I’ve recently purchased a UDM SE when it was on sale. I use it as my main router, moving away from OpenWRT (for this role). Especially the “recent” improvements, including the zone-based Firewall configuration as well as the beginnings of “usable” IPv6 support, are what allowed me to make the jump.
I first chose to import my old self-hosted UniFi Network setup, but chose to redo it from scratch, because it seemed “buggy.”
I’m happy overall. The new zone-based firewall is a HUGE improvement (there’re specifics below)!
My gripes[1] with the setup (as of January 2026):

- You cannot–under any circumstance–create a working allow rule from a network in the Guest zone … there seem to be “hidden rules” that prevent this. Finding this out ate a whole weekend.
- Firewall rules can’t have “any” zone as a source or destination. E.g. you can’t create a pure WAN egress rule.
- Using the object policies you can get an error, saying you can’t create any more “ACL rules.” … why?!? I’m not using ACL rules (knowingly)! How many can I use (IIRC I had four or five)? How do I find out which ones they are? They count even when they are all paused?!?!?! ☠️
- If you want to use the zone-based Firewall to allow Internet access to specific domains only, make sure your UDM/etc. is the device’s DNS server. It doesn’t work with external DNS servers.
- The Intrusion Prevention System blocks connections (e.g. www.privacy-handbuch.de) even when it’s set to only “notify.” In the logs it doesn’t say what the reason for blocking was; I just found out by elimination. 🤮
- It seems not all blocked connections are shown in the flows/logs. I’ve had to create firewall rules for devices and services that were blocked, but didn’t show up in the flows/logs view (even with all the extended logging settings set). I only found out because of my internal monitoring setup (yay, Prometheus Blackbox Exporter and Ping Exporter). 😱
- You cannot use device groups in Firewall rules, only in object policies.
- You can select devices as sources in Firewall policies, but not as destinations.
- You can’t add comments to Port or IP lists. Neither on the whole list, nor on the individual entries.
- “Add multiple” fields won’t filter duplicates automatically … they will nag you until you’ve removed them manually. 😞
- There’s no way to bulk export or import for DNS records … or firewall rules.
- You can’t use IPv6 in WireGuard VPNs! 🤬
- You can’t change the settings of the WireGuard Server or Clients. I know why they don’t allow it, but it’s rubbing me the wrong way.
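The flows/logs gripe above is the one with a practical workaround: an independent reachability monitor catches blocks that the UniFi UI never reports. As an added example (not from the post, and not UniFi or Ubiquiti configuration), here is a minimal Prometheus Blackbox Exporter setup of that kind: a probe module file, a scrape job, and an alert rule that fires when a target stops answering. The exporter address `blackbox-exporter.internal:9115` and the internal target `https://example.internal/` are assumed placeholders; `www.privacy-handbuch.de` is the site the post says was blocked.

```yaml
# Added example, not part of the original post.
# blackbox.yml: probe modules for the Blackbox Exporter (constructed).
modules:
  http_2xx:               # HTTP GET, succeeds on a 2xx response
    prober: http
    timeout: 5s
    http:
      preferred_ip_protocol: ip4
  tcp_connect:            # plain TCP handshake, for non-HTTP services
    prober: tcp
    timeout: 5s
  icmp:                   # ping; the exporter needs CAP_NET_RAW for this
    prober: icmp
    timeout: 5s
---
# prometheus.yml (scrape_configs excerpt): every target is probed through
# the exporter, so a drop in probe_success shows up even when the
# firewall/IPS block never appears in the UniFi flow logs.
scrape_configs:
  - job_name: blackbox-http
    metrics_path: /probe
    params:
      module: [http_2xx]
    static_configs:
      - targets:
          - https://www.privacy-handbuch.de/   # site the post says IPS blocked
          - https://example.internal/          # assumed internal service
    relabel_configs:
      - source_labels: [__address__]           # target URL -> ?target= param
        target_label: __param_target
      - source_labels: [__param_target]        # keep the URL as the instance label
        target_label: instance
      - target_label: __address__              # actually scrape the exporter
        replacement: blackbox-exporter.internal:9115   # assumed exporter address
---
# alerts.yml: alert after five minutes of failed probes, so a silent block
# is noticed by the monitoring stack instead of by an annoyed user.
groups:
  - name: reachability
    rules:
      - alert: ProbeFailed
        expr: probe_success == 0
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "{{ $labels.instance }} unreachable (job {{ $labels.job }})"
          description: "Probe has failed for 5m. Check zone firewall and IPS policy even if the flow logs show no block."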
[1] According to the principle: “if you want to nag, at least have the courtesy to be specific!”