2 WiFi SSIDs with no access to LAN

I have same setup.
2 Wireless networks, one for Office second for Guests.
Guest network after connection doesn't have access to LAN, so they can use only internet access without accessing company network.



This is very simple to do by using Unifi devices.
All you have to do is set POST AUTHORIZATION RESTRICTION for IP address from your LAN.


After authentication yours from Guest network will be prohibited to use LAN IP so they can't see LAN, only internet.
You can set more than one subnet :)

Hi James, is this in relation to the TP-Link AC1750 ? I know this is the basics for setting up VLANs but it doesn't look like the AC1750 can do this and also that the Netgear GS108E can either.

Most newer TP-Link models can isolate guests from your LAN (without the need fro VLAN function, it just handles this function internally). It's usually a checkbox in one of the menus (and the description similar to "isolate" or "can see LAN"). Did you flash the newest firmware?

edit: In the older cases it's called AP Isolation:

Enabled AP Isolation - This function can isolate wireless stations on your network from
each other. Wireless devices will be able to communicate with the router but not with each
other. To use this function, check this box. AP Isolation is disabled by default.

This of course applies to ALL wifi clients. Only in the newer TP-Links will this similar function be there in the Guest section (sometimes called "Allow Guests to Access my Local Network", which means, DO NOT tick this checkbox)

PeterNairn,

      The Netgear GS108E is a managed switch that you can adjust the GB ports directly or create VLAN tagging. This is also accompanied by the firewall/router rules. What brand and model is the firewall you have in place?

Hi, maybe I should have mentioned earlier that I already have a DHCP Router on the Lan which runs off a Fritz box.

Hi James, it has very limited configuration for the VLANs, basically all I can do is configure the ports in to VLANS, no routing options.

Peter,

      Then you are stuck with using a device on the AP level that will actually segregate and DHCP a different subnet. Look at the link below, toward the bottom are options to "Allow guests to see each other, or See my Network" and make sure those are not enabled.

https://www.tp-link.com/us/faq-649.html

The issue is that to allow guests to get an IP Address from the DHCP Server then they need access to the LAN, if we block them from the LAN then they get no ip address. That's why I purchased the Netgear Switches which have VPN built in but I still have the same issues as they seem to block everything on the second VLAN so no access to the DHCP Server.

Buy a cheap wifi router specific for the guests, put in on the VLAN. That way, you have DHCP available (in the Wifi router), and you have it separated from the network (because you put the WAN port of the Wifi router on the VLAN port of the switch)

If having separate office and guest WLANs is important, then it's equally important to use kit that is capable of properly supporting this. You already have a VLAN-capable switch, so a WAP (or two) that fully supports WLAN separation is needed. I find the Ubiquiti Unifi products mentioned above to be excellent for such applications. However, be aware that Ubiquiti WAPs require a software controller to be running in order to manage them, either locally or in the cloud.
You don't say how many office and guest users need to be supported or whether capacity for future expansion is required, but if your organisation is a business then it needs business-class hardware. Cheap residential-grade products will commonly lack the bandwidth to support more than a handful of users, and security options are often very basic.

Had to use Managed Network Switch