Configuring Guest Network on Ubiquiti AP

EXCellR8

Diamond Member
Sep 1, 2010
3,887
790
136
Shouldn't need help with this but for whatever reason I can't get it to work how I want. Basically, I connected a new AP on our office network but I wanted to have guests in the conference room be able to access the internet by connecting to it. Problem is, our DHCP server is a VM on the host server that also hosts all of our company and administrative files and records, which I want inaccessible.

So, shouldn't be a problem, but when I enable the guest network any connected devices cannot get online. Is there a simple way to securely restrict access to the file server but still be able to give clients IPs with the VM that's currently hosted by the root server? I removed all default values in the guest policy (which automatically gets applied when a guest network is enabled) and specified the subnet to allow, but it doesn't work...

Any suggestions? I have admin control over every device so I should be able to do this no problem.
 

ANetworkEngineer

Junior Member
Jan 4, 2018
3
0
1
Hi! This is my first post here, so hopefully it'll be good.

I am writing this post assuming that you have just one access point, for two networks (SSIDs).

With the Ubiquiti access point, for a decent Guest network you're going to want to combine it with a managed switch that allows 802.1Q VLANs. What this allows you to do is segregate the networks into their own virtual networks so that you can have a different subnet for each of your needs.

For example, you would have a subnet such as 10.0.1.0/24 for your company network, and then 10.0.2.0/24 for your guest network. What this means for your company is that Guests do not sit on the same network as your Company, thus preventing them from accessing other devices.

Note with this setup you would need to configure NAT (Network Address Translation) for any company servers you may want the Guest network to be able to access. You would also need to be running a DHCP server on both subnets (Company and Guest) so that clients connecting to each of them get their network information.

You would also require a router to sit on both networks (this can be done in a variety of ways such as trunking or individual connections) so that you can connect your devices to the LAN ready for WAN connections.

You can configure the VLANs then from within the UniFi controller. See the following screenshot:
 

mv2devnull

Golden Member
Apr 13, 2010
1,405
96
91
... you're going to want to combine it with a managed switch that allows 802.1Q VLANs. ...
In your scenario there is one AP with one wire, but two networks going through it.
If the other end of the wire is directly on the router, then a switch is not required.
If there are separate physical ports on the router for each network, or separate routers, then something in the middle (a switch) has to split the single VLAN trunk wire into separate wires.

In the case of separate AP's for each network, their wires either go to router(s) or to a switch and the wire between switch and router could be a VLAN trunk.


In any case the networks routed via a VM guest do not need to have any access to the VM host; the host is a member of the networks that it wants to be. It is up to the router to decide which networks can access the other networks.
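The two posts above describe the same design: one trunk from the AP, a tagged VLAN per SSID, a DHCP server per subnet, and a router that decides which subnet may reach which. The script below is an added example (not from the thread or from Ubiquiti) of that router role on a Linux box: it creates the VLAN sub-interfaces on the trunk port, serves DHCP to the guest VLAN only (the company VLAN keeps its existing DHCP VM, so guests never need to reach that VM), and loads an nftables policy that drops guest traffic to the company subnet while still letting the AP itself reach the UniFi controller's inform port. The interface names, VLAN IDs, subnets, AP MAC, controller address and the 8080 inform port are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: Linux router for one UniFi AP carrying a company SSID
# (VLAN 10, 10.0.1.0/24) and a guest SSID (VLAN 20, 10.0.2.0/24).
# Every name and address below is an assumption, not taken from the thread.
set -eu

WAN=eth0              # assumed uplink (may itself sit on the office LAN)
TRUNK=eth1            # assumed port where the AP's (or switch's) trunk lands
COMPANY_VID=10; COMPANY_NET=10.0.1.0/24; COMPANY_GW=10.0.1.1
GUEST_VID=20;   GUEST_NET=10.0.2.0/24;   GUEST_GW=10.0.2.1
AP_MAC=00:11:22:33:44:55   # assumed AP MAC, pinned to a fixed guest-VLAN lease
AP_IP=10.0.2.2
CONTROLLER=10.0.1.50       # assumed UniFi controller on the company LAN

# 802.1Q sub-interfaces: the single trunk wire becomes two routed networks.
vlan_commands() {
  cat <<EOF
ip link add link $TRUNK name $TRUNK.$COMPANY_VID type vlan id $COMPANY_VID
ip link add link $TRUNK name $TRUNK.$GUEST_VID type vlan id $GUEST_VID
ip addr add $COMPANY_GW/24 dev $TRUNK.$COMPANY_VID
ip addr add $GUEST_GW/24 dev $TRUNK.$GUEST_VID
ip link set $TRUNK up
ip link set $TRUNK.$COMPANY_VID up
ip link set $TRUNK.$GUEST_VID up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# DHCP for the guest VLAN only; the company VLAN keeps its own DHCP VM.
dnsmasq_config() {
  cat <<EOF
interface=$TRUNK.$GUEST_VID
bind-interfaces
dhcp-range=10.0.2.100,10.0.2.200,1h
dhcp-host=$AP_MAC,$AP_IP
EOF
}

# Forwarding policy. Guest -> company is dropped by destination subnet, not
# by output interface, so it still holds if $WAN is plugged into the office LAN.
nft_ruleset() {
  cat <<EOF
flush ruleset
table inet guest_fw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    iifname "$TRUNK.$COMPANY_VID" accept
    # guests may only talk to the router itself for DHCP and DNS
    iifname "$TRUNK.$GUEST_VID" udp dport { 67, 53 } accept
    iifname "$TRUNK.$GUEST_VID" tcp dport 53 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # only the AP, only to the controller, only the inform port
    iifname "$TRUNK.$GUEST_VID" ip saddr $AP_IP ip daddr $CONTROLLER tcp dport 8080 accept
    iifname "$TRUNK.$GUEST_VID" ip daddr $COMPANY_NET drop
    iifname "$TRUNK.$GUEST_VID" oifname "$WAN" accept
    iifname "$TRUNK.$COMPANY_VID" accept
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN" masquerade
  }
}
EOF
}

case "${1:-}" in
  apply)
    vlan_commands | sh -e
    dnsmasq_config > /etc/dnsmasq.d/guest-vlan.conf
    nft_ruleset | nft -f -
    ;;
  *)
    nft_ruleset   # default: print the policy for review without touching the box
    ;;
esac
```

Run it with no arguments to review the generated ruleset, and with `apply` as root to load it. Two things to check after loading: from a guest client, `10.0.1.0/24` must be unreachable while the internet works, and the AP must still reach the controller. Because UniFi's automatic discovery is a broadcast on the AP's own segment and does not cross the router, an AP on the guest VLAN is normally adopted by pointing it at the controller explicitly (the standard `set-inform http://<controller>:8080/inform` step over SSH), which is exactly the one flow the forward chain permits.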
 

ANetworkEngineer

Junior Member
Jan 4, 2018
3
0
1
In your scenario there is one AP with one wire, but two networks going through it.
If the other end of the wire is directly on the router, then a switch is not required.
If there are separate physical ports on the router for each network, or separate routers, then something in the middle (a switch) has to split the single VLAN trunk wire into separate wires.
Very good point. I completely skipped over the fact that a router could be the only thing it's connected to (as opposed to a switch).

In the case of separate AP's for each network, their wires either go to router(s) or to a switch and the wire between switch and router could be a VLAN trunk.
Definitely, however if I were to redesign my own home network, I would have utilised both APs for both networks and used trunking at my switch.
 

EXCellR8

Diamond Member
Sep 1, 2010
3,887
790
136
Thanks for the info, useful for my very limited knowledge of building reliable networks.

Yes, this AP is meant for strictly guest access.

So, the UniFi AP in question is wired into our utility room where it eventually gets connected to our gateway. Our server is set up the same way in another part of the office (cat5e is amply run throughout the building) but also hands out IP addresses for our internal network. I've got a second firewall set up in the utility room for guest access that's isolated from the rest of the network, so perhaps I'll just place it behind that one and manually assign it an IP.
 

sdifox

No Lifer
Sep 30, 2005
88,181
10,990
126
Yeah if you already have a guest network setup, just hook this AP to that network.
 

ANetworkEngineer

Junior Member
Jan 4, 2018
3
0
1
Thanks for the info, useful for my very limited knowledge of building reliable networks.

Yes, this AP is meant for strictly guest access.

So, the UniFi AP in question is wired into our utility room where it eventually gets connected to our gateway. Our server is set up the same way in another part of the office (cat5e is amply run throughout the building) but also hands out IP addresses for our internal network. I've got a second firewall set up in the utility room for guest access that's isolated from the rest of the network, so perhaps I'll just place it behind that one and manually assign it an IP.
Sounds like you've got it under control.
 

EXCellR8

Diamond Member
Sep 1, 2010
3,887
790
136
The isolated firewall is assigning an IP address to the AP but I can't "discover" it on the network, for whatever reason. I can even see the device listed in the lease table yet the Ubiquiti software doesn't "see" it. Gotta be some kind of easy fix, right? Maybe?
 

sdifox

No Lifer
Sep 30, 2005
88,181
10,990
126
The isolated firewall is assigning an IP address to the AP but I can't "discover" it on the network, for whatever reason. I can even see the device listed in the lease table yet the Ubiquiti software doesn't "see" it. Gotta be some kind of easy fix, right? Maybe?

That is the whole point of an isolated network, no?
 

EXCellR8

Diamond Member
Sep 1, 2010
3,887
790
136
Had to disable my antivirus; it wasn't allowing the Ubiquiti software (Java applet) to send or receive data on the network. Basically, our server hands out IPs to all of the end users who need access to company files and the firewall hands out IPs to guests on its own separate subnet.
 
