
Goodbye Ubiquiti, Hello Qotom & OPNsense

By Frank W on

I have been using Ubiquiti UniFi gear as my home networking equipment for a few years now, but have recently become pretty frustrated at the quality of the releases and pace of development by Ubiquiti – and I am not the only one, their forums and Reddit are filled with complaints.

[Photo: UniFi USG and USW-8-60W for sale]

The UniFi USG seems pretty much dead to Ubiquiti, and their new shiny thing is the UniFi Dream Machine (a few more years of shoddy software updates? No thanks). No new features have been released for the USG in years, bugs are not resolved, and certain features do not work at all. Hell, you can’t even get statistics over a specific date range, despite numerous requests for this basic feature! The quality of updates for all equipment leaves a lot to be desired, with many reports of people having to roll back updates. So enough with Ubiquiti.

A new era

To replace these two ancient relics, I needed something beefy that can make the most of a 1Gbps Beanfield fibre line (is 2Gbps coming, Beanfield…?) and can maximise throughput over a VPN connection, as I am planning to move my Transmission to use multiple load-balanced WireGuard connections…

Enter the Qotom Q555G6 fanless MiniPC, with a 7th gen Core i5-7200U (4 core) and six Intel 1Gbps NICs, which along with OPNsense will replace both the UniFi USG and the UniFi switch.

I would have got the i7-7500U, but it was out of stock at Qotom, so I went for the i5-7200U model with 8GB RAM and a 64GB SSD (more than enough for OPNsense). You can buy these devices on AliExpress for varying amounts, depending on RAM and SSD sizing. Even after paying shipping and duty, it was way cheaper than Amazon (no surprise there).

After a bit of work to set it up with a fresh install of OPNsense, the pic on the right is the result in the telecoms cabinet in my condo – which is messy because of all the ISP cabling from Rogers (hell no), Bell (hard pass), Fibrestream (minor issues) & Beanfield (back there now). The Qotom attaches nicely with the provided mounting plate, and only pulls about 15W of power.

The resulting network, with only one piece of UniFi gear left, is shown in the diagram below. One thing I have done since installing the Qotom MiniPC is to connect my Ubuntu server with both of its NICs using LACP link aggregation, effectively providing a 2Gbps, fault-tolerant connection between the Qotom and the server.
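As an added example (not from the original post), this is the kind of netplan configuration that sets up an LACP bond like the one described above on an Ubuntu server. The interface names (enp1s0, enp2s0), the address 192.168.1.10/24 and the gateway are placeholders; substitute your own. The other end of the link (here the OPNsense box, since it replaces the switch) must be configured as a LACP lagg with the same two ports as members, otherwise the bond will never negotiate and both links will sit idle.

```yaml
# /etc/netplan/01-bond0.yaml  (added example; interface names and addresses are placeholders)
network:
  version: 2
  renderer: networkd
  ethernets:
    # The two physical NICs carry no addresses of their own; they only feed the bond.
    enp1s0:
      dhcp4: no
    enp2s0:
      dhcp4: no
  bonds:
    bond0:
      interfaces: [enp1s0, enp2s0]
      parameters:
        mode: 802.3ad               # LACP; the peer (OPNsense lagg) must also run LACP
        lacp-rate: fast             # send LACPDUs every second so link failures are noticed quickly
        mii-monitor-interval: 100   # check link state every 100 ms for failover
        transmit-hash-policy: layer3+4  # spread flows by IP+port so different connections use different links
      addresses: [192.168.1.10/24]  # placeholder address on the aggregated link
      nameservers:
        addresses: [192.168.1.1]    # placeholder; e.g. the OPNsense/AdGuard resolver
      routes:
        - to: 0.0.0.0/0
          via: 192.168.1.1          # placeholder default gateway (the OPNsense box)
```

Apply it with `sudo netplan apply`, then confirm negotiation with `cat /proc/net/bonding/bond0`: both slaves should show `MII Status: up` and the same `Aggregator ID`, and the `802.3ad info` section should list partner LACP details rather than zeros. Note that even with `layer3+4` hashing, one TCP connection is always pinned to a single physical link, so a single download still tops out at 1Gbps; the benefit is that a second concurrent flow (such as the 4K stream mentioned below) can land on the other link.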

[Diagram: Current network diagram]

In theory this means I can max out my 1Gbps internet connection while simultaneously watching 4K media from my media server. What’s better, a single lane highway or a two-lane highway with double the speed limit? 😀

Comments

Sergio

Hi Frank, thanks! I have been searching for the right firewall, and thanks to this post I’ve decided to buy the same QOTOM device as you, perhaps with the i7 CPU.
I’ve been recently a victim of ransomware and I want to make sure this will not happen again.

I’ve never had/configured a firewall. I was also considering OPNsense, but pfSense seems to have a feature I’d like, that is, a Telegram notification for new DHCP clients, as well as other types of notifications. Additionally, the community of pfSense seems bigger. Are you using specific packages on OPNsense? I find it somewhat difficult to find documentation and, for instance, just an installation guide for OPNsense on QOTOM.

I also intend to have a web server at the firewall. Does it sound like a sensible approach? Or perhaps should I rely on something else? Otherwise perhaps with the i3 CPU I will be well served. Apart from that, I honestly don’t know how much time I will have/willingness to tinker around with Snort, Suricata, log analyzers, monitoring, etc., but if I start using them I don’t know if the i3 would suffice.

And last question: Did you buy the QOTOM without SSD and RAM? I found an old Samsung EVO 860 for mSATA but it seems a bit old; I just found it on eBay. There are some listings in which they sell it in new condition, but I don’t know if I can trust that. And I haven’t yet found which RAM would be appropriate to install. I guess DDR4 is available but I’m afraid about the max MHz; I also can’t find any official documentation about it.

Thank you! I believe this should be good material for Part 2 of this post! 🙂

Sergio

I also relied on my QNAP’s Qlink to have a handy URL that always points to my external IP. I don’t know if I would still be able to get that, because I guess I don’t want to mess with the ISP’s VLANs and everything else, so I guess I should set up a NAT in the firewall. But I believe this will break this URL-following thing.

Frank W

Hey Sergio!

I am happy you found my review useful in your hunt for a router. With respect to OPNsense vs. pfSense, I am considering trying out pfSense when I have time; we will see if I ever get around to it. The reason for this is that port forwarding for WireGuard does not currently work, although WG support is still experimental. My requests for help went unanswered on the OPNsense forum. Apart from that, it works quite well for my purposes. In addition, pfSense does not yet support WG, as it is not officially in the FreeBSD kernel so far.

Installing is pretty simple: you just boot off a bootable USB stick and select the install option, just like on any other machine – I don’t think you’ll find a specific guide for Qotom. The only BIOS setting I changed was to restart after power loss; it boots off USB out of the box. I did purchase the Qotom with a 64G SSD and 8G of RAM, as it was not worth the extra hassle to source them separately or open it up and install these items.

If you have never configured a firewall, you may need some help; some of the rules can be a little tricky. But when it is up and running, it works well and is completely silent. I have not yet played around with stuff like Snort/Suricata, but I believe this would require an i5 or i7. I purchased the i5 primarily for high-bandwidth VPN throughput (which I am currently not using lol).

Web servers…yeah, I believe there are some options (nginx/HAProxy, etc.); it depends what you want to do, I guess. I personally just port forwarded to a separate machine for this, leaving the entire Qotom just for OPNsense and the AdGuard DNS blackhole.

DDNS for your external IP is built in to OPNsense with a bunch of providers. I already have an existing solution, but it should be simple to set up. Hope this helps!

Gundu Thadiyan

Hi Frank

Did you upgrade your wireless APs too? I have the identical UniFi setup to yours and exactly the same complaints too. But I have 3 UniFi wireless APs around the house.

It works, but I definitely don’t get the performance expected when I am in the yard etc., although I am pretty close to the APs and there is just gypsum drywall and 2×2s.

G

Frank W

Hey Gundu,

No, I kept them for now. I am waiting for some good non-UniFi WiFi 6 AP options, and did not really see anything that compelling. Also WiFi 6E is around the corner, so I’m just holding for now.

Yeah, UniFi APs can be a real pain to tune and operate, especially in multiple-AP scenarios. I find their software updates just so unreliable. The latest stable nanoHD firmware has issues where iPhones can’t stay connected…let’s roll back. It’s honestly a joke at this point.

At another site I had 6 APs, and had similar issues to you with poor coverage outside – did you try a Long-Range AP? The best thing would be to install an exterior AP…but how far do you go, haha.

Leonard Erickson

What provides the SDN to the UniFi AP in the diagram? Did you ditch the USG?

Frank W

OPNsense installed on the Qotom provides the SDN, and yes, I ditched the USG.
