Untangle Firewall, Ubiquiti APs, Guest SSID

Here is my situation.

1. Client has 2 Ubiquiti UniFi APs that currently separate the public and private network.

2. I want to install an Untangle firewall for a content filter based on Active Directory account, but I don't care about the public WiFi.

How do I filter the domain network but leave the public WiFi open?

Thanks for the advice!
 
What's the point in that? Won't people just use the public network to get around the filter if you set it up like that?
 
None of the devices the staff uses are wireless; it is mainly for the owners' devices and the public.

From what I am reading on the Untangle forums, it is going to require using Layer 3 VLANs. I just have not been able to grasp the entire setup yet.
 
Why on earth would you want a wide open public SSID?

Do you really want people bringing in portable devices (iPads, phones, soon-to-be Win8 tablets, etc.) and accessing content you'd rather have blocked that way?

Do you really want random people outside your office or possibly in adjacent offices connecting to your network taking up your bandwidth to access stuff that their bosses might have blocked for them?

Do you want to deal with the court orders that result from Joe Pedo setting up his van outside your office every night to download kiddy porn because it can't possibly be traced back to him?

If it was my network I'd have the domain content filter set up with black lists for what I don't want workers to access, and the public network set up with even more black lists or possibly white lists for stuff you don't care if random people you don't know can access. Heck, I do that at home for my guest network and additionally block all destination ports except 80 and 443; even DNS has to go through local DNS servers.

If the boss HAS to have unfiltered access over wireless, then set up a third private SSID just for him that stays on the work network and set up his AD content filters to give him access to what he needs.
 
You are correct and those are all great points. I was going to suggest to her to add some encryption to it, but that still doesn't stop someone from visiting the office using the WiFi and then using it outside the office in range.

I can also see having limited blocking for porn and such on the public side as well, but what is the point of public WiFi if they aren't going to be able to access their normal sites?

Thanks for the input!
 
Why do guests need to be able to access ALL of their normal sites while visiting your place of business?

You really need to block all destination ports other than 80 and 443. Chances are if anything is sending mail on port 25 it isn't the actual user, probably some malware, and do you really want guests to be able to download torrents on your dime?

Do you want guests accessing file sharing sites? Even on the off chance they're legit sites do you want them downloading a few gigs during working hours because they're bored in the reception area and can, causing slowdowns for real work traffic?

Do people in the reception area really need to be watching the latest YouTube video in high def? Or Netflix or Hulu?

I honestly can't see any reason to have a public wifi AP at a business that's LESS restrictive than the work LAN access. Like I said if someone has legitimate need of more access do it through the AD, the idea of giving strangers less restricted access than people who work for you is just crazy to me. You should be asking how to give the public SSID as little access as possible while still being mostly functional for low bandwidth legit content, without negatively impacting the work LAN.
 
Much harder if you black list file sharing sites, harder still if you use white lists.
 
Our staff network is going to be pretty restrictive, mainly to prevent time wasters. But I will definitely implement it as Dragon is suggesting, just not blocking time wasters. The bandwidth issues for their public network users going on YouTube or Facebook are negligible.

Jay, has application block built in. It is a Layer 7 device.
 