How to Set Up a Secure UniFi Guest Wi-Fi Network

Why You Need a Guest Wi-Fi Network

Providing internet access to visitors without compromising your network security is crucial. A properly configured guest network ensures:

  • Network Isolation: Guest devices cannot access your internal resources (NAS, printers, security cameras, file servers)
  • Security Protection: Prevents malware on guest devices from spreading to your network
  • Bandwidth Control: Limits guest usage so your primary network maintains performance
  • Management Safety: Blocks guests from accessing your gateway/router management interface

This tutorial covers three methods to set up a secure guest Wi-Fi network, from basic to advanced.


Method 1: Basic Setup with Access Point Only (No Gateway)

Best for: Small setups with only UniFi Access Points, no UniFi Gateway

Step 1: Create a New Wi-Fi Network

  1. Open the UniFi Network mobile app or web interface
  2. Navigate to Settings → WiFi
  3. Click Create New Wi-Fi Network
  4. Configure the following:
    • Name: Guest WiFi (or your preferred name)
    • Password: Set a secure password
    • Security: WPA2 or WPA3

Step 2: Enable Client Device Isolation

  1. In the Wi-Fi network settings, find Advanced Settings
  2. Toggle Client Device Isolation to ON
  3. This prevents connected devices from communicating with each other

Step 3: Test the Setup

  1. Connect a device to the Guest Wi-Fi network
  2. Try accessing:
    • Other devices on your network (should fail)
    • The internet (should work)

Limitations of This Method

⚠️ Important: Client Device Isolation only prevents guest-to-guest communication. It does NOT block access to:

  • Your main network (LAN)
  • Network resources (NAS, printers)
  • Gateway management interface

For true network isolation, use Method 2 or 3.


Method 2: Guest Network with UniFi Gateway + VLAN

Best for: Most users with a UniFi Gateway (UDM, UDM Pro, UDR, etc.)

Step 1: Create a VLAN for Guest Network

  1. Go to Settings → Networks
  2. Click Create New Network
  3. Configure:
    • Name: Guest VLAN
    • Purpose: Guest Hotspot (this is important!)
    • VLAN ID: Choose an ID (e.g., 100)
    • Gateway IP: Auto-configure or set manually (e.g., 192.168.100.1/24)
    • DNS: Auto or specify custom DNS servers

Step 2: Assign Wi-Fi Network to the VLAN

  1. Go to Settings → WiFi
  2. Create a new Wi-Fi network or edit existing:
    • Name: Guest WiFi
    • Network: Select Guest VLAN from dropdown
    • Security: WPA2/WPA3 with password

Step 3: Customize the Hotspot Portal (Optional)

  1. Go to Settings → Guest Hotspot
  2. Enable Guest Portal
  3. Choose authentication method:
    • Password: Simple password prompt
    • Voucher: Generate access codes
    • External Portal: Custom authentication
  4. Customize:
    • Portal title and logo
    • Terms of service
    • Expiration time

Step 4: Understanding the Hotspot Zone Firewall Rules

UniFi automatically creates firewall rules when you use "Guest Hotspot":

What gets blocked:

  • Access to private IP ranges (RFC1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • Guest-to-LAN communication
  • Access to your main network resources

What is allowed:

  • Internet access (port 80, 443)
  • DNS queries
  • NTP (time sync)

Step 5: Test Network Isolation

From a device on Guest Wi-Fi, try:

  1. Ping your gateway (ping 192.168.1.1) - Should time out
  2. Access your NAS - Should fail
  3. Access internet - Should work

Method 3: Creating a Custom Guest Zone

Best for: Advanced users who want full control over firewall rules

Step 1: Create a Custom Network (Not Hotspot)

  1. Go to Settings → Networks
  2. Click Create New Network
  3. Configure:
    • Name: Custom Guest
    • Purpose: Corporate or VLAN Only (NOT Guest Hotspot)
    • VLAN ID: Choose unique ID (e.g., 200)
    • Gateway IP: Set manually (e.g., 192.168.200.1/24)

Step 2: Create Custom Firewall Rules

Go to Settings → Firewall & Security → Firewall Rules

Rule 1: Block Access to LAN

  1. Click Create New Rule
  2. Configure:
    • Type: LAN Out
    • Name: Block Guest to LAN
    • Source: Network → Custom Guest
    • Destination: Network → LAN
    • Action: Drop

Rule 2: Block Gateway Management Ports

Create multiple rules to block access to gateway management:

Block SSH (Port 22):

  • Type: LAN Out
  • Source: Custom Guest
  • Destination: Gateway IP
  • Port: 22
  • Action: Drop

Block HTTP (Port 80):

  • Type: LAN Out
  • Source: Custom Guest
  • Destination: Gateway IP
  • Port: 80
  • Action: Drop

Block HTTPS (Port 443):

  • Type: LAN Out
  • Source: Custom Guest
  • Destination: Gateway IP
  • Port: 443
  • Action: Drop

Block UniFi Protocol (Port 8080):

  • Type: LAN Out
  • Source: Custom Guest
  • Destination: Gateway IP
  • Port: 8080
  • Action: Drop

Block UniFi STUN (Port 3478):

  • Type: LAN Out
  • Source: Custom Guest
  • Destination: Gateway IP
  • Port: 3478
  • Action: Drop
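
To see what the Method 3 rules cover before relying on them, the sketch below models them as a first-match list and audits the flows a guest must not reach. It is an added example, not UniFi's rule engine or code from the original tutorial; the subnets, the guest and NAS addresses, the default-accept policy, and the names `decide` and `audit` are assumptions, and the model ignores protocol and rule direction.

```python
import ipaddress

# Constructed addressing based on the examples in this tutorial (assumptions).
GUEST_NET = ipaddress.ip_network("192.168.200.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_GW = "192.168.200.1"          # gateway address on the guest VLAN
LAN_GW = "192.168.1.1"              # gateway address on the main LAN
MGMT_PORTS = (22, 80, 443, 8080, 3478)

# Simplified model of the Method 3 rules:
# (name, source network, destination network, port or None for any, action)
RULES = [("Block Guest to LAN", GUEST_NET, LAN_NET, None, "drop")]
RULES += [(f"Block gateway port {p}", GUEST_NET,
           ipaddress.ip_network(GUEST_GW + "/32"), p, "drop")
          for p in MGMT_PORTS]


def decide(rules, src, dst, port, default="accept"):
    """Return (action, rule name) for the first rule matching the flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net, rule_port, action in rules:
        if src in src_net and dst in dst_net and rule_port in (None, port):
            return action, name
    return default, "default"   # assumed policy when no rule matches


def audit(rules, guest_ip="192.168.200.50"):
    """Return the flows a guest must not reach that the rules still accept."""
    must_drop = [(GUEST_GW, p) for p in MGMT_PORTS]
    must_drop += [(LAN_GW, p) for p in MGMT_PORTS]
    must_drop.append(("192.168.1.100", 445))   # constructed NAS on the LAN
    return [(dst, port) for dst, port in must_drop
            if decide(rules, guest_ip, dst, port)[0] != "drop"]


if __name__ == "__main__":
    print("gaps, full rule set:", audit(RULES))
    # Rule 1 does not cover the guest VLAN's own gateway address, so dropping
    # one per-port rule reopens that port even though the LAN stays blocked.
    without_8080 = [r for r in RULES if r[3] != 8080]
    print("gaps, 8080 rule missing:", audit(without_8080))
    print("internet flow:", decide(RULES, "192.168.200.50", "1.1.1.1", 443))
```
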

Step 3: Create Wi-Fi Network for Custom Zone

  1. Go to Settings → WiFi
  2. Create new network:
    • Name: Custom Guest WiFi
    • Network: Select Custom Guest
    • Security: WPA2/WPA3

Advanced Configuration: Wi-Fi Speed Limits

Limit bandwidth for guest users to prevent them from consuming all your internet capacity.

Step 1: Create Bandwidth Profiles

  1. Go to Settings → Profiles
  2. Click Create New Bandwidth Profile
  3. Create profiles:
    • Name: Guest Download
    • Download: Set limit (e.g., 20 Mbps)
    • Upload: Set limit (e.g., 5 Mbps)

Step 2: Apply to Guest Network

  1. Go to Settings → WiFi
  2. Edit your Guest Wi-Fi network
  3. Under Advanced, set:
    • Bandwidth Profile: Select your created profile

Verification and Testing

After setup, always verify your configuration:

Test 1: Basic Connectivity

  • Connect to Guest Wi-Fi
  • Open a website (e.g., google.com) - Should work

Test 2: Network Isolation

  • Try accessing a device on your main network:
    # From a device on Guest Wi-Fi
    ping 192.168.1.100  # Your NAS or computer IP

    • Should time out or show "Destination unreachable"

Test 3: Gateway Management Access

  • Try accessing your gateway's web interface:
    http://192.168.1.1
    https://192.168.1.1
    
    • Should time out or show connection refused
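
Tests 2 and 3 can be repeated after every firewall change with a small script run from a device on the Guest Wi-Fi. This is an added example, not part of the original tutorial; the addresses, the NAS port, the internet target, and the names `probe_tcp` and `run_checks` are assumptions to adjust for your network.

```python
import socket

# Targets from this tutorial's tests; the LAN host, gateway address and the
# internet target are constructed examples. True = the connection should succeed.
CHECKS = [
    ("192.168.1.100", 445, False),   # NAS on the main LAN (port is an assumption)
    ("192.168.1.1", 22, False),      # gateway management ports
    ("192.168.1.1", 80, False),
    ("192.168.1.1", 443, False),
    ("192.168.1.1", 8080, False),
    ("1.1.1.1", 443, True),          # internet access should still work
]
# Port 3478 (STUN) normally runs over UDP, which a TCP connect does not exercise.


def probe_tcp(host, port, timeout=2.0):
    """Classify a TCP port as 'open', 'refused' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"        # host answered with a reset
        except OSError:
            return "filtered"       # timeout or unreachable: traffic was dropped


def run_checks(checks, probe=probe_tcp):
    """Return (host, port, state) for every check that contradicts its expectation."""
    failures = []
    for host, port, should_connect in checks:
        state = probe(host, port)
        if (state == "open") != should_connect:
            failures.append((host, port, state))
    return failures


if __name__ == "__main__":
    problems = run_checks(CHECKS)
    for host, port, state in problems:
        print(f"UNEXPECTED {host}:{port} is {state}")
    print("isolation OK" if not problems else f"{len(problems)} check(s) failed")
```
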

Test 4: Speed Limits

  • Run a speed test from a guest device
  • Verify it stays within configured limits

Best Practices Summary

  1. Always use VLANs for true network isolation
  2. Block gateway management access - Never allow guests to reach ports 22, 80, 443, 8080, 3478 on your gateway
  3. Set bandwidth limits - Protect your primary network performance
  4. Use WPA3 when possible - Better security than WPA2
  5. Regularly review firewall rules - Ensure no unintended access
  6. Change passwords periodically - Especially for long-term guest networks

Troubleshooting

Issue: Guests can't access internet

Solution: Check firewall rules aren't too restrictive. Ensure ports 53 (DNS), 80 (HTTP), and 443 (HTTPS) are allowed.

Issue: Guests can access LAN devices

Solution: Verify VLAN configuration and firewall rules. Make sure "Guest Hotspot" is selected as the network purpose.

Issue: Gateway accessible from guest network

Solution: Add explicit firewall rules to drop traffic to gateway IP on management ports.


Additional Resources

  • Video Tutorial: Watch the full video by UniHosted
  • Video Duration: 22 minutes 29 seconds
  • Need Help? UniHosted offers fully managed UniFi hosting with 24/7 support at unihosted.com