Howto setup the Unifi Captive Portal for your Guests

If you want to provide your guests with free and easy internet access, setting up a Unifi Captive Portal might be a good idea. While you can simply create an extra wireless network (SSID) with a simple password, you also need to keep the security of your network in mind. You don’t want to give your guests access to your systems. By using the Unifi Guest Portal you can isolate the clients on your network and give them access for only a few hours.

Setting up the captive portal in the Unifi Controller is pretty simple. By using the guest isolation option we can prevent the guests from accessing our network without creating VLANs. Another advantage is that you can use the captive portal to promote some of your products or services.

In this article, I am going to walk you through setting up and customizing the Unifi Captive Portal in the Unifi Controller. To use the portal, you will need to make sure the controller is running 24/7. So if you have a controller running on your computer that you turn off or take with you, then you really need to buy the Unifi Cloud Key.


Create a Guest User group

You might want to limit the amount of bandwidth the guests can use on your network. So before we start creating a Guest Network we first need to create a new user group. This allows us to set upload and download limits for the guests later on.

Unifi Create User Groups for Guest Network

  1. Open Settings > User Groups
  2. Click Create New User Group
  3. Give the group a name: Guests
  4. Limit the upload and download bandwidth. For simple internet browsing, 5mbit download and 1mbit upload are enough. If you want to allow streaming, they need at least 10mbit download.
  5. Click on Save

Creating a Unifi Guest Network

We need to create a new wireless network for our guests. We will make this a Guest Network which will add a few important restrictions:

  • Pre and Post-Authorization Access. This will make sure the guest can access the captive portal for authentication. After they have authenticated they won’t have access to the local network.
  • Client Isolation. This will prevent the clients from sending broadcast or unicast messages to other clients in the same network.

Unifi Create Wireless Guest Network

To create the guest network, open the Unifi Controller:

  1. Go to Settings > Wireless Networks
  2. Click on Create New Wireless Network
  3. Give the wireless network a name. Something your guest will recognize as a guest network.
  4. Set the security to Open. (We will secure the network with the captive portal. Keep in mind that an open network does not encrypt the wireless traffic.)
  5. Select Apply guest policies (captive portal, guest authentication, access)
  6. Expand the Advanced Options
  7. Select the User Group we just created.

We now have a guest network, but we still need to set up the captive portal.

Configuring the Unifi Guest Portal

So we have the wireless network for our guests and limited the bandwidth they can use. Now all that is left is to create the captive portal. Within the Unifi Controller under the Guest Control section, we can create our Guest Portal and set the authentication and duration of access. So if you have a barbershop you might want to give your customers only 2 hours of access. But if you are running a B&B you can give them a couple of days of access to the wifi network.

Setting up the Guest Policies

First, we are going to set up the guest policies. Open the Guest Control page in the Unifi Controller under settings.

Unifi Guest Portal Policies

  1. Enable the Guest Portal
  2. Set a simple password, something your customers can easily fill in. [email protected] for example 😉
  3. Set the expiration, you can choose anything you like here.
  4. Landing Page: you can either redirect the customer back to the page he attempted to visit or send them to a promotion URL. This can be your business website with the latest deal on it for example.
  5. Enable the HTTPS Redirection.

Customize the Unifi Captive Portal

The next step is to customize the captive portal. This allows you to do some corporate branding and inform your guests about the wifi network. There are a few things you will need to keep in mind when you customize the portal.

  • You can add a background picture, which is nice. But make sure you can still read the text. If you have a coffee shop for example, using a picture of coffee beans and your logo might work better than adding a photo of your shop.
  • Inform the users what they get, free access for x hours or days.
  • Add different languages if you have foreign guests.
  • Add the terms of service with what is allowed and what not.

Customizing the Unifi Guest Portal

Unifi recommends a background image 920px wide and 640px high. On some screens, this will result in borders beside your image. So use an image of at least 1280px by 720px. Also make sure your images are not too big: a photo straight from your camera will take a few seconds to download. Compress the image before uploading it.

Access Control

The last step is to limit the access of the guest to your local network. Below the portal customization, you will find the access control. With the access control we can give users access to part of our network before they are authorized and block access to our internal network after authorization.

Unifi Guest Portal Authorization

Pre-Authorization Access

The Pre-Authorization Access can be left blank by default. By default you want guests to have access only to the Guest Portal, and this is built in. So we don’t need to enter the IP address for the controller here.

But if you are using a custom Guest Portal (one other than the Unifi portal), then you will have to enter its IP address here.

Post-Authorization Restrictions

For the Post-Authorization Restrictions, we enter the subnet of our local network. By default, all possible local network addresses are blocked, so you could leave this as is. But if you have a printer for your guests that you want to give them access to, but not the rest of your network, then you can block it here. (Make it easy on yourself and use different subnets for your guests and your own network.)
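
The printer case above, worked through as an added example (not from the original article or from Ubiquiti): it computes the CIDR entries that cover a LAN except one guest-reachable host, and flags pre-authorization entries that open LAN hosts other than a custom portal. It assumes the restriction list is a plain block list of IPv4 CIDR entries; the subnet, printer address and function names are constructed for illustration.

```python
import ipaddress

def restrictions_except(lan_cidr, allowed_hosts):
    """CIDR blocks that cover lan_cidr except the hosts guests may reach."""
    blocks = [ipaddress.ip_network(lan_cidr)]
    for host in allowed_hosts:
        hole = ipaddress.ip_network(host)  # a bare address parses as a /32
        remaining = []
        for block in blocks:
            if hole.subnet_of(block):
                # Split the block around the allowed host.
                remaining.extend(block.address_exclude(hole))
            else:
                remaining.append(block)
        blocks = remaining
    return sorted(blocks)

def is_restricted(dest, restrictions):
    """True if dest falls inside any entry of the restriction list."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in restrictions)

def preauth_exposure(pre_auth, lan_cidr, portal_host=None):
    """Pre-authorization entries that open LAN hosts other than the portal."""
    lan = ipaddress.ip_network(lan_cidr)
    portal = ipaddress.ip_network(portal_host) if portal_host else None
    exposed = []
    for entry in pre_auth:
        net = ipaddress.ip_network(entry, strict=False)
        if net.overlaps(lan) and net != portal:
            exposed.append(entry)
    return exposed

# Constructed sample values, not taken from a real network.
LAN = "192.168.1.0/24"
PRINTER = "192.168.1.50"
RESTRICTIONS = restrictions_except(LAN, [PRINTER])

if __name__ == "__main__":
    for net in RESTRICTIONS:
        print(net)  # entries to paste into Post-Authorization Restrictions
    print(preauth_exposure(["192.168.1.1/32"], LAN))
```

Whether the controller treats DHCP and DNS traffic separately from these lists is not modelled here, so verify the result from a device on the guest network after applying it.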

Managing the connected clients

Your Unifi Guest Portal is now ready for use. The guests can log in and access the internet, but how can you manage them? Within the controller, we can see on the Dashboard how many guests are connected to our network. If you click on the guests you will go to the Clients page, filtered on Guests.

Manage Guest Clients Unifi

Here we can see all devices that are connected, how much data they used, which access point they are connected to and the uptime. More importantly, this is also the place to block a client or to revoke the authorization.

Conclusion

I hope this article helped you set up your Unifi Guest Portal. If you have any questions just leave a comment below.


25 thoughts on “Howto setup the Unifi Captive Portal for your Guests”

  1. Just a little comment on enabling the Hotspot/Voucher system – if you’re running a locally installed UniFi controller and network equipment other than a USG or from other vendors, i.e. EdgeRouter or EdgeRouter-X, to manage your traffic/firewall rules, and you have a firewall rule isolating your guest WiFi network, you definitely need to create a new rule (it should be at the top of the other firewall rules for your guest WiFi network to function properly) allowing access to your UniFi controller. For example, if your local UniFi Controller is running on 192.168.99.1 and you’re isolating guest WiFi on 192.168.100.0/24, you need to define a firewall rule for 192.168.100.0/24 allowing access to 192.168.99.1 (your UniFi controller IP address or hostname).

  2. Hi Rudy,

    Am I right in my case?
    My controller (Cloudkey) has IP 192.168.178.45 and my firewall (Zyxel USG20VPN) has 192.168.178.1
    I just want to give access to internet and not to the LAN.
    Pre= 192.168.178.1/32?
    Post= 192.168.178.0/24?

    Thank you already

    • Hi Wim,

      Pre should be 192.168.178.45/32. Pre (before authorization) access is allowed to only the controller (cloudkey). After the client is authorized, the post, you allow access to the whole subnet /24

    • Hi Rudy,

      Are you sure?
      I have now set it up like I wrote earlier.
      In PRE I put the IP address of my firewall
      and POST the whole subnet /24 because the comment says: “Enable post-authorization restrictions to prevent guests from accessing specific hostnames or subnets”. Seems to work… when I log in to the guest wifi I can access the internet and can ping my firewall, but cannot ping my network printer and other network participants

      • Yeah pretty sure. Pre-authorization will allow the guest to access the specified subnet before the guest is authorized. So this way you are giving them access to your firewall, which isn’t necessary. DHCP and DNS are forwarded anyway and the user should only be given access to the guest portal.

        Even pre-authorization access to Unifi Controller isn’t necessary. The guest portal will show anyway. Just did some new tests. No pre-authorization, when connected, can’t ping the router, but can ping a DNS server (Google) and can’t access the internet.
        After authorization with the default Post-Authorization Restrictions, I can’t connect to the internal network but can connect to the internet.

          • Hi Rudy,

            Tested it and it indeed works fine without filling in an IP address in the pre-authorization section. Only put the whole subnet in the post section. After authorization I could only ping IP addresses on the internet and no local IPs. TOP!
            Thx a lot!!

  3. This drives me nuts…
    I have spent hours and hours searching and trying to understand how everything works, and how to get access to a Guest portal via the VLAN that I configured on the Edgerouter X.
    There are many webpages explaining specific steps, but none describing the entire setup, step by step, and the logic of the different configurations from ER-X –> HP 1810 –> Ubiquiti AP-Pro. The HP switch in the middle has a rather complicated GUI.
    I simply failed to get it to work after more than a week of trying. Frustration all over, as I can only use my basic house wifi, and not a guest, special area, or IoT VLAN to connect to while being separated from the house wifi. So, only conclusion: NO MORE GUESTS IN THE HOUSE…. 🙁

  4. I am new to Unifi/Ubiquiti, so thank you for putting this ‘How To’ together. It was clear and easy to follow. Well done!

  5. I’m not sure what happened to my comment? My question is: will the post authorization 192.168.1.0/24 block the DNS server if it were at 192.168.1.1? Also, does pre authorization need the DNS IP as well as the controller IP?

    • I manually approve every comment, sometimes it may take a couple of days because I don’t always have the time to respond immediately. But your answer is just below here 😉

  6. Using a USG as the DHCP server in this exact setup described. Does 192.168.1.0/24 in post authorization block the DNS server set by USG as 192.168.1.1?

  7. Great article, I did everything you said but when I check the post restrictions after I login to guest network I can still access all the other devices on my network. What am I missing?

      • Hi Rudy. I’m very new to this. We have a small resort with a restaurant. I have 3 wifi networks. One private one. Then one for our in-house guests and one for walk-ins. The speeds for our guests are different. The in-house guests have a much faster one than the walk-ins. And they both should be a guest network. Can you help?

  8. Thank you very much for the tutorial!

    Can you tell me the correct settings for Access Control, so the guests can only access the internet?

    Our intranet has a range of ip-addresses with 10.0.0.x (Subnet 255.255.255.0). The Gateway (Fritzbox) is 10.0.0.230.

    Thank you very much in advance!

  9. A nice quick manual, but what about the security of the wifi traffic? With open selected I assume there is no encryption of the wifi network traffic.

    I think it should be better to have your wifi protected with at least WPA2. Is there an option to do so with a portal?

    • You can’t combine the guest portal with a WPA2 protected wifi network. Yes, WPA2 is more secure, but keep in mind that with the guest portal you have the option to isolate the network. That means that one client in the guest network can’t reach or see the other guests.

      If you protect your network with a WPA2 key, then anyone that has the password of your wifi network can still intercept the traffic. With the captive portal, you can at least control how long somebody is connected and isolate each guest’s traffic on your network.
