Ubiquiti UniFi Cloud Gateway Fiber UCG-Fiber Internal Hardware Overview
When Sam was taking photos, we realized why so few of these have been opened up. The unit is not easy to get into. Eventually, I just OK’d Sam to destroy one of the units to get it open.

Inside, the design was far more elegant than we expected. Instead of this being a PCB between two pieces of plastic, Ubiquiti has a lot more going on here, including metal layers.

Here is a look at the PCB once it is open.

The thermal pad was covering the main CPU.

Here are the Realtek chips on the 2.5GbE port side.

Here is the Qualcomm CPU package with its memory.

This is a quad-core Arm Cortex A73 design with 3GB of memory total. That is not a huge CPU, but it is a decent one. Something to keep in mind is that this should be slower than something like an Intel Atom C3758. Folks ask if the C3758 is enough for 10GbE networking, like when we did The Everything Fanless Home Server Firewall Router and NAS Appliance piece. For 10GbE networking, you simply do not need that much CPU performance and offload. In our high-end Keysight CyPerf tool, we can get away with generating complex traffic on the 10G ports without even needing DPDK, which we need at 50G+ speeds on the same machine.

Here is one of the memory packages.

Here is the other.

Overall, this seems to be a Realtek and Qualcomm powered device.

Another small item to note is that there is a lot going on here, such as the ribbon cable to power the front display.

Taking out the PCB, we can see even more metal and an internal fan. It might not sound like a big deal, but in edge devices, dust accumulation is often an issue. One challenge with this design is that it does not lend itself to easy cleaning of the fan or to fan replacement in the future. It is not easy to get this far into the chassis, so our guess is that when the fan gets clogged, it would be a replacement rather than a repair item for most folks.

Here is a shot of the fan. Something a bit strange is that, despite there not being a DC barrel jack locking/retention mechanism on the gateway, the fan is glued onto the PCB.

Here is the other side of the PCB.

Here is the EFD20 661 2512H.

Here is what appears to be a Samsung eMMC package.

Overall, this is a much more complex design than we were expecting for a device in this price class.
Ubiquiti UniFi Cloud Gateway Fiber UCG-Fiber Management
On the management side, Ubiquiti has a ton of integration and an easy-to-use interface.

It also does a good job of showing you flows of traffic through the device graphically.

It is also very graphical so you can see devices and filter and click things for more detail.

You can also see Ubiquiti devices that are attached specifically.

There are plenty of resources on the Ubiquiti UI out there. If you are coming from an OPNsense, pfSense, or even an OpenWRT-based solution, you might end up lost looking for detailed settings. Ubiquiti has a user flow in mind that does not involve putting every setting wrapped in a web GUI in as shallow a menu structure as possible. For many, that is absolutely perfect and oftentimes too much. If you come from a world of more complexity, this will seem simplistic.
Next, let us get to the performance.



Perfect timing for this review for me, thinking of picking it up.
For the Fluke meter test, we had an issue with Aruba APs and Cisco Switches where LLDP had to be enabled to get proper PoE values sent to the APs.
If LLDP was off, the Cisco switch would only output 15w or 30w, with it enabled PoE values would drop to 24.5w.
With all that being said, I wonder if enabling or disabling LLDP would change the results of the Fluke meter’s test.
You’ve got to love STH comments like Scotty’s. It’s so technical here. I’d say it’s a finding in either case that I’ve never seen elsewhere except for older UI devices
I’ve got to say, this is one of the best reviews. I’ve always thought Ubiquiti reviews elsewhere lacked any balance. You’re right that I’ve never seen inside this, and I’ve read and watched so many reviews. You’ve shown and articulated both where there are shortcomings and why for $279 they’re expected. STH knocked this one out of the park
Hi Patrick love this review and how in-depth it is. But I do have a question, when you were performing the attack test against the UCG-Fiber could you clarify if you left the Intrusion Prevention setting “Off”? You can turn this on and configure it without a subscription, Ubiquiti provides regular definition updates and IPS categories.
The premium / subscription version is something else entirely to my understanding, though I haven’t tried it.
Justin you are correct. It was off. The reason is twofold:
1. We wanted to show the default behavior since we were showing failure modes and did not want folks to think we had firewall rules impacting that. Also, I went into this in the video but many will buy a firewall, and not turn on the firewall features. I worry about that less on DIY firewalls and $1k+ firewalls, but in this segment of the market, it happens a lot.
2. We are still honing the security and also the VPN testing protocols we will use. I made the call that I did not want to publish before we had those set. My goal is that we continue to add more testing over time, but I want folks to be able to compare historical data.
The profiling may seem simple, but just to give you some sense, we have had this box up since August, and the UCG-Fiber was literally the first low-speed DUT we used. It has taken some time to get a sense of the application mixes we wanted to show.
This is all not a fast process, but the goal is to get going and then improve. Part of that is really running the test protocol through a bunch of devices to see if there is anything obvious that is not working.
Top left chip is the RTL8238B which appears to be POE controller.
The main switch chip is RTL8372N, which appears to have one 10Gbit link to the core, and another 10Gbit link to the rj45 wan port via TRL8261BEI transceiver
The 2x SFP+ cages appear to be routed direct to the core
The core appears to be one of the (IPQ9570)(Pro 1620) series which has a pretty wide range of options
https://www.qualcomm.com/content/dam/qcomm-martech/dm-assets/documents/Networking-Pro-1620-product-brief_87-PW325-1.pdf
Just so you all know, there is a big flaw with this device if you want to utilize a faster than 1GB fiber WAN connection. Upload speeds are currently capped at half of what they should be. I have tried converting one of the 2.5GB ports to a WAN connection, using the POE 10GB WAN port and even purchasing a 10GB SFP+ to Ethernet (Ubiquiti branded). All of these will cap my 2GB fiber upload to around 1 to 1.1GBps. There is no issue with download speed at this time.
Can you please review the Alta Labs Route10 as the sister/competitor device to this unit? I believe they even share the same CPU: IPQ9574.
The memory chips look like 16Gbit/2GByte, either 2Gx8 or 1Gx16 DDR4 3200 or similar.
Something like k4aag085wa-bcwe or k4aag165wa-bcwe
I wonder if they are running some sort of ECC/parity mode and that’s why it’s only specced at 3GB, or if 1GB is used for a RAM drive of some sort?
As an Alta Lab Route10 owner, I’d be interested in seeing a review too – mainly so I can see if I was right to buy a Route10 and not wait for the UCG fibre :)
“For 10GbE networking, you simply do not need that much CPU performance and offload.”
That really depends on what you’re doing, doesn’t it? Just NAT is one thing, complex firewall rules are entirely another, at least potentially. And then, there’s the question of small packets. If you’re the victim of a DoS attack, you’re looking at ~1.4Mpps for every Gbps of traffic. So if this box can handle ~1Mpps, it will fail even if the DoS doesn’t fill your channel completely.
That may be outside the expected performance of a $279 box too, but honestly I think this is a vastly more important and interesting performance question than the ones actually asked and answered. I hope that this will get a lot more attention with your new all-singing-all-dancing CyPerf.
Also, unrelated side note… the back of the board where the CPU (I think) is is a heck of a mess.
On the note about the WAN port being 1/2.5/10G, on my setup (a UCG Fiber hooked up to an AT&T BGW320), that port negotiated at 5G without any issues.
The one thing that made me power off my UDM Pro Max and use the gateway fiber is that unlike the UDM systems, this processor does PPPoE offload. For my 3Gb ISP the UDM would lose its mind over 2.5 Gb at 100% CPU whereas the Gateway Fiber barely breaks a sweat. Now if they would only use that proc in a proper rackmount device…
JM and Korev – I responded to a comment on YT, but I saw a Route10 on the photo/ B-roll set before I left the studio this afternoon.
Agree with @smax. The WAN port is absolutely capable of 5G.
The fact that this device locks up and stops passing traffic with more than 2048 users to me suggests a buffer overflow in the firmware. This may not be ideal for security.
Thank you! But I would really be very very very interested how good the protection (and performance) would be with no IDS/IPS vs stock IDS/IPS vs 99$ subscription IDS/IPS.
I came here for the complete story after viewing the video. 99% of the attacks coming through scared me, but here I read that this was with IDS/IPS off.
So, indeed: I’m also very interested to see the comparison No IDS/IPS vs stock IDS/IPS vs 99$ subscription vs a Sonicwall or other solution.
I know this is a lot of work, but it’ll be very much appreciated by a LOT of people worldwide.
No sales pitch for Unifi or their subscription, but just the real facts so we can make a good informed decision.
Looking forward to the security side of things comparison.
The YT video though left me scratching my head. Script was all over the place, repeating things, way too much excitement about testing equipment. That deserves its own, separate video, cluttered this one up and repeated endlessly. Bit of a kid in candy store. Your YT stuff is usually way more on point.
Protectli Vault Pro VP6650/VP6670 would be a good comparison at 2-3x the price point.
Great review and tear down. Thank you!
I’d be interested in more content on the blocked attacks metric.
For example, how does your blocked attacks metric for the UCG Fiber compare with the default config of OPNsense?
I’ve had the UCG-Fiber since it was launched, and had the same issue of it struggling under load. Logs showed a lot of “nf_conntrack: table full, dropping packet” errors, and the nf_conntrack limits were set very low (can’t remember what it originally was).
Using Gemini for some rough RAM usage guesstimation, I set 1048576 for nf_conntrack entries: 1,048,576 entries × 320 bytes/entry ≈ 320 MB, and for nf_conntrack_buckets (hash table, Kernel 5.4, 1:4 ratio: (1,048,576 / 4) buckets × 8 bytes/bucket = 262,144 × 8 bytes ≈ 2 MB)
Works perfectly now!
This or the dream 7 router for home use
I would love to see some of these network stress tests on some of the other units you have recommended over the years. I personally bought one of the Fanless Soft Router Micro Firewall Appliance VPN Router PC i5 off AliExpress back in 2023 and so far with no regrets. I run OPNSense on it and it seems to work like a champ. I like that I can put just about anything on this unit and it keeps on ticking, which is more than I can say of my Minisforum UM890 pro with the Minisforum DEG1 Oculink and an RTX 5070 TI. It has some serious mid game freezes going on, but that is not the main point of this comment.
Please consider running some stress testing with your fancy $1M+ Keysight CyPerf load generation setup on other boxes.
We have access to Keysight CyPerf where I work. I’d like to interject some perspective. Judging by the box they’ve shown it’s over $1M/year to run this. They’re lying saying it’s only $1M.
Costs aside, they’re using a powerful tool. I wish they would also get an RFC-2544 tester so they can do L1-L3 in more detail. That’d be valuable too. Their tool is not really designed for L1-3 instead L4-7. In so many ways that’s harder and more valuable. They’re sandbagging the capabilities they’ve got. I hope they just go on like some test everything binge. All those Sophos, SonicWall, Fortinet, Palo Alto Networks, Juniper and more should support them in this, including their VM firewalls.
This is like Tolly but better and way more visible from everyone from homelabbers to hyperscalers like where I work
While this is a tremendous review / test and much appreciated… Another vote for the firewall test being flawed and actually the throughput testing as well. It also significantly impacts the throughput performance testing to have not reported IDS/IPS on/off. Why possibly with this great test setup would you not tick the box, run it again, and give those results as well?
Frankly I think it’s obvious the testers overlooked this as an ooopsie and now are making excuses about it being intentional choice. Yes sure I agree some naive buyers of this equipment will “miss the tickbox” so yes for sure the “raw dog” results are worth reporting *also*, but the vast majority of educated buyers *who are not going to implement a 3rd party / outboard firewall* will have that turned on. Both performance and intrusion results should have been done with the built-in freebie IDS/IPS off, and then on. This is kind of basic standard stuff guys. Hopefully we see a follow-up review with a 3-way results aka nothing/Unifi/CyberSecure. Otherwise very interesting review.
JanJanJan hit it exactly – another vote for “Hopefully we see a follow-up review with a 3-way results aka nothing/Unifi/CyberSecure.”
Testing it without IDS/IPS was not very useful for the majority of Ubiquiti users. Most of us know to at least turn on IPS.
Hi,
Right on time :).
There are a lot of issues that have been identified with this device and most of them seem to be related to software development and optimization issues.
Some examples:
https://community.ui.com/releases/UniFi-OS-Cloud-Gateways-4-2-12/7603848f-1dc4-4228-9cdd-459f9f8b017a#comment/e8ba4923-775b-46de-a477-ac47adba1695
A lot of the issues have been solved with the 4.3.9 but a lot are still there …
I’m almost sure that you reached two of the issues:
– Memory optimization issue: you literally need an SSD, it will be automatically used as swap (1.9 Gbytes) in order to help solve something, but this generates a lot of writes for nothing; if not, the box crashes …
– Simultaneous supported and offloaded sessions: the product initially supported no more than 4096 sessions, but this was improved to 65535, but again it’s nothing. At that moment conntrack is saturated … You reached that limit and this is why you have been stuck. I was able on my side to solve some of that (up to 260000 sessions, I’m hosting public NTP stratum 2 on ntp pool, I have my own stratum 0/1 setup relying on multiple GNSS constellations). I shared a comment on that but comments have been back from some of the (almost cult brainwashed) guys:
https://community.ui.com/releases/UniFi-OS-Cloud-Gateways-4-4-7/3616808e-3c70-4a1d-b035-c01d7b2a0089#comment/d5da5c36-6a33-48e8-be61-c97b91e6a32c
The product can do again way more …
Feel free to ping me, I can share some of the optimizations I had to put in place in order to have something working “better” than the default.
It’s not yet at the same level of offload / performance of the low end Edgerouters relying on Cavium components (even if they have been limited to 4Gbps/s over Bonding / LACP) but this can be improved …
@quartermaster, attention point regarding the ECM engine:
you have way more than that for the memory usage, you also have almost 4KB per session consumed by the ECM / Offload engine:
https://community.ui.com/releases/UniFi-OS-Cloud-Gateways-4-4-7/3616808e-3c70-4a1d-b035-c01d7b2a0089#comment/d5da5c36-6a33-48e8-be61-c97b91e6a32c
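The conntrack sizing and "table full" symptom from the comments above, worked through as an added example that is not part of the original comments or of Ubiquiti's firmware. The 320 bytes/entry, 8 bytes/bucket, 1:4 ratio and "almost 4KB per session" figures are the commenters' estimates; the 80% warning threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: conntrack sizing and exhaustion check for a Linux gateway.
# Per-entry costs are the commenters' estimates, not measured values.
ENTRY_BYTES=320    # bytes per conntrack entry (estimate quoted above)
BUCKET_BYTES=8     # bytes per hash bucket (estimate quoted above)
BUCKET_RATIO=4     # entries per bucket (the 1:4 ratio quoted above)
WARN_PCT=80        # assumed warning threshold, not from the page

# Bytes needed for $1 entries; $2 = extra bytes per offloaded session (0 = none).
conntrack_mem_bytes() {
    buckets=$(($1 / BUCKET_RATIO))
    echo $(($1 * ENTRY_BYTES + buckets * BUCKET_BYTES + $1 * ${2:-0}))
}

# Integer percentage of the table in use: $1 = count, $2 = max.
conntrack_util_pct() {
    if [ "$2" -gt 0 ]; then echo $(($1 * 100 / $2)); else echo 0; fi
}

# Count kernel "table full" drops in a log read on stdin.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# $1 = count, $2 = max, $3 = drops seen in the log -> OK | WARN | FULL
conntrack_status() {
    pct=$(conntrack_util_pct "$1" "$2")
    if [ "$3" -gt 0 ] || [ "$pct" -ge 100 ]; then echo FULL
    elif [ "$pct" -ge "$WARN_PCT" ]; then echo WARN
    else echo OK
    fi
}

# Constructed kernel log lines for an offline run.
SAMPLE_LOG='[ 1021.331] nf_conntrack: table full, dropping packet
[ 1021.402] br0: port 3(eth2) entered forwarding state
[ 1022.010] nf_conntrack: table full, dropping packet'

# Use live counters when present, otherwise constructed values.
count_f=/proc/sys/net/netfilter/nf_conntrack_count
max_f=/proc/sys/net/netfilter/nf_conntrack_max
if [ -r "$count_f" ] && [ -r "$max_f" ]; then
    count=$(cat "$count_f" 2>/dev/null || echo 0)
    max=$(cat "$max_f" 2>/dev/null || echo 0)
else
    count=65000; max=65535
fi
drops=$(printf '%s\n' "$SAMPLE_LOG" | count_table_full)
pct=$(conntrack_util_pct "$count" "$max")
echo "in use: $count/$max (${pct}%), status: $(conntrack_status "$count" "$max" "$drops")"
mib=$((1024 * 1024))
echo "1048576 entries, conntrack only: $(( $(conntrack_mem_bytes 1048576 0) / mib )) MiB"
echo "1048576 entries, all offloaded:  $(( $(conntrack_mem_bytes 1048576 4096) / mib )) MiB"
```

If the 4 KB per-session figure holds, a fully offloaded 1,048,576-entry table works out to more than the 3GB of memory the review lists, so the limit is worth sizing against offloaded sessions as well as conntrack entries.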
Corrected myself:
Feel free to ping me, as I can share some of the optimizations I had to implement to make something work better than the default.
It’s not yet at the same level of offloading/performance as low-end Edgerouters that rely on Cavium components (even though they’re limited to 4 Gbps/s over bonding/LACP), but this can be improved.
+1 for Alta Labs Route10! I’m really on the fence between this and the Route10! There’s a severe shortage of Route10 reviews, let alone in-depth analysis
Hi there! Two of my comments (with links to the issues) are currently under review. Let’s hope they get approved soon!
I bought one for the Teleport VPN (Wireguard) feature. It’s dead simple to set up and works like a champ.
The UI is awesome and any issue I had was immediately addressed by Ubiquiti. Great support and great product.
I bought this last month or thought I did but got the UXG by accident. €30 cheaper but no cloud key/controller software built in. Cue another $300 and I’ve the UCG. Note: You can’t manage the UXG with another Gateway with an inbuilt controller, you have to buy the AI Gateway, a separate device 1/2 the price of the UCG! Anyway, got it working but missed the small print!
Great review overall.
However, talking about this type of network focused SoCs as if they are just general purpose CPUs is misleading. Hardware offloading is why they are interesting.
As someone with an Atom C3758 based VyOS router as well as a Banana Pi BPI-R4 based on the MediaTek Filogic 880 with similar offloading support running OpenWrt, I’ve noticed that the latter will easily handle 10 Gbps routing with single stream iperf3 tests. The Atom C3758 can’t (even with nftables software flow offloading), at least not without the use of VPP. I assume it’s because it only uses a single CPU core in those situations, but I would happily be proven wrong (if there is a setting I can change).
@Michael Russel: You don’t need to buy anything extra to manage the UXG models. The free UniFi Network Application (usually referred to as the UniFi controller) or the UniFi OS container should both work fine as long as you have something else to run them on. This has been the case for UniFi gateways for over a decade at this point, and should presumably be listed on the product page too.
The similarity in naming between the two models can easily be confusing though. You’re not the first person I’ve seen who made the same mistake.
I’m just getting ready to install this at my house. Sounds buggy as heck. Upload is limited to 1gig? Did I make a mistake?
@Dave: It might be worth checking the /r/init7 subreddit to find more user reports of how this works in practice. A lot of people there have 10 or 25 Gbps internet connections and I believe this unit has been popular there. I haven’t checked recently though.
You should add to the picture that it has Bluetooth capabilities supposedly,
which adds quite a lot in terms of “noise”, especially when it is not “de-activable”
Thanks for the review/teardown. Got my unit and it’s great so far. However, I’ve now (one week into use) noticed a strange noise coming out of the unit. It’s a grinding noise that goes rrrrrRRRRRrrrrrrRRRRRrrrrrr (best I can describe this). When tilting the unit to its side (vertical orientation) the noise reduces significantly but doesn’t go away. I think it has to do with the fan and it’s concerning long term. The unit works fine and exhausts warm air but I don’t think it’s supposed to be like that. I was going to open it up but given how difficult it is and I will most definitely damage it, I’m now wondering if I should just live with that noise (not that audible in vertical orientation; my NAS makes more noise) or consider contacting Ubiquiti and try to replace it. Appreciate any feedback. Thanks.
In regard to SETI 5000, I have a symmetrical 1G connection with Altafiber connected to port 7 of the UCG Fiber. My router speedtest also shows lower upload speed, 1.09 Gbps down and 698 Mbps up. But the speedtest result on a wired Ubuntu server client shows symmetrical 928 Mbps.