UDM Pro kinda sucks

tangoseal ([H]F Junkie, joined Dec 18, 2010)
After running the UDM Pro for about 2 or 3 years now, I have concluded that it kind of sucks. I won't give all the reasons; I assume that if you agree with me, you will have experienced many reasons why.

I am convinced that the device is a great cloud management device, a neutered and basic homeowner router, and about as basic a firewall, if it even qualifies as a firewall, as can be.

The main issues I am having right now are all the little things, one of which I will report here. I use Surfshark VPN because they allow you to generate and export key pairs for using WireGuard, which is a very fast VPN. I want my whole home network behind WireGuard while making exceptions for certain devices, such as TVs, that can stay on my normal ISP connection.

The UDM Pro absolutely and abysmally fails at allowing WireGuard as a VPN client. Sure, I can upload all the configurations I want, but many VPN services that offer WireGuard do not stick to the usual MTU of 1450 for WireGuard; they modify theirs for higher performance. In the case of Surfshark, their desirable MTU is 1280 bytes. However, the UDM Pro will NOT, and I repeat NOT, allow you to modify the interface MTU for WireGuard, and when I emailed them their response was as expected: you can't. Not even through the CLI can I modify it.

I know it's an MTU issue, and yeah, I know exactly how MTU and MSS clamping work. When I load the WireGuard client for Windows and set the config to a maximum transmission unit of 1450, which is the WireGuard design standard, it will not pass any traffic. If I set the MTU to 1280 it absolutely blazes at 700 up and down. I'm on 1G symmetrical fiber.

So I am thinking of getting rid of the UDM Pro, going back to pfSense as my router, and just getting a Cloud Key+ Gen 2 to manage my UniFi APs etc.

Am I wrong in doing this? Is there any compelling reason that I am wrong? Does anyone else here have issues with the UDM Pro and think it barely makes the cut as a router?
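The post above turns on the relationship between the outer path MTU, the WireGuard tunnel MTU and the TCP MSS clamp. The following is an added example, not code from this thread, from Ubiquiti, Surfshark or the WireGuard project: it does the arithmetic for a candidate tunnel MTU, shows why a tunnel MTU larger than the path allows produces the "no traffic at all" symptom, and rewrites a wg-quick client config so the MTU is pinned and a matching MSS clamp is installed. The header sizes are the standard IPv4/IPv6/UDP/TCP values and the 32-byte WireGuard figure is the transport-data message framing; the sample config is constructed here with placeholder keys and an `.invalid` endpoint.

```python
"""Added example: WireGuard tunnel MTU and TCP MSS clamp arithmetic.

Not code from the thread or any vendor. Header sizes are the standard
IPv4/IPv6/UDP/TCP values; WG_OVERHEAD is the WireGuard transport-data
framing around the encrypted inner packet. SAMPLE_CONF is constructed.
"""

IPV4_HDR = 20
IPV6_HDR = 40
UDP_HDR = 8
TCP_HDR = 20
WG_OVERHEAD = 32  # 4 type + 4 receiver index + 8 counter + 16 Poly1305 tag


def tunnel_mtu(outer_mtu: int, endpoint_is_ipv6: bool) -> int:
    """Largest inner packet that fits one outer datagram without fragmenting.

    1500 - 20 - 8 - 32 = 1440 over an IPv4 endpoint, 1420 over IPv6 (1420 is
    also what wg-quick falls back to when it cannot read the endpoint route).
    """
    ip_hdr = IPV6_HDR if endpoint_is_ipv6 else IPV4_HDR
    return outer_mtu - ip_hdr - UDP_HDR - WG_OVERHEAD


def tcp_mss(mtu: int, inner_is_ipv6: bool) -> int:
    """MSS that lets a full-size TCP segment fit a tunnel of the given MTU."""
    return mtu - (IPV6_HDR if inner_is_ipv6 else IPV4_HDR) - TCP_HDR


def fits_path(inner_mtu: int, path_mtu: int, endpoint_is_ipv6: bool) -> bool:
    """True when inner packets of inner_mtu survive the outer path.

    Above this limit the outer datagrams exceed the path MTU and must be
    fragmented or dropped on the way; full-size TCP segments then never
    arrive, which is the "passes no traffic" symptom at too large an MTU.
    """
    return inner_mtu <= tunnel_mtu(path_mtu, endpoint_is_ipv6)


def render_wg_quick(config: str, mtu: int) -> str:
    """Return config with MTU pinned in [Interface] and an MSS clamp in PostUp.

    Any existing MTU/PostUp/PostDown lines in [Interface] are replaced. The
    clamp is the usual Linux mangle-table TCPMSS rule; on a box where the
    interface MTU cannot be set, the clamp alone rescues TCP but not UDP/ICMP.
    """
    mss = tcp_mss(mtu, inner_is_ipv6=False)
    clamp = (f"PostUp = iptables -t mangle -A FORWARD -o %i -p tcp "
             f"--tcp-flags SYN,RST SYN -j TCPMSS --set-mss {mss}")
    unclamp = clamp.replace("PostUp", "PostDown").replace(" -A ", " -D ")
    out: list[str] = []
    in_iface = False

    def flush() -> None:  # emit our lines at the end of [Interface]
        while out and not out[-1].strip():
            out.pop()
        out.extend([f"MTU = {mtu}", clamp, unclamp, ""])

    for line in config.splitlines():
        stripped = line.strip()
        key = line.split("=", 1)[0].strip()
        if stripped.startswith("["):
            if in_iface:
                flush()
            in_iface = stripped == "[Interface]"
        elif in_iface and key in ("MTU", "PostUp", "PostDown"):
            continue  # drop the old value; we re-add ours below
        out.append(line)
    if in_iface:  # config with no [Peer] section after [Interface]
        flush()
    return "\n".join(out) + "\n"


# Constructed sample client config (placeholder keys, reserved TLD).
SAMPLE_CONF = """[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32
DNS = 10.0.0.1
MTU = 1450

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820
"""

if __name__ == "__main__":
    for candidate in (1450, 1420, 1280):
        print(candidate, "fits a 1500-byte IPv4 path:",
              fits_path(candidate, 1500, endpoint_is_ipv6=False))
    print(render_wg_quick(SAMPLE_CONF, 1280))
```

Use `fits_path` against whatever outer path MTU you actually measure (a DF-set ping sweep toward the VPN endpoint), not against the 1500 the LAN advertises; `render_wg_quick` is the shape of the change a router that honours `MTU =` would apply, and the PostUp/PostDown clamp is the TCP-only fallback when the interface MTU cannot be set.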
 
Mine has been rock solid for the last several years. I also have cameras. It seems to do its job like any other prosumer router/networking platform. Sadly, you found a gotcha with their platform; nothing is perfect. It should fetch a good amount even used.
 
Interesting. I only ever use VPN or "Teleport" through the WiFiman app on Android, personally.

I only have the Dream Router, though. I wish I had the funds to have bought the Dream Machine Pro/SE instead. Mine works for current needs but isn't as future-proof.
 
I kinda want to get the SE version because I have some 10G, but I don't want to invest that kind of cash into it and one or more APs for my house. I think the lack of configuration options in the firmware would annoy me in the long run.
 
Mine has been rock solid, running three cameras and a few APs. I did initially have issues with it running a 3.5" drive for the camera NVR; it was under the rated power limit but kept crashing the Protect app, so I had to swap it for a different one.

I don't use VPNs much anymore, but when I had an EdgeRouter previously it was able to do some pretty customized stuff with VPNs, though I never messed around with MTUs. That might be a better option if you want a better 'router' and not an all-in-one device.
 
I built a pfSense box on an old i5 4th gen just for play.
I am going to hold out a little longer and see whether UniFi is going to add the ability to further customize VPN client functionality in Network 8.1, which is probably coming in March if I guess correctly.
After that, I think I will go back to pfSense.
 
Ubiquiti routing and switching products are mediocre. I don't blame you for wanting to change. The only thing I'll consider from them going forward is APs, but I'm very happy with my TP-Link Omada EAP660 HDs, and I have found the TP-Link Omada Controller to have essentially feature parity with the UniFi controller. MikroTik and other vendors have better switches for less money, and rolling your own firewall (OPNsense, pfSense, etc.) is miles ahead of the Ubiquiti firewalls.

I'd give OPNsense a try over pfSense, between Netgate's rushed WireGuard kernel module, their childish devs, and the fact that the original m0n0wall developer suggests using it over pfSense. pfSense forked from m0n0wall in 2004; OPNsense forked from pfSense in 2014/2015. But FreeBSD is a SOLID foundation for your firewall, so you'll have a good time on either.

There is no need to buy a hardware key to run your UniFi Controller (errr, I guess that's deprecated and it's now the "UniFi Network Application"?). You can simply run it in a Docker container with minimal overhead on any kind of machine you have.
 
Yes, I can just run the controller on my FreeNAS in a VM. I'll give OPNsense a try for sure.
 
Save more resources and run it in an iocage jail (I'm assuming you're using TrueNAS Core, aka FreeBSD-based, instead of TrueNAS Scale, aka Debian Linux-based). And hopefully you're not using "FreeNAS" anymore; that's been EOL for years and is now TrueNAS Core, based on a much newer FreeBSD version.

https://www.freshports.org/net-mgmt/unifi8

Basically create an iocage jail, shell into it, then just do:
pkg update
pkg upgrade
pkg install unifi8
sysrc unifi8_enable="YES"
service unifi8 start
Note: if the service name isn't called unifi8, you will need to change the sysrc and service lines (e.g. it might be unifi or something else). But this gets it set up in a FreeBSD iocage jail with literally no overhead, sharing your system kernel and resources. Avoid VMs when at all possible on FreeNAS/TrueNAS Core if the software already has a maintained FreeBSD port/pkg. Now any time you reboot your host or that individual jail, it will auto-start. To check for and/or apply updates, just do pkg update and pkg upgrade.
 
Yup, of course it's TrueNAS. I'm old school. I still say "surf the Internet," lol, so out of bad habit I call it FreeNAS.

The NAS is a what... 14-year-old Xeon E-whatever 1620, haha, quad core. Still running strong.

I've owned it since the chip came out. Still using it as my NAS, though it's growing tired. It's old, and QNAP is looking tasty. Thinking of a ZFS-based QNAP. It's the apps I like on QNAP. Been using their NASes for years.
 
I'm running OPNsense (as of late January) virtualized under Proxmox on an i7-7700K, and it's been running well. Scored an Intel X540 and a Mellanox ConnectX-3 Pro from eBay, and OPNsense can download and upload at 5 gigabits with my ISP. It also pulls very little power, maybe 50 watts under load, which I think is pretty good for such an old set of parts.

I used to be an ESXi guy but recently tried Proxmox, and it's awesome. ESXi won't support this old hardware in the latest version.
 
Surfshark their desirable MTU is 1280 bytes
Then blame Surfshark for using a very non-standard MTU size for WireGuard... Every other provider of WireGuard VPNs I have seen uses the same de facto value...

I use pfSense myself and have a Ubiquiti in-wall AP; just use the self-hosted manager instead of paying for a Cloud Key, as others noted. How often do you really need to manage your network if you're not home?

As for NAS, Synology tends to seem better. QNAP is good, I own a 4-bay one, but there are stupid little things you cannot do, like use a custom SSL cert for your QNAP, and you are forced to use their cloud crap for some other things... no likey!
 
No, Surfshark uses 1450, but performance testing shows their service runs best at 1280.

Ubiquiti's WireGuard client is broke AF.
It's also posted in their forums if you dig deep enough.

Network 8.1 is supposed to allow modification of MTU settings for VPN client modes. We'll see.

MSS clamping the interface doesn't change the MTU cap of the WireGuard interface. An old UBNT engineer posted that it's broken and the settings will not apply to the interface when you change them in the GUI. I changed them in the CLI and they still won't stick. UBNT has broken stuff. Sad but true.

I haven't moved to OPNsense yet, as I'm holding out to see what Network 8.1 fixes. I've got a big UBNT ecosystem on my property and would like to keep it if I can. For now I just use the Surfshark apps on my phone and PC when needed. It's actually a very fast VPN; I get 700-plus up and down through WireGuard using their apps. And I paid 55 bucks for 2.5 years.
 