Enterprise Guest WiFi Segmentation: VLAN Design, Captive Portal, and Corporate Network Isolation

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Guest WiFi is a standard expectation at most offices, and the security gap between 'we have a separate SSID for guests' and 'guests are genuinely isolated from corporate systems' is large in most environments. A separate SSID that maps to the same VLAN as corporate devices offers no meaningful isolation. A separate SSID that maps to a guest VLAN but has no firewall rules blocking guest-to-corporate routing provides only the illusion of isolation. True guest WiFi isolation requires all four elements: a dedicated VLAN, firewall rules that deny all guest-to-internal traffic, client isolation that prevents guest device peer attacks, and a captive portal that creates session records.
The architecture is well-supported by every enterprise wireless controller vendor and requires configuration rather than additional infrastructure in most environments.
VLAN design and SSID mapping
The VLAN is the foundation of guest network isolation — everything else, including firewall rules and captive portal controls, depends on guest traffic being correctly tagged into the isolated VLAN from the access point. The SSID-to-VLAN mapping must be configured consistently across every access point in the environment; a single AP that broadcasts the guest SSID without the VLAN tag breaks isolation for any client that associates to that AP. Most enterprise wireless controllers (UniFi, Cisco Meraki, Cisco WLC, Aruba) apply the VLAN mapping at the SSID level globally, so a site-wide configuration change propagates automatically. The guest VLAN also needs its own DHCP scope and a separate DNS resolver configured in the DHCP lease, which should point to a public resolver rather than your internal DNS server.
Map the guest SSID to a dedicated VLAN on every access point
The SSID-to-VLAN mapping must be consistent across all access points for isolation to work. In UniFi: every access point inherits the SSID VLAN mapping from the site-level network configuration — create a 'Guest' WiFi network with VLAN 100, and every AP that broadcasts this SSID automatically tags guest traffic into VLAN 100. In Cisco Meraki: Networks > Configure > Access Control > VLAN tagging. In Cisco WLC: WLAN > VLAN mapping. Test the mapping: connect a device to the guest SSID and check the assigned IP — if it is in the guest VLAN subnet (192.168.100.x), the mapping is correct. If it is in the corporate subnet, the VLAN mapping is missing or incorrect.
Configure a separate DHCP server for the guest VLAN
The guest VLAN needs its own DHCP server that serves only the guest subnet. Options: run DHCP from the firewall interface on the guest VLAN, from the wireless controller (most controllers can serve DHCP for guest networks), or from a dedicated DHCP scope on your existing DHCP server scoped to the guest VLAN. Critical: the DNS server configured in the DHCP lease for the guest VLAN should be a public resolver (8.8.8.8, 1.1.1.1) — not your internal DNS server. Your internal DNS resolver has entries for internal systems that you do not want guest devices to discover. A guest device that can query your internal DNS server for dc01.internal.company.com has more information than it should.
Validating isolation: test before trusting your configuration
Guest network isolation should be tested from a connected device before the network is opened to visitors, and verified again any time the wireless controller firmware is updated or the VLAN configuration changes. The test procedure is six specific checks: confirmed guest subnet IP assignment, working internet access, failed ping to internal hosts, failed traceroute reaching any internal hop, failed connection to internal web servers by IP, and failed peer-to-peer pings between two guest devices. Each test targets a distinct isolation layer, so a failure on any single test pinpoints exactly which layer has a misconfiguration. Running all six tests together takes under ten minutes and produces a documented record of isolation validation.
Test isolation from a connected device before going live
From a device connected to the guest SSID: (1) Confirm the assigned IP is in the guest VLAN subnet. (2) Confirm internet access works (open a browser, load a site). (3) Attempt to ping an internal host IP: ping 10.1.1.1 (your default gateway for the corporate network, or a known internal server). This should fail with 'Request timed out' or 'Destination host unreachable.' (4) Attempt a traceroute to an internal host: the trace should not reach any internal hop. (5) Attempt to access an internal web server by IP: http://10.1.1.50 should fail to connect. (6) Test client isolation: with two test devices on the guest SSID, attempt to ping between them — with client isolation enabled, this should fail. All six tests passing confirms the isolation configuration is working. Any test that succeeds when it should fail indicates a misconfiguration that needs to be resolved before the guest network is made available to visitors.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The bottom line
Enterprise guest WiFi security is a four-layer configuration: dedicated VLAN at Layer 2, firewall deny rules at Layer 3 blocking guest-to-corporate routing, client isolation at the access point preventing guest device peer attacks, and a captive portal for session recording and AUP acknowledgment. Each layer provides defense in depth — if any single layer is misconfigured, the others still provide partial protection. Test the isolation from a connected device before opening the network to visitors, and monitor firewall deny logs from the guest VLAN for unexpected connection attempts to internal resources.
Frequently asked questions
How do I create a guest WiFi VLAN that is completely isolated from my corporate network?
Guest VLAN isolation architecture: (1) Create a dedicated VLAN for guest traffic: in your managed switch, create VLAN 100 (or whichever ID you choose) and assign a subnet (e.g., 192.168.100.0/24) with a DHCP server that serves only this subnet. (2) Configure the SSID on your wireless access points to tag traffic into the guest VLAN: in Cisco, Aruba, Ubiquiti, or Meraki controllers, each SSID can be mapped to a VLAN — map the 'GuestWiFi' SSID to VLAN 100. All traffic from clients on this SSID is tagged with VLAN 100 and handled separately from corporate VLAN traffic. (3) Configure your firewall with deny-all between the guest VLAN and all internal subnets: rule: SOURCE=192.168.100.0/24, DESTINATION=10.0.0.0/8 (or all internal subnets), ACTION=DENY. Add this rule before any permit rules. (4) Add a permit rule allowing guest VLAN to reach the internet only: SOURCE=192.168.100.0/24, DESTINATION=any, ACTION=PERMIT (the deny-internal rule above will catch internal traffic before this rule is reached). (5) Verify isolation by connecting a test device to the guest SSID and attempting to ping an internal host — if the deny rule is working, the ping should fail.
What are the key firewall rules for a guest WiFi segment?
Guest VLAN firewall rule set (ordered, first-match): (1) DENY: source=guest VLAN, destination=all corporate subnets (all RFC 1918 ranges your organization uses: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 — be specific to avoid accidentally blocking legitimate internet traffic to sites that use private addressing). (2) DENY: source=guest VLAN, destination=management VLAN (wireless AP management, switch management, firewall management interfaces). (3) PERMIT: source=guest VLAN, destination=DNS resolver (either the ISP's resolver or 8.8.8.8 — do not point guest VLAN at your internal DNS server which could leak internal hostname data). (4) PERMIT: source=guest VLAN, destination=any, service=HTTP/HTTPS (TCP 80, 443). Optionally add common ports (IMAP, SMTP, VPN protocols) if guests commonly need email or VPN access on guest WiFi. (5) DENY ALL: implicit deny for all other traffic from guest VLAN. Log all denied traffic from the guest VLAN for 30 days — access attempt logs are useful if a guest device is later found to have been compromised.
How do I configure a captive portal for the guest WiFi network?
Captive portal options for enterprise guest WiFi: (1) Built-in controller captive portal: most enterprise wireless controllers (Cisco WLC, Aruba ClearPass, Ubiquiti UniFi, Meraki) include built-in captive portal functionality. Configure: splash page URL, AUP text (the visitor clicks 'I agree to the acceptable use policy'), session timeout (8 hours for business visitors, shorter for retail), optionally: a pre-registration form that captures visitor name and company for the session log. (2) External captive portal (more flexible): the wireless controller redirects unauthenticated guest HTTP requests to an external portal URL — you host the portal page (on a separate DMZ server or a cloud service like Cloudflare Access). The portal collects consent, then sends a RADIUS or API acknowledgment to the controller to authorize the client. (3) Simple pre-shared key (PSK) without captive portal: acceptable for low-risk guest environments if the PSK is rotated frequently (weekly or monthly), shared only with confirmed visitors, and the PSK is communicated verbally rather than posted visibly. PSK without captive portal provides no per-session record linking users to activity.
How do I prevent guest devices from attacking each other on the guest WiFi?
Client isolation prevents peer-to-peer communication between wireless clients on the same SSID: enable client isolation (also called AP isolation, wireless isolation, or layer 2 isolation depending on vendor) in your wireless controller or access point configuration. Effect: each client on the guest SSID can only communicate with the access point's default gateway (the internet router); clients cannot communicate directly with each other even if they are on the same subnet. Configuration: Ubiquiti UniFi: SSID settings > Advanced > Enable Client Isolation. Cisco WLC: WLAN > Security > Layer 2 > P2P Blocking > Drop. Aruba: SSID profile > Client Isolation. Meraki: Access Control > Client Isolation. Important: client isolation operates at Layer 2 (within the SSID) — it is separate from the VLAN-based corporate isolation which operates at Layer 3. Both should be enabled: VLAN isolation prevents guest-to-corporate traffic, client isolation prevents guest-to-guest attacks.
Should my guest WiFi use WPA2-PSK or open (no password) authentication?
WPA2-PSK versus open network for guest WiFi: Open network (no password): the wireless traffic is unencrypted, meaning anyone nearby with a wireless adapter in monitor mode can capture all guest traffic. Not recommended for corporate environments — your acceptable use policy and your duty of care to guests should include protecting their WiFi traffic from eavesdropping. WPA2-PSK with shared password: encrypts wireless traffic, prevents passive sniffing. The PSK is typically printed on a sign or shared via front desk — effectively public, but it provides encryption against passive attackers who do not know the current PSK. Rotate weekly or monthly. WPA3 (if your APs support it): WPA3-Personal with Simultaneous Authentication of Equals (SAE) prevents offline dictionary attacks against captured handshakes and provides Forward Secrecy — a captured session cannot be decrypted even if the PSK is later obtained. WPA3 is the best option for new deployments but requires both AP and client device WPA3 support. Captive portal on top of WPA2/WPA3-PSK provides the best combination: encryption against passive interception, plus session tracking and AUP acknowledgment.
How do I configure bandwidth limits to prevent guest traffic from impacting corporate traffic?
Bandwidth limiting for guest WiFi: most enterprise wireless controllers support rate limiting at the SSID level (all guest clients combined) and at the per-client level. Per-client limits are more effective: (1) Cisco WLC: WLAN > QoS > Bandwidth Limit: set upstream (client-to-AP) and downstream (AP-to-client) limits per client. Typical: 10 Mbps downstream, 5 Mbps upstream per guest client is sufficient for web browsing and video conferencing without enabling large file transfers. (2) Ubiquiti UniFi: SSID settings > Band Steering > Bandwidth Profiles: create a 'Guest' profile with per-client limits. (3) Meraki: Access Control > Traffic Shaping > Bandwidth Limits. (4) Additionally: configure QoS policies on the uplink from the guest VLAN to the internet to prioritize corporate traffic when contention occurs. A DSCP marking policy that marks corporate traffic as CS3 (medium) and guest traffic as BE (best effort) ensures corporate applications are not starved by guest streaming traffic.
What logging and monitoring should I enable on the guest WiFi network?
Guest network logging requirements: (1) DHCP lease log: every IP address assigned to a guest client, with the client MAC address and timestamp of lease assignment. If a guest device is later involved in an incident, the DHCP log links the IP to the device. (2) Firewall deny log: every connection attempt from the guest VLAN that was blocked by your deny-corporate rules. Attempts to reach internal subnets from the guest network are indicators of reconnaissance or misconfigured devices and should be reviewed. (3) Captive portal session log: for each authenticated guest session: MAC address, assigned IP, session start time, session end time, AUP acknowledgment timestamp. Retain for 90 days minimum (some regulations require longer for legal compliance). (4) DNS query log: if you run a DNS resolver for the guest VLAN, logging DNS queries provides visibility into what domains guest devices are resolving. This is useful for detecting malware command-and-control from guest devices as well as for compliance investigations.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
