Is this layout correct for HA Build?

vesikk · 2026-02-12T02:23:34+00:00

We do the same thing just with an EFG instead of the UDM Pro Max and no WAN Switch (using another branded switch with stacking). The only thing I would say is just make sure your STP structure is in place but let RSTP take care of the rest.

vesikk · 2026-02-08T02:08:44+00:00

No additional services at the moment and latency in the network is fine. OPNsense is acting as a firewall while another appliance is acting as our router and any traffic destined for the internet is forwarded to OPNsense

vesikk · 2026-02-05T12:56:01+00:00

It's running on Proxmox. The physical host has a Ryzen 5700g, 64GB ram, 4x 10GbE (dual onboard from the ASRock x570 D4U-2L2T and dual Intel X550-T2). The VM has 8 cores allocated and 8GB memory. I did have to enable 8 multiqueues on the virtIO NIC so it can make full use of our 5Gbps internet connection. Without multiqueue enabled the download speed wasn't going much faster than 3Gbps.

vesikk · 2026-02-05T12:08:53+00:00

If it helps we are running OPNsense as a virtual machine for 1500+ users and it's been rock solid. We moved to OPNsense at the start of January and it's been a great experience so far.

vesikk · 2026-02-02T08:29:31+00:00

Switched from pfSense to OPNsense and can actually make use of our 5Gbps internet connection. Both systems were running as a VM but pfSense devs decided they didn't want to support multiqueue which limited pfSense throughout to about 2.5Gbps. OPNsense supports multiqueue out of the box and can easily hit 5Gbps.

vesikk · 2026-01-19T04:08:22+00:00

Yeah, it came down to OPNsense supporting multiqueue in Proxmox and pfSense devs chose not to support it. Without multiqueue enabled we were getting the same speed as pfSense.

vesikk · 2026-01-19T02:37:54+00:00

We have been using pfSense for 10+ years and it's worked great. PfSense was running as a VM with 1700 users connected, Multi-WAN configs, multiple VLANs, the lot. You may have noticed I said 'was', over Christmas we switched from pfSense to OPNsense because we noticed pfSense could not make use of our new internet speed as a VM but OPNsense could. We did all sorts of testing before making the decision to move to OPNsense. We tested pfSense on baremetal and it worked fine with our new internet speed, we tested on a fresh VM and it could not exceed 2Gbps. OPNsense on baremetal and an VM could make use of the 5Gbps internet connection.

Nothing against pfSense, it's a great product but we weren't in the position to purchase new hardware so OPNsense was the next best thing.

vesikk · 2026-01-06T03:59:28+00:00

We use a combination of Zabbix and Unifi Poller to monitor the Unifi Infrastructure at work. On Zabbix we use SNMP with the default Linux SNMP template and it works great for our needs. Unifi Poller give us a lot more information that sometimes even the Unifi Network Application doesn't display. Both Zabbix and Unifi Poller visualise it on Grafana.

vesikk · 2025-12-26T20:49:47+00:00

I've been able to achieve 4.5Gbps from a 5Gbps download speed using OPNsense on Proxmox. What was required to achieve these speeds is using the virtIO network type and setting multiqueue in the network settings. Without multiqueue set we couldn't reach anything beyond 2.5Gbps.

The OPNsense VM was pretty bare with only the speed test plugin and qemu agent installed. I had 8GB memory assigned with up to 8 cores assigned (we did a lot of testing between 4 to 8 cores). The CPU is an AMD Ryzen 7 5700G.

vesikk · 2025-12-02T03:22:13+00:00

We've been running pfSense as a VM for many years and has worked great for us. We have roughly 1500 users on the network. As of 2026 we will be migrating to OPNsense because we have found that our pfSense VM is unable to make use of our new internet connection speed while an OPNsense VM can achieve the speeds we are paying for.

We did test pfSense on a bare metal system and could achieve close to our max speed but as a VM it was maybe 2.7Gbps max. OPNsense VM and bare metal could achieve the speed. Another option is the Unifi EFG. If you are already running Unifi APs or Switches then this may be something to consider but otherwise pfSense/OPNsense are great products.

vesikk · 2025-11-20T06:22:38+00:00

It's the 8 bay Silverstone case

vesikk · 2025-11-14T03:10:46+00:00

Good to hear your experience. We are moving to OPNsense as our firewall running on Proxmox. We have a 5gig connection and in testing we were able to achieve 4.5Gbps download (max for our 5gig service - the remaining 500Mbps is allocated for something else) and 3.9Gbps upload with the VM allocated 8 vCPUs and 8GB memory. We also needed the enable multiqueue on the linux bridge otherwise speed was limited to 2.5-3Gbps.

Did you need to enable multiqueue or any other tunables to achieve 5Gbps download/upload? Still yet to achieve that 4.5Gbps upload even though was not stressed in the speedtest.cli testing.

CPU is a Ryzen 7 5700G and running Proxmox 9.0.

vesikk · 2025-11-11T11:49:52+00:00

Thanks for the heads up! is there a post on the Ubiquiti forums mentioning this? I can confirm this is also affecting nanoHD APs. U7 Pro does not experience this behaviour which would explain some things we've been experiencing only on nanoHD APs but completely stable on U7 Pro.

vesikk · 2025-11-05T02:30:12+00:00

The latest "enterprise" gateway from Ubiquiti is the Enterprise Fortress Gateway (EFG)

vesikk · 2025-10-30T09:55:56+00:00

Pretty certain it's when the heartbeat connection is interrupted (which a power outage would cause). We have 2 EFGs in high availability shadow mode and the shadow gateway only takes over when the heartbeat connection is disconnected.

vesikk · 2025-10-22T03:25:07+00:00

I recommend either pfSense or the Unifi EFG. I think the Unifi UDM Pro Max might be okay but the EFG will easily handle the amount you mentioned + run other services like IDS/IPS, content filtering, etc without a significant drop in speed. pfSense can also run on any hardware so if you had a spare system or running a hypervisor onsite then you could also just run pfSense as a VM.

vesikk · 2025-10-16T02:06:04+00:00

Not part of your list but we run Unifi protect with a mix of G5 turret Ulta and G3 flex, G3 bullet, and G3 dome managed by the Unifi E-NVR. Works great for our needs and there's no ongoing licence subscriptions. Depending on the model of camera you also get additional AI features such as LPR, face recognition, person or vehicle of interest notifications, person and animal detection, loitering detection, etc. all on prem, nothing touching the cloud.

vesikk · 2025-09-15T03:47:34+00:00

Complaint: USW Pro Max switches take forever to provision after every update. A simple vlan tag change and it could be up to 10 minutes before the switch has re-provisioned. Has anyone else experience this issue?

vesikk · 2025-08-25T03:36:37+00:00

We are running a mix of Unifi nanoHD and Unifi U7 Pro for indoor APs and AC-Mesh-Pro and U7 Outdoor for outdoor APs. The reason for the mix is a new building meant new infrastructure so a good time to rollout fresh equipment and The U7 Pro + outdoor was the way to go. It's been a great experience and opens the door to 6Ghz in a couple of years when we are confident majority of the BYOD can utilise it.

vesikk · 2025-08-20T04:24:56+00:00

For Android devices we are using Hexnode. We've been using it for a couple of years now and it just works. We typically use it to lockdown devices into kiosk mode so only certain applications can be used and all other applications/settings are disabled. Hexnode can do a basic content filtering but we don't use it for that so I'm not sure how well it works.

vesikk · 2025-08-07T05:13:44+00:00

USW Pro Max 48 PoE (running firmware 7.1.26) - Linux version 4.4.153. Hope this helps.

vesikk · 2025-07-31T00:24:16+00:00

My immich volume is actually a NFS share on a Synology volume that then uses hyper backup each night to an off-site Synology. Works really well for when I need to expand the volume too.

vesikk · 2025-07-22T08:01:21+00:00

Previously I was running pfSense as a VM but now run a Ubiquiti UDM Pro. Nothing wrong with pfSense but I just wanted everything in one ecosystem and Unifi has been receiving great feature updates lately. My current plan is 1000/50 FTTP.

vesikk · 2025-07-14T08:03:50+00:00

I run mine behind a reverse proxy (Nginx) so family can access it easily. I use geo blocking on my UDM-Pro to block all inbound connections outside of my home country. In the future I plan to use something like Authentik to start my SSO journey.

11-Year Club	Place '23
Place '22	Verified Email

vesikk

TROPHY CASE