SmoothWall Guest Network

The Smoothwall guest network previously did not have a valid SSL certificate for HTTPS filtering via Google. As a result, while pages were still blocked as expected, Smoothwall was unable to perform full HTTPS traffic inspection.

To improve reliability and compatibility, a new Guest Network has been created on the UDM-SE at the site. This guest Wi-Fi network operates on both 2.4GHz and 5GHz bands, with Wi-Fi 6 (6GHz) disabled to ensure compatibility with a wider range of devices. Wi-Fi 6 remains enabled on the other non-guest networks.

The security settings for this guest network are as follows:

  • Captive Portal: Enabled, displaying company details and a terms of use message.

  • Authentication: Configured with WPA2-Enterprise security (WPA3-Enterprise was not used at this stage to avoid potential connection issues with older devices; this will be reviewed in the future).

  • Access Control: Authentication is managed via user accounts under the RADIUS server, with accounts created as required for guest users.

  • Filtering: Internet filtering continues to be managed through Smoothwall. Although HTTPS inspection could not be applied due to the missing certificate, content filtering remains active at the domain level.

  • MAC Address Filtering: Initially considered, but not implemented, as it was deemed too restrictive for a school environment.

I have checked to see if there is a way to have user accounts expire on the UDM, but as of yet, there isn't a feature; these accounts have to be done manually.
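Because the accounts do not expire on their own, a dated register of guest accounts can drive the manual clean-up. The script below is an added example, not part of the original page or of any UniFi or Smoothwall tooling; the register columns, account names and dates are constructed assumptions, and it only reports which accounts to remove by hand without contacting the UDM.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample register (not real accounts). The column layout is an
# assumption for this example: username, created (ISO date), valid_days, sponsor.
SAMPLE_REGISTER = """username,created,valid_days,sponsor
guest-visitor01,2024-09-02,1,front-office
guest-supply02,2024-09-02,5,hr
guest-contractor03,2024-08-19,30,site-manager
guest-unknown04,,7,
"""


def review_guest_accounts(register_csv, today, warn_days=2):
    """Classify each guest account as expired, expiring, active or invalid."""
    report = {"expired": [], "expiring": [], "active": [], "invalid": []}
    for row in csv.DictReader(io.StringIO(register_csv)):
        name = (row.get("username") or "").strip()
        try:
            created = date.fromisoformat((row.get("created") or "").strip())
            valid_days = int(row["valid_days"])
            if valid_days <= 0 or not (row.get("sponsor") or "").strip():
                raise ValueError("missing lifetime or sponsor")
        except (ValueError, KeyError, TypeError):
            # No creation date, lifetime or sponsor: report it as a finding
            # instead of silently treating the account as active.
            report["invalid"].append(name)
            continue
        expires = created + timedelta(days=valid_days)
        if expires <= today:
            report["expired"].append(name)      # remove from the RADIUS users
        elif expires - today <= timedelta(days=warn_days):
            report["expiring"].append(name)     # confirm with the sponsor
        else:
            report["active"].append(name)
    return report


if __name__ == "__main__":
    result = review_guest_accounts(SAMPLE_REGISTER, today=date(2024, 9, 6))
    for status, names in result.items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Accounts reported as `invalid` have no recorded owner or lifetime and should be reviewed first.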

The certificate won't be added to this network, as it would need to be installed on personal devices. The certificate has been added to Intune for devices connected to Intune (tablets, macOS, Windows devices).

Staff are all joined to the staff network on a separate VLAN; each network has its own VLAN.