Office guest Wi-Fi: simple to set up, but most SMBs get it wrong

A guest network takes ten minutes to configure, yet we see the same mistakes in offices time and again. What belongs on your guest Wi-Fi, what doesn't, and why does it matter?

Almost every office has a guest Wi-Fi. And yet, on almost every visit, we see the same things: the password is on a yellow sticky note at reception, visitors are on the same network as the accounting PC, and nobody remembers who set up the router in the first place. Time to walk through it — briefly, practically, and without network jargon.

Why you don't want guests on your main network

It sounds hospitable to put the service engineer, the intern, or the supplier's rep on "the Wi-Fi." But the moment a device is on your main network, it can — in theory, and sometimes in practice — reach things you'd rather keep private:

• The network printer (and with it, the ability to view or abuse print jobs).
• The NAS or file server where your documents are stored.
• Other computers in the office, including any vulnerabilities on them.
• The router itself — if it's still running on default passwords.

And it works both ways: an infected laptop brought in by a visitor can cause damage on your main network. A guest network isn't a luxury; it's basic hygiene.

What a good guest network must do

You don't need to be a network administrator to get the basics right. These are the four things it has to do:

1. Isolated from your main network. Guests can't see each other's devices and can't reach your printer, NAS, or PCs. In router settings this is usually called "client isolation" or "AP isolation."
2. Its own password, separate from the main network. That password can be handed out freely; the main network password cannot.
3. Bandwidth limit. Prevent a single visitor's large download from killing your video call.
4. Regular password changes. Quarterly, for example. Past visitors, former employees, and the cleaning crew don't need permanent access.

The five mistakes we see most often

1. A "guest network" that isn't actually a guest network

Some routers offer a second network name (SSID) that simply lands on the same internal network. It looks separate, but it isn't. Test it: connect a phone to the guest network and try to reach the printer or a shared folder. If you can, there's no real separation.

2. The main network password on the sign at the front desk

A classic. Everyone who has ever visited knows it, and in practice it hasn't changed in years. Replace it with the guest network password, and change the main network password once — properly.

3. Default login credentials on the router

"admin / admin" or the sticker password on the bottom of the device. An attacker on your guest network who happens to reach the router's admin interface is in within seconds. Change the router login to something unique and store it in your password manager — not on a Post-it.

4. Firmware from 2021

Routers receive security updates, but many SMB routers don't update automatically. Log in once a quarter and check whether updates are available. Or enable automatic updates if that option exists.

5. IoT devices on the main network

The smart coffee machine, the presence sensor, the smart TV in the meeting room — these are all devices where you have no control over the software. They have no business being near your work files. Put them on the guest network or, if your router supports it, on a separate IoT network.

Done in ten minutes

For most office routers (Ubiquiti, TP-Link, Fritz!Box, Zyxel, ASUS, KPN/Ziggo modems) it goes roughly like this:

1. Log in to your router using the web address printed on the device.
2. Look in the Wi-Fi settings for "Guest network" or a similar option.
3. Enable it and give it a recognisable name (e.g. "YourCompany-Guest").
4. Choose a strong but shareable password (three words plus a number works well).
5. Tick: no access to local network and client isolation.
6. Optionally set a bandwidth limit.
7. Test that from the guest Wi-Fi you cannot reach the printer or shared folders.

What about the work laptops themselves?

A guest network manages traffic within the office, but says nothing about what happens on the laptops themselves. For SMBs, the real basics remain: encrypted hard drives, updates enabled, a password manager, and 2FA on everything that matters. That's also what our 2FA implementation support and security checks are all about.

Quick connection test

Just reorganised your network? Check whether the guest network hasn't become oddly slow, or whether your main network is actually faster now that the IoT clutter has been moved off it. Our speed test does that in a few seconds, and with the IP lookup you can instantly verify that your guest Wi-Fi is using a different outgoing IP or subnet than your main network — a handy sanity check that the separation is genuinely working.

Can't figure it out on your own, or would you like someone to take a look? Feel free to call or email us. It's usually a matter of half an hour, and then you never have to think about it again.