My church is about to ‘pull the trigger’ on replacing our very old router (is a wifi router) and switch with the following Ubiquiti equipment:
- Unifi Security Gateway (USG)
- US-24-250W PoE Switch
- Unifi Cloud Key
- Unifi AP AC PRO (3 of them)
I would estimate that we would see a maximum of 100 - 110 clients at a time. Here are my questions:
- Does the USG provide a DHCP Server? If so, how many clients can it handle?
- Is there a better choice for a router (than the USG) for our network?
Yes, the USG can be configured to serve DHCP requests (the 5.7 release of the controller also supports SLAAC and DHCPv6 for IPv6 assignment). The number of clients, in terms of DHCP assignments, is purely limited by what subnet size and address allocation you configure it to use.
In terms of whether the USG is performant enough, though, that depends more on how much traffic your clients will be sending and receiving through it, what your internet speed is, and whether you intend to configure Quality of Service settings or enable the Intrusion Detection or Intrusion Prevention System. Basically, if your internet connection is around 100mbps or higher and you wish to enable QoS or IDS/IPS, you should consider the USG-Pro-4 instead of the USG, assuming that you want to stick with a UniFi gateway so it will be monitored and managed from within the UniFi controller interface. If you don’t plan to use those features, the regular USG can do basic routing, firewall, and NAT at higher speeds (I’ve heard reports of it hitting 800mbps or so with only basic features enabled).
I have all my church clients (and businesses) on Unifi hardware right now:
I don’t recommend the cloud keys as a lot of guys have had issues with them and they aren’t nearly as convenient as getting a $5/month Digital Ocean VM and spinning up a controller there (or Vultr or Linode if that’s your thing). Anyhow, a USG will happily bang out close to full gigabit over the WAN as long as you don’t have a ton of VLANs because the US-24-250W is layer 2 only and all the inter-VLAN routing has to go through the USG (layer 3 Unifi switches are in development, and the new generation layer 2 switches will be released soon too).
Now, you absolutely need to plan for whether or not you intend to use the IDS/IPS when the 5.7 controller comes out of beta (likely soon). The USG won’t be able to cut it for IDS/IPS as it doesn’t have the processor for it. There is a new USG in beta, but it is not even into the public beta release/early access yet. There is the USG XG, which is in early access now and is soon to be released, that will handle gigabit over the WAN with IDS/IPS and DPI (I suspect it will drop for around $1,500 but it’s really designed for 10G SFP+ connections to your switches). Finally, there is the venerable USG Pro that is rated up to 350 megabit over the WAN with IDS/IPS and DPI.
All the USGs have a bunch of features that include DHCP, DPI, VLAN, Guest Networks, RADIUS (auth and/or server), etc. Hypothetically it can handle giving out addresses to multiple /8 networks… I mean… you wouldn’t want to do that in real life, but you’ll never actually hit the limit. In the lab I’ve pounded one with a few hundred spinning up VMs and it wasn’t fussed. The old AP Pros tend to handle at least 30~50 clients each depending on what the clients are up to. I haven’t managed to choke an AC yet as I don’t have any running in environments with a lot of allowed clients, but it may not be able to quite handle the full hundred clients on a single one, so bear that in mind when positioning them. Alternatively, the HDs can handle a lot of clients, or you can stick in multiple AC Mesh units in areas that are prone to high usage (you can directionally antennae those mesh units as well if need be).
My USG in my office will happily clock in at 950 megabits sustained download, and my UAP PRO AC will do 850 megabits up/down to AC devices. They are pretty impressive in that regard. Hopefully that helps with making the decision.
Our church has 1GB fiber internet service (bi-directional @ 1GB) so even though we won’t have many clients (church staff of around 10 clients max; guest lan clients of 100 max for the most part) maybe we should go with the USG-PRO-4 vs. the USG, correct? I’m not sure if we need to configure QOS with that light of a load…
Thanks for the responses - they are most helpful!
The only USG that can do IPS on a full 1gbps link is the USG-XG, which hasn’t been publicly released yet. For general purpose lighter usage, as it sounds like you’d see, the USG-Pro-4 would be fine. The USG-3 would probably be ok, but my gut feeling is that it’s going to be first on the chopping block of having support deprecated because it’s so underpowered for the additional features (e.g. QoS, IPS, etc.) that are being added (with more features promised soon in addition).
Great. Now, how about the fan noise from a US-24-250W switch mounted in the same rack as a USG-PRO-4? Our rack is not in a closet, but rather out in the open in an office with people…
The US-24-250W does have a noticeable hum or whir to it even when it isn’t driving much PoE-wise; it’s louder and higher pitched than a computer even at low PoE loads. Some are unfazed by it while others really don’t like it. Network cabinets with side and front panels help.