this post was submitted on 19 Jul 2025
21 points (100.0% liked)


We are looking at upgrading our network equipment from old HP switches and Aruba access points, we have a Fortinet firewall that we are happy with, so we'll probably keep using them there, but for the rest we are looking for new stuff.

And we are looking closely at Ubiquiti for switches and APs, but two things have appeared on our radar.

Ubiquiti does have a cloud admin UI, this means that Ubiquiti needs to have access to our network controller to access this feature.

But what if we don't use that, will Ubiquiti still be able to access the network controller?

I guess that what I am asking is how does the access control work?

Also, updates: I see that they seem to be very frequent and also see some scattered reports that they have required admins to reset their configs and losing camera footage. Can you set updates to be delayed for X days?

top 22 comments
[–] RelativeArea1@sh.itjust.works 7 points 6 days ago* (last edited 6 days ago) (1 children)

most of their stuff are local, unless you have activated remote access on your unifi controller which will require an online account on unifi (ui.com)

I only have their APs and my unifi controller is hosted on a local machine, and so far I haven't found any suspicious queries from them. I haven't done any packet trace or port checks because they seem ok for me.

where the unifi controller hosted on a deb machine

one of the ap

As for access control, if your unifi controller is hosted on a local machine then it will just use specific ports that Ubiquiti utilizes that I'm not familiar with (or too lazy to do a port scan). You may also host your controller online via HostiFi or other providers or a DIY cloud server (if you're onto that).

For updates, the unifi controller will notify you if there are updates but it's still up to the controller admin if they decide to do so.

As for janked device configs, I mostly experienced it on controller versions 6.x.x and 7.x.x but not on the most recent one (9.x.x), and yes it requires a unifi controller admin acct. You may also do scheduled backups of your configs so you can revert back just in case. And if you have no choice then you could locate device > poke reset > re-provision on controller.

[–] stoy@lemmy.zip 2 points 6 days ago (1 children)

Thank you very much for a very thorough rundown of the system. We are based in the EU and are trying to make sure that we have as few mandatory ties to US manufacturers as possible while running a modern IT system.

We have thought about MikroTik and Extreme but our CTO wants us to investigate Ubiquiti as it has a nice web UI for all devices on the network which would be a big advantage for our small network.

I will push for a small POC network or demo so we can get a better understanding of it.

[–] RelativeArea1@sh.itjust.works 3 points 6 days ago* (last edited 5 days ago) (1 children)

That's understandable and fair, some US/publicly traded companies are kinda nutsy nowadays.

At first I was also drawn to MikroTik but setting them up is a bit...yea, I'm not thrashing them, it just made me realize "do I really want to spend a lot of time setting this up?"

but don't get me wrong, they're amazing. I've seen my cousin doing his ISP business with 1000+ clients using their CCR line up and the cost to perf ratio is crazy.

[–] stoy@lemmy.zip 1 points 6 days ago

Yeah, I have a small MikroTik home router that I opened once, checked out Winbox for 15 min, realized I was WAY out of my depth and got an Asus router instead. This was about 8 years ago though, so things may have changed.

At this moment we are not really big enough to justify a dedicated network tech, which is why Ubiquiti have caught our eye.

[–] redlemace@lemmy.world 8 points 6 days ago

I am using their WiFi at home. The APs have no internet access and I am self-hosting the controller, which also has no internet access. You can download the controller as a deb package on your PC, transfer it to the server and install or upgrade. I shut down the controller when I briefly open the FW for upgrading Debian. I don't think they have info or control over my network.

Personally, I like unifi. I haven't noticed any strange traffic from the APs or the controller (local). One note, though: always go with backwards compatibility (for example, if some of your APs can handle wifi6, but even just one can't, turn wifi6 off for all SSIDs that are on both models).
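Both replies above (the local-controller setup and the self-hosted, offline one) rest on having seen no unexpected traffic from the APs or controller. As an added check, not code from the thread or from Ubiquiti, here is a small audit that scans firewall egress log lines for any flow from a watched device to an address outside the LAN; the log format, IPs and device names are constructed assumptions.

```python
"""Flag flows from UniFi APs or a self-hosted controller to destinations outside
the LAN. Everything here is constructed for illustration: the log format, the
device inventory and the addresses are assumptions, not taken from the thread."""
import ipaddress
import re
from collections import defaultdict

# Assumed inventory: device name -> management IP (constructed values).
DEVICES = {
    "controller": "10.0.10.5",
    "ap-office": "10.0.20.11",
    "ap-warehouse": "10.0.20.12",
}
LAN = ipaddress.ip_network("10.0.0.0/16")  # assumed internal range

# Constructed log format: "<ts> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")

SAMPLE_LOG = """\
2025-07-19T10:00:01 src=10.0.20.11 dst=10.0.10.5 dport=8080 proto=tcp
2025-07-19T10:00:02 src=10.0.20.12 dst=10.0.10.5 dport=8080 proto=tcp
2025-07-19T10:00:03 src=10.0.20.11 dst=10.0.10.5 dport=3478 proto=udp
2025-07-19T10:00:04 src=10.0.10.5 dst=10.0.0.53 dport=53 proto=udp
2025-07-19T10:00:05 src=10.0.10.5 dst=203.0.113.40 dport=443 proto=tcp
2025-07-19T10:00:06 src=10.0.20.12 dst=198.51.100.7 dport=443 proto=tcp
2025-07-19T10:00:07 src=192.168.1.9 dst=1.1.1.1 dport=443 proto=tcp
"""


def find_external_flows(log_text, devices=DEVICES, lan=LAN):
    """Return {device: [(dst, dport, proto), ...]} for every flow from a watched
    device to a destination outside `lan`. An offline controller and APs that
    only talk to it should yield an empty dict; anything listed needs explaining."""
    ip_to_name = {ip: name for name, ip in devices.items()}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, dst, dport, proto = m.groups()
        if src not in ip_to_name:
            continue  # not one of the devices we are watching
        if ipaddress.ip_address(dst) in lan:
            continue  # AP -> controller, local DNS etc. stay internal
        hits[ip_to_name[src]].append((dst, int(dport), proto))
    return dict(hits)


if __name__ == "__main__":
    for name, flows in find_external_flows(SAMPLE_LOG).items():
        for dst, port, proto in flows:
            print(f"{name}: external flow to {dst}:{port}/{proto}")
```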

[–] zorflieg@lemmy.world 3 points 6 days ago

Buy the 5yr warranty extension. Yes, you can delay updates/make them manual. If I were you and weren't ready to give up the Fortinet I'd double NAT it for a while; I think you'll find the benefit of using the complete ecosystem will convince you to give up the Fortinet even if there are a few features that Fortinet does better.

You can buy a firewall model that has the required controller built in, requiring a cloud connection, or second to that I'd set up a VM using the http://glennr.nl/ scripts as the controller. The scripts are reliable and capable.

I used to run 3rd party firewalls, like SonicWall, with Unifi WiFi for a few years, but recent improvements to their approach have made me switch to the whole ecosystem now and I prefer it.

[–] LifeCoffeeGaming@lemmy.world 4 points 6 days ago* (last edited 6 days ago)

Just a note: we use Ubiquiti at our office with an on-prem network controller so none of the devices talk to the cloud. However, some of the nice-to-have features on the controller require a Unifi gateway (router) to use, such as some of the web filtering. Double check which features require what before you commit.

Honestly tho they're such a step up from most enterprise bullshit I can't complain.

[–] Link@rentadrunk.org 4 points 6 days ago* (last edited 6 days ago)

I’m using Ubiquiti at home (a switch and an access point) and self host the controller too.

You can disable automatic updates in the controller and then upgrade the firmware when you please.

Regarding whether Ubiquiti has access to your hardware: a cloud account is optional, so you can just use a local login to your controller instead.

[–] bacon_pdp@lemmy.world -3 points 6 days ago (1 children)

If you don’t flash custom firmware images on them that you built yourself from source code, then you have a massive backdoor that you can’t turn off. (Same goes for all other networking vendors, especially Cisco.)

[–] ramble81@lemmy.zip 8 points 6 days ago (1 children)

Just note, this is the extreme interpretation of software in general (“if you don’t compile the compiler by hand it could insert a back door!”)

For the purpose of your question, as others have stated you can run things isolated on your network with local accounts and not use their remote services (incidentally that’s how I run it)

[–] bacon_pdp@lemmy.world -5 points 6 days ago (2 children)

No, proprietary software by default is malware. Either currently active malware or likely to turn into malware whenever they get the urge to increase their stock price by bricking your shit, extracting data from you or any other thing that they might choose to do to bump those numbers up.

[–] stoy@lemmy.zip 3 points 6 days ago (1 children)

That is a very idealistic way of looking at the issue, and I am very impressed if you have the skill and time to maintain your computer systems completely free from proprietary software.

However, we have neither the skill nor the resources to follow that path, so while I agree with you in principle, reality does make those principles impossible for us to work under.

[–] bacon_pdp@lemmy.world -2 points 5 days ago (1 children)

My husband buys hardware which has excellent Linux support and by investing in quality products, he maintains a source code only home environment that I quite enjoy.

[–] stoy@lemmy.zip 1 points 5 days ago (1 children)

I am sorry but this is an argument on par with a 5 year old saying "my dad can beat up your dad!"

I am glad that you have an environment that works for you, but unless you yourself maintain it to the standard you set earlier, I find it difficult to take you seriously.

[–] bacon_pdp@lemmy.world -1 points 5 days ago (1 children)

More like, I don’t discount the contributions of others who helped me. Having to expect everyone to be everything and do everything is such macho bullshit. When everyone works together and puts in the little help that they can, things you consider hard/impossible can be achieved in a rather short time frame.

[–] stoy@lemmy.zip 1 points 5 days ago (1 children)

Having to expect everyone to be everything and do everything is such macho bullshit.

Didn't you say that everyone should only run software that they have access to the source?

This is literally what you sat on your high horse and yelled out that people should do, yet you decide that you don't.

Not really consistent.

[–] bacon_pdp@lemmy.world -1 points 5 days ago (1 children)

I in no way implied that I did not have access to the source code.

The source code is readily available with reproducible builds such that anyone can verify that the source code corresponds to the binary running with just a couple of key presses.

All of it has a bootstrap chain from stage0. So no binaries or generated files anywhere in the build chain.

The horse is not high when anyone who wants to get on can and the FSF community is willing to help lift people up rather than try to tear them down.

[–] stoy@lemmy.zip 1 points 4 days ago (1 children)

Wow, this conversation has really shifted from a sysadmin question to an ideological discussion.

As an IT professional, I have to say that I believe that you have a highly unrealistic view of the world, not everything can be about supporting open source, most of the time you gotta be rational and select the best tool for the job and move on.

[–] bacon_pdp@lemmy.world -1 points 3 days ago

You are right; it is wildly unrealistic to follow industry best practices. Companies like Google, Amazon and Microsoft who demand to have source code for everything that is core to their infrastructure are unrealistic ideological organizations uninterested in profit. /s

The best tools are the ones that you can depend upon not to screw you over.

[–] ramble81@lemmy.zip 1 points 6 days ago (1 children)

I am curious how far you take that. Do you compile your own compiler? Do you have an open BIOS that you can truly audit? Do you know about every piece of firmware on your system and have you been able to audit that code too? Hell, let’s take it to its logical conclusion: how do you know nothing is actually embedded in the silicon? All of that could be malware and do every single thing you mentioned. At some point you either have to trust something (but who do you trust) or build it all yourself from scratch.

[–] bacon_pdp@lemmy.world -1 points 5 days ago

Well, my husband bought me a T500 which has Libreboot installed along with Debian. He deals with that sort of stuff.