Ubiquiti – Ostrich blog (https://ostrich.kyiv.ua), feed generated Mon, 20 Oct 2025 20:57:44 +0000

How to recover a bricked UXG-Lite gateway
https://ostrich.kyiv.ua/en/2025/10/20/how-to-recovery-bricked-uxg-lite-gateway/
Mon, 20 Oct 2025 20:57:41 +0000

When I first got my Ubiquiti UXG-Lite gateway, I was excited to set it up and integrate it into my UniFi network. The device is powerful, minimalistic, and designed for professional-grade routing – but even the best hardware can run into trouble when firmware updates go wrong.

In this article, I’ll share my personal experience of how my brand-new UXG-Lite became completely unresponsive after a firmware update – and how I managed to bring it back to life using Recovery Mode. If you’ve accidentally “bricked” your UXG-Lite, this guide will help you recover it safely.

Introduction

I bought a new Ubiquiti UXG-Lite gateway and connected it for the first time. It was successfully adopted by my self-hosted UniFi Network Application server running on a Raspberry Pi. I configured almost all of my network settings and was ready to finish the setup.

Then I saw a notification that a new firmware version was available. Great! I decided to upgrade immediately – a perfect way to wrap up my network day. However, after the router automatically rebooted, the nightmare began!

  • The gateway refused to adopt. The UniFi interface kept showing messages like “Reset device to adopt”. After rebooting my switch, I completely lost network connectivity.
  • Neither my UniFi switch nor my AP received IP addresses, and even my laptop couldn’t get an IP when directly connected to the LAN port of the UXG-Lite.
  • To make things worse, the UniFi mobile app didn’t send any Bluetooth setup notifications, leaving me with no way to re-adopt the router.

I spent over two hours troubleshooting and chatting with Ubiquiti support – but without any working solution.

The reason for the failure

The problem turned out to be related to the firmware update sequence. My device was updated directly from the factory firmware v3.1.15 to v4.3.2, skipping several intermediate versions. This large version jump caused the system to fail during initialization.

To resolve the issue, I had to downgrade the firmware from v4.3.2 to v4.1.13, which restored the gateway to working condition.

Prepare UXG-Lite and PC

There’s only one way to perform a firmware downgrade – by using Recovery Mode. The process is simple and takes just a few steps.

  1. Download the firmware – Go to the official Ubiquiti website and download the firmware file you want to install. In my case, I downloaded version 4.1.13.
  2. Configure your PC network settings – Set a static IP address in the 192.168.1.0/24 subnet. When I performed the recovery, I used 192.168.1.11.
  3. Boot the UXG-Lite into Recovery Mode
    • Power off the UXG-Lite.
    • Using a toothpick or paperclip, press and hold the Reset button.
    • While holding the button, power on the router.
    • Keep holding for about 15 seconds, then release the button.
    • Connect your PC to the LAN port of the UXG-Lite.

Recovery process

In Recovery Mode, the gateway uses the reserved IP address 192.168.1.30. Open this address in a web browser – you should see the Recovery Mode interface.

This page displays system information and available recovery actions. In my case, it showed the current firmware version v4.3.2.33ac906. For safety, I checked the file system before proceeding.

Next, upload the firmware file you downloaded earlier.

The downgrade process will start automatically and usually takes about 2 minutes. Once it’s complete, you’ll see a confirmation message and the new firmware version displayed on the page.

Finally, click the Reboot button to restart your UXG-Lite.

Enjoy!

Conclusion

After the reboot, the gateway started working normally again – it was successfully adopted and became fully functional.

If your UXG-Lite becomes unresponsive after an update, don’t panic. Recovery Mode is your best friend. Just follow the steps above carefully, and you’ll bring your device back to life.

Firmware updates can occasionally fail, especially when jumping across major versions. To avoid this issue in the future, I recommend upgrading step-by-step through intermediate versions rather than directly to the newest release.

Finding the IP Network List on a UniFi Gateway via SSH
https://ostrich.kyiv.ua/en/2025/10/20/finding-the-ip-network-list-on-a-unifi-gateway-via-ssh/
Mon, 20 Oct 2025 19:05:43 +0000

I have a Postfix mail server, and I regularly check its logs to identify junk IP addresses. On my UniFi Ubiquiti gateway, I created a blacklist to block this suspicious activity. For me, it’s a good idea to block unwanted IPs directly on the router, using its filtering power.

Over time, the list has grown to more than 200 IP addresses. When I tried to copy and paste this IP list from the UniFi web interface, I noticed that only the visible IPs were copied – all others, hidden by scrolling, were ignored. Since I didn’t want to manually copy the list six entries at a time, I decided to extract the IPs in another way.

New name and location of the list

After upgrading the UniFi Network Application to version 9.5.21, the Network Objects were renamed to Network Lists.
The UI uses lazy loading, meaning only visible elements are loaded in the browser window. Therefore, when copying manually, I can only get the IPs that are currently displayed.

To view IP Network Lists in the UniFi Cloud Network Application or a self-hosted UniFi instance, do the following:

  1. Open Settings
  2. Click the Overview menu
  3. Scroll down to find the Network Lists section

Where is the IP Network List located?

I know that the UniFi gateway runs on a Linux-based OS, which means it uses iptables and ipset to manage network rules.
The name of my Network List is Postfix Blacklist, which helps me locate the corresponding rule quickly. To find this list, I need to connect to the gateway via SSH.

Connect to gateway via SSH

Before connecting, I need to make sure that SSH access is enabled. For cloud-based gateways such as UCG Max, this option is found in:

Settings → Control Plane → Console tab

If SSH is disabled, enable it and set a password. Once it’s active, connect using the root account:

ssh [email protected]

Find the IP list

After connecting, I can list all ipset entries using the following command:

sudo ipset list

I found my blacklist under the section named:

UBIOS46894dcc581515d0a7d85e9ba

Example output:

Name: UBIOS46894dcc581515d0a7d85e9ba
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 10000
Size in memory: 6976
References: 1
Number of entries: 312
Members:
162.142.125.216
204.76.203.231
23.185.120.116
...
128.14.236.41
147.185.133.191
20.163.60.142

The corresponding configuration file is located at:

/data/udapi-config/udapi-net-cfg.json

Now I can manage this list directly from the console — copy, export, or edit the data as I need.
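As an added example (not part of the original post), the POSIX shell script below works on a saved copy of the `ipset list` output: it summarises every set so the opaque UBIOS* name can be located by its entry count, extracts the members of one set, and goes one step beyond the post by comparing that blacklist against the failed-login sources in a Postfix log, the workflow described at the top of this article. The set names, addresses and log lines are constructed for the demo, and the mail-log parsing assumes the standard Postfix smtpd "SASL ... authentication failed" warning format.

```shell
#!/bin/sh
# Added example, not from the original post: work with the text dump of
# `ipset list` saved from the gateway, e.g.
#   ssh root@<gateway-ip> ipset list > ipsets.txt
# and compare the blacklist against failed-login sources in a Postfix log.
# All set names, addresses and log lines below are constructed for the demo.

set -e

# Print "name type entries" for every set in an `ipset list` dump on stdin,
# which helps to spot the opaque UBIOS* set that holds the blacklist.
ipset_summary() {
    awk '
        /^Name: /              { name = $2 }
        /^Type: /              { type = $2 }
        /^Number of entries: / { print name, type, $4 }
    '
}

# Print the members of the set named $1 from an `ipset list` dump on stdin.
ipset_members() {
    awk -v wanted="$1" '
        /^Name: /   { cur = $2; inmem = 0; next }   # a new set starts here
        /^Members:/ { inmem = (cur == wanted); next }
        /^$/        { inmem = 0; next }              # blank line ends the set
        inmem       { print $1 }                     # hash:net entries may carry /prefix
    '
}

# Print "ip count" for every client that failed SASL authentication,
# from Postfix smtpd log lines on stdin, most frequent first.
postfix_failed_auth() {
    awk '
        /postfix\/smtpd/ && /SASL [A-Z]+ authentication failed/ {
            # the client address is the first dotted quad in square brackets
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
                n[ip]++
            }
        }
        END { for (ip in n) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# Given the failed-auth table on stdin and a members file in $1, print the
# offending IPs that are not yet in the blacklist (exact host matches only;
# a /8 or /16 entry covering the host is not detected here).
not_yet_blocked() {
    awk -v members="$1" '
        BEGIN {
            while ((getline line < members) > 0) { sub(/\/32$/, "", line); have[line] = 1 }
        }
        !($1 in have) { print $1 }
    '
}

# Constructed `ipset list` dump: a filler set plus the Postfix blacklist set.
SAMPLE_IPSETS=$(cat <<'EOF'
Name: UBIOS0000000000000000000000000
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 10000
Size in memory: 512
References: 1
Number of entries: 1
Members:
10.0.0.0/8

Name: UBIOS46894dcc581515d0a7d85e9ba
Type: hash:net
Revision: 6
Header: family inet hashsize 64 maxelem 10000
Size in memory: 6976
References: 1
Number of entries: 3
Members:
198.51.100.7
203.0.113.42
192.0.2.10
EOF
)

# Constructed Postfix log excerpt (documentation addresses only).
SAMPLE_MAILLOG=$(cat <<'EOF'
Oct 20 21:00:01 mail postfix/smtpd[2201]: warning: unknown[203.0.113.42]: SASL LOGIN authentication failed: authentication failure
Oct 20 21:05:02 mail postfix/smtpd[2208]: warning: unknown[203.0.113.42]: SASL LOGIN authentication failed: authentication failure
Oct 20 21:07:15 mail postfix/smtpd[2211]: warning: unknown[198.51.100.99]: SASL PLAIN authentication failed: authentication failure
Oct 20 21:10:03 mail postfix/smtpd[2215]: warning: unknown[203.0.113.42]: SASL LOGIN authentication failed: authentication failure
Oct 20 21:12:40 mail postfix/smtpd[2219]: connect from mx.example.org[192.0.2.55]
EOF
)

BLACKLIST=UBIOS46894dcc581515d0a7d85e9ba
members_file=$(mktemp)
printf '%s\n' "$SAMPLE_IPSETS" | ipset_members "$BLACKLIST" > "$members_file"

printf '%s\n' "$SAMPLE_IPSETS" | ipset_summary
printf '%s\n' "$SAMPLE_MAILLOG" | postfix_failed_auth | not_yet_blocked "$members_file"
rm -f "$members_file"
```

Run against real data, replace the two sample variables with `cat ipsets.txt` and `cat /var/log/mail.log`; the last line printed is the list of attackers that the gateway does not block yet.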

Conclusion

By exploring how UniFi gateways manage firewall and network lists internally, I found that it’s possible to bypass the visual limitation of the UniFi interface and access the complete blacklist directly from the system.

This approach is especially useful for administrators who regularly monitor and block spam or malicious IPs at the network level.
Managing lists through SSH provides more control, easier backup options, and the ability to automate updates – something that the web UI currently limits.

Blocking suspicious IPs directly at the gateway remains one of the most efficient ways to protect the network and reduce unwanted traffic to the mail server.

Ubiquiti replacement under the RMA program
https://ostrich.kyiv.ua/en/2025/09/09/ubiquiti-replacement-under-the-rma-program/
Tue, 09 Sep 2025 18:13:28 +0000

I recently had to go through the process of returning a Ubiquiti UXG-Lite router under the RMA program due to a hardware failure. This experience turned out to be interesting not only from a technical point of view, but also from the point of view of international logistics and warranty conditions. In this post I describe each stage in detail.

What is an RMA?

RMA (Return Merchandise Authorization) is an official procedure for returning equipment to the manufacturer for diagnosis, repair or replacement. In other words, this is a kind of “permission to return”, which confirms that the manufacturer has recognized the device as defective and is ready to accept it back.

For Ubiquiti, RMA is a key element of after-sales service. If a user has hardware problems that cannot be solved by updating the firmware or changing the settings, the support service, after analyzing logs and tests, can issue an RMA authorization. The device is then sent to the manufacturer’s service center, where it is checked and, depending on the terms of the warranty and the nature of the fault, repaired or replaced with a new unit.

Background and problem with the router

On July 14, 2025, I first encountered a problem: the internet was gone, while the indicators on the equipment lit up as usual. The ISP confirmed that the problem was not on their end but within my network. Restarting the gateway did not improve the situation. Only restarting the switch briefly restored connectivity, but then the problem recurred. I checked the cable between the gateway and the switch – it was good, which I confirmed with an RJ45 tester. I collected diagnostic support files from the equipment and handed them over to Ubiquiti technical support.

A few days later, another, more serious problem appeared: the UXG-Lite gateway began to reboot periodically, while CPU usage reached 100%. In the logs, errors about WHO- packets appeared along with an HLOS Panic [0x47] notice. I suspected it might be related to the known vulnerability CVE-2023-33063 in the Qualcomm IPQ5018 chipset (on which the UXG-Lite is based). This bug causes memory corruption and a system crash. I even asked support whether there was a patch – they replied that the information had been passed on to the developers for future updates.

On July 27–29, 2025, the situation repeated every day:

  • The network worked for 12–24 hours
  • Then the gateway suddenly lost the br0 interface (the core VLAN bridge)
  • Recovery was possible only after a hard reboot

Based on these symptoms, I received support’s final conclusion:

“Loss of interface br0 indicates an internal failure. This is a hardware issue that is unrelated to the software part and cannot be fixed by firmware.”

2025-07-26T12:23:26+03:00 UXGLite systemd-networkd[1279]: br0: Link DOWN
2025-07-26T12:23:26+03:00 UXGLite systemd-networkd[1279]: br0: Lost carrier

This means that the device’s primary network bridge occasionally just “fell off”, which led to the disconnections. Support officially recommended that I submit an RMA request to replace the device.

Stages of the RMA process

Ubiquiti’s official RMA system shows six statuses through which a request goes. Of course, there are intermediate stages, such as sending the router and receiving it. Upon completion of the process I took a final screenshot, and in this post I will describe each stage in detail.

Sending a request

July 28

This is the first stage, in which I act as the initiator of the request. Of course, in order to submit a claim, there must be some proof that the device is faulty, such as a photo of the damage or a report from the support service with evidence in the form of logs. So I submitted a request with the following text:

Application approval

July 29

The next day, the application was approved without any comments. From the day the application is approved, the user has 30 days to send the device. I understood that my router was unstable, but I decided to continue analyzing the problem for another 10 days, working closely with support.

Sending the router to the Netherlands

August 8

After the application was approved, I was given the following recommendations for shipping and packing the router:

  • Print the packing slip and put it inside the box.
  • Make sure the sticker with the MAC address on the device is readable.
  • No need to send original packaging or accessories.
  • If it is part of a kit, it must be returned in its entirety (this is the rule for the AmpliFi Kit, but the UXG-Lite is a separate device).

I packed the router as recommended and sent it to the Netherlands. I paid 544 hryvnias for international shipping, which is equivalent to $13. In the Awaiting RMA Item window I confirmed the shipment by clicking the “Mark as Sent” link. After that, the status was updated to “Product Sent”.

Now it remained to wait for the device to be accepted and checked, and for a replacement to be sent to me.

Receipt of the router by the RMA

September 2

The national post of Ukraine, Ukrposhta, delivered the package to the Netherlands quite quickly – within a week – but it was delayed at Dutch customs. I decided to notify the RMA manager about this so that the company could resolve the customs issues and speed up receipt of the router. The router stayed at customs for more than two weeks until it was cleared. It turned out that in the Netherlands duty is charged on any product, so Ubiquiti paid an additional €33.63, which caused the delay in logistics.

  • August 15 – Request for payment of shipment costs sent
  • August 27 – Payment for shipment costs received

The total delivery time was 3 weeks.

Testing UXG-Lite

September 2

On the day the router was received, RMA specialists tested it, and I received an email about this. This message is usually sent together with the receipt notification.

Ubiquiti has received your item. It will be inspected, then either repaired or replaced.

Fulfillment

September 2

Literally in half an hour I received another message about changing the status to “Fulfillment”. Such a quick reaction is most likely due to the fact that the shipment is created electronically through the postal service.

Sending the router to me

September 2

When I had already physically sent the router by mail to the Netherlands, support told me that the RMA service does not ship devices back to Ukraine, so they asked me for another receiving address in the EU:

“we do not ship to Ukraine. Do you have an alternative EU address where we could ship the replacement?”

Fortunately, I can use the services of a remote warehouse in Poland, so I sent a new address, which was passed on to the RMA service. A shipment to this address was created on the same day. Of course, the route Netherlands -> Poland -> Ukraine is longer in time and more expensive, because the last leg of the shipment is at my expense.

  • Dispatch Netherlands -> Poland was handled by the logistics company FedEx, paid by Ubiquiti, and took only 2 days
  • Dispatch Poland -> Ukraine was handled by the Ukrainian logistics company Meest at my expense; I paid €7.5 and it took 7 days

Receiving the device

September 9

I received a notification from the postal company Meest that the package was already at the branch and could be picked up. I was surprised by the size of the box, which was twice the size of the original packaging. After opening the shipping box, I saw a new UXG-Lite router, but of the European revision.

A surprising moment with the warranty

The official warranty for the UXG-Lite router is 1 year. At the time of my request, the warranty period had long passed. However, after diagnosis, technical support still approved the RMA – obviously given the nature of the malfunction and the confirmation that the device was not operating normally. After sending the router, I was not charged any additional money, so I consider it free.

Another nuance – although the purchase was made through a website in the USA, I had to send the device not to America, but to the Netherlands. This is due to the fact that Ubiquiti has a European service center that serves customers from this region.

Conclusions

Even after the warranty expires, Ubiquiti can approve an RMA if there is proof of a manufacturing defect and the device was purchased directly from the Ubiquiti website. The process is clearly structured: from submitting a request to receiving a new device. Logistics can be international, even if the purchase was made in another country. The main thing is to save all evidence of the malfunction (logs, screenshots, description).

Connecting a Dahua IP camera to UniFi Protect
https://ostrich.kyiv.ua/en/2025/08/27/connecting-a-dahua-ip-camera-to-unifi-protect/
Wed, 27 Aug 2025 06:24:43 +0000

Connecting a Dahua IP camera to a Ubiquiti UCG‑Max router with its built-in video recorder function is a great way to integrate an existing video surveillance system into the UniFi Protect ecosystem without spending money on a complete replacement of equipment. And although previously only Ubiquiti cameras were supported, the situation has now changed.

Support for third‑party cameras (ONVIF-compatible cameras) in UniFi Protect appeared relatively recently – it was introduced in Protect version 5.0, whose release was announced in October 2024. The successful addition of third-party cameras to UniFi Protect was officially confirmed in the Community Release of UniFi Protect 5.0.33, where support for adopting ONVIF cameras first appeared.

To configure, you must perform the following sequence of actions:

  • Dahua camera settings
  • Activation of UniFi Protect
  • Adding a camera

I will start sequentially with screenshots.

Dahua camera settings

I have one of the budget cameras, a Dahua DH-IPC-HDW1230T1-S5; I used to use a software video recorder installed on my Raspberry Pi. But after purchasing a new router, I decided to migrate to the built-in UniFi Protect solution.

Camera firmware

You need to select an item System -> Upgrade -> Manual check. In my case, the firmware was updated recently, in June 2025, which indicates that the camera is still being supported.

ONVIF activation

This option is included in the section Network -> Access Platform -> ONVIF -> Authentication -> ON -> Save

For authentication, you need to create an ONVIF user System -> Account -> ONVIF User. Here you can either create a new user or edit an existing one.

Date and time

I thought this setting was not important, but I decided to follow the recommendations. To do this, I selected the System -> General -> Date&Time menu and checked that all my settings correspond to the necessary ones and the time is displayed correctly.

This completes the preliminary camera setup.

Activation of UniFi Protect

By default, UniFi Protect is not activated. To activate it, you need to go to the section Settings -> Console Plane and in the list of additional services opposite Protect to press Install and wait for the installation to complete.

Installation took about 5 minutes. The latest version at that time was displayed in the list UniFi Protect 6.0.53. An additional tab appeared in the upper panel – Protect, let’s go to it. A feature video has been played in the Dashboard section UniFi Protect and a link to the setup guide. It looks touching!

Adding a camera

To activate cameras from other manufacturers, you need to go to the section Settings -> System ->Advanced and put a check mark opposite Discover 3rd-Party Cameras.

After applying the changes, you need to go to the Unifi Devices menu and my Dahua DH-IPC-HDW1230T1-S5 camera will automatically appear in the list. In order for it to be added, you just need to click on the Click to Adopt link.

A window will open, where you need to enter the login and password for the camera, and click on the confirmation button – Confirm.

Almost instantly, the camera will connect and you can see its status. After the camera has already been added, you can go to the main Dashboard page and see the general information.

Advantages and disadvantages of UniFi Protect

Here we are talking about cameras with ONVIF support, i.e. from third-party manufacturers, like mine – Dahua DH-IPC-HDW1230T1-S5. I have a little experience working with video surveillance cameras, starting with Dahua and Hikvision complexes and with software solutions such as NX Witness. Since I only have one camera, I decided to describe exactly the criteria that led me to try Ubiquiti UniFi Protect.

I bought the Ubiquiti UCG-Max router in order to also get a modern, powerful video recorder with 512 GB of storage. That is, I was counting on a 2-in-1 device. In general, my expectations were met, because I like the Ubiquiti ecosystem, and I considered the economy and rationality of using one device instead of two to be the criterion. Broken down point by point, the comparison of the Ubiquiti UCG-Max against the Ubiquiti UXG-Lite + Hikvision DS-E08NL-Q1 looks like this:

  • The price of these sets is almost the same
  • Size UCG-Max smaller than a router + video recorder

Unfortunately, I only found out about the disadvantages today while setting up and writing this article. Within its single ecosystem, Ubiquiti decided to limit not only proprietary functions such as artificial intelligence for recognizing faces and license plates, but also completely basic, unremarkable functions; at the very least, the absence of motion- or event-triggered recording is a deal-breaker for me, because no one is going to watch 100 hours of video in one continuous stream, it’s very inconvenient!

Conclusion

Adding third-party IP cameras, including Dahua, to Ubiquiti UCG-Max with UniFi Protect is a real opportunity to build a unified video surveillance system based on existing equipment. However, there are limitations to consider: you only get basic 24/7 or scheduled video recording, without full integration of “smart” camera features. This solution is ideal for those who want to centralize the archive and remote access, but do not count on deep analytics in Protect, but definitely not for me!

I will buy a budget camera for this solution, the Ubiquiti G5 Turret Ultra, which costs $129 and has basic functionality in the form of regular motion or event recording, which suits me perfectly. Otherwise I will be forced to sell the Ubiquiti UCG-Max and buy a budget router and a separate video recorder.

Overview of the new EdgeRouter OS v3.0
https://ostrich.kyiv.ua/en/2025/08/17/overview-of-the-new-edgerouter-os-v3-0/
Sun, 17 Aug 2025 13:27:25 +0000

I bought a Ubiquiti EdgeRouter X router quite a while ago, sometime in November 2020. I chose this router solely because of its compactness and low price. During the first initialization, firmware v2.0.9 was installed there. From that moment on, only hotfixes were released to the firmware, without official stable releases. The last hotfix v2.0.9-hotfix.7 was announced in August 2023. Until today, I thought that the project was already closed, and the router would no longer be supported, which means not receiving firmware updates.

I subscribed to the Ubiquiti newsletter and one day received an email announcing a new firmware version for my router, which I wanted to part with! Indeed, the new firmware version 3 was a long-awaited update after a series of release candidate versions – finally released in the final stable version. I installed it, recording every step, to share with you a comparison of these two versions of EdgeRouter OS.

This article looks at the key innovations and improvements – and will be useful for those who plan to upgrade or are simply interested in the development of EdgeRouter. In this article, I made comparative screenshots first of the old version of EdgeRouter OS v.2.0.9-hotfix.7 and below the same page in the interface of the new updated EdgeRouter OS v.3

Main changes in EdgeRouter OS 3

  • New web interface (GUI): completely redesigned design, new left menu instead of tabs, updated “ports widget” element in the top panel
  • Dark Mode – dark theme for more comfortable work
  • Full support for WireGuard VPN – configuration via GUI and CLI, with the ability to use in Site-to-Site VPN, VPN Server and VPN Client scenarios
  • DHCPv6 now ignores advertisements without required fields or with missing statuses
  • UISP integration: remote access to local GUI via UISP
  • Adjusted system settings theme, added CPU and “hardware” status indication in the top panel, temperature warning
  • Security improvements:
    • The firewall blocks all incoming traffic on eth1 by default.
    • File name validation when restoring the configuration.
    • WebSocket client IP logging — to detect brute-force attacks.
    • Better password strength checking.
    • SSH is disabled in the default configuration.

In other words, this is not only about design, but also about functionality.

Upgrade Process

When a new version of EdgeRouter OS is detected, the user is informed in the top panel of the GUI with the label “Ready to upgrade”. After clicking this button, the status changes to “Upgrading”. This process takes about 3-5 minutes. During the system upgrade, a message appears in the “Alerts” section: “Upgrade to latest firmware version has started”.

In order for the update to take effect, the system recommends rebooting the router. If you ignore this action, the update will be applied the next time you reboot. Of course, all settings are saved during the update, as the difference between the versions is small.

After rebooting the router, the user will already enjoy the new interface and functionality of their router.

Login page

Compared to the old version, the design has become minimalistic and clearer. The single color scheme is more adapted for light and dark modes.

Dashboard

As you can see on the main page, the menu has been moved to the sidebar and is presented in the form of icons. The new visual interface is very similar to the Unifi OS interface. Users who have previously worked with Unifi OS will find similar features in this structure.

If you are attentive, you can see the uptime value, which was not in the old interface on the main page.

Traffic Analysis

I didn’t enable this feature on both the old and new firmware, as this option doesn’t matter much to me, but I’ll share a comparison of these versions. Overall, this functionality hasn’t changed much, except for the graphical layout of elements such as search. The links to enable traffic analysis have also become more obvious, as the blue color is more noticeable than the gray option.

Routing

As in the previous points, this window, apart from the design, has not changed its logic. All elements have remained in their places, but have become more visible due to the blue color.

Firewall/NAT

In this window, I will look at the Port Forwarding tab. In this menu, unlike the old compact design, the new interface looks wider, which does not allow all the necessary information to be placed on one screen, the user will have to scroll down to see the rules table.

Services

The screens have identical functionality, except for the design.

VPN

I don’t have VPN configured either, but the new interface has a WireGuard section. Of course, you could enable this section in the old firmware, but it’s nice that this feature was automatically activated in the new one. For the user, this is only an advantage, because you can connect the EdgeRouter to another WireGuard host to configure different types of VPN.

  • Site-to-Site VPN – connecting to a WireGuard node and dynamically or statically routing traffic between nodes.
  • VPN Server – allows remote WireGuard clients to connect to the EdgeRouter and access the local network.
  • VPN Client – connecting to a VPN provider and routing traffic through the WireGuard VPN using policy-based routing.

QoS

I don’t have QoS configured either, so I’m only sharing the visual difference.

Users

Unlike most previous menus, the Users menu has gained a remote access function. That is, in the new version, connections are divided into local and remote. Now the user no longer needs to forward ports, which would otherwise reduce the security of the connection.

Config Tree

In the configuration tree, in both the old and new versions, the menus that have been changed are highlighted in bold. There are no further changes in this section.

Wizard

In this menu, the main items are also highlighted in blue, for better focus on the submenus.

Conclusions

The EdgeRouter OS 3.0.0 firmware was mainly focused on changing the design, which is very similar to Unifi OS. The update is most valuable for those who use VPNs, want a better UI, or value security.

Using an SSH key to connect to the UniFi Network
https://ostrich.kyiv.ua/en/2025/07/27/using-an-ssh-key-to-connect-to-the-unifi-network/
Sun, 27 Jul 2025 14:16:32 +0000

Ubiquiti’s UniFi Network Controller provides a user-friendly interface for network management, but for deeper diagnostics and configuration, command line access via SSH is sometimes required. For security and convenience, you should use an SSH key instead of a password. This article explains how to create an SSH key, add it to the UniFi Controller, and use it to log in to the device.

Generation of SSH keys

I have an Ubuntu operating system installed, so I’ll be using that for all setups. In the terminal, you need to execute the command to generate private and public SSH keys.

ssh-keygen -t ed25519 -C "unifi-access"

You will be asked to specify the path where the key will be saved and its name. Specify where it will be stored, usually the user’s home directory, and give it the name unifi_key, or press Enter for the default path (~/.ssh/id_ed25519, as shown in the prompt below).

Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/UserName/.ssh/id_ed25519): unifi_key

After that, you will be asked to create a passphrase for the private key. This passphrase will be requested whenever the key is used; however, I will add the key to the SSH agent so that I do not have to enter it every time while keeping the system secure.

Enter passphrase (empty for no passphrase): 
Enter same passphrase again:

As a result, two files will be generated:

  • Private key: ~/.ssh/unifi_key
  • Public key: ~/.ssh/unifi_key.pub

Keep your private key in a safe place and do not share it with anyone!

Adding a public key

In the new Unifi Network interface, the remote control settings section has been moved to the devices section:

Unifi Devices -> Device Updates and Settings -> Device Settings -> SSH Keys

To do this, you will need to enter the name of the public key and its content.

To view the contents of the newly created public key, open it:

cat ~/.ssh/unifi_key.pub
ssh-ed25519 AAA.....cpoM unifi-access

Copy this line into the corresponding field and add it to the controller. Click the Apply Changes button and the key is in place; it remains to add it to the agent and check the connection.
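Before pasting the key into the controller it is worth checking that the line you copied is a well-formed public key of the declared type and noting its fingerprint, so the same value can be compared later with what ssh-keygen -lf ~/.ssh/unifi_key.pub prints. The script below is an added example, not code from this post or from Ubiquiti; it parses an authorized_keys-style line, verifies that the base64 blob really carries an ssh-ed25519 key, rejects a private-key file pasted by mistake, and computes the OpenSSH SHA256 fingerprint. The sample key is constructed from predictable bytes and is not a real key.

```python
"""Check an OpenSSH public key line before adding it to the UniFi controller
(Device Settings -> SSH Keys) and compute its SHA256 fingerprint, the same
value `ssh-keygen -lf ~/.ssh/unifi_key.pub` prints. Added example, not code
from the blog post; the sample key below is constructed."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire string at offset; return (data, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def build_ed25519_pubkey_line(raw_key: bytes, comment: str) -> str:
    """Assemble an authorized_keys-style line from a raw 32-byte Ed25519
    public key. Only used to construct the sample; real keys come from
    ssh-keygen."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> dict:
    """Parse '<type> <base64 blob> [comment]', verify the blob matches the
    declared type, and return type, comment, blob and OpenSSH fingerprint."""
    line = line.strip()
    if line.startswith("-----"):
        # PEM/OpenSSH private-key files start with '-----BEGIN'; that file
        # must never be pasted into the controller.
        raise ValueError("this looks like a private key, not a .pub file")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    # validate=True rejects stray characters that a sloppy copy-paste adds
    # (it raises binascii.Error, a ValueError subclass).
    blob = base64.b64decode(b64, validate=True)
    embedded_type, offset = _read_ssh_string(blob, 0)
    if embedded_type != key_type.encode("ascii", "replace"):
        raise ValueError(
            f"declared type {key_type!r} does not match blob type {embedded_type!r}")
    if key_type == "ssh-ed25519":
        raw_key, offset = _read_ssh_string(blob, offset)
        if len(raw_key) != 32 or offset != len(blob):
            raise ValueError("malformed ssh-ed25519 blob")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "comment": comment,
            "blob": blob, "fingerprint": fingerprint}


# Constructed sample (not a real key): 32 predictable bytes stand in for
# the Ed25519 public key that ssh-keygen would produce.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_LINE = build_ed25519_pubkey_line(SAMPLE_RAW_KEY, "unifi-access")

if __name__ == "__main__":
    info = parse_pubkey_line(SAMPLE_LINE)
    print(info["type"], info["comment"], info["fingerprint"])
```

To check a real key, pass the single line from cat ~/.ssh/unifi_key.pub to parse_pubkey_line and compare the returned fingerprint with the output of ssh-keygen -lf ~/.ssh/unifi_key.pub; the two should be identical, and the comment (unifi-access here) is what you will see in the controller.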

How to add a key to the SSH agent

To avoid passing the path to the private key on every connection (ssh -i ~/.ssh/unifi_key), you can add the key to the SSH agent. If a passphrase was set on the private key, it must be entered once here.

ssh-add ~/.ssh/unifi_key
Enter passphrase for /home/home/.ssh/unifi_key: 
Identity added: /home/home/.ssh/unifi_key (unifi-access)

Checking the connection

Now from this PC you can connect to any device adopted by the UniFi controller without entering a password; the username must be root.

ssh root@<device IP>
Linux UXGLite 5.4.213-ui-qcom #5.4.213 SMP PREEMPT Wed Apr 30 13:12:54 CST 2025 aarch64

Firmware version: v4.1.13

Conclusions

Using SSH keys to access UniFi devices is a more secure and convenient approach compared to passwords. Keys are harder to intercept and, if used correctly, can be easily updated and revoked. UniFi Controller allows you to centrally distribute keys to all devices, which simplifies the administration of a large network.

How to Create an IP Blacklist on a Ubiquiti UniFi Gateway Using Zone-Based Firewall https://ostrich.kyiv.ua/en/2025/04/02/how-to-create-an-ip-blacklist-on-a-ubiquiti-unifi-gateway-using-zone-based-firewall/ https://ostrich.kyiv.ua/en/2025/04/02/how-to-create-an-ip-blacklist-on-a-ubiquiti-unifi-gateway-using-zone-based-firewall/#respond Wed, 02 Apr 2025 09:41:17 +0000 https://ostrich.kyiv.ua/?p=812

Introduction

After analyzing my Postfix server’s activity graph in Zabbix, I discovered that an attacker makes brute-force login attempts every 5 minutes. To stop this, I decided to configure the firewall rules manually and show how to create an IP blacklist rule.

On my Ubiquiti UniFi UXG-Lite router, it is possible to block specific IP addresses or subnets by creating Network Objects and using Firewall Policy.

Creating a Blacklist Group

A blacklist is a list of IP addresses and/or subnets, organized as a network object group. To create such a group, follow these steps:

  1. Click the Settings (gear icon) menu.
  2. Select Profiles.
  3. Navigate to Network Objects.
  4. Click Create New.

In the Network Objects screen, fill in the following fields:

  • Object Name – e.g., Postfix Black List.
  • Type – Select “IPv4 Address/Subnet” from the dropdown list.
  • Address – Enter the first IP address or subnet.

Click Add to create the list and apply the changes.

Creating a Blocking Rule for Ubiquiti UniFi Zone-Based Firewall

Since my router has been updated, a new feature is available: Zone-Based Firewall. It groups rules visually by traffic type. I will therefore do the configuration in the new interface, where rules are now called policies.

According to the zone table, the policy must be added to the cell at the intersection of Source External and Destination Internal. To do this, click on the cell and at the very bottom of the policy list, click on the Create Policy button.

The principle of the policy is simple:

  • Inspect inbound external traffic for source IP addresses and/or subnets that are on the blacklist
  • Block traffic from those IP addresses and/or subnets when it is directed to the local network

This kind of rule appeared only with the Zone-Based Firewall; before it, such a rule could only block all traffic. The settings are now more flexible, so a policy like this can be created for each zone separately.

A sidebar will open on the right, where you need to fill in the appropriate fields. The fields are grouped by blocks to make it easier to navigate the settings:

Name: Postfix Black List.

Source Zone block

  • External is pre-selected if you opened the policy from the corresponding cell of the Zone-Based Firewall table; otherwise select External
  • Select the IP value
  • Select the Object value
  • From the drop-down list, select the previously created Postfix Black List group
  • Select the value Port: Any

Action block

  • Select the Block value

Destination Zone block

  • Internal is pre-selected if you opened the policy from the corresponding cell of the Zone-Based Firewall table; otherwise select Internal
  • Select the Any value
  • Select the value Port: Any

Additional settings block

  • IP Version: IPv4
  • Protocol: All
  • Connection State: All
  • Syslog Logging: checkbox enabled
  • Schedule: Always
  • Description: Block all IP’s from the Postfix blacklist

Click Add Policy. The new rule will appear in the list and be applied immediately.

Verifying Policy Functionality

Blocked traffic logs can be found in the System Log under the Triggers tab. You can review individual entries to confirm that the policy is working as expected.

Conclusion

The Zone-Based Firewall feature in Ubiquiti UniFi allows effective blocking of unwanted traffic using IP blacklists. Utilizing Network Objects and flexible policies in the new interface simplifies network security management.

Ubiquiti EdgeRouter X – Hardware Offload https://ostrich.kyiv.ua/en/2025/02/24/ubiquiti-edgerouter-x-hardware-offload/ https://ostrich.kyiv.ua/en/2025/02/24/ubiquiti-edgerouter-x-hardware-offload/#respond Mon, 24 Feb 2025 17:11:01 +0000 https://ostrich.kyiv.ua/?p=725

Introduction

When I bought the Ubiquiti EdgeRouter X, the first thing I did was test its speed on speedtest.net. The results disappointed me: throughput was only 40-50% of the declared characteristics. In this article I will explain how to optimize this router so that it works at 100%!

Enable HWNAT

What is hardware offload?

Hardware offload performs routing functions in specialized hardware modules instead of on the central processor, which significantly increases network performance and bandwidth.

Starting with the EdgeOS firmware version v1.9.1, all EdgeRouter models support some type of hardware offload. The latest firmware version available at the time of writing this article is v2.0.9-hotfix.7. This means that I can apply the recommendations to improve the speed of my router.

EdgeRouter X and Hardware Offload

My EdgeRouter X is built on a MediaTek chip that supports hardware acceleration for VLAN and NAT. This means that these functions can be moved to the ASIC with the hwnat setting. In addition, hardware offload also supports tunneling functions such as GRE and PPPoE.

How to enable hardware offload?

To enable hardware offload, you need to use the command line interface (CLI) or the EdgeOS graphical interface:

Through the web interface

  • Go to the Config Tree menu and in the Configuration block, scroll down and find the Offload parameter
  • Opposite hwnat and ipsec, enter enable, to apply the changes, click the Preview button
  • In the Commands to Commit window, click Apply to apply the changes
  • You will see the message: The configuration has been applied successfully

Through the CLI

To open the terminal window, click the CLI button

You need to enter your login and password, and then enter the following commands in sequence

set system offload hwnat enable
commit
save
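After commit, the operational-mode command show ubnt offload reports the offload state, and it is worth reading it rather than relying on the speed test alone. The script below is an added check of my own, not from the article or from EdgeOS: it parses that output and confirms that the offload module is loaded and IPv4 forwarding is offloaded. The sample output is constructed from memory of an EdgeRouter X and its exact layout is an assumption, so the parser keys on indented name: value lines under each section rather than on fixed positions.

```python
"""Parse the output of EdgeOS 'show ubnt offload' and report whether IPv4
hardware offload (hwnat) is active. Added example, not from the blog post.
SAMPLE_OUTPUT is constructed from memory of an EdgeRouter X; the real layout
may differ between firmware versions, so parsing is by section and
'name: value' pairs, not by line position."""

SAMPLE_OUTPUT = """\
IP offload module   : loaded
IPv4
  forwarding: enabled
  vlan      : enabled
  pppoe     : enabled
  gre       : enabled
  bonding   : disabled
IPv6
  forwarding: disabled
  vlan      : disabled
  pppoe     : disabled
  bonding   : disabled
IPSec offload module: loaded
Traffic Analysis    :
  export    : disabled
  dpi       : disabled
"""


def parse_offload(text: str) -> dict:
    """Return {section: {name: value}}. Unindented 'name : value' lines
    (module status) are stored under the '' section; unindented lines
    without a value ('IPv4', 'Traffic Analysis :') open a new section."""
    result = {}
    section = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0].isspace()
        name, sep, value = raw.strip().partition(":")
        name, value = name.strip(), value.strip()
        if not indented:
            if sep and value:
                result.setdefault("", {})[name] = value
            else:
                section = name
                result.setdefault(section, {})
            continue
        result.setdefault(section, {})[name] = value
    return result


def hwnat_active(text: str) -> bool:
    """True when the offload module is loaded and IPv4 forwarding is
    enabled, i.e. 'set system offload hwnat enable' took effect."""
    parsed = parse_offload(text)
    module = parsed.get("", {}).get("IP offload module", "")
    ipv4 = parsed.get("IPv4", {})
    return module == "loaded" and ipv4.get("forwarding") == "enabled"


def offload_gaps(text: str) -> list:
    """IPv4 offload features that are not enabled, for a quick review."""
    ipv4 = parse_offload(text).get("IPv4", {})
    return sorted(k for k, v in ipv4.items() if v != "enabled")


if __name__ == "__main__":
    print("hwnat active:", hwnat_active(SAMPLE_OUTPUT))
    print("IPv4 features not offloaded:", offload_gaps(SAMPLE_OUTPUT))
```

On the router itself you would feed the script the real text (for example by saving show ubnt offload to a file and reading it). One caveat worth keeping in mind: offloaded flows bypass the CPU, so CPU-based features that need to see every packet, such as smart-queue QoS and deep packet inspection, do not apply to them; if you rely on those, check that the speed gain is worth it.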

Check settings

Checking the result

After activating hardware offload, I recommend re-testing the Internet speed on speedtest.net or any other speed test service. In my case, throughput increased to 90-95% of the speed declared by the provider, which significantly improved the stability and performance of the network.

Conclusion

If you have an EdgeRouter X and you have noticed poor network performance, enabling hardware offloading can significantly improve the speed of the device. This simple setting allows you to use the power of the router more efficiently and get the most out of your Internet connection. Don’t forget to update the firmware to the latest version to use all the optimization features!

First impression of Cloud Gateway Ultra (UCG Ultra) https://ostrich.kyiv.ua/en/2024/03/17/first-impression-of-cloud-gateway-ultra-ucg-ultra/ https://ostrich.kyiv.ua/en/2024/03/17/first-impression-of-cloud-gateway-ultra-ucg-ultra/#respond Sun, 17 Mar 2024 20:00:50 +0000 https://ostrich.kyiv.ua/?p=538

On February 21, the new Cloud Gateway Ultra security gateway was announced for sale in the US. After getting acquainted with its advantages, I realized that it is a powerful and modern device. Since I live in Ukraine, I was able to order it only through a middleman’s warehouse in the USA, Meest US. After receiving it, I decided to unpack it and describe the connection process in this post.

  • February 21, 2024, Announce: Ubiquiti announced Cloud Gateway Ultra for ordering on the official website
  • February 21, 2024, Order: After receiving a letter from Ubiquiti with an offer, I immediately ordered the UCG Ultra
  • February 27, 2024, Delivery: There is no direct delivery to Ukraine, so I ordered the security gateway to a warehouse in the USA through the Meest service
  • March 13, 2024, Shipment: The Meest company received the parcel and forwarded it to my address
  • March 17, 2024, Receiving: When the package arrived in Ukraine, I received it successfully!

Foreword

My first impressions are very positive, because it really is a powerful device with a modern interface, controls and an intuitive configuration tool!

Unboxing

The box has a minimalist design in beige cardboard. Its size has grown significantly, to 175 x 160 x 80 mm. On the back of the box, at the lower left, there is a label with the country of manufacture, the address and a hologram confirming that the product is certified and authentic. As in the previous version, the box is opened by pulling a special opening tab. After opening it, as in the previous version, there is a bright blue QR code in the center that leads to the instructions for the first connection. That is, at the first stage

Turning this side of the box over, the router itself sits in the center in a matte factory film. Under the router, after removing the white tab, the plastic section holds a 5V 3A charger, a short 15 cm patch cord and stick-on feet, and a very small paper manual is tucked into the side pocket. I photographed each element separately and larger. Everything is packed compactly and sensibly, I liked it.

To understand the difference in size, number of ports and layout of the elements, I decided to physically compare the two models, UXG-Lite and UCG Ultra; the difference is striking.

Settings and Speed test

After waiting for the router to boot fully, which takes about 2-3 minutes, I saw an animated prompt on the display to continue the setup. The display shows information clearly and interactively, it’s just great!

The setup, including Internet access, is done through the UniFi application via Bluetooth. I did it from a Samsung Android smartphone. A few seconds after opening the application, a message appears that a new Cloud Gateway Ultra device has been found, with an offer to continue the configuration. The first setup can take from 4 to 20 minutes, so it is better to have the smartphone charged.

Also, the speed is displayed on the display of the router itself

Since this security gateway already has a built-in UniFi controller, there is no need for separate local services or a hardware Cloud Key device.

If you have any questions, ask in the comments, I will be happy to share my experience in using this router!

UXG Lite vs. UCG-Ultra https://ostrich.kyiv.ua/en/2024/02/25/uxg-lite-vs-ucg-ultra-2/ https://ostrich.kyiv.ua/en/2024/02/25/uxg-lite-vs-ucg-ultra-2/#respond Sun, 25 Feb 2024 16:48:05 +0000 https://ostrich.kyiv.ua/?p=451

In this post, I will try to provide a table comparing two modern security gateways, Gateway Lite and Cloud Gateway Ultra. I’ll start with the image and graphics specs, UXG Lite on the left and UCG-Ultra on the right.

Each device has both its advantages and disadvantages:

  • If you have one ISP and there is limited space to install the gateway, and this gateway will always be behind a closed door of the distribution box, then Gateway Lite is the choice.
  • If you need uninterrupted Internet, namely the ability to control two WAN ports, the device will be in an open place, then Cloud Gateway can be the choice.

Let’s now look at the basic comparison table of the main characteristics of these two Unifi security gateways

Features (UXG Lite vs. UCG-Ultra)

Processor
  UXG Lite: Dual-core ARM® Cortex®-A53 at 1 GHz
  UCG-Ultra: Quad-core ARM® Cortex®-A53 at 1.5 GHz

Memory
  UXG Lite: 1 GB DDR3L
  UCG-Ultra: 3 GB DDR4

On-board storage
  Both: 16 GB eMMC

Management
  UXG Lite: Ethernet, Bluetooth 5.1
  UCG-Ultra: Ethernet, Bluetooth

Networking
  UXG Lite: LAN: (1) GbE RJ45 port; WAN: (1) GbE RJ45 port
  UCG-Ultra: LAN: (4) GbE RJ45 ports; WAN: (1) 1/2.5 GbE RJ45 port

IDS/IPS throughput
  Both: 1 Gbps

Power consumption
  UXG Lite: 3.83W
  UCG-Ultra: 6.2W

Display
  UXG Lite: LED
  UCG-Ultra: LCM 0.96″ status display

Dimensions
  UXG Lite: 98 x 98 x 30 mm (3.9 x 3.9 x 1.2″)
  UCG-Ultra: 141.8 x 127.6 x 30 mm (5.6 x 5 x 1.2″)

Weight
  UXG Lite: 320 g (11.3 oz)
  UCG-Ultra: 520 g (1.1 lb)

Enclosure material
  UXG Lite: Polycarbonate
  UCG-Ultra: Polycarbonate

Power
  UXG Lite: USB type C (5V/3A)
  UCG-Ultra: USB type C (5V DC/3A)

Performance
  UXG Lite: WiFi QoS with UniFi APs; Application, domain, and country-based QoS; Application and device type identification; Additional internet failover with LTE Backup; Internet quality and outage reporting
  UCG-Ultra: WiFi QoS with UniFi APs; Application, domain, and country-based QoS; Application and device type identification; Additional internet failover with LTE Backup; Internet quality and outage reporting; Redundant WAN with failover and load balancing

Next-generation security
  UXG Lite: Application-aware firewall rules; Signature-based IPS/IDS threat detection; Content, country, domain, and ad filtering; VLAN/subnet-based traffic segmentation; Full stateful firewall
  UCG-Ultra: Application-aware firewall rules; Signature-based IPS/IDS threat detection; Content, country, domain, and ad filtering; VLAN/subnet-based traffic segmentation; Full stateful firewall

Advanced networking
  UXG Lite: License-free SD-WAN*; WireGuard, L2TP and OpenVPN server; OpenVPN client; OpenVPN and IPsec site-to-site VPN; One-click Teleport* and Identity Enterprise VPN**; Policy-based WAN and VPN routing; DHCP relay; Customizable DHCP server; IPv6 ISP support
  UCG-Ultra: License-free SD-WAN; WireGuard, L2TP and OpenVPN server; OpenVPN client; OpenVPN and IPsec site-to-site VPN; One-click Teleport and Identity VPN; Policy-based WAN and VPN routing; DHCP relay; Customizable DHCP server; IGMP proxy; IPv6 ISP support

Application Requirements
  Both: UniFi Network Version 8.0.7 and later; Mobile app: UniFi iOS™ Version 10.12.0 and later, UniFi Android™ Version 10.11.2 and later

In this case, the main advantage of UCG-Ultra over UXG Lite is the larger number of ports, in particular the possibility of configuring one LAN port as a WAN port, which allows you to connect a second provider. This is very useful in a small office. The second advantage is the built-in management controller, which lets you forget about an external server or CloudKey.

If you find additional differences, then join the discussion in the comments.
