Enabling Guest Control in UniFi Controller Blocked Access to Local Network Services by Default

Properly configuring guest isolation in the UniFi Controller

For my guest wireless network, I like the idea of all of the network devices on the guest network to be isolated from one another. Since the guest network should be used for visitors and other untrusted devices, it makes sense to restrict communication between the devices to improve security.

Even though captive portals are a pretty cool feature that can provide a “wow” factor for guests that log onto your guest network, I have read where the captive portal on UniFi wireless access points can reduce the throughput of the guest network. I am content with simply having client isolation on my guest network, which you can enable without using the full blown captive portal.

I do not think enabling only the guest network controls on UniFi access points without the captive portal slows down throughput as much as enabling the captive portal. It is possible my Internet connection is slower than the amount of the reduction of throughput speed caused by enabling the guest network controls. So for my needs, there is no noticeable difference with enabling the guest network. Ubiquiti may have made some performance improvements in newer firmware so your experience may vary.

When I first set up my guest network, I did not enable the guest network controls due to fear of greatly reduced performance. I locked down the guest VLAN with firewall rules, and I prevent the guest devices from accessing any devices on my other VLANs. Later I realized that it was silly for me to completely block my guest network devices from accessing my publicly accessible services (if Internet users can access my public services, why not my guest network also?), so I tweaked the rules to only allow access to the public services from the guest network.

I revisited enabling the guest network controls after reading that some have said that guest controls without the captive portal does not significantly impact performance. Also, I really just wanted the client isolation on the guest network to protect devices that connected to that network.

Whenever I enabled the network, I did not notice any impact to performance on the few devices that I tested. Great so far. Then I tried accessing some of the publicly accessible services that are on another VLAN such as Nextcloud, Plex, etc. It was not connecting to them. My first thought is that the client isolation is somehow blocking access to my other parts of the network since I did not make any changes to the firewall recently.

After doing some digging, I realized that there a few settings that affect the guest network controls, and it is not just for the captive portal but all guest network controls. I was thought enabling the guest network only enabled client isolation. There is a little more to it. If you visit Settings > Guest Control, you will see the following default values:

UniFi Guest Control

My server is located in the subnet. Notice the issue yet? The “Post-Authorization Restrictions” has a list of networks that guests are restricted (blocked) from accessing. It is set to block all private IP addresses so access to my server was being blocked by the access point. These are likely good default values to have for security reasons especially for businesses that offer public WiFi and want to keep the guest network separate from their internal network. However, I do want to provide very limited access to the server on my local network so I had to remove the post-authorization restrictions. I am controlling access to my network with my firewall rather than blocking networks at the wireless access point level.

Once I removed those restrictions, I was good to go with having client isolation while also allowing access to other parts of my network! To verify that my wireless devices were isolated, I used a network scanner app on my phone, and it did not find any other devices on the guest network.