When your hybrid office hosts visitors, contractors, and clients, providing internet access becomes a security balancing act. You want convenient connectivity for guests while protecting internal systems from potential threats. A poorly configured guest network creates an unlocked door into your corporate infrastructure.
This guide walks through setting up guest WiFi that keeps visitors connected without exposing your internal network to unnecessary risk. The strategies here work with enterprise-grade equipment and affordable access points alike.
Understanding the Threat Model
Guest WiFi exists because untrusted devices should never share network space with sensitive systems. When a contractor connects a potentially compromised laptop to your main network, that device gains visibility into internal services, file shares, and management interfaces. The 2024 Uber breach demonstrated how attackers use compromised third-party access as an initial foothold.
Your guest network should assume every connected device is potentially hostile. Design accordingly.
Network Architecture Fundamentals
The core principle is strict isolation. Guest traffic must traverse a separate VLAN from your internal network, with explicit firewall rules preventing any communication toward corporate resources.
For most hybrid offices, this architecture works well:
```
            Internet
                │
                ▼
   ┌─────────────────────────┐
   │     Firewall/Router     │
   └─────────────────────────┘
         │              │
         ▼              ▼
   ┌───────────┐  ┌───────────┐
   │ Corporate │  │   Guest   │
   │   VLAN    │  │   VLAN    │
   │  10.1.x   │  │   172.x   │
   └───────────┘  └───────────┘
         │              │
         ▼              ▼
  Corporate WiFi   Guest WiFi
```
Configure your router or firewall to drop all traffic originating from the guest subnet heading toward the corporate subnet. Only allow DNS and HTTP/HTTPS outbound to the internet.
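The isolation policy just described, as an added example that is not code from the article: a first-match rule table you can exercise offline, plus a renderer that emits the same policy as an nftables forward chain. The 172.16.0.0/24 guest subnet matches the article's DHCP profile; 10.1.0.0/16 for the corporate VLAN and the table name guest_fw are assumptions made here.

```python
from ipaddress import ip_address, ip_network

# Subnets from the architecture diagram (corporate 10.1.x, guest 172.16.0.0/24).
GUEST = ip_network("172.16.0.0/24")
CORPORATE = ip_network("10.1.0.0/16")   # assumed size for the corporate VLAN
ANY = ip_network("0.0.0.0/0")

# First-match policy for traffic leaving the guest VLAN.
# Order matters: the isolation drop must precede the HTTP/HTTPS allow, otherwise
# a guest could reach an internal web server on port 443 through the allow rule.
RULES = [
    (CORPORATE, "any", None, "drop"),          # guest -> corporate: always drop
    (ANY, "udp", {53}, "accept"),              # DNS
    (ANY, "tcp", {53, 80, 443}, "accept"),     # DNS over TCP, HTTP, HTTPS
    (ANY, "any", None, "drop"),                # everything else from guests
]

def verdict(src, dst, proto, dport=None):
    """Simulate the policy: 'accept' or 'drop' for one guest-originated packet."""
    if ip_address(src) not in GUEST:
        return "not-guest"                     # outside this policy's scope
    for rdst, rproto, rports, action in RULES:
        if ip_address(dst) not in rdst:
            continue
        if rproto != "any" and rproto != proto:
            continue
        if rports is not None and dport not in rports:
            continue
        return action
    return "drop"

def render_nft():
    """Emit the same policy as an nftables forward chain (pipe into `nft -f -`)."""
    out = ["table inet guest_fw {", "  chain forward {",
           "    type filter hook forward priority 0; policy accept;",
           "    ct state established,related accept"]   # return traffic of allowed flows
    for rdst, rproto, rports, action in RULES:
        parts = [f"ip saddr {GUEST}"]
        if rdst != ANY:
            parts.append(f"ip daddr {rdst}")
        if rports is not None:
            ports = ", ".join(str(p) for p in sorted(rports))
            parts.append(f"{rproto} dport {{ {ports} }}")
        parts.append(action)
        out.append("    " + " ".join(parts))
    out += ["  }", "}"]
    return "\n".join(out)

if __name__ == "__main__":
    print(render_nft())
```

If your DNS filter sits on the corporate VLAN, add an explicit accept for UDP/TCP 53 toward that one host before the isolation drop, or guests lose name resolution.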
Implementing VLAN Isolation
Most business-grade access points support VLAN tagging. Here’s how to configure this using a UniFi setup as an example:
```json
{
  "name": "Guest-Network",
  "vlan_id": 172,
  "subnet": "172.16.0.0/24",
  "dhcp_server": {
    "enabled": true,
    "range": "172.16.0.100 - 172.16.0.200",
    "gateway": "172.16.0.1",
    "dns_servers": ["1.1.1.1", "8.8.8.8"]
  }
}
```
Create this network profile in your controller, then assign it to your guest access points. The DHCP server ensures guests receive addresses in the isolated range, preventing IP conflicts with corporate resources.
Captive Portal Authentication
For tracking and basic access control, implement a captive portal. This displays a landing page where guests must accept terms or enter an access code before connecting to the internet.
A simple self-hosted solution uses CoovaChilli or ndss:
```
# Example ndss configuration snippet
NAS-IP-Address = 127.0.0.1
NAS-Port = 3799
NAS-Key = "yoursecretkey"
DHCP-Interface = eth0
uamserver = "https://your-portal.example.com/guest/"
uamsecret = "portalsecret"
```
The portal records MAC addresses, which supports logging, and it can issue time-based access codes for contractors who only need temporary connectivity.
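The time-based access codes mentioned above, as an added example that is not part of the article or of any portal product: each code carries its own expiry and a short HMAC tag under a portal secret, so the portal validates it without a database lookup and can revoke a single code by the engagement id it embeds (the set a scheduled revocation job like the one in the automation section would maintain). PORTAL_SECRET, issue_code and check_code are names chosen here.

```python
import base64, hashlib, hmac, struct, time

# Constructed portal secret for this example; in practice load it from the portal's config.
PORTAL_SECRET = b"portalsecret-example-only"

def issue_code(code_id, valid_for_hours, now=None):
    """Issue a code that carries its own expiry: expiry(4 bytes) + id(2 bytes) + MAC tag(6 bytes).
    code_id (0..65535) is the visitor/engagement record number so one code can be revoked alone."""
    expires = int((time.time() if now is None else now) + valid_for_hours * 3600)
    header = struct.pack(">IH", expires, code_id)
    tag = hmac.new(PORTAL_SECRET, header, hashlib.sha256).digest()[:6]   # 48-bit tag
    return base64.b32encode(header + tag).decode().rstrip("=")           # 20 typeable chars

def check_code(code, now=None, revoked=frozenset()):
    """Validate a code typed into the captive portal.
    Returns 'ok', 'invalid', 'revoked' or 'expired'. The MAC is verified before any
    field is trusted, so a forged expiry cannot extend access."""
    s = code.strip().upper()
    try:
        raw = base64.b32decode(s + "=" * (-len(s) % 8))   # restore stripped padding
    except ValueError:
        return "invalid"
    if len(raw) != 12:
        return "invalid"
    header, tag = raw[:6], raw[6:]
    expected = hmac.new(PORTAL_SECRET, header, hashlib.sha256).digest()[:6]
    if not hmac.compare_digest(expected, tag):
        return "invalid"
    expires, code_id = struct.unpack(">IH", header)
    if code_id in revoked:                     # engagement ended early, or key leaked
        return "revoked"
    if (time.time() if now is None else now) >= expires:
        return "expired"
    return "ok"

if __name__ == "__main__":
    code = issue_code(code_id=42, valid_for_hours=24)   # a one-day visitor code
    print(code, check_code(code))
```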
Wireless Security Protocol Selection
Never use WEP—it takes minutes to crack. WPA2-AES provides adequate security for most scenarios, while WPA3-Personal offers improved protection against offline dictionary attacks.
For guest networks where you distribute passwords to visitors, WPA2-AES with a rotating passphrase works well. Generate unique passwords for each visitor or event:
```bash
# Generate a secure random WiFi password
openssl rand -base64 12
```
Change these passwords regularly, especially after hosting large events or when contractor engagements end.
Rate Limiting and Traffic Shaping
Guests streaming video or running large downloads can degrade performance for everyone. Implement rate limiting at your router:
```bash
# Example tc (traffic control) rules for a Linux router.
# Assumes eth1 faces the internet (its egress is guest upload) and eth2 faces
# the guest VLAN (its egress is guest download); HTB shapes egress traffic only.
# Limit guest upload to 5Mbps
tc qdisc add dev eth1 root handle 1: htb default 10
tc class add dev eth1 parent 1: classid 1:10 htb rate 5mbit burst 15k
# Limit guest download to 20Mbps
tc qdisc add dev eth2 root handle 1: htb default 10
tc class add dev eth2 parent 1: classid 1:10 htb rate 20mbit burst 15k
```
These limits prevent any single guest from monopolizing bandwidth while maintaining acceptable performance for browsing and video calls.
Content Filtering and DNS Security
Even with isolation, guests can still access malicious websites or use your network for inappropriate content. Implement DNS-based filtering to block known threat domains:
```
# Pi-hole configuration for blocklists
# Add to /etc/pihole/adlists.list
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://urlhaus.abuse.ch/downloads/hostfile/
```
Configure your guest DHCP to point toward your DNS filter rather than public DNS. This catches many threats at the DNS resolution stage without requiring client-side configuration.
Client Isolation
Enable client isolation on your access points. This prevents guest devices from communicating with each other—a standard feature in most enterprise APs but often disabled by default.
In UniFi controller, navigate to Settings → WiFi → Guest Policies and enable “Allow Guest to Guest Isolation”:
This stops a compromised guest device from scanning for other vulnerable guests on the same network.
Monitoring and Logging
Maintain logs of guest connections for security investigations and compliance. Capture:
- Connection timestamps and duration
- Device MAC addresses
- Data volumes transferred
- Authentication attempts
```bash
# Parse access point logs for guest connections.
# Assumes the AP forwards one JSON object per event to syslog; grep -o strips the syslog prefix.
grep "STA_CONNECTED" /var/log/messages | grep -o '{.*}' | jq -c '{time: .timestamp, mac: .mac, ap: .ap}'
```
Rotate and archive these logs regularly—most environments need 90-day retention minimum.
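As an added example (not code from the article), the items in the logging list above run over constructed JSON log lines: the timestamp, mac and ap fields follow the jq filter, while event, ssid, rx_bytes and tx_bytes are assumed names for an AP that reports them. It reconstructs per-session duration and data volume for the guest SSID only and flags MACs with repeated authentication failures.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, not real AP output. timestamp/mac/ap mirror the jq filter;
# event, ssid, rx_bytes and tx_bytes are assumed field names.
SAMPLE_LOG = """\
{"timestamp":"2024-03-04T08:00:00Z","event":"STA_CONNECTED","mac":"aa:bb:cc:00:00:01","ap":"lobby-ap1","ssid":"Guest-Open"}
{"timestamp":"2024-03-04T08:01:00Z","event":"AUTH_FAIL","mac":"aa:bb:cc:00:00:02","ap":"lobby-ap1","ssid":"Guest-Open"}
{"timestamp":"2024-03-04T08:01:05Z","event":"AUTH_FAIL","mac":"aa:bb:cc:00:00:02","ap":"lobby-ap1","ssid":"Guest-Open"}
{"timestamp":"2024-03-04T08:01:09Z","event":"AUTH_FAIL","mac":"aa:bb:cc:00:00:02","ap":"lobby-ap1","ssid":"Guest-Open"}
{"timestamp":"2024-03-04T09:30:00Z","event":"STA_DISCONNECTED","mac":"aa:bb:cc:00:00:01","ap":"lobby-ap1","ssid":"Guest-Open","rx_bytes":120000000,"tx_bytes":4000000}
{"timestamp":"2024-03-04T10:00:00Z","event":"STA_CONNECTED","mac":"aa:bb:cc:00:00:03","ap":"floor2-ap","ssid":"Corp-Staff"}
{"timestamp":"2024-03-04T10:05:00Z","event":"STA_CONNECTED","mac":"aa:bb:cc:00:00:04","ap":"lobby-ap1","ssid":"Guest-Open"}
"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def guest_activity(log_text, ssid="Guest-Open", fail_threshold=3):
    """Build per-MAC sessions (duration, bytes) for the guest SSID and flag repeated auth failures."""
    open_at, sessions, failures = {}, [], defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("ssid") != ssid:          # ignore corporate SSIDs entirely
            continue
        mac, t = ev["mac"], parse_time(ev["timestamp"])
        if ev["event"] == "STA_CONNECTED":
            open_at[mac] = (t, ev["ap"])
        elif ev["event"] == "STA_DISCONNECTED" and mac in open_at:
            start, ap = open_at.pop(mac)
            sessions.append({"mac": mac, "ap": ap, "start": start.isoformat(),
                             "seconds": int((t - start).total_seconds()),
                             "bytes": ev.get("rx_bytes", 0) + ev.get("tx_bytes", 0)})
        elif ev["event"] == "AUTH_FAIL":
            failures[mac] += 1
    return {
        "sessions": sessions,
        "still_connected": sorted(open_at),        # connected, no disconnect seen yet
        "repeated_auth_failures": sorted(m for m, n in failures.items() if n >= fail_threshold),
    }

if __name__ == "__main__":
    print(json.dumps(guest_activity(SAMPLE_LOG), indent=2))
```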
Contractor-Specific Considerations
Contractors often need different access levels than casual visitors. Consider implementing tiered guest networks:
| Access Level | Network Name | Permissions | Duration |
|---|---|---|---|
| Casual Visitor | Guest-Open | Internet only, 24-hour expiry | Single day |
| Contractor | Contractor-VPN | Internet + VPN gateway | Project duration |
| Long-term | Contractor-Monthly | Internet + limited internal access | Monthly rotation |
For contractors needing internal resource access, provide VPN credentials rather than direct network access. This adds authentication layers and encrypts all traffic.
Automation for Access Management
Automate access provisioning and revocation using your identity provider:
```yaml
# Example: Scheduled access revocation
- name: Revoke contractor access on project end
  trigger:
    schedule: "0 9 * * 1"   # Weekly Monday review
  action:
    http:
      url: "https://api.your-idp.com/revoke-guest-access"
      method: POST
      headers:
        Authorization: "Bearer {{ idp_api_key }}"
```
Integrate this with your HR systems to automatically disable credentials when contractor contracts expire.
Putting It All Together
Start with network segmentation as your foundation. From there, layer on captive portal authentication, traffic controls, and monitoring. Each additional control reduces risk while maintaining usability for legitimate guest access.
The key is assuming guests will connect untrusted devices and designing your network to contain that risk. Your internal team shouldn’t even notice the guest network exists—it should be completely invisible to corporate systems.
When contractors finish their engagements, revoke their credentials immediately. When events conclude, rotate passwords. These operational practices matter as much as the technical configuration.
Built by theluckystrike — More at zovo.one