Segmented guest wifi

An initial stab at it

One of the things I’d like to do with the Unifi Dream Machine I have sitting in my living room is to enable some kind of guest wifi that has zero access to any of the internal systems I’ve been setting up. The long-term goal might actually be to segment as much as possible across separate VLANs, but let’s dip our toes into the water first.

I’m aware of VLANs. I’ve monitored them, detected them, indexed them, but I’ve never actually set one up. I browse over to unifi.home.lan, create a new wifi network, apply a VLAN ID to it, enable Guest Policies and wonder whether it’s really that simple. After all, Unifi’s interface seems to suggest it is:

Apply guest policies to this network, including hotspot authentication, hostname restrictions, and subnet restrictions

Double-checking the guest policies configuration page, post-authorization restrictions seem pretty clear:

Restrict guests from accessing specific hostnames or subnets after they have authorized

And yet, nothing.

I’m not overly concerned about breaking things, as one of the steps I took last week was to synchronize backups into FreeNAS, so I can always restore from a functioning state. At worst, I’m going to make my wifi non-functional for 10 minutes while I restore from backups. Best to do this work while everyone else is asleep.

Documentation, community support

If the process for enabling this isn’t as straightforward as I had hoped, the next step is to go diving into the documentation. Reading over Unifi’s documentation on creating a guest network suggests that what I’ve done is sufficient. Looking around in the forums, I find posts about similar issues, but nothing recently.

Perhaps a bug was recently introduced? If that’s the case, I worry about the stability of the product and whether or not a UDM was a hasty decision. I’ve certainly run across other bugs in the UI (e.g. old clients not disappearing from the clients page until the UDM is rebooted), but I don’t want to jump to conclusions.

I make a post of my own and continue hunting. Community support is really hit or miss.

Try to be verbose enough to include all the relevant details, but also concise enough that you get to the point before folks start skimming. If I had more time, I’d have written a shorter post.

The solution

Eventually I found the solution on Server Side Up’s YouTube channel while trying to watch others implement the same feature. In short, one also needs to create a separate LAN, specify Network Purpose: Guest, and apply the Wifi Network to this guest LAN. I’m honestly unclear why Unifi’s documentation fails to mention this, but I’ve updated my forum post with hopes that it helps others in the future.
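Once the guest LAN is in place, the thing worth checking is that a client on the guest wifi really cannot reach the internal systems. The script below is an added example, not part of the original post or of Unifi’s tooling: run it from a device joined to the guest network and it attempts a plain TCP connect to each internal service in the list, then reports any that answered. From the guest VLAN the failure list should be empty; unifi.home.lan comes from the post, while the other addresses and ports are constructed placeholders to replace with your own.

```python
import socket
from typing import Dict, Iterable, List, Tuple

Target = Tuple[str, int]

# Constructed sample of internal services a guest client must NOT be able to reach.
# unifi.home.lan is the controller named in the post; the other entries are
# hypothetical placeholders for your own hosts.
INTERNAL_TARGETS: List[Target] = [
    ("unifi.home.lan", 443),   # UDM controller UI
    ("192.168.1.10", 445),     # hypothetical NAS, SMB
    ("192.168.1.1", 22),       # hypothetical gateway, SSH
]


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes.

    Any OSError (refused, timed out, unreachable, or a name that does not
    resolve from the guest VLAN) counts as 'blocked', which is the desired
    outcome for every entry in INTERNAL_TARGETS.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probes(targets: Iterable[Target], timeout: float = 2.0) -> Dict[Target, bool]:
    """Probe each target once and map it to whether it was reachable."""
    return {(host, port): probe_tcp(host, port, timeout) for host, port in targets}


def isolation_failures(results: Dict[Target, bool]) -> List[Target]:
    """Targets that answered. From a correctly isolated guest network this is empty."""
    return sorted(target for target, reachable in results.items() if reachable)


def report(results: Dict[Target, bool]) -> str:
    """Human-readable summary: one line per target plus a verdict."""
    lines = []
    for (host, port), reachable in sorted(results.items()):
        status = "FAIL reachable" if reachable else "ok   blocked"
        lines.append(f"{status}  {host}:{port}")
    failures = isolation_failures(results)
    verdict = ("guest isolation OK" if not failures
               else f"guest isolation BROKEN: {len(failures)} internal service(s) reachable")
    lines.append(verdict)
    return "\n".join(lines)


if __name__ == "__main__":
    # Run this from a client on the guest wifi, not from the trusted LAN
    # (where every target is expected to be reachable).
    print(report(run_probes(INTERNAL_TARGETS)))
```

Run it once from the trusted LAN to confirm the targets are actually up (everything should report reachable), then again from the guest wifi, where everything should report blocked; a target that is blocked in both runs tells you nothing about the guest policy.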

The result at the end of the day is that I now have guest wifi and can keep untrusted hardware from accessing the rest of my network. I might even make a QR code and print it onto a coaster or into a picture frame.
