Protecting my old faithful friend NethServer-7.9 with a firewall

Hi all,

Here is a way to protect a NethServer-7.9 and keep it running.

UniFi-101, Cahier-02: UniFi Cloud Gateway Ultra en pare-feu – Boutique Micronator.

Canada => Cloud Gateway Ultra - Ubiquiti Store. $169 CAD / $120 USD / €114
Germany => Ubiquiti Unifi Cloud Gateway Ultra. €118
Italy => Cloud Gateway Ultra - Ubiquiti Store. €90
UK => Cloud Gateway Ultra - Ubiquiti Store. £75.00
Brazil => Cloud Gateway Ultra - Loja Ubiquiti. R$ 789

Michel-André

3 Likes

Why not use OPNsense? Or pfSense? Or NS security?

Salut @schulzstefan,

Been there, done that…

Because UCG Ultra just works and mainly, much easier.

And for NS security - hoping you’re joking…

Michel-André

Uhmm, it wouldn’t be fair to judge NS security - I didn’t (and will not) try or test it.

For years I’ve been fine with OPNsense. Never touch a running system at this point. My NS7 is well protected behind my FW. Besides - all certs are frequently fetched from the ACME client of the OPNsense and deployed (not only) to the NS7. Converted and copied to all the correct places.

Right now I have no need to change anything in my setups.

Salut @schulzstefan,

If it’s working, don’t touch it…

Michel-André

PS: For the cert, not needed. The UCG examines the received packet and, as it is transparent, it just relays it to the destination party and lets it start the encryption conversation.

These products like UCG Ultra really look nice and I was shown that you can easily merge networks and set up things fast and it has nice packet flow diagrams… but it has no reverse proxy for example.

But the main disadvantage for me: it seems to be NOT Open Source, at least I couldn’t find UniFi OS source code.

1 Like

Hi @mrmarkuz

The included and working DNS part is able to do it.
Much easier and faster to set than with NethServer-7.
Same for port forwarding.

Surprisingly, for the Open Source, I do not know, I will have to check that.

Michel-André

1 Like

Salut @mrmarkuz

From: Software Downloads - Ubiquiti

Release software components are licensed under the GNU General Public License, as well as other open-source and free software licenses.

But this is for the download of UniFi Network part, not the UniFi OS.
As the title of the page says: " Download UniFi Network Server"

I will have to look further…

Michel-André

EDIT:
My first ever “talk” with GPT and it cannot answer my question…

UniFi GPT
Unfortunately, I am unable to provide a response to your inquiry.

Second question:

Is GPT better than human to elude a question?

UniFi GPT
Unfortunately, I am unable to provide a response to your inquiry.

My answer to my second question

Lot better… but not as much as a politician.

2 Likes

Hi

AFAIK Unifi OS is NOT Open Source.
And in my opinion it does not “need” to be.

It is specifically programmed for their very efficient hardware and not intended to run anywhere else.

I use Mac, and Windows to support my clients running Windows.
Both are closed source - I have no issues with it. (To be honest a little more issues with Windows than Mac, but other reasons than Open Source!)

@schulzstefan
I used OPNsense too, still do. But only for special purposes.
For most of my clients, I can’t beat the price of UI with even chinese hardware, yet I still have to install and maintain OPNsense.
UI is less than half the price of hardware I’d need to handle 1 GB/S Internet, very common in Switzerland.

And we also have 10 GB/S (Up and Down !!!) for 59.-, 20.- if you want a static IP (more IPs available if needed).
I can’t beat a fixed price of 350 CHF, no license fees at all! (Unifi UDM-Pro, 10 GB/S Firewall).
And full 3 GB/S IPS/DPI capabilities locally. OPNsense needs a VERY powerful Box for 1.5 GB/S IDS/DPI…

My 2 cents
Andy

PS:

Unifi allows SSH access to all their gateway boxes; you have to allow it from the Console (Unifi lingo for the built-in Unifi-OS Web Interface).
At your own risk, you can actually install stuff!
But I let UI do its stuff.
A reverse Proxy is included in NS8, but a VM or LXC in Proxmox is just as easily set up for specific tasks.
This entails much less risk!

1 Like

Salut @Andy_Wismer

Thank you for your 2 cents.

According to my limited knowledge, the SSH part of the UI belongs to the UniFi Network, so it is GPL compliant according to one of my previous posts.

Michel-André

1 Like

@michelandre

Unifi OS brings its own SSH server.

AFAIK, all known implementations of SSH in use are based on OpenSSH (even Windows and Mac, also UI).
OpenSSH is from Theo de Raadt, the creator of OpenBSD, still the most secure OS out of the box. And not surprisingly, Theo will even review Apache code to make sure it’s secure!

My 2 cents
Andy

IMHO a good track record… (History below)

1 Like

AFAIK unifi is designed to be connected to their cloud. What I don’t want and like.

It is, but can be used with or without - you decide!

It can run completely locally.

My 2 cents
Andy

1 Like

I took some time to read through their forum. I think I understood their concept and idea behind all this. Yeah, you can cripple the stuff without a cloud account or being connected to their resources. Does it make sense at least? You decide. I did already. No need to make things complicated.

@schulzstefan

Your needs are covered, you have used OPNsense for years now. Fine.
Germany isn’t really moving on upgrading their Internet; most areas are limited to 100 or 200 MB/S.

I won’t go into politics here, but the issues are much deeper and longer term…

My OPNsense boxes are limited to about 4-500 MBit/S - some clients got a free upgrade to 600 or 1 GB/S and I had complaints my firewall couldn’t handle the speed…
Some clients had twice the Internet speed - more or less out of the blue…

I can get a new china box for 200-300 €, but still need to install and maintain OPNsense.

Or get the client a UCG-Ultra or UCG-Max for less price and faster installation.

It’s almost a no-brainer in my situation.

My 2 cents
Andy

1 Like

Salut @schulzstefan,

Then can you elaborate on how it cripples the stuff?

Michel-André

Perfect. For you and your clients.

@schulzstefan

This world does not have a “One size fits all”.

That’s why it’s good to have options - but also to have discussions on options, etc.

My 2 cents
Andy

1 Like

As I understood, at least you’ll get no updates without an account or being connected to their cloud.

You might want to have a look at https://community.ui.com/

A lot of issues to read and come to conclusions for your own.

Without using the Unifi Cloud, you CAN mesh 10 sites with VPN and full connectivity manually.
If you do the math, you’re getting close to 100 VPNs.
Even for a script wizard, that takes time!

With Unifi Cloud, this takes 1-5 minutes, depending on complexity of needed connections.

You can’t beat that advantage.

There are other such examples.

My 2 cents
Andy

1 Like