The Ubiquiti UniFi Cloud Gateway Fiber is the current hotness in 2.5GbE and 10GbE pre-built gateway devices. Onboard, the UCG-Fiber features two SFP+ 10G ports and a 10GbE port, which handle both multi-WAN and LAN-facing connections. There are four 2.5GbE ports for LAN duties, including one PoE port for a simple WiFi setup. All of this is what you can read elsewhere. What we have that makes this special is that we purchased several of these so that we could also take one apart to show you what is inside, since we could not find those photos online. We are also taking our $1M+ Keysight CyPerf load generation setup and showing another capability using this device.
We have a ton to cover today. Just as a quick note, we purchased these units thanks to our STH YouTube members. We have refused to sign the “Influencer Testing NDA” with Ubiquiti that everyone else does because there is a line in there that Ubiquiti would not allow us to remove, saying that we could review the product provided Ubiquiti is allowed to review the post prior to publication, and that we would incorporate that feedback if needed. While we tour data centers, manufacturing sites, and similar locations and let people preview to ensure we are not leaking confidential information, we do not allow vendors to preview and provide substantive feedback that we would be required to incorporate into our reviews. Our readers and YouTube viewers have requested that we review this box, so we purchased it to provide an honest assessment.
Patrick’s Editor’s Note: Ubiquiti reached out the evening after the Ubiquiti Flex Mini 2.5G Review was published and requested edits to be made to the paragraph above. Although disctinctly recall Ubiquiti told me that everyone else signs the “Influencer Testing NDA”, there may be people who did not, so we are going to strike that out. Fair point. We also changed the “standard NDA” to “Influencer Testing NDA” because Ubiquiti, when making the requests, also said that they were not aware of the review and incorporate feedback language in question. While doing that, they had copied the person in Legal who actually e-mailed me the document and who I discussed my concerns with. I have never had a request like this in 16+ years of reviewing products in the industry, especially when we are buying product for editorial review.
Where to buy: Amazon (affiliate link.) B&H Photo (affiliate link.)
Ubiquiti UniFi Cloud Gateway Fiber UCG-Fiber External Hardware Overview
At only 212.8 x 127.6 x 30mm or 8.3 x 5 x 0.5in, this is a fairly small and sleek design. On the front of this machine, there is a little status screen which is a nice touch. That alone is a great feature that you do not get on many lower-end gateway router and firewall devices.
On the back, we get the ports, and for a $279 base price device, you actually get quite a bit here.
For example, there are four 2.5GbE ports. One of them has PoE capabilities and is rated for 30W of PoE output.
We hooked up a Fluke Networks MicroScanner PoE to the port (Amazon Affiliate link), and it only saw a 6.5W 802.3 Class 2 PoE device. At the same time, this seemed off since we have powered Ubiquiti’s WiFi 7 APs from this port, like the U7 Pro and U7 Pro Max. It is certainly capable of powering more than 6.5W.
Despite the fact that the Fluke is one of the best handheld PoE testers available (it is an ~$800 test tool). We have seen this before on some Hasivo and other usually ultra-low cost AliExpress switches, where the autonegotiated power the Fluke tool sees and the actual power provided by the port can be different. We ran this on three of our five UCG-Fiber units (one was destroyed to get the internal photos, and one was used for the CyPerf tool sanity check.) We also rented a second Fluke just to see if our result was a “fluke.” All six combinations gave us the same result. This week’s ASUS ExpertWiFi EBG19P Router and PoE Switch Mini Review has the same Fluke tester finding PoE+ properly negotiated, tested back-to-back. This is one of those things that to most will not matter, but it was an interesting find that we have not seen in other reviews out there.
The other three ports are the 10GbE ports with two SFP+ and one 10Gbase-T. One SFP+ and the 10Gbase-T are labeled WAN, although you can change a lot in the Ubiquiti management interface. The other SFP+ port is designed to be the LAN port. Something of note, however, is that the 10Gbase-T port is a 1/2.5/10G port. It would have been nice to have 5GbE support. (Update 2025-11-08: Despite Ubiquiti’s specs, we remotely set a downstream switch port this is connected to at 5Gbps and it seems to have negotiated 5GbE speeds, so this might be a Ubiquiti spec sheet omission.)
The power input is a 54V DC power input. That is common on PoE devices. One area that would have been nice is some kind of locking/ retention mechanism to keep the unit plugged in. On low-cost devices, pennies count, but if you have ever installed a device like this in an area prone to bumping, you could understand why retention/ locking for DC barrel jacks is common in higher-end devices.
There is also a small reset button recessed in the corner of this device.
One item you will likely notice is that on the side, there is a little cutout.
$279 is the base price. You can get a 1TB SSD kit for $120 more at $399 and a 2TB kit for $529 total. There is also an option for a $19 kit, where you can bring your own SSD. The benefit of this is simple, but also great. You can use this storage for functions like recording video from a UniFi camera device. This is a superb feature.
Here is what the 1TB drive module looks like.
Installing this is super easy so long as you have that little tool to pop the blank out.
On the bottom, we get a flat base with vents. Something we wish is that this had mounting holes for easy wall or DIN mounting. Ubiquiti sells a $39 magnetic mount, but it is also nice to just have a more standard and easy mounting option.
Next, something else folks have likely not seen before: what these look like inside.
Perfect timing for this review for me, thinking of picking it up.
For the Fluke meter test, we had an issue with Aruba APs and Cisco Switches where LLDP had to be enabled to get proper PoE values sent to the APs.
If LLDP was off, the Cisco switch would only output 15w or 30w, with it enabled PoE values would drop to 24.5w.
With all that being said, I wonder if enabling or disabling LLDP would change the results of the Fluke meter’s test.
You’ve got to love STH comments like Scotty’s. It’s so technical here. I’d say it’s a finding in either case that I’ve never seen elsewhere except for older UI devices
I’ve got to say, this is one of the best reviews. I’ve always thought Ubiquiti reviews elsewhere lacked any balance. You’re right that I’ve never seen inside this, and I’ve read and watched so many reviews. You’ve shown and articulated both where there are shortcomings and why for $279 they’re expected. STH knocked this one out of the park
Hi Patrick love this review and how in-depth it is. But I do have a question, when you were performing the attack test against the UCG-Fiber could you clarify if you left the Intrusion Prevention setting “Off”? You can turn this on and configure it without a subscription, Ubiquiti provides regular definition updates and IPS categories.
The premium / subscription version is something else entirely to my understanding, though I haven’t tried it.
Justin you are correct. It was off. The reason is twofold:
1. We wanted to show the default behavior since we were showing failure modes and did not want folks to think we had firewall rules impacting that. Also, I went into this in the video but many will buy a firewall, and not turn on the firewall features. I worry about that less on DIY firewalls and $1k+ firewalls, but in this segment of the market, it happens a lot.
2. We are still honing the security and also the VPN testing protocols we will use. I made the call that I did not want to publish before we had those set. My goal is that we continue to add more testing over time, but I want folks to be able to compare historical data.
The profiling may seem simple, but just to give you some sense, we have had this box up since August, and the UCG-Fiber was literally the first low-speed DUT we used. It has taken some time to get a sense of the application mixes we wanted to show.
This is all not a fast process, but the goal is to get going and then improve. Part of that is really running the test protocol through a bunch of devices to see if there is anything obvious that is not working.
Top left chip is the RTL8238B which appears to be POE controller.
The main switch chip is RTL8372N, which appears to have one 10Gbit link to the core, and another 10Gbit link to the rj45 wan port via TRL8261BEI transceiver
The 2x SFP+ cages appear to be routed direct to the core
The core appears to be one of the (IPQ9570)(Pro 1620) series which has a pretty wide range of options
https://www.qualcomm.com/content/dam/qcomm-martech/dm-assets/documents/Networking-Pro-1620-product-brief_87-PW325-1.pdf
Just so you all know, there is a big flaw with this device if you want to utilize a faster than 1GB fiber WAN connection. Upload speeds are currently capped at half of what they should be. I have tried converting one of the 2.5GB ports to a WAN connection, using the POE 10GB WAN port and even purchasing a 10GB SFP+ to Ethernet (Ubiquiti branded). All of these will cap my 2GB fiber upload to around 1 to 1.1GBps. There is no issue with download speed at this time.
Can you please review the Alta Labs Route10 as the sister/competitor device to this unit? I believe they even share the same CPU: IPQ9574.
The memory chips look like 16Gbit/2GByte ether 2Gx8 or 1Gx16 ddr4 3200 or similar.
Something like k4aag085wa-bcwe or k4aag165wa-bcwe
I wonder if they are running some sort of ECC/parity mode and thats why its only speced at 3GB, or if 1GB is used for a ram drive of some sort?
As an Alta Lab Route10 owner, I’d be interested in seeing a review too – mainly so if I can see if I was right to buy a Route10 and not wait for the UCG fibre :)
“For 10GbE networking, you simply do not need that much CPU performance and offload.”
That really depends on what you’re doing, doesn’t it? Just NAT is one thing, complex firewall rules are entirely another, at least potentially. And then, there’s the question of small packets. If you’re the victim of a DoS attack, you’re looking at ~1.4Mpps for every Gbps of traffic. So if this box can handle ~1Mpps, it will fail even if the DoS doesn’t fill your channel completely.
That may be outside the expected performance of a $279 box too, but honestly I think this is a vastly more important and interesting performance question than the ones actually asked and answered. I hope that this will get a lot more attention with your new all-singing-all-dancing CyPerf.
Also, unrelated side note… the back of the board where the CPU (I think) is is a heck of a mess.
On the note about the WAN port being 1/2.5/10G, on my setup (a UCG Fiber hooked up to an AT&T BGW320), that port negotiated at 5G without any issues.
The one thing that made me power off my udm pro max and use the gateway fiber is that unlike the udm systems, this processor does PPPOE offload. For my 3Gb ISP the UDM would loose its mind over 2.5 Gb at 100% CPU whereas the Gateway Fiber barely breaks a sweat. Now if they would only use that proc in a proper rackmout device…
JM and Korev – I responded to a comment on YT, but I saw a Route10 on the photo/ B-roll set before I left the studio this afternoon.
Agree with @smax. The WAN port is absolutely capable of 5G.
The fact that this device locks up and stops passing traffic with more than 2048 users to me suggests a buffer overflow in the firmware. This may not be ideal for security.
Thank you! But I would really be very very very interested how good the protection (and performance) would be with no IDS/IPS vs stock IDS/IPS vs 99$ subscription IDS/IPS.
I came here for the complete story after viewing the video. 99% of the attacks coming through scared me, but here I read that this was with IDS/IPS off.
So, indeed: I’m also very interested to see the comparison No IDS/IPS vs stock IDS/IPS vs 99$ subscription vs a Sonicwall or other solution.
I know this is a lot of work, but it’ll be very much appreciated by a LOT of people worldwide.
No sales pitch for Unifi or their subscription, but just the real facts so we can make a good informed decision.
Looking forward to the security side of things comparison.
The YT video though left me scratching my head. Script was all over the place, repeating things, way too much excitement about testing equipment. That deserves its own, separate video, cluttered this one up and repeated endlessly. Bit of a kid in candy store. Your YT stuff is usually way more on point.
Protectli Vault Pro VP6650/VP6670 would be a good comparison at 2-3x the price point.
Great review and tear down. Thank you!
I’d be interested in more content on the blocked attacks metric.
For example, how does your blocked attacks metric for the UCG Fiber compare with the default config of OPNsense?
I’ve had the UCG-Fiber since it was launched, and had the same issue of it struggling under load. Logs showed a lot of “nf_conntrack: table full, dropping packet” errors, and the nf_conntrack limits were set very low (can’t remember what it originally was).
Using Gemini for some rough RAM usage guestimation, I set 1048576 for nf_conntrack entries: 1,048,576 entries×320 bytes/entry≈320 MB, and for nf_conntrack_buckets (hash table, Kernel 5.4, 1:4 ratio: (1,048,576/4) buckets×8 bytes/bucket=262,144×8 bytes≈2 MB)
Works perfectly now!
This or the dream 7 router for home use
I would love to see some of these network stress tests on some of the other units you have recommended over the years. I personally bought one of the Fanless Soft Router Micro Firewall Appliance VPN Router PC i5 off AliExpress back in 2023 and so far with no regrets. I run OPNSense on it and it seems to work like a champ. I like that I can put just about anything on this unit and it keeps on ticking, which is more than I can say of my Minisforum UM890 pro with the Minisforum DEG1 Oculink and an RTX 5070 TI. It has some serious mid game freezes going on, but that is not the main point of this comment.
Please consider running some stress testing with your fancy $1M+ Keysight CyPerf load generation setup on other boxes.
We have access to Keysight CyPerf where I work. I’d like to interject some perspective. Judging by the box they’ve showed it’s over $1M/year to run this. They’re lying saying it’s only $1M.
Costs aside, they’re using a powerful tool. I wish they would also get a RFC-2544 tester so they can do L1-L3 in more detail. That’d be valuable too. Their tool is not really designed for L1-3 instead L4-7. In so many ways that’s harder and more valuable. They’re sandbagging the capabilities they’ve got. I hope they just go on like some test everything binge. All those Sophos, SonicWall, Fortinet, Palo Alto Networks, Juniper and more should support them in this, including their VM firewalls.
This is like Tolly but better and way more visible from everyone from homelabbers to hyperscalers like where I work
While this is a tremendous review / test and much appreciated… Another vote for the firewall test being flawed and actually the throughput testing as well. It also significantly impacts the throughput performance testing to have not reported IDS/IPS on/off. Why possibly with this great test setup would you not tick the box, run it again, and give those results as well?
Frankly I think its obvious the testers overlooked this as an ooopsie and now are making excuses about it being intentional choice. Yes sure I agree some naive buyers of this equipment will “miss the tickbox” so yes for sure the “raw dog” results are worth reporting *also*, but the vast majority of educated buyers *who are not going to implement a 3rd party / outboard firewall* will have that turned on. Both performance and intrusion results should have been done with the built-in freebie IDS/IPS off, and then on. This is kind of basic standard stuff guys. Hopefully we see a follow-up review with a 3-way results aka nothing/Unifi/CyberSecure. Otherwise very interesting review.
JanJanJan hit it exactly – another vote for “Hopefully we see a follow-up review with a 3-way results aka nothing/Unifi/CyberSecure.”
Testing it without IDS/IPS was not very useful for the majority of Ubiquiti users. Most of us know to at least turn on IPS.
Hi,
right on time :).
There is a lot of issues that have been identified with this device and most of them seems to be related to software development and optimizations issues.
Some examples:
https://community.ui.com/releases/UniFi-OS-Cloud-Gateways-4-2-12/7603848f-1dc4-4228-9cdd-459f9f8b017a#comment/e8ba4923-775b-46de-a477-ac47adba1695
A lot of the issues have been solved with the 4.3.9 but a lot are still there …
i’m almost sure that you reached two of issues:
– memory optimization issue , you literally need to an SSD , it will be automatically used as swap ( 1.9 Gbytes ) in order to help solving something but this generate a lot of writes for nothing, if not the box crash …
– Simultaneous supported and offloaded sessions, the product initially supported no more that 4096 sessions , but this was improved to 65535 but again it’s nothing. At that moment conntrack is saturated … You reached that limit and this is why you have been stucked. I was able on my side to solve some of that ( up to 260000 sessions , i’m hosting public NTP stratum 2 on ntp pool , i have my one stratum 0/1 setup relying on multiple GNSS constellations). I shared comment on that but comments have been back from some of the (almost cult brainwashed) guys:
https://community.ui.com/releases/UniFi-OS-Cloud-Gateways-4-4-7/3616808e-3c70-4a1d-b035-c01d7b2a0089#comment/d5da5c36-6a33-48e8-be61-c97b91e6a32c
The product can do again way more …
Fell free to ping me , i can share some of optimizations i add to put in place in order to have something working “better” that the default.
It’s not yet at the same level of offload / performance of the low end Edgerouters relying on Cavium components ( even if they have been limited to 4Gbps/s over Bonding / LACP) but this can be improved …
@quartermaster , attention point regarding the ECM engine:
you have way more than that for the memory usage, you also have have almost 4KB per session consumed by the ECM / Offload engine:
https://community.ui.com/releases/UniFi-OS-Cloud-Gateways-4-4-7/3616808e-3c70-4a1d-b035-c01d7b2a0089#comment/d5da5c36-6a33-48e8-be61-c97b91e6a32c
Corrected myself:
Feel free to ping me, as I can share some of the optimizations I had to implement to make something work better than the default.
It’s not yet at the same level of offloading/performance as low-end Edgerouters that rely on Cavium components (even though they’re limited to 4 Gbps/s over bonding/LACP), but this can be improved.
+1 for Alta Labs Route10! I’m really on the fence between this and the Route10! There’s a severe shortage of Route10 reviews, let alone in-depth analysis
Hi there! Two of my comments (with links to the issues) are currently under review. Let’s hope they get approved soon!
I bought one for the Teleport VPN (Wireguard) feature. It’s dead simple to set up and works like a champ.
The UI is awesome and any issue I had was immediately addressed by Ubiquity. Great support and great product.
I bought this last month or thought I did but got the UXG by accident. €30 cheaper but no cloud key/controller software built in. Cue another $300 and I’ve the UCG. Note: You can’t manage the UXG with another Gateway with an inbuilt controller, you have to buy the AI Gateway, a separate device 1/2 the price of the UCG! Anyway, got it working but missed the small print!
Great review overall.
However, talking about this type of network focused SoCs as if they are just general purpose CPUs is misleading. Hardware offloading is why they are interesting.
As someone with an Atom C3758 based VyOS router as well as a Banana Pi BPI-R4 based on the MediaTek Filogic 880 with similar offloading support running OpenWrt, I’ve noticed that the latter will easily handle 10 Gbps routing with single stream iperf3 tests. The Atom C3758 can’t (even with nftables software flow offloading), at least not without the use of VPP. I assume it’s because it only uses a single CPU core in those situations, but I would happily be proven wrong (if there is a setting I can change).
@Michael Russel: You don’t need to buy anything extra to manage the UXG models. The free UniFi Network Application (usually referred to the Unifi controller) or the UniFi OS container should both work fine as long as you have something else to run them on. This has been the case for UniFi gateways for over a decade at this point, and should presumably be listed on the product page too.
The similarity in naming between the two models can easily be confusing though. You’re not the first person I’ve seen who made the same mistake.
I’m just getting ready to install this at my house. Sounds buggy as heck. Upload is limited to 1gig? Did I make a mistake?
@Dave: It might be worth checking the /r/init7 subreddit to find more user reports of how this works in practice. A lot of people there have 10 or 25 Gbps internet connections and I believe this unit has been popular there. I haven’t checked recently though.
you should add to the picture that it has bluetooth capabilities supposedly,
which adds quite a lot in terms of “noise” , especially when it is not “de-activable”
Thanks for the review/teardown. Got my unit and it’s great so far. However, I’ve now (one week into use) noticed a strange noise coming out of the unit. It’s a grinding noise that goes rrrrrRRRRRrrrrrrRRRRRrrrrrr (best I can describe this). When tilting the unit to its side (vertical orientation) the noise reduces significantly but doesn’t go away. I think it has to do with the fan and it’s concerning long term. The unit works fine and exhausts warm air but I don’t think it’s supposed to be like that. I was going to open it up but given how difficult it is and I will most definitely damage it, I’m now wondering if I should just live with that noise (not that audible in vertical orientation; my NAS makes more noise) or consider contacting ubiquiti and try to replace it. Appreciate any feedback. Thanks.
In regard to SETI 5000, I have a symmetrical 1G connection with Altafiber connected to port 7 of the UCG Fiber. My router speedtest also shows lower upload speed, 1.09 Gbps down and 698 Mbps up. But the speedtest result on a wired ubuntu server client shows symmetrical 928 Mbps.