Create Guest network in cnMaestro without logging in to AP's?

I’m trying to create a basic Guest network, that can only go out to the Internet and can’t see the production LAN. Everything I’ve read so far seems pretty cumbersome- log into the AP’s directly, set up different VLANs and a DHCP pool.

I’m at the point where I’m just ready to create an SSID for Guest and simply turn on Client Isolation.

Is their no easier way to create, in cnMaestro, a Guest network in which the AP’s give out a completely different IP range than the production LAN and only allow it to get to the Internet?

Hi @Michael_Albert

What you’re trying to do should be pretty simple, but without knowing a bit about your network it’s a bit hard to advise on what the easiest way to achieve it is.

You’re probably going to have to do that procedure somewhere in your network if you want guest devices to be given different IPs to your production LAN (which often means they’re in another VLAN too). If the APs aren’t going to be your DHCP server, which device is? It may be easier to configure that device than the APs? In my setup, DHCP is done on an L3 switch, so the APs have no part in that.

The place I’d do it in cnMaestro would be under AP Groups > Your Group > Configuration > Network

Apologies if this is all obvious to you. Give us more details and maybe someone can give you a better steer.

1 Like

Thanks. The only experience I had on a WiFi devices prior to Cambium was, when you selected in your cloud controller an SSID to be a “Guest” network, it would automatically configure an internal DHCP scope for that AP and do the necessary ACL and VLAN adjustments and creation on the AP. The Guest network appeared and there wasn’t much configuration to do outside of captive portal or disable Client isolation.

In my test site I have a single AP, that has a production WiFi network on the LAN. I don’t have the ability to do VLANs or another DHCP scope on the network, and was hoping the AP could handle that part. Is there a way to do this from cnMaestro or does it have to be done in the AP?

I’m looking at having to something similar at the company’s other sites and was hoping to avoid having to log into a pile of AP’s individually. If that’s the only way to do it though, I’ll press on in that direction.

Hi @Michael_Albert
Thanks for the extra info. So the main bit is no, you don’t need to log onto each individual AP and give it its settings. One of the ideas behind cnMaestro is that you do the configuration there and it pushes that out to all the APs. Much like other controller-based Wi-Fi, you can put APs into groups and have different settings for some than others and all that kind of stuff.

That said, if you do actually want to have traffic from guest networks tagged and shunted into a different VLAN, then that VLAN or physical network segment has to actually exist beyond the APs or you’ll have other problems (as in exist in your switches, routers etc).

cnMaestro lets you setup a portal that gives guests access in various ways. These range from a simple “click to accept the terms” type thing, simple passwords, or they can be more complicated and involve user authentication, vouchers and payment etc.

If you can’t setup VLANs then this article may help:

Shout if you need more info.



From your comment, my understanding is that your Guest wifi network is also in the same production LAN but you don’t want wireless clients to access production LAN network after doing Guest access, it should reach only internet. If that is correct, you can enable Guest access and configure “Client Isolation-> Network Wide” in the WLAN, by doing this wireless client will not be able to reach any IP’s on the same network (in your case production network), it can reach only internet.

Please let me know, if above configuration will suffice your requirement, else we have to create separate vlan, DHCP pool for Guest clients, which also can be done via CnMaestro itself.

1 Like

Yes thanks, this seems to be the very simplest solution. I don’t really care about VLANs or any of the other. I just want a Guest WiFi network, in which the guest can only get to the Internet, and can’t see my production network.