Public WiFi for Your Business: Setup, Security and Best Practices

Providing public WiFi for customers and visitors requires more than plugging in a second router. This guide covers the right approach to network architecture, legal requirements under UK GDPR, hardware options and the security controls that protect your business while keeping guests connected.

Matt Cannon

Managing Director

8 min read · Mar 2026

The Business Case for Guest WiFi

Offering WiFi to customers, clients and visitors is now an expected amenity in most business environments — from retail and hospitality to professional services and co-working spaces. Done well, it improves customer satisfaction and can support marketing goals. Done poorly, it creates a direct pathway into your corporate infrastructure.

The challenge is that many businesses either share their corporate WiFi password with visitors (a significant security risk) or buy a consumer router without understanding the segmentation limitations. Neither approach is acceptable for a business that takes data protection seriously.

Understanding the Risks of Unmanaged Guest WiFi

When a visitor connects to your WiFi, their device joins the same broadcast domain as your other connected devices unless you have implemented proper segmentation. This creates several risks:

  • Network reconnaissance: A technically capable visitor can scan the network and identify connected devices, open ports and services.
  • Lateral movement: If a visitor's device is already compromised by malware, that malware can attempt to spread to other devices on the same network segment.
  • Bandwidth abuse: Without limits, visitors can consume your internet capacity, degrading performance for business operations.
  • Legal liability: If a visitor uses your network for illegal activity (copyright infringement, distributing prohibited content), your IP address is associated with that activity.

The Right Architecture: VLANs and Network Segmentation

The foundation of a secure public WiFi setup is network segmentation using VLANs (Virtual Local Area Networks). The guest SSID should be assigned to a separate VLAN that has no routing path to your internal corporate network.

In practical terms this means:

  • Visitors can browse the internet normally
  • Visitors cannot reach your file servers, internal applications, printers or other devices
  • Your corporate devices cannot see guest devices
  • The guest VLAN exits to the internet through your firewall with appropriate rules

This architecture requires a managed switch, a business-grade access point, and a firewall or router capable of VLAN routing. Consumer-grade equipment frequently lacks these capabilities.

Choosing the Right Hardware

Business Access Points

For most SMEs, platforms such as Ubiquiti UniFi, Cisco Meraki and Aruba Instant On offer a good balance of capability and cost. These support multiple SSIDs, VLAN tagging, central management and detailed logging. Access point costs typically range from £150 to £500 per unit depending on the model and coverage requirements.

Managed Switches

To pass VLAN-tagged traffic between your access point and firewall, you need a managed switch. Entry-level managed switches from brands like Netgear, TP-Link or Cisco are available from around £80–£300 for small deployments.

Firewall

Your firewall enforces the rule that guest traffic cannot reach internal systems. If you are using a basic ISP-supplied router, you may need to upgrade to a proper business firewall such as pfSense, FortiGate or Sophos. Managed firewall services are available from around £30–£60 per month.

Captive Portal: Terms, Consent and Marketing

A captive portal requires visitors to accept terms before gaining internet access. From a legal standpoint, it creates evidence that users agreed to your acceptable use policy. From a marketing standpoint, it is an opportunity to collect email addresses — but only with clear, freely given consent under UK GDPR.

Key requirements if you collect personal data via a captive portal:

  • State clearly what data you are collecting and why
  • Provide a link to your privacy policy
  • Do not bundle WiFi access with consent to marketing — consent must be freely given
  • Store the consent record and apply an appropriate retention period
  • Provide a simple way for visitors to withdraw consent

Bandwidth Management and Fair Use

Without controls, a single visitor streaming video in 4K can saturate a modest internet connection. Set per-SSID bandwidth limits appropriate to your connection speed. For a 100 Mbps leased line, allocating 20–30 Mbps total to guest WiFi while protecting 70–80 Mbps for business use is a reasonable starting point.

Most business access points allow you to configure QoS (Quality of Service) rules that prioritise business-critical traffic (VoIP calls, CRM systems) over guest internet traffic automatically.

Security Controls Checklist

Before making your guest WiFi available to visitors, confirm the following:

  • Guest SSID is on a dedicated VLAN with no internal routing
  • Client isolation is enabled (guests cannot see each other)
  • Firewall rules block guest VLAN access to all private IP ranges
  • WPA2 or WPA3 encryption is active (not open/unsecured)
  • Bandwidth limits are configured
  • DNS filtering is applied to the guest VLAN
  • Connection logging is enabled and retained for at least 30 days
  • A captive portal with acceptable use terms is in place
  • Guest WiFi password is rotated regularly

Ongoing Management

Guest WiFi is not a set-and-forget infrastructure component. Include it in your regular IT security reviews, check that firmware updates are applied to access points and periodically verify that the VLAN segmentation remains intact — particularly after any network changes or equipment additions.
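
One way to run that periodic segmentation check offline is to audit an exported copy of the firewall rules. The script below is an added example, not AMVIA's tooling or any vendor's API; it assumes first-match-wins evaluation, IPv4 only, rules reduced to (action, source, destination) with ports ignored, and a hypothetical guest subnet of 192.168.50.0/24.

```python
import ipaddress as ip

# Destinations guests must never reach: RFC 1918, CGNAT (RFC 6598), link-local.
PRIVATE = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
           "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16")]

def subtract(nets, blocked):
    """Remove the address space of `blocked` from every network in `nets`."""
    out = []
    for n in nets:
        if n.subnet_of(blocked):
            continue                                # fully covered by the rule
        if blocked.subnet_of(n):
            out.extend(n.address_exclude(blocked))  # keep the uncovered remainder
        else:
            out.append(n)                           # disjoint, unchanged
    return out

def audit(rules, guest_cidr):
    """Walk a first-match ruleset; return (rule_no, allow_dst, exposed_net) leaks."""
    guest = ip.ip_network(guest_cidr)
    exposed, leaks = list(PRIVATE), []
    for no, (action, src, dst) in enumerate(rules, 1):
        src, dst = ip.ip_network(src), ip.ip_network(dst)
        if not src.overlaps(guest):
            continue                         # rule never matches guest traffic
        if action == "allow":
            for n in exposed:
                if n.overlaps(dst):          # an undecided private range is let through
                    hit = n if n.subnet_of(dst) else dst
                    leaks.append((no, str(dst), str(hit)))
        if guest.subnet_of(src):
            exposed = subtract(exposed, dst) # decided for every guest; first match wins
    return leaks

# Constructed sample rulesets (action, source, destination); not from a real device.
GUEST = "192.168.50.0/24"
GOOD = [("deny", GUEST, str(n)) for n in PRIVATE] + [("allow", GUEST, "0.0.0.0/0")]
# Drift: a printer exception added above the denies, and one deny narrowed to a /16.
DRIFTED = [("allow", GUEST, "10.0.20.15/32"),
           ("deny", GUEST, "10.0.0.0/8"), ("deny", GUEST, "172.16.0.0/16"),
           ("deny", GUEST, "192.168.0.0/16"), ("deny", GUEST, "100.64.0.0/10"),
           ("deny", GUEST, "169.254.0.0/16"), ("allow", GUEST, "0.0.0.0/0")]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
        print(name, audit(rules, GUEST) or "no guest path to private ranges")
```

Each leak names the rule number to fix, which makes the check suitable for running after every firewall change rather than only at review time.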

AMVIA manages WiFi infrastructure for a range of UK businesses, handling everything from initial design and deployment to ongoing monitoring. If your current guest WiFi arrangement has grown organically rather than being properly designed, a review is worth scheduling before an incident prompts one.

Is Your Guest WiFi Properly Segmented?

Most businesses assume their guest WiFi is secure. Many are wrong. AMVIA can review your current setup and confirm whether your corporate network is properly protected.
