Recommended settings for Wi-Fi routers and access points

iOS and OS X: Recommended settings for Wi-Fi routers and access points The following Wi-Fi base station (or Wi-Fi router) settings are recommended for all Macs and iOS devices. These settings will help ensure maximum performance, security, and reliability when using Wi-Fi. Wi-Fi base stations are 802.11a/b/g/n access points that include AirPort Extreme Base Stations, AirPort Express, and AirPort Time Capsule. "Wi-Fi router" is a generic term and includes Wi-Fi base stations and third-party 802.11a/b/g/n Wi-Fi access points. Before configuring or adjusting specific settings, perform the following steps: Ensure that your Wi–Fi router's firmware is up to date. If you are using a Wi–Fi base station, refer to this article for information on how to update it. Verify that all Wi–Fi devices you intend to use support the settings recommended in this article. If possible, back up your current Wi–Fi router's settings. If necessary, refer to the product documentation or manufacturer's website. Forget or remove the Wi-Fi settings for your network from any devices that connect to your Wi-Fi router. (This will prevent the devices from attempting to connect to your network with the old configuration.) You will need to reconnect these devices to your network once you've finished applying the new settings. Configure all Wi–Fi base stations on the same network with the same settings. Not doing so will cause connectivity and reliability issues. On dual-band Wi–Fi base stations, configure both bands to have the same settings unless otherwise noted below. Use the following settings for maximum performance, security, and reliability. SSID (Service Set Identifier—Wi-Fi network name) Set to Any unique name. Description The SSID, or network name, identifies your Wi-Fi network to users and other Wi-Fi devices. It is case sensitive. More details Choose a name that is unique to your network and is not shared by other nearby networks or other networks you are likely to encounter. If your router came with a default SSID (network name), it is especially important that you change it to a different, unique name. Some common default SSID names to avoid are "linksys", "netgear", "NETGEAR", "dlink", "wireless", "2wire", and "default", but there are others. If your SSID is not unique, Wi-Fi devices will have trouble identifying your network. This could cause them to fail to automatically connect to your network, or to connect to other networks sharing the same SSID. In addition, it may prevent Wi-Fi devices from using all base stations in your network (if you have more than one Wi-Fi base station), or prevent them from using all available bands (if you have a dual-band Wi-Fi base station). Hidden network Set to Disabled Description Hidden networks don't broadcast their SSID over Wi-Fi. This option may also be incorrectly referred to as a "closed" network, and the corresponding nonhidden state may be referred to as "broadcast" or "open". More details Because hidden networks don't broadcast their SSID, it is more difficult for devices to find them, which can result in increased connection time and can reduce the reliability of auto-connection. Note that hiding a network doesn't secure your Wi-Fi network, because the SSID is still available through other mechanisms. Security is enforced by a different setting (see Security below). MAC address authentication or filtering Set to Disabled Description Restricts access to a Wi-Fi router to devices with specific MAC (Media Access Control) addresses. More details When enabled, this feature allows a user to configure a list of MAC addresses for the Wi-Fi router, and restrict access to only devices with addresses that are in the list. Devices with MAC addresses not in the list will fail to associate to the Wi-Fi network. Unfortunately, device MAC addresses can be easily changed, so this cannot be relied upon to prevent unauthorized access to the network. Security should be enforced by a different setting (see Security below). Security Set to WPA2 Personal (AES) Description The security setting controls the type of authentication and encryption used by your Wi-Fi router. This setting allows you to control access to your wireless network, as well as to specify the level of privacy you'd like to have for data you send over the air. More details WPA2 Personal (AES) is currently the strongest form of security offered by Wi-Fi products, and is recommended for all uses. When enabling WPA2, be sure to select a strong password, one that cannot be guessed by third parties. If you have older Wi-Fi devices on your network that don't support WPA2 Personal (AES), a good second choice is WPA/WPA2 Mode (often referred to as WPA Mixed Mode). This mode will allow newer devices to use the stronger WPA2 AES encryption, while still allowing older devices to connect with older WPA TKIP-level encryption. If your Wi-Fi router doesn't support WPA/WPA2 Mode, WPA Personal (TKIP) mode is the next best choice. Note that the use of WEP is not recommended for compatibility, reliability, performance, and security reasons; WEP is insecure and functionally obsolete. However, if you must support legacy WEP devices and you have a newer (802.11n) Wi-Fi router, you may be able to select the WEP Transitional Security Network (WEP TSN) security mode. This mode will allow legacy WEP clients to join your network with WEP encryption while allowing newer devices to use more modern and secure encryption modes, such as WPA TKIP or WPA2 AES. If WEP TSN mode is not supported, then WEP128 with Shared Authentication should be used (with a single WEP key in key index 1). For compatibility reasons, WEP128 networks should use 13-character ASCII passwords. For reference, "None" or unsecured mode, provides no authentication or encryption. If you use this security mode, anyone will be able to join your Wi-Fi network, use your Internet connection, or access any shared resource on your network. In addition, anyone will be able to read any traffic you send over the network. For these reasons, this security mode is not recommended. Note: Due to serious security weaknesses, the WEP and WPA TKIP encryption methods are deprecated and strongly discouraged. These modes should be used only if it is necessary to support legacy Wi-Fi devices that don't support WPA2 AES and cannot be upgraded to support WPA2 AES. Devices using these deprecated encryption methods will not be able to take full advantage of 802.11n performance and other features. Due to these issues the Wi-Fi Alliance has directed the Wi-Fi industry to phase out WEP and WPA TKIP. 2.4 GHz Radio Mode Set to 802.11b/g/n Description This setting controls which versions of the 802.11a/b/g/n standard the network uses for wireless communication on the 2.4 GHz band. Newer standards (802.11n) support faster transfer rates, and older standards provide compatibility with older devices and additional range. More details Routers that support 802.11n should be configured for 802.11b/g/n for maximum speed and compatibility. Routers that only support 802.11g should be put in 802.11b/g mode, while those that support only 802.11b can be left in 802.11b mode. Different Wi-Fi routers support different radio modes, so the exact setting will vary depending on the Wi-Fi router in use. In general, enable support for all modes. Devices will then automatically select the fastest commonly supported mode to communicate. Note that choosing a subset of the available modes will prevent some devices from connecting (for example, 802.11b/g devices will be unable to connect to a Wi-Fi router in 802.11n-only mode). In addition, choosing a subset of the available modes may cause interference with nearby legacy networks, and may cause nearby legacy devices to interfere with your network. 5 GHz Radio Mode Set to 802.11a/n Description This setting controls which versions of the 802.11a/b/g/n standard the network uses for wireless communication on the 5 GHz band. Newer standards support faster transfer rates, and older standards provide compatibility with older devices and additional range. More details Routers that support 802.11n should be configured for 802.11a/n mode for maximum speed and compatibility. Routers that only support 802.11a can be left in 802.11a mode. Different Wi-Fi routers support different radio modes, so the exact setting will vary depending on the Wi-Fi router in use. In general, enable support for all modes. Devices will then automatically select the fastest commonly supported mode to communicate. Note that choosing a subset of the available modes will prevent older devices from connecting (for example, 802.11a devices will be unable to connect to a Wi-Fi router in 802.11n-only mode). In addition, choosing a subset of the available modes may cause interference with nearby legacy networks, and may cause nearby legacy devices to interfere with your network. Channel Set to Auto Description This setting controls which channel your Wi-Fi router will use to communicate. "Auto" allows the Wi-Fi router to select the best channel automatically. You can also manually select a channel. More details For best performance, choose "Auto" mode and let the Wi-Fi router select the best channel. If this mode is not supported by your Wi-Fi router, you will need to manually select a channel. You should pick a channel that is free from other Wi-Fi routers and other sources of interference. Refer to this article for information about possible sources of interference. 2.4 GHz channel width Set to 20 MHz Description Channel width controls how large a "pipe" is available to transfer data. However, larger channels are more subject to interference and more prone to interfere with other devices. A 40 MHz channel is sometimes referred to as a wide channel, with 20 MHz channels referred to as narrow channels. More details Use 20 MHz channels in the 2.4 GHz band. Using 40 MHz channels in the 2.4 GHz band can cause performance and reliability issues with your network, especially in the presence of other Wi-Fi networks and other 2.4 GHz devices. 40 MHz channels may also cause interference and issues with other devices that use this band, such as Bluetooth devices, cordless phones, neighboring Wi-Fi networks, and so on. Note that not all routers support 40 MHz channels, especially in the 2.4 GHz band. If they are not supported, the router will use 20 MHz channels. 5 GHz channel width Set to Both 20 MHz and 40 MHz Description Channel width controls how large a "pipe" is available to transfer data. However, larger channels are more subject to interference, and more prone to interfere with other devices. Interference is less of an issue in the 5 GHz band. A 40 MHz channel is sometimes referred to as a wide channel, with 20 MHz channels referred to as narrow channels. More details For best performance and reliability, enable support for both channel widths. This allows devices to use whichever width they support, which results in optimal performance and compatibility. Note that not all client devices support 40 MHz channels, so do not enable 40 MHz-only mode; devices that support only 20 MHz channels will not be able to connect to a Wi-Fi router in 40 MHz-only mode. In addition, not all routers support 40 MHz channels; a router that doesn't will use 20 MHz channels. DHCP Set to Only one DHCP server per network Description The Dynamic Host Configuration Protocol (DHCP) assigns addresses that identify devices on your network. Once assigned, devices use these addresses to communicate with each other and with computers on the Internet. (The functionality of a DHCP server can be thought of as similar to a phone company handing out phone numbers, which customers then use to call other people). More details There should be only one DHCP server on your network. This DHCP server may be built in to your DSL or cable modem, a standalone router, or integrated with your Wi-Fi router. In any case, only one device should act as a DHCP server on your network. If more than one device has it enabled, you will likely see address conflicts and will have issues accessing the Internet or other resources on your network. NAT Set to Only enabled on your router; only one device at most should provide NAT services on the network. Description Network address translation (NAT) translates between addresses on the Internet and those on a local network. (The functionality of a NAT provider is like that of a worker in an office mail room who takes a business address and an employee name on incoming letters and replaces them with the destination office number in a building. This allows people outside the business to send information to a specific person in the building). More details Generally, NAT should only be enabled on the device acting as a router for your network. This is usually either your DSL or cable modem, or a standalone router (which may also act as your Wi-Fi router). If NAT is enabled on more than one device—"double NAT"—you will likely have trouble accessing certain Internet services, such as games, Voice Over IP (VoIP), and Virtual Private Network (VPN), and communicating across the different levels of NAT on the local network.