Originally Posted By: Dignan
Thanks guys. As far as I know, the Ubiquiti Edgerouter is capable of a /16 subnet, so that might be the easiest solution. I believe the router and APs are also capable of VLANs, but I know the switches are not.


The Edgerouter is pretty capable. VLAN-enabled switches aren't expensive nowadays; I've got some cheap TP-Link ones that work well.

Originally Posted By: Dignan

I guess I need to look into how the guest network is created on those Unifi APs. I was under the impression that it did all the client isolation for me already, giving out web access only, and I wouldn't have to tell it to block a certain subnet.


I can't remember exactly what the guest stuff does; I know you can block subnets with it. But that is unlikely to help you unless you can separate your wifi users onto separate subnets in the first place.

Originally Posted By: Dignan

So when it's a /16 subnet, a device at 192.168.1.64 could talk to another device at 192.168.3.37 with no problems? That seems like the way to go to solve the DHCP issue, but it seems I have a little more work to do on security.


Yes.

Originally Posted By: Dignan

For sure, a VLAN would be the way to go, if necessary. Wouldn't physically separate networks also require their own APs, effectively doubling the number of APs they have now? I need staff and guest wifi in all areas. That's why a VLAN seems the better way to go, but I'm not sure if I can create a VLAN for the guest network only, or if it applies to the whole AP...


You can assign different VLANs to different wifi networks on the Unifi APs. You then use the Edgerouter to assign different DHCP ranges based on the VLAN. Then all your guest traffic is completely logically separated, and you can use firewall rules on the Edgerouter that apply differently to the two categories of traffic. But only when you've upgraded your switches (it only needs to be the switches between the APs and the Edgerouter).
_________________________
Remind me to change my signature to something more interesting someday
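The setup described in the post above, written out as an EdgeOS CLI session. This is an added example, not configuration posted by anyone in the thread, and it makes assumptions the thread does not state: eth0 is the WAN interface, eth1 is the LAN interface that the switches and APs hang off, the staff network stays untagged on 192.168.0.0/16 (the /16 discussed earlier), and the guest SSID is tagged VLAN 20 with its own 172.16.20.0/24 subnet. The VLAN ID, subnet and chain names are placeholders; pick whatever fits the site.

```text
configure

# Guest VLAN 20 as a sub-interface on the LAN port. The switch ports between
# eth1 and the APs must carry VLAN 20 tagged (staff stays on the untagged/native VLAN).
set interfaces ethernet eth1 vif 20 description "Guest wifi VLAN 20"
set interfaces ethernet eth1 vif 20 address 172.16.20.1/24

# Separate DHCP scope for guests, handed out only on the VLAN 20 sub-interface.
set service dhcp-server shared-network-name GUEST subnet 172.16.20.0/24 start 172.16.20.10 stop 172.16.20.250
set service dhcp-server shared-network-name GUEST subnet 172.16.20.0/24 default-router 172.16.20.1
set service dhcp-server shared-network-name GUEST subnet 172.16.20.0/24 dns-server 172.16.20.1
set service dhcp-server shared-network-name GUEST subnet 172.16.20.0/24 lease 3600

# Let the router's DNS forwarder answer guests (it binds per interface).
set service dns forwarding listen-on eth1.20

# Guests need NAT out to the Internet like everyone else. If the existing
# masquerade rule is scoped to 192.168.0.0/16, add one for the guest subnet.
set service nat rule 5020 description "Guest NAT"
set service nat rule 5020 outbound-interface eth0
set service nat rule 5020 source address 172.16.20.0/24
set service nat rule 5020 type masquerade

# All private ranges in one group so the staff /16 (and anything else internal)
# is unreachable from the guest VLAN regardless of how it grows later.
set firewall group network-group PRIVATE_NETS description "RFC1918 ranges"
set firewall group network-group PRIVATE_NETS network 10.0.0.0/8
set firewall group network-group PRIVATE_NETS network 172.16.0.0/12
set firewall group network-group PRIVATE_NETS network 192.168.0.0/16

# GUEST_IN governs traffic forwarded from guests through the router:
# allow return traffic, drop anything aimed at internal ranges, allow the rest (Internet).
set firewall name GUEST_IN default-action drop
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 description "Allow established/related"
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 description "Block guests from internal networks"
set firewall name GUEST_IN rule 20 destination group network-group PRIVATE_NETS
set firewall name GUEST_IN rule 30 action accept
set firewall name GUEST_IN rule 30 description "Allow guests to the Internet"

# GUEST_LOCAL governs traffic from guests to the router itself:
# only DNS and DHCP, so guests cannot reach the web UI or SSH on the router.
set firewall name GUEST_LOCAL default-action drop
set firewall name GUEST_LOCAL rule 10 action accept
set firewall name GUEST_LOCAL rule 10 state established enable
set firewall name GUEST_LOCAL rule 10 state related enable
set firewall name GUEST_LOCAL rule 20 action accept
set firewall name GUEST_LOCAL rule 20 description "DNS"
set firewall name GUEST_LOCAL rule 20 protocol tcp_udp
set firewall name GUEST_LOCAL rule 20 destination port 53
set firewall name GUEST_LOCAL rule 30 action accept
set firewall name GUEST_LOCAL rule 30 description "DHCP"
set firewall name GUEST_LOCAL rule 30 protocol udp
set firewall name GUEST_LOCAL rule 30 destination port 67

set interfaces ethernet eth1 vif 20 firewall in name GUEST_IN
set interfaces ethernet eth1 vif 20 firewall local name GUEST_LOCAL

commit
save
exit
```

On the Unifi side the only change is setting the guest SSID's VLAN to 20 in the controller; the staff SSID stays untagged. Two checks worth doing once it's live: from a guest client, confirm you get a 172.16.20.x lease and that `ping 192.168.1.1` (or any staff address) times out, and from the router run `show firewall name GUEST_IN statistics` to see the drop counter on rule 20 climbing while you try. The "in" chain only sees traffic that is routed; guest-to-guest traffic on the same VLAN never reaches the router, so client isolation between guests is still the AP's job.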