I shortened and hid the original message behind these collapsible points to be mindful of people's time. If you need context, it's all there.
While running OpenWRT on a USG, I'm getting <<receive error code 10>> when I connect to the network and just before it kills it. Is it a drivers problem? It doesn't happen when it runs its regular firmware.
In the same spirit of appreciation, I tested this for readability/intelligibility with Siri. On a Mac, select all and press ⌥esc to read out loud. Other screenreaders should work too.
I had one simple mission earlier today, reflash an old UI (formerly Ubiquiti Networks) USG I have as backup to the main virtualized firewall running OpenWRT. The USG was showing signs of wear on its flash drive.
There's no mission simple enough that can't get me distracted though and so I ended up flashing OpenWRT on the USG instead. I wasn't expecting it to work but it did on the first try. (No locks.)
I booted it connected to the console port to see its progress. Immediately after it showed the line press enter to something-something I issued service network stop and went straight for /etc/config/network to start copying the configuration of the main firewall, adapting what was needed so it could boot alongside the virtual one, and I re-enabled the ports on the switches.
This is the topology, more or less:
As shown above, it has dual trunk ports to different switches on the same network. This would of course normally create a loop.
But since I'm hardly versed on the keywords to configure the text file from scratch and I didn't remember if I added the kmods for it to the build; later on LuCI I'd set up a bond or at least spanning tree.
I couldn't copy it off the current OpenWRT, bc it only has one virtual NIC per network [side], the hypervisor handles the rest, no need for STP.
Finally I turned on the network service and immediately the console started getting spammed with receive error code 10. Soon it took down the network. I don't know if it was a loop or simply it was the non-stop flood of topology change BPDUs that took it down. (hence all the STP talk)
On the second attempt I disconnected the last port, but it was still connected to a port on the ONT which would connect it to the WAN port of the virtual firewall. This time it only took down the Internet before I managed to stop the network service from the continuously spammed console. There wasn't any reason for it to take down the Internet because, though IPoE is basically DHCP, it doesn't have the right MAC address to steal away the connection from the other firewall, and it can't loop either because it's firewalled (right??).
My first question about the USG is, is this code 10 some sort of ultra-egregious low key vendor lock from UI?? I've read a lot of very nasty stuff UI has been involved in, and the installation was too easy to be true. Or is this like some drivers issue?
If fixable, can OpenWRT sustain 1 Gbit/s on this device?
Next is, is it worth it?: There's a pinned thread in this section (So you have 500Mbps-1Gbps fiber and need a router READ THIS FIRST - #17 by wind). The first time I read it, like a kid with a toy chemistry set I went straight to test it, and confirmed it to be true; an OpenWRT VM with a single gig of RAM in the best-case scenario would very briefly burst close to 1Gbit/s. With a small, albeit unrealistic increase to only 1.2GB of RAM, it could sustain 1Gbit/s.
That said, the USG has only half a gig of RAM and a half-a-GHz-clocked pair of RISC cores (vs Xeons on the virtual), and yet still it could sustain NAT at 1Gbit/s while also running a list of unsupported, relatively memory-hungry things available if forgoing the GUI: OSPF, RIPv2, PBR, VRRP (different VLANs from OSPF), and FreeRADIUS, which it runs by default regardless of the need for it. I assume it's able to do it because of either the architecture of the processor or the fact that it can offload certain L3 tasks to some custom chip it has for it. It might not have the needs of a Squid cache or Exchange, but we're talking about 500MB, it's tiny.
Will it still be as snappy with OpenWRT running it? Or should I just call it a day and flash what I was supposed to flash? (the modified version EdgeOS/Vyatta).
Thanks.
Advice, scolding, suggestion, anecdote. Any text donation is welcome. Thanks!