Wireless
Wireless Overview
This chapter describes the Zyxel Device’s Network Setting > Wireless screens. Use these screens to set up your Zyxel Device’s Wi-Fi network and security settings.
What You Can Do in this Chapter
This section describes the Zyxel Device’s Wireless screens. Use these screens to set up your Zyxel Device’s Wi-Fi connection.
• Use the General screen to enable the Wireless LAN, enter the SSID and select the Wi-Fi security mode (Wireless General Settings)
• Use the WPS screen to enable or disable WPS, view or generate a security PIN (Personal Identification Number) (WPS).
• Use the Channel Status screen to scan the number of accessing points and view the results (Channel Status).
What You Need to Know
Wi-Fi Standard / IEEE 802.11
IEEE 802.11 is a set of standards developed by the Institute of Electrical and Electronics Engineers (IEEE) for wireless local area networks (WLANs). These standards define how devices like laptops, smartphones, and routers communicate wirelessly using radio waves.
The following table displays the comparison of the different Wi-Fi standards.
Wi-Fi Standard | Maximum Link Rate * | Band | Simultaneous Connections |
|---|---|---|---|
802.11b | 11 Mbps | 2.4 GHz | 1 |
802.11a/g | 54 Mbps | 2.4 GHz and 5 GHz | 1 |
802.11n | 600 Mbps | 2.4 GHz and 5 GHz | 1 |
802.11ac | 6.93 Gbps | 5 GHz | 4 |
802.11ax | 2.4 Gbps | 2.4 GHz | 128 |
9.61 Gbps | 5 GHz and 6 GHz |
* The maximum link rate is for reference under ideal conditions only.Wi-Fi 6 / IEEE 802.11ax
Wi-Fi 6 is backwards compatible with IEEE 802.11a/b/g/n/ac and is most suitable in areas with a high concentration of users. Wi-Fi 6 devices support Target Wakeup Time (TWT) allowing them to automatically power down when they are inactive.
Wi-Fi 6E (IEEE 802.11ax – Extended Standard)
Wi-Fi 6E is an extended standard of Wi-Fi 6 (IEEE 802.11ax). Wi-Fi 6E inherits all the Wi-Fi 6 features and brings with an additional 6 GHz band. The 6 GHz band allows you to avoid possible congested traffic in the lower 2.4 GHz and 5 GHz bands. Wi-Fi clients must support Wi-Fi 6E to connect to the device using the 6 GHz band.
Check your client device’s product specification to see if your client device supports the 6 GHz band (Wi-Fi 6E). If not, you should still use the 2.4/5 GHz bands for connection.Without Multi-Link Operation
Multi-Link Operation Example
Finding Out More
See Technical Reference for advanced technical information on Wi-Fi networks.
Wireless General Settings
Use this screen to enable the Wi-Fi, enter the SSID and select the Wi-Fi security mode. We recommend that you select More Secure to enable WPA3-SAE data encryption.
If you are configuring the Zyxel Device from a computer connected by Wi-Fi and you change the Zyxel Device’s SSID, channel or security settings, you will lose your Wi-Fi connection when you press Apply. You must change the Wi-Fi settings of your computer to match the new settings on the Zyxel Device.If upstream or downstream bandwidth is empty, the Zyxel Device sets the value automatically.Setting a maximum upstream or downstream bandwidth will significantly decrease wireless performance.For the Zyxel Device that supports 2.4 GHz and 5 GHz, Keep the same settings for 2.4 GHz and 5 GHz wireless networks is enabled and cannot be disabled when you enable Mesh in the Network > Wireless > MESH screen. To see if your model supports 6 GHz, please see Overview for more information. For the Zyxel Device that supports 2.4 GHz, 5 GHz, and 6 GHz, Keep the same settings for 2.4 GHz, 5 GHz, and 6 GHz wireless networks is enabled and cannot be disabled when you enable Mesh in the Network > Wireless > MESH screen. To see if your model supports 6 GHz, please see Overview for more information.
Click Network Setting > Wireless to open the General screen.
Network Setting > Wireless > General (for 2.4 GHz and 5 GHz models)
The following table describes the general Wi-Fi labels in this screen.
LABEL | description |
|---|---|
Wireless | |
Wireless | For the Zyxel Device that supports 2.4 GHz and 5 GHz, select Keep the same settings for 2.4GHz and 5GHz wireless networks, and the 2.4 GHz and 5 GHz Wi-Fi networks will use the same SSID and wireless security settings. For the Zyxel Device that supports 2.4 GHz, 5 GHz, and 6 GHz, select Keep the same settings for 2.4GHz, 5GHz and 6GHz wireless networks, and the 2.4 GHz, 5 GHz and 6 GHz Wi-Fi networks will use the same SSID and wireless security settings. To see if your model supports 6 GHz, please see Overview for more information.Keep the same settings for 2.4GHz, 5GHz and 6GHz wireless network means the 2.4 GHz, 5 GHz, and 6 GHz Wi-Fi bands use the same network name (SSID) and some security settings. If your Zyxel Devices supports only 2.4 GHz and 5 GHz, Keep the same settings for 2.4GHz and 5GHz wireless networks means the 2.4 GHz and 5 GHz Wi-Fi bands use the same network name (SSID) and some security settings. This allows Wi-Fi clients to seamlessly connect to either band depending on signal strength and Wi-Fi client specifications. The Zyxel Device intelligently connects each Wi-Fi client to the best available band for optimal performance and coverage:• 2.4GHz: better range and slower speed • 5GHz: faster speed and shorter range • 6GHz (if supported): very fast but with the shortest range If Keep the same settings for 2.4GHz, 5GHz and 6GHz wireless networks or Keep the same settings for 2.4GHz and 5GHz wireless networks is disabled, the SSID and some security settings remain the same across all bands. You should assign different network names (SSIDs) to each band if you want to distinguish between the bands. However, band steering may not work properly unless a Wi-Fi client connects to all supported bands already. Some older devices may not support band steering and may remain on a single band. Some devices may be forced onto a band that is suboptimal for their needs. For example, some laptops may stay on a slower 2.4 GHz link even when a 5 GHz band is available. It can also be hard to diagnose Wi-Fi issues such as weak signals or congestion, as you cannot immediately tell which band a device is connected to. Wi-Fi clients may switch between bands, causing brief disconnections or latency during movement between APs or bands. For critical Wi-Fi clients (such as IoT devices, security cameras, or VoIP phones), consider using separate SSIDs to ensure stability. |
Band | This shows the Wi-Fi band which this radio profile is using. 2.4GHz is the frequency used by IEEE 802.11b/g/n/ax Wi-Fi clients, 5GHz is used by IEEE 802.11a/n/ac/ax Wi-Fi clients while 6GHz is used by IEEE 802.11a/n/ac/ax Wi-Fi clients. To see if your model supports 6 GHz, please see Overview for more information. |
Wireless or Wi-Fi | Click this switch to enable or disable Wi-Fi network in this field. When the switch turns blue, the function is enabled. Otherwise, it is not. This label displays Wireless or Wi-Fi, depending on the Zyxel Device model. |
Channel | Select a channel from the drop-down list box. The options vary depending on the frequency band and the country you are in. Use Auto to have the Zyxel Device automatically determine a channel to use. |
Bandwidth | A standard 20 MHz channel offers transfer speeds of up to 150 Mbps whereas a 40 MHz channel uses two standard channels and offers speeds of up to 300 Mbps. 40 MHz (channel bonding or dual channel) bonds two adjacent radio channels to increase throughput. The Wi-Fi clients must also support 40 MHz. It is often better to use the 20 MHz setting in a location where the environment hinders the Wi-Fi signal. An 80 MHz channel groups adjacent 40 MHz channels into pairs to increase bandwidth even higher. Select 20MHz if you want to lessen radio interference with other wireless devices in your neighborhood or the Wi-Fi clients do not support channel bonding. Not all Zyxel Devices support all channels. The Zyxel Device will choose the best bandwidth available automatically depending on the radio you chose and network conditions. |
Control Sideband | This is available for some regions when you select a specific channel and set the Bandwidth field to 40MHz or 20/40MHz. Set whether the control channel (set in the Channel field) should be in the Lower or Upper range of channel bands. |
Blocking BSSID LAN Access | Select this checkbox so that the Wi-Fi client’s access to all devices on the LAN will be blocked. |
Max. Upstream Bandwidth | Max. Upstream Bandwidth allows you to specify the maximum rate for upstream wireless traffic to the WAN from this wireless LAN in kilobits per second (Kbps). |
Max. Downstream Bandwidth | Max. Downstream Bandwidth allows you to specify the maximum rate for downstream wireless traffic to this wireless LAN from the WAN in kilobits per second (Kbps). |
No Security
Select No Security to allow wireless stations to communicate with the access points without any data encryption or authentication.
If you do not enable any Wi-Fi security on your Zyxel Device, your network is accessible to any wireless networking device that is within range.Wireless > General: No Security
The following table describes the labels in this screen.
LABEL | description |
|---|---|
Security Level | Choose No Security to allow all Wi-Fi connections without data encryption or authentication. |
More Secure (Recommended)
The WPA-PSK (Wi-Fi Protected Access-Pre-Shared Key) security mode provides both improved data encryption and user authentication over WEP. Using a pre-shared key, both the Zyxel Device and the connecting client share a common password in order to validate the connection. This type of encryption, while robust, is not as strong as WPA, WPA2 or even WPA2-PSK. The WPA2-PSK security mode is a more robust version of the WPA encryption standard. It offers better security, although the use of PSK makes it less robust than it could be.
The WPA3-SAE (Simultaneous Authentication of Equals handshake) security mode protects against dictionary attacks (password guessing attempts). It improves security by requiring a new encryption key every time a WPA3 connection is made. A handshake is the communication between the Zyxel Device and a connecting client at the beginning of a Wi-Fi session.
Click Network Setting > Wireless to display the General screen. Select More Secure as the security level. Then select WPA3-SAE from the Security Mode list if your Wi-Fi client supports it. If you are not sure, select WPA3-SAE/WPA2-PSK or WPA2-PSK.
Wireless > General: More Secure: WPA3-SAE/WPA2-PSK
The following table describes the labels in this screen.
Label | description |
|---|---|
Protected Management Frames | This option is only available when using WPA2-PSK as the Security Mode and AES Encryption in Network Setting > Wireless > General. Management frame protection (MFP) helps prevent Wi-Fi DoS (Denial of Service) attacks. Select Disable if you do not want to use MFP. Select Capable to encrypt management frames of Wi-Fi clients that support MFP. Clients that do not support MFP will still be allowed to join the Wi-Fi network, but remain unprotected. Select Required to allow only clients that support MFP to join the Wi-Fi network. When Mesh is enabled, the settings of Protected Management Frames of 5G will follow 2.4G. |
More AP Screen
Use this screen to configure a guest Wi-Fi network that allows access to the Internet through the Zyxel Device. You can use one access point to provide several BSSs simultaneously. You can then assign varying security types to different SSIDs. Wi-Fi clients can use different SSIDs to associate with the same access point.
A Home Guest (H) can access the Internet and other Home Guest (H) Wi-Fi clients on the same Wi-Fi network. They cannot communicate with wired devices connected to the Zyxel Device’s LAN.
Home Guest
An External Guest (E) can access the Internet only. They cannot access other clients on the same Wi-Fi network nor any wired connections from the Zyxel Device.
External Guest
Click Network Setting > Wireless > More AP.
The following table introduces the supported Wi-Fi networks.
Wi-Fi networks | where TO CONFIGURE |
|---|---|
Main/1 | Network Setting > Wireless > General screen |
Guest/3 | Network Setting > Wireless > More AP screen |
The following screen displays.
Network Setting > Wireless > More AP
The following table describes the labels in this screen.
Label | Description |
|---|---|
Band | For the Zyxel Device that supports 2.4 GHz and 5 GHz, select a 2.4GHz or 5GHz frequency band to display the SSID profile of the selected band. For the Zyxel Device that supports 2.4 GHz, 5 GHz, and 6 GHz, select a 2.4GHz, 5GHz, or 6GHz frequency band to display the SSID profile of the selected band. |
# | This is the index number of the entry. |
Status | This field indicates whether this SSID is active. A yellow bulb signifies that this SSID is active, while a gray bulb signifies that this SSID is not active. |
SSID | An SSID profile is the set of parameters relating to one of the Zyxel Device’s BSSs. The SSID (Service Set IDentifier) identifies the Service Set with which a wireless device is associated. This field displays the name of the wireless profile on the network. When a Wi-Fi client scans for an AP to associate with, this is the name that is broadcast and seen in the Wi-Fi client utility. The SSID profiles displayed differ by the frequency band you select in the Band field. |
Security | This field indicates the security mode of the SSID profile. |
Guest WLAN | This displays if the guest WLAN function has been enabled for this WLAN. A Home Guest can access the Internet and other Home Guest Wi-Fi clients on the same Wi-Fi network. They cannot communicate with wired devices connected to the Zyxel Device’s LAN. An External Guest can access the Internet only. They cannot access other clients on the same Wi-Fi network nor any wired connections from the Zyxel Device. N/A displays if guest WLAN is disabled. |
Modify | Click the Edit icon of an SSID profile to configure the SSID profile. |
The Edit More AP Screen
Use this screen to create Guest and additional Wi-Fi networks with different security settings.
If upstream/downstream bandwidth is empty, the Zyxel Device sets the value automatically. Setting a maximum upstream/downstream bandwidth will significantly decrease Wi-Fi performance.Click the Edit icon next to an SSID in the Guest/More AP screen. The following screen displays.
Network Setting > Wireless > Guest/More AP > Edit
Network Setting > Wireless > Guest/More AP > Edit > Access Scenario: Home Guest
Network Setting > Wireless > Guest/More AP > Edit > Access Scenario: External Guest
The following table describes the fields in this screen.
Label | Description |
|---|---|
Wi-Fi or Wireless Network Setup | |
Wi-Fi or Wireless | Click this switch to enable or disable the Wi-Fi in this field. When the switch turns blue  , the function is enabled; otherwise, it is not. |
Wi-Fi or Wireless Network Settings | |
Wi-Fi or Wireless Network Name | The SSID (Service Set Identifier) identifies the service set with which a wireless device is associated. Wireless devices associating to the access point (AP) must have the same SSID. Enter a descriptive name for the Wi-Fi. You can use up to 32 printable characters, including spaces. |
Hide SSID | Select this checkbox to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning using a site survey tool. |
Guest WLAN | Select this to create Guest WLANs for home and external clients. Select the WLAN type in the Access Scenario field. |
Access Scenario | Select Home Guest or External Guest to provide different levels of access to the Zyxel Device and the other Wi-Fi clients. A Home Guest can access the Internet and other Home Guest Wi-Fi clients on the same Wi-Fi network. They cannot communicate with wired devices connected to the Zyxel Device’s LAN. An External Guest can access the Internet only. They cannot access other clients on the same Wi-Fi network nor any wired connections from the Zyxel Device. |
Max. Upstream Bandwidth | Specify the maximum rate for upstream wireless traffic to the WAN from this WLAN in kilobits per second (Kbps). |
Max. Downstream Bandwidth | Specify the maximum rate for downstream wireless traffic to this WLAN from the WAN in kilobits per second (Kbps). |
BSSID | This shows the MAC address of the Wi-Fi interface on the Zyxel Device when Wi-Fi is enabled. |
SSID Subnet | Click on this switch to Enable this function if you want the wireless network interface to assign DHCP IP addresses to the associated Wi-Fi clients. This option cannot be used if Keep 2.4G and 5G wireless network name the same is enabled in Network > Wireless > General. |
DHCP Start Address | Specify the first of the contiguous addresses in the DHCP IP address pool. The Zyxel Device assigns IP addresses from this DHCP pool to Wi-Fi clients connecting to the SSID. |
DHCP End Address | Specify the last of the contiguous addresses in the DHCP IP address pool. |
SSID Subnet Mask | Specify the subnet mask of the Zyxel Device for the SSID subnet. |
LAN IP Address | Specify the IP address of the Zyxel Device for the SSID subnet. |
Security Level | |
Security Mode | Select More Secure (Recommended) to add security on this Wi-Fi network. The Wi-Fi clients which want to associate to this network must have the same Wi-Fi security settings as the Zyxel Device. After you select to use a security, additional options appears in this screen. Or you can select No Security to allow any client to associate this network without any data encryption or authentication. See No Security for more details about this field. |
Protected Management Frames | This option is only available when using WPA2-PSK as the Security Mode and AES Encryption in Network Setting > Wireless > General. Management frame protection (MFP) helps prevent Wi-Fi DoS (Denial of Service) attacks. Select Disable if you do not want to use MFP. Select Capable to encrypt management frames of Wi-Fi clients that support MFP. Clients that do not support MFP will still be allowed to join the Wi-Fi network, but remain unprotected. Select Required to allow only clients that support MFP to join the Wi-Fi network. When Mesh is enabled, the settings of Protected Management Frames of 5G will follow 2.4G. |
Generate password automatically | Select this option to have the Zyxel Device automatically generate a password. The password field will not be configurable when you select this option. |
Password | WPA2-PSK uses a simple common password, instead of user-specific credentials. 1. If you did not select Generate password automatically, you can manually enter a pre-shared key at least 8 characters long, including one uppercase letter, one lowercase letter, one number, and one special character. Click the Eye icon to show or hide the password of your Wi-Fi network. When the Eye icon is slashed  , you will see the password in plain text. Otherwise, it is hidden. |
Strength | This displays the current password strength – weak, medium, strong. |
Click this  to show more fields in this section. Click again to hide them. | |
Encryption | AES is the default data encryption type, which uses a 128-bit key. |
Timer | The Timer is the rate at which the RADIUS server sends a new group key out to all clients. The valid range is 0 to 2,147,483,647 seconds. When the timer is set to “0”, it means the same encryption key will be used indefinitely until the session ends. |
Cancel | Click Cancel to exit this screen without saving. |
OK | Click OK to save your changes. |
WPS
Use this screen to configure Wi-Fi Protected Setup (WPS) on your Zyxel Device.
W-iFi Protected Setup (WPS) allows you to quickly set up a Wi-Fi network with strong security, without having to configure security settings manually. Select one of the WPS methods and follow the instructions to establish a WPS connection.Your Wi-Fi devices must support WPS to use this feature. We recommend using Push Button Configuration (PBC) if your Wi-Fi device supports it.
The Zyxel Device applies the security settings of the main SSID (SSID1) profile to the WPS wireless connection (see More Secure (Recommended)). Some models support more than one SSID profile, check the supported number on the Network Setting > Wireless > General screen.The WPS switch is unavailable if the Wi-Fi is disabled.If WPS is enabled, UPnP will automatically be turned on.
Click Network Setting > Wireless > WPS. The following screen displays. Click this switch and it will turn blue. Click Apply to activate the WPS function. Then you can configure the WPS settings in this screen.
Network Setting > Wireless > WPS
The following table describes the labels in this screen.
Label | Description |
|---|---|
General | |
Band | For Zyxel Device that supports 2.4 GHz and 5 GHz, select a 2.4GHz or 5GHz frequency band to enable WPS for all Wi-Fi networks in the selected band. For Zyxel Device that supports 2.4 GHz, 5 GHz, and 6 GHz, select a 2.4GHz, 5GHz, or 6GHz frequency band to enable WPS for all Wi-Fi networks in the selected band. If you use the WPS button on the Zyxel Device ports panel, WPS is automatically enabled on both 2.4 GHz and 5 GHz bands. See Ports Panel for more information about the WPS button. |
WPS | Slide this to the right to enable and have the Zyxel Device activate WPS. Otherwise, it is disabled. |
Add a new device with WPS Method | |
Method 1 PBC | Use this section to set up a WPS or Wi-Fi network using Push Button Configuration (PBC). Click this switch to make it turn blue. Click Apply to activate WPS method 1 on the Zyxel Device. |
WPS | Click this button to add another WPS-enabled Wi-Fi device (within Wi-Fi range of the Zyxel Device) to your Wi-Fi network. This button may either be a physical button on the outside of a Wi-Fi device, or a menu button similar to the WPS button on this screen. You must press the other Wi-Fi device’s WPS button within 2 minutes of pressing this button. |
Cancel | Click Cancel to restore your previously saved settings. |
Apply | Click Apply to save your changes. |
Channel Status
Use this screen to scan for Wi-Fi channel noise and view the results. Click Scan to start, and then view the results in the Channel Scan Result section. The value on each channel number indicates the number of Access Points (AP) using that channel. The Auto-channel-selection algorithm does not always directly follow the AP count; other factors about the channels are also considered. Click Network Setting > Wireless > Channel Status. The screen appears as shown.
If the current channel is a DFS channel, the warning ‘Channel scan process is denied because current channel is a DFS channel (Channel: 52 to 140). If you want to run channel scan, please select a non-DFS channel and try again.’ appears.The AP count may not be a real-time value.Network Setting > Wireless > Channel Status
The following table describes the labels in this screen.
Label | description |
|---|---|
Channel Monitor | |
Wireless Network Setup | |
Band | For Zyxel Device supports 2.4 GHz and 5 GHz, select a 2.4 GHz or 5 GHz frequency band on which you want to conduct a channel scan. For Zyxel Device supports 2.4 GHz, 5 GHz, and 6 GHz, select a 2.4 GHz, 5 GHz or 6 GHz frequency band on which you want to conduct a channel scan. |
Scan wireless LAN Channels | Click the Scan button to scan Wi-Fi channels. |
Channel Scan Result | This displays the results of the channel scan. The blue bar displays the number of access points (AP count) in the Wi-Fi channel. The orange bar displays the Wi-Fi channel that the Zyxel Device is now using. |
MESH
The Zyxel Device supports Mesh to manage your Wi-Fi network. Mesh is the Zyxel implantation of Wi-Fi-Alliance Easy Mesh. It supports AP steering, band steering, auto-configuration and other advances for your Wi-Fi network.
The Zyxel Device can function as a controller to automatically configure Wi-Fi settings on extenders in the network as well as optimize bandwidth usage.
The Zyxel Device optimizes bandwidth usage by directing Wi-Fi clients to an extender (AP steering) or a 2.4 GHz or 5 GHz band (band steering) that is less busy.
See Ways to Manage the Zyxel Device for the complete tutorials with the MPro Mesh app or Zyxel One app.
• Setting up your Mesh network with the Zyxel Device and an Mesh extender,
• setting up your general or guest Wi-Fi,
• basic configurations.
MPro Mesh
Use this screen to enable or disable the Mesh on the Zyxel Device.
Click Network Setting > Wireless > MESH. The following screen displays.
When MPro Mesh is enabled, the SSID and Wi-Fi password of the main 2.4 GHz Wi-Fi network will be copied to the main 5 GHz Wi-Fi network.Network Setting > Wireless > MESH
The following table describes the labels in this screen.
LABEL | DESCRIPTION |
|---|---|
MPro Mesh | Click the button (to the right) to enable the Mesh feature on the Zyxel Device and set up your Mesh network. |
Technical Reference
This section discusses Wi-Fi in depth.
Wi-Fi Network Overview
Wi-Fi networks consist of Wi-Fi clients, access points and bridges.
• A Wi-Fi client is a radio connected to a user’s computer.
• An access point is a radio with a wired connection to a network, which can connect with numerous Wi-Fi clients and let them access the network.
• A bridge is a radio that relays communications between access points and Wi-Fi clients, extending a network’s range.
Normally, a Wi-Fi network operates in an “infrastructure” type of network. An “infrastructure” type of network has one or more access points and one or more Wi-Fi clients. The Wi-Fi clients connect to the access points.
The following figure provides an example of a Wi-Fi network.
Example of a Wi-Fi Network
The Wi-Fi network is the part in the blue circle. In this Wi-Fi network, devices A and B use the access point (AP) to interact with the other devices (such as the printer) or with the Internet. Your Zyxel Device is the AP.
Every Wi-Fi network must follow these basic guidelines.
• Every Wi-Fi device in the same Wi-Fi network must use the same SSID.
The SSID is the name of the Wi-Fi network. It stands for Service Set IDentifier.
• If two Wi-Fi networks overlap, they should use a different channel.
Like radio stations or television channels, each Wi-Fi network uses a specific channel, or frequency, to send and receive information.
• Every Wi-Fi device in the same Wi-Fi network must use security compatible with the AP.
Security stops unauthorized devices from using the Wi-Fi network. It can also protect the information that is sent in the Wi-Fi network.
Additional Wi-Fi Terms
The following table describes some Wi-Fi network terms and acronyms used in the Zyxel Device’s Web Configurator.
Term | Description |
|---|---|
RTS/CTS Threshold | In a Wi-Fi network which covers a large area, Wi-Fi devices are sometimes not aware of each other’s presence. This may cause them to send information to the AP at the same time and result in information colliding and not getting through. By setting this value lower than the default value, the Wi-Fi devices must sometimes get permission to send information to the Zyxel Device. The lower the value, the more often the devices must get permission. If this value is greater than the fragmentation threshold value (see below), then Wi-Fi devices never have to get permission to send information to the Zyxel Device. |
Preamble | A preamble affects the timing in your Wi-Fi network. There are two preamble modes: long and short. If a Wi-Fi device uses a different preamble mode than the Zyxel Device does, it cannot communicate with the Zyxel Device. |
Authentication | The process of verifying whether a Wi-Fi device is allowed to use the Wi-Fi network. |
Fragmentation Threshold | A small fragmentation threshold is recommended for busy networks, while a larger threshold provides faster performance if the network is not very busy. |
Wi-Fi Security Overview
By their nature, radio communications are simple to intercept. For Wi-Fi data networks, this means that anyone within range of a Wi-Fi network without security can not only read the data passing over the airwaves, but also join the network. Once an unauthorized person has access to the network, he or she can steal information or introduce malware (malicious software) intended to compromise the network. For these reasons, a variety of security systems have been developed to ensure that only authorized people can use a Wi-Fi data network, or understand the data carried on it.
These security standards do two things. First, they authenticate. This means that only people presenting the right credentials (often a username and password, or a “key” phrase) can access the network. Second, they encrypt. This means that the information sent over the air is encoded. Only people with the code key can understand the information, and only people who have been authenticated are given the code key.
These security standards vary in effectiveness. Some can be broken, such as the old Wired Equivalent Protocol (WEP). Using WEP is better than using no security at all, but it will not keep a determined attacker out. Other security standards are secure in themselves but can be broken if a user does not use them properly. For example, the WPA-PSK security standard is very secure if you use a long key which is difficult for an attacker’s software to guess – for example, a twenty-letter long string of apparently random numbers and letters – but it is not very secure if you use a short key which is very easy to guess – for example, a three-letter word from the dictionary.
Because of the damage that can be done by a malicious attacker, it is not just people who have sensitive information on their network who should use security. Everybody who uses any Wi-Fi network should ensure that effective security is in place.
A good way to come up with effective security keys, passwords and so on is to use obscure information that you personally will easily remember, and to enter it in a way that appears random and does not include real words. For example, if your mother owns a 1970 Dodge Challenger and her favorite movie is Vanishing Point (which you know was made in 1971) you could use “70dodchal71vanpoi” as your security key.
The following sections introduce different types of Wi-Fi security you can set up in the Wi-Fi network.
SSID
Normally, the Zyxel Device acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the Zyxel Device does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess.
This type of security is fairly weak, however, because there are ways for unauthorized Wi-Fi devices to get the SSID. In addition, unauthorized Wi-Fi devices can still see the information that is sent in the Wi-Fi network.
MAC Address Filter
Every device that can use a Wi-Fi network has a unique identification number, called a MAC address.1 A MAC address is usually written using twelve hexadecimal characters2; for example, 00A0C5000002 or 00:A0:C5:00:00:02. To get the MAC address for each Wi-Fi device in the Wi-Fi network, see the Wi-Fi device’s User’s Guide or other documentation.
You can use the MAC address filter to tell the Zyxel Device which devices are allowed or not allowed to use the Wi-Fi network. If a Wi-Fi device is allowed to use the Wi-Fi network, it still has to have the correct information (SSID, channel, and security). If a Wi-Fi device is not allowed to use the Wi-Fi network, it does not matter if it has the correct information.
This type of security does not protect the information that is sent in the Wi-Fi network. Furthermore, there are ways for unauthorized Wi-Fi devices to get the MAC address of an authorized Wi-Fi device. Then, they can use that MAC address to use the Wi-Fi network.
Encryption
Wi-Fi networks can use encryption to protect the information that is sent in the Wi-Fi network. Encryption is like a secret code. If you do not know the secret code, you cannot understand the message.
The types of encryption you can choose depend on the type of authentication. (See Encryption for information about this.)
No Authentication | RADIUS Server | |
|---|---|---|
Weakest | No Security | WPA WPA2 |
 | WPA-PSK | |
WPA2 | ||
Strongest | WPA3-SAE | WPA3 (server certificate validation) |
For example, if the Wi-Fi network has a RADIUS server, you can choose WPA, WPA2, or WPA3. If users do not log in to the Wi-Fi network, you can choose no encryption, WPA2-PSK, or WPA3-SAE.
It is recommended that Wi-Fi networks use WPA3-SAE, WPA2-PSK, or stronger encryption. The other types of encryption are better than none at all, but it is still possible for unauthorized Wi-Fi devices to figure out the original information pretty quickly.Many types of encryption use a key to protect the information in the Wi-Fi network. The longer the key, the stronger the encryption. Every device in the Wi-Fi network must have the same key.
Signal Problems
Because Wi-Fi networks are radio networks, their signals are subject to limitations of distance, interference and absorption.
Problems with distance occur when the two radios are too far apart. Problems with interference occur when other radio waves interrupt the data signal. Interference may come from other radio transmissions, such as military or air traffic control communications, or from machines that are coincidental emitters such as electric motors or microwaves. Problems with absorption occur when physical objects (such as thick walls) are between the two radios, muffling the signal.
MBSSID
Traditionally, you need to use different APs to configure different Basic Service Sets (BSSs). As well as the cost of buying extra APs, there is also the possibility of channel interference. The Zyxel Device’s MBSSID (Multiple Basic Service Set IDentifier) function allows you to use one access point to provide several BSSs simultaneously. You can then assign varying QoS priorities and/or security modes to different SSIDs.
Wireless devices can use different BSSIDs to associate with the same AP.
Notes on Multiple BSSs
• A maximum of eight BSSs are allowed on one AP simultaneously.
• You must use different keys for different BSSs. If two wireless devices have different BSSIDs (they are in different BSSs), but have the same keys, they may hear each other’s communications (but not communicate with each other).
• MBSSID should not replace but rather be used in conjunction with 802.1x security.
Preamble Type
Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet.
Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11 compliant Wi-Fi adapters support long preamble, but not all support short preamble.
Use long preamble if you are unsure what preamble mode other Wi-Fi devices on the network support, and to provide more reliable communications in busy Wi-Fi networks.
Use short preamble if you are sure all Wi-Fi devices on the network support it, and to provide more efficient communications.
Use the dynamic setting to automatically use short preamble when all Wi-Fi devices on the network support it, otherwise the Zyxel Device uses long preamble.
The Wi-Fi devices MUST use the same preamble mode in order to communicate.Wi-Fi Protected Setup (WPS)
Your Zyxel Device supports Wi-Fi Protected Setup (WPS), which is an easy way to set up a secure Wi-Fi network. WPS is an industry standard specification, defined by the Wi-Fi Alliance.
WPS allows you to quickly set up a Wi-Fi network with strong security, without having to configure security settings manually. Each WPS connection works between two devices. Both devices must support WPS (check each device’s documentation to make sure).
Depending on the devices you have, you can either press a button (on the device itself, or in its configuration utility) or enter a PIN (a unique Personal Identification Number that allows one device to authenticate the other) in each of the two devices. When WPS is activated on a device, it has 2 minutes to find another device that also has WPS activated. Then, the two devices connect and set up a secure network by themselves.
Push Button Configuration
WPS Push Button Configuration (PBC) is initiated by pressing a button on each WPS-enabled device, and allowing them to connect automatically. You do not need to enter any information.
Not every WPS-enabled device has a physical WPS button. Some may have a WPS PBC button in their configuration utilities instead of or in addition to the physical button.
Take the following steps to set up WPS using the button.
1 Ensure that the two devices you want to set up are within Wi-Fi range of one another.
2 Look for a WPS button on each device. If the device does not have one, log into its configuration utility and locate the button (see the device’s User’s Guide for how to do this – for the Zyxel Device).
3 Press the button on one of the devices (it does not matter which). For the Zyxel Device you must press the Wi-Fi button for more than 5 seconds.
4 Within 2 minutes, press the button on the other device. The registrar sends the network name (SSID) and security key through a secure connection to the enrollee.
If you need to make sure that WPS worked, check the list of associated Wi-Fi clients in the AP’s configuration utility. If you see the Wi-Fi client in the list, WPS was successful.
How WPS Works
When two WPS-enabled devices connect, each device must assume a specific role. One device acts as the registrar (the device that supplies network and security settings) and the other device acts as the enrollee (the device that receives network and security settings. The registrar creates a secure EAP (Extensible Authentication Protocol) tunnel and sends the network name (SSID) and the WPA-PSK or WPA2-PSK pre-shared key to the enrollee. Whether WPA-PSK or WPA2-PSK is used depends on the standards supported by the devices. If the registrar is already part of a network, it sends the existing information. If not, it generates the SSID and WPA2-PSK randomly.
The following figure shows a WPS-enabled client (installed in a notebook computer) connecting to a WPS-enabled access point.
How WPS Works
The roles of registrar and enrollee last only as long as the WPS setup process is active (2 minutes). The next time you use WPS, a different device can be the registrar if necessary.
The WPS connection process is like a handshake; only two devices participate in each WPS transaction. If you want to add more devices you should repeat the process with one of the existing networked devices and the new device.
Note that the access point (AP) is not always the registrar, and the Wi-Fi client is not always the enrollee. All WPS-certified APs can be a registrar, and so can some WPS-enabled Wi-Fi clients.
By default, a WPS device is ‘un-configured’. This means that it is not part of an existing network and can act as either enrollee or registrar (if it supports both functions). If the registrar is un-configured, the security settings it transmits to the enrollee are randomly-generated. Once a WPS-enabled device has connected to another device using WPS, it becomes ‘configured’. A configured Wi-Fi client can still act as enrollee or registrar in subsequent WPS connections, but a configured access point can no longer act as enrollee. It will be the registrar in all subsequent WPS connections in which it is involved. If you want a configured AP to act as an enrollee, you must reset it to its factory defaults.
Example WPS Network Setup
This section shows how security settings are distributed in a sample WPS setup.
The following figure shows a sample network. In step 1, both AP1 and Client 1 are un-configured. When WPS is activated on both, they perform the handshake. In this example, AP1 is the registrar, and Client 1 is the enrollee. The registrar randomly generates the security information to set up the network, since it is un-configured and has no existing information.
WPS: Example Network Step 1
In step 2, you add another Wi-Fi client to the network. You know that Client 1 supports registrar mode, but it is better to use AP1 for the WPS handshake with the new client since you must connect to the access point anyway in order to use the network. In this case, AP1 must be the registrar, since it is configured (it already has security information for the network). AP1 supplies the existing security information to Client 2.
WPS: Example Network Step 2
In step 3, you add another access point (AP2) to your network. AP2 is out of range of AP1, so you cannot use AP1 for the WPS handshake with the new access point. However, you know that Client 2 supports the registrar function, so you use it to perform the WPS handshake instead.
WPS: Example Network Step 3
Limitations of WPS
WPS has some limitations of which you should be aware.
• When you use WPS, it works between two devices only. You cannot enroll multiple devices simultaneously, you must enroll one after the other.
For instance, if you have two enrollees and one registrar you must set up the first enrollee (by pressing the WPS button on the registrar and the first enrollee, for example), then check that it was successfully enrolled, then set up the second device in the same way.
• WPS works only with other WPS-enabled devices. However, you can still add non-WPS devices to a network you already set up using WPS.
WPS works by automatically issuing a randomly-generated WPA-PSK or WPA2-PSK pre-shared key from the registrar device to the enrollee devices. Whether the network uses WPA-PSK or WPA2-PSK depends on the device. You can check the configuration interface of the registrar device to discover the key the network is using (if the device supports this feature). Then, you can enter the key into the non-WPS device and join the network as normal (the non-WPS device must also support WPA-PSK or WPA2-PSK).
• When you use the PBC method, there is a short period (from the moment you press the button on one device to the moment you press the button on the other device) when any WPS-enabled device could join the network. This is because the registrar has no way of identifying the ‘correct’ enrollee, and cannot differentiate between your enrollee and a rogue device. This is a possible way for a hacker to gain access to a network.
You can easily check to see if this has happened. WPS only works simultaneously between two devices, so if another device has enrolled your device will be unable to enroll, and will not have access to the network. If this happens, open the access point’s configuration interface and look at the list of associated clients (usually displayed by MAC address). It does not matter if the access point is the WPS registrar, the enrollee, or was not involved in the WPS handshake; a rogue device must still associate with the access point to gain access to the network. Check the MAC addresses of your Wi-Fi clients (usually printed on a label on the bottom of the device). If there is an unknown MAC address you can remove it or reset the AP.
1 Some wireless devices, such as scanners, can detect Wi-Fi networks but cannot use Wi-Fi networks. These kinds of wireless devices might not have MAC addresses.
2 Hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F.