Remote manageable firewall and APs with Omada/Unifi/Nebula

Hello everyone,

we have to replace some Watchguard boxes at one of our clients, which are EOL now. The IT guy who managed this customer until now drove to all 8 branch addresses whenever there was an update to do; mostly, the updates weren't done, or only once a year. Some branch addresses use bintec elmeg, some Watchguard, some Lancom, or a mix of all of them. Basically: it's horrifying.

Because most of the products are EOL, we need to replace everything. Router, DSL modem, APs.

The basic needs are:
- Main office (1x): Firewall, 2 APs, VPN server to access the storage system from branch addresses
- Branch addresses (7x): Firewall with VPN client, Guest VLAN for minors (<18) with content filter (youth protection) and time limits (I thought about hotspot voucher codes, which is also the solution preferred by the care staff), and between 1 and 5 APs

I now compared three solutions:

*Ubiquiti Unifi*
+ nice look and feel
+ seems to just work out of the box
+ router (UDM) works as controller on premise
+ no annual license fees
+ IPS/IDS, content filtering
- high price for UDM-Pro or UDM-SE
- stock problems
- remote management only via the Unifi vendor cloud, because UDMs and CKs cannot be adopted by a self-hosted software controller

*TP-Link Omada*
+ low prices
+ currently in stock
+ supports hotspot vouchers out of the box
+ software controller can be hosted on VPS (own management, no vendor cloud needed)
+ no annual license fees
- remote management for hardware controllers only over the TP-Link cloud, maybe somewhere in Asia
- no IPv6 firewall
- no filtering, only via DNS (youth protection)

*Zyxel Nebula*
+ nice featureset
+ Zyxel is well-known
- hotspot (voucher) pack and web filter need extra license
- afaik no self hosted controller (vendor cloud only)
- annual license fees

From a financial point of view, TP-Link Omada is the clear winner, with a self-hosted controller on a VPS. An OC200 at every branch office would be great, but that is not possible in combination with a self-hosted controller. If possible, avoiding the vendor cloud would be great.

Which of these three - or any other - remote manageable SDN solution do you prefer that offers a gateway/VPN firewall, switches and APs?
Thanks in advance!

Why not refresh the Watchguard? Will beat all of those other 3 options on the firewall front and their Wi-Fi 6 aps are pretty decent.

I'll chime in because we use Fortinet and Unifi depending on how much a client wants to spend.

Unifi is ok, their support sucks, even if you pay extra. But it’s really easy to setup, support and cost effective for clients. I’ve never had an issue with attacks and hopefully never will. Their switching and APs are great in that I’ve had very little issues, it gives you just enough customization for 98% of what you’ll need for a client.

Fortinet is better, their firewall protection is better, management is better and their support is better, but you pay for it. If you don't keep up on licensing, you might as well just go for a cheaper option.

I’ll also add a line about Meraki, because it is kind of a mix between the two. High price like Fortinet, probably more expensive, but super easy to use and support plus all the filtering capabilities that only Cisco can provide.

Of the 3 you mentioned I despise Zyxel and Netgear. Unifi imo is the best of the 3 you mentioned, even if they make me want to quit the industry; they are so close to having a good product and their support holds them back.

TP-Link Omada if there is even a remote chance of failure without having replacements in stock. You really don't want to be in a situation where a router fails and you have to wait for Ubiquiti to come back in stock. That project would quickly turn into migrating everything to TP-Link with some added heat from the customer.

If your client can afford to buy two of everything for each location then Ubiquiti.

Watchguard firewalls managed via Watchguard System Manager (self-hosted) or Watchguard Cloud, and then Aruba Instant On APs. Not too sure on the WiFi captive portal for the minors; there is one on the APs but it's pretty basic.

We’ve moved almost exclusively to Omada. Really like it. A lot. Prices are great. Can get whatever we need near immediately. Does everything we want.

Mikrotik routers with UniFi AP & Switches works nicely. UniFi has performance problems with their routers.

Mikrocloud has a SD-WAN service in development and it works great in production.

Unifi is garbage. We have a couple clients with them only because they were onboarded with that equipment. Shit support, lack of troubleshooting tools.

For small clients we go with Meraki, large clients it’s going to depend on what device/etc

Fortinet would be my first choice, but cost may change that for some. SD-WAN is a bit convoluted.

Watchguard would be your best bet, as it is what is there, but YMMV, not worked with them recently.

I would avoid TP-Link anything, straight up avoid it.

Sophos is a pretty good product, as good as many, better than some, cheaper than most. Good VPN solution. SDWan option is as good or better than others.

UBNT is ok for wireless and switching, but not a good router/firewall option.

I run Omada managed switches and access points, and OPNsense firewalls. I do firewall management by VPNing into the network. It'd be great if TP-Link had a good firewall too. I've used Unifi before, but they've been having supply issues for years. I'm not putting a piece of gear at a customer's place that could take a month or more to replace if it fails.

Not sure there is really a right or wrong way to go here. I do like that Ubiquiti is an American company vs Chinese. They also provide a much larger variety of network hardware.

Also to be clear, Unifi content filtering is technically DNS based. They used CleanBrowsing as their provider last time I checked.

Finally, unless I’m mistaken you can self host and manage UDMs or use third party provider like HostiFi.

TP-Link Omada is a disaster. TP-Link will never be a good product.

Fortigate for router/UTM/vpn. Unifi for switching and AP. Done.

Check out pax8 for the watchguard firewalls you can go HaaS with them.

We currently do only Meraki.

I’ve had an itch to try out all Peplink.

Whatever direction you go, make a decision and stick with it. Be consistent across all clients and all networks.

I know it's expensive, but Merakis are great for this. We exclusively use Merakis, and the MX64s are pretty cheap with decent throughput for small branches. Plus they automatically update if needed. Plus they have L7 filtering and will allow you to content filter.

You should check out Cato as a unified firewall for all the locations. Unified policy management, less site visits and less appliances to manage. Then I’d use HP Aruba instant on for branch wireless (or their full APs if you need more management). Modems should be handled by ISP if they aren’t getting advertised speeds but perhaps upgrade to cable/fiber over DSL.

Watchguard, Meraki, or Fortinet are better options. TP-Link or Zyxel are great for use at home. Well, not even there.

Unifi. Then Omada. Omada is getting closer to Unifi in terms of overall capability and ease of use. So it wouldn’t bother me to go Omada.

Just get new Watchguards and integrate them with the Watchguard panel. Plus whitelist your office's static IP for the Watchguard web interface so you have direct access.

Absolutely 0 need to drive to the on site location to do any updates. I managed Watchguard from overseas.