I have a reasonably simple network setup at home, mostly using UniFi gear.
Starts in the workshop, where the ETP is. DV130 in bridge mode to a USG. From there into a US8-150W switch that has a few things plugged into it (RPi, NAS, UniFi CK, Cameras and AP). From there, cat6 underground to the house to an unmanaged AT9000/24 switch, which has the rest of the house stuff on it, including another UniFi AP for wireless access.
USG runs the DHCP, there is one wired network and one wireless network configured. Everything can talk to everything without issue. I'm not using any VLAN tagging and there is only one subnet (192.168.1.x).
I want to implement a guest network. I followed the UniFi example I found on their website, which basically creates another SSID using the cloud key controller, and makes it go through a portal before allowing internet access. This is now working without issue - no password at the portal, no access to the network or indeed the internet. The issue I am having is that anything connected to the guest network also has unadulterated access to everything on the original SSID and network - i.e. a guest can access the RPi, NAS etc. I was under the impression from everything that I have read that this would not be the case - I mean, what's the point of the guest network if it provides the same access (but with less security) as the main SSID?
If anyone has done this themselves and has had a better result, or understands how this works better than I obviously do, I'd be very keen to hear about it.