As Ubiquiti seems to have abandoned any development for their UniFi Security Gateway - the last “stable” update (version 4.4.51) was more than a year ago, wasn’t all that stable and doesn’t fix many outstanding issues - I’ve decided that it’s time to move to something else to fill my routing/firewalling needs.
Ubiquiti actually has a lot of other products in the UniFi range:
- the UniFi Dream Machine, which integrates too many functions into one device
- the UniFi UXG, which is still in early access and has no non-rack version available
So, time to switch. Since I’m switching, I’d just as well go to something that has more flexibility, so I’m switching to OPNsense!
Why OPNsense and not pfSense?
- OPNsense feels more modern
- Deciso, the company behind OPNsense, is based in the Netherlands, which is sort of next door ;)
- The crusade perpetrated by pfSense when OPNsense forked
They’re both great products, so check what you want and go with that. YMMV.
For the router hardware I went with PC Engines' APU2E4 - an embedded platform with an AMD GX-412TC quad-core CPU, 3 Intel i210AT NICs and 4GB of RAM. I added an SSD and some other peripheral stuff. The bootloader is based on coreboot, and the source and builds can be found on https://pcengines.github.io/.
The hardware is more than sufficient to route my 300/20Mbps internet connectivity, and can also handle 1Gbps traffic over multiple VLANs. One caveat is that FreeBSD/HardenedBSD is not able to push 1Gbps through a single stream on this board, but there's little IP traffic that actually only uses one stream.
Deploying OPNsense on it is as easy as:
- Connecting the APU2E4 with a serial cable to your system
- Updating the coreboot bootloader to the latest and greatest (it comes with several important fixes over the pre-flashed version)
- Flashing OPNsense to a USB stick, and booting with it
- Installing OPNsense
- Configuring your interfaces / DHCP / …
Things I've configured that were a royal PITA on the USG:
- Selective routing over specific interfaces
- WireGuard support built-in
- Forcing DNS/NTP traffic to predefined hosts without just blocking access
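The last item is a transparent redirect rather than a block: any DNS or NTP request from the LAN that is not already aimed at the chosen server is rewritten to go there, so clients with hard-coded resolvers keep working instead of timing out. Shown below in raw pf syntax as an added example, not the post's own configuration (OPNsense builds the equivalent from Firewall > NAT > Port Forward); the interface name and addresses are assumed placeholders.

```pf
# Added example: force LAN DNS/NTP to predefined hosts by redirection.
# Interface and addresses are assumed placeholders, not from the original post.
lan_if   = "igb1"
lan_net  = "192.168.1.0/24"
dns_host = "192.168.1.53"   # assumed internal resolver
ntp_host = "192.168.1.1"    # assumed: the firewall itself serving NTP

# The blunt alternative: dropping stray DNS breaks clients with hard-coded
# resolvers (they hang until their query times out). Kept only for contrast.
# block return in on $lan_if inet proto { tcp udp } from $lan_net to ! $dns_host port 53

# Preferred: rewrite any DNS query not already aimed at $dns_host to $dns_host,
# and pass it. Clients still get answers, just from the resolver we chose.
rdr pass on $lan_if inet proto { tcp udp } from $lan_net to ! $dns_host port 53 -> $dns_host port 53

# Same treatment for NTP (UDP/123), so devices cannot sync from arbitrary servers.
rdr pass on $lan_if inet proto udp from $lan_net to ! $ntp_host port 123 -> $ntp_host port 123
```

This only covers plain port-53 and port-123 traffic; DNS over TLS (853) and DNS over HTTPS (inside 443) are untouched by it and need to be considered separately.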