How to Set Up Guest Wi-Fi Safely in a Small Business
How to put guest Wi-Fi on its own VLAN, isolate clients, throttle bandwidth, and avoid the common shortcuts that expose your business network.
Almost every small business offers guest Wi-Fi. Almost none of them have it set up correctly. The classic mistakes — letting guests onto the same network as the POS, sharing the office Wi-Fi password with vendors, running a single SSID with no isolation — turn what’s supposed to be a customer convenience into the easiest entry point into the business.
The fix isn’t complicated, but it does require thinking about guest Wi-Fi as a separate network rather than as “the same network with a different password.” Here’s how to do it properly on the kind of equipment small businesses actually own.
The Goal: Guest Traffic Should Not Be Able to Touch Anything
A correctly designed guest network gives a visitor exactly two things: an IP address and internet access. They cannot:
- See or talk to other devices on the guest network (no peer-to-peer).
- See or talk to any device on the business network (no cross-VLAN routing).
- Hit the router’s admin interface.
- Use up so much bandwidth that the POS lags or the VoIP phones drop.
Anything short of that is “guest Wi-Fi” in name only.
Step 1: Use a Separate SSID, Not a Separate Password
Some people think handing out a different password to guests on the same SSID is a meaningful separation. It isn’t. Same network, same broadcast domain, same access to everything.
Create a separate SSID named something obvious like “BusinessName Guest.” The customer-facing name matters — people trust SSIDs that look intentional and distrust ones that look like someone’s phone hotspot.
Use WPA2-Personal or WPA3-Personal with a real password. Don’t run open networks unless you also implement a captive portal (more on that below). Open networks expose guests to passive sniffing of unencrypted traffic, which is bad for them and bad for your liability.
Rotate the password regularly — a coffee shop might rotate weekly, an office monthly. Print it on a small sign at the front desk or include it on receipts. Don’t tape it to the router.
Step 2: Put the Guest SSID on Its Own VLAN
This is the step that actually does the security work. A VLAN (virtual LAN) is a way to make one physical network behave like two logically separate networks. Guest traffic on VLAN 20 cannot reach business traffic on VLAN 10 unless the router specifically allows it — and you’re not going to allow it.
On business-grade gear (UniFi, Meraki, Aruba, etc.)
These have a guest network feature that handles VLAN tagging, isolation, and DHCP automatically. Create a network labeled “Guest,” assign it a VLAN ID (20 is conventional), and set its purpose to “Guest.” Then create a wireless network and assign it to that guest network. The controller does the rest.
On a consumer router with “guest network” enabled
Most modern routers (Asus, TP-Link, Netgear, Eero) have a guest mode that creates a logically separate network with the right defaults. Verify in the settings that:
- AP isolation / client isolation is on.
- Access to local network is off or disabled.
- The guest SSID has its own subnet (e.g., 192.168.50.x while the business is on 192.168.1.x).
If the guest mode doesn’t offer client isolation, the router isn’t appropriate for business use. Replace it.
Step 3: Enable Client Isolation
Client isolation (sometimes called “AP isolation,” “wireless isolation,” or “P2P blocking”) prevents devices on the same Wi-Fi network from talking to each other. With it on, two guests on the same SSID can each reach the internet but cannot see each other.
Why this matters: a guest device with malware actively scanning the local network for vulnerable hosts is on every guest network all day long. Without isolation, that scan finds the next guest’s laptop, the smart TV in the lobby, the printer someone forgot was open. With it on, the scan finds nothing.
Turn it on. There is no reason to allow peer-to-peer traffic on a guest network in a business setting.
Step 4: Block Access to the Router and Internal Resources
Even with VLANs and client isolation, you need a firewall rule that explicitly denies guest traffic from reaching:
- The router’s admin interface (usually 192.168.1.1 or whatever the gateway is).
- The DNS server if it’s on the business LAN.
- Any internal subnets — printers, NAS devices, phone systems, cameras.
On UniFi: Settings → Routing & Firewall → Firewall → LAN In → create a rule to drop traffic from the guest network destined for the business networks (and vice versa).
On a consumer router with a guest network: this is usually built in, but verify by trying to reach the router admin page from a connected guest device. If the login page loads, the rule isn’t doing its job.
Step 5: Throttle Guest Bandwidth
A guest streaming 4K Netflix while the credit card terminal is trying to authorize is not the trade-off you want. Set a per-SSID or per-client bandwidth limit on the guest network.
Reasonable starting points:
- Per client: 5–10 Mbps down, 2–5 Mbps up. Enough for browsing, email, and standard-def video. Not enough to swamp the line.
- Total guest SSID cap: 50% of your total bandwidth, or less if you have many phones / a busy POS. Guests should never be able to starve business traffic.
This is configured under QoS, traffic shaping, or bandwidth profiles depending on your gear. UniFi calls these “User Groups.” Meraki calls it “Traffic Shaping.” On consumer Asus routers, look under “Adaptive QoS.”
Step 6: Decide on a Captive Portal (Optional but Often Worthwhile)
A captive portal is the splash page that appears when a guest first connects — accept terms, enter an email, click through to the internet. It’s not a security control by itself, but it gives you:
- Liability cover. A “by using this network you agree to…” page documents that the user accepted an acceptable-use policy.
- Branding. Logo, business name, link to your website. The first interaction a guest has with your network reflects on you.
- Optional email capture. Useful for retail; tasteless for an office.
Don’t conflate a captive portal with security. The captive portal still sits in front of the same VLAN-isolated guest network — without isolation underneath, the splash page does nothing useful.
UniFi, Meraki, and Aruba all do this natively. For consumer gear, you typically need a third-party service (or you skip it).
Step 7: Block Risky Outbound Traffic
This step is optional and depends on your risk tolerance, but consider blocking the following outbound traffic from the guest network:
- SMTP (port 25) — prevents a guest device with malware from spamming the world from your IP.
- NetBIOS/SMB (ports 137, 138, 139, 445) — no legitimate guest traffic uses these on the open internet.
- Anything else you don’t want associated with your IP address.
Most business firewalls have an “outbound block list” you can apply per-VLAN. The reputational hit from your business IP being on a spam blocklist is real and time-consuming to undo.
Step 8: Don’t Forget the Wired Side
If you have wall jacks in the lobby or a conference room with patch ports, those go to the same switch as the rest of your network. Without VLAN tagging, anyone with a laptop and a patch cable is inside the business network — past every wireless protection you set up.
Either:
- Disable lobby/conference jacks by default, or
- Tag them to the guest VLAN at the switch port, so plugging in lands the user on guest just like Wi-Fi.
Managed switches make this trivial. Unmanaged switches do not — which is one of several reasons a small business should use a managed switch the moment it has more than a handful of jacks.
What This Should Look Like When You’re Done
- Two SSIDs broadcasting: business and guest.
- Two separate IP subnets, on separate VLANs.
- Guests get internet, nothing else.
- A guest scanning the network sees only their own device.
- A guest streaming a movie cannot interfere with a transaction.
- A captive portal (if used) shows the business name and an acceptable-use notice.
- Wired ports in public-facing areas are either disabled or tagged to guest.
Quick Audit: Test It Yourself
Connect a phone to your guest Wi-Fi and try the following:
- Browse the internet. Should work.
- Open the router’s admin page (e.g., 192.168.1.1). Should fail or time out.
- Try to ping a known internal device (a printer’s IP). Should fail.
- Run a network scanner app (Fing, NetAnalyzer). Should show only the gateway and your own device — no other guests, no business devices.
- Run a speed test. Should hit your bandwidth cap, not your full line speed.
If any of these don’t behave as expected, fix them before declaring the guest network done.
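The first three audit checks above (internet works, router admin page fails, internal device fails), as an added Python script that is not part of the original article: run it from a laptop joined to the guest SSID, and it flags any private-range destination that completes a TCP handshake. The addresses and ports are constructed placeholders; replace them with your guest gateway, a business-LAN device and a known-good internet host.

```python
"""Guest Wi-Fi audit: run from a device connected to the guest SSID."""
import socket
from ipaddress import ip_address

# Constructed placeholder values for this example; substitute your own.
GUEST_GATEWAY = "192.168.50.1"      # gateway handed out by guest DHCP
BUSINESS_GATEWAY = "192.168.1.1"    # router admin interface on the business LAN
ADMIN_TARGETS = [(BUSINESS_GATEWAY, 443), (BUSINESS_GATEWAY, 80),
                 (GUEST_GATEWAY, 443), (GUEST_GATEWAY, 80)]
INTERNAL_TARGETS = [("192.168.1.20", 9100)]   # e.g. a business-LAN printer
INTERNET_TARGETS = [("1.1.1.1", 443)]         # any reliable public host


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake completes. A firewall drop shows up as a
    timeout, a reject as connection refused; both count as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expected_reachability(host):
    """The article's rule: guests get internet and nothing else, so any
    private, link-local or loopback destination must be unreachable."""
    addr = ip_address(host)
    return not (addr.is_private or addr.is_link_local or addr.is_loopback)


def audit(observations):
    """observations maps (host, port) -> reachable (bool).
    Returns a list of findings; an empty list means the guest network passes."""
    findings = []
    for (host, port), reachable in observations.items():
        want = expected_reachability(host)
        if reachable and not want:
            findings.append(f"FAIL {host}:{port} reachable from guest; "
                            "isolation or firewall rule is missing")
        elif want and not reachable:
            findings.append(f"FAIL {host}:{port} unreachable; guests have no internet")
    return findings


def main():
    targets = ADMIN_TARGETS + INTERNAL_TARGETS + INTERNET_TARGETS
    observed = {t: tcp_reachable(*t) for t in targets}
    for line in audit(observed) or ["PASS: guest network reaches the internet only"]:
        print(line)


if __name__ == "__main__":
    main()
```

The speed-test and "no other guests visible" checks are not covered here; a scanner app as described above still handles those.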
Guest Wi-Fi is one of the lowest-effort, highest-value security improvements a small business can make. The default behavior of consumer routers is to make this easy to do badly. Spend the hour to do it right and you’ll have closed off one of the most common ways small businesses get burned.