[Help] Unifi WiFi Client Segregation Issue

Context:
I have 3 SSIDs
Private - VLAN101 (Can talk to VLAN100)
Guest - VLAN102 (Can’t talk to anything except internet)
IoT - VLAN103 (Can’t talk to anything except internet)

And another VLAN for servers (VL100), not an SSID.


Issue:
So, I’ve noticed that people in my household (and next door) are supplying visitors with our ‘private’ password, however, they don’t know the password. I type it into their devices.
They’re getting the password because now on Android phones you can ‘share’ the SSIDs, which prints the wireless password in plain text.


Question:
How can I keep devices separated into the correct network so people cannot share the password for private SSIDs?


Ideas:
Idea 1: Create a captive portal, one for Guest and one for Private each has their own login. This way I can make the SSID open, but they won’t be able to share the private password as it’s one-time. The issue with this idea is that Unifi only allows you to create a captive portal with 1 accepted password (Named ‘Simple Password’ in Captive Portal). I think this is dumb… but yeah.

Idea 2: I’ve tried to create the captive portals through pfSense however I’ve had a huge issue getting the phones to accept the self-signed cert, my Pixel 2 just does not like it and will refuse it.

Idea 3: MAC-Bind the ‘allowed’ clients to Private, sure, but this requires constant upkeep and management, and I’m not exactly sure how to enforce this in Unifi.

Idea 4: Use vouchers with no expiry for Private. 2 issues with this: it isn’t very user-friendly for guest access, where I just want a simple password, and it isn’t very practical for Private since there’s no true unlimited, you just set the expiry to like 999d. I didn’t particularly like this idea.


Closing:
So, does anyone have a better solution than my above attempts because I’m lost for ideas now?

Thanks and I’d appreciate anyone that’s able to help. I can’t be the only one that’s facing this or a similar issue.

You could create two ranges of IPs in VLAN101, one that can talk to VLAN100 and one that can’t. Set up the DHCP so it normally gives out IPs in the second range, and use DHCP reservations to put your trusted clients in the first range.

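To make the two-range idea above concrete, here is an added example (not code from the thread or from Ubiquiti/pfSense) that checks a split of VLAN101 into a reserved "trusted" range and the general DHCP pool, flags reservations that accidentally sit inside the pool, and turns the trusted range into the CIDR blocks you would paste into a firewall alias for the "may talk to VLAN100" rule. All addresses, ranges and MAC addresses are constructed for illustration.

```python
"""Model of "two IP ranges in one VLAN, firewall rule keyed on the trusted range".

Added example, not from the forum thread. Subnet, ranges and reservations are
constructed sample data; adjust them to your own VLAN101 layout.
"""
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed sample layout for VLAN101 (a /24):
#   trusted reservations live in .10-.63 (may reach VLAN100)
#   everyone else gets a lease from .100-.250 (internet only)
VLAN101 = "192.168.101.0/24"
TRUSTED_RANGE = "192.168.101.10-192.168.101.63"
DHCP_POOL = "192.168.101.100-192.168.101.250"

# Constructed reservations: MAC -> IP. The third one is a deliberate mistake
# (it sits inside the dynamic pool, so the trusted-range rule would not match it).
RESERVATIONS = {
    "aa:bb:cc:00:00:01": "192.168.101.10",
    "aa:bb:cc:00:00:02": "192.168.101.11",
    "aa:bb:cc:00:00:03": "192.168.101.120",
}


def _parse_range(text):
    """'a-b' -> (ip_address(a), ip_address(b))."""
    start, end = text.split("-", 1)
    return ip_address(start.strip()), ip_address(end.strip())


def _in_range(addr, rng):
    return rng[0] <= addr <= rng[1]


def _overlap(a, b):
    """True if two inclusive (start, end) ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]


def check_layout(trusted=TRUSTED_RANGE, pool=DHCP_POOL, subnet=VLAN101):
    """Return a list of problems with the range split; empty list means OK."""
    net = ip_network(subnet)
    problems = []
    ranges = {"trusted": _parse_range(trusted), "pool": _parse_range(pool)}
    for name, (lo, hi) in ranges.items():
        if lo > hi:
            problems.append(f"{name} range is reversed")
        if lo not in net or hi not in net:
            problems.append(f"{name} range leaves {net}")
    if _overlap(ranges["trusted"], ranges["pool"]):
        problems.append("trusted range overlaps the DHCP pool")
    return problems


def trusted_alias_cidrs(trusted=TRUSTED_RANGE):
    """CIDR blocks covering the trusted range, ready for a firewall alias."""
    lo, hi = _parse_range(trusted)
    return [str(n) for n in summarize_address_range(lo, hi)]


def misplaced_reservations(reservations=RESERVATIONS, trusted=TRUSTED_RANGE):
    """Reservations whose IP is outside the trusted range (the rule would miss them)."""
    rng = _parse_range(trusted)
    return {mac: ip for mac, ip in reservations.items()
            if not _in_range(ip_address(ip), rng)}


def allowed_to_vlan100(src, trusted=TRUSTED_RANGE):
    """Model of the firewall rule: pass to VLAN100 only from the trusted range."""
    return _in_range(ip_address(src), _parse_range(trusted))


if __name__ == "__main__":
    print("layout problems:", check_layout())
    print("alias entries:", trusted_alias_cidrs())
    print("reservations outside trusted range:", misplaced_reservations())
```

The alias is the part people usually get wrong: a contiguous range like .10-.63 is not one CIDR block, so the helper splits it into the aligned blocks (.10/31, .12/30, .16/28, .32/27) that a firewall alias will accept. The overlap check matters because a reservation that lands inside the dynamic pool silently puts a "trusted" device on the wrong side of the rule.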

Okay, thank you for this, I will give it a go.

Would still appreciate further ideas to try.

Is this a business or a home use scenario? The reason I’m asking is if you have a Windows server available, you can use RADIUS authentication and do a cert based authentication. If you have to touch each device to put in the password to put it on your private VLAN anyways, that will work.

Also, if you see other devices on your private VLAN that shouldn’t be there, why not just block them? If you’re using Unifi stuff, it’s not hard.

You could do DHCP reservations for devices you want to access VLAN 100, create an alias for the manually assigned range and enforce it with a firewall rule. I know you can do this in pfSense, not sure about Unifi as I haven’t played with their firewall much.

You could also do the same basic thing with a FreeRADIUS server assigning IPs instead of DHCP. You can even add TOTP authentication if you wanted. Both pfSense and Unifi have RADIUS servers, but I believe the pfSense option is much more feature-rich.
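As an added illustration of the RADIUS approach (not from the thread, and not an official FreeRADIUS or Ubiquiti configuration), this is the shape of a FreeRADIUS `users` file that hands each trusted account its own VLAN and, as the reply above suggests, a fixed IP. The file path, the account names, passwords, VLAN numbers and addresses are all assumed; `Framed-IP-Address` only has an effect if whatever hands out addresses (pfSense's RADIUS-aware DHCP, or a captive portal) honours it, while `Tunnel-Private-Group-Id` is the standard attribute an AP uses for RADIUS-assigned VLANs and is the one I would rely on.

```text
# Assumed path: /etc/freeradius/3.0/users  (adjust for your install)
# One entry per trusted account. Reply attributes (indented lines) tell the
# AP/controller which VLAN to place the client in; the WLAN must have
# RADIUS-assigned VLAN enabled for Tunnel-Private-Group-Id to be honoured.

alice   Cleartext-Password := "assumed-example-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "101",
        Framed-IP-Address = 192.168.101.10

bob     Cleartext-Password := "another-assumed-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "101",
        Framed-IP-Address = 192.168.101.11

# A household member who should only get the guest network, even though
# they authenticate against the same server.
carol   Cleartext-Password := "yet-another-assumed-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "102"
```

Per-user credentials are the point here: the shared PSK that Android happily exports no longer exists, and revoking one person means deleting one line rather than re-keying every device. Cleartext passwords in the file only work with EAP methods that can use them (PEAP/MSCHAPv2, EAP-TTLS); for the certificate-based option mentioned earlier you would use EAP-TLS and drop the password lines.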