The Problem With Unifi SDN
From the outset, I would like to make the following abundantly clear. Shaw IT and our customers use Ubiquiti equipment extensively. It is reliable (for the most part, see below), inexpensive compared to competitor products, and has given smaller companies and consumers access to very capable networking equipment.
This article focuses specifically on the Unifi line. It is not meant to be an in-depth review of Unifi but an overview of what it is and isn't. We are not Ubiquiti fanboys, and we are also not particularly critical.
However, there is a problem. Features normally found in more expensive products are now widely available to people who don't know what they're doing. In other words, Unifi-based networks are being deployed by a lot of non-pros or 'power users'. As a result, networks are often badly designed and silly errors are made, causing poor network performance or even complete failure. What actually happens in many cases is that the blame is unfairly placed on the equipment.
We manage many customer Unifi networks, and we often take over management of networks that have already been deployed. It's often a nightmare to pick apart what's been done. Putting things right often involves more spend on new equipment, either because the wrong kit was initially deployed or because proper network topology dictates different purchases. Unifi has created a lot of 'experts' who are not really experts.
I'll give you a real-world example. We have an MSP client in Australia. They have a lot of hotel customers, many of whom use the hotel's LAN to deploy television services. More and more hotels are also making the jump to VoIP telephony, as the existing LAN can be used. When our client realised that they didn't have the expertise to properly configure VLANs and all the other requirements associated with this kind of setup (poor-quality VoIP due to QoS issues, etc.), they came to us for help.
It was very difficult for us to be honest with our client. We had to explain that they had made some very silly mistakes with their networks. For example, our client had deployed a UDM-Pro at one particular hotel that required load balancing. However, when he asked us to configure that, our client had failed to realise that the UDM-Pro is not capable of load balancing, only failover. It was a simple case of the client failing to read the spec sheet of the product. In other words, he just hadn't done his homework. For large networks such as those found in large hotels, while we would readily deploy Unifi APs and switches, we would never recommend Unifi gateways; they just don't have the capabilities required and are more suited to smaller networks.
In another example, one particular hotel was having many Unifi switches fail. The switches were blamed as being unreliable. In fact, we discovered that the problem was actually that separate buildings with their own power systems had been connected together with copper LAN cables. Every time there was a phase-to-phase variance in voltage due to grid issues, or a nearby lightning strike, the voltage differential followed the interconnecting cables and the equipment failed. This was a disastrous and very costly deployment error that should never have happened. Certainly, the Unifi equipment should NOT have been blamed.
I will list the advantages and disadvantages of Ubiquiti gear as we see them.
- Obviously, there is a significant cost benefit.
- There is nothing stopping you from mixing in network equipment from other vendors, if you can accept a separate management interface.
- In our experience, the Ubiquiti line is usually very reliable (caveat: see the disadvantages below).
There are some small but annoying problems...
- The blue status LED lights on the APs and some switches quickly fail. The switch continues to operate normally, but the status light fails after a year or two in almost all cases. This is a minor annoyance, but it never seems to get fixed through board revisions.
- Even though the management interface makes things easy for prosumers or the inexperienced, you still have to know what you’re doing.
- Ubiquiti have a very bad habit of pushing out firmware that has not been properly tested. Anyone using the Unifi line should not be click-happy in the sense of clicking the 'upgrade' notification as soon as it appears. Staying on your current firmware when there is no good reason to upgrade will often save you a world of pain, lost days and spelunking.
The gateways cause a lot of confusion: USG, UDM, Cloud Keys, Cloud Keys that can or can't run Unifi Protect, features on lower-end UDMs that are missing on the higher-end UDM-Pro. In our opinion, Unifi gateways of any kind should only be deployed on home networks or in very small businesses. The threat management feature is OK for those who want a "click and I'm protected" feature, but quite frankly it's pretty useless in any true enterprise environment. In nearly all cases, we recommend a pfSense gateway to businesses, particularly in a multi-WAN environment, where the load balancing capabilities and Policy Based Routing features of pfSense are vastly superior.
Unifi is a reliable, VLAN-capable WiFi platform, and we never hesitate to deploy the APs and switches. However, many of the features that would make it truly enterprise-grade are either only available via the command line or simply not there. It will satisfy the needs of any home user and most small offices, but beyond that it's a stretch of the imagination to describe it as enterprise.
To reiterate, we have sites with hundreds of APs deployed. They work perfectly and failures are extremely rare... but the gateways are pfSense.