Author Archives: JAB_au

CIDR Conversation Table

CIDR Conversion Table

CIDR LengthMask# of Networks#  of Hosts
/1128.0.0.0128 A2,147,483,392
/2192.0.0.064 A1,073,741,696
/3224.0.0.032 A536,870,848
/4240.0.0.016 A268,435,424
/5248.0.0.08 A134,217,712
/6252.0.0.04 A67,108,856
/7254.0.0.02 A33,554,428
/8255.0.0.01 A16,777,214
/9255.128.0.0128 B8,388,352
/10255.192.0.064 B4,194,176
/11255.224.0.032 B2,097,088
/12255.240.0.016 B1,048,544
/13255.248.0.08 B524,272
/14255.252.0.04 B262,136
/15255.254.0.02 B131,068
/16255.255.0.01 B65,024
/17255.255.128.0128 C32,512
/18255.255.192.064 C16,256
/19255.255.224.032 C8,128
/20255.255.240.016 C4,064
/21255.255.248.08 C2,032
/22255.255.252.04 C1,016
/23255.255.254.02 C508
/24255.255.255.01 C254
/25255.255.255.1282 subnets124
/26255.255.255.1924 subnets62
/27255.255.255.2248 subnets30
/28255.255.255.24016 subnets14
/29255.255.255.24832 subnets6
/30255.255.255.25264 subnets2
/31255.255.255.254nonenone
/32255.255.255.255none1

UniFi’s Advanced Wi-Fi Settings Explained

UniFi’s Advanced Wi-Fi settings are often misunderstood. The defaults are usually safe, but it’s helpful to understand what these settings do while setting up a network or troubleshooting an issue. Ubiquiti doesn’t do the best job at explaining, so lets go through them one by one.
These settings and descriptions are using the default “new” interface, and they are current as of UniFi Network Application version 6.5.53. I also list the settings that are only available in the classic/old interface at the end.

UniFi’s Wi-Fi Settings
Table of Contents

  • Creating a New UniFi Wi-Fi Network
  • Advanced Wi-Fi Settings
    • Wi-Fi Band
    • Optimize IoT Wi-Fi Connectivity
    • AP Groups
    • UAPSD
    • High Performance Devices
    • Proxy ARP
    • Legacy Support
    • Multicast Enhancement (IGMPv3)
    • BSS Transition
    • L2 Isolation
    • Enable Fast Roaming
  • Bandwidth Profile
  • Security Settings
    • Security Protocol
    • If WPA3 is selected…
    • Hide Wi-Fi Name
    • PMF (Protected Management Frame)
    • Group Rekey Interval
  • MAC Authorization Settings
  • 802.11 Rate and Beacon Controls
    • Override DTIM Period
    • 2.4. GHz Data Rate Control
    • 5 GHz Data Rate Control
  • Wi-Fi Scheduler
  • Settings only available in the old UI

Creating a New UniFi Wi-Fi Network
In the UniFi interface, network settings are divided into Wi-Fi, Networks, and Internet.

  • Wi-Fi controls your wireless connections, including SSID, password, and other advanced settings.
  • Networks controls your LAN networks and VLANs, including DHCP, DNS, and IP addresses.
  • Internet controls your WAN connections, including VLANs, IP addresses, and Smart Queues for QoS.

By default, UniFi has one LAN network, which is used for all wired and wireless connections. Creating additional networks allows you to segment and restrict traffic. This is commonly used for guest or IoT devices, or separating devices or areas into different network groups. Before diving into wireless settings, setup your networks and VLANs first. This can be done by modifying the default LAN, or by creating a new network under the Networks tab.
If the network you want to use for Wi-Fi has been created, go to Settings → Wi-Fi → Add New Network.

Creating a new Wi-Fi network
Give it a name (SSID), password, and specify which network it is going to use. If you don’t want to use the default of a WPA2 password for the network, open the advanced options and scroll down to the “Security” tab and modify the settings there. Otherwise, you can save it, and it will be added to all of your APs by default.
If you want a basic network, that’s all you need to do. If you want more, the good stuff is hidden under the advanced tab.
UniFi’s Advanced Wi-Fi Settings
WI-FI Band

  • 2.4 GHz: Slower, longer range, more wall penetration.
  • 5 GHz : Faster, shorter range, less wall penetration.
  • Default: Both
  • Effect: This setting controls which band your Wi-Fi network broadcasts on. You can pick one, or enable both.
  • Note: Dual-band SSIDs can lead to roaming issues, with some clients not using 5 GHz, or not roaming to the nearest AP. There are several ways to combat this – usually adjusting AP placement, lowering 2.4 GHz transmit power, enabling band steering, fast roaming, or the “high performance devices” settings can be effective. You can also create a separate 2.4 GHz and 5 GHz network if you want guaranteed, manual control over which band is used by which device.

Optimize IoT Wi-Fi Connectivity

  • Improves the connection reliability of IoT devices.
  • Default: On
  • Effect: Forces DTIM settings to default values of 1 for 2.4 GHz and 3 for 5 GHz. More on DTIM below, under the 802.11 Rate and Beacon Controls section.

AP Groups

  • Allows grouping of APs and selecting which will broadcast this Wi-Fi network.
  • Default: All APs
  • Note: UniFi has a limit of 4 SSIDs per band, per AP group. You can stretch this to 8 total SSIDs if you limit your networks to a single band. You can have up to four 2.4 GHz and up to four 5 GHz networks, or four dual-band SSIDs. You can always create additional SSIDs, but each AP or AP group can only broadcast a total of four SSIDs, per band, at a time.
    • Edit: Thanks u/fictionaldisc711 for pointing out the limit can vary by model. The limit is 8 per band with the AC-HD. I don’t have a AC-SHD or UAP-XG to test, but those should allow for 8 SSIDs per band as well.
    • Edit #2: Thanks u/SmokingCrop- for pointing out that enabling wireless uplink connectivity monitor (under system -> application configuration, or old UI -> Site -> Services) also limits the total number of SSIDs to 4.

Setting Wi-Fi Band and AP Group
Scrolling below AP Groups is where things get fun, and the acronyms take over.
UAPSD

  • Unscheduled Automatic Power Save Delivery, also known as WMM power save.
  • Default: Off
  • Effect: Enabling allows devices that support UAPSD to save battery power by keeping their Wi-Fi radio in sleep mode for more time. Like a lot of features that are off by default, this can cause issues for some clients, especially older or IoT devices.
  • Recommendation: Turn on if battery life is important, and older/IoT device connectivity is not.

High Performance Devices

  • Connect high performance clients to 5 GHz only.
  • Default: On
  • Effect: Disabling this allows “high performance” clients to join 2.4 GHz. This can fix (or make worse!) some issues with dual-band SSIDs and poor roaming performance, at the cost of less throughput when devices connect to 2.4 GHz.
  • Recommendation: Disable if you have areas which are only covered by 2.4 GHz, or have issues with 2.4 GHz clients not being able to join the network.
  • Note: Ubiquiti doesn’t specify what “high performance” is, but I would assume this applies to devices that support Wi-Fi 5 or 6, and multiple spatial streams. Modern phones and laptops, basically.

Proxy ARP

  • Remaps ARP table for station. ARP is the Address Resolution Protocol, which is used to learn the MAC address for a given IP address.
  • Default: Off
  • Effect: Enabling allows the AP to answer ARP requests for client devices, which helps to limit broadcast traffic. This is mainly relevant in larger, higher density networks.
  • Recommendation: Enable for high-density networks.

Legacy Support

  • Enable legacy device support (i.e. 11b).
  • Default: Off
  • Effect: Enabling this allows connections to older devices that don’t support 802.11g or newer standards.
  • Recommendation: Only enable if you need devices that only support 802.11a or 802.11b to connect to the network.

Advanced Settings
Multicast Enhancement (IGMPV3)

  • Permit devices to send multicast traffic to registered clients at higher data rates by enabling the IGMPv3 protocol.
  • Default: Off
  • Effect: Enabling this might improve performance with smart home products such as smart speakers or streaming devices. Some have reported the opposite. Sonos speakers for example, usuallyfunction better when…
    • Spanning Tree is set to regular STP mode on your switches. I’d also recommend lowering the priority of your switches so they continue to be the Spanning Tree root bridge.
    • IGMP Snooping is on under network settings -> advanced. This allows switches to identify multicast groups used in each port. Multicast streams are forwarded only to network devices that should receive them.
    • Multicast Enhancement (IGMPv3) is on under Wi-Fi settings -> advanced. This enables the IGMP querier service on a UniFi gateway such as the USG or UDM, letting it create multicast groups which should improve Multicast traffic such as video or audio streams. Some people have had better luck with this disabled, and there may be other issues at fault, such as network topology. Multicast is hard to troubleshoot without a packet capture and knowledge of the protocols involved.
    • Multicast DNS is on under advanced features -> advanced gateway settings. mDNS allows for converting host names to IP addresses in a local network without a DNS server. An example of mDNS is Apple’s Bonjour, which is used to quickly setup sharing between computers and other devices. UniFi’s mDNS service allows you to discover devices on other networks.
  • Recommendation: Enabling this setting may help issues with Chromecast, AirPlay, or other smart home gear. Another option is to enable mDNS and create a separate SSID for these devices and follow Ubiquiti’s help article steps here.

BSS Transition

  • Allow BSS Transition with WNM, which stands for Wireless Network Management. WNM allows the AP to send messages to clients to give them information about the network, and the details of other APs. This includes the current utilization and number of clients, allowing the client to make more informed roaming decisions.
  • Default: On
  • Effect: Enables 802.11v. This assists with saving power and the roaming process, but it’s up to the client to device to make a decision based on the given information.
  • Recommendation: Leave enabled, especially in networks with multiple APs.

L2 Isolation

  • Isolates stations on layer 2 (Ethernet) level
  • Default: Off
  • Effect: Restricts clients from communicating with each other.
  • Recommendation: Enable for high-security guest networks, or IoT networks which would benefit from this restriction. This can also lead to unintended consequences, so test the devices behavior before and after changing this setting.

Enable Fast Roaming

  • Faster roaming for modern devices with 802.11r compatibility. It does this by speeding up the security key negotiation process, allowing both the negotiation and requests for resources to occur in parallel. With 802.1X, keys are cached rather than the client needing to check with the RADIUS server with each roam. With pre-shared key networks such as WPA2, the client goes through the normal 4-way handshake authentication process.
  • Default: Off
  • Effect: Enables OTA (Over-the-air) Fast BSS Transition, which allows devices that support it to roam between APs faster. Without this setting enabled, roaming from AP to AP may take a few seconds, and during that time data cannot be sent or received. In most cases you won’t notice this, but latency sensitive and real-time applications like a voice call perform poorly. Slow roaming behavior with a VoIP call may result in gaps in the audio. With 802.11r Fast Roaming enabled, the roams should be nearly unnoticeable.
  • Note: Fast BSS Transition works with both preshared key (PSK) and 802.1X authentication methods. Older devices should not experience connectivity issues with this enabled.

Bandwidth Profile

  • Default, or select existing profile.
  • Default: Bandwidth is unlimited.
  • Effect: Allows you to set default per client download and upload bandwidth limits.
  • Note: Create new profiles under Advanced features → Bandwidth Profile

New Bandwidth Profiles are created under Advanced Features -> Bandwidth Profile
Security Settings
Security Protocol

  • Open. No password needed to join the network.
  • WPA-2. The older pre-shared key security method, which requires a password to join the network. WPA-2 is less secure than WPA-3, but is more universally supported, especially on older devices.
  • WPA-2 Enterprise. The older 802.1X security method, which requires a RADIUS server to allow users to join the network with a username or password. Usually common in larger networks which need to grant or revoke permission to join without changing other people’s access by changing the pre-shared key.
  • WPA-2/WPA-3. Allows for a mix of WPA-2 and WPA-3 connections. Devices that support WPA-3 will use the newer and more secure standard, while older clients will fallback to WPA-2. This is less secure overall than requiring WPA-3, but it is more flexible and less likely to cause issues as we transition to WPA-3 as a default.
  • WPA-3. The newer pre-shared key security method, which does a lot of magic behind the scenes to be more secure than WPA-2. WPA-3 is still vulnerable to certain attacks, so still make sure to use a complex password and restrict access to that if it matters
  • WPA-3 Enterprise. The newer 802.1X security method, which like WPA-3 personal allows for more secure connections.

If WPA3 is selected…

  • WPA3 SAE anti-clogging threshold in seconds
    • Default: 5
    • Note: SAE is Simultaneous Authentication of Equals, and anti-clogging is designed to prevent denial of service (DoS) attacks on the AP. This setting affects the time threshold for what the AP considers “too many” requests.
  • WPA3 Sync in seconds
    • Default: 5
    • Note: Explaining how WPA3 works is beyond the scope of this guide. Only change these if you know what you’re doing, and have a valid reason.

Wi-Fi security and MAC Authorization settings
Hide Wi-Fi Name
This forces access points to send out beacon frames with no SSID, meaning the SSID field in the beacon frame is set to null. Beacons are still sent, and “hidden” networks are still easy to detect. To join a network with a hidden SSID, clients will have to manually enter the SSID name along with the password.
Hiding the SSID does not enhance the security of the network. Using a more complex password or moving to a newer protocol (WPA2/3 vs WPA or WEP) does.
PMF (Protected Management Frame)
Protected management frame (PMF) is a security feature which aims to prevent intercepting or forging management traffic. Management frames include authentication, de-authentication, association, dissociation, beacons, and probes. These cannot be encrypted like normal unicast traffic, so this feature protects from forgery, preventing some common security attacks.

  • Required: APs will use PMF for all stations. Stations without PMF capability will not be able to join the WLAN. Required for WPA3.
  • Optional: APs will use PMF for all capable stations, while allowing non-PMF capable stations to join the WLAN.
  • Disabled: APs will not use PMF for any stations.

Group Rekey Interval

  • This setting controls how often an AP changes the GTK, or Group Temporal Key. The GTK is a cryptographic key that is used to encrypt all broadcast and multicast traffic between APs and clients.
  • Default: 3600 seconds.
  • Note: Lower intervals mean the key changes more often, but can cause the issue of users disconnecting or unable to join the network with the message ‘wrong password’, even if the credentials are correct.

MAC Authorization Settings

  • MAC address Filter
    • Allows you to restrict clients from joining the network unless they are on the allow list, or block specific MAC addresses.
  • RADIUS MAC Authentication
    • Allows you to use a RADIUS server for client authentication.
  • RADIUS Profiles
    • Allows you to select pre-defined RADIUS profiles.
    • To create new profile, go to Advanced Features -> RADIUS -> Add RADIUS Profile. This is where you define the aspects of your RADIUS server like IP address, ports, assigned VLAN, shared secrets, and update interval.
  • MAC address format
    • Allows you to set the format for the MAC address and whether semicolons or hyphens are expected.

Override DTIM Period

  • DTIM stands for Delivery Traffic Indication Message, which is a message that is sent along with beacon frames. The role of the DTIM is to let a sleeping client know that it has buffered data waiting for it. Higher numbers buffer longer, potentially saving battery life. Altering these values can cause a variety of issues though, so change them at your own risk.
  • Default for 2.4 GHz: 1, meaning every 2.4 GHz beacon will include a DTIM
  • Default for 5 GHz: 3, meaning every third 5 GHz beacon will include a DTIM
  • Note: You cannot modify the default values when “Optimize IoT Wi-Fi Connectivity” is on.

802.11 Rate and Beacon Controls
2.4 and 5 GHz Data Rate Control

  • Disabling the lowest data rates is a common setting to consider for high density networks where airtime conservation is important. Lower data rates are less efficient. When data is sent at a low rate, it uses more airtime, limiting the performance of all the other devices using that AP. This does not limit the range of your AP, and the details are complicated. Rob Krumm has a great analysis of what changing your rate does and does not change if you want more details.
  • Default for 2.4 GHz: All rates allowed (1 to 54 Mbps)
  • Default for 5 GHz: All rates allowed (6 to 54 Mbps)
  • Recommendation: Leave at default for most networks. Disabling rates below 6 or 11 Mbps can improve the efficiency of higher-density networks.

WiFi Scheduler
Allows you to turn an SSID on or off at a certain time, or setup a weekly schedule.

Creating a new schedule in Wi-Fi Scheduler
Settings only available in the old UI (as of version 6.5.53)
These settings are missing in the new interface, or have been moved/renamed.

  • Apply Guest Policies
  • Beacon Country
  • Add 802.11d county roaming enhancements
  • TLDS Prohibit
  • Block Tunneled Link Direct Setup (TDLS) connections
  • Point to Point, also referred to as P2P
  • Send beacons at 1 Mbps

Windows Update error 0x80092004 Windows 7 & 2008

Microsoft changed the signing of update packages for Windows 7 and Windows Server 2008 R2 devices on the August 2019 Patch Day for the first time. The company signs packages only with SHA-2 since August 2019; it signed them with SHA-1 and SHA-2 previously but decided to drop SHA-1 because of known weaknesses.

Two updates need to be installed on Windows 7 and Windows Server 2008 R2 systems so that SHA-2 signed updates are installed correctly:

  • KB4474419 — SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: August 13, 2019
  • KB4490628 — Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019