UniFi Dream Machine review
The Ubiquiti UniFi Dream Machine

I have recently decided to transform my home network and, during the process, I have acquired some new security gadgets. One of them is the UniFi Dream Machine, which acts as a home security gateway. I have been using the appliance extensively for some time now and thought I would share some of my findings with this IoT device. Let me know what tips and tricks you have discovered with your UDM.

The package

Unboxing

Ubiquiti UniFi Dream Machine package
  • The box comes with cling film wrapping and is fairly light (~2 kg). Inside, we have the white cylinder-looking appliance (~1 kg) in a paper holder, an AC power cord and a short quick start guide on how to set up the device.
  • The device has an LED halo ring on top of it, which emits either white or blue light depending on the state the appliance is currently in.
  • The emitted blue light is a strong one; I do not recommend sleeping next to it or in the same room, as the constant blue light will wake you up.

LED Status

  • There is an option to Locate the device in case someone displaces it inside the house. The appliance will start to flash its LED in blue color.
Locate UDM
  • The device has a built-in speaker, which emits a certain tone when a firmware upgrade is finished or the device rebooted and is ready. This can also be a good indicator when the appliance reboots for some reason.

Connectivity

  • The appliance has 5 Ethernet ports (RJ45): 4 LAN ports and an Internet port. There is also a power port and a factory reset button.
  • For the evaluation I had connected Port 5 (Internet Port) to my ISP modem.

Setup

  • The initial setup is done via the mobile phone app (UniFi Network) and took about 2 minutes to do. The UniFi app uses Bluetooth Low Energy (BLE) for this.
  • Interestingly, during the initial set-up, when asked to create a UI account or log in as an already registered user, if you took more than a couple of minutes (~4-5 minutes) at this stage, the device lost connection, basically forgot all previously configured settings and forced you to do the initial setup from the start. I found that if you create the account or log in hastily (within ~1-2 minutes), the setup process goes through seamlessly.
  • There is no way to set up the UDM without an active internet connection. If you do not sign up and log in with a UI account, it will refuse to set up the device, and there are zero provisions to set up the UDM offline and then associate a Ubiquiti account later.

Firmware

  • During the initial setup, the Mobile App requested an upgrade to be pulled and flashed the device with firmware version v1.5.6, which was released early 2020.
UniFi Network app
  • After this, the device did not offer any further available update. I manually initiated Check new updates from the UI, but this came back as Your device is up-to-date. This mechanism does not seem to be working properly: looking at the support/community forums it was clear that the device can be upgraded to the most recent version v1.8.5, which I did manually through SSH. Link and hash to the v1.8.5 firmware binary:
  • UDM-Base uses ARM SoC Alpine AL-324 from Annapurna Labs:

Annapurna Labs Alpine AL-314 @1.7Ghz Quad Core ARM Cortex-A57
  • Alpine is a family of ARM SoCs designed by Annapurna Labs and introduced in 2016 for embedded networking devices. Alpine chips are found in various home gateways, routers, NAS devices, and other network devices.

Temperature

  • During the first 30 minutes of usage, the appliance was moderately warm.
  • After 24 hours of continuous usage, the temperature of the device felt the same.
  • The appliance has an active fan inside, which spins up intermittently, usually when the utilization gets higher/more resources are used.
  • The fan can get very loud (swooshing), but it never spun for more than ~30 seconds at that high RPM, after which the device cools down and the fan stays at a lower, inaudible RPM.
  • Currently, there aren’t any options to manually set the rate of the RPM.

Speedtest

  • After the initial setup is done, the device runs a speed test that measures download speed, upload speed and latency. The measurements were consistent and gave the right results for my fiber line.
  • From the UI, this speedtest looks to be an implementation of WiFiman.com, which has both a web and an app version.
  • The mobile app also asks for the Internet speed promised by the ISP, as these parameters will be used to determine whether there is an issue with your Internet line. I assume that if the line speed drops ~25% below the promised speed, the UI will raise an alert.

First Look (UniFi App)

  • The App asks you to trust the server after the setup. The certificate is a self-signed one.
  • Devices menu will show your UDM (Firmware information, connected status and WiFi experience).
  • Opening up the UDM will show UDM name, System Uptime, Utilization, Internet Speeds, currently used network resource, Clients and Most active applications.
  • Drilling down further into the device pane, it will show uptime, WiFi channel utilization on 2G and 5G, active Ethernet ports and a bunch of information on IP address, MAC address, FW version, memory usage and load average.

Operating system

  • The UDM-Base runs on a custom Linux OS. You can further add functionalities to your UDM with podman containers. The main unifi system is also a single podman container. You can also install pre-built docker images.

UI/UX (Mobile app)

  • Connected client information
  • Traffic information/breakdown
  • Connected clients (before and after fingerprinting)

UI/UX (Website)

  • Main dashboard can be edited with several widgets (widgets can’t be created by you however)
  • Login panel and basic device information
  • Map for all devices, you can also upload a custom floor plan and spread the devices out on that

VPN Server

For remote access to your network, you can set up L2TP over IPsec.

  • Under Settings/Services/RADIUS/Server enter a shared secret and click Apply to enable the RADIUS server.
  • Next, choose the Users tab to create a new user with a strong password.
  • Finally, go to Settings/Networks/Create New Network and select Remote User VPN to create the VPN server.
Name: VPN
Type: Remote User VPN
VPN Type: L2TP Server
Protocol: IPv4
Pre-Shared Key:
Gateway IP/Subnet: 192.168.50.1/24
Name Server: Auto
RADIUS Profile: Default
MS-CHAP v2: Unchecked

Security Features

Firewall

  • Conventional firewall rules can be implemented on L3/L4 level with Allow or Block action on both In or Out direction
  • Restrict Access to TOR: When enabled will block access to The Onion Router
  • Restrict Access to Malicious IP Addresses: When enabled will block access to IP addresses or blocks of addresses that have been recognized as passing malicious traffic

GeoIP Filtering

  • Blocking can be done from the Settings page as well by specifying the country, adding the action to it (Block/Allow) and specifying the direction (In/Out/Both)
  • The maximum number of blocked countries is only 150
  • Blocking individual countries can be configured on the Threat Management Dashboard section of the controller. Blocking is as easy as navigating to the map, clicking on a country, and confirming by clicking "Block".

DNS Filtering

  • Clients that use VPN, DNS-over-HTTPS, or DNS-over-TLS will have non-standard DNS requests that will not be seen by the device.
  • Three filter levels:
  • Security: Blocks access to phishing, spam, malware, and malicious domains. The database of malicious domains is updated hourly. Note that it does not block adult content.
  • Adult: Blocks access to all adult, pornographic and explicit sites. It does not block proxy or VPNs, nor mixed-content sites. Sites like Reddit are allowed. Google and Bing are set to the "Safe Mode". Malicious and Phishing domains are blocked.
  • Family: Blocks access to all adult, pornographic and explicit sites. It also blocks proxy and VPN domains that are used to bypass the filters. Mixed content sites (like Reddit) are also blocked. Google, Bing, and Youtube are set to the Safe Mode. Malicious and Phishing domains are blocked.
  • UniFi DNS filter uses a simple host-based filter from cleanbrowsing.org.
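The first bullet above is the caveat a defender should care about: a host-based DNS filter only sees plain DNS that passes through the gateway. The following is an added example, not UDM code, that flags LAN flows which sidestep such a filter (DNS-over-TLS on port 853, DNS-over-HTTPS to a few well-known public resolvers, or plain DNS sent to anything other than the gateway). The gateway address, the resolver list and the flow records are constructed sample data; DoH to a resolver not in the list is not detected by this check.

```python
# Added example (not UDM code): flag LAN flows that bypass a host-based DNS
# filter. Flow records, gateway address and resolver list are constructed samples.

GATEWAY_IP = "192.168.1.1"            # assumed UDM LAN address

# Public resolver addresses that also answer DoH on 443 (sample list, not exhaustive).
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def classify_flow(flow):
    """Return a bypass label for one flow dict, or None if it looks filter-compliant."""
    dst, proto, dport = flow["dst"], flow["proto"], flow["dport"]
    if dport == 853 and proto == "tcp":
        return "dns-over-tls"               # DoT is always port 853/tcp
    if dport == 443 and proto == "tcp" and dst in KNOWN_DOH_RESOLVERS:
        return "dns-over-https"             # HTTPS to a known resolver IP
    if dport == 53 and dst != GATEWAY_IP:
        return "external-plain-dns"         # plain DNS that skips the gateway filter
    return None


def find_bypasses(flows):
    """Group suspicious flows by source host so the client to look at is obvious."""
    findings = {}
    for f in flows:
        label = classify_flow(f)
        if label:
            findings.setdefault(f["src"], []).append((label, f["dst"], f["dport"]))
    return findings


# Constructed sample flow records, as a LAN flow exporter might emit them.
SAMPLE_FLOWS = [
    {"src": "192.168.1.20", "dst": "192.168.1.1", "proto": "udp", "dport": 53},   # normal DNS
    {"src": "192.168.1.20", "dst": "1.1.1.1",     "proto": "tcp", "dport": 853},  # DoT
    {"src": "192.168.1.31", "dst": "8.8.8.8",     "proto": "tcp", "dport": 443},  # DoH
    {"src": "192.168.1.31", "dst": "203.0.113.5", "proto": "tcp", "dport": 443},  # ordinary HTTPS
    {"src": "192.168.1.42", "dst": "9.9.9.9",     "proto": "udp", "dport": 53},   # external DNS
]

if __name__ == "__main__":
    for host, hits in find_bypasses(SAMPLE_FLOWS).items():
        print(host, hits)
```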

Device Fingerprinting

  • UniFi UDM relies on 3 ways to identify/fingerprint devices on the network:
  • Device OUI
  • Proprietary Fingerprint Library
  • User Submission
  • Device Fingerprinting Settings
  • When a device is first connected to the network, it gets assigned a fingerprint based on OUI
  • A user can decide to manually assign a Manufacturer to the device in case it has a missing icon, or current one is wrong
  • Here the device type was determined via the Fingerprint Library

Parental Control

  • For Parental Control, we have 3 settings
  • All sites are allowed
  • Work profile, explicit, pornographic, and malicious domains are blocked
  • Family profile, VPN, explicit, pornographic and malicious domains are blocked
  • You can also specify which certain Application or Family of applications should not pass the gateway (Youtube/Office/File sharing services, etc.) and these can be individually selected for block
  • The UDM also has the option to limit the availability of the WiFi for certain hours, limiting how kids can connect to the WiFi

Adblocking/Privacy

  • No specific Ad-blocking capabilities were observed.

Anti-DoS

  • Currently no anti-DoS features are present in the UDM. Once the IPS module (Suricata) is enabled, you can enable the emergingthreat-dos ruleset, which looks for certain patterns of DoS and can block them, but only on the UDM-Pro appliance, due to memory limitations.

Safe Browsing features

  • Blocking malicious domains can be achieved via the:
  • The Restrict Access to Malicious IP addresses option, which uses the cleanbrowsing.org service
  • Or via Suricata IDS/IPS module

IPS/IDS

  • Enabling the IDS/IPS module (Suricata) will decrease the maximum throughput of the WAN port to 850 Mbps on the UniFi Dream Machine (UDM-Base) and to 3.5 Gbps on the UniFi Dream Machine Pro (UDM-Pro). Enabling Device Fingerprinting will also incur some penalty on the throughput.
  • The current Suricata version in use by UDM is version 5.0.5 (as of firmware v1.9.0).
  • Due to the amount of available memory (2 GB) on the UDM-Base only a limited selection of threat categories can be enabled.
  • On the UDM-Pro, the following set of ET rules could be enabled, because it has 3 GB of internal memory.
  • The whitelisting function of the IPS engine allows a UniFi administrator to create a list of trusted IPs. Depending on the direction selected, traffic to or from the listed IPs will not get blocked.
  • Suricata Dashboard
  • Suricata Settings Page (increasing the sensitivity level enables further rule files, and eats more RAM)
  • ET rule categories

Threat scanner

  • This feature claims to auto-scan endpoints connected to the network to identify vulnerabilities.
  • It will try and ascertain 3 parameters of a host:
  • IP address
  • Operating system (best effort)
  • Open ports
  • The endpoint scanner will initiate the port scanning against a host, when the uptime of the newly connected device reaches 2 hours
  • Once the scan is done, results will be displayed under Threat Management/Endpoint Scanning.
  • If no open ports were found, no entry is created, so for a host to show up here at least one port needs to be in the open state.
The endpoint scanner gets invoked with nmap -sV -O -oG parameters
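The scanner's grepable output is the same nmap -oG format anyone can read back offline. As an added example (not UDM code), the parser below extracts the three parameters the review lists (IP, best-effort OS, open ports) from that format and applies the rule above that only hosts with at least one open port are reported. The scan lines are a constructed sample; the parser assumes nmap's usual port entry layout port/state/proto/owner/service/rpc/version/.

```python
# Added example (not UDM code): parse nmap -oG output and keep only hosts with open ports.

def parse_grepable(text):
    """Return {ip: {"os": str|None, "open_ports": [(port, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # skip "# Nmap ..." header/footer lines
        fields = {}
        for chunk in line.split("\t"):                # fields are tab-separated "Key: value"
            key, _, value = chunk.partition(": ")
            fields[key] = value.strip()
        ip = fields["Host"].split(" ")[0]             # "192.168.1.20 (hostname)" -> address
        entry = hosts.setdefault(ip, {"os": None, "open_ports": []})
        if fields.get("OS"):
            entry["os"] = fields["OS"]                # only present when -O produced a guess
        for spec in filter(None, fields.get("Ports", "").split(", ")):
            parts = spec.split("/")                   # port/state/proto/owner/service/rpc/version/
            port, state, proto, service, version = int(parts[0]), parts[1], parts[2], parts[4], parts[6]
            if state == "open":
                entry["open_ports"].append((port, proto, service, version))
    return hosts


def reportable_hosts(hosts):
    """Apply the review's rule: a host is listed only if it has at least one open port."""
    return {ip: h for ip, h in hosts.items() if h["open_ports"]}


# Constructed sample of nmap -sV -O -oG output (not a real scan).
SAMPLE_GREPABLE = "\n".join([
    "# Nmap 7.80 scan initiated (constructed sample)",
    "Host: 192.168.1.20 ()\tStatus: Up",
    "Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian/, "
    "80/open/tcp//http//nginx 1.14.2/\tIgnored State: closed (998)\tOS: Linux 4.15 - 5.6",
    "Host: 192.168.1.31 ()\tStatus: Up",
    "Host: 192.168.1.31 ()\tPorts: 135/filtered/tcp//msrpc///\tIgnored State: closed (999)",
    "# Nmap done (constructed sample)",
])

if __name__ == "__main__":
    for ip, h in reportable_hosts(parse_grepable(SAMPLE_GREPABLE)).items():
        print(ip, h["os"], h["open_ports"])
```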

Honeypot

  • There is a feature to turn on an internal honeypot to detect malware, worms and other types of malicious traffic attempting to scan your network for vulnerabilities.
  • The "internal honeypot" feature is a passive detection system that listens for LAN clients attempting to gain access to unauthorized services or hosts. Clients that are potentially infected with worm or exfiltration type vulnerabilities are known to scan networks, infect other hosts, and potentially snoop for information on easy-to-access servers.
  • First you have to specify an IP address outside of DHCP IP range (for ex. 192.168.2.2)
  • Scanning from another host, the IP 192.168.2.2 shows plenty of open ports:
  • The scanning activity also shows up under the Honeypot pane in the UI, but there are not many actions you can take
  • The only option is to block the IP the client is coming from, so no further scans can be initiated
  • Manually calling up port 8080 reveals a fake HTTP 400 page
  • You can also connect to open TCP port 23; gibberish data and a login prompt come back, but all default passwords fail
neo@amp  ~  nc 192.168.2.2 23
??????????!??Debian GNU/Linux 8
login: debian
Password: debian
Login incorrect

Overview of all settings

WiFi

Add New WiFi Network

  • Multiple APs, AP groups
  • UAPSD Unscheduled Automatic Power Save Delivery
  • High Performance Devices, 5Ghz
  • Proxy ARP, remaps ARP table for station
  • Legacy 11b support
  • Multicast Enhancement, send multicast at higher datarate
  • BSS transition, with WNM
  • L2 isolation
  • Enable Fast Roaming, .11r compa
  • Rate-limiting Bandwidth profiles
  • PMF, protected mgmt frames
  • RADIUS, MAC auth
  • MAC address filter
  • WiFi scheduler

Add New Guest Hotspot

  • Guest Portal
  • Auth type:
  • RADIUS
  • WeChat
  • Payment
  • Vouchers
  • Password
  • Facebook
  • External Portal Server
  • Portal design
  • Customizable design
  • Custom ToS
  • Customizable Landing Page
  • Multiple Language
  • HTTPS redirection

Networks

Add new network

  • Internet Access (Coming Soon)
  • Backup WAN Access (Coming Soon)
  • Add VPN Type
  • Content Filtering settings (None/Work/Family)
  • Set VLAN
  • Device Isolation
  • IGMP Snooping
  • Auto Scale Network
  • DHCP Server Settings
  • IPv6 settings

Security

Internet Threat Management

  • Intrusion Detection System/Intrusion Prevention System
  • Customize Threat Management
  • Virus & Malware
  • Botcc
  • Mobile Malware
  • Malware
  • WORM
  • P2P
  • Tor
  • Hacking
  • Exploit
  • Shellcode
  • Internet Traffic
  • DNS
  • User-Agents
  • Bad Reputation
  • Dshield
  • Threat Scanner
  • Internal Honeypot
  • Firewall Rules
  • Advanced
  • Restrict access to malicious IP addresses
  • Restrict access to Tor
  • Threat Management Allow List
  • Signature Suppression

Traffic & Device Identification

  • Enable Deep Packet Inspection
  • Device Fingerprinting
  • Restriction Definitions
  • Restriction Assignments

Internet

WAN

  • DNS servers
  • Set VLAN ID
  • Enable Smart Queues (Prioritize traffic)
  • IPv4 connection settings
  • IPv6 connection settings

System Settings

Maintenance

  • Update/Restore
  • Statistics Data Retention
  • Support Information

UniFi AI

  • WiFi AI
  • AP switching channels to the most optimal one, avoiding interference

Controller Configuration

  • Remote Logging
  • Uplink Connectivity Monitor (Monitor AP uplink connection)
  • Network Time Protocol (NTP)
  • Device SSH Authentication
  • Mail Server

Advanced Features

Switch Ports

  • Add a Port Profile
  • PoE Mode
  • Advanced Options
  • 802.1X Control
  • Port Isolation
  • Storm Control
  • Spanning Tree Protocol (STP)
  • LLDP-MED
  • Egress Rate Limit

Network Isolation

  • VLAN ID
  • IGMP Snooping
  • DHCP Guarding

Bandwidth Profile

  • Limit download/upload limit

RADIUS

  • RADIUS settings
  • Enable Wired/Wireless
  • Enable Accounting
  • Authentication Server

Advanced Gateway Settings

  • Port Forwarding
  • Static Routes
  • Dynamic DNS
  • DHCP
  • DHCP Relay
  • DHCP Options
  • Multicast DNS
  • SIP
  • SIP Endpoint
  • UPnP
  • SNMP

3rd party addons/plugins

My verdict

It is a feature-rich IoT security gateway for home power users
  • Some of those features are still in Alpha or Beta stage and need further development to iron out bugs and inconsistencies
  • On UX/UI front, Ubiquiti does more than a great job, visuals are sleek and minimalist
  • While the old classic settings page shows all features, the new settings pane does not show everything; the new settings page still seems to be under development
  • Some of the security features are implemented in the most basic sense (DNS filtering with a simple blocklist, no DNS-over-HTTPS or other advanced features)
  • No Anti-DoS module, but Suricata makes up for that
  • No ad-blocking

...

A more detailed version of this review is available on Github.
