How to Set Up a Guest WiFi Network in UniFi

Running a single shared Wi-Fi network for everyone who visits your home — or for all the devices on your network — is one of the most common mistakes people make when it comes to home network security. A guest Wi-Fi setup in UniFi takes about ten minutes to configure properly and gives you proper network segmentation without the complexity of managing it all manually. This guide covers how to do it right: a separate SSID, client isolation, bandwidth limits, and an optional captive portal for a more polished experience.

Why Bother With a Guest Network?

When a visitor connects to your main Wi-Fi, they’re on the same network as your laptops, NAS drives, smart home devices, and anything else you have connected. A poorly secured guest device — or a deliberately malicious one — can probe and potentially access those resources. A guest network places visitors on a separate, isolated segment so they get internet access without being able to touch anything on your main LAN.

This also applies to IoT devices. Smart TVs, robot hoovers, and cheap smart plugs are notoriously poorly maintained from a security standpoint. Keeping them on a separate SSID limits the blast radius if one of them is ever compromised. More on IoT isolation at the end of this guide.

For a broader look at home network segmentation, see our UniFi home network guide and our post on how to secure your home network.

Step 1: Create a Guest Network (VLAN)

The guest SSID needs its own network — essentially a separate VLAN with its own subnet and DHCP pool, so guest traffic is entirely separate from your main LAN at layer 3.

1. Log in to your UniFi Network controller at https://192.168.1.1 (or via unifi.ui.com if using cloud access)
2. Go to Settings > Networks
3. Click Add New Network
4. Give it a name — “Guest” works fine
5. Set the VLAN ID — something like 20 or 30 is conventional for guest networks
6. Set the Host Address to something distinct from your main LAN — e.g. 192.168.20.1 if your main LAN is on 192.168.1.x
7. Leave DHCP enabled — UniFi will hand out addresses automatically in the 192.168.20.x range
8. Enable the Guest Network toggle — this is important. It activates firewall rules that prevent guests from reaching your main LAN while still allowing internet access
9. Click Add Network

The “Guest Network” toggle is doing a lot of work here. When enabled, UniFi automatically applies isolation rules at the firewall level — guests can reach the internet but cannot initiate connections to devices on other networks (including your main LAN). You don’t need to write manual firewall rules for this basic case.

Step 2: Create the Guest SSID

Now create the wireless network that guests will connect to:

1. Go to Settings > WiFi
2. Click Add New WiFi Network
3. Enter an SSID name — something friendly like “Smith-Guest” or “Visitor WiFi”
4. Set a password (or leave open if you prefer, though a password is recommended)
5. Under Network, select the Guest network you just created
6. Click Add WiFi Network

The SSID is now broadcasting and any device that connects will be placed in the guest VLAN automatically.

Step 3: Enable Client Isolation

Client isolation prevents guest devices from communicating with each other on the wireless network — not just from reaching your main LAN, but also from seeing other guest devices. This is good practice for public-facing or shared Wi-Fi.

1. Go to Settings > WiFi
2. Click on your guest SSID to open its settings
3. Scroll to the Advanced section (you may need to toggle “Advanced” on)
4. Enable Client Device Isolation
5. Save the changes

With this enabled, devices on the guest network cannot see or communicate with each other — each client is isolated to a direct path to the gateway only.

Step 4: Set Bandwidth Limits

If you want to prevent a guest from saturating your broadband connection, UniFi lets you cap upload and download speeds per client on a given SSID.

1. In the guest SSID settings, scroll to the WiFi Speed Limit section
2. Enable the speed limit toggle
3. Set a reasonable cap — for example, 20 Mbps down / 5 Mbps up gives a guest a usable connection without impacting your own usage on a typical UK fibre line
4. Save

These limits apply per connected device, not in aggregate — so if you have five guests connected simultaneously, each gets the capped rate independently. Keep that in mind if you’re on a slower connection.

Step 5: Optional — Add a Captive Portal

A captive portal shows a landing page when a guest first connects — useful if you want to display terms of use, require a click-through acceptance, or add a layer of friction to casual connections.

1. Go to Settings > Hotspot Manager (in newer firmware this may be under Settings > Guest Portal)
2. Click Create Portal
3. Choose a portal type — “Simple Password” or “Click-Through” are the most common for home use
4. Customise the portal page — you can add a logo, a welcome message, and terms text
5. Assign the portal to your Guest network
6. Save

Once active, any device connecting to the guest SSID will be redirected to your portal page before they can browse freely. The portal experience works best on devices that support captive portal detection (most modern phones and laptops do).

For most home setups, a captive portal is optional — the password on the SSID is sufficient friction. But if you run a small business from home or want a more formal setup, it’s a worthwhile addition.

Bonus: IoT Device Isolation

The same approach works brilliantly for IoT devices. Rather than connecting your smart TV, Alexa, robot hoover, and IP cameras to your main network, create a separate “IoT” SSID backed by its own VLAN. Enable the Guest Network toggle on that VLAN too, which prevents IoT devices from reaching your main LAN.

A typical home VLAN scheme might look like this:

Each of these gets its own SSID. Your phones, laptops, and trusted devices connect to the main LAN SSID. Smart home devices go on IoT. Visitors go on Guest. For a deeper look at building this structure, see our full guide on how to set up VLANs in UniFi.

Verifying It Works

After setting everything up, test it properly:

1. Connect a phone or laptop to the guest SSID
2. Check the IP address assigned — it should be in your guest subnet (e.g. 192.168.20.x), not your main LAN range
3. Try to access a device on your main LAN by IP (e.g. your router admin page at 192.168.1.1) — this should time out if isolation is working correctly
4. Confirm you can still browse the internet normally
5. In the UniFi dashboard, go to Clients and verify the guest device appears listed against the correct network

If the client can still reach your main LAN, double-check that the Guest Network toggle is enabled on the network in Settings > Networks. That single toggle is what activates the firewall isolation rules.

Summary

A properly configured guest network in UniFi is one of the most straightforward security improvements you can make to a home or small office setup. Ten minutes of configuration gets you a separate SSID with its own subnet, automatic firewall isolation, optional bandwidth limits, and the option to add a portal. If you haven’t already set up your UniFi network, start with our guide on how to set up a UniFi network from scratch — then come back here once your access points are adopted and online.