Guest WiFi Help

Intrepid · February 2, 2018, 2:17pm

Using a Balance 305, SD Switch and Enterprise APs…

What is the best way to allow guest wifi users access to the internet but isolate them from the other devices on the newtork? VLAN, subnet…?

We are new to larger deployments like this and would appreciate any constructive help/feedback.

Thanks in advance.

MartinLangmaid · February 2, 2018, 4:58pm

Create a new VLAN/Subnet, untick inter VLAN routing. assign the Guest Wifi SSID to it.
Then consider setting up a captive portal to restrict usage by time / data.

Don_Ferrario · February 2, 2018, 5:32pm

Assuming these are Peplink APs, I use the Guest Protect option in the SSID. You have to click on the question mark inside the SSID setup which causes the fields to display. We have multiple LANs connected by PepVPN. For the Guest SSID I list all the LANs on the Guest Protect list, and also check “block PepVPN.”

Martin, is my method any more or less secure than using a separate VLAN?

scuba_steve · February 2, 2018, 5:38pm

I use Martin’s VLAN approach, which works well because I also have the wired jack in the guest room on the same VLAN as that guest SSID.

barthold · November 24, 2018, 8:19pm

I found that, in order to fully isolate a guest wifi network on my balance One, I need to do two things:

disabling inter-vlan routing in the VLAN network setup
If you use PepVPN an internal firewall rule to disallow access from the Guest vlan to the other vlan(s) on the other side of the PepPVN tunnel. Note vlans count as internal traffic for the firewall.

Barthold