I know some folks are anti Ubiquiti Unifi on here, but you can run pihole (along with a bunch of other stuff) right on a UDM/UDM-Pro. IMO it makes the most sense to run this on the router, and you can run it in a docker container. If you're looking for a fun hour or two project, check out:
I have another point of view as a non-pro user. The less my router is doing, the better. I want my router software to be as simple as possible to reduce possible bugs. Plus I want it to put all CPU time into processing packets.
I would consider using pihole-like functionality if it's baked into the firmware. But I definitely don't want to install extra software.
Unless you are doing deep packet inspection, which isn't useful in most home setups anyway, even mediocre hardware is going to be more than powerful enough to process packets while running PiHole or AdGuard home.
Never heard of smoothwan but I've been running PiHole on LXC on OpenWRT for years. It was never difficult to set it up, I just created a Debian (or Devuan, can't remember now) container and ran the PiHole install on it.
I run a PiHole and a Tailscale exit node on my Unifi routers (previous generation). The Tailscale exit node lets me do both site-to-site VPNs and site-specific egress. The one thing keeping me from site network nirvana is that I haven't quite figured out how to set up a wifi network on the Ubiquiti device that routes all traffic through a given other exit node, however. Someday!
I'm afraid to ask, but why are people anti-Ubiquiti? I freaking love my UDM-Pro and am waiting for their cams to come back in stock so I can ditch my Nests.
I saw your exact question elsewhere, so I'll reply with my exact same answer:
I personally grew a strong distaste for several reasons. When I first started my homelab I was ready to go all in with Ubiquiti. Equipment looked nice, great-looking UIs, great price. Seemed like everything was perfect for the prosumer. I bought some access points and a UDM Pro to start, with plans for some PoE switches next. The first thing that irked me was that I had to log into everything through the cloud. And it wasn't possible to set up the UDM and access points at the time without a cloud account, though I know this has since changed. Second was that they were sending all kinds of telemetry to HQ. One of the reasons I set up a homelab is for privacy and data sovereignty, so having my low-level network equipment spy on me is a huge no-go. The third thing that really pissed me off is that there was no way to manage any clients on my network that didn't go through a Ubiquiti access point. I had an old Airport Pro that I was using, and all the clients that connected through it were not visible to the UDM Pro. Both official support and the Reddit forums said it wasn't possible and it didn't make sense anyway, and gaslit me and even removed some of my posts and comments. What is the point of a firewall if you can't disable traffic to some clients (e.g. I didn't want my robot vacuum phoning home to China)? I SSH'd into the UDM and indeed saw the vacuum in the ARP table, so there was no technical reason not to allow me to set firewall rules for it in the UI. I mean, the UDM gave these clients DHCP addresses, so it's obvious that the UDM was aware of them. It became clear - it's a business lock-in strategy to force you to go all-in on Ubiquiti equipment. They don't support heterogeneous mixed-vendor networks. I said fuck that and returned it all. Switched to open source products like OPNsense and used professional equipment from eBay and couldn't be happier. Way more control for the same price, no spying, and no vendor lock-in.
Forcing users to use a cloud account and an app for setup, and enabling telemetry without disclosing it to users (although once they were called out on it by folks noticing a bunch of traffic to their servers, they eventually confirmed it was happening and added an opt-out option; see https://www.theregister.com/2019/11/07/ubiquiti_networks_pho...). Also, there was something about the NVR and not being allowed to self-host it, or use old hardware... I never bothered to really look into that one, but it seemed to come up a lot.
Stupid bugs caused me to move away from them, conveniently only days before the breach became public.
Bug #1 was when they stopped supporting 32-character SSIDs, so my main network called "Smart Meter Surveillance Network" suddenly was no longer editable. Switching routing platforms is easier than setting up all my devices again.
Bug #2 was the one I wrote up here on Reddit (https://www.reddit.com/r/UNIFI/comments/ghs4bg/arp_for_clien...), which was where ARPing for a client on a meshed wireless AP, from the wired network, would fail. If the client was on a non-meshed AP, it worked.
I expect better from my network, so I dumped Unifi and went to OPNsense on a fanless PC.
- Synology DS1019+ for storage, Plex, and Pi-hole via Docker
- 2x Ruckus R610 APs running Unleashed firmware (off-lease eBay purchases, enterprise-grade APs, about $150/ea, both wired/non-mesh)
- Brocade ICX6430-C12 switch (4x 802.3at PoE, handles the APs, another eBay special, cost around $90)
This is working well for me, and unlike the UniFi stuff I can now pretty easily swap out any piece of it with another brand of the same function and things will be fine. The single ecosystem of Unifi always bothered me a bit.
If I want a new VLAN (or special WLAN) it's a little harder than on UniFi, but it's really just setting it up on OPNsense, defining it on the requisite ports on the switch, and turning up the new SSID (if needed).
I don't miss Unifi's single pane of glass view either. All the shiny threat stuff isn't particularly actionable, and there's a bunch of gaps (IIRC it wouldn't have usable timestamps for some things), so I was never able to use it to make decisions.
I run the Synology with a LACP link; that's plenty fast as it's more a storage/backup box than anything that needs to be performant. Speeding all that up would just be a matter of replacing the switch and adding a card into the Synology, but I don't need that for now. (I'd probably get a new NAS before that.)
• lies about supporting older versions of APs, telling me I need to upgrade to get x-such-feature, and then they support it later on the older hardware.
• Various features sold as _coming_soon_, that really take several years to come about.
• making more and more of their setup require a total buy-in of the whole infrastructure when I only wanted one piece of it.
• It just wasn't very reliable. I'd have to reboot all the APs every now and then to get them communicating well again (this seems to be limited to myself and not my friends, but it happened on two generations of the UBNT hardware).
But what did them in in the end for me was a version upgrade that totally blew up my network, which depends on different SSIDs mapping to different VLANs; after the upgrade, they bridged everything together.
Found that unacceptable, so I gave up fighting them, dropped in another enterprise vendor, and now things are truly rock solid.
Yes, they give out many enterprise features for a very low cost, and the feature set does far surpass any of the consumer price range gear that they hover their price points around.
OTOH, since I do work with lots of enterprise gear, I know when used gear is falling off in price to affordable-for-home levels, and how much more life I can reasonably get from it. Sure, I don't have 802.11ax, but I don't think my last round of UBNT AP buys can upgrade to 802.11ax either; I would have had to buy another round of UBNT gear.
"On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to extort his employer while pretending to be a whistleblower.
"Federal prosecutors say Nickolas Sharp, a senior developer at Ubiquiti, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January."
No matter how good your security is, a rogue employee with high-level access will always be a threat. Since they now have experience with this situation, I trust that Ubiquiti has dedicated more resources to preventing both employee sabotage and external breaches.
This also shows that not every breach is what it seems, and investigating fully before publicly disclosing can sometimes help prevent disinformation. The “whistleblower” in this case was intentionally lying, and every customer that dedicated time to mitigation had to pay part of the cost.
Yeah, reminiscent of the (apocryphal?) story of the stunt plane mechanic whose negligence almost cost the pilot his life; assuming he'd be fired, the mechanic was shocked when the pilot said he was now the only mechanic allowed to touch his plane, because he knew, with certainty, there'd never be another such mishap.
I had six unifi protect cameras for over a year until I replaced them all. Rain at night means motion notifications every 30 seconds, bugs at night, same thing. Unifi cameras are terrible for outdoor applications.
Be aware that UI is planning to consolidate the UDM/UDM Pro software (1.x) into the UDM Pro SE / UDW software branch (2.x) in the near future, and the 2.x software doesn't use Podman and instead runs the software "bare metal".
IIRC the udm-utilities also work on the UDM Pro SE, though I'd be a lot more worried about "messing up" when it's not confined to a Docker container.
I caught a bug related to this in Project Zomboid in an early multiplayer version.
Often when someone joined a server there would be a tiny bit of lag for all of the users.
I figured out the server was using a java method that indirectly was doing a blocking DNS lookup.
I think it was reverse DNS but I forget which method it actually was, and if it was blocking the main thread or just the networking thread.
(PiHole still wouldn't have created an additional cost though.)
No expected impact. If for some insane reason a game is also calling ad servers, your performance will be improved.
Consider the case of a web page. The content you want (the news article) consists of, say, 100 GET requests totaling 1 MB. The content you don't want (ads) consists of 120 GET requests totaling 1.2 MB.
When pihole is in use the content you want does not have to contend with adversarial content. You have half as many requests, there’s 50% less data in the pipe, you get what you wanted faster.
Gaming is not impacted because your games don’t call advertising servers. If they did (for some insane reason) the real game requests get served immediately not having to wait in line behind the ad content.
I run it on my NAS computer in an Ubuntu Server VM. It was 20 minutes to set that up and another 5 to install and point my router's DNS to it. Maintenance is a monthly login, and a biannual update after PuTTYing into the box.
If you want a one-purpose device for it, then you would be looking into buying an SoC computer like a Raspberry Pi 3 (should be cheaper than the 4) and about an hour to set it up.
One little thing I have done is set my router's secondary DNS to 1.1.1.1, just in case the power fails or the Pi goes down. When I set mine up I completely forgot to set ESXi to auto-power on the VM, so after a brief power outage I had no internet for almost an hour because I had no redundant DNS configured. I got blindsided by my own mistake. Now everything is on a UPS and the VMs are correctly configured in case power is lost long enough to require a shutdown.
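The outage described above (no redundant DNS while the Pi-hole VM stayed down) comes down to two habits: bound every lookup with a timeout, and keep a second resolver to fall back to. The following Python script is an added example, not code from the commenter or from the Pi-hole project. It speaks the raw DNS wire format (RFC 1035) so it needs no third-party library: it builds an A query, parses the reply, gives each UDP query a socket timeout, and walks a resolver list in order. The `PIHOLE` address, the hostname in `__main__`, and the function names `query_server` and `resolve_with_fallback` are assumptions made here; only 1.1.1.1 comes from the thread.

```python
"""Added example, not code from any comment above: a DNS A lookup that
bounds each query with a socket timeout and walks a resolver list in
order, so a Pi-hole that is down does not leave the host without DNS.

Constructed placeholders: PIHOLE (the Pi-hole's fixed LAN address) and
the hostname used in __main__; only 1.1.1.1 comes from the discussion.
"""
import random
import socket
import struct

PIHOLE = "192.168.1.2"        # constructed: fixed LAN address of the Pi-hole
PUBLIC_FALLBACK = "1.1.1.1"   # secondary resolver named in the thread
DNS_PORT = 53
A_RECORD = 1
IN_CLASS = 1


def build_query(name, qid):
    """Encode a standard recursive A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", A_RECORD, IN_CLASS)


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1


def parse_a_records(resp, qid):
    """Return the IPv4 addresses in the answer section of a response to qid.

    Raises ValueError on an ID mismatch or a non-response packet, so a
    stray datagram is never mistaken for the real answer.
    """
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:                 # RCODE != 0: NXDOMAIN, SERVFAIL, ...
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4   # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def query_server(server, name, timeout=0.5):
    """Send one A query over UDP; the socket timeout bounds how long we wait."""
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, DNS_PORT))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, qid)


def resolve_with_fallback(name, resolvers, query=query_server):
    """Ask each resolver in turn; return (addresses, resolver) from the first
    that answers, or (None, None) if every resolver times out or errors.
    `query` is injectable so the fallback logic can be exercised offline."""
    for server in resolvers:
        try:
            addrs = query(server, name)
        except (OSError, ValueError):   # socket.timeout is an OSError subclass
            continue
        if addrs:
            return addrs, server
    return None, None


if __name__ == "__main__":
    # Live use (needs network): Pi-hole first, public resolver only if it fails.
    print(resolve_with_fallback("example.com", [PIHOLE, PUBLIC_FALLBACK]))
```

Two design points: the transaction ID and the QR flag are checked before any answer is trusted, so an unrelated datagram arriving on the socket is discarded rather than accepted; and the fallback order lives in one place (the router in the commenter's setup, this script here) rather than being handed to every client, since a client given two resolvers may use either one at any time and quietly bypass the Pi-hole's filtering while it is perfectly healthy.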
You will not have any extra latency once the DNS resolution is done.
The resolution has to be done one way or another; by default this is your ISP, and they usually suck. I had hand-picked DNSes before (there is a utility that tests plenty of them from your connection), and after adding a pihole on a simple RPi it was even faster.
Any recommendation on hardware piholes? I have a UDM Pro but honestly I don't know how much I trust modifying it at all - I've found Ubiquiti software to be iffy... so I'm a bit hesitant to modify anything.
I run two Pi4s with the filesystem on a USB drive, which is probably a bit overkill, but I keep some monitoring on them too. In Unifi Routing, give the piholes a fixed IP and swap your DHCP server to have manual DNS entries - you might need to do this in the classic settings view.
I run 2 Raspberry Pi Zeros connected (and powered) to my router as USB network devices, both running pihole. I've been running this for years and have had zero issues.
You can run Pihole on any crappy raspberry pi you have around.
I ran mine on a Raspi Model B. You know, the one with the RCA plug and SD card slots. From 2012. At some point the SD was so messed up I couldn't ssh into it any more, but it still worked.
Now Pihole is running on my ThinkCentre mini PC as a Docker image along with a good dozen others. I don't have to worry about SD corruption or sudden shutdowns any more.
https://github.com/boostchicken-dev/udm-utilities/tree/maste...