Important: Free Tier signup is temporarily disabled for new users June 7th - June 16th

How to set up a UniFi guest Wi-Fi network

Published onby Iron

You can create a guest Wi-Fi in UniFi with just an access point and controller. But to properly isolate guests from your main network, you’ll need a UniFi gateway.

Here’s how both setups work, and how to secure them. Lets dive in!

🚨 Before we dive in, please don't self-host your UniFi Controller if you take care of client networks. Sooner or later this will cause issues! It's fine for home users, but definitely not recommended for IT service businesses and MSPs. If you want secure, reliable and a scalable hosting solution check out UniHosted.

Table of Contents

Video

Rather watch a video than read this article? Our own Fernando created a video that shows you how to setup a UniFi Guest network:

If you don’t have a UniFi gateway

If you only have a UniFi AP and a controller (local or hosted, like with UniHosted), you can still create a guest Wi-Fi. But isolation is limited.

Steps:

  1. Go to Settings > Wi-Fi.
  2. Create a new network. Name it something like Guest.
  3. Set a password. (Use something secure. Don’t copy this tutorial.)
  4. Under Advanced, enable Client Device Isolation.

This prevents devices connected to the same AP from talking to each other.

Limitations:

Client Isolation only applies to devices on the same access point. If a guest connects to AP1 and another to AP2, they can still see each other. Worse, this setting won’t block guests from accessing wired devices on your main LAN.

So while it gives some protection, it’s not enough if security is critical. You’ll need VLANs and firewall rules, which require a UniFi gateway.

If you do have a UniFi gateway

Now you can properly segment traffic and enforce isolation at the firewall level. Here's a better setup:

Step 1: create a VLAN network

  1. Go to Settings > Networks.
  2. Click Create New Network.
  3. Name it Guest, assign it a VLAN ID (e.g. 40), and pick the Hotspot zone.
  4. Set the subnet, enable DHCP, and leave DNS on auto.

The Hotspot zone automatically blocks this VLAN from reaching your internal network. It also allows captive portal features if needed.

Step 2: assign the VLAN to your guest Wi-Fi

  1. Go back to Settings > Wi-Fi.
  2. Edit your Guest Wi-Fi network.
  3. Under Network, assign it to the VLAN you just created.

Now guest traffic is routed through a separate network, isolated from your LAN.

Optional: landing page (captive portal)

UniFi enables a landing page by default for Hotspot zones. You can disable it:

  • Go to Settings > Hotspot > Landing Page
  • Toggle it off

Or customize it with a logo, terms of service, or use vouchers/Facebook logins.

Note: If you enable the captive portal in Wi-Fi settings (instead of using the Hotspot zone), UniFi removes the Wi-Fi password. That’s why it’s better to use the Hotspot zone, you can keep both the password and the portal.

Verify isolation

To confirm the VLAN is working:

  • Connect a test VM or phone to the guest network
  • Try to ping a device on your main LAN
  • It should fail

You should also be blocked from accessing the UniFi gateway’s management interface.

Custom zone (if you don’t want Hotspot)

You can skip the Hotspot zone and create your own custom firewall zone.

  1. Go to Settings > Security > Zones
  2. Create a new zone called Guest
  3. Move your guest VLAN network into this zone

By default, UniFi blocks all inter-zone traffic. So this still isolates your guests, but without the portal.

To block management access to the gateway, you’ll need to add a firewall rule:

  1. From: Guest zone
  2. To: Gateway
  3. Ports: 22 (SSH), 80 (HTTP), 443 (HTTPS)
  4. Action: Block

Create a new object for these ports and apply the policy.

Bonus: Set guest speed limits

You can throttle guest bandwidth per device:

  1. Go to Settings > Wi-Fi > Guest network
  2. Scroll to Wi-Fi Speed Limit
  3. Create a new profile (e.g. 50 Mbps down, 50 Mbps up)
  4. Apply it

This applies per client—not per network—so everyone gets their own cap.

Final Thoughts

If you only have UniFi APs and a controller, you can enable basic isolation. But it’s not secure. Anyone on your guest Wi-Fi can still reach wired devices unless you add a gateway and VLANs. Using a UniFi gateway with the Hotspot zone is the easiest way to isolate traffic without writing custom firewall rules. It blocks internal traffic, supports landing pages, and still lets guests access the internet.

We provide managed UniFi hosting, so we’ve seen both setups in the wild. If you need a secure guest network but don’t want to self-host, you can run your UniFi controller on UniHosted and still get full VLAN and firewall support with your gateway.

If you would like me to personally walk you through UniHosted, you can schedule a call with me here.

We host UniFi Controllers in the Cloud

Are you ready to take your UniFi Network to the next level? Deploy a UniFi Cloud Controller in minutes and manage your network from anywhere.

Deploy Now

Free tier available

Get the best support

Join 1660+ customers

No credit card required