1 minute read

As Ubiquiti seems to have abandoned any development for their UniFi Security Gateway - the last “stable” update (version 4.4.51) was more than a year ago, wasn’t all that stable and doesn’t fix many outstanding issues - I’ve decided that it’s time to move to something else to fill my routing/firewalling needs.

Ubiquiti actually has a lot of other products in the UniFi range:

  • the UniFi Dream Machine, which integrates too many functions into one device
  • The UniFi UXG, in early access, and no non-rack version available

They also have the EdgeMax range, with many varieties of the EdgeRouter. Unfortunately, this doesn’t integrate with the UniFi controller, which was the big selling point of the USG.

So, time to switch. Since I’m switching, I’d just as well go to something that has more flexibility, so I’m switching to OPNsense!

Why OPNsense and not PfSense?

  • OPNsense feels more modern
  • Deciso, the company behind OPNsense, is based in the Netherlands, which is sort-of nextdoor ;)
  • The crusade perpetrated by PfSense when OPNsense forked

They’re both great products, so check what you want and go with that. YMMV.

For the router hardware I went with PCEnginesAPU2E4 - an embedded platform with an AMD GX-412TC quad-core CPU, 3 Intel i210AT NIC’s and 4GB of RAM. I added an SSD and some other peripheral stuff. The bootloader is based on coreboot, and the source and builds can be found on https://pcengines.github.io/.

The hardware is more than sufficient to route my 300/20Mbps internet connectivity, and can also handle 1Gbps traffic over multiple VLAN’s. One caveat is that FreeBSD/HardenedBSD is not able to push through 1Gbps on one stream, but there’s little IP traffic that actually only uses one stream.

Deploying OPNsense on it is as easy as:

  • Connecting the APU2E4 with a serial cable to your system
  • Updating the Coreboot bootloader to the latest and greatest (comes with several important fixes over the pre-flashed version)
  • Flashing OPNsense to a USB stick, and booting with it
  • Installing OPNsense
  • Configuring your interfaces / DHCP / …

Things I’ve configured which was a royal PITA on the USG:

  • Selective routing over specific interfaces
  • WireGuard support built-in
  • Forcing DNS/NTP traffic to predefined hosts without just blocking access
  • QoS

Comments

You May Also Enjoy

SSH’ing to Unifi equipment with Fedora 37

less than 1 minute read

Connecting to Unifi equipment (Switch 8/AP AC Pro) from Fedora37 fails out of the box with a very useful error Bad server host key: Invalid key length. This is because the dropbear used on these devices is woefully out of date, and still requires the use of ssh-rsa (with SHA1), which has been deprecated by OpenSSH in 2021,

Now using less external services!

less than 1 minute read

So back in 2019 I moved the site from WordPress to Jekyll (using Minimal Mistakes), and from Gandi to AWS Serverless.

Lenovo Thinkpad T14s Gen3 (AMD)

3 minute read

10 years ago I bought a Dell XPS13 L322x ultrabook as a replacement for my white Macbook 2,1. This week I replaced the Dell with something newer: a Lenovo Thinkpad T14s Gen3 (AMD).