How to Set Up Public WiFi for Business Visitors

Setting up a secure guest WiFi network separates visitor traffic from your corporate network, protects sensitive business data and satisfies UK data protection obligations. This guide covers hardware choices, network segmentation, captive portals and the security controls every business should implement.

Nathan Hill-Haimes

Technical Director

7 min read·Mar 2026

Why Guest WiFi Needs Its Own Network

Allowing visitors to connect to the same WiFi network your staff use is a security risk that many businesses overlook. Once a device joins your corporate WLAN, it can potentially reach shared drives, printers, internal systems and other endpoints. A single compromised visitor device — or a disgruntled visitor — could expose data you have a legal obligation to protect.

The principle behind guest WiFi is simple: visitors get internet access, nothing more. Your internal network remains completely invisible to them. Achieving this requires deliberate configuration, not just a separate password.

Hardware Options for Guest WiFi

Consumer-Grade Routers (Not Recommended for Business)

Many small businesses attempt to use a domestic router's built-in guest network feature. While better than nothing, these solutions offer limited control, poor logging capabilities and weak VLAN isolation. They are not appropriate if you handle customer data, operate under sector-specific regulation or have more than a handful of visitors per day.

Business-Grade Access Points

Manufacturers such as Ubiquiti UniFi, Cisco Meraki and Aruba offer access points designed specifically for business environments. These support proper VLAN tagging, role-based access control, bandwidth throttling per SSID and centralised management. Expect to pay from around £150–£400 per access point, with ongoing licensing fees for cloud-managed platforms.

Managed WiFi as a Service

For businesses that want professional-grade WiFi without managing infrastructure themselves, managed WiFi services bundle hardware, monitoring and support into a monthly fee — typically from £30–£80 per access point per month depending on the provider and support level included.

Network Architecture: Segmentation Is Non-Negotiable

Proper guest WiFi relies on network segmentation. The guest SSID should sit on a separate VLAN (Virtual Local Area Network) that has no route to your internal LAN. Traffic from that VLAN exits directly to the internet, bypassing all internal systems.

  • VLAN tagging: The guest SSID is assigned to a dedicated VLAN (e.g., VLAN 20). Your firewall or router enforces that VLAN 20 traffic cannot reach VLAN 10 (your corporate network).
  • Client isolation: Enable this setting so guest devices cannot communicate with each other on the WiFi network — preventing peer-to-peer attacks between visitors.
  • Bandwidth limiting: Cap guest bandwidth (e.g., 20 Mbps down, 5 Mbps up) to prevent visitors from consuming capacity needed for business operations.
  • DNS filtering: Apply a DNS filter to the guest VLAN to block malicious domains. This protects your internet connection's reputation and adds a layer of protection against visitors inadvertently downloading malware.

Captive Portals and Acceptable Use

A captive portal is a webpage that appears before a visitor gains internet access. It typically requires the visitor to accept terms and conditions before connecting. This serves several purposes:

  • It creates a record of acceptance of your acceptable use policy (AUP)
  • It can collect an email address for marketing (with explicit consent under UK GDPR)
  • It deters misuse by making clear what is and is not permitted on your network
  • It can display contact information, opening hours or promotional content

Under the UK GDPR, if you collect email addresses via a captive portal, you need a lawful basis for processing, a clear privacy notice and the ability to demonstrate consent. Most business-grade WiFi platforms include customisable captive portal templates.

UK Legal and Regulatory Considerations

Businesses providing public or guest WiFi should be aware of two key legal areas:

Data Retention

The Investigatory Powers Act 2016 does not directly require most businesses to retain connection logs, but having logs available is good practice. If your network is used for illegal activity, authorities may request access records. Most business WiFi platforms retain connection metadata by default.

UK GDPR

If your captive portal collects personal data (email addresses, names), you must comply with UK GDPR: purpose limitation, data minimisation, retention limits and a privacy notice. Do not collect data you do not need.

Security Controls to Apply

Beyond segmentation, apply these controls to your guest WiFi setup:

  • WPA3 or WPA2-AES encryption: Do not use WEP or WPA (TKIP). All modern business access points support WPA2 as a minimum.
  • Regular password rotation: Change the guest WiFi password monthly, or weekly if your premises have high visitor volume. Display the current password prominently at reception rather than using a static credential.
  • Logging: Retain connection logs (IP address, MAC address, timestamp) for at least 30 days.
  • Firewall rules: Block access from the guest VLAN to your private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and to management interfaces.
  • Regular review: Include guest WiFi configuration in your annual IT security review.
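
The firewall rule above fails most often because one private range is left out or an allow rule sits above the blocks. The following check is an added example, not code from any vendor or from the original article: it evaluates a ruleset top-down with first-match semantics and lists any private range the guest VLAN can still reach. The rule format and both rulesets are constructed for illustration, and VLAN 20 is the example guest VLAN used earlier.

```python
import ipaddress

# RFC 1918 ranges the guest VLAN must never reach (from the firewall-rules item above).
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rulesets in a hypothetical vendor-neutral form:
# (source VLAN, destination CIDR, action), evaluated top-down, first match wins.
RULES_MISSING_RANGE = [
    (20, "10.0.0.0/8", "drop"),
    (20, "192.168.0.0/16", "drop"),      # 172.16.0.0/12 was forgotten
    (20, "0.0.0.0/0", "accept"),         # internet access
]
RULES_GOOD = [
    (20, "10.0.0.0/8", "drop"),
    (20, "172.16.0.0/12", "drop"),
    (20, "192.168.0.0/16", "drop"),
    (20, "0.0.0.0/0", "accept"),
]


def exposed_ranges(rules, vlan, default="drop"):
    """Return the private sub-ranges that traffic from `vlan` is allowed to reach."""
    exposed = []
    for target in PRIVATE:
        remaining = [target]             # parts of the range no rule has matched yet
        for src_vlan, dst, action in rules:
            if src_vlan != vlan:
                continue
            rule_net = ipaddress.ip_network(dst)
            unmatched = []
            for piece in remaining:
                if not piece.overlaps(rule_net):
                    unmatched.append(piece)
                elif piece.subnet_of(rule_net):      # rule decides the whole piece
                    if action == "accept":
                        exposed.append(piece)
                else:                                # rule decides only part of it
                    if action == "accept":
                        exposed.append(rule_net)
                    unmatched.extend(piece.address_exclude(rule_net))
            remaining = unmatched
        if default == "accept":                      # unmatched traffic follows the default
            exposed.extend(remaining)
    return sorted(exposed)


if __name__ == "__main__":
    print([str(n) for n in exposed_ranges(RULES_MISSING_RANGE, vlan=20)])
```

An empty result means every address in the three private ranges is dropped before any allow rule can match. This covers forwarded traffic only, so access to the gateway's own management interface needs a separate rule and a separate check.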

Implementation Steps

If you are setting up guest WiFi for the first time, here is a practical sequence:

  1. Audit your current network equipment to confirm it supports VLANs and multiple SSIDs
  2. Plan your VLAN numbering and IP addressing scheme
  3. Configure the guest SSID on a dedicated VLAN with no internal routing
  4. Enable client isolation and bandwidth throttling
  5. Configure the firewall to block guest VLAN access to internal ranges
  6. Set up a captive portal with an acceptable use policy
  7. Test from a guest device — verify you can reach the internet but cannot ping internal hosts
  8. Document the configuration and schedule a review date
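
Step 7 can be scripted so the same test is repeated at every review. This is an added example, not part of the original article: it runs on a laptop joined to the guest SSID and uses TCP connection attempts as well as the internet check, because a blocked ping alone does not show that TCP services are blocked. All addresses and ports are constructed placeholders to be replaced with hosts from your own network.

```python
import socket

# Constructed targets: replace with hosts from your own corporate VLAN and gateway.
INTERNAL_TARGETS = [
    ("192.168.10.5", 445),     # hypothetical file server (SMB)
    ("192.168.10.20", 9100),   # hypothetical network printer
    ("192.168.20.1", 443),     # hypothetical gateway management interface
]
INTERNET_TARGET = ("example.com", 443)


def tcp_probe(host, port, timeout=3.0):
    """Return 'open', 'refused' or 'filtered' for one TCP connection attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A reset came back: from the host itself, or from a firewall set to reject.
        return "refused"
    except OSError:
        return "filtered"      # timeout or unreachable: nothing completed the handshake


def check_segmentation(probe=tcp_probe, internal=INTERNAL_TARGETS,
                       internet=INTERNET_TARGET):
    """Return a list of findings; an empty list means the guest VLAN passed."""
    findings = []
    if probe(*internet) != "open":
        findings.append(f"no internet access via {internet[0]}:{internet[1]}")
    for host, port in internal:
        state = probe(host, port)
        if state != "filtered":    # 'open' is a failure, 'refused' needs review
            findings.append(f"{host}:{port} is {state} from the guest VLAN")
    return findings


if __name__ == "__main__":
    for finding in check_segmentation() or ["guest VLAN passed"]:
        print(finding)
```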

Is Your Current WiFi Setup Secure?

Many businesses discover their guest WiFi is poorly segmented only after an incident. AMVIA can assess your current network configuration and recommend improvements.

Frequently Asked Questions