Guest network at the office: how to separate guests from your business network?

Visitors on your WiFi is perfectly normal. Them sitting on the same network broadcast as your NAS is not. Basic segmentation takes just 10 minutes to set up.

Many SMB offices run a single WiFi network. A visitor gets the password — and suddenly they're sitting in your "trusted" network layer, with potential access to printers, NAS devices, IP cameras, and internal servers.

The two-network minimum

• Business network: employees, company laptops, company printers. Authenticate via WPA2-Enterprise or 802.1X as you grow.
• Guest network: visitors, unknown devices, IoT (smart TV, thermostat). Isolated from the business network via VLAN or client isolation.

Set up in 10 minutes

1. Log in to your router/access point admin panel.
2. Enable "Guest network" (Ubiquiti, Ruckus, and even consumer routers support this).
3. Turn on client isolation: guest clients cannot see each other.
4. Bandwidth throttling (e.g. max 10 Mbps per client) prevents abuse.
5. Use a separate password, displayed at reception or as a QR code.

What goes on which network?

• Business: employee laptops, company printer.
• Guest: visitor devices, smart TV in the meeting room, IP cameras (IoT devices are often unpatched).

Next step: 3-network setup

For > 30 employees or security-sensitive sectors: split into business / IoT / guest. IoT gets its own VLAN because these devices are rarely updated.

See also: security pillar.