[UniFi] Keep it Simple | UniFi Basic Guide: How to create Guest Network

Since there has been a significant change in UniFi OS since my previous How to create Guest Network guide, I’ve decided to create an updated version using the latest Network controller version. My network motto is “Keep It Simple. Do no harm”, so this is the basic guide to get you started with your first Guest WiFi Network on UniFi OS 3/Network Controller version 8.

https://www.youtube.com/watch?v=HL_efFR_Ve8


Background

Before creating a Guest WiFi, the question you need to ask yourself is “do I need it?”

The one main reason for setting up guest WiFi is the need for complete “isolation”. If you want to share WiFi access with your guests so they can surf the internet while visiting your home, yet you do not want to share your home network password or let them access any device on your home network, guest WiFi is what you are looking for.

With the latest OS version, UniFi made guest network creation more intuitive than ever.

The general flow for setting up a guest network with UniFi is as follows:

  1. Define the guest network policy under “Hotspot Manager”.
  2. Create the Guest WiFi.
  3. Assign either the Guest WiFi or the Guest VLAN to use the hotspot policy.

Fortunately, UniFi’s default Hotspot Manager setting blocks connected clients from accessing everything on your network. So step 1 may be skipped by many home users except for one minor tweak, which I will discuss at the end.

This makes the setup as simple as creating a new SSID for the Guest WiFi, then telling either the SSID itself or the underlying VLAN to use the guest network policy defined in Hotspot Manager.

For reference, if you are using a system like Aruba Instant, the default is to allow all connections, so I had to manually add all the blocking policies when setting up guest WiFi on that system.

SSID vs. VLAN?

Should we assign the Hotspot Manager policy at the SSID level or the VLAN level? For Guest WiFi purposes alone, there is no practical difference, and it may come down to personal preference.

If there is one good reason to choose one or the other, you should probably choose the VLAN approach if you are making a dedicated VLAN. It takes fewer clicks as long as you are already making a new VLAN.

If you don’t have a reason to make a new VLAN, using the SSID approach with an existing LAN or VLAN should be fine, as these clients still won’t have any access to your underlying network.

Setup

At the time of this writing, my current setup consists of the following:

  • UniFi OS UDM Pro: v3.2.7
  • UniFi Network Controller (on UDM Pro): Version 8.0.24

The guest WiFi has the following features:

  • Isolated from the rest of the home network devices
  • Isolated from other client devices connected to the same SSID
  • Has its own SSID with a password

The first option is to create a guest network at the SSID level. In this approach, you don’t need to create a new VLAN.

First, log into your UniFi network controller.

Setting > Networks > WiFi > Create New

In the network controller’s left navigation, click setting, then WiFi, and click Create New.

Now fill in the name of the Guest WiFi SSID and its password.

Advanced > Manual

Now, under the Advanced section, click Manual.

There are several options here. The key to making this an isolated Guest WiFi is to check the Hotspot Portal option.

At this point, you may have noticed that the password section has disappeared from the top of the screen. This is because selecting Hotspot Portal uses “open” authentication by default. This means no password is required to use the SSID. If you are OK with this, you can hit Add and finish now.

However, I believe most home users want some type of authentication so their neighbors won’t start using their WiFi. You can authenticate through the Hotspot Portal’s welcome page by customizing the Hotspot Manager settings. But here I will go with the more conventional method, where we choose the SSID to connect to and get prompted for the password at that time.

Security Protocol > WPA 2

For this, go down toward the bottom of the page and click the Security Protocol dropdown. My suggestion here is to choose WPA2. It is less secure than WPA3; however, some devices can be incompatible with WPA3. Supposedly, these devices include the unpatched Microsoft Surface series. Since we never know what our guests will bring, I think it’s less hassle to use WPA2, and for home use I think it’s secure enough.

Now you can hit “Add WiFi Network”.

Now your Guest WiFi should be up and running.

VLAN Based Guest Network

The second option is to assign a VLAN as the guest network. VLAN stands for virtual local area network. This technology allows us to create a separate “wired” network without actually having physically discrete hardware like a second router or network switch.

With this approach, there are two basic steps.

  1. Create Guest VLAN
  2. Create new Wi-Fi Network using the Guest VLAN

Create Guest VLAN

Setting > Networks > New Virtual Network

In the network controller’s left navigation, click setting, then networks, and click New Virtual Network.

Here you enter a name for the local area network. For those of you who are new to networking, a LAN is not the same as WiFi. It is the wired backbone side of the network, so you will not see this name when connecting to WiFi. I just call it “Guest VLAN” myself, but you can name it whatever you like.

Advanced > Manual > Enable Isolation Network

The key step to enable Guest network functionality on the VLAN is to click Manual under the Advanced section. In the Isolation section, check Network.

This makes any network connection that uses this VLAN follow the Guest Network rules.

Optionally, if you want to turn on content filtering, you can do so here. This is one way to apply parental-control-type filtering to all devices using the Guest VLAN. I will keep the rest of the settings at their defaults for simplicity, which should work for most of us.

Lastly, make sure to hit “Add” to finish creating the new VLAN. You should now see that it has been added to the bottom of the LAN/VLAN list.

Create Guest Wi-Fi Network

Now we are going to create a guest-specific Wi-Fi network (SSID). Unlike the SSID-based guest WiFi, here all we need to do is associate the new SSID with the Guest VLAN.

Setting > WiFi > Create New

This time we go under the WiFi settings and hit Create New.

On this page, we fill in the name of the Guest WiFi SSID and its password.

In order to have this SSID use the Guest VLAN, click the Network dropdown menu and select the Guest VLAN that you have just created.

Now hit Add WiFi Network. You are done.

Hotspot Manager

At this point you should have a functional Guest WiFi. If you like, you can try connecting to it and see how it works.

You will notice there is an initial web page, which is called a captive portal. You may or may not like the look of UniFi’s default Guest page.

So let’s briefly take a look at how we can customize this.

Network > Hotspot Manager

On the network controller, click Hotspot Manager.

Landing Page

Next, click Landing Page. Here you can customize the captive portal web page. The customization includes visual changes as well as adding web-page-based login, including social media login.

Setting > Show Landing Page (Uncheck)

Some may prefer just a regular SSID login without any captive portal. For this, go to the Setting section and uncheck “Show Landing Page.”

Now hit save.

Summary

Congratulations, you should now have a fully isolated Guest WiFi. You can try pinging one of your network devices from a device connected to the guest WiFi. You can also try accessing a local network device such as the router from a browser by typing in its IP address. None of these should work.

After playing with other vendors’ Guest Network setups, I appreciate how the current version of the UniFi Guest network setup works.
