UniFi Guest Network and Captive Portal Done Properly
What a UniFi guest network actually isolates, why the captive portal is presentation not security, and the settings that separate a real guest network from a second SSID with no protection.
A “guest network” on UniFi is one of the most misconfigured things in home and small-office networking, because the name oversells it. People create a second SSID called “Guest,” hand out the password, and assume visitors are now walled off. They usually aren’t. This guide separates what a UniFi guest network genuinely does from what people think it does, and what to actually turn on.
A separate SSID is not isolation
The single most important idea: an SSID is just a network name. It is not a security boundary by itself. Creating a second SSID called “Guest” on the same network/VLAN as everything else gives guests a different password and zero isolation — they’re on the same Layer 2 segment as your computers, NAS, and cameras. They can reach those devices exactly as if they were on your main Wi-Fi.
Real guest isolation comes from two mechanisms working together:
- Putting guests on their own network/VLAN, separated from trusted devices by the gateway’s routing and firewall (the same principle as full VLAN segmentation).
- Client/guest isolation, which stops guest devices from reaching each other on that guest network too.
Without the first, “Guest” is cosmetic. Without the second, one guest device can see another guest device. You want both.
What UniFi’s Guest network type gives you
UniFi has an explicit Guest network/SSID type, and choosing it is meaningfully different from just making another normal SSID. The Guest type is built to enforce the isolation people assume any “guest” network has:
- Guest devices are blocked from reaching private network ranges by default. The intent of the Guest type is internet access for visitors without lateral access into your internal networks.
- Client isolation keeps guest devices from talking to one another.
- The captive portal can be attached to it (more on what that is, and isn’t, below).
The takeaway: if you want a guest network, use UniFi’s Guest network/SSID type rather than rolling your own from a standard SSID and hoping. The Guest type exists precisely so the isolation is enforced by design instead of by you remembering to add every firewall rule yourself.
The captive portal is presentation, not protection
The captive portal — the splash/login page a guest sees before getting online — is the part people most overestimate. Be clear-eyed about it:
What the captive portal is for: presenting terms of use, branding, an acceptable-use notice, optionally a simple password or voucher, and gating internet access until the visitor acknowledges it. It’s the lobby sign and the front desk.
What the captive portal is not: it is not what isolates guests from your internal network. Isolation is done by the Guest network type and VLAN/firewall separation, not by the portal page. A beautiful portal in front of a guest SSID that shares a VLAN with your computers is lipstick on an open network. Conversely, a properly isolated Guest network is safe even with no portal at all.
So decide on the portal on its own merits — do you want a terms screen, vouchers, time limits, simple branding for a café or office lobby? Use it for that. Do not treat enabling the portal as “now my guests are secured.” Those are unrelated layers, and conflating them is the core mistake here.
Voucher and access controls: scope them to the use case
UniFi’s guest features include options like voucher-based access, expiration/time limits, and bandwidth limits. Match them to why you have a guest network:
- Home: usually you just want isolation and maybe a simple shared password. Vouchers and per-user time limits are often overkill. The win is the isolation, not the ceremony.
- Café / retail / lobby: a portal with terms, possibly time-limited or voucher access, and a sane per-client bandwidth cap so a few guests don’t saturate the line for everyone (including your point-of-sale and back-office traffic).
- Office with visitors: isolated guest SSID so contractors and visitors get internet without touching internal resources; a portal with an acceptable-use notice is reasonable; keep it separate from any staff network.
Add controls because a specific need calls for them, not because the options exist. Every extra mechanism is something to maintain and something that can lock out a legitimate guest.
Bandwidth limits keep guests from starving the business
One control that’s genuinely worth setting in shared environments: a per-client (or per-guest-network) bandwidth limit. Without it, a single guest doing a large download can degrade the connection for everyone, including traffic you care about more than a visitor’s download. A modest cap per guest client is usually invisible to normal browsing and prevents one guest from monopolizing the uplink. In a home with occasional guests this matters less; in any business it’s close to mandatory.
Don’t forget the things guests still need to reach
Lock a guest network down too hard and you create support calls:
- Guests still need DHCP and DNS for that guest network (typically served by the gateway for that segment). Isolation must not block address assignment and name resolution, or “the Wi-Fi doesn’t work.”
- The portal itself must be reachable before the client is “authorized,” or the splash page can’t load and nobody can get past it.
- Guests should not reach the gateway’s admin interface or the controller. Internet yes; your management plane no. The Guest network type’s default posture handles this; don’t undo it with a careless allow rule.
A guest network that’s actually a guest network
- Use UniFi’s Guest network/SSID type — not a second standard SSID you intend to “secure later.”
- Put it on its own network/VLAN so separation is enforced by routing and firewall, the same way trusted/IoT are split.
- Enable client/guest isolation so guests can’t see each other, not just so they can’t see you.
- Treat the captive portal as branding and terms, scoped to your use case (home vs café vs office) — never as the thing providing isolation.
- Set a per-client bandwidth limit anywhere the line is shared with traffic that matters.
- Verify guests can still get DHCP/DNS and the portal, and verify they cannot reach your LAN, the gateway admin, or the controller.
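The “things guests still need to reach” list and the verify step above can be written down as a testable policy. The following is an added example, not code from this guide or from UniFi: it models the guest posture described here (DHCP/DNS and the portal allowed, guest-to-guest, private ranges and the management plane denied, internet only after portal authorization) as a first-match rule list and runs the checklist flows against it. The addresses, subnets and management ports are constructed assumptions for the model; real deployments should substitute their own.

```python
import ipaddress
# Constructed addressing for this example: guest VLAN 192.168.50.0/24 with the
# gateway at .1, trusted LAN 192.168.10.0/24. The rule list is an illustrative
# model of the posture the guide describes, not UniFi's own rule syntax/defaults.
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
GATEWAY = ipaddress.ip_address("192.168.50.1")
PORTAL_PORTS = {80, 443}  # assumed: splash page served by the gateway on these
MGMT_PORTS = {22, 8443}   # assumed: admin/controller ports; use your real ones
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def guest_policy(src, dst, proto, dport, authorized):
    """First-match evaluation of one guest flow: 'allow' or 'deny'. Rule order is
    the point: per-segment allows precede the private-range block, and the
    management deny precedes the portal allow, since both target the gateway."""
    if ipaddress.ip_address(src) not in GUEST_NET: raise ValueError("guest-segment sources only")
    dst = ipaddress.ip_address(dst)
    rules = [
        # DHCP: broadcast discover and unicast renew both use UDP/67
        (proto == "udp" and dport == 67, "allow"),
        # client isolation: guest-to-guest traffic is denied outright
        (dst in GUEST_NET and dst != GATEWAY, "deny"),
        # management plane on the gateway is never reachable from guests
        (dst == GATEWAY and proto == "tcp" and dport in MGMT_PORTS, "deny"),
        # DNS for this segment is served by the gateway
        (dst == GATEWAY and proto == "udp" and dport == 53, "allow"),
        # the captive portal must load before the client is authorized
        (dst == GATEWAY and proto == "tcp" and dport in PORTAL_PORTS, "allow"),
        # no lateral access into any private range (trusted LAN, IoT, controller)
        (any(dst in n for n in RFC1918), "deny"),
        # internet only once the portal has marked the client authorized
        (bool(authorized), "allow"),
    ]
    for matched, verdict in rules:
        if matched:
            return verdict
    return "deny"

def verify_guest_checklist(client="192.168.50.20"):
    """The guide's verify step expressed as flows; returns {check: passed}."""
    p = lambda dst, proto, port, auth: guest_policy(client, dst, proto, port, auth)
    return {
        "dhcp discover works":         p("255.255.255.255", "udp", 67, False) == "allow",
        "dns to gateway works":        p("192.168.50.1", "udp", 53, False) == "allow",
        "portal loads before auth":    p("192.168.50.1", "tcp", 80, False) == "allow",
        "internet held until auth":    p("203.0.113.10", "tcp", 443, False) == "deny",
        "internet allowed after auth": p("203.0.113.10", "tcp", 443, True) == "allow",
        "no guest-to-guest":           p("192.168.50.21", "tcp", 445, True) == "deny",
        "no trusted lan":              p("192.168.10.40", "tcp", 445, True) == "deny",
        "no controller":               p("192.168.10.5", "tcp", 8443, True) == "deny",
        "no gateway admin":            p("192.168.50.1", "tcp", 8443, True) == "deny",
    }
```

Reordering the rules (for example moving the private-range deny above the DNS allow) makes the checklist fail in exactly the way the guide warns about: guests are isolated but “the Wi-Fi doesn’t work.”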
Done this way, a guest network is genuinely a guest network: visitors get the internet, your internal devices stay invisible to them, and one guest can’t snoop another. Done as “a second SSID with a nice login page,” it’s an open door with good signage. For the segmentation model this builds on, see VLAN segmentation and the rest of our UniFi guides.