UniFi's Advanced Wi-Fi Settings Explained — McCann Tech (2024)


Written By Evan McCann

Originally Posted: November 23rd, 2021
Last Edited: August 11th, 2023

UniFi’s advanced Wi-Fi settings are often misunderstood. The defaults are usually safe, but it is helpful to understand what each setting does while configuring a network or troubleshooting an issue. The tooltips in the interface cover the basics, but we’ll go through them in depth.

These settings and descriptions are using the default “new” interface, and they are current as of UniFi Network Application version 7.5.169. I also list the settings that are only available in the legacy UI at the end and go over the changes that were introduced in previous UniFi Network version 7 releases.

This guide is long but it doesn’t cover everything, and it is not perfect. I try to be accurate and keep this up to date, but that is not always possible. Ubiquiti’s documentation should always be trusted over what you see in this guide. If you notice anything incorrect or have a suggestion, please let me know.

Table of Contents

  • UniFi Global Settings
    • Global AP Settings
    • Global Network Settings
    • Global Switch Settings
  • Creating a New Wi-Fi Network
  • Hotspot Portal & Wi-Fi Band
  • Features & Advanced Settings
    • Band Steering
    • Hide WiFi Name
    • Client Device Isolation
    • Proxy ARP
    • BSS Transition
    • UAPSD
    • Fast Roaming
    • WiFi Speed Limit (Bandwidth Profile)
  • Multicast Management
  • DTIM, Rate Control, & Filtering
  • Security & Wi-Fi Scheduler
  • Radios & Manual Channels
  • Legacy UI Settings

UniFi Global Settings

Before we dive in, we should cover a feature introduced in UniFi Network Application version 7: global AP, switch, and network settings.

Previously, if you had multiple access points and wanted to change their radio settings, you had to do that individually on each access point. With global AP settings, you can control some common settings for all of them. This means you only have to update a setting once for all (or most) of your access points. You can exclude some or all of your APs if you want to control them manually.

With global network and switch settings, you can do the same for common settings on UniFi networks and switches. You can also exclude your switches and networks from the global rules if you prefer manual, individual control.

UniFi Global AP Settings

Channel Width allows you to set channel width for each frequency band of your Wi-Fi radios.

  • 20 MHz is the base channel width, but multiple channels may be bonded together to increase data rates and throughput.

  • 2.4 GHz should almost always be set to 20 MHz. There is not enough space in the 2.4 GHz spectrum to reliably use 40 MHz channels, especially with multiple APs.

  • 5 GHz can be set to 20, 40, 80, or 160 MHz depending on how much you value AP and client density (20 MHz) vs. maximum throughput (80 or 160 MHz). Some clients may not fully support 160 MHz channels in 5 GHz, which requires DFS.

  • 6 GHz can safely be set to 80 or 160 MHz. There is a lot of available spectrum for wide channels, and no requirement for DFS or AFC for 6 GHz low power indoor (LPI) access points such as the U6-Enterprise or U6-Enterprise-In-Wall.

Transmit Power allows you to set TX power for your radios to low, medium, high, auto, or a custom value. The actual dBm values for low, medium, and high are based on the AP model and what they are capable of.

  • Broadly speaking, higher transmit power means longer range, higher signal-to-noise, and higher throughput. Higher power levels can also increase co-channel or adjacent-channel interference, so it is a balancing act.

  • 2.4 GHz signals travel longer distances, and through obstructions like walls or trees more effectively than 5 GHz or 6 GHz signals. In a multi-AP network, turning down 2.4 GHz transmit power helps balance the inherent difference in range. This can lead to better performance and more reliable roaming.

  • 5 GHz and 6 GHz signals attenuate more rapidly and are more affected by obstructions, resulting in around half the range of 2.4 GHz. If you have a very dense area or multiple APs, setting a unique channel and keeping 5 GHz TX power on low or medium may be best. For those trying to achieve the most range and coverage from the APs they have, high 5 GHz and 6 GHz TX power can be set.

  • Recommendation: Auto is a good default, but usually results in maximum power. If setting manually, use the lowest power level that still results in good coverage and signal strength. Keep 2.4 GHz around 6 dBm lower than 5 GHz or 6 GHz in multi-AP networks if you want to keep their coverage area roughly the same.

AP Exclusions is a list of APs that are excluded from the global rules. You can hit the “X” on the right to apply the global rules, or go to their device settings panel and toggle the global rules there.

Optimize Channelization (Nightly Channel Optimization) is an automated process that looks at all connected UniFi APs and the RF environment they are in. It attempts to automatically pick the best channels for you, and usually does a good job.

  • For high-density networks where careful channel planning is important, manual selection is best. For most networks, especially with less experienced administrators, auto channel optimization usually leads to good results.

  • You can apply this to all APs, or only APs configured to auto channel.

  • Recommendation: Leave enabled if you prefer ease of use, disable if you are manually setting channels.

These settings used to be part of the global AP rules, but have migrated to Settings -> System -> Advanced.

Wireless Meshing controls whether or not there is a hidden SSID broadcast, which allows other UniFi APs to connect to the network wirelessly. Mesh APs rely on wireless backhaul rather than wired, but otherwise operate like any other UniFi AP.

  • If you can’t run Ethernet to all of your APs and need to rely on wireless backhaul, you should leave this enabled. Otherwise, you can disable it to reduce SSID and management frame overhead.

  • Recommendation: Uncheck for networks where all APs have wired backhaul. Leave enabled for additional redundancy and a small hit to airtime utilization.

New Device Auto-Link allows wireless UniFi Protect cameras and IoT devices to be automatically visible for adoption. This setting used to enable a hidden “Element-xxxxxx” SSID, but it now enables a hidden SSID with no name. This makes it easier to set up those devices, but can be disabled if you don’t need it.

  • Recommendation: Uncheck once your network is fully set up, or leave enabled if you are often adding new UniFi devices.

Connectivity Monitor Type controls what mesh APs attempt to reach, to determine if they are online. This is only available when wireless meshing is enabled.

  • By default it is the IP of their gateway, typically a UniFi or 3rd party router. You can change this to be any IP you’d like.

  • If the device fails to reach the destination, it will enter an “isolated” state, meaning it can’t reach the network. That usually happens when there is a misconfiguration, such as wireless meshing being turned off, or port or VLAN settings not being correct.

  • Recommendation: Leave at default unless you have a reason to change to a custom destination. Internal resources are better than public destinations like 1.1.1.1 or 8.8.8.8.

UniFi Global Network Settings

In UniFi Network version 7.2, global network and switch settings were added as well, which operate similarly to global AP settings. These mostly come into play when you have a fully UniFi network — UniFi gateway/firewall, switches, and APs.

IPv6 Support globally enables IPv6 support on your networks, and allows for a toggle on networks to set IPv4 and IPv6 separately.

Multicast DNS allows multicast traffic to pass between virtual networks.

  • This setting controls whether mDNS is enabled on the wired network, and any wireless networks that rely on it. Multicast DNS is mostly used to discover devices like a Chromecast or printer. If you have AirPlay, Chromecast, Sonos, Bonjour, or similar devices and you want to be able to discover them on other networks, Multicast DNS should be enabled.

  • For a guest network or a network with no need for Chromecast/AirPlay/Bonjour/Etc, multicast DNS can be disabled.

  • Recommendation: Enable on networks where multicast traffic should be allowed.

IGMP Snooping allows a layer 3 UniFi device to query for multicast clients, and only send multicast traffic to the clients that should receive it.

  • This is another setting that relates to multicast traffic, typically coming from streaming or smart home devices such as AirPlay or Chromecast. It trades latency and support for non-registered multicast traffic for a reduction in bandwidth usage.

  • Enabling IGMP Snooping can improve performance on networks that have streaming or smart home devices on them. On a guest network or a network without the need for it, IGMP snooping can be disabled.

  • Recommendation: Enable if Multicast performance is an issue, and latency and non-registered traffic are not important.

IGMP Proxy and IPTV Support allows you to proxy multicast traffic across networks, setting a source network and networks that are allowed to receive it.

  • This is required for some IPTV providers, and is another setting to consider when troubleshooting multicast issues.

  • Recommendation: Only enable if needed for your IPTV provider.


UniFi Global Switch Settings

DHCP Snooping restricts DHCP functionality to a list of allowed DHCP servers.

  • DHCP snooping and DHCP Guarding allow you to define valid DHCP servers, preventing LAN DHCP-hijacking attacks. This setting would prevent someone plugging in an all-in-one router the wrong way, or someone maliciously trying to take over your network by controlling DHCP IP address assignment.

  • DHCP Guarding is set on individual networks, under the DHCP section.

  • Recommendation: Enable on a network where security is important. Disabling DHCP snooping or verifying the IPs listed are good troubleshooting steps if clients are not receiving DHCP IP addresses.
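To make the DHCP snooping idea concrete, here is an added example (not from the original guide and not UniFi's code) that parses raw DHCP payloads and flags server replies whose server identifier (option 54) is not on an allow list. The allowed server 192.168.1.1, the function names, and the sample messages are constructed for illustration.

```python
import ipaddress
import struct

BOOTP_HEADER_LEN = 236                            # fixed BOOTP fields before the options
MAGIC_COOKIE = bytes.fromhex("63825363")          # marks the start of the DHCP options
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only servers send


def parse_options(payload):
    """Return {option_code: value_bytes} from a raw BOOTP/DHCP payload."""
    start = BOOTP_HEADER_LEN + len(MAGIC_COOKIE)
    if len(payload) < start or payload[BOOTP_HEADER_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    options, i = {}, start
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                         # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def inspect_reply(payload, allowed_servers):
    """Describe a server reply, or return None for client-originated messages."""
    options = parse_options(payload)
    msg_type = (options.get(53) or b"\x00")[0]      # option 53 = DHCP message type
    if payload[0] != 2 or msg_type not in SERVER_TYPES:   # op 2 = BOOTREPLY
        return None
    server_id = options.get(54)                     # option 54 = server identifier
    server = None
    if server_id is not None and len(server_id) == 4:
        server = str(ipaddress.IPv4Address(server_id))
    return {
        "type": SERVER_TYPES[msg_type],
        "server": server,                           # None if the reply omits option 54
        "offered": str(ipaddress.IPv4Address(payload[16:20])),   # yiaddr field
        "allowed": server in allowed_servers,
    }


def unexpected_servers(payloads, allowed_servers):
    """Return the replies that came from servers outside the allow list."""
    findings = []
    for payload in payloads:
        reply = inspect_reply(payload, allowed_servers)
        if reply is not None and not reply["allowed"]:
            findings.append(reply)
    return findings


def build_message(op, msg_type, your_ip="0.0.0.0", server_ip=None):
    """Construct a minimal DHCP message (sample data for this example only)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, 0x1234ABCD, 0, 0,
        bytes(4), ipaddress.IPv4Address(your_ip).packed, bytes(4), bytes(4),
        bytes.fromhex("02005e100001"), b"", b"")
    options = bytes([53, 1, msg_type])
    if server_ip:
        options += bytes([54, 4]) + ipaddress.IPv4Address(server_ip).packed
    return header + MAGIC_COOKIE + options + b"\xff"


ALLOWED_SERVERS = {"192.168.1.1"}   # assumption: the gateway is the only DHCP server
SAMPLES = [                          # constructed messages, not a real capture
    build_message(1, 1),                                    # client DISCOVER
    build_message(2, 2, "192.168.1.50", "192.168.1.1"),     # OFFER from the allowed server
    build_message(2, 2, "192.168.1.77", "192.168.1.254"),   # OFFER from a second router
    build_message(2, 5, "192.168.1.50", "192.168.1.1"),     # ACK from the allowed server
]

if __name__ == "__main__":
    for finding in unexpected_servers(SAMPLES, ALLOWED_SERVERS):
        print("unexpected DHCP", finding["type"], "from", finding["server"],
              "offering", finding["offered"])
```

A switch doing DHCP snooping makes the same decision in hardware and drops the reply; this script only reports it from payloads you already have.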

Jumbo Frames allows for the use of Ethernet frames larger than 1500 bytes, which is the standard size of an Ethernet frame.

  • Enabling this and increasing the maximum size removes the single digit percentage penalty you have from the Ethernet frame header and processing. A gigabit link may go from 940 to 990 Mbps of TCP throughput. Jumbo frames can cause issues for devices that are not configured to deal with them.

  • Recommendation: For the vast majority of networks, leave unchecked. Enable if you need a bit of additional throughput from a congested interface.

Flow Control reduces network congestion and high packet latency by pausing traffic temporarily, increasing overall TCP throughput.

  • Recommendation: Enable on congested networks with high latency, if needed.

Spanning Tree enables rapid spanning tree protocol (RSTP) or the older, regular spanning tree protocol (STP) on your UniFi switches.

  • You’ll still want to set switch priorities individually if you have a network with several switches or links between switches. The lowest priority wins, so your core switch should be 0 or 4096, and the 2nd tier of switches should be 8192, etc.

  • Recommendation: Leave on RSTP unless you are using old switches or devices that do not support RSTP. Sonos devices, for example, often have issues with RSTP but not regular STP.

802.1X Control enables 802.1X authentication on all of your switch ports. Individual ports can still be excepted from this rule.

  • Recommendation: You would want to enable this if you are doing RADIUS authentication on the wired network, otherwise leave unchecked.

Switch Exclusions is a list of the switches that are excluded from the global settings. You can hit the “X” on the right to apply the global rules to them, or go to their device settings panel and control the global rules there.


Creating a New UniFi Wi-Fi Network

In the UniFi interface, network settings are divided into Wi-Fi, Networks, and Internet.

By default, UniFi has one LAN network, 192.168.1.0/24, which is used for all wired and wireless connections. Creating additional virtual networks (VLANs) allows you to segment and restrict traffic. This is commonly used for guest or IoT devices, or separating devices or areas into different network groups. Before diving into wireless settings, set up your networks and VLANs first. This can be done by modifying the default LAN, or by creating a new network under the Networks tab.

If the network you want to use has been created, go to Settings → Wi-Fi → Create New.

Give it a name (SSID), password, and specify which wired network it is going to use. If you don’t want to use the default of a WPA2 password, toggle advanced to manual and scroll down to the “Security Protocol” tab. Otherwise, you can save it, and it will be added to all of your APs by default.

You can pick individual APs or define AP groups to control which APs are broadcasting this network. By default, there is one group, and all APs are in it. You can make additional groups or pick individual APs if you want to limit where this network is being broadcast.

AP Groups — Broadcasting APs

  • Allows grouping of APs and selecting which APs will broadcast this Wi-Fi network.

  • UniFi APs have a limit of either 4 or 8 SSIDs per band, per AP group. Some older models like the AC-Lite only support up to 4 per band. Most models can have up to 8. This means you can have up to eight 2.4 GHz and up to eight 5 GHz networks, or eight dual-band SSIDs. The same applies to 6 GHz.

  • Enabling wireless meshing limits all UniFi APs to 4 SSIDs per band. This is due to the fact that wireless meshing adds a hidden SSID for other APs to connect to.

  • Default: All APs.

  • Recommendation: For smaller networks with only a few APs and no need to limit which APs are broadcasting, use the default “All APs” group. For larger networks, group APs by area or function, and limit the number of SSIDs as much as possible. Each additional SSID adds overhead and reduces capacity, so the fewer SSIDs the better.

If you want a basic network, that’s all you need to do. If you want more, the good stuff is hidden under the manual advanced configuration tab.

Note: A new feature added in version 7 is a warning, letting you know applying these changes is going to disrupt users that are currently connected. That’s why you might see a little triangle with an exclamation mark on the “Add New Wi-Fi Network” button in the bottom right.

Every time you change a Wi-Fi network setting, all UniFi APs need to have the configuration applied. This triggers a provision, which causes a short pause in traffic or disconnection while the AP is applying the new settings.


Hotspot Portal and Wi-Fi Band

Hotspot Portal (Wi-Fi Type)

This applies the settings and design you select under the new “Hotspot Manager” tab on the left side of the UI, which looks like a circle with two semi-circles on the left and right. That is where you control the guest wireless splash page design, authentication, payment methods, and settings. In earlier versions, this was referred to as Wi-Fi Type, which had a toggle between standard and guest hotspot.

  • Default: Unchecked

  • Effect: Checking this box applies your hotspot portal settings and applies client device isolation.

  • Recommendation: Check for networks meant for guests, where you want them to see a splash page, agree to terms and conditions, or pay for use of the network. Leave disabled for secured networks for trusted devices.

  • Note: In previous versions this was referred to as Wi-Fi Type, which had a toggle between standard and guest hotspot.

Wi-Fi Band

  • Options: 2.4 GHz, 5 GHz, or 6 GHz

    • 2.4 GHz: Slower, longer range, more wall penetration.

    • 5 GHz: Faster, shorter range, less wall penetration.

    • 6 GHz: Faster, shorter range, less wall penetration. Limited device support, but lots of available spectrum to use 80 and 160 MHz channels. This requires a Wi-Fi 6E access point. See my U6-Enterprise Preview for more details.

  • Default Setting: 2.4 GHz and 5 GHz. If you have a Wi-Fi 6E AP, the option to add 6 GHz appears.

  • Effect: This setting controls which band your Wi-Fi network broadcasts on. You can pick one, or enable all of them.

  • Recommendation: Leave on dual-band, unless you have connectivity issues with 2.4 GHz devices or want manual control. Enable 6 GHz and change to WPA3 if you have the option.

Note: Dual-band or tri-band SSIDs with multiple access points can lead to roaming issues, with some clients staying on 2.4 GHz, or not roaming to the nearest AP. There are several ways to combat this. Usually adjusting AP placement, lowering 2.4 GHz transmit power, changing channels, or enabling band steering can be effective. You can also create a separate network for each band if you want guaranteed, manual control over which band is used by which device. Otherwise, it’s up to the client device to do the right thing.


Wi-Fi Features and Advanced Wi-Fi Settings

Scrolling below Wi-Fi Band is where things get fun, and the acronyms take over.

Band Steering

  • Band steering forces compatible clients to move to 5 GHz.

  • Default: On

  • Effect: Enabling band steering encourages client devices to use 5 or 6 GHz, and not connect to the slower 2.4 GHz network unless they have to. This has caused connectivity issues in the past, but recently the feature was reworked to be less restrictive and should cause fewer issues with IoT or older 2.4 GHz-only clients.

  • Recommendation: Leave enabled, unless you have connectivity or roaming issues. As a normal troubleshooting step, disabling band steering is a good thing to try. It’s possible that band steering causes issues for your devices on your network, even though it doesn’t cause issues on mine.

Hide Wi-Fi Name

  • This forces access points to send out beacon frames with no SSID, meaning the SSID field in the beacon frame is set to null. Beacons are still sent, and “hidden” networks are still easy to detect. To join a network with a hidden SSID, clients will have to manually enter the SSID name along with the password.

  • Hiding the SSID does not enhance the security of the network. Hidden networks can still be scanned, found, and joined. Using a more complex password or moving to a newer protocol (WPA2/3 vs. WPA or WEP) would be the better way to improve security.

Client Device Isolation

  • Client device isolation prevents clients on the same AP from communicating with each other. Together with network isolation, guest hotspot portal settings, and traffic rules, it can prevent clients from reaching other clients or other networks.

  • Default: Off

  • Effect: Restricts clients from communicating with each other within the network.

  • Recommendation: Enable for high-security guest networks, or IoT networks which would benefit from this restriction. This can also lead to unintended consequences, so test the devices’ behavior before and after changing this setting. Client device isolation used to be referred to as “Layer 2 isolation - isolates stations on layer 2 (Ethernet) level”.

Proxy ARP

  • Proxy ARP allows UniFi access points to proxy ARP requests and other common broadcast frames, as unicast. ARP is the Address Resolution Protocol, which is used to learn the MAC address for a given IP address.

  • Default: Off

  • Effect: Enabling this can reduce broadcast traffic, and therefore airtime usage and latency. This is mainly relevant in larger or higher-density networks where broadcast traffic overhead is a major concern.

  • Recommendation: Enable for large or high-density networks.

BSS Transition

  • This setting enables BSS Transition with WNM, which stands for Wireless Network Management. WNM allows the AP to send messages to clients to give them information about the network, and details of other APs they can roam to. This includes the current utilization and number of clients, allowing the client to make more informed roaming decisions.

  • Default: On

  • Effect: This enables 802.11v, which helps with saving power and the roaming process. It’s still up to the client device to support 802.11v and make a decision based on the given information.

  • Recommendation: Leave enabled, especially in networks with multiple APs.

UAPSD

  • Unscheduled Automatic Power Save Delivery, also known as WMM power save.

  • Default: Off

  • Effect: Enabling allows devices that support UAPSD to save battery power by keeping their Wi-Fi radio in sleep mode for more time. Like a lot of features that are off by default, this can cause issues for some clients, especially older or IoT devices.

  • Recommendation: Turn on if battery life is important, and older/IoT device connectivity is not. Disabling this is a good troubleshooting step if you have performance or connectivity issues.

Fast Roaming

  • Faster roaming for modern devices with 802.11r compatibility. It does this by speeding up the security key negotiation process, allowing both the negotiation and requests for resources to occur in parallel. With 802.1X, keys are cached rather than the client needing to check with the RADIUS server with each roam. With pre-shared key networks such as WPA2, the client goes through the normal 4-way handshake authentication process.

  • Default: Off

  • Effect: Enables OTA (over-the-air) Fast BSS Transition, which allows devices that support it to roam between APs faster. Without this setting enabled, roaming from AP to AP may take a few seconds, and during that time data cannot be sent or received. In most cases you won’t notice this, but latency-sensitive and real-time applications like a voice call can perform poorly. Slow roaming with a VoIP call may result in gaps in the audio. With 802.11r fast roaming enabled, the roams should be nearly unnoticeable.

  • Recommendation: Enable on networks with multiple APs that are used for VoIP, video calls, and other real-time applications. If roaming performance is still an issue, consider adjusting band steering, AP placement, and transmit power levels.

  • Note: Fast BSS Transition works with both pre-shared key (PSK) and 802.1X authentication methods. Older devices should not experience connectivity issues with this enabled.

Wi-Fi Speed Limit (QoS, Bandwidth Profile)

  • Wi-Fi Speed Limit allows you to restrict the amount of bandwidth available for clients connected to the network.

  • Default: Off, bandwidth is unlimited.

  • Effect: Allows you to set per-client download and upload bandwidth limits.

  • Recommendation: Enable if needed, especially on guest networks, networks with limited Internet bandwidth, or with high client density.

  • Note: Create new bandwidth profiles under Settings → Profiles → Wi-Fi Speed Limit


Multicast Management and Client Isolation

Multicast Enhancement (IGMPv3)

  • Permit devices to send multicast traffic to registered clients at higher data rates by enabling the IGMPv3 protocol.

  • Default: Off

  • Effect: Enabling this might improve performance with smart home products such as smart speakers or streaming devices.

  • Sonos speakers for example, usually function better when…

    • Spanning Tree is set to regular STP mode on your switches if using Ethernet. I’d also recommend lowering the priority of your switches so they continue to be the Spanning Tree root bridge.

    • IGMP Snooping is on under network settings → advanced. This allows switches to identify multicast groups used in each port. Multicast streams are forwarded only to network devices that should receive them. This enables the IGMP querier service on a UniFi gateway, letting it create multicast groups which should improve performance of multicast traffic such as video or audio streams. Some people have had better luck with this disabled, and there may be other issues at fault, such as network topology. Multicast is hard to troubleshoot without a packet capture and knowledge of the protocols involved.

    • Multicast Enhancement (IGMPv3) is on under Wi-Fi settings → multicast management. This allows multicast traffic to be converted to normal unicast traffic when possible.

    • Multicast DNS is on under settings → network, for the network being used. mDNS allows for converting host names to IP addresses in a local network without a DNS server. An example of mDNS is Apple’s Bonjour, which is used to quickly set up sharing between computers and other devices. UniFi’s mDNS service allows you to discover devices on other networks, and can assist with discovery within the network.

  • Recommendation: Enabling this setting may help with issues with Chromecast, AirPlay, or other smart home equipment. Another option is to enable mDNS and create a separate SSID for these devices and follow Ubiquiti’s help article steps here.

Multicast And Broadcast Control

  • Multicast and broadcast control restricts the ability to send multicast or broadcast traffic, and allows you to define a list of exceptions.

  • Default: Off

  • Effect: Prevents the transmission of multicast and broadcast traffic in the network.

  • Recommendation: Enable this setting for high-density or guest networks. You can make individual device exceptions if needed.

DTIM, Rate Control, and Filtering

802.11 DTIM Period

  • DTIM stands for Delivery Traffic Indication Message, which is a message that is sent along with beacon frames. The role of the DTIM is to let a sleeping client know that it has buffered data waiting for it.

  • Default for 2.4 GHz: 1, meaning every 2.4 GHz beacon will include a DTIM

  • Default for 5 GHz: 3, meaning every third 5 GHz beacon will include a DTIM

  • Effect: Higher numbers buffer longer, potentially saving battery life. Altering these values can cause a variety of issues though, so change them at your own risk.

  • Recommendation: Leave this set to auto.

Minimum Data Rate Control

  • Minimum data rate control allows you to define the slowest data rate allowed on the network.

  • Disabling the lowest data rates is a common setting to consider for high-density networks where airtime conservation is important. Lower data rates are less efficient, and distant clients can hog airtime by using it inefficiently. When data is sent at a low rate, it uses more airtime, limiting the performance of all the other devices using that AP.

  • This does not limit the range of your AP, and the details are complicated. Rob Krumm has a great analysis of what changing your rate does and does not change if you want more details.

  • Default for 2.4 GHz: All rates allowed (1 to 54 Mbps)

  • Default for 5 GHz: All rates allowed (6 to 54 Mbps)

  • Recommendation: Leave at default for most networks. Disabling rates below 6 or 11 Mbps can improve the efficiency of higher-density networks, but can also lead to connectivity and performance issues. Returning to default settings is a good troubleshooting step.

Device Access Filtering

  • MAC address Filter allows you to restrict clients from joining the network unless they are on the allow list, or block specific MAC addresses.

  • RADIUS MAC Authentication enables the use of a RADIUS server for client authentication on this Wi-Fi network. The settings for this are controlled by RADIUS profiles.

  • RADIUS Profiles allows you to select pre-defined RADIUS profiles.

    • To create a new profile, go to Profiles → RADIUS → Add RADIUS Profile. This is where you define the aspects of your RADIUS server such as IP address, ports, assigned VLAN, shared secrets, and update interval.

  • MAC address format allows you to set the format for the MAC address and whether colons or hyphens are expected.


Security Settings and Wi-Fi Scheduler

Security Protocol

  • Open. No password needed to join the network.

  • WPA2. The older pre-shared key security method, which requires a password to join the network. WPA2 is less secure than WPA3, but is more universally supported, especially on older devices.

  • WPA2 Enterprise. The older 802.1X security method, which requires a RADIUS server to allow users to join the network with a username or password. Usually common in larger networks which need to grant or revoke permission to join without changing other people’s access by changing the pre-shared key.

  • WPA2/WPA3. Allows for a mix of WPA2 and WPA3 connections. Devices that support WPA3 will use the newer and more secure standard, while older clients will fall back to WPA2. This is less secure overall than requiring WPA3, but it is more flexible and less likely to cause issues as we transition to WPA3 as a default.

  • WPA3. The newer pre-shared key security method, which does a lot of magic behind the scenes to be more secure than WPA2. WPA3 is still vulnerable to certain attacks, so still make sure to use a complex password and restrict access to that if it matters.

  • WPA3 Enterprise. The newer 802.1X security method, which like WPA3 personal allows for more secure connections.

  • Note: WPA3 is mandatory for 6 GHz networks

If WPA3 is selected…

WPA3 SAE anti-clogging threshold in seconds

  • Default: 5

  • Note: SAE is Simultaneous Authentication of Equals, and anti-clogging is designed to prevent denial of service (DoS) attacks on the AP. This setting affects the time threshold for what the AP considers “too many” requests.

WPA3 Sync in seconds

  • Default: 5

  • Note: Explaining how WPA3 works is beyond the scope of this guide. Only change these if you know what you’re doing, and have a valid reason.

PMF (Protected Management Frame)

Protected management frame (PMF) is a security feature which aims to prevent intercepting or forging management traffic. Management frames include authentication, de-authentication, association, disassociation, beacons, and probes. These cannot be encrypted like normal unicast traffic, so this feature protects from forgery, preventing some common security attacks.

  • Required: APs will use PMF for all stations. Stations without PMF capability will not be able to join the WLAN.

  • Optional: APs will use PMF for all capable stations, while allowing non-PMF capable stations to join the WLAN.

  • Disabled: APs will not use PMF for any stations.

  • Recommendation: Leave disabled for WPA2 networks, and move to WPA3 if possible.

Note: PMF is required for WPA3 networks.
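The three PMF modes above correspond to two bits an AP advertises in the RSN element of its beacons. This added example (not from the original guide; the SSID names and sample elements are constructed) parses that element, reports the security protocol and PMF mode, and flags a WPA3-only network that does not require PMF.

```python
import struct

RSN_ELEMENT_ID = 48
IEEE_OUI = bytes.fromhex("000fac")
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}
MFPR = 0x0040   # RSN capabilities bit 6: management frame protection required
MFPC = 0x0080   # RSN capabilities bit 7: management frame protection capable


def parse_rsn(element):
    """Return (akm_names, pmf_mode) from a raw RSN information element."""
    if len(element) < 2 or element[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = element[2:2 + element[1]]
    try:
        pos = 2 + 4                                   # skip version and group cipher suite
        (pairwise_count,) = struct.unpack_from("<H", body, pos)
        pos += 2 + 4 * pairwise_count                 # skip the pairwise cipher suites
        (akm_count,) = struct.unpack_from("<H", body, pos)
        pos += 2
        suites = [body[pos + 4 * i:pos + 4 * i + 4] for i in range(akm_count)]
        pos += 4 * akm_count
        (caps,) = struct.unpack_from("<H", body, pos)
    except struct.error:
        raise ValueError("truncated RSN element") from None
    akms = []
    for suite in suites:
        if suite[:3] == IEEE_OUI:
            akms.append(AKM_NAMES.get(suite[3], "type %d" % suite[3]))
        else:
            akms.append(suite.hex())                  # vendor-specific suite
    if caps & MFPR:
        pmf = "Required"
    elif caps & MFPC:
        pmf = "Optional"
    else:
        pmf = "Disabled"
    return akms, pmf


def classify(akms):
    """Map the advertised AKM suites to the protocol names used in the UniFi UI."""
    names = set(akms)
    psk = names & {"PSK", "PSK-SHA256"}
    if "SAE" in names:
        return "WPA2/WPA3" if psk else "WPA3"
    if psk:
        return "WPA2"
    if names & {"802.1X", "802.1X-SHA256"}:
        return "Enterprise (802.1X)"
    return "Unknown"


def audit(ssid, element):
    """Summarize one network and list settings that contradict each other."""
    akms, pmf = parse_rsn(element)
    protocol = classify(akms)
    findings = []
    if protocol == "WPA3" and pmf != "Required":
        findings.append("WPA3-only network does not require PMF")
    if protocol == "WPA2/WPA3" and pmf == "Disabled":
        findings.append("SAE is advertised with PMF disabled")
    return {"ssid": ssid, "protocol": protocol, "pmf": pmf, "findings": findings}


def build_rsn(akm_types, caps):
    """Construct an RSN element with CCMP ciphers (sample data for this example)."""
    ccmp = IEEE_OUI + b"\x04"
    body = struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
    body += struct.pack("<H", len(akm_types))
    body += b"".join(IEEE_OUI + bytes([t]) for t in akm_types)
    body += struct.pack("<H", caps)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


SAMPLES = [                                            # constructed, not captured
    ("Home-WPA2", build_rsn([2], 0)),
    ("Home-Mixed", build_rsn([2, 8], MFPC)),
    ("Home-6GHz", build_rsn([8], MFPC | MFPR)),
    ("Lab-Misconfigured", build_rsn([8], MFPC)),
]

if __name__ == "__main__":
    for ssid, element in SAMPLES:
        print(audit(ssid, element))
```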

Group Rekey Interval

  • This setting controls how often an AP changes the GTK, or Group Temporal Key. The GTK is a cryptographic key that is used to encrypt all broadcast and multicast traffic between APs and clients.

  • Default: 3600 seconds.

  • Effect: Lower intervals mean the key changes more often, but can cause users to disconnect or be unable to join the network with the message ‘wrong password’, even if the credentials are correct.

  • Recommendation: Leave at default.

Wi-Fi Scheduler

The Wi-Fi scheduler allows you to turn an SSID on or off at a certain time, or set up a weekly schedule.


Radio Settings and Manual Channel Control

Radios: Channel, Width, and Power

2.4 GHz

2.4 GHz channel width should almost always be set to 20 MHz, due to there not being enough space in the 2.4 GHz band for 40 MHz channels to be used reliably. There are only 3 non-overlapping 20 MHz channels to use: 1, 6, or 11. Pick one of those and try to keep other APs on that channel as far away as possible.

An example would be a two-story house with a basement. If you have one AP per floor, you’d pick channel 1 for the basement, channel 11 for the 1st floor, and channel 6 for the 2nd floor. If you have to add a 4th AP to cover the backyard, pick the channel with the weakest signal strength and least amount of interference. Ideally, you’ll push most of your bandwidth-heavy clients off of 2.4 GHz anyway.

5 GHz

The default channel width is 40 MHz, and that’s a good default. There are 4 non-overlapping 40 MHz channels, and more if you consider going into DFS space. Wider channels like 80 or 160 MHz deliver more throughput, but also have more noise and interference, worse range, and are less widely supported. A 20 MHz channel is the foundation; anything more requires channel bonding and a bit of compromise.

The channel number you select sets the primary 20 MHz channel. If you’re at 40 MHz width, you’ll be using the channel above or below as well. Picking a 40 MHz width and channel 36 uses the 20 MHz for channel 36 and the 20 MHz for channel 40. With that in mind, here are the unique non-DFS channels you can choose in the US:

  • 20 MHz has nine: 36, 40, 44, 48, 149, 153, 157, 161, or 165

  • 40 MHz has four: 36/40, 44/48, 149/153, or 157/161

  • 80 MHz has two: 36/40/44/48 or 149/153/157/161

When you add in DFS space, you have several other channels to pick from:

  • Sixteen 20 MHz DFS channels: 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, or 144

  • Eight 40 MHz DFS channels: 52/56, 60/64, 100/104, 108/112, 116/120, 124/128, 132/136, 140/144

  • Four 80 MHz DFS channels: 52/56/60/64, 100/104/108/112, 116/120/124/128, 132/136/140/144
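To make the bonding rule concrete, the following added example (not from the original article or from Ubiquiti) maps a primary channel and width to the 20 MHz channels it occupies, then audits a small plan for overlapping APs and DFS use. It covers 20, 40 and 80 MHz only, and the AP names and sample plan are constructed.

```python
from itertools import combinations

# Contiguous runs of US 5 GHz 20 MHz channels (channel numbers step by 4).
BANDS = [(36, 64), (100, 144), (149, 165)]
DFS_CHANNELS = range(52, 145)  # 52-144 are DFS, per the lists above


def bonded_block(primary, width_mhz):
    """Return the 20 MHz channels occupied by `primary` at `width_mhz`."""
    if width_mhz not in (20, 40, 80):
        raise ValueError("this example covers 20, 40 and 80 MHz only")
    n = width_mhz // 20  # number of bonded 20 MHz channels
    for first, last in BANDS:
        if first <= primary <= last and (primary - first) % 4 == 0:
            start = first + ((primary - first) // 4 // n) * n * 4
            block = tuple(range(start, start + 4 * n, 4))
            if block[-1] > last:  # e.g. 165 has no partner to bond with
                raise ValueError(f"channel {primary} cannot bond to {width_mhz} MHz")
            return block
    raise ValueError(f"{primary} is not a US 5 GHz channel")


def audit_plan(aps):
    """aps: {name: (primary, width_mhz)} -> (blocks, overlaps, dfs_aps)."""
    blocks = {name: bonded_block(*cfg) for name, cfg in aps.items()}
    overlaps = [
        (a, b, sorted(set(blocks[a]) & set(blocks[b])))
        for a, b in combinations(blocks, 2)
        if set(blocks[a]) & set(blocks[b])
    ]
    dfs_aps = sorted(name for name, blk in blocks.items() if any(c in DFS_CHANNELS for c in blk))
    return blocks, overlaps, dfs_aps


# Constructed sample plan with hypothetical AP names.
SAMPLE_PLAN = {
    "office": (44, 80),
    "hallway": (36, 40),
    "garage": (149, 40),
    "backyard": (100, 20),
}

if __name__ == "__main__":
    blocks, overlaps, dfs_aps = audit_plan(SAMPLE_PLAN)
    for name, blk in blocks.items():
        print(f"{name:9} {'/'.join(map(str, blk))}")
    for a, b, shared in overlaps:
        print(f"overlap: {a} and {b} share {shared}")
    print("DFS in use on:", dfs_aps)
```

In the sample plan, the office AP at 80 MHz on channel 44 silently covers the hallway AP's 36/40 pair, which is the kind of overlap that is easy to miss when only primary channel numbers are compared.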

For 160 MHz channels in 5 GHz, you need to utilize DFS space. There are three non-overlapping channels available:

  • 36/40/44/48/52/56/60/64

  • 100/104/108/112/116/120/124/128

  • 132/136/140/144/149/153/157/161

For dense networks with 4+ APs, 20 or 40 MHz width and a manual channel plan to minimize overlap usually leads to the best results. For normal home networks that prioritize speed, 40 or 80 MHz is usually best. If you have modern clients, a use case that would benefit from a several hundred Mbps, aren’t worried about interference or your Wi-Fi neighbors, or just wanna go fast: try 160 MHz.

Using 80 or 160 MHz channels in a multi-AP network requires dealing with DFS, or being limited to two unique 80 MHz channels. Not all devices support 160 MHz, and 160 MHz channels are the most susceptible to noise and interference. These wide channels trade range for noise and speed. You’ll get the most use for your gigabit connection, but 40 or 80 MHz channels may be a better balance. Sometimes it makes sense to mix and match, where you’d put a big fat 160 MHz channel in your office, but use a more conservative 20 or 40 MHz channel on the outdoor AP that covers your back yard. Experiment and see what works best for you.

6 GHz

6 GHz is largely the same as 5 GHz, but there is no DFS. For low-power indoor APs like the U6-Enterprise or U6-Enterprise-In-Wall, there is no AFC requirement either. Power limits are set with a constant spectral density rather than a constant EIRP. What that means in practice is that there is no noise penalty for doubling a channel width in 6 GHz. With each +3 dB (doubling) of noise, the EIRP doubles as well. That means 6 GHz is the best place for 80, 160, and eventually 320 MHz wide channels.

If you have 6 GHz APs and 6 GHz devices, set a wide channel, high power, and let it rip. You will also need to enable WPA3, which is required for 6 GHz operation. 6 GHz also has a slightly worse range and penetration than 5 GHz, so it will quickly fall off in strength when it passes through a wall or floor.

Minimum RSSI and Meshing

Minimum RSSI is a concept where clients will be dropped from the AP once they reach a certain threshold. This should keep clients from associating to the AP in the basement when they are on the 2nd floor, and situations like that. A good general RSSI to shoot for is around -70 dBm, but you may want to raise or lower that depending on your noise floor, network layout, and what you are trying to achieve.

Meshing is a toggle to enable or disable the ability to provide wireless backhaul to other APs. With this checked, nearby UniFi APs will be able to use this AP for a connection to the network. This is usually what you want to do if you can’t provide Ethernet to that AP, or you want to have it available as a backup if you have a flaky cable. Otherwise, turning this off is fine and will save you a tiny bit of overhead.

Band Steering

Band steering can be set to off, prefer 5 GHz, or balanced. With off, the AP doesn’t do anything to encourage clients to join 5 GHz, and clients may prefer to join the 2.4 GHz radio due to it having longer range and a higher RSSI. Those clients may be closer to another AP and a stronger 5 GHz radio, but a lot of times the Wi-Fi client device will stay connected to the 2.4 GHz radio. Setting band steering to prefer 5 GHz can sometimes help with that. It can also cause issues with some IoT or 2.4 GHz-only devices, so balanced is sometimes a safer choice. This is one more knob to turn when you’re having issues with roaming.

IP Settings and Miscellaneous

IP settings is where you define the management IP address of the AP. By selecting Network Override, you can have it be in a virtual network rather than the default, untagged network. When doing this, make sure the port you are connecting the AP to is a trunk port, and it has access to the virtual network you are assigning. By default, all networks are allowed. Setting an invalid virtual network or IP configuration will prevent your UniFi Network controller from being able to reach or manage your device. That may require a port change or AP reset to fix.

Under network override are the common settings you’d expect: IP, subnet mask, gateway, DNS, and DNS suffix. Below that you have a few options which vary by AP model, but that is where you’d control the LED, SNMP, copy an existing configuration from another AP, enter the debug terminal, do a manual firmware update, flash the LED to locate it, restart or remove the device from your network.

Legacy UI Settings (as of version 7.5.169)

For a long time now, it’s been clear that the old “legacy” user interface was going away. For a while, some settings were in one but not the other interface. Going forward, all settings and development effort are in the new UI, and the legacy UI is being left to rust. These settings are missing in the new interface, or have been moved/renamed.

  • Apply Guest Policies is now controlled by the network type setting of “guest network”

  • Multicast and Broadcast Filtering or Block LAN to WLAN Multicast and Broadcast Data are now Multicast and Broadcast Control, under settings → Wi-Fi → select the network → Multicast Management

  • Beacon Country - add 802.11d country roaming enhancements

  • TDLS Prohibit - block Tunneled Link Direct Setup (TDLS) connections

  • Point to Point - also referred to as P2P

  • P2P Cross Connect - allow wireless stations to connect with each other through AP using P2P

  • Send beacons at 1 Mbps is now controlled with the minimum data rate control settings.

  • User Group is now called bandwidth profile, for restricting maximum bandwidth for connected client devices

  • L2 Isolation is now called Client Isolation, and enabled by default on guest type networks

  • Legacy Support - Enable legacy device support (i.e. 11b).

  • High Performance Devices or Connect high performance clients to 5 GHz only is now controlled by the band steering setting
