UXG-Lite Review: Monkey’s Paw Gateway
Originally Posted: January 6th, 2024
Last Edited: January 9th, 2024
TL;DR:
The UXG-Lite is a new USG-style gateway for a Cloud Key or self-hosted UniFi network
One gigabit WAN, one gigabit LAN, and all the IPS/IDS you want for $129 US
VPN performance is limited, usually to under 100 Mbps
Seriously, TL;DR: this review is long. Don’t say I didn’t warn you.
UXG Lite Spec Review
As I covered in my UXG-Lite Preview, Ubiquiti describes the Gateway Lite (UXG-Lite) as a compact and powerful UniFi gateway with a full suite of advanced routing and security features, ideal for smaller networks.
Hardware
SoC/Chipset: Qualcomm IPQ5018
CPU: Dual-core ARM Cortex A53 at 1 GHz
RAM: 1 GB DDR3L
Management interfaces: Ethernet, Bluetooth 5.1
Networking interfaces
(1) 1 Gbps RJ45 WAN
(1) 1 Gbps RJ45 LAN
Power Input: USB type C (5V/3A), power adapter included in box
Max consumption: 3.83W
Dimensions: 98 x 98 x 30 mm (3.9 x 3.9 x 1.2")
Context and Components
The main component of the UXG-Lite and its sibling the UniFi Express is the Qualcomm IPQ5018, from their Immersive Home 216 platform. It is the chipset or system-on-chip (SoC) that both are built around. It combines multiple parts into a single board designed for networking devices.
The IPQ5018 in the UXG-Lite features a dual-core 1 GHz ARM Cortex A53 CPU, 1 GB DDR3L RAM, and a single-core, 12-thread network processing unit (NPU) for offloading functions such as NAT. If you added some interfaces, radios, and a case, you could sell it on AliExpress, or do what many companies have done, and build a consumer networking product around it.
The Cortex-A53 is a relatively old ARM core design. It launched in 2012, and has been used in everything from budget smartphones to the Nintendo Switch and the Raspberry Pi 3B. Old CPU core designs aren’t the whole story though. The Qualcomm NPU handles networking functions like NAT. Also, ARM hardware acceleration helps process crypto operations for VPNs.
Altogether, the components inside the UXG-Lite are just enough for gigabit routing, but VPN throughput is weak. I’ll cover the performance impact more in the speed testing section below.
Defining UniFi Terms
Before we go any further, we need to establish our marketing-to-English translation. I already attempted to simply explain UniFi Gateways, so I’ll keep this short.
UniFi networks are “software-defined” meaning the hardware and software are separate.
A UniFi “gateway” is a router AKA firewall AKA layer 3 network appliance. Whatever you call it, it acts as the traffic cop between local networks and the Internet.
Switches expand a wired network, and wireless access points (APs) convert wires into Wi-Fi.
A UniFi “controller” is a general term for anything that runs the UniFi Network application, the software that manages everything.
The UXG-Lite is a “UniFi Gateway” and it is… just a gateway. It doesn’t have built-in Wi-Fi or additional switch ports, and it doesn’t host any UniFi applications. You need a separate controller to manage a UXG-Lite. You can use a hardware Cloud Key or download the software for free and run it on your computer, server, or cloud service.
The alternative is a UniFi OS Console or Cloud Gateway. The Dream Router (UDR) is a UniFi Cloud Gateway because it acts as a gateway and a controller. All Cloud Gateways are controllers, run UniFi software, and manage themselves. Cloud Gateways can’t be used together with a Cloud Key, self-hosted controller, or a UXG-Lite.
The important thing to remember from this marketing madness is that a UXG can’t stand alone. It needs a separate UniFi Network controller. Use your own hardware, buy a Cloud Key, or rent one from Ubiquiti starting at $29/month.
It is also worth noting that Ubiquiti has confirmed more UXG models are coming.
To be clear: UniFi Express is not a direct successor to the USG. For that, consider the UXG Lite - which is an independent gateway similar to the USG. There will be additional products in the UXG series available in the future to complement the currently available Lite and Pro models.
That could mean a new top-of-the-line UXG Enterprise, or something in the middle of the Lite and Pro. It could mean both, eventually. For now, we’ll focus on the hardware options we currently have.
UXG-Lite First Impressions
First, the ugly: The UXG-Lite has only two gigabit Ethernet interfaces. One WAN, one LAN. The old USG has a 3rd interface which can be assigned as a 2nd WAN or a 2nd LAN. The new UXG-Lite doesn’t. If you need more than two interfaces or more than gigabit speeds, consider the $499 rackmount UXG-Pro, a Cloud Gateway, or another vendor.
The Gateway Lite does technically support the LTE Backup or LTE Backup Pro as a secondary Internet connection. These attach to a LAN switch port, and the UniFi Network software automatically tunnels and configures them to act as a backup cellular WAN. In the US these are locked to AT&T, and require a $15/month plan for 1 GB of data, plus $10 for each additional GB. This may be an option for some, but the lack of a 3rd port is limiting.
The UXG-Lite lives up to its “Lite” status, but it’s not all bad. The actual hardware is small, silent, and pretty nice. It has a white, soft-touch plastic enclosure and an LED on the front for status. It supports all of the latest UniFi features, and claims to support gigabit routing, including with Suricata IDS/IPS enabled. More on that later.
USB-C input for power is a welcome change, but the lack of mounting holes is not. Ubiquiti will happily sell you a magnetic Floating Mount for $29. You can also 3D print one, get creative, or just find something flat to place it on top of.
Moving beyond hardware, there are many software features on a UXG that are not present on the USG. Most of the routing and security features added to UniFi gateways over the past few years are on the UXG-Lite, and very few are on the USG. It’s time to boot them up and compare them.
Initial Setup
As with other UniFi devices, you can use the mobile app or desktop web interface for setup. For devices like the UXG-Lite that have Bluetooth, initial setup with the UniFi mobile app is usually the easiest. If you have an existing network running on a Cloud Key or self-hosted controller, it might be easier to use the desktop interface.
This is a quick look at the setup process, with UniFi Network version 8.0.26 and UXG Lite firmware 3.1.16. It will help you connect to your ISP and guide you through the first time setup process. If you have multiple controllers or UniFi sites, select the appropriate one, hit next a few times, and that is about it.
There is a similar process in the desktop web interface. One way to use that is to plug a computer into the LAN port of the UXG-Lite, and navigate to the default IP of 192.168.1.1 in a web browser. You’ll see a few options for manually connecting to a controller, signing into your ui.com account, and changing WAN settings to get connected.
After it’s adopted, you’ll need to use the Network application for everything else. The UXG-Lite doesn’t have the bare bones post-adoption web interface the USG has, only a “Setup Complete!” message and link to unifi.ui.com.
Setup is less straightforward if you have an existing UniFi network and gateway. UniFi Network sites can only have one gateway at a time. Before doing anything, take a backup, and see if you need to install any updates.
For those migrating from a USG or USG-Pro, you have to remove them first. Then you’ll be able to adopt the new UXG-Lite to take its place.
For those migrating from a Dream Machine or Cloud Gateway, you’ll want to set up your new controller first. Import your UniFi Network backup, remove the old, offline gateway if needed, then adopt the UXG-Lite. If you get stuck, try using the UXG’s initial setup web interface to point it in the right direction.
After the gateway shuffle is complete, all of your network, security, and firewall settings will be applied. Anything custom you’ve changed in the config.gateway.json file on your USG will not carry over. None of the current UniFi gateways support that backdoor for custom configuration tweaks; everything lives in the GUI.
UniFi Gateway Features
There are a couple of ways to look at the features of the UXG-Lite. The spec sheet lists them out if you just want a quick overview. For those looking at migrating to a UXG from an EdgeRouter or another vendor, it’s worth looking at the current state of networking features for UniFi gateways as a whole. This is a (mostly) complete list of what you’ll get with UniFi at layer 3. As always, asterisks apply.
WAN Networking Features
IPv4 - DHCP, PPPoE, DS-Lite, or static
IPv6 - SLAAC, DHCPv6, or static
DHCP client options and Class-of-Service (CoS)
VLAN ID
MAC address clone, for dealing with MAC address authentication from your ISP
Smart Queues, for automated QoS on connections under 300 Mbps
UPnP
Dynamic DNS
LAN Networking Features
Virtual networks (VLANs) for segmenting traffic, up to 255 on most devices
DHCP server, relay, snooping, and guarding
IPv6
Multicast DNS
Content filtering (Work or Family) for restricting explicit or malicious content
Spanning Tree (STP, RSTP) and Ubiquiti’s proprietary Loop Prevention
Network Isolation
IGMP Snooping and IGMP Proxy
Jumbo Frames, Flow Control, and 802.1X control
VLAN Viewer, Radio and Port Manager, which are new ways to visually configure VLANs, ports, and assess Wi-Fi performance.
Security
Device and traffic identification for clients on your network
Country restrictions to block public IPs or web traffic by region
Ad blocking and DNS Shield — encrypted DNS over HTTPS (DoH)
Internal Honeypot to help detect malicious devices
Suspicious Activity (Suricata) — previously known as Intrusion Detection or Prevention (IDS/IPS)
Port forwarding
Traffic Rules for policy-based routing. They allow you to block, allow, or speed limit applications, domains, IP addresses, or regions on a per-device or per-network basis.
Manual firewall rules
Routing
Static routes
Traffic Routes, another newer feature that allows you to route specific traffic to a VPN or WAN interface. This can be for a single device or an entire LAN network. Together with Traffic Rules, it is UniFi’s solution for policy-based routing.
VPN Options, generally:
VPN Servers: Wireguard, OpenVPN, L2TP
VPN Clients: Wireguard, OpenVPN
Site-to-site VPNs: OpenVPN, IPsec
VPN Options with Asterisks*
*These aren’t supported when using a UXG Lite/Pro with a self-hosted controller. They require either Ubiquiti’s $29/month-and-up official UniFi Hosting service or a hardware Cloud Key.
Site Magic, an automatic site-to-site option available on unifi.ui.com for those with multiple UniFi sites and multiple Cloud Keys or Cloud Gateways
Teleport, which is Wireguard with a QR code scanning setup process
Identity one-click VPN, which is part of the new UniFi Identity application and subscription service. This is not supported on official UniFi Hosting, only Cloud Keys and Cloud Gateways.
USG and UXG Feature Differences
They are old, but the USG and USG-Pro are still supported by current UniFi software. They continue to get occasional firmware updates, mostly for security flaws and small component updates. The last one was v4.4.57 in January 2023, for reference.
Even with the latest Network application version, USGs don’t support most of the new features like Wireguard, Traffic Rules, or Traffic Routes. You’ll only find those on a UXG or Cloud Gateway. Some features that are supported on both USGs and UXGs can have differences, so let’s go through all of them.
The USG doesn’t have:
Wireguard server or client, OpenVPN client, Teleport, Site Magic, or Identity VPN options
Content Filtering
WAN MAC Address clone and WAN DHCP Client Options
Device Identification
Ad blocking
Internal Honeypot
Traffic Rules and Traffic Routes
WiFiman
The new port and VLAN viewer, as well as port insights
IGMP Proxy
You can also look at the same thing in reverse. There are some older features or things you can do with a USG that you can’t with a UXG-Lite. Besides the obvious limitation of a single WAN port, these are mostly older options that have been replaced or made obsolete.
The few others that are missing, like SNMP monitoring, will hopefully be added in upcoming firmware updates. It’s possible they never will be though, and you should never buy a product based on the hope that a missing feature will be added.
The UXG doesn’t have (at least not yet):
SNMP monitoring
DNS Shield (added in v3.2.11)
Loop Prevention (added in v3.2.11)
LLDP
The legacy PPTP VPN option
Hardware offloading settings
The “Traffic Restrictions” system from USG became Traffic Rules
IPv6 RA Valid Lifetime and Preferred Lifetime
Firewall Options: broadcast ping, receive redirects, send redirects, SYN cookies
The ability to edit the config.gateway.json file for custom configuration changes
Routing and VPN Speed Tests
One of the most common complaints about the USG and USG-Pro is their performance limitations. The USG has a weak CPU with optional hardware offloading, which moves some cryptographic and networking tasks onto dedicated hardware. With offloading enabled, gigabit performance is possible. The downside is that you can’t enable offloading and Suricata IDS/IPS at the same time.
For IDS/IPS, you have to disable the USG’s hardware offloading, dropping performance below gigabit. Performance drops even further with IDS/IPS enabled, usually below 100 Mbps on the USG, and maybe 2 or 3 times that on the USG-Pro. This also affects inter-VLAN routing and VPN traffic. This is one of the main reasons people have been asking for an updated model for so long.
There's good news there. The UXG-Lite can handle gigabit IDS/IPS.
Routing vs. Switching
It’s worth briefly covering what routing is versus switching. Let’s look at a hypothetical example of a UXG-Lite connected to a 2.5 Gbps switch with two PCs connected.
If they’re in the same VLAN or network, traffic from PC1 to PC2 just passes into and out of the switch. The UXG-Lite doesn’t have any work to do at layer 3. That traffic is being switched, and forwarded directly. Traffic from PC1 goes directly to PC2. TCP throughput should be around 2.3 or 2.4 Gbps, due to normal TCP and Ethernet overhead.
If you moved PC2 to another VLAN or network, the traffic has to be routed. Packets from PC1 will go to the switch, then to the UXG-Lite, then back to the switch, and then PC2. PC1 has to rely on its gateway to escape the network it is on, and reach PC2.
Even though PC1 and PC2 are connected to the same physical switch, if they’re on separate networks, you need a router to be involved. Traffic from PC1 can’t go directly to PC2. The UXG-Lite has to coordinate the dance of electrons, and the routing performance of the UXG-Lite comes into play. All devices on the switch will share a single full-duplex gigabit link to their gateway. TCP throughput should be around 940 Mbps, due to normal TCP and Ethernet overhead.
With that out of the way, onto the numbers!
iPerf Speed Test Results
iPerf is an open-source tool that allows you to synthetically test the performance of a network. For these results, I ran three tests in each direction and averaged out the results. This isn’t a guarantee of performance in your network, this is what I got with my test devices, on a mostly idle USG, UDM, and UXG-Lite. Real-world results will vary.
After spending too much time trying different iPerf versions and options, I settled on using iPerf3 with the following settings for all of my tests:
iperf3 -c <server-ip> -i 10 -O 10 -t 90 -P 10 -w 2M -R
This means I’m using iPerf3, as a client connecting to the iPerf server’s address, with interim reports shown every ten seconds. I’m omitting the first 10 seconds of the test to account for TCP windowing and slow starts, and then running the test for 80 seconds. There are 10 parallel TCP streams on a single thread. I added the -R option on half of my tests to reverse the direction and choose whether my iPerf server would be sending or receiving.
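As an added example, not code from the original review, here is a small Python script that applies the methodology above and the routing-vs-switching arithmetic from earlier: it takes iperf3 -J (JSON) output from three runs in each direction, averages the receiver-side throughput per direction, and compares the mean with the theoretical TCP ceiling of the link, which is where the “about 940 Mbps” and “2.3 or 2.4 Gbps” figures come from. The iperf3 JSON samples are constructed, and the overhead constants assume IPv4 with TCP timestamps on a 1500-byte MTU.

```python
"""Average iperf3 -J (JSON) runs per direction, as in the review's method
(three runs each way, -R for the reverse direction), and compare the mean
with the theoretical TCP ceiling of the link. Samples are constructed."""
import json
import statistics

ETH_OVERHEAD = 38     # preamble 8 + MAC header 14 + FCS 4 + inter-frame gap 12
IP_TCP_HEADERS = 40   # IPv4 header 20 + TCP header 20, no options
TCP_TIMESTAMPS = 12   # TCP timestamp option, on by default on Linux and macOS

def tcp_ceiling_mbps(link_mbps, mtu=1500, vlan_tag=False):
    """Best-case TCP goodput on Ethernet: payload bytes per wire bytes.
    1 Gbps at a 1500-byte MTU gives about 941 Mbps, 2.5 Gbps about 2354 Mbps."""
    wire_bytes = mtu + ETH_OVERHEAD + (4 if vlan_tag else 0)
    payload_bytes = mtu - IP_TCP_HEADERS - TCP_TIMESTAMPS
    return link_mbps * payload_bytes / wire_bytes

def run_mbps(json_text):
    """One iperf3 -J run: (reverse flag, receiver-side throughput in Mbps).
    The receiver's count is used in both directions, since that is what
    actually made it across the gateway."""
    result = json.loads(json_text)
    reverse = bool(result["start"]["test_start"].get("reverse", 0))
    return reverse, result["end"]["sum_received"]["bits_per_second"] / 1e6

def summarize(json_texts, link_mbps=1000, vlan_tag=False):
    """Mean throughput per direction and its share of the TCP ceiling."""
    by_direction = {"forward": [], "reverse": []}
    for text in json_texts:
        reverse, mbps = run_mbps(text)
        by_direction["reverse" if reverse else "forward"].append(mbps)
    ceiling = tcp_ceiling_mbps(link_mbps, vlan_tag=vlan_tag)
    summary = {}
    for direction, values in by_direction.items():
        if values:
            mean = statistics.mean(values)
            summary[direction] = {
                "runs": len(values),
                "mean_mbps": round(mean, 1),
                "pct_of_ceiling": round(100 * mean / ceiling, 1),
            }
    return summary

def _sample(bits_per_second, reverse):
    """Constructed, minimal iperf3 -J output; real output has many more fields."""
    return json.dumps({
        "start": {"test_start": {"protocol": "TCP", "num_streams": 10,
                                 "omit": 10, "duration": 90, "reverse": reverse}},
        "end": {"sum_sent": {"bits_per_second": bits_per_second * 1.002},
                "sum_received": {"bits_per_second": bits_per_second}},
    })

# Three constructed runs each way for an inter-VLAN test through a gigabit gateway.
SAMPLE_RUNS = ([_sample(b, 0) for b in (929.0e6, 925.5e6, 926.5e6)]
               + [_sample(b, 1) for b in (931.0e6, 930.0e6, 932.0e6)])

if __name__ == "__main__":
    print(f"TCP ceiling, 1 Gbps: {tcp_ceiling_mbps(1000):.1f} Mbps")
    print(f"TCP ceiling, 2.5 Gbps: {tcp_ceiling_mbps(2500):.1f} Mbps")
    for direction, stats in summarize(SAMPLE_RUNS).items():
        print(direction, stats)
```

To use it on real data, run the command above with -J added and feed each run’s saved JSON to summarize().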
Routing Speed
UXG-Lite
Same LAN (switching): 940 Mbps
InterVLAN routing: 927 Mbps
USG with hardware offload enabled
Same LAN (switching): 939 Mbps
InterVLAN routing: 924 Mbps
USG with hardware offload disabled
Same LAN (switching): 937 Mbps
InterVLAN routing: 107 Mbps
UDM
Same LAN (switching): 941 Mbps
InterVLAN routing: 936 Mbps
As expected, the USG with offloading disabled struggles, but they’re all capable of line-rate performance otherwise. Next, we’ll enable “Suspicious Activity” and see how much Suricata slows them down.
Routing Speed with Suspicious Activity Enabled
UXG-Lite
IPS/IDS off: 941 Mbps
IPS/IDS on auto: 942 Mbps
IPS/IDS on high: 941 Mbps
USG
Offload on, IPS/IDS off: 937 Mbps
Offload off, IPS/IDS off: 107 Mbps
Offload off, IPS/IDS on (low): 87 Mbps
Offload off, IPS/IDS on (high): 83 Mbps
UDM
IPS/IDS off: 941 Mbps
IPS/IDS on auto: 942 Mbps
IPS/IDS on high: 941 Mbps
As promised, the UXG-Lite can achieve gigabit IDS/IPS. Judging by how much CPU and RAM usage goes up, that might not always be the case. Real-world networks can get messy, and the hardware seems to be just barely pulling it off. Performance will vary based on sender and receiver, other clients, TCP, and a bunch of other factors.
Generally speaking though, for those with gigabit WANs, enabling the suspicious activity setting won’t slow you down.
VPN Throughput Results
The last set of testing was the most disappointing, and required the most research and explanation. I am not an expert on Linux, cryptography, and low-level hardware. Focusing on what matters: this is where you see the limitations of the UXG-Lite hardware.
Also worth noting:
IPsec is a complex kernel-layer protocol suite with many encryption and hashing options in UniFi. I tested with AES-128 and SHA1.
AES and other common cryptographic functions can be offloaded onto dedicated hardware, but high performance usually requires high-end components or custom ASICs. You won’t find either of those in UniFi devices.
OpenVPN is a TUN/TAP solution using TLS. It’s easier to administer, but with OpenVPN packets must be copied between kernel and user space, reducing performance.
Wireguard is the simplest, and doesn’t rely on hardware acceleration. It relies on the good performance of vector math on just about any modern CPU.
iPerf is one way to benchmark, but it’s not always representative of real-world results. I like how Netgate markets their similar SG1100 ($189, dual-core A53) appliance using iPerf3 and IMIX, which is meant to represent complex voice, data, and video traffic.
OpenSSL Speed Benchmarking
I can’t test every hardware configuration, and I don’t have multiple units of every model for true site-to-site results. A standardized, repeatable way to measure cryptography performance from model to model would be useful. Thankfully, the OpenSSL Speed command is one way to do that, and test the raw cryptography power of a system.
These results do not represent what you can expect in a real-world network, but they are a level playing field for comparisons. This also let me gather data from some helpful folks that have hardware I don’t have. It also let me put in some silly data points, like my U6-Pro, and some comparisons to higher-end components, like the M1 Pro inside my MacBook, and the Ryzen 7800X3D in my gaming PC. You can also compare them against other public results, like these Raspberry Pi OpenSSL benchmarks from pmdn.org.
For UniFi routers, we can condense the results a bit. The UXG-Pro, UDM-Pro, UDM-SE, and UDW all share the same heart: an Annapurna Labs AL-324 CPU. The UXG-Pro has half the RAM and there are other small differences, but the results I gathered are within margin of error from each other. I’ll just be showing the UXG-Pro from this group.
I didn’t test every cipher; I focused on MD5, SHA-1, SHA-256 and 512, and AES-128 and 256. Lastly, I included ChaCha20-Poly1305. Besides having a delightfully quirky name, it’s the encryption algorithm Wireguard uses.
With these numbers you can make the UXG-Lite look really powerful. You can also make it look underwhelming.
More importantly, since we’re talking about routing and VPNs, you can see the stark difference between the ARM models and the non-ARM models in MD5 and SHA, and in AES and Wireguard.
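As an added example, not part of the review, here is a Python parser for the summary table that openssl speed prints, converting the 16384-byte-block column into Mbps so raw cipher throughput can be set beside the VPN numbers above on one scale. The table text is constructed to match the openssl speed layout and is not a measured result from any device.

```python
"""Parse the summary table printed by `openssl speed` and convert it to the
unit used for VPN throughput (Mbps) so boxes can be compared on one scale.
The sample tables below are constructed, not measured on any real device."""
import re

# Header line: "type   16 bytes   64 bytes ... 16384 bytes"
HEADER = re.compile(r"^type\s+(.*)$")
# Data row: algorithm name followed by one "<number>k" value per block size
ROW = re.compile(r"^(\S+)\s+((?:\d+(?:\.\d+)?k\s*)+)$")

def parse_speed_table(text):
    """Return {algorithm: {block_size_bytes: thousands_of_bytes_per_second}}.
    Names are lower-cased because -evp rows print them in upper case."""
    sizes, table = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", header.group(1))]
            continue
        row = ROW.match(line)
        if row and sizes:
            values = [float(v.rstrip("k")) for v in row.group(2).split()]
            if len(values) == len(sizes):
                table[row.group(1).lower()] = dict(zip(sizes, values))
    return table

def kbytes_to_mbps(kbytes_per_second):
    """openssl speed reports 1000s of bytes/s; VPN charts use megabits/s."""
    return kbytes_per_second * 8 / 1000

def large_block_mbps(table, block_size=16384):
    """Throughput per algorithm at the largest block size, in Mbps.
    Large blocks approximate bulk packet payloads better than 16-byte blocks."""
    return {alg: kbytes_to_mbps(cols[block_size])
            for alg, cols in table.items() if block_size in cols}

def speedup(table_fast, table_slow, algorithm, block_size=16384):
    """How many times faster one box is than another for a given algorithm."""
    return table_fast[algorithm][block_size] / table_slow[algorithm][block_size]

# Constructed samples in the openssl speed layout (the numbers are made up).
SAMPLE_BOX_A = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
md5              40000.00k   110000.00k   240000.00k   330000.00k   370000.00k   375000.00k
sha256           25000.00k    70000.00k   160000.00k   260000.00k   310000.00k   315000.00k
AES-128-CBC      60000.00k   120000.00k   220000.00k   260000.00k   275000.00k   280000.00k
ChaCha20-Poly1305 30000.00k   80000.00k   150000.00k   170000.00k   180000.00k   182000.00k
"""
SAMPLE_BOX_B = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-128-CBC     600000.00k  1200000.00k  2200000.00k  2600000.00k  2750000.00k  2800000.00k
ChaCha20-Poly1305 300000.00k  800000.00k 1500000.00k 1700000.00k 1800000.00k 1820000.00k
"""

if __name__ == "__main__":
    box_a, box_b = parse_speed_table(SAMPLE_BOX_A), parse_speed_table(SAMPLE_BOX_B)
    for alg, rate in large_block_mbps(box_a).items():
        print(f"box A {alg:18s} {rate:8.0f} Mbps")
    print("box B vs A, chacha20-poly1305:",
          round(speedup(box_b, box_a, "chacha20-poly1305"), 1), "x")
```

Capture real input with something like openssl speed -elapsed -evp aes-128-cbc on each device and pass the printed table to parse_speed_table().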
Dual-Core Drama and Crypto Offloading
Let’s pull back to what we’re here to talk about: VPNs, networking, and routing performance. The UDM and UXG-Pro are more capable than the UXG-Lite, and that comes down to two things. The UDM has four ARM A57 cores at 1.7 GHz; the UXG-Lite has two ARM A53 cores at 1.0 GHz. Just based on core count, speed, and power consumption alone, the UXG-Lite has a lot less power for cryptography. This results in much lower VPN throughput.
The Cortex A53 has ARMv8 crypto extensions to allow hardware offload, but they have to be licensed. On low-end components without a license, like the Raspberry Pi, encryption is done in software by the CPU. Judging by the performance and the output of the lscpu command, I’m assuming the UXG-Lite has these licensed and enabled. There’s just only so much you can do with less than 4W of power available.
WireGuard is an efficient software-only protocol that can't be hardware-offloaded by design. Unlike OpenVPN, Wireguard supports multi-threading. With only 2 cores and other services to run, the UXG-Lite still struggles with it, but it’s better than IPsec and OpenVPN. For those looking to have a simple remote or site-to-site VPN, the UXG-Lite is good for that. Just don’t expect it to go beyond 100 Mbps or support a lot of simultaneous users.
The older processor, small case, and low-power design keep the UXG-Lite from being a VPN powerhouse. You’re not going to get great VPN performance from something this small, or this cheap. Set your expectations accordingly.
UniFi Gateway Lineup Overview
Now that we’ve covered specs, setup, and performance, it’s time for a broader view. Where does the UXG-Lite fit in?
As I covered before, there are two types of UniFi gateway firewalls. There are standalone, independent USGs and UXGs, and then there are Cloud Gateways. Gateways like the UXG-Lite require something else to run the UniFi Network application, whereas the Cloud Gateways like the UniFi Dream Machine run the application and manage themselves.
UXG-Lite: Our Monkey’s Paw Gateway
As a whole, I think the UXG-Lite is a good product. I’m glad we finally have a good entry-level gateway option again. That said, the UXG-Lite isn’t without limits or problems. A few can be addressed in software updates, but a software update can’t add an interface or increase hardware power. If the UXG-Lite sticks around as long as the USG did, it might look just as embarrassing as the performance of the USG does now.
In 2019, the Dream Machines (UDM and UDM-Pro) were introduced. They were new and exciting all-in-one options with some rough software edges. The biggest negative was that they couldn’t be adopted by a self-hosted controller or Cloud Key. They couldn’t be used in centralized multi-site deployments, which is how a lot of people used UniFi. The Dream Machines represented a change of direction, and the future of multi-site support and self-hosted controllers wasn’t always clear.
What users have wanted since then was simple: a new USG. Something that can be a drop-in replacement, without forcing them into an all-in-one. Over four years later, here it is. The UXG-Lite is the new USG we’ve been waiting for, but it’s not everything we’ve hoped it could be. It feels like the result of a monkey’s paw wish.
“Be careful what you wish for, you may receive it.” -Anonymous
For those specifically upset about Suricata IDS/IPS limiting throughput, they got what they wanted. The UXG-Lite has just enough hardware to satisfy that need for gigabit networks. Performance can dip below gigabit speeds with complicated rule sets and other factors, and there isn’t much overhead. It’s as if they made the cheapest and smallest box to satisfy that specific need, and to their credit, they achieved that.
What they didn’t achieve is a bit more subjective. Every product requires compromise. It can’t have every feature and a low price. The smallest and cheapest models always require tradeoffs, and they have to lack some things that more expensive models have.
For the Gateway Lite, Ubiquiti chose to compromise on VPN throughput and the quantity and speed of the networking interfaces. They prioritized low cost, low power, and a small size. It does deliver more performance than the USG, and includes most of the modern UniFi features though. This tier is never going to be a VPN or firewall workhorse though, because those require better hardware, more power, and more money.
For many, the UXG Lite is a glass of ice water in hell. Many bought it as soon as they could, thankful for anything that was able to replace their USG or allow them to build the style of the network they wanted with a self-hosted or Cloud Key controller. Now that we’ve had some time to test, digest, and reflect, I’m still mostly positive about the UXG-Lite. I’ve harped on the limitations and downsides enough.
It’s easy to see something about the UXG-Lite you’d want to change. Maybe it’s adding a 3rd interface to use as a WAN or LAN. Some might begrudge the lack of 2.5 Gbps Ethernet. Some might wish VPN performance was higher. Some might wish they could still make custom configuration changes. Some are rightfully annoyed you need to buy a $29 accessory to mount it on a wall.
Maybe it’s the fact that the UXG-Lite could be so much more if just a few things were different. If you’re like me, you can hold on to hope that a no-adjective UXG, UXG-Plus, or some other future model is coming with more features, higher performance, and however much more cost that will require. I bet we’ll still need an accessory to wall-mount it though.