Do you use guest WiFi?

Unless I have poor cell signal, I don't bother, as most businesses that offer guest networks arbitrarily slow them down to be useless, against best practice. They might have a 500mbps connection, but ratelimit to something ridiculous like 10mbps. This'll cause unnecessary load, driving up demand on spectrum time. If you're interested in why this is a bad idea, check out https://jimswirelessworld.wordpress...etflix-effect-aka-dont-rate-limit-your-wi-fi/

I also don't bother using VPN, unless I need to get into my home, work, etc. networks. 99% of internet usage is encrypted now, so why add another choke point and double-encrypt things unnecessarily?

My church offers a guest network that gets heavily used -- hundreds of clients at a time on a Sunday... but cell service is a crapshoot, and I don't even bother ratelimiting. Even with 300 clients on the network, our 2x1Gbps connections barely get touched other than bursting. Example, we had over 600 clients throughout the day yesterday and barely hit 100mbps throughout the day... here is a graph of the subinterface on the firewall that feeds the guest VRF:

They might have a 500mbps connection, but ratelimit to something ridiculous like 10mbps. This'll cause unnecessary load, driving up demand on spectrum time. If you're interested in why this is a bad idea, check out https://jimswirelessworld.wordpress...etflix-effect-aka-dont-rate-limit-your-wi-fi/
This is expected behavior with rate shaping. Netflix mostly transports video packets over TCP, which guarantees reliable transport, no resulting packet loss at the application layer. However, the Netflix server will burst a lot of traffic, maybe 50-100Mb/s for a short duration, which overruns the shaper, causing the shaper to drop some packets. Dropping packets is how a shaper slows an offending stream down. Since Netflix transports over TCP, the lost packets will be retransmitted. Retransmission is devastating to throughput. The Netflix server now knows it is way behind delivering video packets, so it sends a large burst again. You see the problem here, there is no escape from packet drops and terrible throughput.

I have had this same problem at hotels and campgrounds, when I see what's happening I just turn the video off because you can't get off the packet loss/burst merry-go-round.
 
If I was at church, why would I want to be on WiFi, especially on Easter?!?

Guest WiFi to me implies easy access, which means lower security. Why would I want to risk it?

If cell service is good, what’s the point?
Maybe the church service was boring, in Latin, or you are an Atheist being in church against your will.
 
My data plan gives me 75 GB per month so the only time I use WiFi is when I’m at home or at my girlfriend’s place.
 
This is expected behavior with rate shaping. Netflix mostly transports video packets over TCP, which guarantees reliable transport, no resulting packet loss at the application layer. However, the Netflix server will burst a lot of traffic, maybe 50-100Mb/s for a short duration, which overruns the shaper, causing the shaper to drop some packets. Dropping packets is how a shaper slows an offending stream down. Since Netflix transports over TCP, the lost packets will be retransmitted. Retransmission is devastating to throughput. The Netflix server now knows it is way behind delivering video packets, so it sends a large burst again. You see the problem here, there is no escape from packet drops and terrible throughput.

I have had this same problem at hotels and campgrounds, when I see what's happening I just turn the video off because you can't get off the packet loss/burst merry-go-round.
Eventually, network folks will realize that they’re doing more hurt than good… I’ll usually test the WiFi when I’m going somewhere and as soon as I see the 10mbps penalty box, it’s back to FirstNet “5G+”.
 
I have no problem using available WiFi to surf and the like.
It's typically faster than 5G and we do not have unlimited data, although I've never maxed mine out.
As @wwillson pointed out, with end to end encryption there really isn't any risk.
 
The author of this article went through all this testing just to learn that it takes longer to download a full movie at 2.5 Mbps than it takes at 100 Mbps?

IMO, he misses the point altogether. Free wifi/guest networks are not for downloading entire movies. You can do that at home, before you leave home. These courtesy networks are to allow you to check your email and browse the net, in which case even 2.5 Mbps is sufficient. They don't want you streaming videos or downloading huge files on purpose.
 
Free VPNs are just honey pots, super dangerous. The only paid VPNs that I trust are Mullvad and Proton.
What about google VPN since they know everything about you anyway?

Also most of the guest wifi around me are at least 50Mbits.
Even the grocery store is 100Mbit capped.

I typically use them only when I have a bad signal.
 
All networks are to be treated as compromised, only a fool believes otherwise. End-to-end TLS (newer version of SSL) encryption is your savior.

No banking app passes traffic in the clear, all are end-to-end encrypted. Websites that display the closed lock, like BITOG, are encrypted end-to-end. I have zero problem using any WiFi as long as I see the lock or I am using an app that is known to use encryption. Yes, I will use my banking app on whatever WiFi I can get.

The giant caveat everyone should know is this: If you are ever prompted to install a certificate to use a WiFi network, then turn your WiFi off and run away as fast as you can (figuratively). If you do install the certificate, it is likely an intermediate certificate and you just allowed a man-in-the-middle to decrypt all of your sessions and steal your data and credentials.
Very helpful.

Not sure if all apps have confirmation of the encryption. I assume it’s best practice, but is there a standard way to verify?

I need to find out how one checks if they have inadvertently installed a certificate. When WiFi access splash screens pop up to push terms and conditions or logons who knows what else loads…
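One way to answer both questions above in code, as an added example that is not from this thread: compare the issuer CN of the certificate a site presents with the issuer you recorded from a trusted network, and list the roots your local trust store currently loads. The host name, the `Example Public CA R3` issuer and `SAMPLE_CERT` are constructed placeholders, not real values.

```python
"""Spot an interposed CA: check a site's certificate issuer against a known baseline,
and list the root CAs Python's default trust store loads on this machine."""
import socket
import ssl


def issuer_common_name(cert):
    """Return the issuer CN from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def issuer_matches(cert, expected_issuers):
    """True when the issuer CN is one of the CAs this host is normally signed by."""
    return issuer_common_name(cert) in expected_issuers


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect with the default trust store and return the leaf certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def list_trusted_roots():
    """Subject CNs of the CA certificates the default context has loaded.
    Caveat: on some platforms this only shows certs loaded from files, not the
    full OS store, so also review the OS certificate manager for added roots."""
    ctx = ssl.create_default_context()
    names = []
    for ca in ctx.get_ca_certs():
        for rdn in ca.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return sorted(names)


# Constructed sample in getpeercert() shape; not captured from any real site.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA Inc"),),
               (("commonName", "Example Public CA R3"),)),
}

if __name__ == "__main__":
    expected = {"Example Public CA R3"}  # record this from a network you trust
    cert = fetch_peer_cert("www.example.com")
    print("issuer:", issuer_common_name(cert), "| expected:", issuer_matches(cert, expected))
    print("loaded roots:", len(list_trusted_roots()))
```

A mismatch on a guest network, or a root in the list you do not recognise, is the cue to disconnect and remove whatever the captive portal added.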
 
Anything not in your home and not at work.


Any VPN free or otherwise that you don't control.
Yep, I have all my staff use the work VPN (which is fed by gigabit symmetrical fibre) when they are travelling, so that they are forced to run all traffic through our filters and DNS queries are exclusively landing at a known-good resolver. I've always run a mostly Cisco shop, so we are using AnyConnect O365 integrated for MFA and split-tunneling is disabled.

Had an employee, years ago, using his personal cell phone at a hospital, and was on the "guest wifi" and got MITM'd and his accounts compromised.

With the availability of home firewalls like those from Unifi at reasonable prices that can act as an SSL VPN server, I'm not sure why somebody would subscribe to a 3rd party for roadwarrior use unless they are trying to bypass a geofiltering service.
 