[Network|UniFi] Advanced Setup | Guest Network Tutorial

VLAN based Guest Wi-Fi Network

Even though my network building motto is “keep it simple”, the limitations of the Hotspot approach (lack of bandwidth restriction and SSID-based authentication) were significant enough. So I decided to use the VLAN approach to create my guest network.

With the newer version of UniFi OS, this involves 3 steps.

  1. Create Guest VLAN
  2. Create Guest Bandwidth Profile
  3. Create Guest Wi-Fi Network using the Guest VLAN & Guest Bandwidth Profile created in steps 1 and 2.

Creating Guest VLAN

Setting > Networks > Add a New Network

I named mine “Guest LAN” here, but you can name it whatever you like.

In contrast to the Guest Hotspot, the VLAN approach provides many additional network customizations. One of the options is content filtering. This is one way to restrict what types of webpages client device(s) can access.

*Not confirmed, but I believe Hotspot uses the primary/default LAN setup, so content filtering is most likely carried out from the default LAN.

Guest Network Isolation

Turn Device Isolation On.

In order to achieve what a Guest Network is really supposed to do, we need to expand the “Advanced” settings.

One major option we should turn on is “Device Isolation”. Turning this option on will ensure that devices connected to the Guest Network have no access to your other networks, which I believe most of us want when creating a guest network.

What’s New in 6.0?

[…]

Add new Device Isolation (creates guest network if turned on) and Internet Access (blocks WAN access if turned off) toggles.

UniFi Network Controller 6.0.20

I have tested this myself. Indeed, by keeping the Device Isolation option off (the default setting), I was able to access my UDM Pro hosted network controller and my main-network-connected NAS from a client device connected to the guest network.

VLAN Creation

For those of you unfamiliar with the Virtual Local Area Network (VLAN) concept, think of it as a way to separate networks without actually having separate hardware (switches). It is similar in concept to creating multiple Wi-Fi networks on a single access point. While separate SSIDs provide network isolation only for Wi-Fi, a VLAN applies at the level of the LAN, i.e. even wired devices can be separated into different networks.

For the minimum setting/configuration, you can just specify:

  • VLAN ID
  • Auto Scale Network “On”

Without going into technical detail, the VLAN ID is just a number-based ID for your VLAN. If you have not created any VLAN before, it most likely starts with a default value of 2. It can be changed to 10, 100, etc. In the above, I changed it to “10”.

Auto Scale Network is a newly added feature that takes away a couple of additional manual settings.

Auto Scale Network feature automatically adjusts subnet size and DHCP range with avoiding network collision.

UniFi Network Controller 6.0.20

Manually selecting Gateway IP and DHCP Range

My recommendation is to just leave Auto Scale Network “on” and skip this step altogether.

However, if you have a reason to, turn Auto Scale Network off; you then need to set the following two parameters:

  • Gateway IP/Subnet
  • DHCP Range

These two parameters specify which IP addresses are used when client device(s) are connected to the VLAN network. Auto Scale Network essentially fills these in automatically.

For consistency, I like to keep the VLAN ID and network IPs in sync. IP addresses have some specific rules (ref). In the big picture, for a Gateway IP/Subnet value of 192.168.X.1/24, think of X as your only variable, i.e. keep the rest of the numbers unchanged. Since I chose a VLAN ID of 10, I use 192.168.10.1/24. If the VLAN ID were 2, I would have used 192.168.2.1/24.

The DHCP Range needs to match the Gateway IP/Subnet. In fact, after you change the Gateway IP/Subnet, you can click Auto-Configure under the DHCP Range section (not the Gateway IP/Subnet section). This will automatically adjust the Start and Stop IPs to match, as 192.168.X.6 and 192.168.X.254.
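If you do set these values by hand, the sketch below derives them from the VLAN ID and checks them the way Auto Scale Network is described as doing (no collision with an existing network). It is an added example, not part of the original post and not UniFi code; the function name and the sample main LAN of 192.168.1.0/24 are assumptions.

```python
import ipaddress


def plan_guest_network(vlan_id, existing_cidrs, dhcp_first=6, dhcp_last=254):
    """Derive 192.168.<vlan_id>.1/24 plus a DHCP range and sanity-check both."""
    # VLAN IDs go up to 4094, but only 1-255 can be mirrored into one octet.
    if not 1 <= vlan_id <= 255:
        raise ValueError(f"VLAN ID {vlan_id} does not fit 192.168.X.1/24")
    gateway = ipaddress.ip_interface(f"192.168.{vlan_id}.1/24")
    subnet = gateway.network

    # Collision check: the guest subnet must not overlap any existing network.
    for cidr in existing_cidrs:
        other = ipaddress.ip_network(cidr, strict=False)
        if subnet.overlaps(other):
            raise ValueError(f"{subnet} overlaps existing network {other}")

    # The DHCP pool must sit inside the subnet, above the gateway address
    # and below the broadcast address.
    start = subnet.network_address + dhcp_first
    stop = subnet.network_address + dhcp_last
    if start > stop or start not in subnet or stop not in subnet:
        raise ValueError("DHCP range is not inside the subnet")
    if start <= gateway.ip or stop >= subnet.broadcast_address:
        raise ValueError("DHCP range covers the gateway or broadcast address")

    return {
        "vlan_id": vlan_id,
        "gateway": str(gateway),
        "subnet": str(subnet),
        "dhcp_start": str(start),
        "dhcp_stop": str(stop),
    }


if __name__ == "__main__":
    # Constructed input: 192.168.1.0/24 stands in for the existing main LAN.
    print(plan_guest_network(10, ["192.168.1.0/24"]))
```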

Create Guest Bandwidth Profile

*If you plan to have no restriction on the amount of traffic the guest network can use, you can skip this step entirely.

Now we are going to create a Bandwidth limitation rule that can be used to restrict how much traffic is allowed.

Setting > Advanced Features > Bandwidth Profile > Add Bandwidth Profile

Here you can specify whatever number you want for the maximum bandwidth a user on the Guest Network can use. I named the rule “Guest” and set 50/10 Mbps.

Create Guest Wi-Fi Network

Finally, we are creating a Guest Wi-Fi Network (SSID). The reason it took so long to get here is that the other two steps ensure the Guest Wi-Fi network is isolated (VLAN) and has a bandwidth restriction (Bandwidth Rule).

Setting > WiFi > Add New WiFi Network

The Name here will be the SSID of the Wi-Fi. The Password is what clients will be prompted for when connecting to the SSID.

Network is where you choose the “Guest VLAN” that was created in the first step.

Under the advanced settings you have various options, one of which is Bandwidth Profile. This is where you add the “Guest” bandwidth profile that was created in the step above.

AP restriction (optional)

I’ve also chosen to restrict which APs my guests can use. This is an entirely optional step. For this, I created a new AP group called “Guest AP group”.

To create AP restriction, first you need to create a new AP group (if you do not have one for guest network target APs yet).

  1. Click “create New AP group”
  2. Name the AP group
  3. Check APs that will be broadcasting/supporting the guest network

I have chosen to have only 3 of my APs broadcast the guest network and reserve the other two just for my home network.

Now you just choose that AP group as the broadcasting AP group.

All the rest are default settings. In fact, I personally recommend keeping most if not all options default/off at first and ensuring the guest network functions properly before changing any parameters. This is because in networking there are way too many variables involved, so if something goes wrong, it becomes extremely difficult to troubleshoot when too many settings have been changed.

For example, I had issues before with the High Performance Devices option or the Enable Fast Roaming option “on” on my primary network, even though they sound great from reading their descriptions.

Reset Access Points

Creating Guest Network will re-provision the AP(s); however, this is not the same as rebooting the AP(s). So I recommend rebooting AP(s) at this point.

Device > Hover a mouse over the target AP > click Restart on the right

Test

That’s it. At this point, you should have a new Wi-Fi SSID broadcasting from your AP(s). You can connect to it by entering the SSID password. Now, try accessing your controller locally, i.e. by typing its IP address, e.g. 192.168.1.1. It should fail, as your guest network is isolated from the primary network. You can also try an internet speed test, where you should see that the speed won’t go beyond the bandwidth restriction you have set.
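To repeat the isolation test above after every settings change, the sketch below can be run from a laptop connected to the guest SSID. It is an added example, not part of the original post. It tries the main-network hosts that must be blocked, and it first checks a control host that must be reachable, so that a client with no connectivity at all is not mistaken for a working isolation setup. The NAS address, the ports and the control host are assumptions to replace with your own.

```python
import socket


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port can be opened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name lookup failed
        return False


def check_isolation(internal_targets, control_target, probe=tcp_reachable):
    """Run from a guest-connected client.

    internal_targets: (host, port) pairs on the main network that the guest
                      client must NOT be able to reach.
    control_target:   (host, port) that MUST be reachable; it proves the
                      client is online, so "blocked" is not just "offline".
    """
    if not probe(*control_target):
        return {"verdict": "inconclusive", "leaks": []}
    leaks = [target for target in internal_targets if probe(*target)]
    return {"verdict": "leak" if leaks else "isolated", "leaks": leaks}


if __name__ == "__main__":
    internal = [
        ("192.168.1.1", 443),   # controller address used in the post; port assumed
        ("192.168.1.50", 445),  # placeholder for a NAS on the main network
    ]
    control = ("example.com", 443)  # assumed internet control host
    result = check_isolation(internal, control)
    print(result["verdict"])
    for host, port in result["leaks"]:
        print(f"reachable from guest network: {host}:{port}")
```

A “leak” verdict matches what the post observed with Device Isolation left off; “inconclusive” means the client was not online, so the blocked results prove nothing.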