Ubiquiti Guest WiFi Setup

Captions
Welcome to Crosstalk Solutions. My name is Chris, and today we're going to talk about how to properly set up a guest Wi-Fi network. Now, when I say properly set up a guest Wi-Fi network, what am I talking about? Well, in most situations you're going to want to have two networks, or two wireless networks, in an organization or even at home, and that's going to be one wireless network for internal users, where you have full access, you have full bandwidth, you're on the main LAN of that network typically, and then the guest network is segregated. Okay, so you've got a guest Wi-Fi network: it maybe has no password or a different password, it's limited in the amount of bandwidth that a guest can take up, it's client isolated so that the guests that connect can't see each other even on that same wireless network, and all sorts of other little things that make it a good, secure, solid wireless guest network. So how do we do this in a complete Ubiquiti infrastructure? That's what I'm going to show you.

So first things first, let's take a look at this Visio diagram that I mocked up really quickly here. This is the equipment that I'm going to be working with today, but the equipment is similar if you have a different type of EdgeSwitch, if you have a different type of EdgeRouter, if you're using different access points but they're still UniFi access points; all of the same concepts will be very, very similar. Okay, so what do we have here? I've got Internet connection out here that's plugged into eth0 of my EdgeRouter Lite. I have eth1 putting out 192.168.200.0, that's my main LAN, my internal LAN, and then I want to create a guest VLAN on that same interface, and the guest VLAN is going to be 192.168.10.0 network. Now that is going to come over here to my EdgeSwitch, which is an EdgeSwitch 24 Lite. My main port is port 1, that's the cross-connect between the EdgeRouter and the EdgeSwitch, and then my access point is hanging off of port 7. So over in UniFi we're going to have two different wireless networks: we're going to have my main secure WPA2-secured wireless network that is on my LAN, 192.168.200, and we're going to have my guest network that is on VLAN 10, which is 192.168.10, and we're going to firewall that network off, we're going to do some bandwidth limitations, and we're going to apply the guest policies. So we're going to walk through this entire thing start to finish, and we're going to start at the EdgeRouter Lite, so let me bring up that interface first.

Here we go. So I'm logged into my EdgeRouter Lite. This is version 1.0 of the EdgeRouter Lite firmware, and we can see here that I have very little configuration right now. I've got my main LAN at 192.168.200.1, or .0/24 is that network. So we're going to first add a new VLAN. We want to add VLAN 10, so I'm going to say Add Interface, Add VLAN, and the VLAN ID is going to be 10. The interface that I'm attaching it to is going to be eth1; that's where my regular network is now, my main LAN is now, and we're just going to call this VLAN 10. For IP address we're going to say manually define, and if we look back at our Visio, this is going to be the 192.168.10.0 network, and so I always make my gateways .1, and so we're going to make this one 192.168.10.1/24, /24 being a standard Class C network. That means that I'll have 192.168.10.1 through 192.168.10.254 available. Okay, so we're going to save that, and now I've created that VLAN. We can see I've now got eth1.10 and it's 192.168.10.1/24.

Okay, so the next thing we need to do is click on the Services tab, because I want to add DHCP on this network so that when a guest connects to my guest Wi-Fi network they're going to automatically get an IP address. So we're going to add a DHCP server. DHCP name we're going to call VLAN 10, subnet is 192.168.10.0/24, and then we're going to give a pretty good-sized range of IP addresses, since everyone in this network should be dynamically assigned; there's going to be no static devices at all in this network. So I'm going to give it 192.168.10.2 through 192.168.10.254. The router is 192.168.10.1, DNS 1 is 192.168.10.1, and as DNS 2 I'm going to give it a public backup DNS server, 4.2.2.2, and we're going to go ahead, make sure that it's checked on Enable, and we're going to save.

Okay, so the next thing we want to do is click on our Firewall/NAT tab, and we want to firewall off our main LAN so that anyone on the guest VLAN 10 network can't get to not only the interface of the EdgeRouter, so they can't do any configuration of the EdgeRouter itself, but also they can't get into my main LAN. So let's go on our firewall policies, and we want to add two new policies. Now, I'm not going to go into a very in-depth description of firewall policies; I'm just going to set these up very briefly. When it comes to firewall policies there are many, many ways to skin that cat. Okay, so what I'm going to be doing here is just a very basic, simple two rules that say: rule number one, anyone in my guest network cannot get to my main LAN, and rule number two, anyone in my guest network cannot get to the interface of this EdgeMAX router. So we're going to add two new rule sets. We're going to add VLAN 10 underscore in with default action accept, and we're going to add another rule set, VLAN 10 underscore local, with action, default action, accept.

Okay, so let's take care of the cross communication between my LANs first. So we're going to click on the VLAN 10 in rule. This is basically rules that apply to any traffic coming from within the guest network in to the EdgeRouter; that's why we call it VLAN 10 in. Anything that's in VLAN 10, this is traffic coming in to the EdgeRouter. Okay, so we want to say Edit Rule Set, and we're going to add a new rule, and we're going to say drop access to 192.168.200.0. Okay, so we're going to say action drop, and then we're going to say when the destination is 192.168.200.0/24, and save. So now anyone in my guest network shouldn't be able to get to 192.168.200.0, which is my main LAN. The next thing we need to do on this rule set is click on Interfaces and apply this to one of the interfaces. In our case we're going to apply it to eth1.10, and the direction is inbound. Save rule set.

Okay, so now if we pop over to our other rule set, which is VLAN 10 local, this is going to be rules for any traffic that's destined for the actual EdgeRouter itself, so the destination is the interface IP address for VLAN 10, 192.168.10.1. So we're going to add a new rule, and we're going to say drop access to 192.168.10.1, so if anyone's trying to get to 192.168.10.1 we're just going to drop those packets. So interface destination is 192.168.10.1, and so we have basically drop access to 192.168.10.1, action drop, destination, drop when the destination is 192.168.10.1, and go ahead and save that rule. Now of course this rule is only for when stuff's actually getting to that interface directly; stuff will still be able to pass through, or traffic will still be able to pass through, the interface no problem. So now we need to do the same thing: we need to assign it to an interface, and the interface we're going to assign this to is eth1.10, local. Save rule set. Okay, so again, you can go crazy with firewall rules. There's much more that I could be doing to secure this down more, but this is good enough for the purposes of this video. Okay, so close that out, and we are now done with our EdgeRouter configuration. Let's switch over to the EdgeSwitch and log in there.

Okay, so here we are in our EdgeSwitch. This is an EdgeSwitch 24 Lite. I am running firmware version 1.3. Oh, there's actually a newer version out, it's 1.5.0, I just haven't upgraded yet, but there's nothing new in 1.5.0 that should be different than what I'm going to do here. So we're going to click on the VLAN tab right off of the dashboard. This is the VLAN wizard tab, and the first thing that we want to do is add our new VLAN. So VLAN ID 10, we're going to add, there we go, and I'm going to change the name, oops, VLAN 10, just so that it matches everything else. I'm going to submit that, and we're going to save that configuration.

Okay, so now I have my VLAN added. Let's go back to our VLAN tab, and there's two ports that we need to deal with here. We need to deal with port 1, because port 1 is the cross-connect from the EdgeRouter to the EdgeSwitch. I'll bring up the Visio again. So port 1, which is the cross-connect from the EdgeRouter to the EdgeSwitch, and then port 7, which is out to my access point. Okay, so let's bring that back up. So now we're already set on port 1. I have port 1 set as a trunk port. When you set something as a trunk port, that means that it basically passes all of your VLANs to those ports, right? So port 1 being a trunk port, any VLAN that I put in to the EdgeSwitch will be transmitted from wherever it's coming from to or from port 1. Okay, so port 7, I have two options here. If I only have these two VLANs and there's no other VLANs that I need to pass to the access point, then I can just make port 7 also a trunk port, okay, by clicking this box. The reason that you wouldn't want to make it a trunk port is if your access point, let's say you have 10 VLANs and you only need to pass two of the VLANs to the access point, well then there's no sense in making it a trunk port; you just want to set that manually. So let's pretend that we're going to set it manually in this case. My default LAN, which is 192.168.200, we're going to leave untagged, so anything that is passing to and from the access point without any VLAN tagging whatsoever is going to be on by default on my main VLAN, my default VLAN, and that's my main LAN, 192.168.200.0. Down here we'd want to set this to T for tagged. Okay, so that means that port 7, we're going to have T traffic, meaning tagged traffic; anything tagged with VLAN 10 will also be allowed to pass on port 7 of the EdgeSwitch. So let's go ahead and submit that and save our configuration. Okay, so let's go back and take a look at our VLAN wizard again. I just want to make sure that we look good at this point. So here we see port 7, VLAN ID status is Included for VLAN 10. Okay.

Okay, so the last thing that we need to do is set up our access point in UniFi, so let me bring up UniFi now. So this is UniFi version 5.0.7, and we can see I have one access point. Let's click on our devices there. We can see, actually, let me zoom this in a little bit, make it a little bit easier to see. There we go. Okay, so we have one UAP-AC-LR connected to this UniFi controller, this site of this UniFi controller. I'm completely up to date, everything's looking good. Let's go ahead and click on my wireless networks, so Settings, Wireless Networks. Now, I already have a guest network, so let me go ahead and delete that; I just want to make sure that we're starting from scratch here. Okay, so I've deleted my guest network. At this point the access point should be provisioning, and it will come back in just a couple minutes. In the meantime, though, I can set up the new guest network no problem.

Okay, so the first thing I want to do is come into my wireless networks, and I want to say Create New Wireless Network, and the name or SSID is Sherwood_guest. We're going to make sure it's enabled. The security is going to be open. Again, you can choose to have a password on your guest network. I live in an area where I'm not too concerned about neighbors popping on to my guest network; there's really no one that close to me, so I don't need to worry about it. I can barely get my own Wi-Fi signal once I step outside my house anyways. And we're going to apply guest policies to this network, so that is going to be a couple of things: client isolation, first of all, meaning that any devices that connect to this guest network cannot talk to or see other devices on the same guest network, and it also would allow me to do some sort of captive portal if I wanted to do captive portal. Going to do captive portal in this video, but that's where you would turn it on, to apply those guest policies. We're going to save this for now; we're going to come back and do a little bit more work on this network in just a second. Actually, let me do one more thing: VLAN, use VLAN with VLAN ID 10. Okay, so we do want to put it in the correct VLAN, which is VLAN ID 10, and we're going to save that. Okay, so now we see Sherwood_guest, open security, it is checked as a guest network, and VLAN ID is 10.

Okay, so now bandwidth limiting. Let's go over here to our user groups. I see I have a guest user group already; let's just go ahead and edit that one. Basically you could do Create New User Group and then it pops up; there's very few options here. So the name is guests, and I've checked the box. We're going to limit download to 10,000 kbps, or 10 megabits, and we're going to limit upload bandwidth to 2,000 kbps, or 2 megabits. That looks good; we're going to save that. Now let's go back to our wireless network and edit the guest network, and under here for user group we now want to set the guests user group that I just created, or that I just modified. So that means that people connecting to this network will be assigned to VLAN 10, so they should get an IP address in 192.168.10, they will be bandwidth limited based on the settings of the guests user group, and there's no security on the network; it's a wide-open network. Let's go ahead and save that, and we're going to wait for my access point to provision and come back, and then we're going to test it out, make sure that it's working.

Okay, so I have successfully connected to my guest network. There's one thing that I forgot to do; I'll show you in a second. But if I go to my settings on my phone and I hit info, I don't know if you can see this, let's see if I'll focus in, but we can see that my IP address that I received is 192.168.10.3. Okay, so I did get the correct address, but when I first tested web access it gave me a DNS error, and I forgot that I need to, in the EdgeRouter, I need to tell DNS to listen on that VLAN interface. So let's go back to our EdgeRouter, and here I've already added it; let me remove it so that we can do it from scratch. If I go to, let me go back to the dashboard, so if I go to Services and then I click on the DNS tab, we can see I have two interfaces listening by default here, eth1, eth2. I'm going to add a new listen interface, and we see in the drop-down box I don't have my VLAN, so I'm going to click Other, and my listening interface is going to be eth1.10. Okay, that's the interface ID for VLAN 10; it's VLAN 10 running off of eth1, so the nomenclature is eth1.10. Go ahead and save that, and now the EdgeRouter will respond to DNS requests on that interface, and that's all there is to it.

So I now have a secure Wi-Fi network set up. How else do you guys set up your Wi-Fi networks for security? Go ahead and put it down in the comments below. If you think I missed anything, if you think there's something that I should have done that I didn't, I'd love to hear about it. But mostly this is how I set up a secure guest Wi-Fi for my clients, other than I probably do a little bit more complicated firewall rules than what I showed here. Okay, so that's it. I hope you enjoyed this video. My name is Chris with Crosstalk Solutions. If you did enjoy this video, please give me a thumbs up, and if you'd like to see more videos like this, please click Subscribe. Thank you so much for watching.
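
The EdgeRouter steps from the walkthrough above, written as EdgeOS CLI configuration. This is an added example, not taken from the video: the rule-set names VLAN10_IN and VLAN10_LOCAL, the DHCP name VLAN10 and the rule number 10 are assumptions chosen to mirror the names spoken in the transcript.

```edgeos
configure

# Guest VLAN 10 on eth1, gateway 192.168.10.1/24 (shows up as eth1.10)
set interfaces ethernet eth1 vif 10 description "VLAN 10"
set interfaces ethernet eth1 vif 10 address 192.168.10.1/24

# DHCP for guests: .2 through .254, router as gateway and first DNS,
# 4.2.2.2 as the backup resolver (DHCP name VLAN10 is an assumption)
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 start 192.168.10.2 stop 192.168.10.254
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name VLAN10 subnet 192.168.10.0/24 dns-server 4.2.2.2

# Rule set for guest traffic routed through the EdgeRouter:
# default accept, drop anything headed for the main LAN
set firewall name VLAN10_IN default-action accept
set firewall name VLAN10_IN rule 10 description "Drop access to 192.168.200.0"
set firewall name VLAN10_IN rule 10 action drop
set firewall name VLAN10_IN rule 10 destination address 192.168.200.0/24

# Rule set for guest traffic addressed to the EdgeRouter itself:
# default accept, drop anything addressed to the VLAN 10 gateway IP
set firewall name VLAN10_LOCAL default-action accept
set firewall name VLAN10_LOCAL rule 10 description "Drop access to 192.168.10.1"
set firewall name VLAN10_LOCAL rule 10 action drop
set firewall name VLAN10_LOCAL rule 10 destination address 192.168.10.1

# Attach both rule sets to eth1.10, one per direction
set interfaces ethernet eth1 vif 10 firewall in name VLAN10_IN
set interfaces ethernet eth1 vif 10 firewall local name VLAN10_LOCAL

# Make the DNS forwarder listen on the guest VLAN interface
set service dns forwarding listen-on eth1.10

commit
save
exit
```

Because VLAN10_LOCAL defaults to accept and matches only destination 192.168.10.1, guest traffic addressed to the router's other addresses, such as its address on 192.168.200.0/24, is evaluated by that same rule set and accepted. The drop rule also has no protocol match, so it applies to DNS queries sent to 192.168.10.1 as well.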
Info
Channel: Crosstalk Solutions
Views: 132,966
Rating: 4.9502072 out of 5
Keywords: wifi, guest wifi, ubiquiti, unifi, unifi wifi, unifi guest wifi, guest portal, wifi guest portal, wifi portal, captive portal, unifi controller
Id: C7CGY0BTFCM
Length: 18min 8sec (1088 seconds)
Published: Thu Jul 28 2016