Guest Network with EdgeRouter Lite and UniFi Access Points

Last year, I wrote about setting up a guest network with the EdgeRouter Lite. The post was focused on using an Apple Time Capsule as the wireless access point. Since then I’ve switched away from the Time Capsule and am now using Ubiquiti UniFi APs, so parts of the post are no longer relevant to me and a few people have asked me how to do this with the EdgeRouter Lite and the UniFi APs.

While the UniFi controller software has the option to do a guest network, as far as I can tell, it isn’t exactly what I want. With my setup, you can’t just use the checkbox to turn on the guest network as the current firmware apparently slows things down. So if you don’t check the box, my instructions appear to still be needed.

All of the EdgeRouter Lite steps are taken from my original post, so they may look familiar.

Here are the steps:

1. On the EdgeRouter Lite’s Dashboard, click Add Interface and select VLAN.

   

2. Set up the VLAN as 1003 and attach it to the physical interface of your LAN. Give it an IP address in the range of a private IP block, but make sure you end it in a /24 to specify the proper subnet. (Make sure it is different than your normal private IP block.)

   

3. Click on the Services tab. Click Add DHCP Server. Set it up similar to the image below.

   

4. Click on the DNS tab under services. Click Add Listen interface and select the VLAN interface. Make sure you hit save.

   

5. Click on Firewall/NAT and then click on Add Ruleset. This is for packets coming into the router destined for somewhere else (not the router). Set up the default policy for Accept. Click Save.

   

6. From the Actions menu next to the Ruleset, click Interfaces.

   

7. Select your VLAN interface and the in direction.

   

8. Click Rules and then Add New Rule. Click on Basic and name it LAN. Select Drop as the Action.

   

9. Click Destination and enter 10.0.1.0/24 or whatever your LAN IP range is. Then click Save. This will drop all packets from the VLAN destined for your LAN. Save.

   

10. Repeat 1 and 2 above (name it GUEST_LOCAL). From the Interface, select the VLAN interface and the local direction.

11. Add a new rule. Set it to Accept on UDP port 53 (DNS).

    

    

12. Save.

Now it’s time to move over to the UniFi Controller.

1. After you login to the controller, click the Settings in the lower left.

   

2. If you’re using your UniFi AP connected to a UniFi Switch, you have to setup the switch to pass traffic for your guest network. If you aren’t, you can skip to step 5.

   

3. Click Create New Network

   

4. Setup the network as indicated in the next image and then click Save.

   

5. Select Wireless Networks on the left side.

   

6. Configure the network similar to the next picture. Note that I didn’t turn on guest policy.

   

Now you can test this by connecting to the guest network and accessing the Internet. Then try connecting to a device on your LAN or connecting to the EdgeRouter Lite. Both actions should fail.

I know that there are a lot of steps to configure this, but they’re not that difficult and you only have to do it once!

I’ve tested this and it is working well on my network; if I’ve missed anything, please let me know!