Cybersecurity

How to Set Up Public WiFi for Business Visitors

Setting up a secure guest WiFi network separates visitor traffic from your corporate network, protects sensitive business data and satisfies UK data protection obligations. This guide covers hardware choices, network segmentation, captive portals and the security controls every business should implement.

NH

Nathan Hill-Haimes

Technical Director

7 min read·Mar 2026

Guest WiFi is not a spare password on your office router. Done properly it is a deliberate piece of network design that protects your data, satisfies UK data protection law, and removes a quiet but real route into your business. This guide walks through the hardware, the segmentation, the legal duties, and the security controls a UK business should apply — the same approach AMVIA builds into its managed cybersecurity engagements.

Why does guest WiFi need its own separate network?

Visitor devices must never share the network your staff use. The moment an unknown laptop or phone joins your corporate WLAN it can potentially reach shared drives, printers, servers and other endpoints. A single infected visitor device can become a pivot point into systems you are legally obliged to protect.

The principle is simple: visitors get internet access and nothing else. Your internal network stays completely invisible to them. That outcome does not come from a second password — it comes from segmentation, isolation and firewall rules working together. This is the same "assume nothing is trusted by default" thinking behind zero trust network access.

What hardware do you need for business guest WiFi?

Use business-grade access points that support proper VLAN tagging, per-SSID controls and central management. Consumer routers can advertise a "guest" SSID, but they lack the isolation, logging and policy control a business handling customer data needs. The table below compares the three realistic options.

OptionTypical costVLAN isolationLoggingBest for
Consumer router guest modeOften bundledWeakMinimalTiny offices, low risk
Business access points (UniFi, Meraki, Aruba)From £150–£400 per APFullGoodMost SMEs
Managed WiFi as a serviceFrom £30–£80 per AP/monthFullManagedNo in-house IT

Consumer-grade routers — not recommended for business

Domestic routers with a built-in guest network are better than nothing, but they offer limited control, poor logging and weak VLAN isolation. They are not appropriate if you handle customer data, fall under sector regulation, or host more than a handful of visitors a day.

Business-grade access points

Manufacturers such as Ubiquiti UniFi, Cisco Meraki and Aruba make access points built for business: real VLAN tagging, role-based access control, per-SSID bandwidth limits and centralised management. Expect to pay from around £150–£400 per access point (typical UK 2026 range), with ongoing licence fees on cloud-managed platforms.

Managed WiFi as a service

If you want business-grade WiFi without owning the configuration risk, managed WiFi bundles hardware, monitoring and support into a monthly fee — typically from £30–£80 per access point per month (market rates as of 2026), depending on provider and support level. This pairs naturally with broader managed IT support so one provider owns the whole stack.

How should you architect the network? Segmentation is non-negotiable

Proper guest WiFi relies on network segmentation. The guest SSID sits on a dedicated VLAN that has no route to your internal LAN. Traffic from that VLAN exits straight to the internet and never touches your business systems. This is the single most important control on the page.

  • VLAN tagging: assign the guest SSID to its own VLAN (for example VLAN 20). Your firewall enforces that VLAN 20 cannot reach VLAN 10 (your corporate network).
  • Client isolation: stop guest devices talking to each other on the WiFi, preventing peer-to-peer attacks between visitors.
  • Bandwidth limiting: cap the guest SSID (for example 20 Mbps down, 5 Mbps up) so visitors cannot starve business operations of capacity.
  • DNS filtering: apply a DNS filter to the guest VLAN to block known-malicious domains and protect your connection's reputation.

The internet feed itself matters too. If guest and business traffic share a single line, a busy guest network can degrade the connectivity your staff depend on — one reason businesses with high footfall move to a dedicated business leased line with guaranteed bandwidth.

What does a captive portal do, and do you need one?

A captive portal is the webpage shown before a visitor reaches the internet, usually requiring them to accept your terms first. It creates a record of acceptance, can collect a marketing email address with consent, deters misuse, and can display opening hours or contact details. For any business offering public WiFi, it is the cleanest way to set expectations.

  • It records acceptance of your acceptable use policy (AUP).
  • It can capture an email address — only with explicit consent under UK GDPR.
  • It makes clear what is and is not permitted on your network.
  • It can carry branding, contact details or promotional content.

If your portal collects personal data, you need a lawful basis for processing, a clear privacy notice, and the ability to demonstrate consent. The Information Commissioner's Office sets out these duties in its guide to UK GDPR. Most business-grade WiFi platforms ship customisable portal templates that make compliance straightforward.

What are the UK legal and regulatory considerations?

UK businesses providing guest WiFi should focus on two areas: data retention and UK GDPR. Neither is onerous, but both carry real consequences if ignored — particularly around personal data collected at the portal and logs that may be requested if your network is misused.

Data retention

The Investigatory Powers Act 2016 does not directly require most businesses to retain connection logs, but keeping them is good practice. If your network is used for illegal activity, authorities may request access records. Most business WiFi platforms retain connection metadata by default, so this is usually a setting to confirm rather than build.

UK GDPR

If your captive portal collects personal data such as names or email addresses, you must apply purpose limitation, data minimisation, retention limits and a clear privacy notice. Do not collect data you do not need. The ICO's guidance on lawful bases explains what "consent" actually requires for marketing.

Which security controls should you apply to guest WiFi?

Beyond segmentation, harden the guest network itself. Encryption, password hygiene, logging and firewall rules turn a convenient amenity into a controlled service. These are the controls AMVIA expects to see on any business guest network during an assessment.

  • WPA3 or WPA2-AES encryption: never WEP or WPA (TKIP). The NCSC's device and network security guidance backs strong, modern encryption as a baseline.
  • Regular password rotation: change the guest password monthly — or weekly for high-footfall sites — and display the current one at reception rather than baking in a static credential.
  • Logging: retain connection metadata (IP, MAC, timestamp) for at least 30 days.
  • Firewall rules: block the guest VLAN from reaching private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and all management interfaces.
  • Regular review: include guest WiFi in your annual IT security review.

What is the step-by-step process to set it up?

Setting up guest WiFi for the first time follows a predictable sequence. Work through it in order — testing isolation before you go live is the step most businesses skip and later regret.

1. Audit your network equipment to confirm it supports VLANs and multiple SSIDs. 2. Plan your VLAN numbering and IP addressing scheme. 3. Configure the guest SSID on a dedicated VLAN with no internal routing. 4. Enable client isolation and bandwidth throttling. 5. Configure the firewall to block guest VLAN access to internal ranges. 6. Set up a captive portal with an acceptable use policy. 7. Test from a guest device — confirm you can reach the internet but cannot ping internal hosts. 8. Document the configuration and schedule a review date.

Is Your Current WiFi Setup Secure?

Many businesses discover their guest WiFi is poorly segmented only after an incident. AMVIA can assess your current network configuration and recommend improvements.

Frequently Asked Questions