Unifi - Allow Public SSID access to one server on LAN



  • I have to enable access to a Listen Everywhere server by https://www.listentech.com

    First things first, I need to be able to access 192.168.0.5 and 192.168.0.6 from the open SSID that has guest policy enabled.

    .5 and .6 are on the corporate LAN.

    I can ping them from the open SSID with Guest Policy enabled, but ICMP, DNS, and DHCP are never isolated between LAN and SSID, so pinging is not a valid test.

    The user says their app does not connect to .5 or .6.

    The app is doing a scan of some sort to find the Listen Everywhere server, but we don't know what kind of scan it is doing. Maybe a broadcast?

    I want to start with the basic settings to allow a client on the open SSID with guest policy enabled to access ONLY the .5 and .6 devices on the LAN.

    What is unknown to me, thanks to UBNT's great documentation, is whether the Pre-Authorization Access trumps the Post-Authorization Restrictions. Also, if it is an open network, is there even a post-authorization upon which restrictions can be applied?



  • Not sure you can do what you want using what I assume is Guest Access on the Unifi system.

    You'll likely have to set up a VLAN, create a new SSID for that VLAN - and allow routing between VLANs at your router to gain access to the .5 and .6 - no different than normal publishing to the internet, only that you'll be able to lock it down to only the guest VLAN you create.



  • @Dashrender said in Unifi - Allow Public SSID access to one server on LAN:

    Not sure you can do what you want using what I assume is Guest Access on the Unifi system.

    You'll likely have to set up a VLAN, create a new SSID for that VLAN - and allow routing between VLANs at your router to gain access to the .5 and .6 - no different than normal publishing to the internet, only that you'll be able to lock it down to only the guest VLAN you create.

    I would second this, at least that is how I set up Guest wifi or separate wireless networks.



  • @Dashrender is correct, you need to use a real VLAN for this.

    Because this:

    but ICMP, DNS, and DHCP are never isolated between LAN and SSID, so pinging is not a valid test.

    Is not true on a VLAN.
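
Since the thread notes that ping is not a valid test, here is an added example (not part of the original thread) that checks the policy with TCP connects from a client on the guest network: .5 and .6 should be reachable, and any other LAN host should not. Assumptions: the ports the app uses are unknown, so `PORTS` is a placeholder; `192.168.0.10` is a hypothetical other LAN host; the firewall drops blocked traffic rather than rejecting it.

```python
import socket

ALLOWED = ["192.168.0.5", "192.168.0.6"]  # the two servers named in the thread
BLOCKED = ["192.168.0.10"]                # hypothetical: any other corporate LAN host
PORTS = [80, 443]                         # placeholder: the app's real ports are unknown


def tcp_state(host, port, timeout=2.0):
    """Return 'open', 'refused' or 'filtered' for one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The host answered with a reset: nothing is listening, but the
        # packet was routed there, so the firewall let it through.
        return "refused"
    except OSError:
        # Timeout or unreachable: consistent with a drop rule (assumed above).
        return "filtered"


def audit(allowed, blocked, ports, timeout=2.0):
    """Return (host, port, state, ok) rows; ok means the result matches intent."""
    rows = []
    for host in allowed:
        for port in ports:
            state = tcp_state(host, port, timeout)
            # For allowed hosts, anything but 'filtered' proves the path exists.
            rows.append((host, port, state, state != "filtered"))
    for host in blocked:
        for port in ports:
            state = tcp_state(host, port, timeout)
            # For every other LAN host, only 'filtered' shows isolation works.
            rows.append((host, port, state, state == "filtered"))
    return rows


if __name__ == "__main__":
    for host, port, state, ok in audit(ALLOWED, BLOCKED, PORTS):
        print(f"{'PASS' if ok else 'FAIL'} {host}:{port} {state}")
```

This only covers unicast TCP; if the app finds the server by broadcast, as the first post guesses, that discovery traffic needs its own check.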

