Bridged Access Point

Posted on 6 2026

The source material this page replaces covers configuring an OpenWrt router as a dumb access point: disabling DHCP, disabling firewall, disabling WAN, and bridging the LAN interfaces so the device acts purely as a wireless extension of the main network. That approach is correct for commodity hardware running OpenWrt. For this network, the same goal is achieved differently depending on the hardware involved.

UniFi access points: automatic adoption

If the additional access point is a UniFi device (U6 Lite, U6 Pro, U6 Enterprise, or any other UniFi AP), the configuration is almost entirely automatic. No DHCP configuration, no firewall changes, and no static routes need to be set manually because UniFi handles all of this through the controller.

Connect the UniFi access point to any LAN port on the UDM-SE or a downstream UniFi switch with PoE. The AP powers on, broadcasts its adoption SSID briefly, and appears in UniFi Devices within a few minutes.

Navigate to UniFi Devices. The new access point shows as Pending Adoption. Click Adopt. The controller pushes the full network configuration: all SSIDs, VLAN mappings, radio settings, and security configuration defined earlier in this series.

That is the complete process. The access point is now a managed node in the network, broadcasting all configured SSIDs, participating in 802.11r/k/v assisted roaming, and reporting stats to the controller.

Per-access-point configuration

After adoption, some per-device settings are worth reviewing. Select the access point in UniFi Devices and navigate to the Settings tab.

Channel override: the controller assigns channels automatically based on the site survey. Override specific channels for a device in a location where you know a particular channel works better.

Transmit power: defaults to auto. Override if a specific power level is needed for a particular placement.

LED: disable the LED once the device is confirmed working if it is visible in an occupied room.

VLAN override per SSID: if a specific access point should serve a different VLAN for a particular SSID (unusual but occasionally useful), configure it here.

Uplink connectivity: if the access point is connected via Ethernet, this shows the upstream switch port. If connected wirelessly (mesh), it shows the upstream AP. Wired is always preferable.

Non-UniFi devices: bridge mode

For situations where a non-UniFi device provides wireless coverage, configuring it in bridge or access point mode prevents double NAT and allows the UDM-SE to remain the single router, DHCP server, and firewall for the network.

Common scenarios:

  • An ISP-provided router/modem that needs to operate in bridge mode so the UDM-SE handles routing
  • A consumer router used as a wireless access point in a location where running Ethernet for a UniFi AP is impractical
  • A legacy device being phased out while UniFi hardware is being added

Configuring a consumer router as a bridged AP

The specific steps vary by manufacturer but the principle is the same across all of them:

  1. Connect the device’s LAN port (not WAN) to a LAN port on the UDM-SE or downstream switch
  2. Access the device’s admin interface
  3. Disable DHCP server
  4. Disable the WAN interface or set it to unused
  5. Disable the firewall if possible
  6. Assign the device a static IP address on the same subnet as the UDM-SE LAN, but outside the DHCP range
  7. Set the gateway to the UDM-SE’s IP address

The device is now a dumb AP: it provides wireless connectivity but all routing, DHCP, and firewall functions are handled by the UDM-SE. Devices connecting to the bridged AP’s WiFi get their IP addresses from the UDM-SE’s DHCP server and are on the same LAN as wired devices.
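As an added example (not part of the original page), the following Python sketch checks the addressing from steps 6 and 7 and flags any DHCP server other than the router, which is what a missed step 3 looks like on the wire. The subnet, DHCP range, addresses and offer records are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

def check_bridged_ap_plan(lan_cidr, gateway, dhcp_start, dhcp_end, ap_ip, ap_gateway):
    """Check steps 6 and 7; return a list of problems (empty list means OK)."""
    net = ipaddress.ip_network(lan_cidr)
    gw = ipaddress.ip_address(gateway)
    ap = ipaddress.ip_address(ap_ip)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    problems = []
    if ap not in net:
        problems.append("AP address is not on the router's LAN subnet")
    elif ap in (net.network_address, net.broadcast_address):
        problems.append("AP address is the network or broadcast address")
    if lo <= ap <= hi:
        problems.append("AP address is inside the DHCP range")
    if ap == gw:
        problems.append("AP address collides with the router")
    if ipaddress.ip_address(ap_gateway) != gw:
        problems.append("AP gateway is not the router's address")
    return problems

def unexpected_dhcp_servers(offers, authorised_server):
    """Step 3 check: server identifiers seen in DHCP offers other than the router's."""
    seen = {o["server_id"] for o in offers}
    return sorted(seen - {authorised_server}, key=ipaddress.ip_address)

# Constructed sample values; substitute the real LAN settings.
LAN = dict(lan_cidr="192.168.1.0/24", gateway="192.168.1.1",
           dhcp_start="192.168.1.100", dhcp_end="192.168.1.254")
# Constructed DHCP offers, as they might be noted from a client's lease log.
OFFERS = [
    {"server_id": "192.168.1.1", "offered": "192.168.1.120"},
    {"server_id": "192.168.1.2", "offered": "192.168.1.33"},  # AP still serving DHCP
]

if __name__ == "__main__":
    print(check_bridged_ap_plan(ap_ip="192.168.1.2", ap_gateway="192.168.1.1", **LAN))
    print(check_bridged_ap_plan(ap_ip="192.168.1.150", ap_gateway="192.168.1.1", **LAN))
    print(unexpected_dhcp_servers(OFFERS, LAN["gateway"]))
```

An empty list from the first function and an empty list from the second together mean the device is addressed correctly and is no longer answering DHCP.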

VLAN limitations of bridged non-UniFi APs

A significant limitation of bridged non-UniFi access points is VLAN support. Most consumer routers in bridge or AP mode only bridge a single VLAN, the native VLAN of the connected port. They cannot present multiple SSIDs on different VLANs.

If VLAN-aware wireless is needed (a main SSID on the Core VLAN and a Visitor SSID on the Visitor VLAN), a UniFi access point is required. Consumer hardware in bridge mode cannot do this.

For locations where VLAN segmentation on wireless is not needed and the only goal is extending coverage, a consumer AP in bridge mode is acceptable.

ISP modem/router in bridge mode

If the ISP provides a combined modem/router, configuring it in bridge mode passes the public IP address through to the UDM-SE’s WAN port, allowing the UDM-SE to handle all routing rather than the ISP device.

This eliminates double NAT (where the ISP router and the UDM-SE each perform NAT, causing complications with port forwarding and VPN).

The bridge mode setting on ISP devices is often called:

  • Bridge mode
  • IP Passthrough
  • DMZ mode (on some ISP routers, this passes all traffic to a single LAN device)
  • Modem mode

Contact the ISP or check the device documentation for the specific steps. Some ISPs do not permit bridge mode on their provided equipment, in which case IP passthrough or DMZ mode to the UDM-SE’s MAC address achieves the same result.

After configuring bridge mode on the ISP device, the UDM-SE’s WAN port should receive the public IP address directly. Verify in UniFi OS > WAN that the WAN IP is the public address rather than an RFC 1918 address from the ISP device.
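The WAN address check above can be scripted. This added example (not part of the original page) classifies the address shown on the WAN port, and goes one step beyond the RFC 1918 test in the text by also recognising RFC 6598 carrier-grade NAT space and a missing lease. The function name and verdict labels are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # RFC 6598 shared address space
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned, no DHCP lease

def classify_wan_ip(addr):
    """Return (verdict, explanation) for the IPv4 address shown on the WAN port."""
    try:
        ip = ipaddress.IPv4Address(addr.strip())
    except ipaddress.AddressValueError:
        return "invalid", "not an IPv4 address"
    if any(ip in net for net in RFC1918):
        return "double-nat", "RFC 1918 address: the ISP device is still routing and doing NAT"
    if ip in CGNAT:
        return "cgnat", "RFC 6598 address: the ISP performs carrier-grade NAT upstream"
    if ip in LINK_LOCAL or ip.is_unspecified:
        return "no-lease", "WAN port has not obtained an address from the ISP"
    if ip.is_global:
        return "public", "publicly routable: the router holds the public address itself"
    return "reserved", "reserved or documentation range, not a usable public address"

if __name__ == "__main__":
    # Constructed sample inputs covering each verdict.
    for sample in ("192.168.0.2", "100.72.1.5", "172.32.0.1", "169.254.10.1", "198.51.100.7"):
        verdict, why = classify_wan_ip(sample)
        print(f"{sample:15} {verdict:10} {why}")
```

Note that 172.32.0.1 is classified as public: the RFC 1918 block 172.16.0.0/12 ends at 172.31.255.255, which is easy to misjudge by eye.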

Wireless mesh (UniFi Flex or outdoor APs)

For locations where Ethernet cabling is impractical, UniFi supports wireless mesh: an access point connects to the network wirelessly via another access point rather than via Ethernet.

When adopting an AP without a wired connection, it connects to the nearest accessible AP wirelessly and presents itself for adoption. The controller adopts it the same way as a wired AP.

Wireless uplink is significantly slower than wired uplink and increases latency. Use it only where wired connectivity is genuinely impossible, not merely inconvenient. A single-hop wireless uplink halves the available bandwidth for client devices on that AP. Two hops quarter it.

If wireless mesh is in use, check the uplink in UniFi Devices and verify the wireless uplink signal strength is adequate. A weak uplink produces a fast-looking AP with poor actual throughput.

The UDM-SE’s built-in WiFi radios are functional but designed for a rack-mounted device and provide limited coverage compared to ceiling or wall-mounted dedicated access points. For meaningful wireless coverage, dedicated UniFi access points placed strategically around the building are the correct solution, not relying on the UDM-SE’s built-in radios.