Uhmm, it wouldn’t be fair to judge NS security - I didn’t (and will not) try or test it.
For years I’ve been fine with OPNsense. Never touch a running system at this point. My NS7 is well protected behind my FW. Besides - all certs are frequently fetched from the ACME client of the OPNsense and deployed (not only) to the NS7. Converted and copied to all the correct places.
Right now I have no need to change anything in my setups.
PS: For the cert, not needed. The UCG examines the received packet and, as it is transparent, it just relays it to the destination party and lets it start the encryption conversation.
These products like the UCG Ultra really look nice and I was shown that you can easily merge networks and set up things fast and it has nice packet flow diagrams…but it has no reverse proxy, for example.
But the main disadvantage for me: It seems to be NOT Open Source, at least I couldn’t find unifi os source code.
AFAIK Unifi OS is NOT Open Source.
And in my opinion it does not “need” to be.
It is specifically programmed for their very efficient hardware and not intended to run anywhere else.
I use Mac, and Windows to support my clients running Windows.
Both are closed source - I have no issues with it. (To be honest a little more issues with Windows than Mac, but other reasons than Open Source!)
@schulzstefan
I used OPNsense too, still do. But only for special purposes.
For most of my clients, I can’t beat the price of UI with even Chinese hardware, yet I still have to install and maintain OPNsense.
UI is less than half the price of the hardware I’d need to handle 1 GB/S Internet, very common in Switzerland.
And we also have 10 GB/S (Up and Down !!!) for 59.-, 20.- if you want a static IP (more IPs available if needed).
I can’t beat a fixed price of 350 CHF, no license fees at all! (Unifi UDM-Pro, 10 GB/S Firewall).
And full 3 GB/S IPS/DPI capabilities locally. OPNsense needs a VERY powerful Box for 1.5 GB/S IDS/DPI…
My 2 cents
Andy
PS:
Unifi allows SSH access to all their gateway boxes, you have to allow it from the Console (Unifi lingo for the built in Unifi-OS Web Interface).
At your own risk, you can actually install stuff!
But I let UI do its stuff.
A reverse proxy is included in NS8, but a VM or LXC in Proxmox is just as easily set up for specific tasks.
This entails much less risk!
AFAIK, all known used implementations of SSH are all based on OpenSSH (Even Windows and Mac, also UI).
OpenSSH is from Theo de Raadt, the creator of OpenBSD, still the most secure OS out of the box. And not surprising, Theo will even review Apache code to make sure it’s secure!
I took some time to read through their forum. I think I understood their concept and idea behind all this. Yeah, you can cripple the stuff without a cloud account or being connected to their resources. Does it make sense at least? You decide. I did already. No need to make things complicated.
Your needs are covered, you have used OPNsense for years now. Fine.
Germany isn’t really moving on upgrading their Internet, most areas are limited to 100 or 200 MB/S.
I won’t go into politics here, but the issues are much deeper and longer term…
My OPNsense boxes are limited to about 4-500 MBit/S - some clients got a free upgrade to 600 or 1 GB/S and I had complaints my firewall couldn’t handle the speed…
Some clients had twice the Internet speed - more or less out of the blue…
I can get a new china box for 200-300 €, but still need to install and maintain OPNsense.
Or get the client a UCG-Ultra or UCG-Max for less price and faster installation.
Without using the Unifi Cloud, you CAN mesh 10 sites with VPN and full connectivity manually.
If you do the math, you’re getting close to 100 VPNs.
Even for a script wizard, that takes time!
With Unifi Cloud, this takes 1-5 minutes, depending on complexity of needed connections.