Guest Network with EdgeRouter Lite and UniFi Access Points, Take 3!

I’ve written about guest networks with UniFi Access Points twice before and since I’ve written those articles, the UniFi software has just gotten better and better. My instructions are close to no longer being needed, but not quite. In the latest versions of the UniFi controller (5.x), Ubiquiti has fixed issues with network slowdowns when turning on the guest network. This is excellent news and really simplifies the configuration.

For this post, I’m going to reuse some of my pictures and steps as I don’t like to duplicate my work!

Start on the EdgeRouter Lite and do the following:

  1. On the EdgeRouter Lite’s Dashboard, click Add Interface and select VLAN.
  2. Set up the VLAN as 1003 and attach it to the physical interface of your LAN. Give it an IP address in the range of a private IP block, but make sure you end it in a /24 to specify the proper subnet. (Make sure it is different than your normal private IP block.)

  3. Click on the Services tab. Click Add DHCP Server. Set it up similar to the image below.

  4. Click on the DNS tab under services. Click Add Listen interface and select the VLAN interface. Make sure you hit save.

Now it’s time to move over to the UniFi Controller.

  1. After you log in to the controller, click Settings in the lower left.
  2. Click Networks.

  3. Click Create New Network.

  4. Set up the network as indicated in the next image and then click Save.

  5. Select User Groups on the left side.

  6. Click Create New User Group.

  7. Enter appropriate values to limit upload and download.

  8. Select Wireless Networks on the left side.

  9. Click Create New Wireless Network.

  10. Configure the network similar to the next picture. Of course, set a password that isn’t bullets!

  11. Select Guest Control on the left side.

  12. Configure the guest access how you find appropriate. Since I already have a WPA2 password, I just put in no authentication and some basic text. The important part of this screen is access control at the bottom. This area basically isolates guest clients from connecting to your LAN. In my prior configurations, I had to do this at the router level. This is much simpler and cleaner to set up.

Now you can test this by connecting to the guest network and accessing the Internet. On my network, I now get a captive portal; nothing fancy, but it’s kind of cool.

Then try connecting to a device on your LAN or connecting to the EdgeRouter Lite. Both actions should fail.
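
The two tests above can be scripted. This is an added example, not part of the original post: a small Python check to run from a laptop joined to the guest SSID. The target addresses and ports are constructed placeholders (assumptions), so substitute a device on your own LAN and your router's LAN-side address.

```python
import socket
import sys

# Constructed sample targets (assumptions, not values from the post): swap in a
# device on your own LAN and your router's LAN-side address.
CHECKS = [
    # (label, host, port, should_be_reachable)
    ("internet (also exercises guest DNS)", "example.com", 443, True),
    ("LAN device, SMB", "192.168.1.10", 445, False),
    ("EdgeRouter web GUI", "192.168.1.1", 443, False),
    ("EdgeRouter SSH", "192.168.1.1", 22, False),
]

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # a reset came back: something answered the packet
    except OSError:
        return "filtered"  # timeout, unreachable or DNS failure: nothing answered

def verdict(should_be_reachable, state):
    """Map an observed state to 'ok', 'FAIL' or 'review'."""
    if should_be_reachable:
        return "ok" if state == "open" else "FAIL"
    if state == "open":
        return "FAIL"      # guest client completed a handshake with a LAN target
    # The connection failed as the post expects, but a reset means the target
    # (or a rejecting firewall) replied, so confirm which one it was.
    return "review" if state == "refused" else "ok"

def audit(checks, probe_fn=probe):
    """Run every check and return (label, host, port, state, verdict) rows."""
    rows = []
    for label, host, port, should_be_reachable in checks:
        state = probe_fn(host, port)
        rows.append((label, host, port, state, verdict(should_be_reachable, state)))
    return rows

if __name__ == "__main__":
    results = audit(CHECKS)
    for label, host, port, state, result in results:
        print(f"{result:6} {state:8} {host}:{port}  {label}")
    sys.exit(1 if any(r[4] == "FAIL" for r in results) else 0)
```

The script exits non-zero if the Internet check fails or if any LAN or router target accepts a connection, so it can be rerun after every controller or firmware upgrade.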

I know that there are a lot of steps to configure this, but they’re not that difficult and you only have to do it once!

I’ve tested this and it is working well on my network; if I’ve missed anything, please let me know!

This configuration is much cleaner than my previous two attempts as most of the configuration is in the UniFi Controller. I’ll be writing one last follow-up on this topic when I swap out my EdgeRouter Lite for a UniFi Security Gateway (USG). While the EdgeRouter Lite is a great box, the USG is basically the same hardware, but all configuration is done through the UniFi Controller. I’m not quite ready to do the swap (I have one sitting on my shelf that Ubiquiti sent to me) as I’m waiting for the UniFi Controller to add a few more features like static DHCP assignments, static DNS entries, and IPv6 support (all via the GUI; this can already be done on the command line).

2 Replies to “Guest Network with EdgeRouter Lite and UniFi Access Points, Take 3!”

  1. Scott

    Do you have both a private WLAN and the guest WLAN configured on the AP?
    I’m trying to do it and define separate vlans on the router. I would think I’d have to define a port on the router as a trunk but I don’t see how to do it or if it’s the right approach.
    Also I’m using the EdgeRouter X, so is it any different than the Lite?

    1. Hi Matt,

      Configuring the EdgeRouter X should be the same as I’ve documented. The instructions have a separate WLAN for guest access. You don’t have to define a “port” on the router, but you do have to define a VLAN with an IP address.
