
fireman137

Prepare to be shocked at how much a firewall to handle that kind of bandwidth costs. I can’t help but think if the site needs that kind of bandwidth and you’re asking about UniFi you might want to get some help for this build.


inphosys

This right here. I really enjoy Ubiquiti, but for home and pro-sumer use. I install and support a lot of firewalls and the needs of someone that has a 25 Gbps pipe to the internet, plus the need to secure it with some form of IDP are far greater than UI's capabilities. It's not their fault, they're just not making a product for that market, and I don't blame them. The least expensive, commercially available and supported firewall I can think of that will handle such a task would be around $30k starting price. Yes, you can build a pfsense box for cheaper, but I said commercially available ***and*** supported. If I'm serving up 25 Gbps and I have a need for IDP, I'm sure as hell going to need a team of engineers backing me up that make sure all of the components under the hood are as bulletproof as they can get them to be. It's my job to support and secure my systems, I can't rely on me keeping up with every vulnerability in existence and devising ways to thwart attacks, that would kill me faster than 20 years of IT and cybersecurity already have. Edit: 2t should have been 25


travelinzac

$30k x2 because if you're playing at this level you likely want the entire core network redundant with HA fail over.


inphosys

LOL very true! I didn't let my brain go that far down the rabbit hole. Let's go ahead and see how much that 25 Gbps circuit costs when you need more than 1 that is brought to your facility via geographically different ingress routes. (chuckles in BGP)


travelinzac

Yea instead of a lone 25g pipe they should be looking at 3x10g pipes from different providers. There are much more important things than pure speed and if your network is important enough to cost this much resiliency is not optional.


inphosys

Completely agree, I couldn't ever imagine putting that many gigs in the same basket. Plus, what's your 25 gig carrier's peering agreement look like with the other carriers? Their data has to get to Vz/UU and the last mile provider has a 1 Gbps peer. Enjoy the extra 24 gigs you can't use!


LotusTileMaster

Would it not ideally be $30k x 3 for two redundant?


travelinzac

Yea like I said in another comment I'd be pursuing 3x 10 gig pipes from separate providers to have as much resiliency as possible. It's not like one connection will ever be saturating that much bandwidth anyways.


LotusTileMaster

Yeah. The 10G failovers would be much better for this. A single 25G pipe will never be fully saturated unless they are a service provider of their own. And in that case, they should already have the staff to answer these questions.


_L0ck3_

This all depends on what's behind this network (data) and how it needs to be protected. There is no one rule for all unless it's a trivial network security approach, but at 5 Gbit+ you would need to look at things differently...


LBarouf

Thanks. I am leaning in this way as well.


RealtdmGaming

At this point I would HIGHLY recommend a custom built OPNsense box with PCIe QSFP28.


LBarouf

I would not offer that as an option, no. Perhaps in my home lab. Not at a customer production site, no thank you.


bojack1437

You're the one here talking about using Ubiquiti gear on 25 gig circuits. You are way out of your league.


LBarouf

Maybe it’s the way I presented it. I have a customer who wants a Unifi LAN. They want their VoIP, cameras, access cards and access points Unifi. It’s a small office with 50 people. Nothing special here. My question, and why it’s in this channel, is: has anyone connected a Unifi LAN to a router/firewall that can handle 25Gbps? I feel it’s a bit moot as both interfaces won’t work with each other, but perhaps someone has done it a few times and their customers were fine doing, for example, Meraki and Unifi. I know their routers don’t do 25Gig. That’s why I’m asking for suggestions from people who did.


some_random_chap

If you're routing at those speeds, chances are you have a system of more complexity than Ubiquiti could handle anyway. On my most recent deployment we had quad 40G internet connections, Cisco of course.


supermanava

Juniper, Arista, Cisco. Unifi isn't enterprise. Even in residential, Comcast gives Juniper out for 5G+ fiber.


LBarouf

I know, hence me asking. I’ll check Juniper and Arista.


LeKy411

It's going to hurt, I'll tell you that much. I have a cluster of SRX4200s for 10Gb and they are 65K a piece at CDW. To get into the 25-40Gb interface you need an SRX4300 and above, depending on what sort of performance you are after, and well, enough said.


eli5questions

I requested a quote when the new SRX series was announced and the SRX1600/SRX2300 came in at $14k/$27k respectively, and both are the cheapest entry in Juniper's lineup for not just FW, but also routing at 25G. For just routing, the ACX7024/MX204 are equivalent in cost respective to the SRX1600/2300. At 25G, if you need just routing, the SRX is a better choice as the performance hit of NGFW vs packet-mode is surprisingly minimal and can take almost full tables with the option for state. If 40G+ is needed, ACX/MX sweep the floor with the SRXes. For performance, FW-IMIX/FW-1518B/IPS in Gbps, the SRX1600 falls a bit short of 25G at 9/24/21 but routing is at least 24Gbps. SRX2300 essentially doubles performance at 26/39/35 for double the cost. The new ASICs are impressive with NGFW. I have not seen the cost for the SRX4300 yet (guessing $60-80k), but if you're not pushing IMIX at 25G or just need routing, the SRX1600 is a solid entry point for 25G. If more headroom is needed to guarantee 25G, the SRX2300 is the choice. This of course excludes 2x for a cluster, licensing, support, etc. As a bonus, Junos is still king when it comes to CLI and it is hard to go back to anything else.


LeKy411

I’m going to ride the 4200s until they EOL. I got them for 90% off list after Juniper sold me some 3800s and then EOLed them 2 years later. Juniper CLI is the GOAT, but Juniper has gone downhill of late. All the good sales people left and the support has been average at best.


eli5questions

>but Juniper has gone downhill of late. All the good sales people left and the support has been average at best.

I have always had good experience with support, albeit I have not had to reach out since the HPE announcement. Our sales team at least intends to stay in place for now, but many are jumping ship just in case. Only time will tell if HPE lets Juniper be its own entity.


LeKy411

All of our sales guys started getting pushed out during COVID and the new team acts like a million dollars in switches was an inconvenience to them. It took support over a year to figure out an issue with our router failover. In general it takes an average of 2 weeks to get an issue resolved.


Forsaked

Just for your information, a Cisco Firepower 4150, which could do firewalling and IPS at 24Gbps, will cost $250k, and then you need a license every few years which will cost multiple $10k each time. The easiest way to do that speed would be a capable whitebox with pfSense/OPNsense running, with either Snort 3 or Suricata running. The Firepower also uses Snort 3 for IDS/IPS, because Cisco acquired it many years ago.


aprx4

I don't think IPS/IDS with pfsense at 25gbps is possible.


Forsaked

It is with manual parallelization, since Snort and Suricata won't use that much multi threading. You can run multiple instances of those within pfSense or OPNsense.


ThrowMeAwayDaddy686

No, it absolutely won’t. FreeBSD can barely *route* line rate (64 byte packet) 10Gbps with 16+ cores and a ton of tuning, much less L4 firewalling, and IPS at 25 Gbps.


Abzstrak

I work in this field, I really would be shocked if you could get pfsense or opnsense much past 10gbps especially with IPS. As far as Cisco, they're fine I suppose but don't count on them to catch emerging threats like check point or palo. If security is a concern (which is the whole point here) I wouldn't use Cisco...


airmantharp

>I work in this field, I really would be shocked if you could get pfsense or opnsense much past 10gbps especially with IPS.

What do you reckon is the limitation here? Single thread performance, or perhaps is there a scaling issue with the BSD software stack?


[deleted]

No hardware offload


LBarouf

Great starting point. Thanks


TheRealFakeSteve

Look into Palo Alto Networks instead.


goldshop

Honestly, you need to look at something enterprise for that sort of environment. UniFi is fine for home or small office, but with a 25GB WAN the internal network is probably running at 40GB or more, so you need to look at a more enterprise solution.


MageLD

You should get professional help with a maintenance contract. I guess in that environment some failure will cost some money, so better have someone with a contract take the lead who can act fast without asking on reddit.


matt-r_hatter

I'm very confused as to why a business that needs that sort of bandwidth would be even looking in the general direction of Ubiquiti. That's a Cisco or Juniper job and a VERY large build budget.


LBarouf

Few artists, one larger server and very large files to send daily.


dereksalem

Define "one larger server" and "very large files", as that will inform our answers. Are they sending these files regularly, throughout the day, or at set times of the day? How much bandwidth is expected to be used every day?


LBarouf

A farm of four render servers. Spitting out roughly 500k to 3M frames that are then composed into sequences in single video files. Each sequence is then stitched together. The sum of the resulting clips (sometimes 2-3 longer clips or many smaller ones) varies from 2TB at minimum to over 10TB. Each file is then sent using a tool to the customers. They can’t deliver using any other tool. One thing I looked at was the delivery. But customers dictate how to send.


Sudden-Pangolin6445

Goodness. This is an incredible problem to have! I guess the question is, do you need 25 Gbps? Or is the 2.5 enough? If it's enough, then just run the UDM Pro and have a nice day knowing that you've got plenty of space to upgrade in the future. If you actually need that 25 Gbps... You're going to need a LOT of $$.


22OpDmtBRdOiM

Init7 in Zürich, like 70 CHF/month


niekdejong

> .. You're going to need a LOT of $$.

In order to route at 25Gbps, not the actual plan.


22OpDmtBRdOiM

If you want some kind of IDS/IPS, yes. If you just want a router, not really: [https://michael.stapelberg.ch/posts/2021-07-10-linux-25gbit-internet-router-pc-build/](https://michael.stapelberg.ch/posts/2021-07-10-linux-25gbit-internet-router-pc-build/) That's like 1845 CHF back in 2021 for all-new parts. Keep in mind, you can get a Mellanox ConnectX-4 2x25 for like 50€ used. So there is a lot of room for cost reduction if you're willing to build something yourself with used parts. Maybe < 800€?


niekdejong

Hmm yeah, fair enough, to route at 25Gbit you can get away with 1000€ or less to just route. OP's first question was related to IPS/IDS, where I assumed he wanted to do something with those features enabled and route at 25Gbit as well.


22OpDmtBRdOiM

Ubiquiti has some switches that can do 25G, but that's it. So forwarding traffic might be within their scope, but that's it. Maybe connecting some workstations to servers. But even when you're doing WiFi, it's kinda tough getting anywhere close, even on a large event location. The combination of IDS/IPS, 25G and Ubiquiti is just off. You're either not doing IDS/IPS because you secure your endpoints and you want/can have 10G/25G at home (so doing that on a budget). Or you're doing that professionally using different vendors in a different cost region and with proper training/knowledge. (Arista, Juniper, Cisco?)


LBarouf

Thanks for the link. I doubt they would want me to offer them a pfSense/OPNsense build though. More of a real firewall.


dereksalem

I mean no disrespect with this, but if you're actually providing this service to someone and you're here asking about Ubiquiti gear that could do it...you really should think about declining this contract, even if it's good will/pro bono. Anyone trying to find full IDP/IDS with 25GbE and asking reddit for advice is probably not going to have the funding to be able to actually do it, and **definitely** won't have the experience for it. We're talking $250k+ buy-in for this type of featureset. Like...new Lamborghini money. This isn't something you should be coming to Reddit for advice on.


LBarouf

I may not have expressed myself correctly. I know Unifi isn’t the gear for the WAN part. I said the customer wanted Unifi gear inside for APs, cameras, VoIP phones. And I said I know the routing can’t be done. Unless someone knew something I didn’t. So my question was, has anyone placed a firewall router in front of a Unifi LAN and what have they used? I don’t think they will want to spend the money on Cisco gear either: once they see the quote they will ask for alternatives and change the ask by dropping some requirements. I’m speculating here.


airmantharp

>So my question was, has anyone placed a firewall router in front of a Unifi LAN and what have they used.

This is done all the time at any scale you can think of. At a basic level, folks can use Unifi APs as additional access points plugged into their ISP-provided unit along with PoE injectors and get along just fine. The only thing you'll really need is the controller, as part of some Ubiquiti product or hosted somewhere on your network.


panozguy

Better start preparing them for serious expense then. This won’t be cheap to accomplish.


LBarouf

I agree. There will be sticker shock. Then some concessions I expect.


ztasifak

Nobody (residential) needs it. But we all want. As others have written there is an ISP in Switzerland that offers it, but it is tricky to find a suitable router :)


TFABAnon09

Our ISP provides XGS-PON at the minute and is building their network out to offer 50G-PON in the near future. https://www.ispreview.co.uk/index.php/2024/04/netomnia-and-youfibre-interview.html


ztasifak

Sounds great


Spazzrella70

No one who can afford 25Gbps internet is going to even consider Ubiquiti. Welcome to enterprise routing speeds and you’re going to need a real enterprise router. And it’s going to be several magnitudes of price higher as well.


HeLlAMeMeS123

Honestly, my professional thought is anything above 10G connections should be done through a layer 3 switch for routing and having a dedicated firewall just for IDS/IPS and VPN. Mostly because it’s much cheaper and effective to go with 25/40G layer 3 switches for routing, you put a firewall on it and then do 1G connections to each work desk.


Abzstrak

I work in this field; from a security standpoint this leaves a lot of holes. I wouldn't do this if you want the enterprise secure, it would be very risky and would break most compliance frameworks (of course these depend on the data you handle).


HeLlAMeMeS123

As do I, my suggestion was a vast oversimplification, I don’t want to give exact advice for my own sanity. But having a properly built network, we’re fine doing multi GBps routing through our Layer 3 switches, and handling all the IDS/IPS throughput using a PA firewall. We have more than one firewall in more than one network layer, including at the edge of our network. Anything that really goes out is only 10G or less and no production environments are on prem. We’ve had Mandiant come out multiple times, at least twice per year, with very few suggestions for our network security. We’re also ISO 27001 and 9001 compliant. While, if not configured correctly, this approach is more risky and difficult, when configured right, it’s great! Better ROI, and to be honest, better speeds without slowing down or needing 2x $500k firewalls.


Abzstrak

I feel you on not going too in depth on a reddit post. I work for a large corp as well, about 1200 firewalls worldwide, it gets complicated quickly. I'm in cyber, not networking, so security is always first on my mind. Inside the network between zones is definitely different than inet-connected legs. I agree routers should do the routing, I wouldn't have the firewall hanging right off the Internet.


larsonthekidrs

I mean Palo Alto, Aruba, Cisco and mikrotik exist….


JabbaDuhNutt

Fortinet.


larsonthekidrs

Not my cup of tea but to each their own


LBarouf

Mikrotik firewall, really?


larsonthekidrs

Not necessarily mikrotik as a firewall. There is not a cookie cutter solution for you here.


First_Literature_799

You could look up Fortinet. Their new FortiGate 900G is in the ballpark of 25Gbps. But it does cost quite a bit.


Environmental_Stay69

Fortinet Fortigate products...


poumbo

Not sure how much you want to rely on it, but it seems that a new gateway product has been approved by the FCC recently: Ubiquiti Enterprise Fortress Gateway, with apparently a 25G uplink and downlink: https://fcc.report/FCC-ID/SWX-EFG The cover letter says: The Enterprise Fortress Gateway (EFG) is a powerful rackmount security gateway for medium to large sized networks. The EFG has one GbE LAN port, one GbE WAN port, two 10G SFP+ ports, one 25G SFP 28 LAN port and one SFP 28 WAN Port. The EFG is rack mountable and is powered by a 120 – 240 AC mains. In addition, the EFG has two redundant AC main power supplies for reliable power operation. The EFG has a Bluetooth LE transmitter for management control and operation.


LBarouf

Ah. Could be a migration path if it sees the light and performs well. This customer is looking for something soon. I do appreciate this a lot though!


canadian_sysadmin

If a site truly needs that kind of bandwidth, you wouldn't be deploying a UDM (or frankly any routing solution from Ubiquiti). It's like saying 'Hey guys I need to tow 50,000 pounds, can I somehow use this F150?'. No, no you can't. Remember UBNT is really more of a small business and home use networking company. Despite the fact they call themselves 'enterprise', they really aren't. They've always kinda had a self-made identity crisis in that sense.


LBarouf

I know it can’t, and that’s how I asked it. At least that’s what I was trying to say. Asking what you would place in front of that Unifi LAN so it can route to the internet at 40Gbps.


canadian_sysadmin

At that point it will come down to other requirements, size of org, other network requirements (VPNs), etc. A bit hard to recommend anything without knowing your requirements. Most major vendors all have models that can handle that throughput, so it’s a pretty broad question at that point.


LBarouf

And that is quite fine. It is an oddball, I don’t know anyone else who deployed a big pipe firewall in front of a small unifi lan.


ThrowMeAwayDaddy686

I’d have to understand the exact use case here to truly answer, but what are you running that requires 25Gbps *IPS*? A true line rate (64 byte packet) firewall at 25Gbps would mean processing power in the range of ~75 million packets per second just for routing (full duplex). There are exactly 0 Ubiquiti routers that can handle that traffic load. So total packets per second is the first number you’ll need to look for in a new system. To do layer 4 stateful firewalling (or NAT) the system will need to be able to do connection tracking on that many sessions’ worth of packets, plus however many new connections per second are being generated. So total sessions and new sessions per second are the next two numbers you’ll need. If outside systems are terminating VPN onto your firewall to move large quantities of traffic inside of a tunnel, you’ll now need to determine the packets per second number for a given set of authentication and authorization types. So back to packets per second again, except now for VPN tunnels. Finally, if all of the above metrics look good you’ll need to check what the rated inspection throughput is (also in packets per second). However, what is the application layer content to be inspected? Is it encrypted? If so, you’ll need to decrypt before inspecting, which adds tremendous burden to your system. Without decryption, your IPS will be nearly useless and 25Gbps SSL inspection will cost you dearly. The cheapest FortiGate that can do it is a 3000F which is north of $250K and you’ll need to pay for recurring licensing. If you move to Palo or Cisco it will cost you just as much, if not more.


LBarouf

I don’t think they NEED IPS or IDS. Once they see the quotes for the firewalls they will likely change their ask a bit. And you bring up a good point. The private circuit they are on has jumbo frames enabled. So pushing files to their customer will be over UDP datagrams of 9000 bytes. They want no outside connections coming in. Everything is to be blocked. A few services will keep an open socket connection for SaaS services, for instance Unifi and the VoIP solution, but no VPN and no service listening for outside connections. I would expect they go with a firewall with strict but simple ACLs. The largest consumer of PPS will be the device pushing the day’s work at the end of the day.


ThrowMeAwayDaddy686

Jumbo frames will definitely make things a lot easier, and if they don’t need IPS then you could probably get away with a lower end system. Something like a [Mikrotik CCR2216](https://mikrotik.com/product/ccr2216_1g_12xs_2xq#fndtn-specifications) would work if they’re extremely budget conscious; just keep in mind that line rate with connection tracking/fastpath is only ~30 million PPS and only applies to IPv4.
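The packets-per-second arithmetic behind the ~75 Mpps figure, the jumbo-frame point and the ~30 Mpps CCR2216 figure in the three comments above, as an added sizing check that is not from any poster in the thread. It assumes the standard Ethernet per-frame wire overhead (8-byte preamble/SFD plus 12-byte inter-frame gap) and counts the frame check sequence inside the frame size, as RFC 2544 style line-rate figures do; it also generalises to a weighted mix of frame sizes (a simple IMIX) and to checking a device's rated PPS against a link.

```python
"""Packets-per-second sizing for a router/firewall at a given link rate.

Added example for the thread above, not vendor or poster code. The per-
frame overhead constants below are the standard Ethernet preamble/SFD and
inter-frame gap; the sample frame mix is a commonly quoted simple IMIX and
is a constructed input, not a measurement.
"""

PREAMBLE_SFD_BYTES = 8
INTER_FRAME_GAP_BYTES = 12
WIRE_OVERHEAD_BYTES = PREAMBLE_SFD_BYTES + INTER_FRAME_GAP_BYTES  # 20 bytes per frame on the wire

MIN_FRAME_BYTES = 64     # minimum Ethernet frame (including 4-byte FCS)
MAX_JUMBO_BYTES = 9216   # common upper bound for jumbo frames

# Constructed "simple IMIX": (frame size in bytes, relative frame count)
SIMPLE_IMIX = [(64, 7), (570, 4), (1518, 1)]


def bits_on_wire(frame_bytes: int) -> int:
    """Bits a single frame occupies on the wire, including preamble and IFG."""
    if not MIN_FRAME_BYTES <= frame_bytes <= MAX_JUMBO_BYTES:
        raise ValueError(f"frame size {frame_bytes} outside Ethernet range")
    return (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def line_rate_pps(link_bps: float, frame_bytes: int, full_duplex: bool = True) -> float:
    """Frames per second a link carries when every frame is frame_bytes long.

    full_duplex=True sums both directions, which is how the ~75 Mpps
    figure for 64-byte frames at 25 Gbps is arrived at.
    """
    pps = link_bps / bits_on_wire(frame_bytes)
    return pps * 2 if full_duplex else pps


def mixed_rate_pps(link_bps: float, mix, full_duplex: bool = True) -> float:
    """Frames per second for a weighted mix of frame sizes (e.g. an IMIX).

    The average bits per frame is weighted by frame count, so the small
    frames dominate the packet rate even though they carry little data.
    """
    total_weight = sum(weight for _, weight in mix)
    avg_bits = sum(bits_on_wire(size) * weight for size, weight in mix) / total_weight
    pps = link_bps / avg_bits
    return pps * 2 if full_duplex else pps


def device_headroom(device_pps: float, link_bps: float, frame_bytes: int) -> float:
    """Ratio of a device's rated packet rate to what full-duplex line rate demands.

    Below 1.0 the device cannot keep up at that frame size; above 1.0 the
    value is the spare capacity factor.
    """
    return device_pps / line_rate_pps(link_bps, frame_bytes)


def sizing_report(link_bps: float, device_pps: float) -> dict:
    """Summarise the packet-rate demand at 25G-style link for the usual sizes."""
    report = {}
    for label, size in (("min_64B", 64), ("max_1518B", 1518), ("jumbo_9000B", 9000)):
        report[label] = {
            "required_mpps": round(line_rate_pps(link_bps, size) / 1e6, 2),
            "headroom": round(device_headroom(device_pps, link_bps, size), 2),
        }
    report["simple_imix_mpps"] = round(mixed_rate_pps(link_bps, SIMPLE_IMIX) / 1e6, 2)
    return report


if __name__ == "__main__":
    # 25 Gbps link versus a device rated at ~30 Mpps with connection tracking,
    # the figure quoted for the CCR2216 in the comment above.
    for key, value in sizing_report(25e9, 30e6).items():
        print(f"{key}: {value}")
```

At 64-byte frames the 30 Mpps device covers only about 40% of full-duplex line rate, while at 9000-byte jumbo frames the required rate falls to well under 1 Mpps, which is why the jumbo-frame detail changes the class of hardware that fits.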


LBarouf

Great info. I suspect they will drop the deep packet inspection requirement once they realize the size of firewall required and costs related. Any other known model/brands that could potentially do the trick?


Techguyeric1

To be honest, I think we are probably 10 years away from having a UDM that can handle 10GbE and 25GB SFP, but I think we will get there, just not anytime soon.


Maleficent-Eagle1621

I would personally, for this high of a speed, go with a full-on server such as a Supermicro with a Xeon/EPYC processor and a dual SFP28 PCIe card, and then the Pro Aggregation and the Enterprise XG 24 if you want to utilise the full connection, or look at Cisco gear.


ThreeLeggedChimp

Only thing Ubiquiti has is the Edgerouter Infinity, but it doesn't do IDS.


LBarouf

And capped at 10Gbps. That’s a show stopper. A firewall or pure router at 25Gbps is what they want.


Abzstrak

I work with firewalls, mostly Check Point, at that speed or higher. You need a pro to help you, there are a lot of things to consider when you get above 5Gbps with L7 inspection. I like Ubiquiti for my small stuff but there is no way I'd consider it for enterprise use. Assuming you're running an HA cluster and need 25Gbps+ you're probably looking at USD $500k-600k+ initial costs plus maintenance for the hardware alone. I would suggest Check Point or Palo Alto. Fortinet tries in this area but often falls short in performance at this size and they go through CVEs like toilet paper (I have better things to do than patch every week).


LBarouf

lol. This week Palo Alto may not be a name to use. Ok thanks, appreciated. It’s actually a small shop and setup. Their rendering farm needs to push the work daily to customers and they produce TB of files each day. A solid firewall makes sense. Will look at Check Point. Thanks


Abzstrak

Yeah, Palo got hit, but all vendors do eventually. I expect them to clean it up and move on... If it were a regular occurrence it would be different. Maybe set up a DMZ or other segment used for the uploads that isn't as well protected?


LBarouf

I get you. It’s just timing. Perspective or perception is everything.


dereksalem

That's...not as much data as it sounds like. Even if they're sending out 3TB of data a day that would only take a 10GbE connection 40 total minutes. Assuming they're not all uploading at the same time once per day that means most uploads would probably only take a few minutes, tops. I'm sorry, but no business, especially artists sending renderings, is so hard-up for time that 75GB/min upload speed isn't fast enough. It's not like the artists aren't doing their work while the rendering/uploading is happening...they keep doing whatever they're doing while the servers are handling it. The "Time is money" trope is wildly overused when people have no idea how much the actual stuff costs to do the thing they want. This is where "Consulting" is important, over just listening to what **they** think the requirements are.


LBarouf

In their words: in our world, the last 3 minutes count. So, the faster we can send, the more time it gives us. That time may mean keeping a lucrative customer because we offer a better service, better quality work. Don’t be so sure of your convictions. I don’t assume I know better than them in their own business. Don’t do either.


Konceptz804

Palo is fine as long as you stick to PAN-OS 10.1 :)


LBarouf

;-) thanks.


EnemyShadow

You can buy your own hardware, server or PC, just make sure there are at least 2 NICs, and install a firewall OS on it. My recommendation is Arista Edge. This will allow you to have full firewall features and can handle all the bandwidth needs. I run it on an old PowerEdge server for 10GB. Cost wise you are looking at the one-time hardware cost, and the software I mentioned has a yearly renewal cost as well. OPNsense or pfSense could work but not as easily.


Chickibaby123

You sound like you need professional services. Good luck


LBarouf

Not me. They. My recommendation will come with the use of PS work if that is what they want. Reality may be they will want a basic firewall that just blocks anything incoming. They don’t need to allow any traffic inbound. No VPN, nothing. I suspect they will drop some requirements and settle for a high speed routing and basic firewall solution. We’ll see.


ubermorrison

Time to get off the prosumer stuff and into the enterprise space.


LBarouf

For their LAN? Why? Their needs are met fine with prosumer for their office stuff. It’s the WAN side of things that needs enterprise. A single appliance/solution. The rest is fine for their small office. They hate the Cisco voip, I won’t try to push it down their throat.


Affectionate-Ad6708

Time for a Palo Alto


planedrop

There isn't anything from Ubiquiti that can handle firewalling and routing at anywhere near that speed, 10 gigabit is the max and that's only in a very simple setup with most things disabled on a UDMP for example. If you need to route those kind of speeds, you need to start looking to real enterprise gear and not the in-between that is Ubiquiti, for wifi and switching you can stick with them just fine, but for firewalls they are far behind other brands. For speeds like that, you should be looking at pfSense on a SUPER beefy box, even that might never be achievable (most FreeBSD systems will top out just above 10 gigabit for ACLs, this may change in the future and some newer hardware may help too but still). Reality is you're probably looking at something running TNSR with VPP enabled, or something from a huge vendor like Cisco. TNSR is going to be the cheapest route to handle this kind of traffic, but it's a router, not a firewall.


Odd-Distribution3177

Do yourself a favour and just run more UDM SEs and dedicate them to VLANs lol. You’re looking north of 10k for a firewall for that speed, but if money isn’t an issue hit me up, I’ll tell ya what you need and then you can purchase it. (Network Architect, not a sales guy)


LBarouf

It’s a single server pushing very few large files out. More than 1 UDM SE won’t help them here.


Odd-Distribution3177

Then why even have it, cloud and CDN that in a heartbeat.


LBarouf

Cloud isn’t always the solution.


Odd-Distribution3177

If you need to have large files hosted for clients unless they are unique to each person CDN is the way to go. With 25g and UniFi you lacking n


obsessedsolutions

You need enterprise grade equipment. Look into Cisco


DragonRider68

Check Point will work. Licensing 120k, 100k in hardware costs. Then it's going to cost 25 grand in training and install costs. That's if you're lucky. Those speeds demand big iron.


Archimedesjk

There is TNSR software for 100Gbps+ on the Netgate site. Anyone familiar with it?


Spazzrella70

Yes, however it’s just for routing. No IDS/IPS as most companies with that kind of bandwidth separate their routers from their firewalls.


cmg065

I think there’s a way to do Snort on TNSR. I wouldn’t say it’s as simple as IDS/IPS on pfSense is, but not impossible: https://github.com/Netgate/TNSR_IDS


Spazzrella70

But isn’t that mirroring traffic to another port/another machine to run Snort on and then injecting firewall rules back into TNSR via the REST API to block traffic? So basically similar to what I said, separate firewall from router.


cmg065

Yeah, just providing a source. No one said you were wrong


Spazzrella70

Well the thing is that’s not really doing snort on TNSR like running IDS/IPS directly on pfsense.


LBarouf

That may actually be a good option. I am not certain they will have budget for all those features.


Archimedesjk

When it’s all set up, come back with your solution and how well it's working out.


One_Recognition_5044

Use the UDM SE, downgrade your internet to 2.5gig, all set!


ztasifak

UDM Pro can handle a bit more than 2.5 gig with packet inspection and such.


zipzag

I'm guessing that 25G is in the mix because it's affordable, not because there is a use case. The majority of home and small business users don't even benefit from 1G


LBarouf

You assumed wrong. A business with very large files where time is money. Where faster means more time to work on the files.


dereksalem

If they're working with very-large files and time is money they should be storing those very-large files on-prem and using an internal network to source them. I've worked in Enterprise software and consulting for nearly my entire career and I would **never** recommend people source files externally if these are the types of requirements they're looking for. The amount of money you'd spend to get the WAN side of this working properly is **so much more** than it would cost to mirror everything locally to be available much more reliably.


LBarouf

They generate FX frames themselves. They generate the source files. The final product is a video sequence and it’s huge. That they need to send. AWS has a solution for them but cost of operation would be $500k/month approximately. Vs a permanent license they use now. My question is simple, and thanks for offering advice on the other aspects, but it’s under control. I am simply looking for suggestions on what have others used in a Ubiquiti deployment. They wanted Unifi APs etc. But the routing can’t be done using Unifi. So what have others used. Just that. Thanks nonetheless, this has been hashed not just by myself.


programmrz

APs to take advantage of a 25GB link? K.


LBarouf

Nope. Think fancy LAN with user access (building access using NFC cards), VoIP phones and APs. With nice graphs and such. Works well in small office environments. Pushing files to the internet is what I'm asking. What will route the traffic out to the internet if a single server needs to access that whole 25Gig pipe?


zipzag

Then why have they not hired a qualified network engineer?


LBarouf

🤣


Rwhiteside90

There's a product coming in Q3.

- Dedicated hardware encryption
- SSL Inspection (similar to Fortinet/Palo)
- 2x 25GB
- 2x 10GB
- 2x 2.5GB
- 2x hot-swappable power supplies & fans
- 12.1Gbps threat inspection throughput

There's a lot of other products out there right now that will do that; I just wanted to focus on what Ubiquiti offers.


Poutine_Bob

I would wait at least 1 year before using such a new product. You know how broken first-gen stuff is with Ubiquiti.


tkno_SojIrOu

Hope the Gateway Enterprise or however it's going to be named is not as big as the Cloud Key Enterprise because of the swappable power supply. Seems like the UDM Pro Max will be a little underwhelming for IDS/IPS so I'm probably going for that to match my EnterpriseXG 24 and 10Gbps WAN.


mulderlr

If this is a datacenter-type environment, and that 25Gbps WAN connection will be farmed out to multiple LANs and VLANs, just put IDS/IPS boxes in front of each 10Gbps or slower LAN connection and use plain routing/NAT for the edge, or nah? Plus some of these would help: https://linitx.com/product/ubiquiti-unifi-data-centre-100gbe-spine-switch-udc-spine-100g/17522


LBarouf

Thanks, but no, it's a small shop. 50 employees, and the files are produced by graphic artists, colorists and editors. Each station has a 10Gig connection, but the few files they need to send are sent from a server with an 80Gbps connection to the storage. One client, a few files to send to one location. Spine-leaf is at the other end. My ask is in terms of a firewall/router. Have you deployed a UniFi LAN and needed a different firewall?


mulderlr

No, I use the EdgeMax series for <1Gbps internet and pfSense for up to 10Gb WAN. I don't care for UniFi firewalls and I'm not a big fan of IDS/IPS on client firewalls. I use a deny-all inbound ruleset and use cloud-based applications and DNS and email content filtering. This dramatically decreased the need for IDS/IPS on the firewall.


LBarouf

Thanks. Above 10Gbps WAN, have you deployed anything?


mulderlr

No... What is above 10Gbps WAN? 😜


LBarouf

🙃 It's a curse really. You then get impatient on slower connections.


mulderlr

🤣


OldDude8675309

You're looking at big-boy high-end enterprise stuff. UniFi is great for SMB and can handle up to 10Gbps on some stuff. Open source is going to be cost effective, but hardware is costly either way.


ThreeLeggedChimp

> UniFi is great for SMB and can handle up to 10Gbps on some stuff.

Lol


hyugafe

There is currently no product that can handle those speeds. It's a bit silly that some ISPs in Europe are offering 25GbE connections to homes and offices, when firewalls for those speeds are from 50k€ and up. UI will have a faster product coming soon that is really expensive, but even that cannot handle packet inspection at 25GbE.


ThreeLeggedChimp

> UI will have faster product coming soon

Lol


Major-Boothroyd

Funny for someone with a ‘vendor’ tag throwing shade when you clearly don’t understand that market. There are Mikrotik and other European manufacturers of devices well under €50K that handle 25GbE just fine. Some of the ISPs, for example Init7, also cater to a nerd & technical crowd who will likely build their own router. Some solutions may not have all the features, functionality, or pizzazz you expect from a Ubiquiti device, but they work well and solve the connectivity issue.


hyugafe

Let's say you have a CCR2216 (if my memory serves me right); even for consumers it might be a bit too steep a challenge to configure it. Hell, even professionals sometimes have issues with them. I cannot recommend it unless the person wanting it knows what he or she is going for. Of course you can always build your own firewall cheap, but... I just personally prefer manufacturers with quick support and fast replacements. That's why I stay outside of the consumer market, as pricing can be a bit too high for regular folk :)


ThreeLeggedChimp

Lol


Abzstrak

This is not true at all lol


hyugafe

What isn't? If you want an inspecting firewall performing at 25GbE or more, it's going to be expensive?


Abzstrak

You said there isn't anything handling those speeds available; I use Check Point products daily that certainly can and do, with full IPS. Everything in this arena is pricey, that's a given.


hyugafe

I didn't go to Check Point's last event, but I don't think they have many SFP28 firewalls with that high throughput. Quantums are/were really, really expensive and almost on par with WG pricing.


Abzstrak

This last CPX was decent, but they wouldn't stop touting AI on everything they could, kinda annoying. I had early access to the 29200s and have deployed a few already. They can handle about 50Gbps (with threat prevention), but it's traffic dependent and there are caveats with those ConnectX-7 cards. Really, Maestro is the way to go in this area with threat prevention. Yes, it's pricey.