Originally Posted: November 17th, 2023
Last Edited: December 5th, 2023

Note: On November 29th, Ubiquiti announced the UniFi Express (UX) which is a similar device. The Express acts as a gateway and wireless access point, and it also runs the UniFi Network application. The UX can also act as a standalone access point in existing UniFi networks. See my UniFi Express Preview for more details on that device. My original UXG Lite preview is below.

TL;DR:

• The next-gen Gateway Lite (UXG-Lite) is a new gigabit UniFi gateway for a Cloud Key, self-hosted, or cloud-hosted UniFi network

• The UXG-Lite is available in the US starting November 20th for $129, and coming to other regions soon

• This is the UniFi Security Gateway (USG) replacement we’ve all been waiting for

UXG-Lite Preview: A Proper USG Replacement

UXG-Lite Tech Specs

From the UXG-Lite page on store.ui.com:

A compact and powerful UniFi gateway with a full suite of advanced routing and security features

- Up to 10x routing performance increase over USG (tested with IPS/IDS, QoS, and Smart Queues)
- Managed with a Cloud Key, Official UniFi Hosting, or UniFi Network Server
- (1) 1 Gbps WAN port
- (1) 1 Gbps LAN port
- Compact footprint
- USB-C powered (adapter included)

Technical Specifications — Mechanical

• Dimensions: 98 x 98 x 30 mm (3.9 x 3.9 x 1.2")

• Weight: 320 g (11.3 oz)

• Enclosure materials: Polycarbonate

Hardware Specifications

• Processor: Dual-core ARM® Cortex®-A53 at 1 GHz

• Memory information: 1 GB DDR3L

• Management interface: Ethernet, Bluetooth 5.1

• Networking interfaces

  • (1) 1 Gbps RJ45 WAN port

  • (1) 1 Gbps RJ45 LAN port

• Power method: USB type C (5V/3A)

• Supported voltage range: 100–240V

• Max. power consumption: 3.83W

• Operating temperature: -10 to 40° C (14 to 104° F)

• Operating humidity: 5 to 95% noncondensing

• Certifications: CE, FCC, IC

Gateway Features — Performance

• WiFi QoS with UniFi APs

• Application, domain, and country-based QoS

• Application and device type identification

• Additional internet failover with LTE Backup

• Internet quality and outage reporting

• Next-generation security

• Application-aware firewall rules

• Signature-based IPS/IDS threat detection

• Content, country, domain, and ad filtering

• VLAN/subnet-based traffic segmentation

• Full stateful firewall

Advanced networking

• License-free SD-WAN*

• WireGuard, L2TP and OpenVPN server

• OpenVPN client

• OpenVPN and IPsec site-to-site VPN

• One-click Teleport* and Identity VPN**

• Policy-based WAN and VPN routing

• DHCP relay

• Customizable DHCP server

• IGMP proxy

• IPv6 ISP support

*When paired with a Cloud Key or Official UniFi Hosting.
**When paired with a Cloud Key.

My Thoughts on the UXG-Lite

Finally.

The next-gen Gateway Lite (UXG-Lite) is the long-awaited UniFi Security Gateway (USG) replacement. It fits into the same style of deployments, and the same budget as the ancient USG. For $129, it fills a big hole in the UniFi gateway lineup.

The UXG-Lite is made for those who host their own UniFi Network application server, or rely on Cloud Keys or cloud services. These are usually managed service providers, network installers, or businesses, but a lot of home users prefer this kind of setup as well. This is usually the best way to handle multiple network sites, but keeping your components separate has other advantages. Not everyone wants the integrated all-in-one solution Dream Machines provide.

The USG and USG-Pro have been in an awkward position since the introduction of the Dream Machines in late 2019. They were the only standalone gateway options, but their weak performance and low IPS/IDS and VPN throughput held them back. The Dream Machines were more powerful but less flexible, and can’t be managed by another UniFi Network controller. There was a lot of confusion about the differences and if the USG + Cloud Key or self-hosted option was going away.

Since then and until now, the UXG-Pro was the only modern option. USG-Pro owners looking to upgrade might have been happy, but not everyone has a network rack or $499 to spend. Those with a smaller budget or smaller space had to look to 3rd party options, or opt for a Dream Machine.

The release of the UXG-Pro felt both rushed and reactionary, but drawn out due to the long time it spent in early access. It is a poor value compared to the $379 UDM-Pro or $499 UDM-SE, but that was the cost for flexibility. The wait for a cheaper non-pro version felt even longer, but we finally have it.

UXG-Lite Limitations

The most obvious limitation of the UXG-Lite is the low port count and lack of a 2nd WAN interface. There are only two RJ45 ports, and they’re both limited to 1 Gbps. 2.5 Gbps would have great, but Ubiquiti is continuing to keep that as a premium feature for higher-end models.

Having only two gigabit ports will become a much bigger limitation if the UXG-Lite sticks around as long as the USG did. For $129 in 2023 it’s somewhat understandable, just disappointing. On the bright side, it could open the door to another hardware option in the middle of the UXG-Lite and UXG-Pro.

The lack of a 2nd wired WAN is another limitation. With the USG, there were three interfaces, and the 3rd interface could be used as a 2nd WAN or a 2nd LAN port. The UXG-Lite is significantly more capable for routing throughput, but is stuck with a single gigabit WAN and single gigabit LAN.

The only way to get a 2nd WAN connection is to opt for one of the UniFi LTE accessories. The LTE Backup or LTE Backup Pro allow you to automatically fail over to a cellular connection during an Internet outage. It requires the UniFi LTE hardware and — in the US at least — an expensive AT&T cellular plan.

As far as other limitations go, we’ll have to wait until this product is released and put through it’s paces to really know. It’s a simple device, the most exciting part is the role it fulfills in the gateway lineup and how that affects the entire UniFi ecosystem.

Also, USB-C power input is a welcome upgrade from a DC barrel plug in my opinion. It would have been nice to see a PoE input option for power though.

Asterisks

One of the most interesting aspects of the spec list are the asterisks. Those are worth examining a bit closer.

• License-free SD-WAN — when paired with a Cloud Key or Official UniFi Hosting

• One-click Teleport VPN — when paired with a Cloud Key or Official UniFi Hosting.

• Identity VPN — when paired with a Cloud Key

For reference, Cloud Keys are hardware appliances that run UniFi software, like the UniFi Network application or UniFi Protect for security cameras. This software monitors and configures other UniFi hardware, like the UXG-Lite.

The UniFi Cloud Console is a subscription service for hosting the UniFi Network application. Those currently cost $29/month for 100 UniFi Network devices, or $99/month for 1,000 devices in the US.

As far as I can tell, “license-free SD-WAN” is referring to the new Site Magic feature. Site Magic is built into the unifi.ui.com site manager and remote access portal. It lets you automatically create site-to-site VPN connections for multiple UniFi networks. This is a way for Ubiquiti’s marketing department to flex their lack of software licenses or subscriptions. You can still manually create site-to-site or remote access VPNs with the UXG-Lite.

The same goes for Teleport and UniFi Identity VPNs. Teleport is an easy-to-setup Wireguard VPN, and UniFi Identity is an optional identity management subscription. Those won’t be available on a UXG-Lite or UXG-Pro unless you use a Cloud Key. Self-hosted networks won’t support those, but they still have Wireguard, OpenVPN, IPsec, and L2TP.

It’s interesting these features are not supported on self-hosted UniFi Network application installs. It seems like an indication of where they are guiding their customers. The UniFi Network software has always been available for free, but this is the first time a feature line has been drawn between self-hosted and “officially” hosted. It’s possible that more features like this are added over time.

Essentially, for a few of the newest and fanciest features, self-hosted controllers aren’t included. These limitations make some sense, but calling it out on the spec sheet makes it feel like a purposeful design choice and business decision. Maybe there is a technical challenge I’m not seeing, but it feels like a subtle way to encourage hardware sales. At best, it is disappointing. At worst, it’s a sign that self-hosted controllers are becoming second class citizens.

A Question of Priorities

Judging by Ubiquiti’s actions and the hardware and software they’ve released, creating a new standalone gateway for USG customers wasn’t a priority.

The Dream Machines launched in late 2019, and there were several signs that Ubiquiti preferred everyone just buy one of those. The UXG-Pro got stuck in early access purgatory, advertisements for the Dream Machines were placed in self-hosted controllers, and multi-site support was in question. Existing UniFi customers were right to be upset.

Now, finally, USG owners have some new hardware they can buy. That is, if they haven’t upgraded to a Dream Machine, UXG-Pro, or found another vendor.

I’m genuinely happy to see the UXG-Lite released. I’m also a little worried that it took this long, and that self-hosted controllers are starting to be viewed in a separate category. Ubiquiti is giving us what we’ve wanted for four years, while also drawing a line in the sand to prop up their hardware and their services. That could be a wise business decision if done correctly, or a brand-damaging path to go down. Time will tell which it is. I’m excited to examine these topics in more depth, and see which path they choose.