Set up new WLAN (SSID) for guest network on UniFi Controller

In many environments, it makes sense to offer a separate guest network. This allows visitors or external service providers to securely access the Internet without jeopardizing the internal company network. In this article, we will show you how to create a new SSID on a UniFi Controller and assign it to an existing VLAN (e.g. VLAN for guests).

Topics

Requirements

UniFi Controller with access to the web interface.
Already configured VLAN(Configure VLAN on Sophos Firewall and UniFi Switch).
VLAN ID and the associated firewall rules are set up.

Create a new SSID for the guest network

Open UniFi Controller

Log in to your UniFi Controller.
Go to Settings in the menu on the left.

Call up WLAN settings

Select WiFi in the left-hand area.
You will see an overview of your existing WLAN networks (SSIDs).

Create new SSID

Click on Create New.
Assign a name for the network, e.g. GUEST.
Set a password that guests should use. Make sure it is sufficiently complex.

UniFi WiFi settings — UniFi WiFi Einstellungen

Assign VLAN

In the settings under Network, you can now define the previously created VLAN.
Select the previously created VLAN for the guest network (e.g. WLAN Guest).

UniFi WiFi - Create SSID — UniFi WiFi – SSID anlegen

Advanced settings (optional)

Under Advanced, you can configure further options, e.g. Guest Portal, Hotspot 2.0, Captive Portal or Bandwidth Limits.
If required, activate Guest Policies to further secure the network (e.g. isolate clients from each other).

Save and apply

Finally, click on Add WiFi Network to create the new SSID.
After a short time, the WLAN should be visible to guests.

Checking the configuration

Connection attempt: Connect to the new WLAN as a test and check whether you receive a correct IP address from the guest VLAN (if a DHCP Server has already been set up in the network).
Firewall rules: Check Sophos Firewall (or your gateway firewall) to see whether the appropriate rules apply.
Client isolation: Ensure that guests can only access the Internet and cannot reach any other VLANs or devices in the internal network.