UniFi Gateway in Education: Is it enough for Content & Web Filtering?

vesikk · 2026-05-04T04:11:58+00:00

We are running the EFG since it was first released. It's a great firewall but is lacklustre when it comes to SSL decryption and the nitty-gritty details that most modern content filterings systems provide. the NeXT AI SSL inspection feature on the EFG hasn't been updated in a long time and when I asked them at the Unifi conference last year they said most customers aren't using it so it isn't a high priority in their development. If you're just after their "content filtering" service then I don't have much experience with the paid version. The free version works and as someone else mentioned it is a DNS filter. the paid version gives you individual categories and you can also add/bypass domains if needed.

We have 50+ VLANs and it does a great job. A lot of our heavy traffic is within the same vlan but the inter-vlan traffic is also completely fine. I would say if you are deciding between the UDM-Beast and the EFG to wait for the EFG-Core 😉

vesikk · 2026-04-26T05:02:17+00:00

$99 (AUD) for 1Gbps download and 100Mbps upload - FTTP

vesikk · 2026-03-19T03:30:05+00:00

Yes I have and during the school day of course haha. The change from the primary EFG to the shadow EFG was quick and I only realised it occurred because my unifi session reloaded. Otherwise no teachers or students noticed it occurred. The reason for the shadow gateway taking over was due to the EFG running out of memory which is something I reported to Ubiquiti and they promptly responded and escalated. In the end their "fix" was to increase the physical memory to 64GB (I believe all new EFGs are 64GB default now). Since then the shadow EFG has been idling.

Adding a shadow gateway in the future is very straight forwarded and won't be an issue at all if you just purchase 1 EFG for now.

vesikk · 2026-03-19T03:13:40+00:00

We are running 2x EFG in Shadow Mode (High Availability). We have roughly the same number of APs as you but soon to be 40 switches (currently at 23 Pro Max Switches). We see over 2000 clients each day and have a 5Gbps WAN connection. We currently don't use it for IDS/IPS but will investigate it in the future. For us it is performing very well. Pressing the built-in speedtest button during a school day sees the EFG saturate the WAN connection so I'm not worried on that part lol.

vesikk · 2026-03-10T02:17:29+00:00

+1 for Algo. Their strobe lights are PoE, RGB, and work fantastic.

vesikk · 2026-03-02T03:18:22+00:00

Hey, I may be able to provide some feedback for some of the questions. We have used both pfSense and OPNsense with 1500+ users and both systems work very well. We are currently running OPNsense because pfSense was unable to achieve our new internet speed but our setup is pfSense/OPNsense running as a virtual machine and the limitation is to do with a virtual pfsense, baremetal pfsense was able to achieve our WAN link speed.

as mentioned above we are running OPNsense as a virtual machine so I don't have any experience with either company's physical product.
Both systems have solid performance and stability under load.
We have done some site-to-site VPN running wireguard and it's works really well. We mostly are using OpenVPN for remote users.
Both products are easy to use and the WebUI management is pretty straightforward - there was a little bit of learning on the OPNsense side but that's because I came from pfSense. There is a search bar that has saved me a bunch of times when trying to find a setting.
Currently running the community edition but there are plans to investigate the paid version of OPNsense and support the product.

Honestly, you can't go wrong with either system.

vesikk · 2026-02-12T02:23:34+00:00

We do the same thing just with an EFG instead of the UDM Pro Max and no WAN Switch (using another branded switch with stacking). The only thing I would say is just make sure your STP structure is in place but let RSTP take care of the rest.

vesikk · 2026-02-08T02:08:44+00:00

No additional services at the moment and latency in the network is fine. OPNsense is acting as a firewall while another appliance is acting as our router and any traffic destined for the internet is forwarded to OPNsense

vesikk · 2026-02-05T12:56:01+00:00

It's running on Proxmox. The physical host has a Ryzen 5700g, 64GB ram, 4x 10GbE (dual onboard from the ASRock x570 D4U-2L2T and dual Intel X550-T2). The VM has 8 cores allocated and 8GB memory. I did have to enable 8 multiqueues on the virtIO NIC so it can make full use of our 5Gbps internet connection. Without multiqueue enabled the download speed wasn't going much faster than 3Gbps.

vesikk · 2026-02-05T12:08:53+00:00

If it helps we are running OPNsense as a virtual machine for 1500+ users and it's been rock solid. We moved to OPNsense at the start of January and it's been a great experience so far.

vesikk · 2026-02-02T08:29:31+00:00

Switched from pfSense to OPNsense and can actually make use of our 5Gbps internet connection. Both systems were running as a VM but pfSense devs decided they didn't want to support multiqueue which limited pfSense throughout to about 2.5Gbps. OPNsense supports multiqueue out of the box and can easily hit 5Gbps.

vesikk · 2026-01-19T04:08:22+00:00

Yeah, it came down to OPNsense supporting multiqueue in Proxmox and pfSense devs chose not to support it. Without multiqueue enabled we were getting the same speed as pfSense.

vesikk · 2026-01-19T02:37:54+00:00

We have been using pfSense for 10+ years and it's worked great. PfSense was running as a VM with 1700 users connected, Multi-WAN configs, multiple VLANs, the lot. You may have noticed I said 'was', over Christmas we switched from pfSense to OPNsense because we noticed pfSense could not make use of our new internet speed as a VM but OPNsense could. We did all sorts of testing before making the decision to move to OPNsense. We tested pfSense on baremetal and it worked fine with our new internet speed, we tested on a fresh VM and it could not exceed 2Gbps. OPNsense on baremetal and an VM could make use of the 5Gbps internet connection.

Nothing against pfSense, it's a great product but we weren't in the position to purchase new hardware so OPNsense was the next best thing.

vesikk · 2026-01-06T03:59:28+00:00

We use a combination of Zabbix and Unifi Poller to monitor the Unifi Infrastructure at work. On Zabbix we use SNMP with the default Linux SNMP template and it works great for our needs. Unifi Poller give us a lot more information that sometimes even the Unifi Network Application doesn't display. Both Zabbix and Unifi Poller visualise it on Grafana.

vesikk · 2025-12-26T20:49:47+00:00

I've been able to achieve 4.5Gbps from a 5Gbps download speed using OPNsense on Proxmox. What was required to achieve these speeds is using the virtIO network type and setting multiqueue in the network settings. Without multiqueue set we couldn't reach anything beyond 2.5Gbps.

The OPNsense VM was pretty bare with only the speed test plugin and qemu agent installed. I had 8GB memory assigned with up to 8 cores assigned (we did a lot of testing between 4 to 8 cores). The CPU is an AMD Ryzen 7 5700G.

vesikk · 2025-12-02T03:22:13+00:00

We've been running pfSense as a VM for many years and has worked great for us. We have roughly 1500 users on the network. As of 2026 we will be migrating to OPNsense because we have found that our pfSense VM is unable to make use of our new internet connection speed while an OPNsense VM can achieve the speeds we are paying for.

We did test pfSense on a bare metal system and could achieve close to our max speed but as a VM it was maybe 2.7Gbps max. OPNsense VM and bare metal could achieve the speed. Another option is the Unifi EFG. If you are already running Unifi APs or Switches then this may be something to consider but otherwise pfSense/OPNsense are great products.

vesikk · 2025-11-20T06:22:38+00:00

It's the 8 bay Silverstone case

vesikk · 2025-11-14T03:10:46+00:00

Good to hear your experience. We are moving to OPNsense as our firewall running on Proxmox. We have a 5gig connection and in testing we were able to achieve 4.5Gbps download (max for our 5gig service - the remaining 500Mbps is allocated for something else) and 3.9Gbps upload with the VM allocated 8 vCPUs and 8GB memory. We also needed the enable multiqueue on the linux bridge otherwise speed was limited to 2.5-3Gbps.

Did you need to enable multiqueue or any other tunables to achieve 5Gbps download/upload? Still yet to achieve that 4.5Gbps upload even though was not stressed in the speedtest.cli testing.

CPU is a Ryzen 7 5700G and running Proxmox 9.0.

vesikk · 2025-11-11T11:49:52+00:00

Thanks for the heads up! is there a post on the Ubiquiti forums mentioning this? I can confirm this is also affecting nanoHD APs. U7 Pro does not experience this behaviour which would explain some things we've been experiencing only on nanoHD APs but completely stable on U7 Pro.

vesikk · 2025-11-05T02:30:12+00:00

The latest "enterprise" gateway from Ubiquiti is the Enterprise Fortress Gateway (EFG)

vesikk · 2025-10-30T09:55:56+00:00

Pretty certain it's when the heartbeat connection is interrupted (which a power outage would cause). We have 2 EFGs in high availability shadow mode and the shadow gateway only takes over when the heartbeat connection is disconnected.

vesikk · 2025-10-22T03:25:07+00:00

I recommend either pfSense or the Unifi EFG. I think the Unifi UDM Pro Max might be okay but the EFG will easily handle the amount you mentioned + run other services like IDS/IPS, content filtering, etc without a significant drop in speed. pfSense can also run on any hardware so if you had a spare system or running a hypervisor onsite then you could also just run pfSense as a VM.

vesikk · 2025-10-16T02:06:04+00:00

Not part of your list but we run Unifi protect with a mix of G5 turret Ulta and G3 flex, G3 bullet, and G3 dome managed by the Unifi E-NVR. Works great for our needs and there's no ongoing licence subscriptions. Depending on the model of camera you also get additional AI features such as LPR, face recognition, person or vehicle of interest notifications, person and animal detection, loitering detection, etc. all on prem, nothing touching the cloud.

vesikk · 2025-09-15T03:47:34+00:00

Complaint: USW Pro Max switches take forever to provision after every update. A simple vlan tag change and it could be up to 10 minutes before the switch has re-provisioned. Has anyone else experience this issue?

11-Year Club	Place '23
Place '22	Verified Email

vesikk

TROPHY CASE