Wireless Configuration
The source material this page replaces covers OpenWrt wireless configuration on 802.11n hardware from 2019. This page covers UniFi wireless configuration for a current deployment, updated for WPA3, WiFi 6, and the UniFi management model.
The UDM-SE includes built-in WiFi radios, but for a rack-mounted device in a homelab, the built-in radios are rarely the primary wireless infrastructure. The more common and effective approach is deploying dedicated UniFi access points: ceiling or wall-mounted units that provide better coverage, more flexible placement, and independent radio hardware. This page covers the wireless configuration as it applies to both the built-in radios and external access points, since the configuration is identical from the UniFi perspective.
UniFi wireless architecture
In UniFi, wireless configuration is separated from physical hardware. An SSID (called a WiFi network in UniFi) is a logical entity that defines the network name, security settings, and VLAN mapping. Once created, it is pushed to every adopted access point automatically.
This means:
- Adding a new access point to the site immediately broadcasts all configured SSIDs
- Changing security settings on an SSID applies to every access point at once
- Per-access-point SSID overrides are possible but rarely needed
Security standards: current recommendations
The source material recommends WPA2-PSK with CCMP/AES, which was correct in 2018. In 2026, WPA3 is the current standard and should be used as the default.
WPA3-SAE (Simultaneous Authentication of Equals) replaces the PSK handshake with a more secure negotiation that prevents offline dictionary attacks against captured handshakes. Even a weak passphrase is significantly harder to crack under WPA3 than WPA2.
WPA2/WPA3 transition mode (WPA3-SAE-EXT-KEY/WPA2-PSK mixed) allows both WPA3 and WPA2 clients to connect to the same SSID. Use this rather than WPA3-only if you have older devices that do not support WPA3. Most devices manufactured after 2020 support WPA3.
802.11w Management Frame Protection should be set to Required on WPA3 networks and Capable on WPA2/WPA3 mixed networks. It authenticates management frames, so a third party cannot forge deauthentication or disassociation frames to knock clients off the network.
Passphrases: use a five-word Diceware passphrase for the main WiFi network, as covered in the passphrases section, and store it in KeePassXC. The SSID name is the salt in the WPA2 key derivation, so the same passphrase produces a different key on every SSID, and precomputed key tables only exist for common default SSID names. That is why a unique, non-identifying SSID name matters even when the network name is not widely known.
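To make the salt point concrete, the following is an added example (not from the original page or from Ubiquiti) that derives the WPA2-Personal Pairwise Master Key the way a client and access point both do: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 iterations, 256-bit output. The passphrase and SSID values used for illustration are constructed; the iteration count and output length are the standard's.

```python
import hashlib

# Added example, not code from the original page. Constants are those
# specified for WPA2-Personal PSK derivation (PBKDF2-HMAC-SHA1, 4096
# iterations, 256-bit key, SSID as salt).
PBKDF2_ITERATIONS = 4096
PMK_LENGTH_BYTES = 32


def derive_wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK that a WPA2-Personal client derives from passphrase + SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID is the PBKDF2 salt: change the SSID and the key changes,
    # even though the passphrase is identical.
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid_bytes,
        PBKDF2_ITERATIONS,
        dklen=PMK_LENGTH_BYTES,
    )


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, the same 64-character value the UniFi UI accepts as a raw PSK."""
    return derive_wpa2_pmk(passphrase, ssid).hex()


def ssid_changes_key(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when two SSIDs yield different PMKs for one passphrase (the salt effect)."""
    return derive_wpa2_pmk(passphrase, ssid_a) != derive_wpa2_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Constructed illustration values, not a real deployment's credentials.
    passphrase = "correct horse battery staple"
    print("homelab-main:", pmk_hex(passphrase, "homelab-main"))
    print("homelab-iot: ", pmk_hex(passphrase, "homelab-iot"))
    print("differ:", ssid_changes_key(passphrase, "homelab-main", "homelab-iot"))
```

The flip side of the salt property is relevant to the multi-site note later on this page: configuring the same SSID name and passphrase at every site means every site ends up with the same PMK, which is exactly what makes roaming devices connect without reconfiguration.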
SSID design
Fewer SSIDs is better. Each additional SSID adds beacon overhead and reduces the effective bandwidth available to all clients. A good rule of thumb is three SSIDs maximum: one for trusted devices, one for guests, and one for IoT devices if needed.
Main SSID
The primary network for trusted devices: laptops, phones, tablets, and anything that should be on a trusted VLAN.
| Setting | Value |
|---|---|
| Network name | Something non-identifying, not your address or surname |
| Security | WPA3 or WPA2/WPA3 transition |
| Password | Five-word Diceware passphrase |
| Network (VLAN) | Core (VLAN 14 at the primary site) |
| 802.11w | Required (WPA3) or Capable (mixed) |
| Band steering | Enabled (pushes capable clients to 5 GHz or 6 GHz) |
| BSS Transition | Enabled (802.11v, helps clients roam between access points) |
| Multicast Enhancement | Enabled |
Visitor SSID
The guest network for devices that should not have access to the internal network.
| Setting | Value |
|---|---|
| Network name | Something clearly identifiable as guest |
| Security | WPA2 or WPA3 (WPA2 for maximum compatibility) |
| Password | Rotated periodically, shared freely |
| Network (VLAN) | Visitor (VLAN 23 at the primary site) |
| Client Device Isolation | Enabled |
| Rate Limiting | Optional: restrict to a reasonable bandwidth ceiling |
Client device isolation prevents guest devices from communicating with each other, not just with internal VLANs. Enable it on the Visitor SSID.
IoT SSID
For smart home devices, sensors, and anything with questionable security posture that should be isolated from trusted devices.
| Setting | Value |
|---|---|
| Network name | Something neutral |
| Security | WPA2 (many IoT devices do not support WPA3) |
| Password | Strong, unique to this SSID |
| Network (VLAN) | An IoT-specific VLAN from the network design |
| Client Device Isolation | Consider enabling |
| 2.4 GHz only | Many IoT devices are 2.4 GHz only; consider disabling 5 GHz for this SSID |
If the network design does not include a dedicated IoT VLAN, create one: a /24 subnet within the site’s address space, with firewall rules that prevent IoT devices from initiating connections to trusted VLANs.
Radio configuration
Navigate to Settings > WiFi > Advanced or to the individual access point settings for per-device radio configuration.
Country code
Set to GB - United Kingdom. This is critical: the country code determines which channels are legal, the maximum transmit power, and which DFS channels are available. Using the wrong country code may result in illegal transmit power or channels.
2.4 GHz radio
The 2.4 GHz band has better range and wall penetration than 5 GHz but is congested in dense environments. In a residential area in the UK, channels 1, 6, and 11 are the only non-overlapping 20 MHz channels.
| Setting | Value |
|---|---|
| Channel width | 20 MHz |
| Channel | Auto (or manually set to 1, 6, or 11 based on a site survey) |
| Transmit power | Auto |
| Minimum RSSI | -80 dBm (optional, prevents sticky client issues) |
| Legacy support (802.11b) | Disabled |
Disabling 802.11b legacy rates removes the slowest data rates from the network, which reduces the time spent transmitting low-rate management frames. Every 802.11b device transmitting at 1 Mbps occupies airtime that 802.11n or 802.11ax devices would otherwise use for data at 300+ Mbps.
5 GHz radio
The 5 GHz band offers more non-overlapping channels and less congestion than 2.4 GHz, at the cost of slightly shorter range.
| Setting | Value |
|---|---|
| Channel width | 80 MHz (or 40 MHz if interference is a concern) |
| Channel | Auto with DFS enabled |
| Transmit power | Auto |
| Minimum RSSI | -75 dBm |
DFS (Dynamic Frequency Selection) channels in the 5 GHz band (channels 52-144 in the UK) are subject to radar detection requirements. UniFi handles DFS correctly: when radar is detected on a DFS channel, the access point moves to a non-DFS channel automatically. Enabling DFS channels gives access to a significantly larger pool of available channels, reducing co-channel interference.
6 GHz radio (WiFi 6E access points only)
If deploying WiFi 6E access points such as the UniFi U6 Enterprise or U6 Pro, a 6 GHz radio is available. The 6 GHz band is entirely clear of legacy devices since only WiFi 6E clients can use it.
| Setting | Value |
|---|---|
| Channel width | 80 MHz or 160 MHz |
| Channel | Auto |
| Transmit power | Auto |
| WPA3 only | Mandatory (6 GHz requires WPA3) |
Roaming configuration
For a multi-access-point deployment, configuring roaming correctly prevents the sticky client problem where a device holds onto a weak signal from a distant access point rather than roaming to a closer one.
802.11r Fast BSS Transition
Enables fast roaming between access points without the full re-authentication handshake. Significantly reduces roaming latency for voice and video calls.
Enable on each SSID under the advanced wireless settings. Note that some older clients have issues with 802.11r: if roaming problems occur on specific devices, check whether disabling 802.11r on that SSID resolves them.
802.11k and 802.11v
802.11k provides neighbour reports that help clients discover nearby access points. 802.11v enables BSS Transition Management, which allows the network to suggest that a client roam to a better access point.
Enable both in the UniFi SSID settings. These are the primary mechanisms by which UniFi helps clients roam proactively rather than holding onto a weak signal.
Minimum RSSI
Setting a minimum RSSI threshold causes the access point to disassociate clients whose signal strength drops below the threshold, forcing them to roam to a better access point. This is the blunt instrument for fixing sticky clients when 802.11k/v are not sufficient.
Set conservatively: too aggressive a threshold causes clients near the edge of the threshold to repeatedly connect and disconnect. -80 dBm for 2.4 GHz and -75 dBm for 5 GHz are reasonable starting points.
WPS
The source material mentions enabling WPS push-button for convenience. The recommendation here is different: disable WPS entirely.
WPS PIN mode has known vulnerabilities (the Pixie Dust attack and brute force of the WPS PIN). Even with push-button WPS, the attack surface is larger than the convenience justifies. A strong Diceware passphrase stored in KeePassXC is the correct solution for devices that need to join the network.
Navigate to Settings > WiFi > Edit each SSID > Advanced and disable WPS.
Multi-site wireless
Vernal and Estival use the same wireless configuration principles. Each site manages its own wireless infrastructure independently. There is no cross-site SSID or roaming: devices at each site connect to that site’s access points.
If consistency across sites is desired (the same SSID names and passphrases at all three sites), configure them identically on each gateway. This allows devices to automatically connect at any site using the same credentials, which is convenient for devices that travel between sites.
Verifying wireless configuration
After configuring, verify from the desktop or a mobile device:
- Connect to the main SSID and confirm an IP address in the Core VLAN range (10.1.0.x)
- Connect to the Visitor SSID and confirm an IP address in the Visitor VLAN range (10.1.90.x)
- Verify the Visitor network cannot reach internal resources
- Check the UniFi Clients view to confirm devices appear on the correct VLANs
- Run a WiFi analyser app to check channel selection and signal strength coverage
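The first three checks in that list can be scripted from a Linux laptop. The following is an added example, not part of the original page: it parses `ip -4 -o addr` output, checks that the wireless interface's lease falls in the subnet expected for the SSID it is joined to, and, for the Visitor SSID, probes one internal host with a short TCP connect timeout to confirm isolation. The subnet map uses the primary-site ranges given above; the interface name, the sample `ip` output, and the internal host address are constructed placeholders.

```python
import ipaddress
import re
import socket
import subprocess
from typing import Dict, Optional, Tuple

# Added example, not code from the original page. Expected SSID-to-subnet
# map for the primary site, taken from the verification list above.
EXPECTED_SUBNETS = {
    "main": ipaddress.ip_network("10.1.0.0/24"),
    "visitor": ipaddress.ip_network("10.1.90.0/24"),
}

# Constructed sample of `ip -4 -o addr show` output, used for offline testing.
SAMPLE_IP_OUTPUT = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "3: wlan0    inet 10.1.90.37/24 brd 10.1.90.255 scope global dynamic noprefixroute wlan0\\"
    "       valid_lft 85987sec preferred_lft 85987sec\n"
)

_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)", re.M)


def parse_ip_addr(output: str) -> Dict[str, ipaddress.IPv4Address]:
    """Map interface name -> IPv4 address from one-line `ip -4 -o addr` output; loopback skipped."""
    found = {}
    for iface, addr, _prefix in _ADDR_RE.findall(output):
        if iface != "lo":
            found[iface] = ipaddress.ip_address(addr)
    return found


def classify_address(addr: ipaddress.IPv4Address) -> Optional[str]:
    """Return the SSID whose expected subnet contains addr, or None if it matches none."""
    for name, net in EXPECTED_SUBNETS.items():
        if addr in net:
            return name
    return None


def check_lease(output: str, iface: str, expected_ssid: str) -> Tuple[bool, str]:
    """Confirm the interface's address is in the subnet expected for the joined SSID."""
    addrs = parse_ip_addr(output)
    if iface not in addrs:
        return False, f"{iface} has no IPv4 address (no DHCP lease?)"
    got = classify_address(addrs[iface])
    if got != expected_ssid:
        return False, (f"{iface} has {addrs[iface]}, which is in the {got or 'unknown'} "
                       f"range, not the {expected_ssid} range: check the SSID's VLAN mapping")
    return True, f"{iface} has {addrs[iface]} in the {expected_ssid} range"


def can_reach(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect probe. From the Visitor SSID this should be False for internal hosts."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys

    # Usage: python verify_wifi.py wlan0 visitor   (interface name is a placeholder)
    iface, expected = sys.argv[1], sys.argv[2]
    out = subprocess.run(
        ["ip", "-4", "-o", "addr", "show", iface],
        capture_output=True, text=True, check=True,
    ).stdout
    ok, msg = check_lease(out, iface, expected)
    print(("OK   " if ok else "FAIL ") + msg)
    if expected == "visitor":
        # Placeholder internal host in the Core range; substitute a real server.
        internal_host, internal_port = "10.1.0.10", 22
        if can_reach(internal_host, internal_port):
            print(f"FAIL Visitor SSID can reach {internal_host}:{internal_port}; "
                  "check the Visitor VLAN firewall rules and client isolation")
        else:
            print(f"OK   {internal_host}:{internal_port} not reachable from the Visitor SSID")
```

Run it once per SSID after joining each network; the second argument names the SSID you joined, and a FAIL on the lease check almost always means the SSID is mapped to the wrong network in the UniFi WiFi settings rather than a client-side problem.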
WPA3 transition mode is the right default for most deployments in 2026. WPA3-only can be enabled once you have verified that every device that needs to connect supports it. Forcing WPA3-only before checking client compatibility results in devices that cannot connect and are difficult to troubleshoot without physical access.