Why Guest WiFi Must Be on a Separate Network — VLAN Guide
Is your guest WiFi on the same network as your company? A single guest device could access your entire infrastructure. What VLAN network segmentation is, why it's critical for SMBs, and how to implement it in 4 steps.
Your guest WiFi password is on a sticker at the reception desk. Visitors, delivery drivers, and waiting customers all connect. But here’s the question: can that guest phone reach your accounting server?
If your guest WiFi and company network share the same IP range — yes, it can.
The Risk: Same Network = Same Access
When everything is on one flat network:
Guest Phone → Same Switch → Same VLAN → Can see:
├── Accounting Server (SMB share)
├── IP Cameras
├── Printers
├── NAS with company files
└── Every other device on the network
A visitor doesn’t need to be malicious. Their device might already be compromised with malware that scans for open shares and spreads automatically.
According to the IBM 2024 Cost of a Data Breach Report, network segmentation reduces breach impact by 67%.
The Solution: VLAN Segmentation
VLANs (Virtual LANs) split one physical network into multiple isolated segments:
VLAN 10: Management → Router, switches, admin access
VLAN 20: Staff → Employee computers, printers, servers
VLAN 30: Guest → Internet only, no internal access
VLAN 40: IoT/Cameras → IP cameras, sensors, isolated
Devices on VLAN 30 (Guest) physically share the same cables and switches as VLAN 20 (Staff), but logically they’re completely separated. A guest device cannot see or reach anything on VLAN 20.
Implementation: 4 Steps
Step 1: Plan Your VLANs
| VLAN ID | Name | Purpose | Internet | Internal Access |
|---|---|---|---|---|
| 10 | Management | Network admin | Yes | Full |
| 20 | Staff | Employees | Yes | Servers, printers |
| 30 | Guest | Visitors | Yes | ❌ None |
| 40 | IoT | Cameras, sensors | Limited | ❌ None |
Step 2: Configure the Switch
On a managed switch (MikroTik, HP, Cisco), configure ports:
- Trunk port (to router): carries all VLANs tagged (802.1Q)
- Access ports: each assigned to one VLAN (untagged)
Port 1 (trunk to router): VLAN 10,20,30,40 tagged
Port 2-8 (staff): VLAN 20 untagged
Port 9-10 (guest AP): VLAN 30 untagged
Port 11-12 (cameras): VLAN 40 untagged
Step 3: Configure the Router
On MikroTik RouterOS (ether1 is the trunk port facing the switch):

```routeros
# Create VLAN interfaces on the trunk port
/interface vlan
add interface=ether1 name=vlan20-staff vlan-id=20
add interface=ether1 name=vlan30-guest vlan-id=30
# IP addresses per VLAN (the router is the gateway of each subnet)
/ip address
add address=192.168.20.1/24 interface=vlan20-staff
add address=192.168.30.1/24 interface=vlan30-guest
# DHCP for guest network, handing out a public resolver rather than an internal one
/ip pool add name=guest-pool ranges=192.168.30.10-192.168.30.200
/ip dhcp-server add address-pool=guest-pool interface=vlan30-guest
/ip dhcp-server network add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=8.8.8.8
# Firewall: block guest -> staff and guest -> management
# (the chain is evaluated top to bottom, so keep these above any general accept rule)
/ip firewall filter
add chain=forward src-address=192.168.30.0/24 dst-address=192.168.20.0/24 action=drop comment="Block guest to staff"
add chain=forward src-address=192.168.30.0/24 dst-address=192.168.10.0/24 action=drop comment="Block guest to management"
```
Step 4: Configure WiFi
Create two SSIDs on your access point:
SSID: CompanyName-Staff → Bridge to VLAN 20
SSID: CompanyName-Guest → Bridge to VLAN 30
If using MikroTik CAPsMAN, this is configured centrally. Staff SSID uses WPA3 with a strong password. Guest SSID can use a simpler password or captive portal.
Verification
After setup, test from a device connected to the guest WiFi:

```text
# From guest WiFi, try to ping the staff gateway
ping 192.168.20.1    # Should FAIL (timeout)
ping 8.8.8.8         # Should SUCCEED (internet works)
# Try to open a file share on the staff network (Windows UNC path)
\\192.168.20.100     # Should be unreachable
```

If a guest device can reach any staff IP, the firewall rules need fixing.
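The ping test above checks one flow at a time. As an added example (not part of the original guide), the Python audit below replays the Step 3 forward rules against the whole Step 1 plan: it walks the chain first-match-wins and reports every VLAN marked "Internal Access: None" that can still reach another internal subnet. The 192.168.10.0/24 and 192.168.40.0/24 subnets and the chain's final accept are assumptions.

```python
import ipaddress

# Constructed VLAN plan matching the Step 1 table; the subnets for VLAN 10 and
# VLAN 40 are assumed (192.168.<id>.0/24), the others come from Step 3.
VLANS = {
    10: ("Management", ipaddress.ip_network("192.168.10.0/24")),
    20: ("Staff", ipaddress.ip_network("192.168.20.0/24")),
    30: ("Guest", ipaddress.ip_network("192.168.30.0/24")),
    40: ("IoT", ipaddress.ip_network("192.168.40.0/24")),
}
# VLANs the table marks "Internal Access: None": nothing internal may be reached.
ISOLATED = {30, 40}

# Forward-chain rules as written in Step 3 (src/dst/action only).
RULES = [
    {"src": "192.168.30.0/24", "dst": "192.168.20.0/24", "action": "drop"},
    {"src": "192.168.30.0/24", "dst": "192.168.10.0/24", "action": "drop"},
]
# Assumed: anything no rule drops is forwarded.
DEFAULT_ACTION = "accept"

def decide(rules, src_ip, dst_ip, default=DEFAULT_ACTION):
    """Walk the chain top to bottom; the first matching rule wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r["src"]) and d in ipaddress.ip_network(r["dst"]):
            return r["action"]
    return default

def audit(rules, vlans=VLANS, isolated=ISOLATED):
    """Return (src_vlan, dst_vlan) pairs where an isolated VLAN can still reach
    another internal subnet. An empty list means the plan is enforced."""
    gaps = []
    for src_id in sorted(isolated):
        for dst_id, (_, dst_net) in vlans.items():
            if dst_id == src_id:
                continue  # intra-VLAN traffic never crosses the router
            # Probe with one host address taken from each subnet.
            if decide(rules, vlans[src_id][1][10], dst_net[10]) == "accept":
                gaps.append((src_id, dst_id))
    return gaps

# Constructed hardening: drop every flow from an isolated VLAN to any other
# internal subnet, extending the page's two rules.
HARDENED = RULES + [
    {"src": str(VLANS[s][1]), "dst": str(VLANS[d][1]), "action": "drop"}
    for s in sorted(ISOLATED) for d in VLANS if d != s
]

if __name__ == "__main__":
    for src, dst in audit(RULES):
        print(f"GAP: VLAN {src} ({VLANS[src][0]}) still reaches VLAN {dst} ({VLANS[dst][0]})")
    print("after hardening:", audit(HARDENED))
```

With only the two rules from Step 3, the audit shows that guest still reaches the IoT subnet and that VLAN 40 is not isolated at all; the hardened list closes both.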
Common Mistakes
| Mistake | Consequence | Fix |
|---|---|---|
| No firewall between VLANs | VLANs exist but can still communicate | Add explicit drop rules |
| Guest DNS points to internal DNS | DNS queries leak internal hostnames | Use public DNS (8.8.8.8) for guest |
| Management VLAN accessible from guest | Attacker can reach router admin | Drop guest → management traffic |
| Same WiFi password for years | Everyone knows it | Rotate quarterly, or use captive portal |
What It Costs
| Component | Price Range |
|---|---|
| MikroTik managed switch (8-port) | $50-100 |
| Configuration (professional) | $100-300 one-time |
| Additional access point | $50-200 |
| Total | $200-600 one-time |
No monthly fees. No subscriptions. One-time setup that protects your network permanently.
Compare this to the average cost of a data breach: $4.88 million (IBM 2024). Even at 0.01% of that risk, VLAN segmentation pays for itself.
Sources
- Network segmentation reduces breach impact by 67% — IBM Cost of a Data Breach Report (2024)
Frequently Asked Questions
What happens if guest WiFi isn't on a separate network?
Any device on your guest WiFi can potentially access shared drives, printers, cameras, and even servers on the same network. A visitor's malware-infected laptop could spread to your entire infrastructure.
What is a VLAN?
VLAN (Virtual Local Area Network) divides a physical network into logically separate segments. Devices on different VLANs cannot communicate with each other unless explicitly allowed through a router or firewall.
Do I need special equipment for VLANs?
You need a managed switch (not consumer-grade) and a router that supports VLAN tagging (802.1Q). MikroTik routers and most enterprise switches support this. A basic managed switch starts at around $50-100.
Can I set up VLANs myself?
Basic VLAN setup is achievable with networking knowledge. However, misconfiguration can lock you out of your own network. For production environments, professional setup is recommended.
Need Professional Support?
If you need help with this topic, we are here for you. Get in touch for installation, configuration, and troubleshooting.