
Posted by ksec 6 hours ago

Ubiquiti: Enterprise NAS, Built on ZFS (blog.ui.com)
161 points | 154 comments | page 3
annoyingnoob 6 hours ago|
Looks interesting, but likely lacks FIPS support which makes it an issue for companies that work with the government.
orthogonal_cube 5 hours ago||
Are Ubiquiti products commonplace for companies that contract with the US government outside of the DoD/DoW?

Since DoD/DoW generally requires STIG compliance, and none authored are for any specific Ubiquiti product, we can cross that off the list. Sure they can get exceptions or use a more generalized STIG but stakeholders generally have pre-defined limitations on what they will and will not allow on networks they sponsor.

annoyingnoob 2 hours ago||
The Defense Industrial Base is 10s of thousands of companies. Many are small businesses. Many need to obtain CMMC Level 2, which has requirements for FIPS certified encryption. Our systems do not directly connect to Government systems and those STIGs may not apply directly. So, could I use Ubiquiti in some places? Maybe, not to store controlled information in this case. I could probably store previously FIPS encrypted files there. Would I want to use Ubiquiti cloud services? No.
throw0101c 6 hours ago|||
Maybe worth noting that TrueNAS added FIPS in 2024:

* https://www.truenas.com/blog/truenas-security-in-2024/

stableappendix 5 hours ago||
FIPS mode is the greatest
greggsy 6 hours ago||
Not really a deal breaker for most customers
evanjrowley 6 hours ago||
I've never been a fan of Ubiquiti's proprietary solutions, but this might actually be one product that I can be enthusiastic about.
MiracleRabbit 6 hours ago||
They are getting better.

After a long time they introduced ONVIF into their camera products which basically opened it to everyone.

cassianoleal 6 hours ago||
I've recently been convinced to implement a Unifi stack for my home network. I got a Cloud Gateway, a 10G switch and a couple WiFi APs.

The Cloud Gateway will be sold or given away. It's utter crap. I'm now building an OpenWRT container on IncusOS as my Internet gateway/router.

The switch is meh. It's easy to admin, which is nice - though I'm having to run UnifiOS on another container on said IncusOS.

The APs are fine. Decent power and the central administration with the switch is actually quite nice.

If I knew everything I know now, I wouldn't have bought any of those but they will do for now.

mohaine 5 hours ago|||
I love my Dream Machine Pro. Seems to just work and keep everything up to date. I have it running my security cameras as well and it has been pretty much bullet proof.

What needs do you have for a router that the Cloud Gateway is missing or is bad at? A PiHole equivalent is about all I can think I'm missing.

cassianoleal 5 hours ago|||
IPv6 support is basic at best. The zone-based firewall is very prescriptive and limited. ACL stuff is not great. To increase the MTU of the physical interface connected to the ISP I would need to hack a systemd unit that did it on boot (I either need it at 1508 so the PPPoE interface uses 1500, or I need to MSS clamp it and have it effectively reduced to 1492). Initial configuration requires the device to be connected to the Internet.

There were a few other niggles, and in the end I just found it easier to do what I need on OpenWRT.

m-s-y 5 hours ago||
Just genuinely curious about your MTU use case and why this is required...?
cassianoleal 2 hours ago||
PPPoE introduces an 8 byte overhead per packet. The "MTU of the Internet" is 1500, so that's what more or less everything defaults to.

This includes physical NICs on Linux, but the PPPoE interface has to tunnel through one of such physical NICs.

If the physical NIC has an MTU of 1500 (and can't be changed), the PPPoE NIC must do MSS clamping, effectively reducing the MTU from my network to the Internet to 1492. This increases fragmentation and overhead.

If I can increase the physical NIC's MTU to 1508 (and the ISP supports it, which mine does), then the PPPoE tunnel can use the full 1500 when talking to the Internet.

So, it's technically not _required_ but it's an improvement I should be able to implement easily (in OpenWRT I literally type 1508 on the MTU box for the NIC, or issue a single uci command).

9x39 3 hours ago||||
+1 for Dream Machine Pro. Own one at home and have stretched them pretty far in SMB environments.

I use it with 8 APs in a mesh and a few switches, all UI, and it just works. I also have a lot of success helping out some local SMBs by setting up UI for them.

SparkyMcUnicorn 5 hours ago|||
I really like the DM Pro and have it deployed to an office of about 50 people. It's a pretty no-fuss solution and fairly simple to manage.

For my personal setup, I decided to go with OPNSense and I couldn't be happier. Much more control, at the cost of being a little more hands on.

I think the best (rough) comparison here is MacOS vs Linux (or more accurately in this case, FreeBSD).

FireBeyond 2 hours ago||
I'm slowly in the process of migrating from an EdgeRouter and Edgeswitches (including the 16XG for my SAN backplane) to Unifi. Am comfortable at the command line (and actually just had Claude help me build a bunch of configs and an IaC harness for my whole infrastructure) but the SPOG will be nice - that and Ubiquiti has basically abandoned the Edge* line. This was prompted by not wanting to by having persistent problems with the Cat 6 STP termination and the length of the run between my office and the rack in my garage, and my Mac Studio and Edgeswitch would generally only negotiate at 5gbps and even then be error prone, so I got a Unifi switch with 8 ports and 2 SFP+ and ran fiber to the garage for the uplink, and just a short 10' run between the switch and my studio gave me rock solid 10gig (I just run the controller, for now, on a small VM, with my 2 WAPs, but will go all in when I pull the trigger, though, oof, $2,500 for everything I need).
mpeg 5 hours ago||||
I went with eero and really wish I'd gone with unifi

Apart from the shitty software and basic features either missing or locked behind a monthly cost, the network itself is not bad at all, I get 600-700mbps on wifi throughout the house and have my servers wired on 2.5gbe

But the one thing I really thought I was buying into by choosing an amazon brand was ease when it came to buying upgrades, and yet I ended up having to buy extra hardware (like the wired gateway) from ebay and sellers in the US as amazon does not sell their own hardware everywhere

AbsurdCensor 5 hours ago|||
I started with Unifi and it's been pretty great overall. I've integrated all the cameras into Home Assistant, it's all local, and can bridge with HomeBridge so it all shows up and plays nicely with HomeKit as well. Rock solid and very few complaints.
wccrawford 5 hours ago|||
I've had standalone routers, Eero Pro, Google Wifi, TP Link Deco, TP Link Omada, and probably some I'm forgetting. They all had something that just enraged me.

I finally bought a Unifi and I'm very happy with it so far, 6 months in. There's a few things I haven't tried, like rebooting it while it doesn't have an internet connection (I'm looking at you, Deco!), but so far my big complaints are that it's opinionated about the initial setup, and setting up a static IP for a device that isn't connected yet is a serious PITA. I had devices on my old system that I didn't want to have to change IPs (because the computers talk to each other) and that was not easy. If I had to do it again, I'd probably just let it do what it wants and deal with changing all those configs to the new IPs.

FWIW, I just have it as a router, and my Wifi is still some of my expensive standalone Asus wifi routers acting as just access points. I didn't see a point in replacing them when they were working great as APs.

threecheese 5 hours ago||||
What were your constraints and how were they not met? Looking to buy the same, Dream Machine specifically.
robinvdvleuten 5 hours ago|||
What do you know now then?
cassianoleal 5 hours ago||
See the answer I gave to the sibling comment.
swrobel 6 hours ago|
Did we decide ZFS is good after all this time?
AdmiralAsshat 6 hours ago||
Who said it was bad? I thought we were all pretty much in agreement that it was good, and the only thing holding it back from wider adoption into e.g. the Linux kernel was the poison-pill of Oracle's ownership and licensing.
ssl-3 1 hour ago|||
Some years ago, there were mud-slinging myths being thrown around about ZFS.

Things like "ZFS needs 1GB of RAM per 1TB of storage" and "it requires that RAM to be ECC" were once common to find online.

These sorts of things seemed to lead to widespread beliefs that it was inefficient, expensive, and fragile. None of that is true, of course, but folks might remember and believe these myths and conclude that it is (or was) bad.

(But it's pretty excellent. I've been using it for about a decade, now. It'd be nice if it fit into the Linux kernel better, but I manage anyway.)

natebc 6 hours ago|||
Another thing holding it back is the threat of a lawsuit from NetApp.

Source: used to work for a storage vendor that was marketing a NAS based on ZFS and got credible threats from NetApp to the point that we sought a partnership with Oracle that included indemnification under Oracle's settlement with NetApp.

throw0101c 6 hours ago|||
Oracle and NetApp 'mutually dismissed' in 2010:

* https://www.theregister.com/off-prem/2010/09/09/oracle-and-n...

* https://www.computerworld.com/article/1585889/opinion-patent...

NetApp originally sued then-independent Sun in 2007, and Sun counter-sued.

Free/TrueNAS/iXsystems has been offering ZFS-based solutions for many years now, and I haven't heard NetApp going after them:

* https://en.wikipedia.org/wiki/TrueNAS

* https://en.wikipedia.org/wiki/IXsystems

natebc 5 hours ago||
I remember all this too. The time period that I was in this scene was AFTER 2010 though so who knows. As mentioned in response to the sibling "credible sources" bro, I was just a lowly support engineer so I had to trust that the CEO wasn't lying to us about all this.

Maybe he was ... they do that sometimes.

I looked around a little. The C&D from NetApp was in ~July 2010 and the partnership and product with Oracle in the Fall (around the cease fire) and we continued with that (via the Oracle partnership) through 2011-2015 when the company ran out of cash and laid us all off.

bzmrgonz 5 hours ago||
Do we add this corp. body count to Oracle then? I'm pretty sure that Oracle partnership wasn't cheap.
natebc 2 hours ago||
Who knows. I'm sure it was pretty expensive. Was certainly more comfortable on that side of their legal desk though I'm sure.
smartbit 6 hours ago|||
Only threats, no court cases or journalists writing about ZFS indemnification? IOW please provide links to credible sources.
natebc 5 hours ago||
Sorry, don't have a link to the CEO telling us that we were signing a partnership with Oracle that included the indemnification.

I was just a lowly support engineer so not privy to all the legal details that the executives were dealing with. I too had to just take them at their word.

ETA: I searched a bit. Here's a link

https://www.enterprisestorageforum.com/networking/netapp-thr...

Maybe threats were enough? I certainly wouldn't want to test it myself.

Arainach 4 hours ago|||
ZFS was always good. Linux support for ZFS was not so good for longer than you'd hope, but it's been reliable for some time now.
AndroTux 4 hours ago||
ZFS is amazing. It feels like magic.