Wireless Network Best Practices

Applies To: WatchGuard Cloud-managed Access Points (AP130, AP230W, AP330, AP332CR, AP430CR, AP432)

This section provides suggestions and best practices on how to deploy a wireless network. The recommended settings are based on the features available in Wi-Fi in WatchGuard Cloud.

Access Point Transmit Power

You can set the maximum transmit power of your access points to limit or expand the transmission distance of your wireless signals.

Use your site survey to determine the transmit power for your deployment. You can set the transmit power from 8 dBm to 28 dBm. If you set the value to Auto, the access point uses the maximum transmit power allowed for the country of operation.

In most cases, you can use the default Auto selection to provide the maximum power for optimal range. Physical obstructions in deployments such as walls and doors can result in significant interference with signal propagation.

In very dense deployments where access points are deployed in close proximity to each other, we recommend that you adjust your transmit power to limit your coverage area so that it does not expand outside the necessary boundaries for your deployment.

We recommend that you set access point transmit power levels for 2.4 GHz lower than those for 5 GHz. This is to compensate for better propagation of 2.4 GHz signals as compared to 5 GHz.

You configure the transmit power in the radio settings for an access point.

Screen shot of the Transmit Power radio settings for an access point

You can view the current transmit power for each radio on the device details page and monitoring page for the access point.

The transmit power shown is a best approximation and does not include antenna gain (EIRP). The actual transmit power depends on several factors, including any antenna gain, maximum power allowed by your country of operation, wireless mode, channel, channel width, and data rates.

We recommend you use external measurement tools to accurately measure the signal strength of your access points from different areas of your deployment to help determine the optimal transmit power.

About Transmit Power and Client Roaming

Transmit power does not directly impact client roaming. Roaming decisions to move from one access point to another access point with a stronger signal are determined by the client. There are additional features you can enable on an access point to improve client roaming, such as Fast Handover, Fast Roaming, and Band Steering. These options are described in the following sections.

Fast Handover

Fast Handover helps wireless clients roam between WatchGuard access points and connect to the access point with the strongest signal, based on the Minimum RSSI Threshold (Received Signal Strength Indicator) you configure.

You configure Fast Roaming in the access point radio settings on the Advanced tab. The valid range is from -100 dBm to -60 dBm. The default is -90 dBm. The closer the RSSI value is to 0, the stronger the signal. For example, -60 dBm is a better signal strength than -70 dBm.

Fast Roaming (802.11k/r)

WatchGuard access points support the 802.11r / 802.11k standards, which significantly improve roaming times.

Fast Roaming requires WPA2 security encryption. Fast Roaming reduces the re-authentication time for a wireless client as it roams from one WatchGuard access point to another access point. This enables the wireless client to quickly transition wireless communications and improves performance and stability of streaming-intensive applications such as VoIP and video streaming.

You configure Fast Roaming in the SSID settings on the Advanced tab.

Screen shot of the SSID advanced settings for an access point - Fast Roaming

Band Steering

You can actively steer wireless clients from the 2.4 GHz band to use the less congested 5 GHz band to help balance associated clients on an access point between the 2.4 GHz and 5 GHz radios.

You configure Band Steering in the SSID settings on the Advanced tab.

Screen shot of the SSID advanced settings for an access point - Band Steering settings

  • Balance Clients: Distributes the wireless client load between the 2.4 GHz and 5 GHz radios. Specify the percentage of clients that will use the 5 GHz radio. The remaining percentage will use the 2.4 GHz radio.
  • Prefer 5 GHz (default): Clients are steered to the 5 GHz band if the client's signal strength in 5 GHz is higher than the configured threshold.
  • Force 5 GHz: Enables the use of additional management packets to make sure a client is always disconnected from the 2.4 GHz radio and steered to the 5 GHz radio when the client reconnects to the access point.

Client Isolation

Client isolation prevents wireless clients from communicating directly with other wireless or wired clients and devices on the same network.

Client isolation is useful in typical guest Wi-Fi access deployments to prevent communications between guest clients and other clients and devices on the network. Client isolation is enabled by default if the SSID is configured as a Guest SSID.

Screen shot of the SSID advanced settings for an access point - Client Isolation
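
One way to confirm from a test client that client isolation is in effect, as an added example (not WatchGuard code): after the client has tried to reach other addresses on the guest subnet, any neighbor-table entry with a resolved MAC address other than the gateway's means frames passed directly between clients. It assumes a Linux test client with `ip neigh`; the interface name, addresses and MAC addresses are constructed.

```python
# Added example: check a guest client's neighbor table for signs that
# client isolation is NOT being enforced. All sample values are constructed.

# Constructed sample of `ip neigh show dev wlan0`, taken on a test client joined
# to the guest SSID after it pinged the other addresses in the guest subnet.
SAMPLE_NEIGH = """\
192.168.50.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.50.23 dev wlan0  FAILED
192.168.50.31 dev wlan0 lladdr 02:00:00:00:00:31 STALE
192.168.50.40 dev wlan0  INCOMPLETE
fe80::1 dev wlan0 lladdr 02:00:00:00:00:01 router REACHABLE
"""

# Neighbor states in which the kernel holds a resolved link-layer address.
RESOLVED = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}


def parse_neigh(text):
    """Parse `ip neigh` output (IPv4 and IPv6 entries) into dictionaries."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "dev":
            continue  # not a neighbor entry
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok else None
        entries.append({"ip": tok[0], "dev": tok[2], "mac": mac, "state": tok[-1]})
    return entries


def isolation_violations(text, gateway_macs, iface="wlan0"):
    """Return entries whose MAC resolved and is not a gateway MAC.

    Assumption: with isolation enforced, only the gateway answers ARP/ND,
    so every other probed peer stays FAILED or INCOMPLETE.
    """
    allowed = {m.lower() for m in gateway_macs}
    return [e for e in parse_neigh(text)
            if e["dev"] == iface and e["mac"]
            and e["state"] in RESOLVED and e["mac"] not in allowed]


if __name__ == "__main__":
    for e in isolation_violations(SAMPLE_NEIGH, {"02:00:00:00:00:01"}):
        print(f"peer reachable at layer 2: {e['ip']} ({e['mac']}, {e['state']})")
```

An empty result is only meaningful if the client actually probed its peers first, because an address that was never contacted has no neighbor entry at all.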

Traffic Shaping

If you offer guest wireless access, you can use traffic shaping to prevent guest traffic from adversely affecting your private internal wireless network.

You configure bandwidth limits in the SSID settings on the Traffic Shaping tab.

In this example, the throughput rate for the Guest SSID has been limited to 10 Mbps for uploads and 20 Mbps for downloads.

Screen shot of the Traffic Shaping settings in the SSID configuration

SSID Bridge Mode and NAT Mode

WatchGuard access points can operate in Bridged mode or NAT (Network Address Translation) mode.

For most use cases we recommend you use Bridged mode. With Bridged mode, traffic is bridged between the wireless interface and the wired interface.

When you use NAT mode, the access point supplies clients with IP addresses from the DHCP range you configure and performs NAT for traffic between the wireless interface and the wired interface.

NAT mode is required to create an Access Point VPN.

You configure Bridged or NAT mode network settings in the SSID wireless configuration.