UniFi's Advanced Wi-Fi Settings Explained

Originally Posted: November 23rd, 2021

UniFi's Advanced Wi-Fi settings are often misunderstood. The defaults are usually safe, but it's helpful to understand what these settings do while setting up a network or troubleshooting an issue. Ubiquiti doesn't do the best job at explaining, so let's go through them one by one.

These settings and descriptions are using the default "new" interface, and they are current as of UniFi Network Application version 6.5.53. I also list the settings that are only available in the classic/old interface at the end.

The UniFi Wi-Fi settings page, as of version 6.5.53.

Creating a New UniFi Wi-Fi Network

In the UniFi interface, network settings are divided into Wi-Fi, Networks, and Internet.

  • Wi-Fi controls your wireless connections, including SSID, password, and other advanced settings.

  • Networks controls your LAN networks and VLANs, including DHCP, DNS, and IP addresses.

  • Internet controls your WAN connections, including VLANs, IP addresses, and Smart Queues for QoS.

By default, UniFi has one LAN network, which is used for all wired and wireless connections. Creating additional networks allows you to segment and restrict traffic. This is commonly used for guest or IoT devices, or separating devices or areas into different network groups. Before diving into wireless settings, set up your networks and VLANs first. This can be done by modifying the default LAN, or by creating a new network under the Networks tab.

If the network you want to use for Wi-Fi has been created, go to Settings → Wi-Fi → Add New Network.

Give it a name (SSID), password, and specify which network it is going to use. If you don't want to use the default of a WPA2 password for the network, open the advanced options and scroll down to the "Security" tab and change the settings there. Otherwise, you can save it, and it will be added to all of your APs by default.

If you want a basic network, that's all you need to do. If you want more, the good stuff is hidden under the advanced tab.

Creating a new UniFi Wi-Fi network.

UniFi's Advanced Wi-Fi Settings

Wi-Fi Band

  • 2.4 GHz: Slower, longer range, more wall penetration.

  • 5 GHz: Faster, shorter range, less wall penetration.

  • Default: Both.

  • Effect: This setting controls which band your Wi-Fi network broadcasts on. You can pick one, or enable both.

  • Note: Dual-band SSIDs can lead to roaming issues, with some clients not using 5 GHz, or not roaming to the nearest AP. There are several ways to combat this - usually adjusting AP placement, lowering 2.4 GHz transmit power, enabling band steering, fast roaming, or the "high performance devices" settings can be effective. You can also create a separate 2.4 GHz and 5 GHz network if you want guaranteed, manual control over which band is used by which device.

Optimize IoT Wi-Fi Connectivity

  • Improves the connection reliability of IoT devices.

  • Default: On.

  • Effect: Forces DTIM settings to default values of 1 for 2.4 GHz and 3 for 5 GHz. More on DTIM below, under the 802.11 Rate and Beacon Controls section.

AP Groups

  • Allows grouping of APs and selecting which will broadcast this Wi-Fi network.

  • Default: All APs.

  • Note: UniFi has a limit of 4 SSIDs per band, per AP group. You can stretch this to 8 total SSIDs if you limit your networks to a single band. You can have up to four 2.4 GHz and up to four 5 GHz networks, or four dual-band SSIDs. You can always create additional SSIDs, but each AP or AP group can only broadcast a total of four SSIDs, per band, at a time.

Setting the Wi-Fi Band and AP Groups. Don't judge me, single AP groups are handy for testing!

Scrolling below AP Groups is where things get fun, and the acronyms take over.

UAPSD

  • Unscheduled Automatic Power Save Delivery, also known as WMM power save.

  • Default: Off

  • Effect: Enabling allows devices that support UAPSD to save battery power by keeping their Wi-Fi radio in sleep mode for more time. Like a lot of features that are off by default, this can cause issues for some clients, especially older or IoT devices.

  • Recommendation: Turn on if battery life is important, and older/IoT device connectivity is not.

High Performance Devices

  • Connect high performance clients to 5 GHz only.

  • Default: On.

  • Effect: Disabling this allows "high performance" clients to join 2.4 GHz. This can fix (or make worse!) some problems with dual-band SSIDs and poor roaming performance, at the cost of less throughput when devices connect to 2.4 GHz.

  • Recommendation: Disable if you have areas which are only covered by 2.4 GHz, or have issues with 2.4 GHz clients not being able to join the network.

  • Note: Ubiquiti doesn't specify what "high performance" is, but I would assume this applies to devices that support Wi-Fi 5 or 6, and multiple spatial streams. Modern phones and laptops, basically.

Proxy ARP

  • Remaps ARP table for station. ARP is the Address Resolution Protocol, which is used to learn the MAC address for a given IP address.

  • Default: Off

  • Effect: Enabling allows the AP to answer ARP requests for client devices, which helps to limit broadcast traffic. This is mainly relevant in larger, higher density networks.

  • Recommendation: Enable for high-density networks.

Legacy Support

  • Enable legacy device support (i.e. 11b).

  • Default: Off

  • Effect: Enabling this allows connections to older devices that don't support 802.11g or newer standards.

  • Recommendation: Only enable if you need devices that only support 802.11a or 802.11b to connect to the network.

UniFi's advanced Wi-Fi settings.

Multicast Enhancement (IGMPv3)

  • Permit devices to send multicast traffic to registered clients at higher data rates by enabling the IGMPv3 protocol.

  • Default: Off

  • Effect: Enabling this might improve performance with smart home products such as smart speakers or streaming devices. Sonos speakers, for example, usually function better when…

    • Spanning Tree is set to regular STP mode on your switches. I'd also recommend lowering the priority of your switches so they continue to be the Spanning Tree root bridge.

    • IGMP Snooping is on under network settings -> advanced. This allows switches to identify multicast groups used in each port. Multicast streams are forwarded only to network devices that should receive them.

    • Multicast Enhancement (IGMPv3) is on under Wi-Fi settings -> advanced. This enables the IGMP querier service on a UniFi Gateway, letting it create multicast groups which should improve multicast traffic such as video or audio streams. Some people have had better luck with this disabled, and there may be other issues at fault, such as network topology. Multicast is difficult to troubleshoot without a packet capture and knowledge of the protocols involved.

    • Multicast DNS is on under advanced features -> advanced gateway settings. mDNS allows for converting host names to IP addresses in a local network without a DNS server. An example of mDNS is Apple's Bonjour, which is used to quickly set up sharing between computers and other devices. UniFi's mDNS service allows you to find devices on other networks.

  • Recommendation: Enabling this setting may help issues with Chromecast, AirPlay, or other smart home gear. Another option is to enable mDNS and create a separate SSID for these devices and follow Ubiquiti's help article steps here.

BSS Transition

  • Allow BSS Transition with WNM, which stands for Wireless Network Management. WNM allows the AP to send messages to clients to give them information about the network, and the details of other APs. This includes the current utilization and number of clients, allowing the client to make more informed roaming decisions.

  • Default: On

  • Effect: Enables 802.11v. This assists with saving power and the roaming process, but it's up to the client device to make a decision based on the given information.

  • Recommendation: Leave enabled, especially in networks with multiple APs.

L2 Isolation

  • Isolates stations on layer 2 (Ethernet) level

  • Default: Off

  • Effect: Restricts clients from communicating with each other.

  • Recommendation: Enable for high-security guest networks, or IoT networks which would benefit from this restriction. This can also lead to unintended consequences, so test the devices' behavior before and after changing this setting.

Enable Fast Roaming

  • Faster roaming for modern devices with 802.11r compatibility. It does this by speeding up the security key negotiation process, allowing both the negotiation and requests for resources to occur in parallel. With 802.1X, keys are cached rather than the client needing to check with the RADIUS server with each roam. With pre-shared key networks such as WPA2, the client goes through the normal 4-way handshake authentication process.

  • Default: Off

  • Effect: Enables OTA (Over-the-air) Fast BSS Transition, which allows devices that support it to roam between APs faster. Without this setting enabled, roaming from AP to AP may take a few seconds, and during that time data cannot be sent or received. In most cases you won't notice this, but latency-sensitive and real-time applications like a voice call perform poorly. Slow roaming behavior with a VoIP call may result in gaps in the audio. With 802.11r Fast Roaming enabled, the roams should be nearly unnoticeable.

  • Note: Fast BSS Transition works with both preshared key (PSK) and 802.1X authentication methods. Older devices should not experience connectivity issues with this enabled.

Bandwidth Profile

  • Default, or select existing profile.

  • Default: Bandwidth is unlimited.

  • Effect: Allows you to set default per-client download and upload bandwidth limits.

  • Note: Create new profiles under Advanced Features → Bandwidth Profile

New Bandwidth Profiles are created under Advanced Features -> Add Bandwidth Profile.

Security Settings

Security Protocol

  • Open. No password needed to join the network.

  • WPA-2. The older pre-shared key security method, which requires a password to join the network. WPA-2 is less secure than WPA-3, but is more universally supported, especially on older devices.

  • WPA-2 Enterprise. The older 802.1X security method, which requires a RADIUS server to allow users to join the network with a username or password. Common in larger networks which need to grant or revoke permission to join without changing other people's access by changing the pre-shared key.

  • WPA-2/WPA-3. Allows for a mix of WPA-2 and WPA-3 connections. Devices that support WPA-3 will use the newer and more secure standard, while older clients will fall back to WPA-2. This is less secure overall than requiring WPA-3, but it is more flexible and less likely to cause problems as we transition to WPA-3 as a default.

  • WPA-3. The newer pre-shared key security method, which does a lot of magic behind the scenes to be more secure than WPA-2. WPA-3 is still vulnerable to certain attacks, so still make sure to use a complex password and restrict access to that if it matters.

  • WPA-3 Enterprise. The newer 802.1X security method, which like WPA-3 personal allows for more secure connections.

UniFi's Wi-Fi security settings.

If WPA3 is selected…

  • WPA3 SAE anti-clogging threshold in seconds

    • Default: 5

    • Note: SAE is Simultaneous Authentication of Equals, and anti-clogging is designed to prevent denial of service (DoS) attacks on the AP. This setting affects the time threshold for what the AP considers "too many" requests.

  • WPA3 Sync in seconds

    • Default: 5

    • Note: Explaining how WPA3 works is beyond the scope of this guide. Only change these if you know what you're doing, and have a valid reason.

Hide Wi-Fi Name

This forces access points to send out beacon frames with no SSID, meaning the SSID field in the beacon frame is set to null. Beacons are still sent, and "hidden" networks are still easy to detect. To join a network with a hidden SSID, clients will have to manually enter the SSID name along with the password.

Hiding the SSID does not raise the security of the network. Using a more complex password or moving to a newer protocol (WPA2/3 vs WPA or WEP) does.

PMF (Protected Management Frame)

Protected management frame (PMF) is a security feature which aims to prevent intercepting or forging management traffic. Management frames include authentication, de-authentication, association, disassociation, beacons, and probes. These cannot be encrypted like normal unicast traffic, so this feature protects from forgery, preventing some common security attacks.

  • Required: APs will use PMF for all stations. Stations without PMF capability will not be able to join the WLAN. Required for WPA3.

  • Optional: APs will use PMF for all capable stations, while allowing non-PMF capable stations to join the WLAN.

  • Disabled: APs will not use PMF for any stations.
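To see what the Hide Wi-Fi Name, Security Protocol and PMF choices above look like on the air, here is an added example (not from the original post or from Ubiquiti) that parses the tagged parameters of a beacon frame body and reports all three. The sample beacons and the helper names `ie`, `rsn_ie` and `audit_beacon` are constructed for illustration; the element IDs, AKM suite types and RSN capability bits are the standard IEEE 802.11 values.

```python
import struct

OUI = bytes.fromhex("000fac")  # IEEE 802.11 suite selector OUI
AKM = {1: "WPA2 Enterprise (802.1X)", 2: "WPA2 (PSK)", 8: "WPA3 (SAE)"}

def parse_ies(body):
    """Map element ID -> value for the tagged parameters of a beacon body."""
    ies, off = {}, 12  # skip timestamp (8), beacon interval (2), capabilities (2)
    while off + 2 <= len(body):
        eid, length = body[off], body[off + 1]
        value = body[off + 2:off + 2 + length]
        if len(value) < length:  # truncated element: stop instead of misparsing
            break
        ies.setdefault(eid, value)
        off += 2 + length
    return ies

def audit_beacon(body):
    """Report hidden-SSID state, advertised AKMs and PMF mode from one beacon."""
    ies = parse_ies(body)
    # A hidden network still beacons; its SSID element is empty or all zero bytes.
    report = {"hidden": not any(ies.get(0, b"")), "akms": [], "pmf": "Disabled"}
    rsn = ies.get(48)  # RSN element; absent on open networks
    if rsn is None:
        return report
    try:
        off = 6  # version (2) + group cipher suite (4)
        off += 2 + 4 * struct.unpack_from("<H", rsn, off)[0]  # skip pairwise suites
        n_akm = struct.unpack_from("<H", rsn, off)[0]
        suites = [rsn[off + 2 + 4 * i:off + 6 + 4 * i] for i in range(n_akm)]
        report["akms"] = [AKM.get(s[3], s.hex()) if s[:3] == OUI else s.hex() for s in suites]
        caps = struct.unpack_from("<H", rsn, off + 2 + 4 * n_akm)[0]
    except (struct.error, IndexError):
        return report  # malformed RSN element: keep what was parsed
    # RSN capabilities: bit 6 = MFPR (PMF required), bit 7 = MFPC (PMF capable).
    report["pmf"] = "Required" if caps & 0x40 else "Optional" if caps & 0x80 else "Disabled"
    return report

# --- Constructed sample beacons (built here, not captured traffic) ---
def ie(eid, value):
    return bytes([eid, len(value)]) + value
def rsn_ie(akm_types, caps):
    cipher = OUI + b"\x04"  # CCMP for both group and pairwise
    akms = b"".join(OUI + bytes([t]) for t in akm_types)
    return ie(48, struct.pack("<H", 1) + cipher + struct.pack("<H", 1) + cipher
              + struct.pack("<H", len(akm_types)) + akms + struct.pack("<H", caps))
FIXED = bytes(8) + struct.pack("<HH", 100, 0x0011)  # timestamp, interval, capabilities
HIDDEN_WPA3 = FIXED + ie(0, b"") + rsn_ie([8], 0x00C0)      # SAE, PMF required
MIXED = FIXED + ie(0, b"office") + rsn_ie([2, 8], 0x0080)   # WPA2/WPA3, PMF optional
```

Calling `audit_beacon(HIDDEN_WPA3)` shows that hiding the name changes only the SSID element: the security protocol and PMF mode are still advertised in every beacon.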

Group Rekey Interval

  • This setting controls how frequently an AP changes the GTK, or Group Temporal Key. The GTK is a cryptographic key that is used to encrypt all broadcast and multicast traffic between APs and clients.

  • Default: 3600 seconds.

  • Note: Lower intervals mean the key changes more frequently, but can cause the issue of users disconnecting or being unable to join the network with the message 'wrong password', even if the credentials are right.

MAC Authorization Settings

UniFi's MAC Authorization settings.

  • MAC Address Filter

    • Allows you to restrict clients from joining the network unless they are on the allow list, or block specific MAC addresses.

  • RADIUS MAC Authentication

    • Allows you to use a RADIUS server for client authentication.

  • RADIUS Profiles

    • Allows you to select pre-defined RADIUS profiles.

    • To create a new profile, go to Advanced Features -> RADIUS -> Add RADIUS Profile. This is where you define the aspects of your RADIUS server like IP address, ports, assigned VLAN, shared secrets, and update interval.

  • MAC address format

    • Allows you to set the format for the MAC address and whether semicolons or hyphens are expected.

802.11 Rate and Beacon Controls

UniFi's 802.11 Rate and Beacon Controls.

Override DTIM Period

  • DTIM stands for Delivery Traffic Indication Message, which is a message that is sent along with beacon frames. The function of the DTIM is to let a sleeping client know that it has buffered data waiting for it. Higher numbers buffer longer, potentially saving battery life. Altering these values can cause a variety of issues though, so change them at your own risk.

  • Default for 2.4 GHz: 1, meaning every 2.4 GHz beacon will include a DTIM

  • Default for 5 GHz: 3, meaning every third 5 GHz beacon will include a DTIM

  • Note: You cannot alter the default values when "Optimize IoT Wi-Fi Connectivity" is on.

2.4 and 5 GHz Data Rate Control

  • Disabling the lowest data rates is a common setting to consider for high density networks where airtime conservation is important. Lower data rates are less efficient. When data is sent at a low rate, it uses more airtime, limiting the performance of all the other devices using that AP. This does not limit the range of your AP, and the details are complicated. Rob Krumm has a great analysis of what changing your rate does and does not change if you want more details.

  • Default for 2.4 GHz: All rates allowed (1 to 54 Mbps)

  • Default for 5 GHz: All rates allowed (6 to 54 Mbps)

  • Recommendation: Leave at default for most networks. Disabling rates below 6 or 11 Mbps can improve the efficiency of higher-density networks.

Wi-Fi Scheduler

Allows you to turn an SSID on or off at a certain time, or set up a weekly schedule.

Settings only available in the old UI (as of version 6.5.53)

These settings are missing in the new interface, or have been moved/renamed.

  • Apply Guest Policies

  • Beacon Country

  • Add 802.11d country roaming enhancements

  • TDLS Prohibit

  • Block Tunneled Link Direct Setup (TDLS) connections

  • Point to Point, also referred to as P2P

  • Send beacons at 1 Mbps
