{"id":6134,"date":"2022-03-30T07:52:09","date_gmt":"2022-03-30T07:52:09","guid":{"rendered":"https:\/\/really.zonky.org\/?p=6134"},"modified":"2022-04-30T16:35:15","modified_gmt":"2022-04-30T16:35:15","slug":"initial-thoughts-on-ubiquiti-dream-machine-pro","status":"publish","type":"post","link":"https:\/\/really.zonky.org\/?p=6134","title":{"rendered":"Initial Thoughts on Ubiquiti Dream Machine Pro"},"content":{"rendered":"\n

Just set up a UDM pro to replace a really old Cisco 881W and had some initial thoughts on it :-<\/p>\n\n\n\n

  1. The firewall configuration is more than a little clunky; the version I was using still seems to require the legacy interface to configure IPv6 firewall rules. Plus configuring a set of IPv4 rules and a seperate set of IPv6 rules added to the clunkiness – why not allow tcp any to ${addresses} eq ssh<\/em> rather than repeat the same rule with different address types? Anything to keep firewall rule sets simple is good (but I deal with another firewall that has over 200 rules).<\/li>
  2. Whilst we’re on the subject of the firewall, it would be nice if the firewall supported the “apps” identified in the traffic management; not really an easy thing to do, but a firewall relying on port numbers is a bit 1990s to those of us used to next-generation firewalls. <\/li>
  3. Device identification is just a little bit rough; to be fair I’m using a separate DHCP server. But to identify a Linux container as a Windows PC is more than a little off! I had to check that my virtual Windows 10 machine wasn’t actually running when I first saw this.<\/li>
  4. The topology diagram is all very well but very boring if you’re not using all Ubiquiti gear. Not everyone is going to replace all their switches just to get this to work straight away – I have three switches not counting the ethernet-over-power devices that also count as switches. It would be handy if the UDM would at least go to some effort to identify third-party network devices.<\/li>
  5. Oh, and ssh<\/em> access to the command-line is \u2026 confusing. The gooey implies that you set up a password and<\/em> a username, but it seems that whatever the username you use it really only works with the user root<\/em>. And the username you supply isn’t contained within \/etc\/passwd<\/em> on the device. <\/li><\/ol>\n\n\n\n

    Oh! And requiring access to the cloud to generate the first admin (“owner”) account could well be problematic. Apart from the obvious problem of allowing the Cloud admin-level access to a firewall – something the more paranoid may regard as a killer misfeature, what happens if something goes wrong during the creation of a cloud-based account? <\/p>\n\n\n\n

    And having SNMP mentioned within the gooey but requiring command-line “bodges” (from here<\/a>) to actually get it running is not acceptable. Strange that such a feature isn’t supported on a network device!<\/p>\n\n\n\n

    \"\"
    The Bench<\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"

    Just set up a UDM pro to replace a really old Cisco 881W and had some initial thoughts on it :- The firewall configuration is more than a little clunky; the version I was using still seems to require the legacy interface to configure IPv6 firewall rules. Plus configuring a set of IPv4 rules and […]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false,"_share_on_mastodon":"1"},"categories":[4,489],"tags":[2089,2090],"class_list":["post-6134","post","type-post","status-publish","format-standard","hentry","category-it","category-security","tag-ubiquiti","tag-udm-pro","category-4-id","category-489-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"share_on_mastodon":{"url":"https:\/\/mstdn.social\/@grumpygrimnir\/108221989865821637","error":""},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p1f2KI-1AW","_links":{"self":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/6134","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6134"}],"version-history":[{"count":5,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/6134\/revisions"}],"predecessor-version":[{"id":6146,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/6134\/revisions\/6146"}],"wp:attachment":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6134"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}