouter show up in the Unifi controller, or will you in effect have 2 controllers?


Almost identical hardware, but they use different firmware with a near-identical base code. UNIFI is designed for small business with limited resources; Edgerouter has significantly more features, but the GUI isn't as pretty and you can't see everything from a single dashboard like you can when you use UNIFI.

Evidently you can build more complex configurations into an ERL and load that config into the USG. You may not see the buttons, but the config should be applied. Doing that same process on the higher models is a bit more difficult, as not all the port numbers and config are the same.

It's a shame the Edgerouter is not in Unifi or I would use that instead. But the USG has everything I need so far and is incorporated into Unifi as a whole.

I wouldn't say that Unifi is for small business with limited budget, by NO MEANS.

The whole concept of Unifi, and in field practice, is having entire enterprises under one globally accessible centralized point of management. In Montana, where I lived, one of the local ISPs with thousands of customers had entire WISP networks set up on towers to homes in the mountains using UBNT products exclusively. Millions of dollars. That's not small stuff, and Unifi shouldn't be seen as small low-budget stuff. It is extremely cost-effective enterprise equipment.


Edgerouter is integrating with UNMS, as seen here. Edgerouter firmware is already available in early alpha form.

The integration roadmap is towards the bottom of the page:

https://unms.ubnt.com/

That is great news. The ER products are so inexpensive I will just get one at that time and use it. But for now the USG has literally, within the few days I have run one at home, been meeting or exceeding my needs.

I have Comcast 150/25 and I am getting 124/24 on my Cisco 1921, but when I switched to the USG I am getting 180/25, so it's definitely going to be able to keep up with me until I get a gig ethernet pipe one of these dream days where I live. (Out in the country.)

Since configuring a VPN is not in the GUI, I am going to have to figure out the CLI tonight and implement my VPN, so I can get in with my phone and Surface Book from the outside.
 
Getting VPN into the GUI is on the roadmap for UNIFI USG stuff as well. I think that feature should show up either at the end of the summer or in early fall.
 
Looked at the website for the gizmo in question. It is advertised as a WiFi Router. Folks need to understand that Router <> Firewall. Two different appliances with two different goals. A properly configured router passes traffic between networks to the desired destination. A properly configured firewall blocks ALL traffic except for that allowed by specific rules.

The "firewall" included in most consumer grade routers is primitive at best, often only allowing you to limit certain inbound traffic and offering little control over outbound traffic.

That's what will stop me from implementing USG if I can't set up a VPN client connection. I currently use a combo of Mikrotik and Unifi, and I want to change, I guess now to all Unifi, so my dad can take over managing the home internet with a much easier configuration page etc. than Mikrotik. Also, Mikrotik is the shit if you are looking for cheap edge devices or discrete customer endpoints. The hEX router I run has AES hardware-based encryption, and was like 50 bucks.

You are splitting hairs when talking about home routers, which people colloquially will call "routers". The issue that tangoseal brought up was a well written and investigated concern. Home routers DO have firewalls built into them, which are generally iptables. While not as robust as firewalls you'd implement in a business, they are still firewalls in the sense that they block inbound traffic. Yes, you are correct - you usually don't have control of outbound firewall rules.

I'm fairly certain most people subscribed to this thread fully understand the difference between a firewall and a router.

Firstly, sorry for cell phone auto-correct typos.

Lol, I'm an ex-CCNP. I'm well aware. I am referring to the term firewall as in consumer talk. I am not concerned with setting up OSPF or Border Gateway from my home lol... But what I am concerned with is a home routing device that actually has some firewall capability, and the Amplifi has none, as far as a professional would be willing to look at and laugh at.

However, digging through the firmware and CLI options in the USG, it's actually a pretty robust firewall appliance that can route.

And just to clarify my apparent ineptitude with highly detailed expressions of my level of understanding, YES! Any device that can operate on layer 3 and route data between broadcast domains is a router, no matter how you want to make fun of it. The USG has 802.1Q and can trunk. It also supports OSPF, RIP, BGP... I wish EIGRP, but that is Cisco.

I also have a 4948 which, albeit Ethernet only, is about as fast of a router as you can ever dream of owning in a typical home scenario. I could use my switch to route and place the USG behind the switch and it would really have no bottleneck. But the USG appears very capable.

This coming from a guy who had an ASA 5510 not too long ago, but sold it to pay some debt off. I was and am very happy with my 1921 ISR, but it's getting dated and can't route fast enough for 150 Mbps and up.
 
Yeah, like IOS has changed so much that there is such a thing as an ex-CCNP lol. Don't sell yourself short!

Well, I am not into networking or IT anymore professionally. I went back to school to work in the medical field. Thanks for the vote of confidence though :) I haven't been in the IT field now for 4 years and I am starting to forget some of the deep-level terminology etc... "don't use it, you lose it" type thing.

Sorry for all the typos to everyone. I use my cell phone to type on the forums a lot and the spell checker changes things that I don't catch to words I never wrote. This is typed on my pc. Almost every reply above is made via phone.
Oh man, that would be like the best: a doctor that can also troubleshoot his own network, and knows to stay away from XP lol.
 
So my two UBNT AP mesh units arrive tomorrow. I'll post some thoughts once they are installed. I'm definitely meshing one, but the other will be hardwired. It's good to have the flexibility, hence why I purchased two meshes instead of standard APs. Again, not looking for top-notch throughput. I want low-latency coverage and generally good speed.
 
The mesh units are very nice and pretty darn fast for 2x2. Coverage is epic.

More to come later maybe. I have a lot of ESX stuff to do right now.
 
From a security standpoint, a closed port vs. a "dead" port makes no difference. You also don't hide a system this way. If there is a system on an IP address that just doesn't answer any requests, you still know it's there, because the router _before_ it doesn't give you an address-unreachable message.

Stealthing is an obscurity thing from the 90s and has nothing to do with security.

The most important security aspect of a port is whether there is any code behind it that's handling requests. Whether the firewall gives you an additional RST packet makes no difference to your security.

This is an older post that I came across in passing while looking for something else and I had to reply because Shields Up can really be a scaremonger sometimes. It's a great site but as TCM2 pointed out there is really no difference between a closed and a "stealthed" port.
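The two points made in this thread, that a firewall should block everything inbound except what explicit rules allow (and ideally give some outbound control, which consumer routers lack) and that a silently dropped port is no more secure than a closed one, in EdgeOS/USG CLI form. This is an added example, not configuration from the original thread; the interface layout and the rule-set names are assumptions.

```vyatta
# Added example in EdgeOS/USG CLI syntax. Assumed layout: eth0 = WAN, eth1 = LAN.
# Rule-set names WAN_IN, WAN_LOCAL and LAN_OUT are chosen here, not defaults.

# Internet -> LAN (forwarded traffic): deny everything not explicitly allowed.
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description "Replies to connections the LAN opened"
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 state invalid enable

# Internet -> the router itself (its SSH/GUI/VPN listeners).
# default-action drop discards silently ("stealthed"); default-action reject answers
# with an RST or ICMP unreachable ("closed"). No service answers in either case, so the
# security outcome is identical; the choice only changes what a probe is told.
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 state invalid enable

# LAN -> Internet (the outbound control most consumer routers lack): make LAN hosts use
# the gateway's own resolver by dropping forwarded DNS. Queries to the gateway itself go
# through the 'local' chain, not this forwarded 'in' chain, so they are unaffected.
set firewall name LAN_OUT default-action accept
set firewall name LAN_OUT rule 10 action drop
set firewall name LAN_OUT rule 10 description "Log and drop DNS to outside servers"
set firewall name LAN_OUT rule 10 destination port 53
set firewall name LAN_OUT rule 10 protocol tcp_udp
set firewall name LAN_OUT rule 10 log enable

# Attach: 'in' = traffic entering the interface to be forwarded, 'local' = traffic to the router.
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth1 firewall in name LAN_OUT
commit
save
```

On an EdgeRouter `commit` and `save` make this persistent; on a USG the UniFi controller re-provisions the gateway, so the same rules have to be carried into the controller's config.gateway.json or they get overwritten.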

Meh... never mind. I didn't want to argue. I simply wanted to report, for anyone who gives 2 shits, that the Amplifi HD has a lackluster, featureless, almost neutered and useless firewall contraption.

There is nothing wrong with the Amplifi firewall in regards to "stealthed" or closed ports.