Need a guest network solution for Cafe

Thedog
Hello,

Please see the image as that explains it all. They already have a Unifi AC Pro but I need to put in a firewall / router with captive portal abilities etc. I'm thinking that maybe some router with DD-WRT or Tomato would work? I have no experience with captive portals.

But also, if possible, I would like the AC Pro to have two different SSIDs and then, based on which SSID a client connects to, send them to either the normal LAN or the guest LAN. I don't know what that function is called but I think the Unifi can do that; you set a VLAN for each SSID, I think?

[attached screenshot: Skärmavbild 2017-01-30 kl. 08.36.35.png]
 
Heading out the door now. Short answer is I'm pretty sure that the existing UniFi can do everything you want. There was a recent thread on here about the captive portal.
 
Several layers of doing this with Unifi...

*In simple terms, making an additional SSID for the guest network, and enabling the guest policies....will isolate each client so they can only go out the gateway address, and not "touch" other computers on the network. DHCP and DNS is passed through if you run those on the primary LAN.

*Next level..and what we usually do, when you make that guest SSID, tie it to a VLAN. In the managed switch, control that VLAN..and put it to another network with a different IP range, separate DHCP service, etc. We often do this in Untangle....just fire up another internal interface and pull that VLAN into it. Or...in some cases, where you have like a U-Verse gateway or a Comcast gateway...and you've passed the static IP through to the internal firewall's external NIC, but they still run DHCP and have their private IP range...just uplink the guest VLAN to that. So either of those 2 approaches physically and logically separate the guest VLAN from the production network.
 

I think the simple version is fine in this scenario, but can this be done with a captive portal, and also what kind of control can you do? Ideally I would like this:

- The SSID can be open, but when you connect you get to a captive portal where you have to type in a key; once that is typed in you get access for 24 hours, and after 24 hours you have to type in the key again. It should also be possible to change the key, either so the cafe owner can do it themselves or so I can remote in and do it once in a while.
- Network isolation of course, but that's on by default I suppose
- You should be able to limit the bandwidth speed per client (not limit the total available to the guest network rather limit the speed of each client)
- Be able to block some applications by port(s)

Do you think that's doable without using any additional hardware (i.e. just a basic router and the Unifi)?
 
https://help.ubnt.com/hc/en-us/articles/205143830-UniFi-Hotspot-Portal-Customization

I suppose you mean that one? What I'm not getting is where all the portal information is stored: would it be in the actual Unifi unit or would it require a controller (computer) on-site?

I've not tested it but supposedly you can embed some simple code on the UniFi. But anything else you put on the controller. I'm not at my main machine but there is an app that you can load on top of the unifi controller that lets you do customization. I'll post it later.
 
Open or passworded network...you can control that easily in the Unifi controller

Captive portal...Unifi controller or your own edge firewall (like Untangle can do it too). Although if you want tokens and metered/timed access, perhaps you're looking more for a HotSpot app. I know there are various ones that support Unifi, and Ubiquiti recently came out with some new HotSpot2 feature...but I have no clients that use a HotSpot so I don't have experience with it.

Network Isolation..not enabled by default but it's easy to add.

Rate limiting...yes you can set that "per client". Also a good UTM can control this also, and is usually the better approach.

Blocking applications would be a UTM feature also, not really the job of wireless management since app/port/firewall blocking would be done at the gateway.
 
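The "next level" approach in the thread (guest SSID tagged to its own VLAN, pulled into a separate interface on the gateway with its own IP range and DHCP, and port blocking done at the gateway rather than on the AP) can be expressed as a concrete gateway policy. The script below is an added example, not code from this thread, from Ubiquiti or from Untangle: it targets a plain Linux gateway with nftables and dnsmasq, and the VLAN id (20), interface names (eth0 WAN, eth1 LAN trunk), subnets and the blocked-port list are all assumptions chosen for illustration. It prints the ruleset and DHCP config as text so they can be reviewed before loading; it does not change anything on the host by itself.

```shell
#!/bin/sh
# Added example: guest VLAN isolation on a Linux gateway (nftables + dnsmasq).
# Assumed topology (an illustration, not the thread's site): the guest SSID is
# tagged VLAN 20 by the AP, trunked through the switch to the gateway's eth1;
# the production LAN is untagged on eth1; eth0 is the WAN. Existing NAT for
# both subnets is assumed. All names and numbers below are assumptions.

GUEST_VLAN=20
GUEST_IF="eth1.${GUEST_VLAN}"
GUEST_NET="192.168.20.0/24"
GUEST_GW="192.168.20.1"
LAN_NET="192.168.1.0/24"
WAN_IF="eth0"
# Ports guests may not use outbound (SMTP relay, NetBIOS/SMB): assumed list.
BLOCKED_TCP="25,137,138,139,445"

# Commands that create the tagged sub-interface. Printed, not executed, so the
# script stays safe to run anywhere; pipe to sh as root on the gateway.
guest_vlan_link() {
    cat <<EOF
ip link add link eth1 name $GUEST_IF type vlan id $GUEST_VLAN
ip addr add $GUEST_GW/24 dev $GUEST_IF
ip link set $GUEST_IF up
EOF
}

# nftables ruleset for the guest side. Forward policy is drop, so anything not
# explicitly allowed (guest -> LAN in particular) never leaves the gateway.
guest_ruleset() {
    cat <<EOF
table inet guest {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Guest -> production LAN or any RFC1918 space is never forwarded.
        iifname "$GUEST_IF" ip daddr { $LAN_NET, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        # Application/port blocking lives here at the gateway, not on the AP.
        iifname "$GUEST_IF" oifname "$WAN_IF" ip saddr $GUEST_NET tcp dport { $BLOCKED_TCP } drop
        # Everything else from guests goes out the WAN only.
        iifname "$GUEST_IF" oifname "$WAN_IF" ip saddr $GUEST_NET accept
        # Production LAN keeps its usual forwarding (placeholder: allow to WAN).
        iifname "eth1" oifname "$WAN_IF" ip saddr $LAN_NET accept
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # The gateway itself offers guests only DHCP and DNS, nothing else.
        iifname "$GUEST_IF" udp dport { 67, 53 } accept
        iifname "$GUEST_IF" tcp dport 53 accept
        iifname "$GUEST_IF" drop
    }
}
EOF
}

# Separate DHCP/DNS scope for the guest VLAN (dnsmasq syntax).
guest_dhcp_conf() {
    cat <<EOF
interface=$GUEST_IF
bind-interfaces
dhcp-range=$GUEST_IF,192.168.20.50,192.168.20.250,24h
dhcp-option=$GUEST_IF,3,$GUEST_GW
dhcp-option=$GUEST_IF,6,$GUEST_GW
EOF
}

# Dry-run syntax check with nft when it is installed; loads nothing.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        guest_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Usage: ./guest-vlan.sh > guest.nft && nft -f guest.nft   (as root on the gateway)
[ "${0##*/}" = "guest-vlan.sh" ] && guest_ruleset
```

The ordering inside the forward chain matters: the RFC1918 drop comes before the WAN accept so a guest can never reach production addresses even if the gateway has a route to them, and the port-drop rule comes before the general accept. Per-client bandwidth limits are not a firewall job; on UniFi they are set via a user group on the guest SSID, and on a Linux gateway they would be a tc/HTB class per client, which this example leaves out.
 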
https://spotipo.com/

But, as mentioned, need to have a local controller. You can use a Raspberry Pi as one.
 
You don't need a controller onsite, it can be in the cloud.
But yes it does require one to have the guest portal page and voucher code etc all working.
The UniFi controller will do everything you want except block certain apps, haven't seen that option.
You'd probably need a USG onsite to do that.
 
I prefer open-mesh.com access points and they have a full cloud based solution as that is how their product was built. They have a captive portal option also. You can get support from them and can actually pickup the phone and call them......try doing that with Ubiquiti products.
 
Yeah, but they already have a Unifi AC Pro; they aren't going to chuck it out and buy Open-Mesh gear, are they?

We just call our supplier here in New Zealand when we have Ubiquiti issues, which I think has only ever been once. :)
 