Emerging Member

After learning Unifi (ROCKS) next steps

My home setup: USG 3, 150W 8 port, 3 AP-AC: 2 LR and 1 Pro. Cloud key, 400 mbps down, 35 mbps UP

[Don't ask why] I had to reset EVERYTHING and I'm back to square 1. In a way: good since it gives me a chance to make my network even better (I hope). This time, I want to do this step-by-step - slowly, starting with guest network.

User group: My kid and his friends along with my own guests.

I am currently able to create a guest Wifi network SSID. Users connecting to this guest network get a bandwidth restriction of 75,000 kbps (Down) and 15,000 up. They are not able to see anything in my main network, except access to Printer - which has a static IP. I don't need Hotspot/Portal features, etc. A simple SSID password is fine.

  1. I would like the guest users logging in via SSID = GUEST to be in a separate VLAN. Please advise - how to?
  2. I want all my connected guest users isolated, i.e. they should not be able to see each other also. Not sure - but if by default this is a Unifi feature for guest network, then I don't need anything else. I'm good. Please assist in confirming.
    • If not true, i.e. guests in guest network will be able to see each other and I want to stop that from happening - how to achieve this? 1 option is perhaps Radius assigned VLAN, issued to each guest client as and when they log-in. I don't know how to do it. Any help - appreciated. Another option (perhaps) : Firewall rules? Any help - appreciated.
  3. I have an Apple TV and Xbox which is actively used by my kid and his guests. Should I put the Apple and XBox in the same SSID but in that case - being streaming and gaming devices respectively it will suffer from bandwidth throttling. I feel it'll be better if they are in a different SSID (different VLAN).. let's say : STREAM. In which case how do I enable Airplay from guests into Apple TV and is there anything I need to do for Xbox and my guests' tablets/smartphones?  
  4. From the perspective of security - are there any other recommendations .. only on the perspective of GUEST network/clients? I am a bit confused after going thru the Unifi article (see below / end of this post) w.r.t. port isolation. Should I do it?

An excellent article I already went thru: Linky


Accepted Solutions
Emerging Member

Re: After learning Unifi (ROCKS) next steps

It was confirmed to me that, unlike other enterprise gateways, this is not possible in Unifi. Any devices located within the LAN segment will be capable of seeing each other. They may not be able to connect though.


All Replies
Senior Member

Re: After learning Unifi (ROCKS) next steps

Hello @BengalTiger,

Under the Network tab create a new network, tag the VLAN number to it and apply guest policies.

Now create a wireless network, tag the VLAN number to it and here you can also apply guest policies.

Put the IPs of the devices you want the guests to reach in the Pre-Authorization Access list.

Settings > Guest Control

I personally have wired/wireless devices, IoT devices and guest clients.

Regards,

Glenn R.

Emerging Member

Re: After learning Unifi (ROCKS) next steps

Thanks. That part I did, I just forgot the "how-to" on VLAN.

Anyways - what about this?

I want all my connected guest users isolated, i.e. they should not be able to see each other also. Not sure - but if by default this is a Unifi feature for guest network, then I don't need anything else. I'm good. Please assist in confirming.

  • If not true, i.e. guests in guest network will be able to see each other and I want to stop that from happening - how to achieve this? 1 option is perhaps Radius assigned VLAN, issued to each guest client as and when they log-in. I don't know how to do it. Any help - appreciated. Another option (perhaps) : Firewall rules? Any help - appreciated.
Senior Member

Re: After learning Unifi (ROCKS) next steps

Hello @BengalTiger,

If you apply guest policies they won't be able to see each other.

Regards,

Glenn R.

Emerging Member

Re: After learning Unifi (ROCKS) next steps

Hello - I completed the setup. Thank you. However, my fundamental problem continues to exist. Let me explain:

Assume I have

3 devices in SSID: WORK, i.e. D1, D2, D3. LAN: WORK, TYPE: CORPORATE, VLAN = 50

5 devices in SSID: GUEST, i.e. G1, G2, G3, G4, G5. LAN: GUEST_LAN, TYPE: GUEST, VLAN = 10.

Everything is configured correctly, i.e. in Guest control, etc. There's no guest portal.

Correctly, when any of G[1..5] does a network scan they are NOT able to find D1, D2, D3. But, they are able to find each other, i.e. G[1..5]. In other words, devices located within the GUEST_LAN are able to find each other. Something I would like to isolate. Any leads - appreciated.
