Today on the hookup we’re going to take a look at the Unifi Dream Machine Pro, check out some of the new advanced features in the unifi controller and figure out if this is a product for new unifi installs or if it’s worth it to upgrade from an existing UniFi Security Gateway.
If you’ve ever heard the old adage if it ain’t broke don’t fix it, this video is a prime example of that. My UniFi network has been basically flawless for over a year now. Wide coverage, zero downtime, and great security, but people have been asking me whether the new UniFi Dream Machine Pro is worth the money over my previously recommended setup, so I got one and I took down my perfectly functioning network to upgrade to the the unifi dream machine pro.
This video was sponsored by HolidayCoro.com. HolidayCoro is one of the worlds largest suppliers of holiday light show props and controllers and accessories. Whether you want to build a simple home display or a full scale drive through park, HolidayCoro has you covered with lights, a modular and expandable range of advanced lighting controllers for both RGB and AC based lights and huge variety of mounting options and props for both beginners and seasoned veterans. Check out holidaycoro’s massive selection at from the link in the description.
If you’re thinking about taking the plunge into a high end prosumer grade network for your smart home, I’d HIGHLY recommend you watch my 3 part series from last year, but if you’re short on time here’s a quick rundown of my network as of a few weeks ago: Roughly 100 devices are spread out over 3 segmented virtual LANS: a cloud based IoT device VLAN that only allows outbound traffic and prevents those devices from accessing the local network, a VLAN for my local IoT devices, which prevents those devices from contacting devices outside my network, and one for our computers, phones and tablets that has basically unlimited access. The system is based completely on the UniFi ecosystem with a UniFi Security Gateway as the router and firewall, and three UniFi access points providing different WiFi networks for each device type.
As I mentioned before, my network has been running frickin flawlessly… like perfect. So I’ve been dreading messing with it to upgrade to the UDM: Pro and unfortunately my fears turned out to be pretty well founded.
So why would I put myself through this torture? The USG is a very capable router and firewall, but as UniFi continues to introduce new features the USG’s relatively underpowered specifications cause it to limit your network speed as you enable them.
Not only does the UniFi Dream Machine Pro solve those problems with sizable upgrades in both CPU and RAM, but the UDM Pro also combines multiple devices into one.
If you were starting from scratch and planning on buying a USG, Cloud Key Gen2 Plus, and 8 Port Switch, you’d be crazy not to just get the Dream Machine Pro instead, but if you already have that equipment, or you don’t need a switch or cloud key, it may not be worth it for you.
I did hours of research before even taking my UDM Pro out of the box, so I knew there may be some pitfalls. Lots of bloggers and youtubers reported that the UDM had trouble finding an internet connection despite being plugged in to a cable modem. Other youtube videos showed the UDM Pro failing to boot, requiring booting into recovery mode. Luckily I got to experience all of these problems and a few more. All said and done, my initial configuration of my UDM took just under 2 hours and required my phone, my desktop computer, and 500 megabytes of mobile data to download a recovery firmware file onto my laptop.
But in the grand scheme of things, 2 hours isn’t that big of a deal. What really mattered was the fact that I was able to pretty easily able to migrate my entire network configuration from my cloud key and USG to the UDM Pro using the backup and restore functionality, which thankfully went off without too much of a hitch.
Here’s how you do it:
First, you’ll need to make sure that your cloud key is updated to the latest firmware, then head over to your unifi settings select backup. You can choose to include historical data if you have a need for keeping statistics, but the more data you choose to backup the larger the file will be and the longer it will take to restore. I chose to keep it simple and only download my settings, without historical data.
Next, you’ll need to shut your controller down, which is more than just unplugging it. According to Ubiquiti, shutting the controller down properly prevents a double controller situation where the rest of your equipment will not automatically migrate onto the new controller. I didn’t have the menu that the ubiquiti documentation referred to, but I found the shut down option in my cloud key management portal, under settings, hardware, then shut down.
Okay, prep work done, time to get this thing set up. I disconnected my cable modem from my old USG, plugged it into the 1 gig LAN port on the dream machine pro, and switched over the LAN cable that connects to my UniFi 16 port switch. I powered on the Dream Machine Pro and then power cycled my cable modem.
The preferred setup method for the dream machine pro is via Bluetooth and the unifi phone app. The process seemed extremely smooth at first and my UDM was almost immediately detected. After fetching initial data for a little over a minute I reached the first hurdle: detecting an internet connection, and just like the videos I had seen, detection failed. I did notice something strange though: At one point I unplugged the UDM trying to get it to detect the internet and the UniFi app didn’t notice… It just kept giving me the no internet detected message, despite the fact that the app couldn’t be connected to the powered off dream machine.
After that revelation I decided to cancel the setup and start from scratch, and lo and behold the internet was immediately detected… so I’m starting to wonder if this issue has to do more with Bluetooth connectivity than internet connectivity. Either way, I was on to the next step: I signed in with my unifi online login and chose an update schedule. The UDM then did an internet speed test to get it’s initial settings, no problem. Next a firmware update message came through, but something went wrong. Retry, retry, retry, retry… It says my unifi app might need to be updated. Nope, retry, retry… no more error message, but nothing appeared to be happening. Cancel setup, lets try this again. This time the setup finished without issue and it was going to update the dream machine pro’s firmware to the latest and greatest. 5 minutes later setup was complete, except my UDM pro was not reachable, so I investigated, only to be greeted with this message on the front panel OLED.
The recovery mode instructions on the ubiquiti website seemed reasonable at first glance: Connect your computer directly to port one, hold the reset button down and power on the dream machine to boot into recovery mode, then you’d just need to manually setup your connection on your desktop and access the dream machine web interface.
Then I ran into an issue, I needed to upload a firmware file to the UDM from my desktop computer that didn’t have internet access, so how exactly was I supposed to download the firmware file without internet access? I ended up using my cell phone as a hotspot to download the 500 megabyte firmware file on a spare laptop and then transferred the file on a thumbdrive to my desktop that was connected to the dream machine. File uploaded, dream machine restarted, and we were in business… time to do the initial setup for a third and final time, this time from the desktop interface.
Everything appeared to work, I clicked on the network configuration button, but nothing happened. Clicked some other buttons, nothing. Then I remembered that I had manually setup a static IP address to use recovery mode, and after reverting back to DHCP and refreshing the page I finally got to see my unifi dashboard.
Based on my previous one and a half hours and my prior research, I was not hopeful that the backup and restore method was going to work. I uploaded the backup file from my previous controller, and after a couple of minutes I navigated to the 192.168.86 subnet that my old network used and all of my devices, settings, and clients were already there. Amazingly, after nearly 2 hours of error messages, the most difficult part of the process went off without a hitch.
There were some mild growing pains with some devices that I thought I had assigned a reserved IP to, but those were just user error, and no fault of ubiquiti and after working out the kinks everything was seemingly back to normal and it was time to check out unifi’s new features.
It’s important to note that with the exception of DNS filtering, all of the options you’re about to see are also available on the USG, but as mentioned earlier, the more options you enable the harder the processor has to work and the lower your total network throughput becomes.
To get access to the latest and greatest features you’ll need to enable them by going to settings, user interface, and then toggling the “new settings” switch.
Starting at the top your WiFi settings will be the new place to add or remove WiFi networks, but now you have easier access to advanced features like scheduling for turning specific WiFi SSIDs on and off, and something called WiFi AI that attempts to continually schedule times to scan your network for interference and tweak the settings on your access points to provide the best overall wifi experience. From a smart home perspective I found that my IoT and NoT devices did not like having this setting on. It says to enable your scans at a time when few wifi clients are around, but IoT devices are always there.
Under the internet heading you have the option to run regular speedtests to make sure your ISP is giving you what you’re paying for, which is kind of cool, but make sure to turn this option off if you have a limited amount of upload and download data per month, because this is an easy to burn through it without realizing.
WAN networks is where you would configure your WAN failover if you had multiple internet providers or a cellular backup, but that’s probably only applicable to a very small number of home users.
LAN networks is where you will see all of your VLANs, which for me is my main untagged VLAN, my IoT network and my NoT network. For some reason the dream machine pro came with a separate VLAN preconfigured on the WAN2 SFP port, and I decided to just leave it there since there’s nothing connected to it anyways.
Internet security is where you’ll find the real fancy new stuff, and the settings that will put the most stress on your dream machine or USG’s processor.
Under threat management you can turn on IDS, the intrusion detection system, or IPS the intrusion prevention system. IPS actively stops threats, while IDS just makes you aware of them.
In the threat management dashboard you have a ton of different options for what threats to look for and protect against. I was fairly liberal with my selections and haven’t noticed any problems with friendly traffic being blocked. Under the threat management tab, IPS has protected me from a bunch of things I don’t quite understand. For instance, take this “shellcode” category that is high severity and labeled as executable code. That seems like a pretty big deal, but if you look at the destination they are directed at completely inaccessible ports on my server… to me, this means that they weren’t really a threat since they had no chance of getting through in the first place… in fact, every identified threat was one that would have already been blocked by my firewall rules, which to me, makes them a bit dubious. Please let me know down in the comments if I am somehow misunderstanding these concepts.
Next is GeoIP filtering which just lets you block out complete segments of the world if you think that nothing useful could come out of them, and again, I’m not too sure about this concept, but it’s nice to have the option I guess.
Content filtering is kind of neat and allows you to filter out malicious websites, or do more broad filtering like adult websites. Applying these rules is limited to entire networks only, so if you were looking to use them for parental controls you’d need to create a VLAN for kids devices and then apply content filters to that VLAN. I’d like to see an option to apply content filtering to IP groups in the future, but for now it’s VLANs only. Don’t forget that content filtering is a unique feature to the dream machine series, so unlike the rest of the features I’ve mentioned, you won’t be able to do this on a USG.
Deep packet inspection or DPI is a useful tool that allows you to examine what your devices are doing and which websites and services they are communicating with. You can also do some content type filtering with DPI, but the categories aren’t being maintained like they used to be, and the “top adult sites” group is missing, so you can’t filter adult websites this way. I get the feeling that DPI based filtering is on it’s way out, and content filtering will be handled via it’s own interface from now on.
Network scanners looks for malicious and vulnerable devices on your network... The endpoint scanner will tell you what services are running on each device, which ports are exposed and which may be vulnerable, while the internal honeypot looks for traffic that is attempting to find those vulnerabilities like malware and worms.
Under advanced you’ve got some broad filtering for blacklisted IP addresses, and then the ability to whitelist any device on your network to completely go around the intrusion prevention system.
Firewall is the last option in this group, but has been and will always be the most important. This is where you’ll setup all your firewall rules to control the flow of traffic on your network and define the rules that govern your devices. You’ll be creating most if not all of your rules in the LAN area instead of specifically the LAN in area like in the previous menus. If you ever want to go back to the previous UI to create your firewall rules so you can follow along exactly with my previous videos, you can just turn off the “new settings” switch to see the old UI again, create your rules, and then switch back to the new UI.
VPN, Gateway, configuration profiles, and preferences have the same options as always, nothing new to see there and the alerts menu lets you configure which events populate in your alerts panel, give popup messages, or send push notifications to your phone.
A word of caution: under the updates tab I would highly recommend against turning on automatic updates for your devices. I have had pretty mixed success in the past upgrading my access points to the latest and greatest firmwares from ubiquiti, and specifically for this video I was about to give the dream machine pro zero stars since my network was a wreck for almost 24 hours after installing it. Thankfully I traced the problem not to the UDM pro, but to the fact that I decided to press the “upgrade” button on all of my hardware after installing the UDM pro, and the newest firmware, 188.8.131.5298, causes my tasmota devices to constantly lose connection, posing a significant problem for my smart home. Point is, you should probably be consciously upgrading your firmware and then monitoring the outcome, rather than relying on automatic updates.
So, bottom line: should you buy a dream machine pro? If you are starting your network today and you were planning on buying a USG and a cloud key the dream machine is a great substitute and you shouldn’t waste time with a USG. However, If you already have a USG and you’re thinking about upgrading to a dream machine, I think you should hold off. Unless you saw an option today that you ABSOLUTELY want to implement on your network, the dream machine still feels like a little bit of a beta product. Firewall rules remain the best way to ensure the safety of your network, and lots of the newer features say “alpha” or “beta” next to them. I personally have my networking equipment mounted in a rack, so the 1U form factor was preferable over the non rack mountable USG, and Cloud Key Gen2 Plus, but my rack is also mounted right under my desk, and while the USG, Cloud Key Gen2 Plus and UniFi Switch 8 are all fanless, the dream machine pro has on demand fans that definitely not silent.
I would 100% hands down recommend Ubiquiti and UniFi as a whole, and I can’t emphasize enough how amazing my network has been over the last year. If you’re new to all of this and serious about a safe, secure, and reliable network for your home, I’d highly recommend you watch my original 3 part series, it’s well worth your time. If you have questions about the USG, or anything else in the UniFi family of products feel free to ask a question in the comments.
Thank you to all of my awesome patrons over at patreon for your continued support of my channel, if you’re interested in supporting my channel please check out the links in the description. If you enjoyed this video, please hit that thumbs up button and consider subscribing, and as always, thanks for watching the hookup.