[Help] Unifi WiFi Client Segregation Issue

Context:
I have 3 SSIDs
Private - VLAN101 (Can talk to VLAN100)
Guest - VLAN102 (Can't talk to anything except internet)
IoT - VLAN103 (Can't talk to anything except internet)

And another VLAN for servers (VL100), not an SSID.

 

Issue:
So, I've noticed that people in my household (and next door) are supplying visitors with our 'private' password, however, they don't know the password. I type it into their devices. 


They're getting the password because now on Android phones you can 'share' the SSIDs, which will print the wireless password in plain text.

 

Question:
How can I keep devices separated into the correct network so people cannot share the password for private SSIDs?

 

Ideas:

Idea 1: Create a captive portal, one for Guest and one for Private; each has its own login. This way I can make the SSID open, but they won't be able to share the private password as it's one-time. The issue with this idea is that Unifi only allows you to create a captive portal with 1 accepted password (named 'Simple Password' in Captive Portal). I think this is dumb... but yeah.

 

Idea 2: I've tried to create the captive portals through pfSense; however, I've had a huge issue getting the phones to accept the self-signed cert. My Pixel 2 just does not like it and will refuse it.

 

Idea 3: MAC-Bind the 'allowed' clients to Private, sure, but this requires constant upkeep and management, and I'm not exactly sure how to enforce this in Unifi.

 

Idea 4: Use vouchers with no expiry for Private. 2 issues with this: this isn't very user-friendly for guest access, where I just want a simple password, and isn't very practical for private since there's no true-unlimited, just set the expiry to like 999d. I didn't particularly like this idea.

 

Closing:
So, does anyone have a better solution than my above attempts because I'm lost for ideas now?

 

Thanks and I'd appreciate anyone that's able to help. I can't be the only one that's facing this or a similar issue.

https://linustechtips.com/topic/1125907-help-unifi-wifi-client-segregation-issue/
Copying my answer from the Lawrence Technology Services forum so it is here for people who may come across your post in the future:

 

Quote

You could create two ranges of IPs in VLAN101, one that can talk to VLAN100 and one that can’t. Set up the DHCP so it normally gives out IPs in the second range, and use DHCP reservations to put your trusted clients in the first range.

I haven't come up with any other ideas; if I were in your situation I would handle it the way I described above.

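The two-range scheme from the quoted answer, sketched as an added example (not code from the thread or from either poster): it checks that the trusted range, dynamic pool and reservations are consistent, and flags any client that sits in the trusted range without a matching reservation. The subnets, MAC addresses and client list are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the thread).
VLAN101 = ipaddress.ip_network("192.168.101.0/24")
TRUSTED = ipaddress.ip_network("192.168.101.0/26")     # reservations only; allowed to VLAN100
POOL_START = ipaddress.ip_address("192.168.101.100")   # dynamic pool; blocked from VLAN100
POOL_END = ipaddress.ip_address("192.168.101.199")

# Constructed DHCP reservations for trusted clients: MAC -> fixed address.
RESERVATIONS = {
    "aa:bb:cc:00:00:01": "192.168.101.10",
    "aa:bb:cc:00:00:02": "192.168.101.11",
}

# Constructed client list (MAC, IP), e.g. as read from a controller's client table.
CLIENTS = [
    ("aa:bb:cc:00:00:01", "192.168.101.10"),   # reserved, trusted
    ("de:ad:be:ef:00:07", "192.168.101.120"),  # dynamic pool
    ("de:ad:be:ef:00:09", "192.168.101.20"),   # trusted range, no reservation
]

def validate_plan(reservations):
    """Return a list of inconsistencies in the plan; an empty list means it is coherent."""
    problems = []
    if not TRUSTED.subnet_of(VLAN101):
        problems.append("trusted range is outside VLAN101")
    if POOL_START not in VLAN101 or POOL_END not in VLAN101 or POOL_START > POOL_END:
        problems.append("dynamic pool is not a valid range inside VLAN101")
    if POOL_START <= TRUSTED.broadcast_address and POOL_END >= TRUSTED.network_address:
        problems.append("dynamic pool overlaps the trusted range")
    for mac, ip in reservations.items():
        if ipaddress.ip_address(ip) not in TRUSTED:
            problems.append(f"reservation {mac} -> {ip} is outside the trusted range")
    return problems

def may_reach_servers(src_ip):
    """Firewall decision for VLAN101 -> VLAN100: only the trusted range is allowed."""
    return ipaddress.ip_address(src_ip) in TRUSTED

def audit_clients(clients, reservations):
    """Return clients holding a trusted-range address that no reservation assigns to them."""
    return [(mac, ip) for mac, ip in clients
            if may_reach_servers(ip) and reservations.get(mac.lower()) != ip]

if __name__ == "__main__":
    print(validate_plan(RESERVATIONS))
    print(audit_clients(CLIENTS, RESERVATIONS))
```

The firewall rule keys on source address only, so the audit step is what catches a device that ends up in the trusted range without having been given a reservation.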
