Best Practices: Guest WiFi

Ensuring security, isolation, and performance for guest WiFi networks is crucial for protecting your internal network and providing a reliable experience for your guests. This guide outlines best practices to achieve these goals.

To begin, let’s quickly cover the steps to create a Guest WiFi, and then we’ll cover the UniFi Network features we recommend using.

Creating a Guest WiFi Network

To create a guest WiFi:

  1. Navigate to Settings > Networks and create a New Virtual Network.
  2. Give your guest network a name (this is not public-facing).
  3. Navigate to Settings > WiFi and select Create New.
  4. Give your WiFi Network a public-facing SSID.
  5. Set your guest network as this WiFi’s Network.

Now that you have a unique guest WiFi with a unique network, explore the features below to start securing it.

Optional: Create a Hotspot Portal

You can create a Hotspot Portal on a WiFi and customize the landing page, as well as features including payment and expiration time. To implement this:

  1. Navigate to Settings > WiFi and select your guest WiFi.
  2. Enable Hotspot Portal.

To edit your Hotspot Portal, navigate to Insights > Hotspot.

Isolate Guest Devices

UniFi offers a robust toolkit for managing device communication and internet access permissions. When setting up a guest network, it's essential to isolate WiFi clients from each other and from other network devices, while still granting them internet access and maintaining seamless functionality for other network users.

Client Device Isolation

Client Device Isolation blocks devices on an AP from talking to other devices on the same AP.

  1. Navigate to Settings > WiFi.
  2. Select the Guest Network you created.
  3. Enable Client Device Isolation.

Device Isolation (ACL)

Device Isolation (ACL) prevents guest wireless devices from communicating with wired devices on the same Network/VLAN. To implement this:

  1. Navigate to Settings > Networks.
  2. Enable Device Isolation (ACL).
  3. Select the network/VLAN you wish to isolate.

For more information on switch ACLs and supported switch models, click here.

Access Control List (ACL) and Traffic Rules

To ensure that guest devices can't contact devices on other Networks/VLANs, you have two primary options available in UniFi Network. These options provide a robust way to maintain network segmentation and security:

Access Control List (ACL) Rules

Use ACLs for VLAN isolation if the guest network is fully managed on a UniFi L3 switch. To implement this:

  1. Navigate to Settings > Networks.
  2. Enable L3 Network Isolation (ACL).

UniFi Network version 8.2 introduces more granular control over network traffic with the addition of Access Control Lists (ACLs). ACL Rules allow you to define precisely which devices and traffic can communicate on your network.

For example, you can create ACL Rules to isolate guest devices from your internal network or restrict specific types of traffic on the guest network.

For more information on switch ACLs and supported switch models, click here.

Traffic Rules

Use Traffic Rules when the guest network is managed on the Gateway. To implement this:

  1. Navigate to Settings > Networks.
  2. Create and apply appropriate Traffic Rules, such as:
    • Block a specific network from a subset of other networks.
    • Block certain devices on a specific network from a subset of networks.
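
Once the isolation settings above are applied, it is worth confirming them from a laptop joined to the guest SSID. The script below is an added example, not part of UniFi Network or the original article; the subnets, hosts and ports are constructed placeholders to replace with your own, and each finding names the setting from this guide to revisit.

```python
import socket
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumptions, not values from the article).
GUEST_NET = ip_network("192.168.50.0/24")
INTERNAL_NETS = [ip_network("192.168.1.0/24"), ip_network("10.0.10.0/24")]

def tcp_probe(host, port, timeout=1.5):
    """True if anything answers: a completed handshake or a reset."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        # A reset came back, so the path was not silently dropped.
        return True
    except OSError:
        return False  # timeout or unreachable: consistent with isolation

def classify(host):
    """Map a target to the setting in this guide that should govern it."""
    addr = ip_address(host)
    if addr in GUEST_NET:
        return "same-vlan", "Client Device Isolation / Device Isolation (ACL)"
    if any(addr in net for net in INTERNAL_NETS):
        return "other-vlan", "L3 Network Isolation (ACL) or a Traffic Rule"
    return "internet", None

def audit(targets, probe=tcp_probe):
    """Findings: internal targets that answer, internet targets that do not."""
    findings = []
    for host, port in targets:
        scope, control = classify(host)
        reachable = probe(host, port)
        if scope == "internet" and not reachable:
            findings.append((host, port, "internet blocked: guest access broken"))
        elif scope != "internet" and reachable:
            findings.append((host, port, f"{scope} reachable: review {control}"))
    return findings

if __name__ == "__main__":
    # Constructed targets: a guest client, a wired host on the guest VLAN, hosts
    # on two internal VLANs, and one outside address. Leave out the guest
    # gateway itself; clients must reach it for DHCP and DNS.
    targets = [("192.168.50.23", 445), ("192.168.50.5", 80),
               ("192.168.1.10", 22), ("10.0.10.2", 443), ("203.0.113.10", 443)]
    for host, port, msg in audit(targets):
        print(f"FAIL {host}:{port} {msg}")
```

An empty result means every internal probe was dropped and the outside address answered. A reset from an internal address can also come from a rejecting firewall, so treat it as a prompt to check the rule rather than proof of a gap.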

Ensure Best Performance

Optimizing the performance of your guest WiFi network is essential for providing a positive experience to your guests while maintaining the efficiency of your overall network. By implementing the following practices, you can ensure that your guest WiFi operates smoothly, minimizes interference with other network traffic, and makes the best use of available bandwidth.

ARP Caching

Address Resolution Protocol (ARP) Caching optimizes network performance by storing mappings of known IP and MAC addresses. It reduces multicast traffic by eliminating repetitive ARP broadcasts for frequently accessed destinations. Enabling ARP Caching on your guest WiFi network minimizes airtime usage by DHCP requests and other multicast traffic, enhancing overall efficiency.

Note: This is most relevant for very large networks.

To enable ARP Caching:

  1. Navigate to Settings > WiFi.
  2. Select the WiFi in question.
  3. Enable Proxy ARP.

Speed Limits

Setting a speed limit on the guest SSID is optional but can be beneficial. It ensures fair bandwidth distribution and prevents any single user from hogging the network. Additionally, it reduces traffic on your guest network, which can enhance traffic speed on other networks. To implement this:

  1. Navigate to Profiles > WiFi Speed Limit and Create a new profile.
  2. Adjust the settings to your desired speed.
  3. Navigate to Settings > WiFi.
  4. Select the WiFi in question.
  5. Enable WiFi Speed Limit and select your profile.

Application-Level Traffic Rules

Implementing Traffic Rules to throttle or block non-critical applications can free up bandwidth for more important uses. You can set up Traffic Rules in Settings > Security > Traffic and Firewall Rules.

For example, prohibit users on your Guest WiFi from using BitTorrent with a simple Traffic Rule:

  • Action: Block
  • Source: [Choose your guest network]
  • Destination: App Group
    • Select File Transfer
  • Schedule: Always

To learn more about Traffic Rules, read our article here.
