How to set up a Guest Network Policy without a second public IP?

Guests to school - parents, visiting teachers, visiting students, and others, would need (and maybe expect) some form of internet access when they visit your school. While providing such internet access is a good idea, it is necessary that just like the other school network users, guests should also be governed by appropriate web filtering policies. They should also stay protected from inappropriate content and malicious websites.

Securly's Guest Network Policy helps you to do just that. However, previously, implementing a Guest Network Policy with Securly required schools to have a separate public IP address dedicated to it. We understand that sparing an IP address might not be a feasible option for many schools. And so we have introduced a new option. (You can read about how the original Guest Network policy works in this article here.)

This new option for enabling the Guest Network Policy is available to all paid customers of our Filter platform and is extremely easy for school network admins to implement.

Securly has set up two brand new DNS IPs for each of its clusters. So when guest traffic from your school uses these new DNS servers for resolution, we will apply your specific school guest network policy, not ask users to authenticate, and not decrypt their HTTP/S traffic.


  • One static public IP address: This can be the same static IP address your existing internet traffic uses and exits from your firewall.
  • The ability to adjust the DHCP scope for the network your guests connect to. This can be a guest SSID or wired network.

How do I get started?

Simple! Our support team can enable this feature on your account with a simple request. Reach out to our team here and mention you would like the new Guest Network Policy enabled for your Filter account.  Once the new Guest Network Policy has been enabled, our support team will then provide you with the DNS IP addresses you'll want to use in the DHCP scope for the network which your Guests connect to.

Best Practices

  • Configure the DHCP scope your guest devices receive in such that a device receives the Securly DNS IP addresses themselves and not your internal DNS Server IP addresses.
  • If you have Port 53 restricted on your firewall, you will need to ensure the rules specified in the article here have been appended to include the additional Securly DNS IP's you will be receiving.
  • Please ensure that the network(s) which your filtered users (students, staff, etc.) usually connect to are not scoped to receive the new Guest Network DNS IP addresses. This should be reserved only for Guest or BYOD device networks (SSID and Wired).

As every school network is different, if you run into any issues or have specific questions, we're only a support ticket away.

How it works

  • Guest Network Policy does not require any certs to be deployed for web filtering to work for guests.
  • All traffic would be filtered and blocked according to Guest Network Policy and Global Allow/Deny lists.
  • Guest Network Policy will only log and display the blocked content that a user attempted to visit, under the Reports tab.
  • You can whitelist and blacklist websites for the Guest Network Policy as and when required. However, wildcards are not supported.
  • The YouTube Restricted Mode can be enabled all guest users
  • Guest Network Policy defaults safe search for Google and Bing search engines.

Please note that the Guest Network Policy does not support:

  • User-based policies
  • Keyword scanning
  • Yahoo search
  • Forced login
  • Mapping of OUs
  • Display of devices signed under GNP on the geolocation map
  • Restricting Google logins to personal accounts
  • Wildcards
  • Image result filtering using the Restrict Image Search to Creative Commons functionality
Was this article helpful?
13 out of 22 found this helpful
Have more questions?
Submit a request



Article is closed for comments.

Articles in this section

See more