
setting up vlan for guests in ubiquiti networks

When you want to hand out Wi‑Fi access to guests, you don’t want them wandering around your main network. Printers, file shares, security cameras, no thanks. A guest VLAN keeps all that separate. It’s like giving guests keys to an entrance hall, not your whole house.

This post walks you through everything: from creating a guest VLAN to testing, and even setting up a captive portal. And we’ll keep it casual and straightforward, like a chat, not a manual.

Let's dive in!


Before we dive in, please don't self-host your UniFi Controller if you take care of client networks. Sooner or later this will cause issues! It's fine for home users, but definitely not recommended for IT service businesses and MSPs. If you want a secure, reliable and scalable hosting solution, check out UniHosted.

why guest isolation matters

Imagine you’re in a coffee shop. Guests connect, browse the web, and that’s fine. But if their traffic isn’t isolated, they might accidentally reach internal resources, maybe your NAS or printer. Worse, if a malicious actor connects, they could scan your devices. Not ideal.

With a guest VLAN, you assign all guest traffic to a separate network segment. They can access the internet, but nothing else. That’s clean and safe. UniFi controllers make this pretty easy with built‑in VLAN support and guest network features.

what you’ll need

Before diving in, make sure you have:

  • A UniFi controller: this could be a Cloud Key, Dream Machine, UniFi OS Console, or a cloud‑hosted controller.
  • One or more UniFi access points.
  • If you need wired guest access, a UniFi switch.
  • A UniFi gateway (USG, UDM, UDM‑SE, or similar) for routing and firewall control.
  • The controller should be online and accessible, whether you’re hosting it yourself or using a service.

If you’re hosting your controller in the cloud (say, with us at UniHosted), you just log in and configure. We handle the server end.

step 1: create a guest VLAN network

Log into your UniFi Controller, then:

  1. Go to Settings → Networks.
  2. Click Create New Network.
  3. For Name, use something clear, like Guest VLAN.
  4. Set Purpose to Guest—that will auto‑apply firewall restrictions.
  5. Pick a VLAN ID: let’s use 20.
  6. Under Gateway IP/Subnet, set something like 192.168.20.1/24.
  7. Keep DHCP enabled unless you have another DHCP server.
  8. Click Save.

You’ve just created a logically separate network. Easy.

step 2: set up the guest Wi‑Fi

Now link that VLAN to an SSID:

  1. In the controller, go to Settings → Wi‑Fi.
  2. Click Create New Wi‑Fi Network.
  3. Use a guest‑friendly name like Guest‑Wi-Fi.
  4. Decide whether to secure it with a password or leave it open for captive portal.
  5. Expand Advanced settings.
  6. Enable Use VLAN, enter 20.
  7. Toggle on Guest Network: this adds firewall rules to block LAN.
  8. Save.

That SSID now funnels traffic into VLAN 20, isolated from your main networks.

step 3: configure switch ports (if needed)

If guests might plug in:

  • Go to Devices → select your UniFi switch.
  • Click on the port you want (or multiple).
  • Change Port Profile:

    • For a trunk port (carries guest VLAN + others), tag VLAN 20.
    • For a port only for guests, set that as Native/Access on VLAN 20.

If there’s no profile already:

  • Go to Settings → Profiles → Switch Ports.
  • Create a profile—name it “Guest VLAN 20” or similar.
  • Add VLAN 20 in “VLANs” section, choose Tagged or Untagged correctly.
  • Save.

Then go back to the device and assign that new profile.

step 4: test your guest network

Grab a phone or laptop and connect:

  1. Join Guest‑Wi-Fi.
  2. Check your IP: it should be something like 192.168.20.x.
  3. Try to access the internet: it should work.
  4. Try to ping or browse your main network (e.g., printers or NAS): it should fail.

If you get an IP and internet but no LAN access, success.
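The same checks can be scripted and run from a laptop joined to the guest SSID. This is an added example, not part of the original post; the main LAN subnet 192.168.1.0/24 and the target hosts and ports are constructed placeholders to replace with your own devices.

```python
import ipaddress
import socket

GUEST_NET = ipaddress.ip_network("192.168.20.0/24")  # subnet from step 1
# Constructed sample targets on an assumed main LAN (192.168.1.0/24):
# a file share, a printer, and the gateway's LAN-side web UI.
LAN_TARGETS = [("192.168.1.10", 445), ("192.168.1.20", 9100), ("192.168.1.1", 443)]
INTERNET_TARGET = ("1.1.1.1", 443)  # any public host answering on TCP 443


def tcp_probe(host, port, timeout=2.0):
    """True if the host answered: connection accepted or actively refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except ConnectionRefusedError:
        # A reset came back, so packets reached something: the port is closed
        # but the path is open (a firewall rejecting with TCP reset looks the same).
        return True
    except OSError:
        return False  # timeout or unreachable: traffic was dropped


def local_ip():
    """Address of the interface used for outbound traffic."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect(("192.0.2.1", 9))  # UDP connect sends no packets
        return s.getsockname()[0]


def check_guest_isolation(client_ip, probe=tcp_probe):
    """Run the step 4 checks and return a list of failure descriptions."""
    failures = []
    if ipaddress.ip_address(client_ip) not in GUEST_NET:
        failures.append(f"client IP {client_ip} is not in {GUEST_NET}")
    if not probe(*INTERNET_TARGET):
        failures.append("no internet access from guest network")
    for host, port in LAN_TARGETS:
        if probe(host, port):
            failures.append(f"LAN host {host}:{port} is reachable from guest")
    return failures


if __name__ == "__main__":
    problems = check_guest_isolation(local_ip())
    for p in problems:
        print("FAIL:", p)
    print("guest isolation OK" if not problems else f"{len(problems)} problem(s)")
```

An empty result means the client got a guest address, reached the internet, and every LAN probe timed out.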

step 5: optionally enable a captive portal

If you want a splash page or login:

  1. Go to Settings → Guest Control.
  2. Enable Guest Portal.
  3. Choose from:
    • Simple password (one-time, static).
    • Voucher-based access.
    • Social login (Facebook, etc.).
    • No authentication (just show splash).
  4. Customize the splash page if desired.
  5. Save.

Guests now land on a page before they get full access, good for cafés or shared spaces.

step 6: review firewall rules

Under the hood, UniFi adds firewall rules for guest networks:

  • Block VLAN 20 → VLAN 1 (or your LAN).
  • Allow VLAN 20 → WAN (Internet).

To view or customize:

  1. In the controller, go to Settings → Firewall & Security (or similarly named).
  2. Look under “Guest-to-LAN” or “LAN IN”.
  3. You can edit or add rules, e.g., allow guests to reach certain services (like a captive portal server).

Just be careful, making it too open can defeat the isolation.
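To see how an exception can undo the block, here is an added example (not from the original post) that audits an ordered rule list for accept rules that open the LAN to guests ahead of the block rule. The rule format is a simplified, hypothetical model rather than a UniFi export, and it assumes top-down, first-match evaluation and a main LAN of 192.168.1.0/24.

```python
import ipaddress

GUEST = ipaddress.ip_network("192.168.20.0/24")  # guest VLAN 20 from step 1
LAN = ipaddress.ip_network("192.168.1.0/24")     # assumed main LAN subnet

# Constructed rules in a simplified, hypothetical format (not a UniFi export).
# Assumption: rules are evaluated top-down and the first match wins.
RULES = [
    {"name": "allow portal", "action": "accept", "src": "192.168.20.0/24",
     "dst": "192.168.1.5/32", "port": 443},
    {"name": "allow printing", "action": "accept", "src": "192.168.20.0/24",
     "dst": "192.168.1.0/24", "port": None},  # too broad: whole LAN, any port
    {"name": "block guest to LAN", "action": "drop", "src": "192.168.20.0/24",
     "dst": "192.168.1.0/24", "port": None},
    {"name": "allow guest to WAN", "action": "accept", "src": "192.168.20.0/24",
     "dst": "0.0.0.0/0", "port": None},
]


def audit_guest_rules(rules, max_hosts=1):
    """List accept rules that expose the LAN to guests ahead of the block rule."""
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if not src.overlaps(GUEST) or not dst.overlaps(LAN):
            continue  # rule does not concern guest-to-LAN traffic
        if rule["action"] == "drop":
            if GUEST.subnet_of(src) and LAN.subnet_of(dst) and rule["port"] is None:
                return findings  # full block reached: later rules cannot leak
            continue
        # Accept rule evaluated before the block: how much of the LAN does it open?
        exposed = dst.num_addresses if dst.subnet_of(LAN) else LAN.num_addresses
        if rule["port"] is None:
            findings.append((rule["name"], f"all ports to {exposed} LAN address(es)"))
        elif exposed > max_hosts:
            findings.append((rule["name"], f"port {rule['port']} to {exposed} LAN addresses"))
    findings.append(("(end of rules)", "nothing drops all guest-to-LAN traffic"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_guest_rules(RULES):
        print(f"REVIEW {name}: {reason}")
```

The single-host, single-port portal exception passes, while the any-port rule is flagged; an "allow to WAN" rule written as destination "any" is flagged too if it sits above the block, since "any" includes the LAN.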

step 7: optional QoS or bandwidth limits

If you want to restrict guest bandwidth:

  1. Go to Settings → Profiles → Wi‑Fi.
  2. Edit your guest SSID profile.
  3. Enable Advanced bandwidth settings.
  4. Set max upload/download per client.

Or use Firewall → Groups → Traffic Shaping to control at VLAN level.

troubleshooting guide

Here are some quick checks if things go sideways:

“Can’t get an IP on the guest SSID”

  • Ensure the controller is running and DHCP is enabled for VLAN 20.
  • Check switch or AP port settings, VLAN might not be tagged/untagged correctly.

“No internet, but IP assigned”

  • Verify gateway IP: 192.168.20.1 (or your setup).
  • Check firewall: ensure VLAN 20 → WAN is allowed in Rules.
  • Confirm gateway device has route for VLAN 20.

“Guest devices can see printers”

  • Guest VLAN may not be treated as a guest network. Ensure “Guest Network” is active on SSID.
  • Or explicitly add a firewall rule to block VLAN 20 → VLAN 1.

“Captive portal not showing”

  • Make sure the SSID is set as Guest Network.
  • Ensure Guest Portal is enabled under Guest Control.
  • Check splash server (cloud-hosted controller needs internet).

wrapping it up

Setting up a guest VLAN in UniFi is quick:

  1. Create VLAN (e.g., 20 with DHCP).
  2. Create guest SSID tied to VLAN 20.
  3. Configure switch/AP ports accordingly.
  4. Test connectivity and isolation.
  5. Optionally add captive portal and bandwidth controls.

This setup keeps guest devices off your main network while giving them internet access. It’s secure, tidy, and straightforward.

final thoughts

You’ve now got a guest VLAN in place that does its job quietly and reliably. For most setups—homes, offices, shops—that’s all you need. If you want more visibility or multi-site control, using a hosted controller is ideal. You focus on the network; we handle the uptime, backups, updates, and security backend. That’s what we do at UniHosted, and it makes life easier when managing multiple sites or relocating.

Once you test and confirm everything, drop in a summary of your current setup: VLAN ID, IP range, SSID name, captive portal settings. That makes it easy to reference later, or hand off to someone else.

conclusion

So there you have it: guest VLANs in UniFi, done right. It’s quick to set up, and the result is a network that stays organized and secure without extra effort. If you ever want this broken down by screenshots or multi‑location automation, just say the word. And if you're already thinking about managing multiple controllers or want someone else to handle the hosting, we’ve got that covered too.