
How to Set Up a Guest Wi-Fi Network for Your Business

Running a separate guest Wi-Fi network is one of the simplest and most effective steps a business can take to protect its data. This guide walks you through setting it up correctly — from enabling it on your router to enforcing bandwidth limits, content filtering, and regular password rotation.

Overview

A guest Wi-Fi network runs alongside your main business network but is completely isolated from it. Visitors, contractors, and personal devices get internet access without the ability to see your file servers, printers, point-of-sale terminals, or any other internal resource. This protects you from accidental data leakage and deliberate snooping, and is a requirement under Cyber Essentials if you allow non-business devices to connect to your wireless infrastructure.

Why this matters:

A compromised guest device on a shared network can pivot into your business systems. Proper VLAN separation or a dedicated guest SSID prevents lateral movement entirely.

Step 1: Basic Setup

1. Understand Why Guest Wi-Fi Matters for Business

  • Isolates customer and visitor devices from your internal network
  • Prevents accidental access to shared drives, printers, and NAS devices
  • Limits blast radius if a guest device is infected with malware
  • Required for PCI-DSS compliance if guests are near your payment terminals
  • Required for Cyber Essentials if BYOD or guest devices access the same infrastructure
  • Gives you legal ground to monitor and log guest traffic separately

2. Check Your Router Supports Guest Networks

  • Most modern business routers (Ubiquiti, Cisco Meraki, Netgear Business, TP-Link Omada) support guest networks natively
  • Consumer-grade routers (BT Smart Hub, Sky Q, Virgin Hub) have basic guest network features but limited VLAN support
  • Log into your router admin panel and look for "Guest Network", "Guest SSID", or "VLAN" settings
  • If your router lacks guest network support, consider upgrading to a managed access point

Business recommendation:

If you regularly run more than five concurrent guest devices, a dedicated access point with a managed switch and proper VLAN configuration is far more reliable than a consumer router's guest feature.

3. Log In to Your Router Admin Panel

  • Open a browser and go to your router's admin IP — typically 192.168.1.1, 192.168.0.1, or 10.0.0.1
  • If unsure, run ipconfig on Windows or ip route on Linux/Mac and look for "Default Gateway"
  • Enter admin credentials — these should have been changed from factory defaults
  • If you do not know the admin password, contact your IT provider before proceeding
  • Navigate to "Wireless", "Wi-Fi", or "Network" in the menu, then find "Guest Network" or "Guest Access"

4. Enable the Guest Network

  • Toggle the guest network to "Enabled" or "On"
  • Select the radio band: 2.4 GHz covers more distance; 5 GHz is faster but shorter range
  • For a reception area or waiting room, 2.4 GHz is usually the right choice
  • For a co-working space or event venue, enable on both bands
  • Save settings before moving to the next step

5. Configure a Strong Guest SSID and Password

  • Choose a clear, professional SSID: "CompanyName-Guest" or "Reception-WiFi" — never the generic "Guest" alone
  • Set WPA2 or WPA3 encryption — never leave the guest network open with no password
  • Create a memorable but non-trivial password: 10–12 characters, mix of words and numbers
  • Record the password in your IT documentation and display it in reception

Never leave guest networks open:

An open network with no password means all traffic is unencrypted. Anyone within range can sniff traffic from every guest device. Always use WPA2 as a minimum.

Step 2: Security Settings

6. Enable Client Isolation

  • Client isolation prevents guest devices from communicating with each other on the same network segment
  • Without it, a malicious guest device could scan for and attack other devices sharing the SSID
  • Find this in guest network settings — typically a tick box labelled "Isolate clients" or "AP isolation"
  • Enable it — this does not affect internet access for guests
  • Mandatory for PCI-DSS compliance in areas near card payment terminals

7. Set Bandwidth Limits for Guests

  • Without limits, a single guest streaming 4K video can saturate your business internet connection
  • Look for "Bandwidth Control", "QoS", or "Rate Limiting" in guest network settings
  • Set a per-device download limit: 5–10 Mbps is sufficient for web browsing, email, and video calls
  • Set an upload limit too: 2–5 Mbps prevents guests hogging upstream bandwidth
  • Prioritise your main business traffic above guest traffic using QoS rules

8. Enable a Captive Portal

  • A captive portal shows a login or terms page before granting internet access
  • Useful for collecting contact details, displaying terms of use, and demonstrating GDPR compliance
  • Available on enterprise routers (Ubiquiti UniFi, Cisco Meraki) and third-party services
  • If collecting email addresses, include a consent checkbox that complies with UK GDPR
  • Set session timeout so guests must re-accept terms after a defined period (e.g. 24 hours)
  • Log authentication events for compliance and legal hold purposes

Step 3: Advanced Options

9. Use VLANs for Enterprise-Grade Separation

  • A VLAN creates a truly separate network segment at the switch level — stronger than just a separate SSID
  • Requires a managed switch and VLAN-capable router or access point
  • Tag the guest SSID to VLAN 20 (or any available ID); the business network to VLAN 10
  • Configure firewall rules to block VLAN-to-VLAN traffic except for permitted services
  • The guest VLAN should only reach the internet — not any private IP range
  • Recommended for any office with 10 or more employees or any regulated data

When to get professional help:

VLAN configuration on managed switches requires networking knowledge and can break connectivity if misconfigured. Contact InfiniTech for a network audit and proper segmentation setup.
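
The firewall requirement in step 9 can be checked on paper before touching a switch. The following is an added example, not vendor or InfiniTech code: it models a first-match rule list (a hypothetical tuple format) and lists which internal targets a guest client could still reach. The subnets, rule sets and probe targets are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption): VLAN 20 guest, VLAN 10 business.
GUEST_NET = "192.168.20.0/24"
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # RFC 1918

# Constructed internal targets a guest must not reach: (address, TCP port).
PROBES = [("192.168.10.5", 445),    # file server on the business VLAN
          ("192.168.10.20", 9100),  # network printer
          ("10.0.0.1", 443),
          ("172.16.0.1", 22)]

# Weak: "give guests internet" written as one broad allow.
WEAK_RULES = [("allow", GUEST_NET, "0.0.0.0/0", "any")]

# Hardened: deny every private range first, then allow the rest.
HARDENED_RULES = ([("deny", GUEST_NET, net, "any") for net in PRIVATE_NETS]
                  + [("allow", GUEST_NET, "0.0.0.0/0", "any")])

def first_match(rules, src, dst, port):
    """Action of the first rule matching the flow; unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, dport in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and dport in ("any", port)):
            return action
    return "deny"

def audit_guest_rules(rules, permitted=()):
    """Return internal (address, port) targets a guest client can still reach,
    ignoring flows listed in `permitted`."""
    guest = "192.168.20.50"  # sample guest client address (constructed)
    return [(dst, port) for dst, port in PROBES
            if first_match(rules, guest, dst, port) == "allow"
            and (dst, port) not in permitted]

if __name__ == "__main__":
    print("weak:", audit_guest_rules(WEAK_RULES))
    print("hardened:", audit_guest_rules(HARDENED_RULES))
```

Rule order is the point: the same broad allow is safe only when the private-range denies are evaluated before it.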

10. Apply Content Filtering to the Guest Network

  • Block illegal content (CSAM filtering is mandatory in the UK for public-facing networks)
  • Use DNS-based filtering: point guest DNS to Cloudflare for Families (1.1.1.3) or OpenDNS
  • Block peer-to-peer and torrent traffic to reduce liability
  • Log DNS queries for a minimum of 12 months for legal compliance

11. Test the Guest Network Thoroughly

  • Connect a personal device to the guest SSID and verify internet access works
  • Attempt to browse to internal resources (file server, NAS, printers by IP) — these should be unreachable
  • Attempt to ping devices on the main business network — should fail if isolation is correct
  • Run a speed test to confirm bandwidth limits are applied
  • Verify content filtering by attempting to access a known blocked site

Step 4: Ongoing Management

12. Display Guest Wi-Fi Credentials Clearly

  • Print the SSID and password on a card for the reception desk
  • Display a QR code that pre-fills Wi-Fi credentials (free generators available online)
  • For hospitality businesses, include Wi-Fi details on welcome cards or menus
  • Update all printed materials and QR codes every time you rotate the password

13. Rotate Guest Passwords Regularly

  • Change guest network passwords at least quarterly — monthly in high-footfall environments
  • Rotate immediately if a suspected security incident occurs
  • Use a password manager to store the current guest password alongside rotation dates
  • Set a calendar reminder for rotation day
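
Steps 12 and 13 meet on rotation day, when a new password and a new QR code are needed together. The following is an added example, not part of the original guide: it generates a password in the 10–12 character word-and-number style from step 5 and builds the `WIFI:` text that a Wi-Fi QR code encodes, with the reserved characters escaped. The word list and SSID are constructed assumptions.

```python
import secrets

# Small constructed word list (4-5 letters each); use a much larger one in practice.
WORDS = ["cove", "moor", "quay", "tide", "gull",
         "slate", "heath", "creek", "stone", "wharf"]

def new_guest_password():
    """Word + two digits + word, giving 10 to 12 characters."""
    digits = f"{secrets.randbelow(100):02d}"
    return secrets.choice(WORDS).capitalize() + digits + secrets.choice(WORDS)

def _escape(value):
    # Backslash must be escaped first, then the other reserved characters.
    for ch in '\\;,":':
        value = value.replace(ch, "\\" + ch)
    return value

def wifi_qr_payload(ssid, password, auth="WPA"):
    """Text to feed to a QR generator; phones read it as Wi-Fi credentials."""
    return f"WIFI:T:{auth};S:{_escape(ssid)};P:{_escape(password)};;"

def parse_wifi_qr(payload):
    """Inverse of wifi_qr_payload, for checking a code before it is printed."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi QR payload")
    fields, buf, key, i = {}, [], None, 5
    while i < len(payload):
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            buf.append(payload[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if ch == ":" and key is None:       # first colon ends the field name
            key, buf = "".join(buf), []
        elif ch == ";":                     # unescaped semicolon ends the field
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    return fields

if __name__ == "__main__":
    pw = new_guest_password()
    print(pw, wifi_qr_payload("CompanyName-Guest", pw))
```

Decoding the payload and comparing it with the router setting catches a mistyped or unescaped password before cards are reprinted.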

14. Monitor Guest Network Usage

  • Check your router's guest client list weekly — look for unexpected persistent connections
  • Review bandwidth usage reports — unusual spikes may indicate abuse or compromise
  • Enable email or push alerts for unusual activity on managed routers
  • Log and retain connection records (IP, MAC address, timestamp) for at least 12 months
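
The weekly check for unexpected persistent connections can be run over the retained connection records. The following is an added example, not part of the original guide: it assumes a hypothetical export format of one `timestamp IP MAC` record per line, and the sample records and MAC addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample export: ISO timestamp, guest IP, client MAC.
SAMPLE_LOG = """\
2024-03-04T09:12:00 192.168.20.31 AA:BB:CC:00:00:01
2024-03-04T10:40:00 192.168.20.44 aa:bb:cc:00:00:02
2024-03-05T02:05:00 192.168.20.31 aa:bb:cc:00:00:01
2024-03-05T11:30:00 192.168.20.52 aa:bb:cc:00:00:03
2024-03-06T02:07:00 192.168.20.31 aa:bb:cc:00:00:01
2024-03-06T14:00:00 192.168.20.52 aa:bb:cc:00:00:03
2024-03-07T02:03:00 192.168.20.31 aa:bb:cc:00:00:01
n/a 192.168.20.60 aa:bb:cc:00:00:04
2024-03-08T02:09:00 192.168.20.31 aa:bb:cc:00:00:01
"""

def persistent_clients(log_text, min_days=5, expected=()):
    """Map each MAC seen on at least `min_days` distinct dates to
    (days seen, first date, last date), skipping MACs listed in `expected`."""
    expected = {mac.lower() for mac in expected}
    days = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # not a connection record
        try:
            seen = datetime.fromisoformat(parts[0])
        except ValueError:
            continue                      # unparseable timestamp, skip the line
        days[parts[2].lower()].add(seen.date())
    return {mac: (len(d), min(d).isoformat(), max(d).isoformat())
            for mac, d in days.items()
            if len(d) >= min_days and mac not in expected}

if __name__ == "__main__":
    for mac, (count, first, last) in persistent_clients(SAMPLE_LOG).items():
        print(f"{mac} seen on {count} days ({first} to {last})")
```

Pass devices that are meant to stay on the guest network through `expected` so the output contains only clients that need a closer look.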

15. Document Your Guest Network Policy

  • Write a one-page Guest Network Acceptable Use Policy covering: permitted uses, prohibited activities, monitoring notice, and data retention
  • Display the AUP on your captive portal or have guests sign it in regulated environments
  • Reference your AUP in your GDPR privacy notice
  • Review the policy annually and after any security incident
