cody/UMtest
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
UMtest/wbe750_um.md
Cody Cook d94b1dd034 Upload files to "/"
2024-10-23 14:34:11 -07:00

10383 lines
527 KiB
Markdown
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# BE18400 Tri-Band PoE 10G/Multi-Gigabit {#topic_nrb_x1b_czb}
|Parameter|Value\(s\)|
|---------|----------|
|Business Unit|BlankBU|
|Title continued|Insight Managed WiFi 7 Access Point|
|Customer|NETGEAR|
|WBE750| |
|Product|BE18400 Tri-Band PoE 10G/Multi-Gigabit Insight Managed WiFi 7 Access Point Model WBE750|
|Part Number|202-12660-02|
|Publish Date|June 2024|
|Address|Street|350 E. Plumeria Drive|
|City, State Zip|San Jose, CA 95134|
|Country|USA|
|TOC|Yes|
|Index|No|
|Keywords|NETGEAR BE18400 Tri-Band PoE 10G/Multi-Gigabit Insight Managed WiFi 7 Access Point Model WBE750 User Manual; WiFi 7 AP; BE18400 AP; WBE750 AP; 802.11be; 802.11ax; WPA3; 10 Gbps; 10G; 5 Gbps; 5G; 2.5 Gbps; 2.5G; Multi-Gigabit; Multi-GiG; PoE++; 60W; 802.3bt; 6 GHz; 5 GHz; 2 GHz; Tri-band; Insight|
|Display change bar|No|
## Support and Community {#section_ytl_m3t_srb .section}
Visit [netgear.com/support](https://www.netgear.com/support/) to get your questions answered and access the latest downloads.
You can also check out our NETGEAR Community for helpful advice at [community.netgear.com](https://community.netgear.com/).
## Regulatory and Legal {#section_h1j_q3t_srb .section}
Si ce produit est vendu au Canada, vous pouvez accéder à ce document en français canadien à [https://www.netgear.com/support/download/](https://www.netgear.com/support/download/).
\(If this product is sold in Canada, you can access this document in Canadian French at [https://www.netgear.com/support/download/](https://www.netgear.com/support/download/).\)
For regulatory compliance information including the EU Declaration of Conformity, visit [https://www.netgear.com/about/regulatory/](https://www.netgear.com/about/regulatory/).
See the regulatory compliance document before connecting the power supply.
For NETGEARs Privacy Policy, visit [https://www.netgear.com/about/privacy-policy](https://www.netgear.com/about/privacy-policy/).
By using this device, you are agreeing to NETGEARs Terms and Conditions at [https://www.netgear.com/about/terms-and-conditions](https://www.netgear.com/about/terms-and-conditions/). If you do not agree, return the device to your place of purchase within your return period.
Do not use this device outdoors. The PoE source is intended for intra building connection only.
Applicable to 6 GHz devices only: Only use the device indoors. The operation of 6 GHz devices is prohibited on oil platforms, cars, trains, boats, and aircraft, except that operation of this device is permitted in large aircraft while flying above 10,000 feet. Operation of transmitters in the 5.925-7.125 GHz band is prohibited for control of or communications with unmanned aircraft systems.
## Trademarks {#section_mb4_r3t_srb .section}
© NETGEAR, Inc., NETGEAR, and the NETGEAR Logo are trademarks of NETGEAR, Inc. Any non-NETGEAR trademarks are used for reference purposes only.
## Revision History {#section_tql_dvs_zqb .section}
<table id="table_qrb_x1b_czb"><thead><tr><th>
Publication Part Number
</th><th>
Publish Date
</th><th>
Comments
</th></tr></thead><tbody><tr><td>
202-12660-02
</td><td>
June 2024
</td><td>
We added the following sections:
[Configure multi-link operation](#task_x13_fnp_c1c)
[Manage global MAC ACLs and traffic policies](#concept_ehl_zcb_2bc) and subsections, including:
- [Manage MAC ACLs for broadcast and multicast traffic from the wired LAN](#concept_cmb_rdb_2bc) and subsections
- [Block all broadcast and multicast traffic from the wired LAN](#task_yxr_cq1_2bc)
- [Manage the Wireless Noise Filter](#concept_rzn_kcb_2bc) and subsections
- [Manage the Global Traffic Filter](#concept_lsw_hcb_2bc) and subsections
[Manage SSID-based MAC ACLs and traffic policies for WiFi networks](#concept_bmx_1jy_cbc) and subsections, including:
- [Manage MAC ACLs for broadcast and multicast traffic from WiFi clients](#concept_j23_5db_2bc) and subsections
- [Manage MAC/IP Traffic Filter groups for WiFi networks](#concept_ekl_m2b_2bc) and subsections
[Use the Reset button to reboot the AP](#task_uhf_d5s_mbc)
[Display statistics for MAC and IP-based traffic policies](#task_dj5_vkr_2bc)
[Select a MAC ACL for broadcast and multicast traffic from WiFi clients in a WiFi network](#task_rm3_zl3_2bc)
[Block all broadcast and multicast traffic for a WiFi network](#task_f3w_5m3_2bc)
[Select a MAC/IP Traffic Filter group for a WiFi network](#task_fgg_jl3_2bc)
We revised the following sections:
[Hardware interfaces](#concept_cqj_hyp_czb) and [Use the Reset button to reset the AP](#task_ocl_rkd_h1c)
Added information about the following options in a WiFi network \(see [Set up an open or secure WiFi network](#task_ujs_4pt_dzb)\):
- Configure multi-link operation
- Select a MAC ACL for broadcast and multicast traffic from WiFi clients
- Select a MAC/IP Traffic Filter group
Added restrictions for WPA2 Enterprise and WPA3 Enterprise security and for client isolation in [Set up an open or secure WiFi network](#task_ujs_4pt_dzb) and [Change the authentication and encryption for a WiFi network](#task_afq_pz1_2zb)
Added the option to test configured RADIUS servers in [Set up RADIUS servers](#task_jvz_zpp_c1c)
[Enable or disable client isolation for a WiFi network](#task_qpk_cxd_h1c)
[Manage sticky clients](#task_qhl_rqk_h1c)
We made multiple minor changes and improvements to other sections.
</td></tr><tr><td>
202-12660-01
</td><td>
March 2024
</td><td>
First publication.
</td></tr></tbody>
</table># Introduction {#concept_cpt_by3_kmb .concept}
This manual is for the NETGEAR BE18400 Tri-Band PoE 10G/Multi-Gigabit Insight Managed WiFi 7 Access Point Model WBE750.
Model WBE750, in this manual referred to as the AP, supports the Wi-Fi 7 standard with IEEE 802.11be, eight \(4+4\) data streams, and tri-band concurrent operation at 6 GHz, 5 GHz, and 2.4 GHz, allowing for a combined throughput of about 18.4 Gbps \(11530 Mbps at 6 GHz, 5765 Mbps at 5 GHz, and 1147 Mbps at 2.4 GHz\).
The AP can function as a Power over Ethernet plus plus \(PoE++, 802.3bt\) powered device \(PD\) in an existing network connected to a PoE++ switch. The AP also supports a power adapter for connection to a regular switch or router. The PoE++ Ethernet port supports various speeds from 100 Mbps, 1 Gbps, 2.5 Gbps, and 5 Gbps up to 10 Gbps.
This chapter contains the following sections:
**Note:** For more information about the topics that are covered in this manual, visit the support website at [netgear.com/support/](https://www.netgear.com/support/).
**Note:** Firmware updates with new features and bug fixes are made available from time to time at [netgear.com/support/download/](https://www.netgear.com/support/download/). You can check for and download new firmware manually. If the features or behavior of your product does not match what is described in this manual, you might need to update the firmware.
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## Additional documentation {#concept_h4m_tdj_czb}
The following documents are available at [netgear.com/support/download/](https://www.netgear.com/support/download/):
- Installation guide
- Pro WiFi Mount Installation Guide
- Datasheet
AP management in NETGEAR Insight is described in the NETGEAR knowledge base. See [kb.netgear.com/000044338/](https://kb.netgear.com/000044338/Knowledge-base-landing-page-for-Insight-Managed-Wireless-Access-Points).
## How to manage the AP {#concept_cmf_vjj_czb}
For NETGEAR Insight Premium and Insight Pro subscribers, the AP supports the NETGEAR Insight Cloud Portal and Insight app:
- **Insight Cloud Portal**: Lets you configure and manage the AP through the portal of the Insight cloud-based management platform.
- **Insight app**: Lets you configure and manage the AP from your iOS or Android mobile device and connects to the Insight cloud-based management platform.
You can also manage the AP with the device UI. Management through the Insight cloud-based management platform and management through the device UI are mutually exclusive.
You can manage and monitor the AP using the following methods:
- **Insight-only management**: You use only the Insight Cloud Portal or Insight app. However, if you wish, at any time, you can change to the standalone management method.
- **Standalone management**: You use the AP as a standalone device in your network and manage and monitor the AP using the device UI only. This is the default management method, However, if you wish, at any time, you can change to the Insight-only management method.
## About the device user interface and NETGEAR Insight {#concept_dbx_dgy_5lb}
This user manual describes the device user interface \(UI\), which you use if the AP functions as a standalone access point.
For information about NETGEAR Insight subscriptions, visit [netgear.com/business/services/insight/](https://www.netgear.com/business/services/insight/) and [kb.netgear.com/000061848](https://kb.netgear.com/000061848/How-do-I-use-NETGEAR-s-one-year-of-Insight-included-subscription).
This manual does not describe NETGEAR Insight procedures, which are documented in the NETGEAR knowledge base. For knowledge base articles about NETGEAR Insight, visit [kb.netgear.com/000044338/](https://kb.netgear.com/000044338/Knowledge-base-landing-page-for-Insight-Managed-Wireless-Access-Points).
If you install the AP as a NETGEAR Insight managed device, the settings for features that you can manage through the Insight Cloud Portal and Insight app are masked out in the device UI. However, using the device UI, you can still manage the settings for certain features that might not yet be supported in Insight.
# Hardware Overview {#concept_vbt_3rp_czb .concept}
The NETGEAR BE18400 Tri-Band PoE 10G/Multi-Gigabit Insight Managed WiFi 7 Access Point Model WBE750 is an *indoor* access point.
The chapter contains the following sections:
## Unpack the AP {#concept_ugv_rrp_czb}
The package contains the following items:
- WBE750 AP with the port cover attached
- Mount plate \(the adjustable size is set at the “P2” position.\)
- Deep clip
- Shallow clip
- Installation guide
**Note:** Depending on the product ordered, the package might not include a power adapter. You power up the AP by connecting it to a PoE++ switch. If you ordered a package without a power adapter, you can still order a power adapter as an option.
For information about the multiple mounting options, see the *Pro WiFi Mount Installation Guide*, which you can download by visiting [netgear.com/support/download/](https://www.netgear.com/support/download/).
## Top panel LED {#concept_yf3_35p_czb}
The LED that provides the status of the AP is located at the edge of the top panel of the AP.
![](../WBE750%20UM/Img/WBE750_top_view_r1.ai "Top panel with LED")
<table id="table_ag3_35p_czb"><thead><tr><th colspan="2">
Color
</th><th>
Description
</th></tr></thead><tbody><tr><td colspan="3">
**Normal behavior**
</td></tr><tr><td>
   ![](../WBE700%20Series%20Base%20UM/Img/Gray_LED_r1.ai)
</td><td>
Off
</td><td>
No power is supplied to the AP.
</td></tr><tr><td>
   ![](../WBE700%20Series%20Base%20UM/Img/Amber_LED_r1.ai)
</td><td>
Solid amber, temporarily
</td><td>
The AP is starting or the **Reset** button was pressed.
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/Amber_fast_blink_r1.ai)
</td><td>
Blinking amber slowly, temporarily
</td><td>
The AP is in the process of getting an IP address.
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/Amber_slow_blink_r1.ai)
</td><td>
Blinking amber fast, temporarily
</td><td>
The AP is updating firmware or is being reset to factory default settings.
</td></tr><tr><td>
   ![](../WBE700%20Series%20Base%20UM/Img/Blue_LED_r1.ai)
</td><td>
Solid blue
</td><td>
The AP started up, functions in Insight mode, and is connected to the Insight cloud-based management platform.
</td></tr><tr><td>
   ![](../WBE700%20Series%20Base%20UM/Img/Green_LED_r1.ai)
</td><td>
Solid green
</td><td>
The AP started up and functions either as a standalone access point or as an Insight discovered access point that is not connected to the Insight cloud-based management platform.
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/Blue_fast_blink_r1.ai)
</td><td>
Blinking blue
</td><td>
At least one WiFi client is connected to the AP. The speed of blinking depends on the transmit and receive data rate of connected clients.
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/Multi_fast_blink_r1.ai)
</td><td>
Blinking multicolor
</td><td>
The AP is functioning as a node in an Insight Instant Mesh WiFi Network and the mesh setup is in progress.
</td></tr><tr><td colspan="3">
**Problem indication**
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/Green_fast_blink_r1.ai)
</td><td>
Blinking green, continuously
</td><td>
The PoE power that the AP is receiving is not at the required PoE++ \(802.3at802.3bt\) level.
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/Amber_fast_blink_r1.ai)
</td><td>
Blinking amber slowly, continuously
</td><td>
The AP did not receive an IP address from a DHCP server.
</td></tr><tr><td>
   ![](../WBE700%20Series%20Base%20UM/Img/Amber_LED_r1.ai)
</td><td>
Solid amber, continuously
</td><td>
A boot error occurred or the AP is malfunctioning.
</td></tr></tbody>
</table>**Note:** For information about troubleshooting with the LED, see [Troubleshoot with the LED](#concept_jyq_mfr_h1c).
## Hardware interfaces {#concept_cqj_hyp_czb}
The bottom panel of the AP has a LAN/PoE++ port, DC power connector for an optional power adapter, and **Reset** button.
![](Img/WBE750_port_view_cover_r1.ai "Hardware interfaces")
The bottom panel contains the following components, in the previous figure shown from left to right:
- **LAN/PoE++ port**: You can use the LAN/PoE++ 10Gbe RJ-45 LAN port to connect the AP to a PoE++ \(802.3bt\) switch, or if you use an optional power adapter, to a non-PoE switch.
If connected to 10 Gbps equipment, the LAN/PoE++ port supports Ethernet speeds up to 10 Gbps within your LAN. If your Internet connection, modem, router, and switch support a speed of 10 Gbps, the APs Internet connection also functions at 10 Gbps. Otherwise, the Internet connection functions at the highest speed that your ISP connection, modem, router, and switch support.
For more information about the LAN/PoE++ port connection, see [Set up and connect the AP to your network](#task_bvv_mlq_czb).
- **DC power connector**: If you do not use a PoE++ switch to provide power to the AP, connect an optional power adapter to the DC power connector.
- **Reset button**: You can use the **Reset** button to reboot the AP or to reset the AP to its factory default settings:
- **Reboot**: To reboot the AP, press the **Reset** button for about two seconds until the LED lights solid amber, and then immediately release the button. For more information, see [Use the Reset button to reboot the AP](#task_uhf_d5s_mbc).
- **Reset**: To reset the AP to its factory default setting, press the **Reset** button until the LED start blinking amber, after which you can release the button. For more information, see [Use the Reset button to reset the AP](#task_ocl_rkd_h1c).
If you hold the **Reset** button, the LED first lights solid amber, and then about 5 seconds later, starts blinking amber. If you release the button while the LED lights solid amber, the AP reboots rather than resets. The LED must be blinking amber.
## Product label {#concept_ymm_dzp_czb}
The product label of the AP shows the QR code, serial number, MAC address, setup WiFi network name \(SSID\), and network key \(password\) of the AP, as well as the default IP address, default user name and default password to access the device UI.
![](Img/WBE750_label.ai "Product label")
## Safety instructions and warnings for an indoor access point {#concept_hqz_vnp_czb}
Use the following safety guidelines to ensure your own personal safety and to help protect your system from potential damage.
To reduce the risk of bodily injury, electrical shock, fire, and damage to the equipment, observe the following precautions:
- This product is designed for indoor use only in a temperature-controlled and humidity-controlled environment. Note the following:
- For more information about the environment in which this product must operate, see the environmental specifications in the appendix or the data sheet.
- If you want to connect the product over an Ethernet cable to a device located outdoors, the outdoor device must be properly grounded and surge protected, and you must install an Ethernet surge protector inline between the indoor product and the outdoor device. Failure to do so can damage the product.
- Before connecting the product to outdoor cables or wired outdoor devices, see [https://kb.netgear.com/000057103](https://kb.netgear.com/000057103) for additional safety and warranty information.
Failure to follow these guidelines can result in damage to your NETGEAR product, which might not be covered by NETGEARs warranty, to the extent permissible by applicable law.
- Do not service the product except as explained in your product documentation. Some devices should never be opened.
- If any of the following conditions occur, unplug the product from its power source, and then replace the part or contact your trained service provider:
- Depending on your product, the power adapter, power adapter cable, power adapter plug, or PoE Ethernet cable is damaged.
- An object fell into the product.
- The product was exposed to water.
- The product was dropped or damaged.
- The product does not operate correctly when you follow the operating instructions.
- Keep the product away from radiators and heat sources. Also, do not block cooling vents.
- Do not spill food or liquids on your product components, and never operate the product in a wet environment. If the product gets wet, see the appropriate section in your troubleshooting guide, or contact your trained service provider.
- Do not push any objects into the openings of your product. Doing so can cause fire or electric shock by shorting out interior components.
- Use the product only with approved equipment.
- If applicable to your product, allow the product to cool before removing covers or touching internal components.
- Be sure that devices that are attached over Ethernet cables are electrically rated to operate with the power available in your location.
- Depending on your product, use only the supplied power adapter or an Ethernet cable that provides PoE.
If your product uses a power adapter:
- If you were not provided with a power adapter, contact your local NETGEAR reseller.
- The power adapter must be rated for the product and for the voltage and current marked on the product electrical ratings label.
- To help prevent electric shock, plug any system and peripheral power cables into properly grounded power outlets.
- If applicable to your product, the peripheral power cables are equipped with three-prong plugs to help ensure proper grounding. Do not use adapter plugs or remove the grounding prong from a cable. If you must use an extension cable, use a three-wire cable with properly grounded plugs.
- Observe extension cable and power strip ratings. Make sure that the total ampere rating of all products plugged into the extension cable or power strip does not exceed 80 percent of the ampere ratings limit for the extension cable or power strip.
- To help protect your system from sudden, transient increases and decreases in electrical power, use a surge suppressor, line conditioner, or uninterruptible power supply \(UPS\).
- Position system cables, power adapter cables, and PoE Ethernet cables carefully. Route cables so that they cannot be stepped on or tripped over. Be sure that nothing rests on any cables.
- Do not modify power adapters, power adapter cables, or plugs. Consult a licensed electrician or your power company for site modifications.
- Always follow your local and national wiring rules.
# Install the AP in Your Network and Access It for Initial Configuration {#concept_rz2_wy3_czb .concept}
This chapter describes how you can install and access the AP in your network.
The chapter contains the following sections:
CAUTION:
This device must be professionally installed. It is the installers responsibility to follow local country regulations, including operations within legal frequency channels, output power, and DFS requirements. The vendor, reseller, or distributor is not responsible for illegal wireless operations. For more details, see the devices terms and conditions.
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## Position your AP for best performance {#concept_xmd_y3q_czb}
Before you install and mount your AP as described in the installation guide or an appendix to this manual, consider how you can position the AP for best performance.
WiFi clients that are within the AP WiFi range can connect to the WiFi network. However, the WiFi range can vary significantly depending on the physical placement of your AP. For example, the thickness, density, and number of walls the WiFi signal passes through can limit the range.
Additionally, other WiFi devices in and around your office, home, yard, or campus, might affect your APs signal. WiFi devices can be other access points, routers, repeaters, WiFi range extenders, and any other devices that emit WiFi signals to provide network access.
Tips for positioning your AP:
- Place your AP near the center of the area where the WiFi clients operate.
A line of sight between the AP and the WiFi clients is not required for good performance.
- If you use a power adapter, make sure that the AP is within reach of an AC power outlet.
- Place the AP in an elevated location, minimizing the number of walls and ceilings between the AP and the WiFi clients.
- Place the AP away from electrical devices such as these:
- Ceiling fans
- Home security systems
- Microwaves
- Computers
- Bases of cordless phones
- 2.4 GHz and 5.8 GHz cordless phones
- Place the AP away from large metal surfaces, large glass surfaces, insulated walls, and items such as these:
- Solid metal doors
- Aluminum studs
- Fish tanks
- Mirrors
- Brick
- Concrete
If you are using adjacent standalone APs, use non-overlapping radio frequency channels to reduce interference. For more information, see [Change the channel for a radio](#task_ltq_52q_c1c).
## Set up and connect the AP to your network {#task_bvv_mlq_czb}
You can connect the AP to a Power over Ethernet plus \(PoE+, 802.3at\)Power over Ethernet plus plus \(PoE++, 802.3bt\) switch in your network. The switch must be connected to a network router that is connected to the Internet. If you use a PoE++ connection, the AP does not require a power adapter.
**Note:** Depending on the product ordered, the package might not include a power adapter. You power up the AP by connecting it to a PoE++ switch. If you ordered a package without a power adapter but do not want to use a PoE++ connection, you can still order a power adapter as an option.
If connected to 2.5 Gbps equipment, the AP LAN/PoE+ port supports Ethernet speeds up to 2.5 Gbps within your LAN. The following figure show a NETGEAR MS510TXUP switch, which supports speeds of 2.5 Gbps and higher, as well as PoE+ and PoE++. If your Internet connection, modem, router, and switch support a speed of 2.5 Gbps, the APs Internet connection also functions at 2.5 Gbps. Otherwise, the Internet connection functions at the highest speed that your ISP connection, modem, router, and switch support.
If connected to 10 Gbps equipment, the AP LAN/PoE++ port supports Ethernet speeds up to 10 Gbps within your LAN. The following figure show a NETGEAR MS510TXUP switch, which supports speeds of 10 Gbps, as well as PoE++. If your Internet connection, modem, router, and switch support a speed of 10 Gbps, the APs Internet connection also functions at 10 Gbps. Otherwise, the Internet connection functions at the highest speed that your ISP connection, modem, router, and switch support.
The following figure shows the AP connected to a PoE++ switch, which has a redundant connection to a network router that is connected to the Internet.
![](../WBE710%20UM/Img/WBE710_specific-2_diagram_r1.ai "Set up the AP with a PoE++connection to your network")
![](../WBE750%20UM/Img/WBE750_specific-2_diagram_r1.ai "Set up the AP with a PoE++connection to your network")
To set up the AP with an Ethernet connection to your network:
1. Connect an Ethernet cable to the LAN/PoE++ port on the AP.
2. Connect the other end of the Ethernet cable to a port on a switch that is connected to your network and to the Internet.
If you use a PoE+ switch, the switch port that is connected to the AP must be able to supply 30W PoE+ power. The AP requires 802.3at \(PoE+\) input.
If you use a PoE++ switch, the switch port that is connected to the AP must be able to supply 60W PoE++ power. The AP requires 802.3bt \(PoE++\) input.
**Note:** For optimal functioning, make sure that you use an 802.3at \(PoE+\) switch and not an 802.3af \(PoE\) switch. If the LED remains solid amber five minutes after the AP started up, the AP might receive insufficient PoE power. For more information, see [The AP functions as a PoE PD and the LED is blinking green continuously](#task_z4q_dnr_xlb).
**Note:** For optimal functioning, make sure that you use an 802.3bt \(PoE++\) switch and not an 802.3at \(PoE+\) or 802.3af \(PoE\) switch. If the LED remains solid amber five minutes after the AP started up, the AP might receive insufficient PoE power. For more information, see [The AP functions as a PoE PD and the LED is blinking green continuously](#task_z4q_dnr_xlb).
While the AP is starting or in the process of getting an IP address from a DHCP server \(or router functioning as a DHCP server\) in your network, the LED blinks amber slowly. After about three minutes, the LED turns solid blue or solid green and the AP is ready for you to perform the initial configuration.
For information about accessing the AP for initial configuration, see [Connect to the AP for initial configuration](#concept_l2y_snq_czb).
## Connect to the AP for initial configuration {#concept_l2y_snq_czb}
After you set up the AP, you can use several methods to connect to it for initial configuration.
For remote management of the AP \(and of multiple devices and networks\), you can use the NETGEAR Insight Cloud Portal on a computer or tablet or the NETGEAR Insight app on an iOS or Android mobile device. If you use the AP in a standalone configuration, you can use the device UI on a computer or tablet. For more information, see [About the device user interface and NETGEAR Insight](#concept_dbx_dgy_5lb).
For information about using the Insight Cloud Portal or Insight app, see one of the following sections:
- [Connect over the Internet using the NETGEAR Insight Cloud Portal](#task_vnk_dtq_czb)
- [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb)
For information about using the device UI, see one of the following sections:
- [Connect over WiFi to the device UI for initial configuration](#task_hlf_15d_dzb)
- [Connect over the LAN to the device UI for initial configuration](#task_hd4_3yd_dzb)
- [Configure the AP offline using a directly connected computer](#task_msr_pb2_dzb)
**Note:** If your network does not include a DHCP server \(or a router that functions as a DHCP server\) and you do not perform the initial configuration of the AP as described in one of these sections, you can connect only to the AP and the AP can provide an IP address to only five clients. To prevent this situation, make sure that you perform the initial configuration of the AP.
### Connect over the Internet using the NETGEAR Insight Cloud Portal {#task_vnk_dtq_czb}
The Insight Cloud Portal is available for Insight Premium or Insight Pro subscribers. To use the NETGEAR Insight Cloud Portal to configure and manage the AP, the AP must already be connected to the Internet.
For more information about the Insight Cloud Portal, visit the following pages:
- [netgear.com/business/services/insight/](https://www.netgear.com/business/services/insight/)
- [kb.netgear.com/000061848](https://kb.netgear.com/000061848/How-do-I-use-NETGEAR-s-one-year-of-Insight-included-subscription)
- [kb.netgear.com/000044343](https://kb.netgear.com/000044343/How-do-I-create-an-Insight-account)
Your NETGEAR account is also your Insight account. Your NETGEAR account credentials let you log in as an Insight Premium user, or if you upgrade to an Insight Pro account, as an Insight Pro user.
The following figure shows the AP connected to a PoE++ switch, which has a redundant connection to a network router that is connected to the Internet. The WiFi clients have the NETGEAR Insight app installed or have access to the Cloud Portal.
![](../WBE710%20UM/Img/WBE710_specific-1_diagram_r1.ai "Set up the AP in a NETGEAR Insight configuration")
![](../WBE750%20UM/Img/WBE750_specific-1_diagram_r1.ai "Set up the AP in a NETGEAR Insight configuration")
To connect to the AP over the Internet through the Insight Cloud Portal:
1. Make sure that the AP is connected to the Internet.
2. On a computer or tablet, visit [insight.netgear.com](https://accounts.netgear.com/login?redirectUrl=https:%2F%2Finsight.netgear.com%2F).
The NETGEAR Account Login page displays.
3. If you do not already have an Insight account, you can create an account now.
For information about creating an Insight Premium account or upgrading to an Insight Pro account, visit [kb.netgear.com/000044343](https://kb.netgear.com/000044343/How-do-I-create-an-Insight-account).
4. Enter the email address and password for your NETGEAR account and click the NETGEAR **Sign In** button.
5. Only if you are an Insight Pro user, select the organization to which you want to add the AP.
6. Add a new network location where you want to add the AP, or select an existing network location.
7. Click the **+ \(Add Device\)** button.
**Note:** If you are an Insight Pro user, you can either add a single device or you can add multiple Insight managed devices by uploading a device list as a CSV file.
8. In the Add New Device pop-up page, enter the APs serial number and MAC address, and then click **Go**.
The serial number and MAC address are on the AP label.
9. After Insight verifies that the AP is a valid product, you can optionally change the device name of the AP, and then click **Next**.
When the AP is successfully added to the portal, a page displays a confirmation that setup is in progress.
**Note:** If the AP is online but Insight does not detect the AP, the firewall at the physical location where the AP is located might prevent communication with the Insight cloud. In that situation, add port and DNS entries for outbound access to the firewall. For more information, see [kb.netgear.com/000062467](https://kb.netgear.com/000062467/Ports-and-DNS-records-for-connection-to-Insight-cloud).
The AP automatically updates to the latest Insight firmware and Insight location configuration. This might take up to 10 minutes, during which time the AP will restart.
The AP is now an Insight managed device that is connected to the Insight cloud-based management platform. If the LED was solid green, it lights solid blue.
You can use the Insight Cloud Portal or Insight app to configure and manage the AP.
**Note:** If you add the AP to a NETGEAR Insight network location and manage the AP through the Insight Cloud Portal or Insight app, the admin password for the AP changes. That is, after you add the AP to an Insight network location, the Insight network password for that location replaces the admin password. To access the device UI, you must then enter the Insight network password and not the admin password. If you later decide to remove the AP from the Insight network location or change the management mode to Web-browser mode \(see [Change the management mode to NETGEAR Insight or Web-browser](#task_an4_y5x_g1c)\), you must continue to use the Insight network password to access the device UI until you manually change the admin password on the AP.
### Connect over WiFi using the NETGEAR Insight app {#task_kw1_drq_czb}
The NETGEAR Insight app is available for Insight Premium and Insight Pro subscribers.
You can install the NETGEAR Insight app on an iOS or Android mobile device and set up the AP \(and perform many other tasks as well\).
For more information about the Insight app, visit the following pages:
- [netgear.com/business/services/insight/](https://www.netgear.com/business/services/insight/)
- [kb.netgear.com/000061848](https://kb.netgear.com/000061848/How-do-I-use-NETGEAR-s-one-year-of-Insight-included-subscription)
- [kb.netgear.com/000044343](https://kb.netgear.com/000044343/How-do-I-create-an-Insight-account)
Your NETGEAR account is also your Insight account. Your NETGEAR account credentials let you log in as an Insight Premium user, or if you upgrade to an Insight Pro account, as an Insight Pro user.
The following figure shows the AP connected to a PoE++ switch, which has a redundant connection to a network router that is connected to the Internet. The WiFi clients have the NETGEAR Insight app installed or have access to the Cloud Portal.
![](../WBE710%20UM/Img/WBE710_specific-1_diagram_r1.ai "Set up the AP in a NETGEAR Insight configuration")
![](../WBE750%20UM/Img/WBE750_specific-1_diagram_r1.ai "Set up the AP in a NETGEAR Insight configuration")
To connect to the AP over WiFi using an iOS or Android mobile device:
1. On your mobile device, go to the app store, search for NETGEAR Insight, and download the Insight app.
![](../WBE700%20Series%20Base%20UM/Img/InsightAppBadges.png)
2. On your mobile device, connect over WiFi to the APs setup WiFi network using one of the following methods:
- **Scan the QR code**: Scan the QR code on the AP label on the bottom of the AP to connect to the setup WiFi network.
- **Connect manually**: The setup WiFi network is on the AP label and is shown in the format NETGEARxxxxxx-SETUP, where xxxxxx is the last six hexadecimal digits of the APs MAC address. The default password is **sharedsecret**.
3. Launch the Insight app.
4. If you do not already have an Insight account, you can create an account now.
For information about creating an Insight Premium account or upgrading to an Insight Pro account, visit [kb.netgear.com/000044343](https://kb.netgear.com/000044343/How-do-I-create-an-Insight-account).
5. Enter the email address and password for your NETGEAR account and tap **LOG IN**.
6. Add a new network location where you want to add the AP by tapping the **Next** button, and then tapping **OK**.
You can also select an existing network location.
The device admin password that you entered for the new network location replaces the existing admin password on all devices that you add to the network location.
In most situations, Insight detects the AP automatically, which can take several minutes.
7. To add the AP to your network location, do one of the following:
- If the AP is automatically detected and listed in the Insight Manageable Devices section, tap the icon for the AP, and then tap the **ADD DEVICE** button.
- If the AP is not automatically detected, or you prefer to use another method to add the AP, tap the **+** icon in the top bar, and do one of the following:
- Tap the **SCAN BARCODE OR QR CODE** button, and then scan the APs code, which is on the AP label.
- Tap the **Enter Serial Number and MAC Address** link, and then manually enter the APs serial number and MAC address, which are on the AP label.
8. If prompted, name the AP and tap the **Next** button.
The AP automatically updates to the latest Insight firmware and Insight location configuration. This might take up to 10 minutes, during which time the AP will restart.
The AP is now an Insight-managed device that is connected to the Insight cloud-based management platform. If the LED LED was solid green, it lights solid blue.
You can use the Insight Cloud Portal or Insight app to configure and manage the AP.
**Note:** If you add the AP to a NETGEAR Insight network location and manage the AP through the Insight Cloud Portal or Insight app, the admin password for the AP changes. That is, the Insight network password for that location replaces the admin password. To access the device UI, you must then enter the Insight network password and not the admin password. If you later decide to remove the AP from the Insight network location or change the management mode to Web-browser mode \(see [Change the management mode to NETGEAR Insight or Web-browser](#task_an4_y5x_g1c)\), you must continue to use the Insight network password to access the device UI until you manually change the admin password on the AP.
### Connect over WiFi to the device UI for initial configuration {#task_hlf_15d_dzb}
This section describes how to connect to the AP for the first time over WiFi using a WiFi-enabled computer or mobile device \(without using the NETGEAR Insight app\) and complete the initial configuration.
To connect over WiFi to the device UI for initial configuration:
1. From your computer or mobile device, connect over WiFi to the APs setup WiFi network using one of the following methods:
- **Scan the QR code**: Scan the QR code on the AP label on the bottom of the AP to connect to the setup WiFi network.
- **Connect manually**: The setup WiFi network is on the AP label and is shown in the format NETGEARxxxxxx-SETUP, where xxxxxx is the last six hexadecimal digits of the APs MAC address. The default password is **sharedsecret**.
2. On the computer or mobile device, launch a web browser and, in the address bar, type **http://aplogin.net**.
**Note:** You can use **http://aplogin.net** only during initial setup of the AP.
The login page displays.
Your browser might display a security warning because of the self-signed certificate on the AP, which is expected behavior. You can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and default password, and click the **Login** button.
The user name is **admin**. The default password is **password**. The user name and password are case-sensitive.
The Day Zero Easy Setup page displays.
4. Select the **Web-browser** radio button.
The Day Zero Easy Setup page adjusts to display multiple options.
**Note:** After you save the basic settings that are shown on the page, the Day Zero Easy Setup page no longer displays when you log in. Instead, the login page displays. After you log in, the Dashboard displays.
5. To let the AP check for the latest firmware, click the **Check for Upgrade** button.
If new firmware is available for the AP, we recommend that you upgrade the firmware. After the firmware upgrade completes, the AP restarts. When the AP is ready, go back to [1](#step_p3k_zkd_dzb) of this procedure.
6. Specify the settings that are described in the following table.
<table id="table_nlf_15d_dzb"><thead><tr><th>
Setting
</th><th>
Description
</th></tr></thead><tbody><tr><td>
Country/Region
</td><td>
From the menu, select the country and region in which the AP is operating.
**Note**: In some countries, the AP is sold with a preconfigured country or region setting and you cannot change it.
**Note**: If you do not see your country or region listed in the menu, update the APs firmware and check again. If you still do not see your country or region listed, contact NETGEAR support.
**Note**: Make sure that the country is set to the location where the device is operating. It might not be legal to operate the AP in a region other than the regions listed in the menu. You are responsible for complying with the local, regional, and national regulations that are set for channels, power levels, and frequency ranges.
</td></tr><tr><td>
Time Zone
</td><td>
From the menu, select the time zone for the country and region in which the AP is operating.
</td></tr><tr><td>
DHCP Client
</td><td>
By default, the DHCP client of the AP allows the AP to receive an IP address from a DHCP server \(or router that functions as a DHCP server\) in your network.
To set up the AP with a static \(fixed\) IP address, do the following:
1. Select the **Disable** radio button.
Additional fields display.
2. Specify the IP address, IP subnet mask, IP address of the default gateway, and IP address of the DNS server.
</td></tr><tr><td>
AP Name
</td><td>
As an option, type a new name for the AP. The name must contain alphanumeric characters, must contain at least one alphabetical character, cannot be longer than 64 characters, and can contain hyphens but cannot start or end with a hyphen.
By default, the AP name is Netgearxxxxxx, in which xxxxxx represents the last six hexadecimal digits of the APs MAC address.
</td></tr><tr><td>
AP Login New Password
</td><td>
Type a new admin password. This is the password that you must use to log in to the APs device UI. \(It is *not* the password that you use for WiFi access.\)
The password must be 8 to 63 characters in length and must contain at least one uppercase letter, one lowercase letter, and one number.
Save the password for future use.
</td></tr><tr><td>
Confirm New Password
</td><td>
Type exactly the same password that you typed in the **AP Login New Password** field.
</td></tr><tr><td>
SSID
</td><td>
You cannot use the setup SSID for regular operation. The setup SSID is for initial setup only. Type a new name with a maximum of 32 characters. You can use a combination of alphanumeric and special characters, except for quotation marks \("\) and a backslash \(\\\).
</td></tr></tbody>
</table>7. From the **Authentication** menu, select one of the following authentication types for the WiFi network, and, if applicable, set a new passphrase \(network key or WiFi password\) for the WiFi network:
- **Open**: A legacy open WiFi network does not provide any security. Any WiFi device can join the network. We recommend that you do *not* use a legacy open WiFi network but configure WiFi security. However, a legacy open network might be appropriate for a WiFi hotspot.
If you select **Open** from the **Authentication** menu, the **Enhanced Open** check box displays.
- **Enhanced Open check box cleared**: The WiFi network is a legacy open network without any security. This is the default option for an open network. Clients are not authenticated, traffic is not encrypted, and 802.11w \(PMF\) is automatically disabled.
- **Enhanced Open check box selected**: The WiFi enhanced open feature is enabled. This feature is based on opportunistic wireless encryption \(OWE\). The encryption is set to CCM mode protocol \(CCMP\) and 802.11w \(PMF\) is automatically set to mandatory. If you select the **Enhanced Open** check box, the **Allow Devices to Connect with Open** check box displays.
If you select the **Allow Devices to Connect with Open** check box, the WiFi network can accept both clients that support the WiFi enhanced open feature and clients that do not. For clients that do not support the WiFi open enhanced feature, traffic is not encrypted.
If you clear the **Allow Devices to Connect with Open** check box, the WiFi network can only accept clients that support the WiFi enhanced open feature.
- **WPA2 Personal**: This option allows only WiFi clients that support WPA2 to connect to the SSID. Select this option if all WiFi clients are capable of supporting WPA2. This option uses AES encryption. In the **Passphrase** field, type a new passphrase for the WiFi network. The passphrase must be at least 8 characters in length and can be a maximum of 63 characters in length.
- **WPA2/WPA Personal**: This option allows both WPA and WPA2 WiFi clients to connect to the SSID. This option uses TKIP and AES encryption. Broadcast packets use TKIP. For unicast \(that is, point-to-point\) transmissions, WPA clients use TKIP and WPA2 clients use AES. In the **Passphrase** field, type a new passphrase for the WiFi network. The passphrase must be at least 8 characters in length and can be a maximum of 63 characters in length.
- **WPA3 Personal**: This option allows only WiFi clients that support WPA3 to connect to the SSID. Select this option if all WiFi clients are capable of supporting WPA3. This option uses SAE encryption. In the **Passphrase** field, type a new passphrase for the WiFi network. The passphrase must be at least 8 characters in length and can be a maximum of 63 characters in length.
- **WPA3/WPA2 Personal**: This option allows both WPA2 and WPA3 WiFi clients to connect to the SSID. This option uses AES and SAE encryption. WPA2 clients use AES and WPA3 clients use SAE. In the **Passphrase** field, type a new passphrase for the WiFi network. The passphrase must be at least 8 characters in length and can be a maximum of 63 characters in length.
**Note**: After you complete the setup process, you can set up WPA2 Enterprise or WPA3 Enterprise security with RADIUS servers. For more information, see [Change the authentication and encryption for a WiFi network](#task_afq_pz1_2zb).
8. Click the **Apply** button.
Your settings are saved. A pop-up window displays the IP address and the new WiFi network and password \(passphrase\).
If you specified a static IP address, save the IP address information because you must type the IP address when you log in again.
You are disconnected from the AP. If you changed the default country, the AP restarts.
9. Reconnect over WiFi to the APs WiFi network using the new SSID and passphrase that you just defined on the Day Zero Easy Setup page.
10. Type the AP IP address in the browser address bar.
If you changed the IP address, type the IP address that you specified in [6](#step_t1v_3ld_dzb).
Your browser might display a security warning because of the self-signed certificate on the AP, which is expected behavior. You can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
The login page displays.
11. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you just defined on the Day Zero Easy Setup page. The user name and password are case-sensitive.
The Dashboard displays. You can now customize the AP settings for your network environment.
### Connect over the LAN to the device UI for initial configuration {#task_hd4_3yd_dzb}
The following procedure assumes that your network includes a DHCP server \(or router that functions as a DHCP server\) and that the AP and your computer are on the same LAN. By default, the AP functions as a DHCP client.
To connect over the LAN to the device UI for initial configuration:
1. To determine the IP address that the DHCP server assigned to the AP, access the DHCP server or use an IP network scanner.
If you use a Windows-based computer, launch File Explorer \(or Windows Explorer\), select **Network** from the Navigation pane, right-click the AP device icon, and select **Properties** to display the IP address.
**Note:** You can also use the NETGEAR Insight app to discover the IP address that is assigned to the AP. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
2. On the computer, launch a web browser and, in the address bar, type the IP address that is assigned to the AP.
The login page displays.
Your browser might display a security warning because of the self-signed certificate on the AP, which is expected behavior. You can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and default password, and click the **Login** button.
The user name is **admin**. The default password is **password**. The user name and password are case-sensitive.
The Day Zero Easy Setup page displays.
4. Select the **Web-browser** radio button.
The Day Zero Easy Setup page adjusts to display multiple options.
**Note:** After you save the basic settings that are shown on the page, the Day Zero Easy Setup page no longer displays when you log in. Instead, the login page displays. After you log in, the Dashboard displays.
5. To let the AP check for the latest firmware, click the **Check for Upgrade** button.
If new firmware is available for the AP, we recommend that you upgrade the firmware. After the firmware upgrade completes, the AP restarts. When the AP is ready, depending on your situation, go back to [2](#step_kw5_3zd_dzb) or [3](#step_ksz_3zd_dzb) of this procedure.
6. Specify the settings that are described in the following table.
<table id="table_md4_3yd_dzb"><thead><tr><th>
Setting
</th><th>
Description
</th></tr></thead><tbody><tr><td>
Country/Region
</td><td>
From the menu, select the country and region in which the AP is operating.
**Note**: In some countries, the AP is sold with a preconfigured country or region setting and you cannot change it.
**Note**: If you do not see your country or region listed in the menu, update the APs firmware and check again. If you still do not see your country or region listed, contact NETGEAR support.
**Note**: Make sure that the country is set to the location where the device is operating. It might not be legal to operate the AP in a region other than the regions listed in the menu. You are responsible for complying with the local, regional, and national regulations that are set for channels, power levels, and frequency ranges.
</td></tr><tr><td>
Time Zone
</td><td>
From the menu, select the time zone for the country and region in which the AP is operating.
</td></tr><tr><td>
DHCP Client
</td><td>
By default, the DHCP client of the AP allows the AP to receive an IP address from a DHCP server \(or router that functions as a DHCP server\) in your network.
To set up the AP with a static \(fixed\) IP address, do the following:
1. Select the **Disable** radio button.
Additional fields display.
2. Specify the IP address, IP subnet mask, IP address of the default gateway, and IP address of the DNS server.
</td></tr><tr><td>
AP Name
</td><td>
As an option, type a new name for the AP. The name must contain alphanumeric characters, must contain at least one alphabetical character, cannot be longer than 64 characters, and can contain hyphens but cannot start or end with a hyphen.
By default, the AP name is Netgearxxxxxx, in which xxxxxx represents the last six hexadecimal digits of the APs MAC address.
</td></tr><tr><td>
AP Login New Password
</td><td>
Type a new admin password. This is the password that you must use to log in to the APs device UI. \(It is *not* the password that you use for WiFi access.\)
The password must be 8 to 63 characters in length and must contain at least one uppercase letter, one lowercase letter, and one number.
Save the password for future use.
</td></tr><tr><td>
Confirm New Password
</td><td>
Type exactly the same password that you typed in the **AP Login New Password** field.
</td></tr><tr><td>
SSID
</td><td>
You cannot use the setup SSID for regular operation. The setup SSID is for initial setup only. Type a new name with a maximum of 32 characters. You can use a combination of alphanumeric and special characters, except for quotation marks \("\) and a backslash \(\\\).
</td></tr></tbody>
</table>7. From the **Authentication** menu, select one of the following authentication types for the WiFi network, and, if applicable, set a new passphrase \(network key or WiFi password\) for the WiFi network:
- **Open**: A legacy open WiFi network does not provide any security. Any WiFi device can join the network. We recommend that you do *not* use a legacy open WiFi network but configure WiFi security. However, a legacy open network might be appropriate for a WiFi hotspot.
If you select **Open** from the **Authentication** menu, the **Enhanced Open** check box displays.
- **Enhanced Open check box cleared**: The WiFi network is a legacy open network without any security. This is the default option for an open network. Clients are not authenticated, traffic is not encrypted, and 802.11w \(PMF\) is automatically disabled.
- **Enhanced Open check box selected**: The WiFi enhanced open feature is enabled. This feature is based on opportunistic wireless encryption \(OWE\). The encryption is set to CCM mode protocol \(CCMP\) and 802.11w \(PMF\) is automatically set to mandatory. If you select the **Enhanced Open** check box, the **Allow Devices to Connect with Open** check box displays.
If you select the **Allow Devices to Connect with Open** check box, the WiFi network can accept both clients that support the WiFi enhanced open feature and clients that do not. For clients that do not support the WiFi open enhanced feature, traffic is not encrypted.
If you clear the **Allow Devices to Connect with Open** check box, the WiFi network can only accept clients that support the WiFi enhanced open feature.
- **WPA2 Personal**: This option allows only WiFi clients that support WPA2 to connect to the SSID. Select this option if all WiFi clients are capable of supporting WPA2. This option uses AES encryption. In the **Passphrase** field, type a new passphrase for the WiFi network. The passphrase must be at least 8 characters in length and can be a maximum of 63 characters in length.
- **WPA2/WPA Personal**: This option allows both WPA and WPA2 WiFi clients to connect to the SSID. This option uses TKIP and AES encryption. Broadcast packets use TKIP. For unicast \(that is, point-to-point\) transmissions, WPA clients use TKIP and WPA2 clients use AES. In the **Passphrase** field, type a new passphrase for the WiFi network. The passphrase must be at least 8 characters in length and can be a maximum of 63 characters in length.
- **WPA3 Personal**: This option allows only WiFi clients that support WPA3 to connect to the SSID. Select this option if all WiFi clients are capable of supporting WPA3. This option uses SAE encryption. In the **Passphrase** field, type a new passphrase for the WiFi network. The passphrase must be at least 8 characters in length and can be a maximum of 63 characters in length.
- **WPA3/WPA2 Personal**: This option allows both WPA2 and WPA3 WiFi clients to connect to the SSID. This option uses AES and SAE encryption. WPA2 clients use AES and WPA3 clients use SAE. In the **Passphrase** field, type a new passphrase for the WiFi network. The passphrase must be at least 8 characters in length and can be a maximum of 63 characters in length.
**Note**: After you complete the setup process, you can set up WPA2 Enterprise or WPA3 Enterprise security with RADIUS servers. For more information, see [Change the authentication and encryption for a WiFi network](#task_afq_pz1_2zb).
8. Click the **Apply** button.
Your settings are saved. A pop-up window displays the IP address and the new WiFi network and password \(passphrase\).
If you specified a static IP address, save the IP address information because you must type the IP address when you log in again.
If you changed the default country, the AP restarts.
**Note:** Do not close the page!
After a short period, the Dashboard displays automatically. If the Dashboard does not display, for example, because you assigned a static IP address, see the next step.
You can now customize the AP settings for your network environment.
9. If the Dashboard does not display automatically, do the following:
1. Take one of the following actions:
- If you assigned a static IP address to the AP, type the IP address that you specified in [6](#step_ts4_gzd_dzb) in the address bar of the web browser.
- If you did not assign a static IP address, reenter the IP address that is displayed in the address bar of the web browser. If that does not work, write down the IP address, close the web browser, launch the web browser again, and then type the IP address in the address bar of the web browser.
- If you did not assign a static IP address and you closed the page so that you cannot see the IP address of the AP, use an IP scanner tool, use a network discovery tool, or access the DHCP server to discover the IP address of the AP in your network.
**Note:** You can also use the NETGEAR Insight app to discover the IP address that is assigned to the AP. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
Then, launch a browser and type the IP address in the address bar.
Your browser might display a security warning because of the self-signed certificate on the AP, which is expected behavior. You can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
The login page displays.
2. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you just defined on the Day Zero Easy Setup page. The user name and password are case-sensitive.
The Dashboard displays. You can now customize the AP settings for your network environment.
### Configure the AP offline using a directly connected computer {#task_msr_pb2_dzb}
You can take the AP offline \(that is, disconnect it from your network\), connect a computer through an Ethernet cable to the LAN port of the AP, and connect to the AP over its default IP address so that you can configure it offline. After you complete the configuration, you can bring the AP online.
**Note:** Because the AP is not connected to a PoE++ switch, you can use this configuration method only if you have a power adapter for the AP.
To connect to the AP using a computer that is directly connected to the LAN port of the AP:
1. Record the IP address and subnet mask of your computer so that you can reinstate these IP address settings later.
2. Temporarily change the IP address on your computer to 192.168.0.210 with 255.255.255.0 as the subnet mask.
\(You can actually use any IP address in the 192.168.0.2192.168.0.254 range, with the exception of IP address 192.168.0.100, which is the default IP address of the AP.\)
For more information about changing the IP address on your computer, see the help or documentation for your computer.
3. Use an Ethernet cable to connect your computer to the LAN port on the AP.
4. On the computer, launch a web browser and type **192.168.0.100** in the address bar.
The login page displays.
Your browser might display a security warning because of the self-signed certificate on the AP, which is expected behavior. You can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
5. Type the AP user name and default password, and click the **Login** button.
The user name is **admin**. The default password is **password**. The user name and password are case-sensitive.
The Day Zero Easy Setup page displays.
6. Select the **Web-browser** radio button.
The Day Zero Easy Setup page adjusts to display multiple options.
**Note:** After you save the basic settings that are shown on the page, the Day Zero Easy Setup page no longer displays when you log in. Instead, a login window displays. After you log in, the Dashboard displays.
7. To let the AP check for the latest firmware, click the **Check for Upgrade** button.
If new firmware is available for the AP, we recommend that you upgrade the firmware. After the firmware upgrade completes, the AP restarts. When the AP is ready, depending on your situation, go back to [4](#step_ft1_tc2_dzb) or [5](#step_f4y_xn3_4tb) of this procedure.
8. Specify the settings that are described in the following table.
<table id="table_rsr_pb2_dzb"><thead><tr><th>
Setting
</th><th>
Description
</th></tr></thead><tbody><tr><td>
Country/Region
</td><td>
From the menu, select the country and region in which the AP is operating.
**Note**: In some countries, the AP is sold with a preconfigured country or region setting and you cannot change it.
**Note**: If you do not see your country or region listed in the menu, update the APs firmware and check again. If you still do not see your country or region listed, contact NETGEAR support.
**Note**: Make sure that the country is set to the location where the device is operating. It might not be legal to operate the AP in a region other than the regions listed in the menu. You are responsible for complying with the local, regional, and national regulations that are set for channels, power levels, and frequency ranges.
</td></tr><tr><td>
Time Zone
</td><td>
From the menu, select the time zone for the country and region in which the AP is operating.
</td></tr><tr><td>
DHCP Client
</td><td>
By default, the DHCP client of the AP allows the AP to receive an IP address from a DHCP server \(or router that functions as a DHCP server\) in your network.
To set up the AP with a static \(fixed\) IP address, do the following:
1. Select the **Disable** radio button.
Additional fields display.
2. Specify the IP address, IP subnet mask, IP address of the default gateway, and IP address of the DNS server.
</td></tr><tr><td>
AP Name
</td><td>
As an option, type a new name for the AP. The name must contain alphanumeric characters, must contain at least one alphabetical character, cannot be longer than 64 characters, and can contain hyphens but cannot start or end with a hyphen.
By default, the AP name is Netgearxxxxxx, in which xxxxxx represents the last six hexadecimal digits of the APs MAC address.
</td></tr><tr><td>
AP Login New Password
</td><td>
Type a new admin password. This is the password that you must use to log in to the APs device UI. \(It is *not* the password that you use for WiFi access.\)
The password must be 8 to 63 characters in length and must contain at least one uppercase letter, one lowercase letter, and one number.
Save the password for future use.
</td></tr><tr><td>
Confirm New Password
</td><td>
Type exactly the same password that you typed in the **AP Login New Password** field.
</td></tr><tr><td>
SSID
</td><td>
You cannot use the setup SSID for regular operation. The setup SSID is for initial setup only. Type a new name with a maximum of 32 characters. You can use a combination of alphanumeric and special characters, except for quotation marks \("\) and a backslash \(\\\).
</td></tr></tbody>
</table>9. From the **Authentication** menu, select one of the following authentication types for the WiFi network, and, if applicable, set a new passphrase \(network key or WiFi password\) for the WiFi network:
- **Open**: A legacy open WiFi network does not provide any security. Any WiFi device can join the network. We recommend that you do *not* use a legacy open WiFi network but configure WiFi security. However, a legacy open network might be appropriate for a WiFi hotspot.
If you select **Open** from the **Authentication** menu, the **Enhanced Open** check box displays.
- **Enhanced Open check box cleared**: The WiFi network is a legacy open network without any security. This is the default option for an open network. Clients are not authenticated, traffic is not encrypted, and 802.11w \(PMF\) is automatically disabled.
- **Enhanced Open check box selected**: The WiFi enhanced open feature is enabled. This feature is based on opportunistic wireless encryption \(OWE\). The encryption is set to CCM mode protocol \(CCMP\) and 802.11w \(PMF\) is automatically set to mandatory. If you select the **Enhanced Open** check box, the **Allow Devices to Connect with Open** check box displays.
If you select the **Allow Devices to Connect with Open** check box, the WiFi network can accept both clients that support the WiFi enhanced open feature and clients that do not. For clients that do not support the WiFi open enhanced feature, traffic is not encrypted.
If you clear the **Allow Devices to Connect with Open** check box, the WiFi network can only accept clients that support the WiFi enhanced open feature.
- **WPA2 Personal**: This option allows only WiFi clients that support WPA2 to connect to the SSID. Select this option if all WiFi clients are capable of supporting WPA2. This option uses AES encryption. In the **Passphrase** field, type a new passphrase for the WiFi network. The passphrase must be at least 8 characters in length and can be a maximum of 63 characters in length.
- **WPA2/WPA Personal**: This option allows both WPA and WPA2 WiFi clients to connect to the SSID. This option uses TKIP and AES encryption. Broadcast packets use TKIP. For unicast \(that is, point-to-point\) transmissions, WPA clients use TKIP and WPA2 clients use AES. In the **Passphrase** field, type a new passphrase for the WiFi network. The passphrase must be at least 8 characters in length and can be a maximum of 63 characters in length.
- **WPA3 Personal**: This option allows only WiFi clients that support WPA3 to connect to the SSID. Select this option if all WiFi clients are capable of supporting WPA3. This option uses SAE encryption. In the **Passphrase** field, type a new passphrase for the WiFi network. The passphrase must be at least 8 characters in length and can be a maximum of 63 characters in length.
- **WPA3/WPA2 Personal**: This option allows both WPA2 and WPA3 WiFi clients to connect to the SSID. This option uses AES and SAE encryption. WPA2 clients use AES and WPA3 clients use SAE. In the **Passphrase** field, type a new passphrase for the WiFi network. The passphrase must be at least 8 characters in length and can be a maximum of 63 characters in length.
**Note**: After you complete the setup process, you can set up WPA2 Enterprise or WPA3 Enterprise security with RADIUS servers. For more information, see [Change the authentication and encryption for a WiFi network](#task_afq_pz1_2zb).
10. Click the **Apply** button.
Your settings are saved. A pop-up window displays the IP address and the new WiFi network and password \(passphrase\).
If you specified a static IP address, save the IP address information because you must type the IP address when you log in again.
You are disconnected from the AP. If you changed the default country, the AP restarts.
11. After a few minutes, if the login window does not display automatically, type **192.168.0.100** in the address bar of your browser.
If you changed the IP address, type the IP address that you saved in [8](#step_or2_1d2_dzb).
Your browser might display a security warning because of the self-signed certificate on the AP, which is expected behavior. You can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
The login page displays.
12. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you just defined on the Day Zero Easy Setup page. The user name and password are case-sensitive.
The Dashboard displays. You can now customize the AP settings for your network environment.
13. After you complete the setup process, or both the setup and customization process, you can change the computer back to its original IP address settings.
## Log in to the AP after initial setup {#task_eff_qzq_5lb}
After initial setup, the AP is ready for use and you can change the settings and monitor the traffic.
To log in to the APs device UI:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
The Dashboard displays various panes that let you see the status of your AP at a glance.
For more information about the Dashboard and its various panes, see [Monitor the AP and the Network](#concept_d5z_p1l_h1c).
## What to do if you get a browser security warning {#concept_c2d_g4q_czb}
When you enter the IP address that is assigned to the AP in the address field of your browser, a security warning might display because of the self-signed certificate on the device. This is expected behavior. You can proceed, or add an exception for the security warning.
To proceed with a security warning or add an exception for a security warning:
- **Google Chrome**: Click the **ADVANCED** link. Then, click the **Proceed to x.x.x.x \(unsafe\)** link, in which x.x.x.x represents the domain name or IP address of the device.
- **Apple Safari**: Click the **Show Details** button. Then, click the **visit this website** link. If a warning pop-up window displays, click the **Visit Website** button. If another pop-up window displays to let you confirm changes to your certificate trust settings, enter your Mac user name and password and click the **Update Setting** button.
- **Mozilla Firefox**: Click the **ADVANCED** button. Then, click the **Add Exception** button. In the pop-up window that displays, click the **Confirm Security Exception** button.
- **Microsoft Edge**: Select **Details &gt; Go on to the webpage**.
- **Microsoft Internet Explorer**: Click the **Continue to this website \(not recommended\)** link.
# Install the AP in an Insight Instant Mesh WiFi Network {#concept_gfp_pmf_dzb .concept}
In addition to functioning as a regular standalone access point, the AP can function in an Insight Instant Mesh WiFi network as either a root AP \(which we refer to as a *root*\) or a node AP \(which we refer to as a *node*\).
This chapter describes how you can use the NETGEAR Insight Cloud Portal or Insight app to connect the AP to a root so that you can let the AP function as a node in an Insight Instant Mesh WiFi network. The NETGEAR Insight Cloud Portal and Insight app are available for Insight Premium and Insight Pro subscribers.
**Note:** To set up a node in a NETGEAR Insight Instant Mesh WiFi network with a connection to a root, you must use either the NETGEAR Insight Cloud Portal or Insight app. You cannot use the device UI to set up a mesh WiFi connection to a root.
For information about how you can manage and monitor the node with the Insight Cloud Portal and Insight app, visit [netgear.com/insight](https://www.netgear.com/insight/). The Insight Cloud Portal and Insight app have embedded help and are documented in multiple knowledge base articles that you can access by visiting [netgear.com/support](https://www.netgear.com/support/).
The chapter contains the following sections:
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## What are a root and a node? {#concept_jt2_kqf_dzb}
The AP can function in an Insight Instant Mesh WiFi network as a root or node:
- **Root**: A mesh-capable AP that you set up with a wired connection to your network to create a gateway to one or more mesh-capable APs that function as nodes. On the root, use the Ethernet port for the connection to your network. A root can service multiple nodes simultaneously.
- **Node**: A mesh-capable AP with a WiFi backhaul connection to a root that provides Internet connectivity. The node is not connected to your network over a wired connection but over a WiFi connection.
![](../WBE700%20Series%20Base%20UM/Img/WBE700_mesh_diagram_r1.ai "Mesh network with a node and a wired root")
<table id="table_lt2_kqf_dzb"><thead><tr><th>
Number or Icon and Description
</th></tr></thead><tbody><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/Number_1.ai)   A root that is connected over Ethernet to a network switch.
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/Number_2.ai)   A node that is connected over a 6 GHz backhaul WiFi connection to the root.
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/Number_3.ai)   Either a computer or a tablet with access to the Insight Cloud Portal or a mobile phone with the Insight app The Insight Cloud Portal or Insight app lets you configure and manage the node in the Insight Instant Mesh WiFi network.
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/Number_4.ai)   A network switch.
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/Number_5.ai)   A network router that is connected to the Internet.
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/GreenWave.ai)   Broadcast in the 2.4 GHz radio band.
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/PurpleWave.ai)   Broadcast in the 5 GHz radio band.
</td></tr><tr><td>
![](../WBE700%20Series%20Base%20UM/Img/OrangeWave.ai)   Broadcast in the 6 GHz radio band.
</td></tr></tbody>
</table>## What is an Insight Instant Mesh WiFi network? {#concept_hvk_tlm_dzb}
A mesh WiFi network consists of at least one mesh-capable root and one or more nodes that connect to the root over WiFi \(see [What are a root and a node?](#concept_jt2_kqf_dzb)\). The root is connected over Ethernet to a router or Internet gateway and provides Internet access to its nodes. The root and nodes work together to cover a potentially large area with WiFi network, which is the mesh network.
A mesh network can be a good solution if you want to bring WiFi to the following environments:
- Nearby rooms where cabling is not available \(in line of sight and in range of the current WiFi reception\)
- Neighboring office buildings \(in line of sight and in range of the current WiFi reception\)
- Any environment in which you cannot run cables
In the mesh WiFi network, the node connects to the root over a WiFi connection and broadcasts \(extends\) the WiFi network to the WiFi clients:
- **Backhaul connection**: The WiFi connection between the root and the node is referred to as the backhaul connection.
- **Fronthaul connection**: The WiFi connection between the node and its WiFi clients is referred to as the fronthaul connection.
In a NETGEAR Insight Instant Mesh WiFi network, you must use the Insight Cloud Portal or Insight app to set up the mesh WiFi connection between the root and the node. That is, you cannot do so through the device UI of either the root or the node. In a network with multiple roots, NETGEAR Insight automatically connects the node to the root with the strongest WiFi signal.
Although the node broadcasts the same WiFi network or networks as the root, you can also set up a WiFi network on the node, which then can be broadcast by the root and other nodes in the mesh network.
The AP can broadcast on the 2.4 GHz band, the 5 GHz band, and the 6 GHz band \(the preferred band for the backhaul connection on the AP\). Depending on the WiFi capability of the WiFi client, any band can provide the fronthaul connection.
## Requirements for placing a node in an Insight Instant Mesh WiFi network {#concept_brt_jmm_dzb}
The following are the requirements for placing a node in an Insight Instant Mesh WiFi network:
- The existing WiFi network must include at least one mesh-capable access point that runs the latest firmware version. On the root, use one Ethernet port for the connection to your network.
- The node must be in factory default state. If you previously used the node in your network, reset the AP to factory default settings.
- The node must be within range of the WiFi signal of a root so that it can sync with the root. During setup, for a reliable WiFi connection, place the node less than 25 feet \(7.5 m\), in a line of sight with minimal obstacles from the closest root.
- You must use the NETGEAR Insight Cloud Portal or Insight app to install the node in the existing WiFi network.
For information about the NETGEAR access point models that can function either as a root or as a node, visit [kb.netgear.com/000065847](https://kb.netgear.com/000065847/Which-access-points-support-Insight-Mesh-WiFi/).
## Access the Cloud Portal to set up or manage an Insight Instant Mesh WiFi network {#task_yct_qqm_dzb}
The NETGEAR Insight Cloud Portal is available for Insight Premium and Insight Pro subscribers.
After you install the AP in an Insight Instant Mesh WiFi network, you can use the Insight Cloud Portal to set up a mesh WiFi connection and configure, manage, and monitor the AP.
For more information about the NETGEAR Insight Cloud Portal, visit the following pages:
- [netgear.com/business/services/insight](https://www.netgear.com/business/services/insight)
- [kb.netgear.com/000061848](https://kb.netgear.com/000061848/How-do-I-use-NETGEAR-s-one-year-of-Insight-included-subscription)
- [kb.netgear.com/000044338](https://kb.netgear.com/000044338/Knowledge-base-landing-page-for-Insight-Managed-Wireless-Access-Points)
To connect to the AP over the Internet through the Insight Cloud Portal:
1. On a computer or tablet, visit [insight.netgear.com](https://accounts.netgear.com/login?redirectUrl=https:%2F%2Finsight.netgear.com%2F).
The NETGEAR Account Login page displays.
2. If you do not already have an Insight account, you can create an account now.
For information about creating an Insight Premium account or upgrading to an Insight Pro account, visit [kb.netgear.com/000044343](https://kb.netgear.com/000044343/How-do-I-create-an-Insight-account).
3. Enter the email address and password for your NETGEAR account and click the NETGEAR **Sign In** button.
You can now set up the AP mesh WiFi connection. For more information, see [kb.netgear.com/000061304](https://kb.netgear.com/000061304/How-do-I-set-up-an-Insight-Instant-Mesh-network).
## Connect the AP as a node to a root using the Cloud Portal {#task_qmc_ktm_dzb}
The NETGEAR Insight Cloud Portal is available for Insight Premium and Insight Pro subscribers.
You can use the Insight Cloud Portal to connect the AP as a node to a root. The root must be set up with a wired connection to a router or Internet gateway so that the root can provide Internet connectivity to the node.
For more information about the Insight Cloud Portal and the configuration and management options that are available through the Insight Cloud Portal, visit [netgear.com/insight](https://www.netgear.com/insight/). The Insight Cloud Portal has embedded help and is documented in multiple knowledge base articles that you can access by visiting [netgear.com/support](https://www.netgear.com/support/).
The node can use any band to establish the backhaul connection to the root and the fronthaul connection to WiFi clients. However, after the backhaul connection is established, if both the root and the node can support the 6 GHz band, the node automatically switches to the 6 GHz band as the preferred band for its backhaul connection. Using the Insight Cloud Portal, you can change the backhaul settings.
To use the Insight Cloud Portal to connect the node to a root in an existing WiFi network:
1. Make sure that the mesh mode for the Insight network location is set to Auto.
For more information, visit [kb.netgear.com/000064932](https://kb.netgear.com/000064932).
2. Make sure that the mesh mode for the root is set to Auto.
For more information, visit [kb.netgear.com/000064931](https://kb.netgear.com/000064931).
3. Make sure that node is in factory default state.
If you previously used the AP in your network, reset the AP to factory default settings.
4. For a reliable WiFi connection, place the node less than 25 feet \(7.5 m\), in a line of sight with minimal obstacles from the closest root.
5. Connect the node to a power source.
The LED of the node lights amber and then lights green.
**Note:** To prevent a network loop, connect the node to a PoE++ switch that is *not* connected to the same network as the root or to the Internet. You can also use an optional power adapter.
6. Access the Insight Cloud Portal by visiting [insight.netgear.com](https://accounts.netgear.com/login?redirectUrl=https:%2F%2Finsight.netgear.com%2F), enter your NETGEAR email address and password, and click the **NETGEAR Sign In** button.
7. Only if you are an Insight Pro user, select the organization to which you want to add the node.
8. Select the location to which you want to add the node.
9. Click the **+ \(Add Device\)** button.
10. In the Add New Device pop-up page, enter the nodes serial number and MAC address, and then click **Go**.
Insight detects the node automatically. This process might take a few minutes.
The node attempts to detect and connect to the root that provides the strongest WiFi signal in the Insight Instant Mesh WiFi network.
**Note:** The initial connection and configuration process might take up to 10 minutes. The node might restart during the configuration process.
11. Wait for the node to go through the initial connection and configuration process and for the LED to stop blinking amber, green, and blue and to light solid blue.
**Note:** The initial connection and configuration process might take up to 10 minutes. The node might restart during the configuration process.
The LED lights as follows during the initial connection and configuration process:
- **Blinking green**: The node is attempting to detect a root.
- **Solid green**: The node is making its first connection with the root that provides the strongest WiFi signal.
- **Blinking amber slowly**: The node is contacting the network router or DHCP server to receive an IP address.
If the LED does not stop blinking amber, see [LED is blinking amber slowly, continuously](#concept_prq_bkr_h1c).
- **Blinking amber, green, and blue**: The node is being configured as a managed device in the Insight Instant Mesh WiFi network.
If the LED does not stop blinking amber, green, and blue, see [LED does not stop blinking amber, green, and blue](#concept_khy_qlr_h1c).
When the configuration is complete, the LED lights as follows:
- **Solid blue**: The configuration is complete and the node is ready for operation. The node functions in the Insight Instant Mesh WiFi network and is connected to the Insight cloud.
The node is automatically configured to broadcast \(extend\) the roots WiFi network.
If you are experiencing difficulty connecting the node with a root, see [The node and root cannot connect](#task_rcq_dmr_h1c).
For information about accessing, managing, and monitoring the node with the NETGEAR Insight Cloud Portal and Insight app, visit [netgear.com/insight](https://www.netgear.com/insight/). The Insight Cloud Portal and Insight app have embedded help and are documented in multiple knowledge base articles that you can access by visiting [netgear.com/support](https://www.netgear.com/support/).
## Install the Insight app to manage an Insight Instant Mesh WiFi network {#task_tz1_lrm_dzb}
The NETGEAR Insight app is available for Insight Premium and Insight Pro subscribers.
Before you can add the AP to an Insight Instant Mesh WiFi network using the NETGEAR Insight app, you must install the app on an iOS or Android mobile device.
For more information about the NETGEAR Insight app, visit the following pages:
- [netgear.com/business/services/insight](https://www.netgear.com/business/services/insight)
- [kb.netgear.com/000061848](https://kb.netgear.com/000061848/How-do-I-use-NETGEAR-s-one-year-of-Insight-included-subscription)
- [kb.netgear.com/000044338](https://kb.netgear.com/000044338/Knowledge-base-landing-page-for-Insight-Managed-Wireless-Access-Points)
To install the Insight app to manage an Insight Instant Mesh WiFi network:
1. On your mobile device, go to the app store, search for NETGEAR Insight, and download the Insight app.
![](../WBE700%20Series%20Base%20UM/Img/InsightAppBadges.png)
2. Launch the Insight app.
3. If you do not already have an Insight account, you can create an account now.
For information about creating an Insight Premium account or upgrading to an Insight Pro account, visit [kb.netgear.com/000044343](https://kb.netgear.com/000044343/How-do-I-create-an-Insight-account).
4. Enter the email address and password for your NETGEAR account and tap **LOG IN**.
You can now set up the AP mesh WiFi connection \(see [Connect the AP as a node to a root using the Insight app](#task_rvq_v5m_dzb)\).
## Connect the AP as a node to a root using the Insight app {#task_rvq_v5m_dzb}
You can use the NETGEAR Insight app to connect the AP as a node to a root. The root must be set up with a wired connection to a router or Internet gateway so that the root can provide Internet connectivity to the node.
For more information about the Insight app and the configuration and management options that are available through the Insight app, visit [netgear.com/insight](https://www.netgear.com/insight/). The Insight app has embedded help and is documented in multiple knowledge base articles that you can access by visiting [netgear.com/support](https://www.netgear.com/support/).
The node can use any band to establish the backhaul connection to the root and the fronthaul connection to WiFi clients. However, after the backhaul connection is established, if both the root and the node can support the 6 GHz band, the node automatically switches to the 6 GHz band as the preferred band for its backhaul connection. Using the Insight Cloud Portal, you can change the backhaul settings.
To use the NETGEAR Insight app to connect the node to a root in an existing WiFi network:
1. Make sure that the mesh mode for the Insight network location is set to Auto.
For more information, visit [kb.netgear.com/000064932](https://kb.netgear.com/000064932).
You cannot use the Insight app to change the mesh mode for the Insight network location. You must use the Cloud Portal. For all other steps in this procedure, you *can* use the Insight app.
2. Make sure that the mesh mode for the root is set to Auto.
For more information, visit [kb.netgear.com/000064929](https://kb.netgear.com/000064929).
3. Make sure that node is in factory default state.
If you previously used the AP in your network, reset the AP to factory default settings.
4. For a reliable WiFi connection, place the node less than 25 feet \(7.5 m\), in a line of sight with minimal obstacles from the closest root.
5. Connect the node to a power source.
The LED of the node lights amber and then lights green.
**Note:** To prevent a network loop, connect the node to a PoE++ switch that is *not* connected to the same network as the root or to the Internet. You can also use an optional power adapter.
6. Connect your mobile device to the existing WiFi network that includes one or more roots.
7. Launch the Insight app and sign in to your account.
8. Select the Insight network location with the root.
In most situations, the Insight app detects the node automatically. This process might take a few minutes.
9. Do one of the following to add the node to the Insight network location:
- **Automatically detected**: If the node is automatically detected and listed in the Insight Manageable Devices section, tap the icon for the node, and then tap the **ADD DEVICE** button.
- **Not automatically detected**: If the node is not automatically detected, do the following:
1. Tap the **+** icon in the top bar.
2. Do one of the following:
- Tap the **SCAN BARCODE OR QR CODE** button, and then scan the nodes code.
- Tap the **Enter Serial Number and MAC address** link, and then manually enter the nodes serial number and MAC address.
3. If prompted, name the node and tap the **Next** button.
The node attempts to detect and connect to the root that provides the strongest WiFi signal in the Insight Instant Mesh WiFi network.
**Note:** The initial connection and configuration process might take up to 10 minutes. The node might restart during the configuration process.
10. Wait for the node to go through the initial connection and configuration process and for the LED to stop blinking amber, green, and blue and to light solid blue.
**Note:** The initial connection and configuration process might take up to 10 minutes. The node might restart during the configuration process.
The LED lights as follows during the initial connection and configuration process:
- **Blinking green**: The node is attempting to detect a root.
- **Solid green**: The node is making its first connection with the root that provides the strongest WiFi signal.
- **Blinking amber slowly**: The node is contacting the network router or DHCP server to receive an IP address.
If the LED does not stop blinking amber, see [LED is blinking amber slowly, continuously](#concept_prq_bkr_h1c).
- **Blinking amber, green, and blue**: The node is being configured as a managed device in the Insight Instant Mesh WiFi network.
If the LED does not stop blinking amber, green, and blue, see [LED does not stop blinking amber, green, and blue](#concept_khy_qlr_h1c).
When the configuration is complete, the LED lights as follows:
- **Solid blue**: The configuration is complete and the node is ready for operation. The node functions in the Insight Instant Mesh WiFi network and is connected to the Insight cloud.
The node is automatically configured to broadcast \(extend\) the roots WiFi network.
If you are experiencing difficulty connecting the node with a root, see [The node and root cannot connect](#task_rcq_dmr_h1c).
For information about accessing, managing, and monitoring the node with the NETGEAR Insight Cloud Portal and Insight app, visit [netgear.com/insight](https://www.netgear.com/insight/). The Insight Cloud Portal and Insight app have embedded help and are documented in multiple knowledge base articles that you can access by visiting [netgear.com/support](https://www.netgear.com/support/).
# Manage the Basic WiFi Features for a WiFi network {#concept_lnp_sjt_dzb .concept}
The AP can support eight WiFi networks, each with its own unique WiFi settings, including WiFi security. This chapter describes how you can manage the basic WiFi features for a WiFi network.
For information about the advanced WiFi features for a WiFi network, see [Manage the Advanced WiFi Features for a WiFi network](#concept_o4y_v5d_h1c).
The chapter includes the following sections:
**Note:** If you want to change the settings of a WiFi network on the AP, use a wired connection to avoid being disconnected when the new WiFi settings take effect.
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## Set up an open or secure WiFi network {#task_ujs_4pt_dzb}
The AP provides one setup SSID that is enabled by default and that broadcasts on the 2.4 GHz band, 5 GHz band, and 6 GHz band. This is the SSID that you renamed and for which you set a new passphrase when you initially connected to the AP. We also refer to this SSID as the default WiFi network, and it is displayed as SSID1 in the device UI. You can add more SSIDs: The AP can support a total of eight SSIDs.
The AP can simultaneously support the 2.4 GHz band for 802.11b/g/n/ax/be WiFi devices, the 5 GHz band for 802.11a/na/ac/ax/be WiFi devices, and the 6 GHz band for 802.11ax/be devices.
SSID stands for service set identifier, which is the WiFi network name. When you create a new SSID, you are defining the settings for a new WiFi network, also referred to as virtual access point \(VAP\). That means that the AP supports up to eight WiFi networks or VAPs.
If you plan to use WPA2 Enterprise security or WPA3 Enterprise security for your WiFi network, first set up RADIUS servers \(see [Set up RADIUS servers](#task_jvz_zpp_c1c)\). Note that WPA2 Enterprise security and WPA3 Enterprise security are not compatible with a multicast DNS \(mDNS\) gateway \(see [Manage the multicast DNS gateway](#concept_dm4_tpx_g1c)\).
To set up a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select and add an SSID.
5. Click the **+** button to the left of Add SSID.
A pop-up page displays the settings for the SSID.
6. Specify the WiFi network name \(SSID\), select whether the SSID is broadcast, and specify the VLAN ID as described in the following table.
<table id="table_zjs_4pt_dzb"><thead><tr><th>
Setting
</th><th>
Description
</th></tr></thead><tbody><tr><td>
Wireless Network Name \(SSID\)
</td><td>
The SSID is the WiFi network name of the VAP. Enter a name for the SSID with a maximum of 32 characters. You can use a combination of alphanumeric and special characters, except for quotation marks \("\) and a backslash \(\\\).
For a WiFi device to be able to connect to the VAP, the SSID on the WiFi device must match the SSID of the VAP.
</td></tr><tr><td>
Broadcast SSID
</td><td>
By default, the VAP broadcasts its SSID so that WiFi clients can detect the SSID in their scanned network lists. To turn off the SSID broadcast, select the **No** radio button.
Turning off the SSID broadcast provides additional WiFi security, but users must know the SSID to be able to join the VAP.
</td></tr><tr><td>
VLAN ID
</td><td>
You can enter the VLAN ID that must be associated with the VAP. By default, the VLAN ID is 1. The VLAN must be between 1 and 4094.
This VLAN ID is not the same as the 802.1Q VLAN ID that is used for the wired network \(see [Set the 802.1Q VLAN and management VLAN](#task_b45_rsw_g1c)\).
</td></tr></tbody>
</table>7. Specify the WiFi security by selecting an option from the **Authentication** menu and, if applicable, by specifying a passphrase in the **Passphrase** field or selecting an option from the **Encryption** menu:
- **Open**: A legacy open WiFi network does not provide any security. Any WiFi device can join the network. We recommend that you do *not* use a legacy open WiFi network but configure WiFi security. However, a legacy open network might be appropriate for a WiFi hotspot.
If you select **Open** from the **Authentication** menu, the **Enhanced Open** check box displays.
- **Enhanced Open check box cleared**: The WiFi network is a legacy open network without any security. This is the default option for an open network. Clients are not authenticated, traffic is not encrypted, and 802.11w \(PMF\) is automatically disabled \(see [8](#step_dqc_sx1_2zb)\).
- **Enhanced Open check box selected**: The WiFi enhanced open feature is enabled. This feature is based on opportunistic wireless encryption \(OWE\). The encryption is set to CCM mode protocol \(CCMP\) and 802.11w \(PMF\) is automatically set to mandatory \(see [8](#step_dqc_sx1_2zb)\). If you select the **Enhanced Open** check box, the **Allow Devices to Connect with Open** check box displays.
If you select the **Allow Devices to Connect with Open** check box, the WiFi network can accept both clients that support the WiFi enhanced open feature and clients that do not. For clients that do not support the WiFi open enhanced feature, traffic is not encrypted.
In this case, the SSID name can have a maximum length of 28 characters. Also, you can configure a maximum of two WiFi networks with OWE security and the option to allow both clients that support the WiFi enhanced open feature and clients that do not.
If you clear the **Allow Devices to Connect with Open** check box, the WiFi network can only accept clients that support the WiFi enhanced open feature.
- **WPA2 Personal**: This option is not available if the 6 GHz band is enabled.
This option, which is the same as WPA2-PSK, uses AES encryption. This type of security enables only WiFi devices that support WPA2 to join the VAP.
WPA2 provides a secure connection but some legacy WiFi devices do not detect WPA2 and support only WPA. If your network includes such older devices, select **WPA2/WPA Personal** authentication.
In the **Passphrase** field, enter a phrase of 8 to 63 characters. To join the VAP, a user must enter this passphrase. To display the passphrase in clear text, click the eye icon.
- **WPA2/WPA Personal**: This option is not available if the 6 GHz band is enabled.
This option, which is the same as WPA2-PSK/WPA-PSK, enables WiFi devices that support either WPA2 or WPA to join the VAP. This option uses AES and TKIP encryption.
WPA-PSK \(which uses TKIP\) is less secure than WPA2-PSK \(which uses AES\) and limits the speed of WiFi devices to 54 Mbps.
In the **Passphrase** field, enter a phrase of 8 to 63 characters. To join the VAP, a user must enter this passphrase. To display the passphrase in clear text, click the eye icon.
- **WPA2 Enterprise**: This option is not available if the 6 GHz band is enabled.
This enterprise-level security uses RADIUS for centralized Authentication, Authorization, and Accounting \(AAA\) management. For WPA2 Enterprise security to function, you must set up RADIUS servers \(see [Set up RADIUS servers](#task_jvz_zpp_c1c)\).
WPA2 Enterprise security and a captive portal are mutually exclusive.
From the **Encryption** menu, select the data encryption mode:
- **TKIP + AES**. This type of data encryption enables WiFi devices that support either WPA or WPA2 to join the APs WiFi network. This is the default mode.
- **AES**. This type of data encryption provides a secure connection but some older WiFi devices do not detect WPA2 and support only WPA. Therefore, if your network includes such older devices, select **TKIP + AES** encryption.
When you select **WPA2 Enterprise** authentication, the **Dynamic VLAN** radio buttons display:
- **Enable**: The RADIUS server can assign a VLAN ID to clients. If the RADIUS server does not do so, the clients are automatically assigned the VLAN ID that you configured for the SSID.
- **Disable**: The clients are assigned the VLAN ID that you configured for the SSID. This is the default setting.
A dynamic VLAN is mutually exclusive with a captive portal, NAT mode, wireless client isolation, a multicast DNS \(mDNS\) gateway, and multi-link operation \(MLO\).
- **WPA3 Personal**: This option is the most secure personal authentication option. WPA3 uses SAE encryption and enables only WiFi devices that support WPA3 to join the VAP. If you select this option, 802.11w \(PMF\) is automatically set to mandatory \(see [8](#step_dqc_sx1_2zb)\).
WPA3 provides a secure connection but some legacy WiFi devices do not detect WPA3 and support only WPA2. If your network also includes WPA2 devices, select **WPA3/WPA2 Personal** authentication.
In the **Passphrase** field, enter a phrase of 8 to 63 characters. To join the VAP, a user must enter this passphrase. To display the passphrase in clear text, click the eye icon.
- **WPA3/WPA2 Personal**: This option, which is the same as WPA3/WPA2-PSK, is the default setting. It enables WiFi devices that support either WPA3 or WPA2 to join the VAP. This option uses SAE and AES encryption.
WPA2-PSK \(which uses AES\) is less secure than WPA3 \(which uses SAE\).
In the **Passphrase** field, enter a phrase of 8 to 63 characters. To join the VAP, a user must enter this passphrase. To display the passphrase in clear text, click the eye icon.
- **WPA3 Enterprise**: This enterprise-level security uses RADIUS for centralized Authentication, Authorization, and Accounting \(AAA\) management. For WPA3 Enterprise security to function, you must set up RADIUS servers \(see [Set up RADIUS servers](#task_jvz_zpp_c1c)\). If you select this option, 802.11w \(PMF\) is automatically set to mandatory \(see [8](#step_dqc_sx1_2zb)\).
WPA3 Enterprise security and a captive portal are mutually exclusive.
When you select WPA3 Enterprise security, the encryption is automatically set to GCMP256, which is a 256-bit encryption protocol.
When you select **WPA3 Enterprise** authentication, the **Dynamic VLAN** radio buttons display:
- **Enable**: The RADIUS server can assign a VLAN ID to clients. If the RADIUS server does not do so, the clients are automatically assigned the VLAN ID that you configured for the SSID.
- **Disable**: The clients are assigned the VLAN ID that you configured for the SSID. This is the default setting.
A dynamic VLAN is mutually exclusive with a captive portal, NAT mode, wireless client isolation, a multicast DNS \(mDNS\) gateway, and multi-link operation \(MLO\).
8. Optionally, enable 802.11w Protected Management Frames \(PMF\).
Protected Management Frames \(PMF\), according to the 802.11w standard, is a security feature that protects unicast and multicast management frames from being intercepted and changed for malicious purposes. The type of authentication that you select determines if this feature is mandatory, optional, or disabled. You can also set it manually.
- **Mandatory**: This option requires devices to use PMF. Devices that do not support PMF cannot connect to the WiFi network. If you select Enhanced Open authentication, WPA3 Personal authentication, or WPA3 Enterprise authentication, the radio button for PMF is set to **Mandatory**, and you cannot change it.
- **Optional**: This option lets the AP automatically activate PMF based on whether devices can support PMF. If you select WPA3/WPA2 Personal authentication, the radio button for PMF is set to **Optional**, but you can change it.
- **Disable**: This option disables PMF. If you select Open, WPA2 Personal, WPA2/WPA Personal, or WPA2 Enterprise authentication, the radio button for PMF is set to **Disabled**, but you can change it \(except for Open authentication\).
9. Optionally, enable Multi Pre-Shared Key \(PSK\), which lets you segregate the WiFi network into different VLANs, each accessible with a unique passphrase.
Multi PSK is supported only if the WiFi security is WPA2 Personal or WPA2/WPA Personal.
In a way, Multi PSK lets you create different sub WiFi networks on the WiFi network that you are setting up.
Although you can also configure this feature while you set up a WiFi network, this feature is more complex and therefore described separately. For more information, see [Set up Multi PSK for a WiFi network](#task_jh1_c5k_h1c).
10. Optionally, disable the WiFi broadcast or set up a WiFi activity schedule by selecting one of the following radio buttons:
- **Always ON**: When you set up an SSID, you are creating a new VAP. By default, the new VAP is enabled and the **Always ON** radio button is selected.
- **Always OFF**: Select this radio button to set up the SSID but temporarily disable the VAP.
- **Custom**: Select this radio button to set up a broadcast schedule. An icon displays to the right of the radio button. Do the following:
1. Click the icon next to the radio button.
A pop-up window displays.
2. Either select a predefined time from the **Preset** menu or select custom time blocks by clicking the time blocks.
A blue color for a time block indicates that the VAP will be enabled \(on\). A gray color for a time block indicates that the VAP will be disabled \(off\).
3. Click the **Done** button.
The pop-up window closes.
For each SSID, you can create a single custom schedule. In that schedule, for each day from 12:00 a.m. to the next day 12:00 a.m., you specify the time or times that the VAP is disabled. You can schedule a maximum of three events for a single day.
11. Optionally, select one or two radio bands only by clearing one or more check boxes.
Clear one or more check boxes \(**2.4 GHz**, **5 GHz**, or **6 GHz**\) or keep the default selection. By default, the 2.4 GHz and 5 GHz check boxes are selected but the 6 GHz check box is cleared, which means that the AP broadcast the SSID on the 2.4 GHz and 5 GHz bands.
**Note:** If you enable the 6 GHz band, only WiFi clients that support WiFi 6 capabilities can connect to the 6 GHz band, as well as to the 2.4  GHz or 5 GHz band. WiFi clients that do not support WiFi 6 capabilities can connect to the 2.4  GHz or 5 GHz band.
12. Optionally, enable band steering with 802.11k radio resource management \(RRM\) and 802.11v WiFi network management.
By default, band steering with 802.11k RRM and 802.11v WiFi network management is disabled for the VAP.
To enable band steering with 802.11k RRM and 802.11v WiFi network management, select the **Enable** radio button. Doing so allows the AP, under certain channel conditions, to steer WiFi devices to the 2.4 GHz, 5 GHz, or 6 GHz band of the VAP. These WiFi devices must be dual-band or tri-band capable. Compared to the 2.4 GHz band, generally more channels and bandwidth are available in the 5 GHz band, and even more in the 6 GHz band, causing less interference and allowing for a better user experience.
802.11k RRM and 802.11v WiFi network management affect the network in the following ways:
- **802.11k RRM**: This feature lets the AP and 802.11k-aware clients dynamically measure the available radio resources. In an 802.11k-enabled network, APs and clients can send neighbor reports, beacon reports, and link measurement reports to each other, allowing 802.11k-aware clients to automatically select the best AP for initial connection or for roaming.
- **802.11v WiFi network management**: This feature lets the AP steer its WiFi clients to the 2.4 GHz, 5 GHz, or 6 GHz band, based on the APs channel load.
The AP sets the received signal strength indicator \(RSSI\) threshold automatically. \(That is, you cannot configure the RSSI threshold manually.\)
13. Optionally, enable multi-link operation \(MLO\).
Aggregating the APs radios is referred to as multi-link operation \(MLO\), which is a key feature of Wi-Fi 7. Devices that communicate using MLO are called multi link devices \(MLDs\).
For MLO to function, enable at least two radios and configure the WiFi mode as 11be for each radio. For MLO to function, enable both the 5 GHz and 6 GHz radios and configure the WiFi mode as 11be for each radio. MLO improves throughput, latency, and reliability. For more information, see [Configure multi-link operation](#task_x13_fnp_c1c).
Under Multi-LinkOperation, select one of the following radio buttons:
- **Enable**: MLO is enabled. The radios on which 11be is enabled are aggregated to function as if they were a single link.
- **Disable**: MLO is disabled. The radios on which 11be is enabled function independently. This is the default setting.
14. To set the addressing and traffic mode, configure client isolation, configure URL tracking, configure a captive portal, select a MAC ACL for WiFi clients, configure bandwidth rate limits, or do all of this, scroll down and click the **&gt; Advanced** tab.
The pop-up page expands.
15. Optionally, set the NAT mode or Bridge mode for addressing and traffic.
By default, the addressing and traffic mode of the AP is Bridge mode, which means that WiFi clients receive IP addresses from a DHCP server \(or a router that functions as a DHCP server\) in your network. This is usually the same DHCP server that assigns an IP address to the AP itself.
You can also set NAT mode, which enables the APs DHCP server for WiFi clients. The APs DHCP server assigns an IP address in a different range from the IP address of the AP itself. NAT mode and Multi PSK \(see [9](#step_bhp_mlg_l5b)\) are mutually incompatible.
From the **Addressing and Traffic** menu, select the addressing and traffic mode:
- **Bridge**: The WiFi clients receive their IP addresses from the DHCP server in the same network as the AP. This is the default mode.
- **NAT**: WiFi clients receive their IP addresses from a private DHCP address pool on the AP. If you select this mode, by default, the WLAN network address is 172.31.0.0. This means that WiFi clients are assigned an IP address in the range from 172.31.0.2 to 172.31.3.254. The IP address of the default DNS server for the WLAN is 8.8.8.8. To change the default range for the DHCP address pool, the default DNS server, or the lease time, do the following:
1. In the **Network Address** field, type a network address that is different from the network address for the AP. For example, if the APs IP address is in the range from 192.168.0.1 to 192.168.0.254 \(a common IP address range\), type a network address that is different from 192.168.0.0.
2. From the **Subnet Mask** menu, select one of the preconfigured subnet mask schemes.
3. In the **DNS** field, enter the IP address for the DNS server that you want to use. This IP address must be different from the WLAN network address that you set in the previous step.
4. In the **Lease Time** field, type the period in minutes that the address lease is valid for a WiFi client. The range is from 5 minutes to 43200 minutes. The default is 1440 minutes \(24 hours\). After the lease expires, the WiFi client must reconnect.
NAT mode is mutually exclusive with a dynamic VLAN \(DVLAN\), Multi PSK \(see [9](#step_bhp_mlg_l5b)\), a multicast DNS \(mDNS\) gateway, and a management VLAN other than VLAN 1.
16. Optionally, configure WiFi client isolation.
By default, client isolation is disabled for the VAP, and the **Disable** radio button is selected.
To block communication between WiFi clients that are associated with the same SSID or different SSIDs on the AP, select the **Enable** radio button.
When you select the **Enable** radio button, the **Allow access to devices listed below** check box displays. You can then select and add static IP addresses or domains \(that resolve to static IP addresses\) of network devices that are exempt from isolation so that clients are allowed to reach them. For more information, see [Enable or disable client isolation for a WiFi network](#task_qpk_cxd_h1c).
WiFi client isolation is mutually exclusive with a MAC/IP Traffic Filter group \(see [22](#step_bvz_hnm_nbc)\), a dynamic VLAN \(DVLAN\), Multi PSK \(see [9](#step_bhp_mlg_l5b)\), and a multicast DNS \(mDNS\) gateway. You also cannot enable WiFi client isolation if you disallow broadcast and multicast traffic \(see [21](#step_psj_cmm_nbc)\) or allow it only from a group of specific devices \(see [22](#step_bvz_hnm_nbc)\).
17. Optionally, enable URL tracking.
By default, URL tracking is disabled, and the **Disable** radio button is selected. To enable URL tracking for all URLs that are requested by WiFi clients that are connected to the SSID, select the **Enable** radio button.
For information about how to display the tracked URLs per SSID or per WiFi client, see [Display or download tracked URLs](#task_dbt_njq_h1c).
18. To configure a captive portal, a MAC ACL for WiFi clients, or bandwidth rate limits, see the information in the following sections:
- [Set Up and Manage a Captive Portal](#concept_thn_qhq_c1c)
- [Manage MAC ACLs for WiFi clients](#concept_gld_kdw_g1c) and [Select a MAC ACL for WiFi clients in a WiFi network](#task_zg4_jyd_h1c)
- [Set bandwidth rate limits for a WiFi network](#task_q21_bzd_h1c)
Although you can also configure these features while you set up a WiFi network, these features are more complex and therefore described separately.
19. To change the DHCP Offer message settings, allow or disallow broadcast and multicast traffic, select a MAC ACL for broadcast and multicast traffic from WiFi clients, select a MAC/IP Traffic Filter group, or do all of this, scroll down and click the **&gt;Traffic Policy** tab.
The pop-up page expands.
20. Optionally, change the DHCP Offer message settings.
When a device tries to associate with the WiFi network and negotiates an IP address, the AP converts the broadcast DHCP offer message that it receives from the DHCP server to a unicast message, and forwards it to the device. This is the default option \(that is, the **Enable** radio button is selected\). To disable this option so that the AP does *not* convert the broadcast DHCP offer messages to unicast messages, select the **Disable** radio button.
The DHCP Offer message settings are not available and do not display on the page if you enable multi-link operation \(MLO, see [13](#step_end_xjm_nbc)\).
21. To disallow broadcast and multicast traffic in the WiFi network, clear the **Allow Broadcast/Multicast Traffic** check box.
By default, broadcast and multicast traffic is allowed.
22. To select a MAC ACL for broadcast and multicast traffic from WiFi clients or select a MAC/IP Traffic Filter group, see the information in the following sections:
- [Manage MAC ACLs for broadcast and multicast traffic from WiFi clients](#concept_j23_5db_2bc) and [Select a MAC ACL for broadcast and multicast traffic from WiFi clients in a WiFi network](#task_rm3_zl3_2bc)
- [Manage MAC/IP Traffic Filter groups for WiFi networks](#concept_ekl_m2b_2bc) and [Select a MAC/IP Traffic Filter group for a WiFi network](#task_fgg_jl3_2bc)
Although you can also configure these features while you set up a WiFi network, these features are more complex and therefore described separately.
23. To configure advance rate selection for the 2.4 GHz band and 5 GHz band, scroll down and click the **&gt;Advanced Rate Selection** tab.
For more information, see [Configure advanced rate selection for a WiFi network](#task_cps_112_h1c).
Although you can also configure this feature while you set up a WiFi network, the feature is more complex and therefore described separately.
24. Click the **Apply** button.
Your settings are saved.
25. Make sure that you can connect to the new WiFi network.
If you cannot connect to the new WiFi network, check the following:
- If your WiFi-enabled computer or mobile device is already connected to another WiFi network in your area, disconnect it from that WiFi network and connect it to the correct WiFi network. Some WiFi devices automatically connect to the first open network without WiFi security that they discover.
- If your WiFi-enabled computer or mobile device is trying to connect to your network with its old settings \(before you changed the settings\), update the WiFi network selection in your WiFi-enabled computer or mobile device to match the current settings for your network.
- Does your WiFi device display as a connected client? \(See [Display client distribution, connected clients, and client trends](#task_rq4_qsw_wlb).\) If it does, it is connected to the network.
- Are you using the correct WiFi network name \(SSID\) and password?
- If the WiFi authentication and encryption is set to WPA3 Personal, make sure that the WiFi adapter device driver is updated to the latest version on your WiFi-enabled computer or mobile device.
## Display or change the settings of a WiFi network {#task_dyq_xjt_dzb}
You can display or change the settings of the default WiFi network \(SSID or VAP\) or any custom WiFi network. The default WiFi network is the SSID that you renamed and for which you set a new passphrase when you initially connected to the AP. This SSID is displayed as SSID1 in the device UI.
To display or change the settings of a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Change the settings of the WiFi network as needed.
For detailed descriptions of the settings, see [Set up an open or secure WiFi network](#task_ujs_4pt_dzb).
7. If you made changes, click the **Apply** button.
Your settings are saved.
8. If you made changes, make sure that you can reconnect over WiFi to the network with its new settings.
If you cannot connect over WiFi, check the following:
- If your WiFi-enabled computer or mobile device is already connected to another WiFi network in your area, disconnect it from that WiFi network and connect it to the correct WiFi network. Some WiFi devices automatically connect to the first open network without WiFi security that they discover.
- If your WiFi-enabled computer or mobile device is trying to connect to your network with its old settings \(before you changed the settings\), update the WiFi network selection in your WiFi-enabled computer or mobile device to match the current settings for your network.
- Does your WiFi device display as a connected client? \(See [Display client distribution, connected clients, and client trends](#task_rq4_qsw_wlb).\) If it does, it is connected to the network.
- Are you using the correct WiFi network name \(SSID\) and password?
## Remove a WiFi network {#task_t5n_5bb_2zb}
You can remove a custom WiFi network \(SSID or VAP\) that you no longer need. You cannot remove the default WiFi network. The default WiFi network is the SSID that you renamed and for which you set a new passphrase when you initially connected to the AP. This SSID is displayed as SSID1 in the device UI.
To remove a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select an SSID.
5. Click the trash can icon to the right of the SSID.
A warning pop-up window displays.
6. Click the **Delete** button.
The pop-window closes and the WiFi network is removed.
## Hide or broadcast the SSID for a WiFi network {#task_egv_ddb_2zb}
By default, a WiFi network \(SSID or VAP\) broadcasts its network name \(also referred to as the SSID\) so that WiFi clients can detect the SSID in their scanned network lists. For additional security, you can turn off the SSID broadcast and hide the SSID so that users must know the SSID to be able to join the WiFi network.
**Note:** If you set up a wireless distribution system \(WDS; see [Set up a WiFi Bridge in a Wireless Distribution System](#concept_y3f_gtj_h1c)\), you must keep the SSID broadcast enabled.
To hide or broadcast the network name for a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Under Broadcast SSID, select one of the following radio buttons:
- **No**: The SSID is hidden for the WiFi network.
- **Yes**: The SSID is broadcast for the WiFi network.
7. Click the **Apply** button.
Your settings are saved.
## Change the VLAN ID for a WiFi network {#task_erz_mdb_2zb}
The VLAN ID for a WiFi network is not the same as the 802.1Q VLAN ID that is used for the wired network \(see [Set the 802.1Q VLAN and management VLAN](#task_b45_rsw_g1c)\).
CAUTION:
Before you change the VLAN ID, be sure that the VLAN is configured on the network switch and the DHCP server and that the AP and its clients can get IP addresses over the new VLAN.
To change the VLAN ID for a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. In the **VLAN ID** field, enter an ID \(that is, a number\).
By default, the VLAN ID for a WiFi network is 1. The VLAN must be between 1 and 4094.
7. Click the **Apply** button.
Your settings are saved.
## Change the authentication and encryption for a WiFi network {#task_afq_pz1_2zb}
You can change the authentication and encryption of the default WiFi network \(SSID or VAP\) or any custom WiFi network. The default WiFi network is the SSID that you renamed and for which you set a new passphrase when you initially connected to the AP. This SSID is displayed as SSID1 in the device UI.
Before you change the authentication and encryption, consider the types of clients that must be able to connect to the WiFi network. WPA3 provides a more secure connection than WPA2, but some WiFi devices might not yet detect WPA3 and support only WPA2. Similarly, WPA2 provides a more secure connection than WPA, but some legacy WiFi devices do not detect WPA2 and support only WPA.
If you plan to use WPA2 Enterprise security or WPA3 Enterprise security for your WiFi network, first set up RADIUS servers \(see [Set up RADIUS servers](#task_jvz_zpp_c1c)\).
To change the authentication and encryption for a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select and add an SSID.
5. Click the **+** button to the left of Add SSID.
The settings for the selected SSID display.
6. From the **Authentication** menu, select one of the following authentication types for the WiFi network, and, if applicable, set a new passphrase \(network key or WiFi password\) in the **Passphrase** field or select an option from the **Encryption** menu:
- **Open**: A legacy open WiFi network does not provide any security. Any WiFi device can join the network. We recommend that you do *not* use a legacy open WiFi network but configure WiFi security. However, a legacy open network might be appropriate for a WiFi hotspot.
If you select **Open** from the **Authentication** menu, the **Enhanced Open** check box displays.
- **Enhanced Open check box cleared**: The WiFi network is a legacy open network without any security. This is the default option for an open network. Clients are not authenticated, traffic is not encrypted, and 802.11w \(PMF\) is automatically disabled \(see [Enable or disable PMF for a WiFi network](#task_vwx_kbb_2zb)\).
- **Enhanced Open check box selected**: The WiFi enhanced open feature is enabled. This feature is based on opportunistic wireless encryption \(OWE\). The encryption is set to CCM mode protocol \(CCMP\) and 802.11w \(PMF\) is automatically set to mandatory \(see [Enable or disable PMF for a WiFi network](#task_vwx_kbb_2zb)\). If you select the **Enhanced Open** check box, the **Allow Devices to Connect with Open** check box displays.
If you select the **Allow Devices to Connect with Open** check box, the WiFi network can accept both clients that support the WiFi enhanced open feature and clients that do not. For clients that do not support the WiFi open enhanced feature, traffic is not encrypted.
In this case, the SSID name can have a maximum length of 28 characters. Also, you can configure a maximum of two WiFi networks with OWE security and the option to allow both clients that support the WiFi enhanced open feature and clients that do not.
If you clear the **Allow Devices to Connect with Open** check box, the WiFi network can only accept clients that support the WiFi enhanced open feature.
- **WPA2 Personal**: This option is not available if the 6 GHz band is enabled.
This option, which is the same as WPA2-PSK, uses AES encryption. This type of security enables only WiFi devices that support WPA2 to join the VAP.
WPA2 provides a secure connection but some legacy WiFi devices do not detect WPA2 and support only WPA. If your network includes such older devices, select **WPA2/WPA Personal** authentication.
In the **Passphrase** field, enter a phrase of 8 to 63 characters. To join the VAP, a user must enter this passphrase. To display the passphrase in clear text, click the eye icon.
- **WPA2/WPA Personal**: This option is not available if the 6 GHz band is enabled.
This option, which is the same as WPA2-PSK/WPA-PSK, enables WiFi devices that support either WPA2 or WPA to join the VAP. This option uses AES and TKIP encryption.
WPA-PSK \(which uses TKIP\) is less secure than WPA2-PSK \(which uses AES\) and limits the speed of WiFi devices to 54 Mbps.
In the **Passphrase** field, enter a phrase of 8 to 63 characters. To join the VAP, a user must enter this passphrase. To display the passphrase in clear text, click the eye icon.
- **WPA2 Enterprise**: This option is not available if the 6 GHz band is enabled.
This enterprise-level security uses RADIUS for centralized Authentication, Authorization, and Accounting \(AAA\) management. For WPA2 Enterprise security to function, you must set up RADIUS servers \(see [Set up RADIUS servers](#task_jvz_zpp_c1c)\).
WPA2 Enterprise security and a captive portal are mutually exclusive.
From the **Encryption** menu, select the data encryption mode:
- **TKIP + AES**. This type of data encryption enables WiFi devices that support either WPA or WPA2 to join the APs WiFi network. This is the default mode.
- **AES**. This type of data encryption provides a secure connection but some older WiFi devices do not detect WPA2 and support only WPA. Therefore, if your network includes such older devices, select **TKIP + AES** encryption.
When you select **WPA2 Enterprise** authentication, the **Dynamic VLAN** radio buttons display:
- **Enable**: The RADIUS server can assign a VLAN ID to clients. If the RADIUS server does not do so, the clients are automatically assigned the VLAN ID that you configured for the SSID.
- **Disable**: The clients are assigned the VLAN ID that you configured for the SSID. This is the default setting.
A dynamic VLAN is mutually exclusive with a captive portal, NAT mode, wireless client isolation, a multicast DNS \(mDNS\) gateway, and multi-link operation \(MLO\).
- **WPA3 Personal**: This option is the most secure personal authentication option. WPA3 uses SAE encryption and enables only WiFi devices that support WPA3 to join the VAP. If you select this option, 802.11w \(PMF\) is automatically set to mandatory \(see [Enable or disable PMF for a WiFi network](#task_vwx_kbb_2zb)\).
WPA3 provides a secure connection but some legacy WiFi devices do not detect WPA3 and support only WPA2. If your network also includes WPA2 devices, select **WPA3/WPA2 Personal** authentication.
In the **Passphrase** field, enter a phrase of 8 to 63 characters. To join the VAP, a user must enter this passphrase. To display the passphrase in clear text, click the eye icon.
- **WPA3/WPA2 Personal**: This option, which is the same as WPA3/WPA2-PSK, is the default setting. It enables WiFi devices that support either WPA3 or WPA2 to join the VAP. This option uses SAE and AES encryption.
WPA2-PSK \(which uses AES\) is less secure than WPA3 \(which uses SAE\).
In the **Passphrase** field, enter a phrase of 8 to 63 characters. To join the VAP, a user must enter this passphrase. To display the passphrase in clear text, click the eye icon.
- **WPA3 Enterprise**: This enterprise-level security uses RADIUS for centralized Authentication, Authorization, and Accounting \(AAA\) management. For WPA3 Enterprise security to function, you must set up RADIUS servers \(see [Set up RADIUS servers](#task_jvz_zpp_c1c)\). If you select this option, 802.11w \(PMF\) is automatically set to mandatory \(see [Enable or disable PMF for a WiFi network](#task_vwx_kbb_2zb)\).
WPA3 Enterprise security and a captive portal are mutually exclusive.
When you select WPA3 Enterprise security, the encryption is automatically set to GCMP256, which is a 256-bit encryption protocol.
When you select **WPA3 Enterprise** authentication, the **Dynamic VLAN** radio buttons display:
- **Enable**: The RADIUS server can assign a VLAN ID to clients. If the RADIUS server does not do so, the clients are automatically assigned the VLAN ID that you configured for the SSID.
- **Disable**: The clients are assigned the VLAN ID that you configured for the SSID. This is the default setting.
A dynamic VLAN is mutually exclusive with a captive portal, NAT mode, wireless client isolation, a multicast DNS \(mDNS\) gateway, and multi-link operation \(MLO\).
7. Click the **Apply** button.
Your settings are saved.
8. Make sure that you can connect to the new WiFi network.
If you cannot connect to the new WiFi network, check the following:
- If your WiFi-enabled computer or mobile device is already connected to another WiFi network in your area, disconnect it from that WiFi network and connect it to the correct WiFi network. Some WiFi devices automatically connect to the first open network without WiFi security that they discover.
- If your WiFi-enabled computer or mobile device is trying to connect to your network with its old settings \(before you changed the settings\), update the WiFi network selection in your WiFi-enabled computer or mobile device to match the current settings for your network.
- Does your WiFi device display as a connected client? \(See [Display client distribution, connected clients, and client trends](#task_rq4_qsw_wlb).\) If it does, it is connected to the network.
- Are you using the correct WiFi network name \(SSID\) and password?
- If you changed the WiFi authentication and encryption to WPA3 Personal, make sure that the WiFi adapter device driver is updated to the latest version on your WiFi-enabled computer or mobile device.
## Enable or disable PMF for a WiFi network {#task_vwx_kbb_2zb}
Protected Management Frames \(PMF\), according to the 802.11w standard, is a security feature that protects unicast and multicast management frames from being intercepted and changed for malicious purposes. The type of authentication that you select determines if this feature is mandatory, optional, or disabled. You can also set it manually.
To enable or disable PMF for a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Under 802.11w \(PMF\), select one of the following radio buttons:
- **Mandatory**: Requires devices to use PMF. Devices that do not support PMF cannot connect to the WiFi network. If you select Enhanced Open authentication, WPA3 Personal authentication, or WPA3 Enterprise authentication, the radio button for PMF is set to **Mandatory**, and you cannot change it.
- **Optional**: Lets the AP automatically activate PMF based on whether devices can support PMF. If you select WPA3/WPA2 Personal authentication, the radio button for PMF is set to **Optional**, but you can change it.
- **Disable**: PMF is disabled for the WiFi network. If you select Open, WPA2 Personal, WPA2/WPA Personal, or WPA2 Enterprise authentication, the radio button for PMF is set to **Disabled**, but you can change it \(except for Open authentication\).
7. Click the **Apply** button.
Your settings are saved.
## Set up Multi PSK for a WiFi network {#task_jh1_c5k_h1c}
Multi Pre-Shared Key \(PSK\) is supported only if the WiFi security is WPA2 Personal or WPA2/WPA Personal.
Multi PSK lets you segregate a single WiFi network into different VLANs, each accessible with a unique passphrase. In a way, Multi PSK lets you create different sub WiFi networks on a single WiFi network. When connecting to the WiFi network, the passphrase that a user enters determines the VLAN that the WiFi client is placed in.
In addition to a VLAN and passphrase, you can associate a key identifier with the VLAN-to-passphrase mapping. The key identifier lets you identify the VLANs in the WiFi network for network monitoring purposes. For example, when you display WiFi clients, the key identifier can also display \(see [Display client distribution, connected clients, and client trends](#task_rq4_qsw_wlb)\).
As examples of key identifiers, you could use terms such as corporatenetwork\_22, corporatenetwork\_23, and corporatenetwork\_24. These key identifiers \(or the associated VLAN IDs\) are not visible to a user trying to connect to the WiFi network: the user sees the SSID and enters the passphrase.
If you enable Multi PSK, the WiFi networks passphrase and VLAN are replaced by the passphrases and VLANs that are part of the Multi PSK configuration.
**Note:** To configure Multi PSK on the default WiFi network \(displayed as SSID1 in the device UI\), which is the WiFi network that you defined when you initially connected to the AP, you must first change the WiFi security to WPA2 Personal or WPA2/WPA Personal.
In addition, the following restrictions apply to Multi PSK:
- You cannot enable Multi PSK for a WiFi network in the 6 GHz band.
- You can configure Multi PSK on a maximum of four WiFi networks.
- Each WiFi network on which you configure Multi PSK can support a maximum of eight VLAN-to-passphrase mappings. \(Within each WiFi network, each passphrase and key identifier must be unique.\) The AP can support a maximum of 32 Multi PSK VLAN-to-passphrase mappings. For example, four WiFi networks each can support eight Multi PSK VLAN-to-passphrase mappings.
- Within a Multi PSK on a single WiFi network, you can map the same VLAN ID to different passphrases. You can also use the same VLAN ID for Multi PSK in different WiFi networks.
- If inter-VLAN routing is disabled in the network to which the AP is connected, the following applies:
- WiFi clients that are connected to different VLANs on the same WiFi network \(that is, the WiFi clients use different passphrases to connect to the same WiFi network\) cannot communicate with each other and remain isolated.
- WiFi clients that are connected to the *same* VLAN on different WiFi networks *can* communicate with each other.
- Multi PSK and the following features are mutually exclusive:
- Multi-link operation \(see [Configure multi-link operation](#task_x13_fnp_c1c)\)
- Captive portal \(see [Set Up and Manage a Captive Portal](#concept_thn_qhq_c1c)\)
- mDNS gateway \(see [Manage the multicast DNS gateway](#concept_dm4_tpx_g1c)\)
- NAT mode \(see [Set NAT mode or Bridge mode for addressing and traffic](#task_cjb_tvd_h1c)\)
- Client isolation \(see [Enable or disable client isolation for a WiFi network](#task_qpk_cxd_h1c)\)
To set up Multi PSK for a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
You cannot configure Multi PSK on the default WiFi network \(displayed as SSID1 in the device UI\), which is the WiFi network that you defined when you initially connected to the AP.
6. Select the Multi PSK **Enable** radio button.
The page adjusts.
7. Configure the Multi PSK settings:
1. To add a new Multi PSK entry, specify the following settings:
- **VLAN ID**: The VLAN ID, which is the VLAN that a WiFi client becomes a member of.
The VLAN ID must be between 1 and 4094.
- **Passphrase**: The unique passphrase \(WiFi password\) that a user must enter to let the WiFi client connect to the associated VLAN of the WiFi network.
The passphrase must be between 8 and 63 characters.
- **Key Identifier**: The phrase or term that lets you identify the VLAN in the WiFi network for monitoring purposes. The maximum length is 30 alphanumeric characters, including the following special characters: hyphen \(-\) and underscore \(\_\).
2. To add another Multi PSK entry, click the **+** button to the left of Add New Passphrase and repeat the previous step a.
3. To remove a Multi PSK entry, click the trash can icon to the right of the entry.
8. Click the **Apply** button.
Your settings are saved.
## Disable or enable a WiFi network or set up a WiFi activity schedule {#task_dln_5db_2zb}
You can temporarily disable a WiFi network \(SSID or VAP\), you can reenable the WiFi network, or you can set up a schedule that specifies when the WiFi network is active.
Scheduling a WiFi network a green feature that allows you to turn off the WiFi network during scheduled vacations, office shutdowns, on evenings, or on weekends.
For each SSID, you can create a single custom schedule. In that schedule, for each day from 12:00 a.m. to the next day 12:00 a.m., you specify the time or times that the VAP is disabled. You can schedule a maximum of three events for a single day.
To disable or enable a WiFi network or set up a WiFi activity schedule:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Under Schedule, select one of the following radio buttons:
- **Always ON**: The WiFi network is enabled.
- **Always OFF**: The WiFi network is disabled.
- **Custom**: The WiFi network is enabled or disabled according to a schedule that you must set up.
An icon displays to the right of the radio button.
7. If you selected **Custom** in the previous step, do the following:
1. Click the icon next to the radio button.
A pop-up window displays.
2. Either select a predefined time from the **Preset** menu or select custom time blocks by clicking the time blocks.
A blue color for a time block indicates that the WiFi network will be enabled \(on\). A gray color for a time block indicates that the WiFi network will be disabled \(off\).
3. Click the **Done** button.
The pop-up window closes.
8. Click the **Apply** button.
Your settings are saved.
## Enable or disable band steering {#task_lwy_1yk_h1c}
Band steering lets the AP identify the WiFi devices that are dual-band or tri-band capable and steer those devices to the 2.4 GHz, 5 GHz, or 6 GHz band of a WiFi network \(SSID or VAP\). Compared to the 2.4 GHz band, generally more channels and bandwidth are available in the 5 GHz band, and even more in the 6 GHz band, causing less interference and allowing for a better user experience. Band steering includes 802.11k radio resource management \(RRM\) and 802.11v WiFi network management. By default, band steering is disabled.
802.11k RRM and 802.11v WiFi network management affect the network in the following ways:
- **802.11k RRM**: This feature lets the AP and 802.11k-aware clients dynamically measure the available radio resources. In an 802.11k-enabled network, APs and clients can send neighbor reports, beacon reports, and link measurement reports to each other, allowing 802.11k-aware clients to automatically select the best AP for initial connection or for roaming.
- **802.11v WiFi network management**: This feature lets the AP steer its WiFi clients to the 2.4 GHz, 5 GHz, or 6 GHz band, based on the APs channel load. In an environment with multiple APs, 802.11v WiFi network management helps WiFi clients that are roaming to select the best AP.
The AP sets the received signal strength indicator \(RSSI\) threshold automatically. \(That is, you cannot configure the RSSI threshold manually.\)
To enable or disable band steering with 802.11k RRM and 802.11v WiFi network management for a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Under Band Steering / 802.11 k/v, select one of the following radio buttons:
- **Disable**: Band steering is disabled for the VAP. This is the default setting.
- **Enable**: Under certain channel conditions, the AP steers WiFi devices to the 2.4 GHz, 5 GHz, or 6 GHz band of the VAP. These WiFi devices must be dual-band or tri-band capable.
7. Click the **Apply** button.
Your settings are saved.
## Configure multi-link operation {#task_x13_fnp_c1c}
Aggregating the APs radios is referred to as multi-link operation \(MLO\), which is a key feature of Wi-Fi 7. Devices that communicate using MLO are called multi link devices \(MLDs\).
For MLO to function, enable at least two radios and configure the WiFi mode as 11be for each radio.
For MLO to function, enable both the 5 GHz and 6 GHz radios and configure the WiFi mode as 11be for each radio.
MLO improves throughput, latency, and reliability:
- WiFi devices are no longer limited to operating on a single channel of the 2.4 GHz, 5 GHz, or 6 GHz radio but can now utilize multiple links across frequency bands.
- Simultaneous MLO allows traffic to be aggregated across multiple radios, which results in the following:
- Peak throughput and low latency
- Traffic being dynamically switched between radio bands to avoid WiFi interference
- Deterministic and predictable low latency even in heavily congested environments
By default, MLO is disabled. Enabling MLO allows the MLO-capable clients to send traffic on multiple bands at the same time.
MLO and the following features are mutually incompatible:
- MAC ACLs for WiFi networks \(see [Manage MAC ACLs for WiFi clients](#concept_gld_kdw_g1c) and [Manage MAC ACLs for broadcast and multicast traffic from WiFi clients](#concept_j23_5db_2bc)\)
- Multi PSK \(see [Set up Multi PSK for a WiFi network](#task_jh1_c5k_h1c)\)
- WPA2 Enterprise security and WPA3 Enterprise security that use a dynamic VLAN \(DVLAN, see [Set up an open or secure WiFi network](#task_ujs_4pt_dzb) and [Change the authentication and encryption for a WiFi network](#task_afq_pz1_2zb)\)
To configure multi-link operation:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Under Multi-LinkOperation, select one of the following radio buttons:
- **Enable**: MLO is enabled. The radios on which 11be is enabled are aggregated to function as if they were a single link.
- **Disable**: MLO is disabled. The radios on which 11be is enabled function independently. This is the default setting.
CAUTION:
After you click the Apply button, all WiFi clients are temporarily disconnected before they are automatically reconnected.
7. Click the **Apply** button.
Your settings are saved.
# Manage the Basic Radio Features {#concept_qjn_c5p_c1c .concept}
This chapter describes how you can manage the basic radio features of the AP. For information about the advanced radio features, see [Manage the Advanced Radio Features](#concept_rhw_3gk_h1c).
CAUTION:
If you change a radio feature on the 2.4 GHz radio, the change affects all WiFi networks that broadcast on the 2.4 GHz radio. Similarly, if you change a radio feature on the 5 GHz or 6 GHz radio, the change affects all WiFi networks that broadcast on the 5 GHz or 6 GHz radio. If the change is not specific to one radio, the change affects *all* WiFi networks on the AP.
The chapter includes the following sections:
**Note:** If you want to change the radio settings, use a wired connection to avoid being disconnected when the new radio settings take effect.
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## Manage the basic WiFi settings for the radios {#task_s4x_k3b_2zb}
The basic WiFi settings for each radios apply to all WiFi networks \(VAPs or SSIDs\) that are configured on the radio. You can specify the radio settings for the 2.4 GHz, 5 GHz, and 6 GHz band radios individually.
To manage the basic WiFi settings for the radios:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The Wireless Settings page displays, showing the same types of settings for each radio.
The following descriptions apply to all radios, but you can specify the radio settings for the 2.4 GHz, 5 GHz, and 6 GHz radios individually.
5. Keep a radio on or turn it off:
- **Turn Radio ON check box selected**: By default, the **Turn Radio ON** check box is selected and the radio broadcasts.
- **Turn Radio ON check box cleared**: Turning off a radio disables WiFi access for the band, which can be helpful during configuration, network tuning, or troubleshooting.
6. Select one of the following **Wireless Mode** radio buttons for a radio, which determines if you can set the channel width, and if so, which channel widths are available:
- **2.4 GHz**:
- **11be**: 802.11be, 802.11ax, 802.11ng, 802.11bg, and 802.11b WiFi clients can connect to the AP. This is the default setting.
- **11ax**: 802.11ax, 802.11ng, 802.11bg, and 802.11b WiFi clients can connect to the AP. This is the default setting.
- **11ng**: 802.11ax, 802.11ng, 802.11bg, and 802.11b WiFi clients can connect to the AP. However, the speed of 802.11ax clients is limited to the maximum speed that is supported by 802.11ng \(about 450 Mbps\).
- **11bg**: 802.11ax, 802.11ng, 802.11bg, and 802.11b WiFi clients can connect to the AP. However, the speed of 802.11ax and 802.11ng clients is limited to the maximum speed that is supported by 802.11bg \(about 54 Mbps\).
- **11b**: 802.11ax, 802.11ng, 802.11bg, and 802.11b WiFi clients can connect to the AP. However, the speed of 802.11ax, 802.11n, and 802.11bg clients is limited to the maximum speed that is supported by 802.11b \(about 11 Mbps\).
- **5 GHz**:
- **11be**: 802.11be, 802.11ax, 802.11ac, 802.11na, and 802.11a WiFi clients can connect to the AP. This is the default setting.
- **11ax**: 802.11ax, 802.11ac, 802.11na, and 802.11a WiFi clients can connect to the AP.
- **11ac**: 802.11ax, 802.11ac, 802.11na, and 802.11a WiFi clients can connect to the AP. However, the speed of 802.11be and 802.11ax clients is limited to the maximum speed that is supported by 802.11ac \(about 867 Mbps\).
- **11na**: 802.11ax, 802.11ac, 802.11na, and 802.11a WiFi clients can connect to the AP. However, the speed of 802.11be, 802.11ax, and 802.11ac clients is limited to the maximum speed that is supported by 802.11na \(about 450 Mbps\).
- **11a**: 802.11ax, 802.11ac, 802.11na, and 802.11a WiFi clients can connect to the AP. However, the speed of 802.11ax, 802.11ac, 802.11na clients is limited to the maximum speed that is supported by 802.11a \(up to about 54 Mbps\).
- **6 GHz**:
- **11be**: 802.11be and 802.11ax WiFi clients can connect to the AP. This is the default setting.
- **11ax**: 802.11ax, 802.11ac, 802.11na, and 802.11a WiFi clients can connect to the AP.
7. From the **Channel Width** menu for a radio, select the channel width, keeping in mind that a wider channel improves the performance \(no or minimal interference and better data rates\):
- **2.4 GHz**: The channel width depends on the wireless mode:
- **11be, 11ac, and 11ng**: 20 MHz, 40 MHz, or Dynamic 20 / 40 MHz. The default is 20 MHz.
- **11ac and 11ng**: 20 MHz, 40 MHz, or Dynamic 20 / 40 MHz. The default is 20 MHz.
- **11bg and 11b**: You cannot select the channel width.
- **5 GHz**: The channel width depends on the wireless mode:
- **11be, 11ax, and 11ac**: 20 MHz, 40 MHz, 80 MHz, 160 MHz, or Dynamic 20 / 40 /80 / 160 MHz. The default is 40 MHz.
- **11na**: 20 MHz, 40 MHz, or Dynamic 20 / 40 MHz. The default is 40 MHz.
- **11a**: You cannot select the channel width.
The 40 MHz, 80 MHz, and 160 MHz channels enable higher data rates but leave fewer channels available for use on the 5 GHz radio.
- **6 GHz**: The channel width depends on the wireless mode:
- **11be**: 20 MHz, 40 MHz, 80 MHz, 160 MHz, 320 MHz or Dynamic 20 / 40 /80 / 160 / 320 MHz. The default is 80 MHz.
- **11ax**: 20 MHz, 40 MHz, 80 MHz, 160 MHz, or Dynamic 20 / 40 /80 / 160 MHz. The default is 80 MHz.
For more information, see [Change the channel width for a radio](#task_xbp_ly5_vlb).
8. **Guard Interval**: The guard interval protects radio transmissions from interference. Your selection from the **Wireless Mode** menu determines if you can set the guard interval, and if so, which guard intervals are available. For the 11a, 11b, and 11bg WiFi modes, you cannot set the guard interval at all.
From the menu, select one of the following settings:
- **Auto**: The guard interval is set automatically by the AP. This option is not available in the 11be and 11ax WiFi modes.
- **Long-800 ns**: This option is available in the 11ax, 11ac, 11na, and 11ng modes. In the 11be and 11ax WiFi modes, this option is the default setting.
- **Double Long-1600 ns**: This option is available only in the 11be and 11ax WiFi modes.
- **Quadruple Long-3200 ns**: This option is available only in the 11be and 11ax WiFi modes
9. Output power: From the menu, select the transmission power of the radio. You can select **100%\(Max\)**, **50%**, **25%**, **12.5%**, or **4%\(Min\)**. The default is 100%\(Max\).
**Note:** If two or more access points are operating in the same area and on the same channel, interference can occur. In this situation, you might want to decrease the output power for the AP. Make sure that you comply with the regulatory requirements for total radio frequency \(RF\) output power in your country.
10. **Channel**: From the menu, select the WiFi channel for the radio. The available WiFi channels and frequencies depend on the country that you selected for the AP and on the radio. The default is Auto, which enables a radio to automatically select the most suitable channel.
**Note:** You do not need to change the WiFi channel unless you experience interference \(which is indicated by lost connections\).
**Note:** If you use multiple access points, reduce interference by selecting non-overlapping channels for adjacent access points. We recommend a channel spacing of four channels between adjacent access points \(for example, in the 2.4 GHz band, use channels 1 and 5, or 6 and 10\).
11. Click the **Apply** button.
A warning pop-up window displays.
12. Click the **OK** button.
The pop-up window closes and your settings are saved. The radio or radios restart and WiFi clients might need to reconnect.
## Turn a radio on or off {#task_vdl_3yp_c1c}
By default, the 2.4 GHz, 5 GHz , and 6 GHz radios broadcast. Turning off a radio disables WiFi access for the associated band, which affects all WiFi networks \(VAPs or SSIDs\) in that band. Turning off a radio can be helpful during configuration, network tuning, or troubleshooting.
To turn a radio on or off:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The Wireless Settings page displays.
5. Take one of the following actions:
- **Turn a radio on**: Select the **Turn Radio ON** check box for the radio.
- **Turn a radio off**: Clear the **Turn Radio ON** check box for the radio.
6. Click the **Apply** button.
A warning pop-up window displays.
7. Click the **OK** button.
The pop-up window closes and your settings are saved. The radio or radios restart and WiFi clients might need to reconnect.
## Change the WiFi mode for a radio {#task_vx3_yyp_c1c}
By default, all types of WiFi clients can access a WiFi network on the AP, that is, the WiFi modes on the AP support 802.11be, 802.11ax, 802.11ac, 802.11na, 802.11ng, 802.11bg, 802.11b, and 802.11a clients. You can change the WiFi modes to limit access to certain types of clients.
To change the WiFi mode for a radio:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The Wireless Settings page displays.
5. Select one of the following **Wireless Mode** radio buttons for a radio, which determines if you can set the channel width, and if so, which channel widths are available:
- **2.4 GHz**:
- **11be**: 802.11be, 802.11ax, 802.11ng, 802.11bg, and 802.11b WiFi clients can connect to the AP. This is the default setting.
- **11ax**: 802.11ax, 802.11ng, 802.11bg, and 802.11b WiFi clients can connect to the AP. This is the default setting.
- **11ng**: 802.11ax, 802.11ng, 802.11bg, and 802.11b WiFi clients can connect to the AP. However, the speed of 802.11ax clients is limited to the maximum speed that is supported by 802.11ng \(about 450 Mbps\).
- **11bg**: 802.11ax, 802.11ng, 802.11bg, and 802.11b WiFi clients can connect to the AP. However, the speed of 802.11ax and 802.11ng clients is limited to the maximum speed that is supported by 802.11bg \(about 54 Mbps\).
- **11b**: 802.11ax, 802.11ng, 802.11bg, and 802.11b WiFi clients can connect to the AP. However, the speed of 802.11ax, 802.11n, and 802.11bg clients is limited to the maximum speed that is supported by 802.11b \(about 11 Mbps\).
- **5 GHz**:
- **11be**: 802.11be and 802.11ax Wi-Fi clients can connect to the AP. This is the default setting.
- **11ax**: 802.11ax, 802.11ac, 802.11na, and 802.11a WiFi clients can connect to the AP.
- **11ac**: 802.11ax, 802.11ac, 802.11na, and 802.11a WiFi clients can connect to the AP. However, the speed of 802.11be and 802.11ax clients is limited to the maximum speed that is supported by 802.11ac \(about 867 Mbps\).
- **11na**: 802.11ax, 802.11ac, 802.11na, and 802.11a WiFi clients can connect to the AP. However, the speed of 802.11be, 802.11ax, and 802.11ac clients is limited to the maximum speed that is supported by 802.11na \(about 450 Mbps\).
- **11a**: 802.11ax, 802.11ac, 802.11na, and 802.11a WiFi clients can connect to the AP. However, the speed of 802.11ax, 802.11ac, 802.11na clients is limited to the maximum speed that is supported by 802.11a \(up to about 54 Mbps\).
- **6 GHz**:
- **11be**: 802.11be and 802.11ax Wi-Fi clients can connect to the AP. This is the default setting.
- **11ax**: 802.11ax, 802.11ac, 802.11na, and 802.11a WiFi clients can connect to the AP.
6. Click the **Apply** button.
A warning pop-up window displays.
7. Click the **OK** button.
The pop-up window closes and your settings are saved. The radio or radios restart and WiFi clients might need to reconnect.
## Change the channel width for a radio {#task_xbp_ly5_vlb}
Use the following guidelines when you determine the channel width for a radio:
- A wider channel generally improves the performance \(no or minimal interference and better data rates\).
- A narrower channel generally results in lower throughput but might provide a more stable connection in a demanding situation, such as an environment with a long distance between the AP and WiFi clients and more than normal interference.
- The 802.11n specification allows a 40 MHzwide channel in addition to the legacy 20 MHz channel width that is available with other WiFi modes.
- The 802.11ac and 802.11ax specifications for the 5 GHz band \(and, by extension for the 6 GHz radio\) allow an 80 MHzwide channel and 160wide channel in addition to the 20 MHz and 40 MHz channel widths that are available with other WiFi modes.
- The 802.11be specification for the 6 GHz radio allows a 320wide MHz channel in addition to the 20 MHz, 40 MHz, 80 MHz, and 160 MHz channel widths that are available with other WiFi modes.
**Note:** We recommend that you leave the default options: 20 MHz for the 2.4 GHz radio, 40 MHz for the 5 GHz radio, and 80 MHz for the 6 GHz radio.
The WiFi mode \(see [Change the WiFi mode for a radio](#task_vx3_yyp_c1c)\) determines if you can set the channel width, and if so, which channel widths are available.
To change the channel width for a radio:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The Wireless Settings page displays.
5. From the **Channel Width** menu for a radio, select the channel width, keeping in mind that a wider channel improves the performance \(no or minimal interference and better data rates\):
- **2.4 GHz**: The channel width depends on the wireless mode:
- **11be, 11ax, and 11ac**: 20 MHz, 40 MHz, or Dynamic 20 / 40 MHz. The default is 20 MHz.
- **11ac and 11ng**: 20 MHz, 40 MHz, or Dynamic 20 / 40 MHz. The default is 20 MHz.
- **11bg and 11b**: You cannot select the channel width.
- **5 GHz**: The channel width depends on the wireless mode:
- **11be, 11ax, and 11ac**: 20 MHz, 40 MHz, 80 MHz, 160 MHz, or Dynamic 20 / 40 /80 / 160 MHz. The default is 40 MHz.
- **11na**: 20 MHz, 40 MHz, or Dynamic 20 / 40 MHz. The default is 40 MHz.
- **11a**: You cannot select the channel width.
The 40 MHz, 80 MHz, and 160 MHz channels enable higher data rates but leave fewer channels available for use on the 5 GHz radio.
- **6 GHz**: The channel width depends on the wireless mode:
- **11be**: 20 MHz, 40 MHz, 80 MHz, 160 MHz, 320 MHz or Dynamic 20 / 40 /80 / 160 / 320 MHz. The default is 80 MHz.
- **11ax**: 20 MHz, 40 MHz, 80 MHz, 160 MHz, or Dynamic 20 / 40 /80 / 160 MHz. The default is 80 MHz.
6. Click the **Apply** button.
A warning pop-up window displays.
7. Click the **OK** button.
The pop-up window closes and your settings are saved. The radio or radios restart and WiFi clients might need to reconnect.
## Change the guard interval for a radio {#task_xn2_dfq_c1c}
From the menu, select the guard interval, which protects radio transmissions from interference. The WiFi mode \(see [Change the WiFi mode for a radio](#task_vx3_yyp_c1c)\) determines if you can set the guard interval, and if so, which guard intervals are available. For the 11a, 11b, and 11bg WiFi modes, you cannot set the guard interval at all.
Use the following guidelines:
- A shorter guard interval supports more throughput in an environment in which WiFi devices operate at a shorter distance from the AP.
- A longer guard interval works well in an environment with multiple SSIDs and WiFi devices that operate at a longer distance from the AP.
- Some legacy devices can operate with a long 800ns guard interval only.
To change the guard interval for a radio:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The Wireless Settings page displays.
5. From the **Guard Interval** menu for the radio, select one of the following settings:
- **Auto**: The guard interval is set automatically by the AP. This option is not available in the 11be and 11ax WiFi modes.
- **Long-800 ns**: This option is available in the 11ax, 11ac, 11na, and 11ng modes. In the 11be and 11ax WiFi modes, this option is the default setting.
- **Double Long-1600 ns**: This option is available only in the 11be and 11ax WiFi modes.
- **Quadruple Long-3200 ns**: This option is available only in the 11be and 11ax WiFi modes
6. Click the **Apply** button.
A warning pop-up window displays.
7. Click the **OK** button.
The pop-up window closes and your settings are saved. The radio or radios restart and WiFi clients might need to reconnect.
## Change the output power for a radio {#task_xlh_q2q_c1c}
By default, the output power of the AP is set at the maximum. If two or more access points are operating in the same area and on the same channel, interference can occur. In such a situation, you might want to decrease the output power for the AP. Make sure that you comply with the regulatory requirements for total radio frequency \(RF\) output power in your country.
To change the output power for a radio:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The Wireless Settings page displays.
5. From the **Output Power** menu for the radio, select **100%\(Max\)**, **50%**, **25%**, **12.5%**, or **4%\(Min\)**.
The default is 100%\(Max\).
6. Click the **Apply** button.
A warning pop-up window displays.
7. Click the **OK** button.
The pop-up window closes and your settings are saved. The radio or radios restart and WiFi clients might need to reconnect.
## Change the channel for a radio {#task_ltq_52q_c1c}
The available WiFi channels and frequencies depend on the country that you select for the AP and the radio. The default is Auto, which enables a radio to automatically select the most suitable channel.
**Note:** You do not need to change the WiFi channel unless you experience interference \(which is indicated by lost connections\).
**Note:** If you use multiple access points, reduce interference by selecting non-overlapping channels for adjacent access points. We recommend a channel spacing of four channels between adjacent access points \(for example, in the 2.4 GHz band, use channels 1 and 5, or 6 and 10\).
To change the channel for a radio:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The Wireless Settings page displays.
5. From the **Channel** menu for the radio, select a channel.
The default is Auto. When you select a particular channel, the channel selection becomes static.
6. Click the **Apply** button.
A warning pop-up window displays.
7. Click the **OK** button.
The pop-up window closes and your settings are saved. The radio or radios restart and WiFi clients might need to reconnect.
## Manage Quality of Service for a WiFi radio {#task_mx3_vfq_c1c}
You can specify the Quality of Service \(QoS\) setting for the 2.4 GHz, 5 GHz, and 6 GHz radios separately. These settings are enabled by default for each radio. Disabling QoS for a radio might impact the throughput and speed of WiFi traffic on the AP.
To manage the QoS settings for a WiFi radio:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; QoS Settings**.
The QoS Settings page displays.
5. Enable or disable the following features for the radio by selecting the applicable **Enable** or **Disable** radio buttons:
- **Wi-Fi Multimedia \(WMM\)**: WiFi Multimedia \(WMM\) is a subset of the 802.11e standard. Time-dependent information such as video or audio is given higher priority than normal traffic. For WMM to function correctly, WiFi clients must also support WMM. By enabling WMM, you allow WMM to control upstream traffic flowing from WiFi devices to the AP and downstream traffic flowing from the AP to WiFi devices. WMM defines the following four queues in decreasing order of priority:
- **Voice**: The highest priority queue with minimum delay, which makes it very suitable for applications such as VoIP and streaming media.
- **Video**: The second highest priority queue with low delay. Video applications are routed to this queue.
- **Best effort**: The medium priority queue with medium delay. Most standard IP applications use this queue.
- **Background**: The low priority queue with high throughput. Applications such as FTP that are not time-sensitive but require high throughput can use this queue.
- **WMM Powersave**: Enabling the WMM Powersave feature saves power for battery-powered devices and fine-tunes power consumption.
6. Click the **Apply** button.
A warning pop-up window displays.
7. Click the **OK** button.
The pop-up window closes and your settings are saved. The radio or radios restart and WiFi clients might need to reconnect.
# Set Up and Manage a Captive Portal {#concept_thn_qhq_c1c .concept}
This chapter describes how you can set up and manage a captive portal on the AP.
A captive portal is a web page that users see when they attempt to connect to a WiFi network. A captive portal includes a splash page and usually requires some form of authentication for the user. The AP supports two types of captive portals:
- **Click-through captive portal**: A basic portal for which the splash page is stored on the AP. For each WiFi network, you can set up a unique click-through captive portal.
- **External captive portal**: A portal that is hosted by an external captive portal vendor. You can apply an external captive portal to multiple WiFi networks or you can apply a unique external captive portal to each WiFi network.
The chapter includes the following sections:
**Note:** A captive portal is not compatible with Multi PSK. To enable a captive portal, first disable Multi PSK \(see [Set up Multi PSK for a WiFi network](#task_jh1_c5k_h1c)\).
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## Set up a click-through captive portal for a WiFi network {#task_tzw_b3q_c1c}
A click-through captive portal is a basic portal for which the splash page is stored on the AP, that is, it is not an external captive portal. Use a click-through captive portal to welcome or instruct WiFi users and limit their sessions. You can require users to agree to an end user license agreement \(EULA\) and redirect them to a specific website. A click-through captive portal is specific to the WiFi network \(SSID\) on which you set it up.
To set up a click-through captive portal for a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Scroll down and click the **&gt; Advanced** tab.
The page expands.
7. Select the **Captive Portal** check box.
The page adjusts. By default, the **Click Through** radio button is selected.
8. Specify the click-through settings as described in the following table.
<table id="table_wzw_b3q_c1c"><thead><tr><th>
Setting
</th><th>
Description
</th></tr></thead><tbody><tr><td>
Session Timeout \(in min\)
</td><td>
Enter the number of minutes from 1 to 1440 after which a WiFi session is terminated and a user must log in again. The default is 60 minutes.
</td></tr><tr><td>
Redirect URL
</td><td>
To redirect a user to a specific website after login, select the **Redirect URL** check box and enter the URL. If the **Redirect URL** check box is cleared, a user is directed to the default web page.
</td></tr><tr><td>
Title
</td><td>
Enter the title that is displayed on the captive portal login page. If you do not customize the title, the default title displays on the captive portal login page.
</td></tr><tr><td>
Message
</td><td>
Enter a message to the user. This message is displayed on the captive portal login page. If you do not customize the message, the default message displays on the captive portal login page.
</td></tr><tr><td>
JPEG/JPG Image \(Max 500 KB\)
</td><td>
To customize the image that is displayed on the captive portal login page, click the **Browse** button and navigate to and select an image. If you do not customize the image, the default image displays on the captive portal login page.
</td></tr><tr><td>
EULA \(Max 1 KB\)
</td><td>
The field includes a default end user license agreement \(EULA\). You can enter or copy custom text into the field. To show the EULA on the captive portal login page, select the **EULA** check box.
</td></tr></tbody>
</table>9. To preview the captive portal login page, click the **Preview** button.
10. Click the **Apply** button.
Your settings are saved. WiFi clients attempting to connect to the SSID are presented with the captive portal login page.
**Note:** An HTTPS session is blocked until after the captive portal authentication occurs.
## Set up an external captive portal for a WiFi network {#task_md5_j3q_c1c}
An external captive portal is a portal that is hosted by an external captive portal vendor. That is, this type of portal is not stored on the AP. For an external captive portal, you generally must register your devices with and purchase licenses from the vendor.
You can apply an external captive portal to multiple WiFi networks or you can apply a unique external captive portal to each WiFi network
To set up an external captive portal for a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; WLAN Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Scroll down and click the **&gt; Advanced** tab.
The page expands.
7. Select the **Captive Portal** check box.
The page adjusts. By default, the Click-Through radio button is selected.
8. Click the **External Captive Portal** radio button.
The page adjusts.
9. In the **Splash Page URL** field, enter the URL that is provided by the vendor.
This URL redirects a user to the splash page on the website that hosts the captive portal. The length of the splash page URL can be up to 256 characters.
10. Select one of the following **Captive Portal Authentication Type** radio buttons:
- **Web/HTTP**: Authentication for access to the splash page occurs on the AP using the HTTPS protocol. Specify the following settings:
- **Web Authentication URL**: Enter the web authentication URL that is provided by the vendor.
The length of the web authentication URL can be up to 256 characters.
- **Key**: Enter the key credential that is provided by the vendor. This field is optional and depends on the authentication requirements of the vendor.
The length of the key can be up to 31 characters.
- **Secret**: Enter the secret credential that is provided by the vendor. This field is optional and depends on the authentication requirements of the vendor.
The length of the key can be up to 63 characters.
- **Radius**: Authentication for access to the splash page occurs on an external RADIUS authentication server \(a secondary RADIUS authentication server is an option\). The vendor might also require an accounting RADIUS server \(a secondary RADIUS accounting server is an option\).
Specify the following settings for *each* RADIUS server, as directed by the vendor:
- **IPv4 Address**: Enter the IP address of the server. The IP address is provided by the vendor.
- **Port**: Enter the port number that is used by the server. The IP port number is provided by the vendor. By default, an authentication server uses port number 1812; an accounting server uses port number 1813.
The port number range can be from 1 to 65335.
- **Password**: Enter the password \(shared secret\) for interaction with the server. The password is provided by the vendor.
The password must be a minimum of 8 characters and can be a maximum of 64 characters.
11. Select one of the following **FailSafe** buttons to specify if users are allowed to reach the splash page and access the Internet if authentication is not possible:
- **Enable**: If authentication is not possible—for example, because captive portal servers do not respond—users are still allowed to access the Internet for a period of 30 minutes.
- **Disable**: This is the default setting. If authentication is not possible, users cannot reach the splash page and cannot access the Internet. Instead, they get a message *Oops. Something went wrong. Please try after some time*.
12. Select one of the following **Allow HTTPS** buttons to specify when secure HTTP \(HTTPS\) traffic is allowed to pass through:
- **Enable**: Before authentication occurs, HTTPS traffic is allowed to pass through.
- **Disable**: This is the default setting. HTTPS traffic is allowed only *after* authentication occurs.
13. Configure the walled garden settings.
The walled garden specifies the external applications and sites that a user can access from the captive portal. Generally, the vendor provides information about the applications and sites. The vendor splash page, domain name, and authentication servers must also be included in the walled garden. Follow the directions of the vendor.
You can do the following to configure the walled garden:
- **Add a single URL**: In the right field, type the URL, press **Enter**, and click the **Move** button.
- **Add multiple URLs**: In the right field, paste a list of URLs, and click the **Move** button.
- **Remove one or more URLs**: Select the check boxes for URLs, and click the **Remove** button.
- **Remove all URLs**: Select the **Select All**check box, and click the **Remove** button.
14. Click the **Apply** button.
Your settings are saved. WiFi clients attempting to connect to the SSID are presented with the captive portal login page.
# Manage Access and Security {#concept_efq_q3v_g1c .concept}
This chapter describes how you can manage access and security features and user accounts.
The chapter includes the following sections:
**Note:** For information about essential WiFi security \(network authentication and encryption\), see [Set up an open or secure WiFi network](#task_ujs_4pt_dzb) or [Change the authentication and encryption for a WiFi network](#task_afq_pz1_2zb).
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## Manage user accounts {#concept_z3y_rjv_g1c}
User accounts provide either read/write or read-only access to the device UI of the AP. You cannot delete the admin user account or change its user name, but you can change its password. You can add accounts for other users, and you can change or delete these accounts.
The following sections describe how you can manage user accounts:
For information about changing the password for the default admin user account, see [Change the admin user account password](#task_jdh_2kv_g1c).
### Add a user account {#task_gpd_4lv_g1c}
To add a user account:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; User Accounts**.
The User Accounts page displays.
5. Click the add user account icon.
Additional fields and a menu display.
6. Specify the settings for the new user account:
- **User Name**: Enter a user name.
The user name must consist of up to 15 alphanumeric characters without any special characters. Do not use admin or Admin as the user name.
- **Password**: Enter a password between 8 and 63 characters in length and confirm the password.
The password must contain at least one uppercase letter, one lowercase letter, and one number.
- **Privilege**: From the menu, select **Read-Write** or **Read Only**.
- **Session Timeout**: Use the **Hours** and **Minutes** fields to specify the period after which a session automatically expires and the user must log in again.
By default, a session expires after 45 minutes.
7. Click the **Apply** button.
Your settings are saved.
### Change the time-out period for a user session {#task_utq_hnv_g1c}
When a user logs in to the device UI, the session times out automatically after 45 minutes. You can change the time-out period, which applies to all users, including the admin user.
To change the time-out period for a user session:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; User Accounts**.
The User Accounts page displays.
5. Under Session Timeout, use the **Hours** and **Minutes** fields to specify the period after which a session automatically expires and the user must log in again.
By default, a session expires after 45 minutes.
6. Click the **Apply** button.
Your settings are saved. Your session is terminated and you must log in again.
### Change the settings for a user account {#task_m3t_vnv_g1c}
You cannot change the access privilege for the default admin user account.
To change the user name, password, or access privilege for a user account:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; User Accounts**.
The existing user accounts display.
5. To the right of the user account, change the existing settings as needed:
- **User Name**: Enter another user name.
The user name must consist of up to 15 alphanumeric characters without any special characters. Do not use admin or Admin as the user name.
- **Password**: Enter another password between 8 and 63 characters in length, and confirm the password.
The password must contain at least one uppercase letter, one lowercase letter, and one number.
- **Privilege**: From the menu, select **Read-Write** or **Read Only**.
6. Click the **Apply** button.
Your settings are saved.
### Remove a user account {#task_rrx_g4v_g1c}
You can remove a user account that you no longer need. You cannot remove the default admin user account.
To remove a user account:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; User Accounts**.
The User Accounts page displays, showing the existing user accounts.
5. Click the **X** to the right of the user account.
A warning pop-up window displays.
6. Click the **Delete** button.
The pop-up windows closes and the user account is removed.
## Set up RADIUS servers {#task_jvz_zpp_c1c}
If you use WPA2 Enterprise security, WPA3 Enterprise security, or a RADIUS MAC ACL, you must set up RADIUS servers for authentication or both authentication and accounting using RADIUS. You must set up a primary IPv4 server and you can set up a secondary IPv4 server. These RADIUS server settings apply either to all WiFi networks that use WPA2 Enterprise security or WPA3 Enterprise security \(see [Set up an open or secure WiFi network](#task_ujs_4pt_dzb)\) or to all WiFi networks that use a RADIUS MAC ACL.
**Note:** Either WPA2 Enterprise security or WPA3 Enterprise security and a RADIUS MAC ACL are mutually exclusive. If you want to use a RADIUS MAC ACL for a WiFi network, select a different type of WiFi security \(see [Set up an open or secure WiFi network](#task_ujs_4pt_dzb)\). If you want to use WPA2 Enterprise security or WPA3 Enterprise security for a WiFi network, use a local MAC ACL \(see [Manage MAC ACLs for WiFi clients](#concept_gld_kdw_g1c)\).
If you use a RADIUS MAC ACL, you must define the ACL on the RADIUS server, using the format in the following example for client MAC addresses in the RADIUS server: If the client MAC address is 00:0a:95:9d:68:16, specify it as 000a959d6816 in the RADIUS server.
To set up RADIUS servers:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; RADIUS Settings**.
The RADIUS Settings page displays.
5. For each RADIUS server that you want to set up, configure the following settings:
- **IPv4 Address**: Enter the IPv4 address of the RADIUS server. The AP must be able to reach this IP address.
- **Port**: Enter the number of the UDP port on the AP that is used to access the RADIUS server. You can enter a number in the range from 1 to 65535. The default port number is 1812.
- **Password**: Enter the password \(shared key\) that is used between the AP and the RADIUS server during the authentication or accounting process. The password must be between 8 and 128 characters. By default, the password is sharedsecret.
6. To enable accounting on the authentication servers, click the **Enable Accounting** button so that the button displays blue.
7. Configure the following authentication settings, which apply to all RADIUS server that you set up:
- **Reauthentication time**: Enter the interval in seconds after which the supplicant \(the WiFi client\) must be reauthenticated with the RADIUS server. You can enter an interval in the range from 0 to 99999. The default interval is 3600 seconds \(1 hour\). Enter **0** to disable reauthentication.
- **Update Global Key**: Select the check box to allow the global key update, and enter the interval in seconds. You can enter an interval in the range from 0 to 99999. The check box is selected by default, and the default interval is 1800 seconds \(30 minutes\). Clear the check box to prevent the global key update.
8. Click the **Apply** button.
Your settings are saved.
9. To test if the configured RADIUS servers can be reached by the AP, do the following:
1. Click the **Test RADIUS Settings** tab.
The page expands.
2. In the **Username** field, type a user name that must already be defined on the RADIUS server, and in the **Passphrase** field, type the associated passphrase to access the RADIUS server.
The password must be between 8 and 128 characters. The passphrase must also be between 8 and 128 characters.
3. Click the **Begin Test** button.
The AP attempts to reach the configured RADIUS servers using the user name and passphrase.
The results of the test display in the Test RADIUS Result field.
## Manage neighbor AP detection {#concept_xxs_qzv_wlb}
The AP can detect neighbor access points \(APs\) in a radio band and you can classify them as known APs.
If you enable neighbor AP detection for a radio band, the AP regularly scans the WiFi network, collects information about all access points on the channels, and maintains a list of access points it detects in the area. Initially all detected access points are displayed in the Unknown AP List. You can add access points that you are familiar with to the Known AP List. You can also import a list of known access points in the Known AP List.
CAUTION:
Access points in the Unknown AP List require further investigation. They could be rogue access points, which use the SSID of a legitimate network. These types of access points can present a serious security threat.
The following sections describe how you can manage neighbor AP detection and add neighbor access points to the Known AP List:
**Note:** If you enable Energy Efficiency Mode, the AP cannot detect neighbor APs in the 5 GHz and 6 GHz radio bands. To use neighbor AP detection in the 5 GHz and 6 GHz radio bands, first disable Energy Efficiency Mode. For more information, see [Manage the Energy Efficiency Mode](#task_css_3zv_g1c).
### Enable neighbor access point detection and move access points to the Known AP List {#task_gxj_1bw_g1c}
The AP can detect neighbor access points \(APs\) and lets you classify them as known APs. After you enable neighbor AP detection, the AP maintains a list of access points it detects in the area. Initially all detected access points are displayed in the Unknown AP List. You can manually move access points from the Unknown AP List to the Known AP List.
By default neighbor access point detection is disabled.
To enable neighbor access point detection and move detected access points to the Known AP List:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; Neighbor AP**.
The page that displays lets you select a radio band \(2.4 GHz, 5 GHz, or 6 GHz\).
5. Click the **&gt;** button to the left of the radio band.
The Neighbor AP page displays for the selected radio band.
6. Select the **Enable Neighbor AP** check box.
7. Click the **Apply** button.
Your settings are saved. Neighbor AP detection is now enabled.
8. From the **Detection Policy** menu, select the scan method:
- **Mild**: The AP scans for neighbor access points every hour. This is the default setting.
- **Moderate**: The AP scans for neighbor access points every 30 minutes.
- **Aggressive**: The AP scans for neighbor access points every 15 minutes.
Detected neighbor access points display in the Unknown AP List.
9. To display detected neighbor access points and move them from the Unknown AP List to the Known AP List, do the following:
1. Click the **Unknown AP List** tab.
The page adjusts to display the unknown access points.
2. If no access points display, click the **Refresh** button.
3. Select the check boxes for the access points that you are familiar with and that you trust.
4. Click the **&lt;&lt; Move to Known AP List** button.
5. Click the **Known AP List** tab.
The selected access points display in the Known AP List.
**Note:** You can delete access points from the Known AP List. After being detected, these access points once more display in the Unknown AP List.
10. Click the **Apply** button.
Your settings are saved.
### Import an existing neighbor access point list in the Known AP List {#task_gnm_gcw_g1c}
You can import a list with MAC addresses of known neighbor access points in the Known AP List.
The file with MAC addresses must be in the following format:
- Entries in the file must be MAC addresses only in hexadecimal format with each octet separated by a hyphen, for example 00-11-22-33-44-55.
- You must separate entries with a comma, or place entries on separate lines.
- The file must be in text format \(that is, with a `.txt` or extension\).
For information about enabling neighbor AP detection, see [Enable neighbor access point detection and move access points to the Known AP List](#task_gxj_1bw_g1c).
To import a list with MAC addresses of known neighbor access points in the Known AP List:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; Neighbor AP**.
The page that displays lets you select the radio band \(2.4 GHz, 5 GHz, or 6 GHz\).
5. Click the **&gt;** button to the left of the radio band.
The Neighbor AP page displays for the selected radio band.
6. To download a sample of an AP list in the format that is required for importing in the Known AP List, click the **Download Sample** link.
7. Import and compose the Known AP List in the following way:
1. Replace or merge the MAC addresses in the import list with the MAC addresses in the Known AP List by selecting one of the following radio buttons:
- **Replace**: MAC addresses in the Known AP List are replaced with the ones in the import list.
- **Merge**: MAC addresses in the Known AP List are merged with the ones in the import list.
2. Click the **Browse** button and navigate to and select the import file.
The MAC addresses on the import list are placed in the Known AP List.
3. To remove a MAC address from the Known AP List, select the MAC address and click the **Delete** button.
When you remove a device from the Known AP List, after the AP redetects the device, the device is once again placed in the Known AP List.
8. Click the **Apply** button.
Your settings are saved.
## Manage global MAC ACLs and traffic policies {#concept_ehl_zcb_2bc}
Global MAC ACLs allow you to control broadcast and multicast traffic from the wired LAN; global traffic policies allow you to control traffic coming in from the wired LAN, traffic going out to the wired LAN, and traffic between different VAPs on the AP. \(A VAP is a virtual access point that broadcasts on the same SSID and same radio.\)
The AP applies these global MAC ACLs and traffic policies in the following order of precedence:
1. **Broadcast and multicast traffic**: Allows incoming broadcast and multicast traffic from all devices on the wired LAN or only from specific devices on the wired LAN. Incoming traffic from the wired LAN can be from a connected router, switch, a wired client, and so on.
For more information, see [Manually set up a MAC ACL for broadcast and multicast traffic from the wired LAN](#task_uzp_nz1_2bc).
2. **Wireless Noise Filter**: Lets you enable and modify eight generic traffic rules for specific incoming and outgoing DHCP, ARP, IPv6, broadcast, and multicast traffic. These eight rules are preconfigured, but not enabled by default.
For more information, see [Enable or disable the Wireless Noise Filter](#task_jl3_lw1_2bc) and [Enable, disable, or change a traffic rule in the Wireless Noise Filter](#task_bdd_hx1_2bc).
3. **Global Traffic Filter**: Lets you add and enable custom traffic rules that allow or deny traffic based on the network layer \(MAC addresses or IP addresses\) and a selected protocol. This traffic can be incoming, outgoing, or in both directions.
For more information, see [Manage the Global Traffic Filter](#concept_lsw_hcb_2bc).
These global MAC ACLs and traffic policies apply to all WiFi networks \(SSIDs\). You can also manage MAC ACLs and traffic policies that you can apply to individual SSIDs \(see [Manage SSID-based MAC ACLs and traffic policies for WiFi networks](#concept_bmx_1jy_cbc)\).
### Manage MAC ACLs for broadcast and multicast traffic from the wired LAN {#concept_cmb_rdb_2bc}
By default, any device is allowed to send broadcast and multicast traffic from the wired LAN to the AP.
However, you can set up an access control list \(ACL\) that is based on up to 256 MAC addresses for devices that are allowed to send broadcast and multicast traffic from the wired LAN. Broadcast and multicast traffic from devices on the wired LAN that are not on this ACL is rejected by the AP.
The ACL functions as follows:
- A device for which you place the MAC address in the ACL is allowed to send broadcast and multicast traffic from the LAN into any WiFi network on the AP.
- Broadcast and multicast traffic from all other devices on the LAN is rejected by the AP.
The ACL takes effect only after you enable it.
The following sections describe how you can manage MAC ACLs for broadcast and multicast traffic from devices on the wired LAN:
#### Manually set up a MAC ACL for broadcast and multicast traffic from the wired LAN {#task_uzp_nz1_2bc}
By default, broadcast and multicast traffic from any device on the wired LAN can reach the WiFi networks on the AP.
You can compose a single MAC access control list \(ACL\) to allow broadcast and multicast traffic only from specific devices on the wired LAN. When you enable this ACL, broadcast and multicast traffic from devices on the ACL is allowed to reach the WiFi networks on the AP. Broadcast and multicast traffic from other devices on the wired LAN is rejected by the AP. The ACL can contain up to 256 MAC addresses. If enabled, this ACL applies to *all* WiFi networks on the AP.
By default, this MAC ACL is disabled and does not include any stations. You can manually add devices, import devices \(see [Import an existing MAC ACL for broadcast and multicast traffic from the wired LAN](#task_xhm_vy1_2bc)\), or do both.
To manually set up a MAC ACL for broadcast and multicast traffic from the wired LAN:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Traffic Policies**.
The Traffic Policies page displays.
5. Click the **&gt; Allow Broadcast/Multicast Traffic LAN** tab.
The pages adjusts.
By default, the Allow Broadcast/Multicast Traffic - LAN check box is selected and the Allow all devices radio button is selected.
6. Select the **Allow traffic only from specified devices** radio button.
The page adjusts.
7. Compose the ACL in the following way:
- To manually add a device to the Allowed Stations table, enter the MAC address in the format 00-00-00-00-00-00 in the table to the right, and click the **&lt;&lt; Move** button.
The device is added to the Allowed Stations table. You can add multiple devices simultaneously.
- To remove a device from the Allowed Stations table, select the check box for the device, and click the **Remove** button.
You can search the Available Stations table.
- To remove all devices from the Allowed Stations table so that you can recompose the ACL, select the **Select-all** check box, and click the **Remove** button.
8. Click the **Apply** button.
Your settings are saved.
Broadband and multicast traffic from devices in the Allowed Stations table is allowed to reach the WiFi networks on the AP.
#### Import an existing MAC ACL for broadcast and multicast traffic from the wired LAN {#task_xhm_vy1_2bc}
You can import an existing access control list \(ACL\) that is based on up to 256 MAC addresses. You can import the list into any MAC ACL, but the MAC addresses on the list are available only for the MAC ACL into which you import the list. That is, if you want to use the same list in another \(type of\) MAC ACL, you must also import the list into that MAC ACL.
The file with MAC addresses must be in the following format:
- Entries in the file must be MAC addresses only in hexadecimal format with each octet separated by a hyphen, for example 00-11-22-33-44-55.
- You must separate entries with a comma, or place entries on separate lines.
- The file must be in text format \(that is, with a `.txt` or extension\).
You can use the MAC ACL to allow broadcast and multicast traffic only from specific devices on the wired LAN. If enabled, this ACL applies to *all* WiFi networks on the AP.
To import an existing MAC ACL for broadcast and multicast traffic from the wired LAN:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Traffic Policies**.
The Traffic Policies page displays.
5. Click the **&gt; Allow Broadcast/Multicast Traffic LAN** tab.
The pages adjusts.
By default, the Allow Broadcast/Multicast Traffic - LAN check box is selected and the Allow all devices radio button is selected.
6. Select the **Allow traffic only from specified devices** radio button.
The page adjusts.
7. To download a sample of a MAC ACL in the format that is required for importing, click the **Download Sample** link.
8. Import and compose the ACL in the following way:
1. Replace or merge the MAC addresses in the import list with the MAC addresses in the Allowed Stations table \(if any are already in the table\) by selecting one of the following radio buttons:
- **Replace**: MAC addresses in the Allowed Stations table are replaced with the ones in the import list.
- **Merge**: MAC addresses in the Allowed Stations table are merged with the ones in the import list.
2. Click the **Browse** button and navigate to and select the import file.
The MAC addresses on the import list are placed in the Allowed Stations table.
3. To remove a MAC address from the Allowed Stations table, select the MAC address and click the **Remove** button.
You can search the Allowed Stations table.
9. Click the **Apply** button.
Your settings are saved.
For information about manually adding MAC addresses to those in the Allowed Stations table, see [Manually set up a MAC ACL for broadcast and multicast traffic from the wired LAN](#task_uzp_nz1_2bc).
Broadband and multicast traffic from devices in the Allowed Stations table is allowed to reach the WiFi networks on the AP.
#### Block all broadcast and multicast traffic from the wired LAN {#task_yxr_cq1_2bc}
By default, broadcast and multicast traffic from any device on the wired LAN can reach the WiFi networks on the AP. You can block all broadcast and multicast traffic from the wired LAN, preventing this type of traffic from reaching the WiFi networks on the AP.
To block all broadcast and multicast traffic from the wired LAN:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Traffic Policies**.
The Traffic Policies page displays.
5. Click the **&gt; Allow Broadcast/Multicast Traffic LAN** tab.
The pages adjusts.
6. Clear the **Allow Broadcast/Multicast Traffic - LAN** radio button.
7. Click the **Apply** button.
Your settings are saved.
Broadband and multicast traffic from the wired LAN is not allowed to reach the WiFi networks on the AP.
### Manage the Wireless Noise Filter {#concept_rzn_kcb_2bc}
By default, no restrictions exist for DHCP, ARP, IPv6, broadcast, and multicast traffic for any port, IP address, or traffic direction.
The AP provides eight preconfigured traffic policies \(that is, traffic rules\) that can prevent generic traffic from flooding the WiFi networks. These rules are referred to as the Wireless Noise Filter and are disabled by default. You can enable the Wireless Noise Filter and then enable or disable individual traffic rules.
The MAC ACL that controls incoming broadcast and multicast traffic takes precedence over traffic policies in the Wireless Noise Filter.
The following sections describe how you can manage the Wireless Noise Filter:
#### Enable or disable the Wireless Noise Filter {#task_jl3_lw1_2bc}
By default, the Wireless Noise Filter is disabled and so are all individual traffic rules in the Wireless Noise Filter. A rule can become active only after you enable both the Wireless Noise Filter and the rule \(see [Enable, disable, or change a traffic rule in the Wireless Noise Filter](#task_bdd_hx1_2bc)\).
You cannot add or delete a traffic rule in the Wireless Noise Filter but you can edit each traffic rule to adapt it for your specific network situation.
To enable or disable the Wireless Noise Filter:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Traffic Policies**.
The Traffic Policies page displays.
5. Click the **&gt; MAC/IP Traffic Filters** tab.
The page adjusts.
6. Click the **&gt; Wireless Noise Filter** tab.
The table with traffic rules displays.
7. Select or clear the **Enable Wireless Noise Filter** check box:
- **Check box selected**: The Wireless Noise Filter is enabled.
- **Check box cleared**: The Wireless Noise Filter is disabled.
8. Click the **Apply** button.
Your settings are saved.
#### Enable, disable, or change a traffic rule in the Wireless Noise Filter {#task_bdd_hx1_2bc}
You cannot add or delete a traffic policy \(that is, a traffic rule\) from the Wireless Noise Filter but you can change each traffic rule to adapt it for your specific network situation. You can also enable or disable individual traffic rules.
CAUTION:
Other than enabling or disabling traffic rules in the Wireless Noise Filter, we recommend that you change the settings for the traffic rules only if you fully understand the consequences. Incorrect configuration might cause connectivity problems for all devices that are connected or are trying to connect to the AP.
To enable, disable, or change an individual traffic rule in the Wireless Noise Filter:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Traffic Policies**.
The Traffic Policies page displays.
5. Click the **&gt; MAC/IP Traffic Filters** tab.
The page adjusts.
6. Click the **&gt; Wireless Noise Filter** tab.
The table with traffic rules displays. By default, all traffic rules are disabled.
7. If the Wireless Noise Filter is disabled, select the **Enable Wireless Noise Filter** check box.
8. Select the check box for a traffic rule, and click the **pencil** icon.
The Add / Edit Rule pop-up window displays.
9. Configure the following settings as needed:
**Note:** You can enable or disable the Drop IPv6 traffic rule, but you cannot change it.
- **Rule Name**: You can change the default name. The following applies to the name:
- must be a unique alpha-numeric name
- can be a maximum length of 32 characters
- can include only the special characters , - and \_
- must start and end with alphanumeric characters
- **State**: Select a radio button:
- **Enable**: After you click the Apply button, the rule takes effect if the Wireless Noise Filter is enabled.
- **Disable**: You can change the rule, but after you click the Apply button, the rule takes does not take effect, even if the Wireless Noise Filter is enabled. By default, a rule is disabled.
- **Action**: Select a radio button:
- **Allow**: Traffic that matches the rule is allowed to pass through the WiFi network.
- **Deny**: Traffic that matches the rule is dropped.
- **Direction**: Select a radio button:
- **In**: The traffic rule is applied only to traffic flowing in from a WiFi network.
- **Out**: The traffic rule is applied only to traffic flowing out to a WiFi network.
- **Both**: The traffic rule is applied to both traffic flowing in from a WiFi network and traffic flowing out to a WiFi network.
- **Network Layer**: Select a radio button:
- **MAC**: The traffic rule filters packets at the MAC level.
- **IP**: The traffic rule filters packets at the IP level.
- **Protocol**: From the **Protocol** menu, select a protocol:
- **ANY**: The traffic rule applies to any traffic.
- **ARP**: The traffic rule applies only to Address Resolution Protocol \(ARP\) traffic.
- **TCP**: The traffic rule applies only to Transmission Control Protocol \(TCP\) traffic.
- **UDP**: The traffic rule applies only to User Datagram Protocol \(UDP\) traffic.
- **ICMP**: The traffic rule applies only to Internet Control Message Protocol \(ICMP\) traffic.
- **IGMP**: The traffic rule applies only to Internet Group Management Protocol \(ICMP\) traffic.
- **Source**: To set the source for the traffic to which the traffic rule must apply, do the following:
1. From the **Type** menu, select the type of source MAC address or IP address, depending on the network layer \(MAC or IP\) that you selected:
- **ANY**: The traffic rule is applied to any source MAC address or IP address.
- **MAC Address** \(MAC level only\): The traffic rule is applied only to the source MAC address that you specify in the **MAC Address** field.
- **IP Address** \(IP level only\): The traffic rule is applied only to the source IP address that you specify in the **IP Address** field.
- **IP Subnet** \(IP level only\): The traffic rule is applied only to the source IP subnet that you specify in the **Network Address** and **Network Mask** fields.
The length of the network mask must be from 8 to 32 numbers.
2. In the **Port** field, type a source port number to which the traffic rule must apply.
The port number must be in the range from 1 to 65535.
- **Destination**: To set the destination for the traffic to which the traffic rule must apply, do the following:
1. From the **Type** menu, select the type of destination MAC address or IP address, depending on the network layer \(MAC or IP\) that you selected:
- **ANY**: The traffic rule is applied to any destination MAC address or IP address.
- **MAC Address** \(MAC level only\): The traffic rule is applied only to the destination MAC address that you specify in the **MAC Address** field.
- **IP Address** \(IP level only\): The traffic rule is applied only to the destination IP address that you specify in the **IP Address** field.
- **IP Subnet** \(IP level only\): The traffic rule is applied only to the destination IP subnet that you specify in the **Network Address** and **Network Mask** fields.
The length of the network mask must be from 8 to 32 numbers.
2. In the **Port** field, type a destination port number to which the traffic rule must apply.
The port number must be in the range from 1 to 65535.
10. In the pop-up window, click the **Apply** button.
The Wireless Noise Filter page displays again.
11. To change the priority of the traffic rule, point to the **six dots** icon at the left of the traffic rule, click and hold, and then move the traffic rule up or down in the table.
12. Click the **Apply** button.
Your settings are saved.
#### Change the priority for a traffic rule in the Wireless Noise Filter {#task_anb_ft1_2bc}
You can change the priority for a traffic rule in the Wireless Noise Filter.
To change the priority for an individual traffic rule in the Wireless Noise Filter:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Traffic Policies**.
The Traffic Policies page displays.
5. Click the **&gt; MAC/IP Traffic Filters** tab.
The page adjusts.
6. Click the **&gt; Wireless Noise Filter** tab.
The table with traffic rules displays.
7. If the Wireless Noise Filter is disabled, select the **Enable Wireless Noise Filter** check box.
8. Point to the **six dots** icon at the left of the traffic rule for which you want to change the priority, click and hold, and then move the traffic rule up or down in the table.
9. Click the **Apply** button.
Your settings are saved.
### Manage the Global Traffic Filter {#concept_lsw_hcb_2bc}
The Global Traffic Filter lets you add custom traffic policies that you can apply globally to incoming and outgoing traffic for all WiFi networks.
Both the MAC ACL that controls incoming broadcast and multicast traffic and the traffic polices in the Wireless Noise Filter take precedence over traffic policies that you add to the Global Traffic Filter.
The following sections describe how you can manage the Global Traffic Filter:
#### Enable or disable the Global Traffic Filter {#task_l3s_4v1_2bc}
By default, the Global Traffic Filter does not contain any traffic policies \(that is, traffic rules\). You can add a rule \(see [Add a traffic rule to the Global Traffic Filter](#task_rmj_gp1_2bc)\), change an existing rule, and delete a rule that you no longer need.
Disabling the Global Traffic Filter does not delete traffic rules that you added to the Global Traffic Filter.
To enable or disable the Global Traffic Filter:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Traffic Policies**.
The Traffic Policies page displays.
5. Click the **&gt; MAC/IP Traffic Filters** tab.
The page adjusts.
6. Click the **&gt; Global Traffic Filter** tab.
The table with traffic rules displays. If you did not yet add any rules, the table is empty.
7. Select or clear the **Enable Global Traffic Filter** check box:
- **Check box selected**: The Global Traffic Filter is enabled.
- **Check box cleared**: The Global Traffic Filter is disabled.
8. Click the **Apply** button.
Your settings are saved.
#### Add a traffic rule to the Global Traffic Filter {#task_rmj_gp1_2bc}
You can add up to16 traffic policies \(that is, traffic rules\) to the Global Traffic Filter. The priority of the traffic rules is assigned in the order in which you add the rules. That is, the first rule that you add is assigned the first \(highest\) priority, the second rule is assigned the second priority, and so on. However, you can change the priority.
CAUTION:
We recommend that you add global traffic rules only if you fully understand the consequences. Incorrect configuration might cause connectivity problems for all devices that are connected or are trying to connect to the AP.
To add a traffic rule to the Global Traffic Filter:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Traffic Policies**.
The Traffic Policies page displays.
5. Click the **&gt; MAC/IP Traffic Filters** tab.
The page adjusts.
6. Click the **&gt; Global Traffic Filter** tab.
The table with traffic rules displays. If you did not yet add any rules, the table is empty.
7. Click the **plus** icon.
The Add / Edit Rule pop-up window displays.
8. Configure the following settings as needed:
- **Rule Name**: You can change the default name. The following applies to the name:
- must be a unique alpha-numeric name
- can be a maximum length of 32 characters
- can include only the special characters , - and \_
- must start and end with alphanumeric characters
- **State**: Select a radio button:
- **Enable**: After you click the Apply button, the rule takes effect if the Global Traffic Filter is enabled.
- **Disable**: You can change the rule, but after you click the Apply button, the rule takes does not take effect, even if the Global Traffic Filter is enabled. By default, a rule is disabled.
- **Action**: Select a radio button:
- **Allow**: Traffic that matches the rule is allowed to pass through the WiFi network.
- **Deny**: Traffic that matches the rule is dropped.
- **Direction**: Select a radio button:
- **In**: The traffic rule is applied only to traffic flowing in from a WiFi network.
- **Out**: The traffic rules is applied only to traffic flowing out to a WiFi network.
- **Both**: The traffic rule is applied to both traffic flowing in from a WiFi network and traffic flowing out to a WiFi network.
- **Network Layer**: Select a radio button:
- **MAC**: The traffic rule filters packets at the MAC level.
- **IP**: The traffic rule filters packets at the IP level.
- **Protocol**: From the **Protocol** menu, select a protocol:
- **ANY**: The traffic rule applies to any traffic.
- **ARP**: The traffic rule applies only to Address Resolution Protocol \(ARP\) traffic.
- **TCP**: The traffic rule applies only to Transmission Control Protocol \(TCP\) traffic.
- **UDP**: The traffic rule applies only to User Datagram Protocol \(UDP\) traffic.
- **ICMP**: The traffic rule applies only to Internet Control Message Protocol \(ICMP\) traffic.
- **IGMP**: The traffic rule applies only to Internet Group Management Protocol \(ICMP\) traffic.
- **Source**: To set the source for the traffic to which the traffic rule must apply, do the following:
1. From the **Type** menu, select the type of source MAC address or IP address, depending on the network layer \(MAC or IP\) that you selected:
- **ANY**: The traffic rule is applied to any source MAC address or IP address.
- **MAC Address** \(MAC level only\): The traffic rule is applied only to the source MAC address that you specify in the **MAC Address** field.
- **IP Address** \(IP level only\): The traffic rule is applied only to the source IP address that you specify in the **IP Address** field.
- **IP Subnet** \(IP level only\): The traffic rule is applied only to the source IP subnet that you specify in the **Network Address** and **Network Mask** fields.
The length of the network mask must be from 8 to 32 numbers.
2. In the **Port** field, type a source port number to which the traffic rule must apply.
The port number must be in the range from 1 to 65535.
- **Destination**: To set the destination for the traffic to which the traffic rule must apply, do the following:
1. From the **Type** menu, select the type of destination MAC address or IP address, depending on the network layer \(MAC or IP\) that you selected:
- **ANY**: The traffic rule is applied to any destination MAC address or IP address.
- **MAC Address** \(MAC level only\): The traffic rule is applied only to the destination MAC address that you specify in the **MAC Address** field.
- **IP Address** \(IP level only\): The traffic rule is applied only to the destination IP address that you specify in the **IP Address** field.
- **IP Subnet** \(IP level only\): The traffic rule is applied only to the destination IP subnet that you specify in the **Network Address** and **Network Mask** fields.
The length of the network mask must be from 8 to 32 numbers.
2. In the **Port** field, type a destination port number to which the traffic rule must apply.
The port number must be in the range from 1 to 65535.
9. In the pop-up window, click the **Apply** button.
The Global Traffic Filter page displays again.
10. To change the priority of the traffic rule, point to the **six dots** icon at the left of the traffic rule, click and hold, and then move the traffic rule up or down in the table.
The priority number adjusts.
11. Click the **Apply** button.
Your settings are saved.
#### Change a traffic rule in the Global Traffic Filter {#task_ubt_2r1_2bc}
You can change an existing traffic rule in the Global Traffic Filter.
To change an existing traffic rule in the Global Traffic Filter:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Traffic Policies**.
The Traffic Policies page displays.
5. Click the **&gt; MAC/IP Traffic Filters** tab.
The page adjusts.
6. Click the **&gt; Global Traffic Filter** tab.
The table with traffic rules displays.
7. If the Global Traffic Filter is disabled, select the **Enable Global Traffic Filter** check box.
8. Select the check box for the traffic rule, and click the **pencil** icon.
The Add / Edit Traffic Rule pop-up window displays.
9. Change the settings as needed.
For more information about the settings, see [Add a traffic rule to the Global Traffic Filter](#task_rmj_gp1_2bc).
10. In the pop-up window, click the **Apply** button.
The Global Traffic Filter page displays again.
11. To change the priority of the traffic rule, point to the **six dots** icon at the left of the traffic rule, click and hold, and then move the traffic rule up or down in the table.
The priority number adjusts.
12. Click the **Apply** button.
Your settings are saved.
#### Change the priority for a traffic rule in the Global Traffic Filter {#task_mjl_ts1_2bc}
You can change the priority for an existing traffic rule in the Global Traffic Filter.
To change the priority for an existing traffic rule in the Global Traffic Filter:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Traffic Policies**.
The Traffic Policies page displays.
5. Click the **&gt; MAC/IP Traffic Filters** tab.
The page adjusts.
6. Click the **&gt; Global Traffic Filter** tab.
The table with traffic rules displays.
7. If the Global Traffic Filter is disabled, select the **Enable Global Traffic Filter** check box.
8. Point to the **six dots** icon at the left of the traffic rule for which you want to change the priority, click and hold, and then move the traffic rule up or down in the table.
The priority number adjusts.
9. Click the **Apply** button.
Your settings are saved.
#### Remove a traffic rule from the Global Traffic Filter {#task_dsv_bfb_2bc}
You can remove a traffic rule that you no longer need.
To remove a traffic rule from the Global Traffic Filter:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Traffic Policies**.
The Traffic Policies page displays.
5. Click the **&gt; MAC/IP Traffic Filters** tab.
The page adjusts.
6. Click the **&gt; Global Traffic Filter** tab.
The table with traffic rules displays.
7. If the Global Traffic Filter is disabled, select the **Enable Global Traffic Filter** check box.
8. Select the check box for the traffic rule, and click the **trash can** icon.
The traffic rule is removed.
9. Click the **Apply** button.
Your settings are saved.
## Manage SSID-based MAC ACLs and traffic policies for WiFi networks {#concept_bmx_1jy_cbc}
In addition to global MAC ACLs and traffic policies that apply to traffic to and from the wired LAN \(see [Manage global MAC ACLs and traffic policies](#concept_ehl_zcb_2bc)\), the AP supports SSID-based MAC ACLs and traffic policies that allow you to control which WiFi clients can connect to a WiFi network and which WiFi traffic can enter and leave a WiFi network:
- **MAC ACLs for WiFi clients**: Allow or reject WiFi clients from connecting to a WiFi network based on their MAC address.
For more information, see [Manage MAC ACLs for WiFi clients](#concept_gld_kdw_g1c).
- **MAC ACLs for broadcast and multicast traffic**: Allow incoming broadcast and multicast traffic only from specific devices on a WiFi network.
For more information, see [Manage MAC ACLs for broadcast and multicast traffic from WiFi clients](#concept_j23_5db_2bc).
- **MAC/IP Traffic Filter groups**: Add custom traffic rules to a group and apply the group to a WiFi network. These traffic rules can allow or deny traffic based on the network layer \(MAC addresses or IP addresses\) and a selected protocol, and can affect incoming or outgoing WiFi traffic, or WiFi traffic in both directions.
For more information, see [Manage MAC/IP Traffic Filter groups for WiFi networks](#concept_ekl_m2b_2bc).
**Note:** Global traffic rules in the Wireless Noise Filter \(see [Manage the Wireless Noise Filter](#concept_rzn_kcb_2bc)\) and, if enabled, Global Traffic Filter \(see [Manage the Global Traffic Filter](#concept_lsw_hcb_2bc)\) take higher precedence than traffic rules in MAC/IP Traffic Filter groups for WiFi networks.
### Manage MAC ACLs for WiFi clients {#concept_gld_kdw_g1c}
The AP supports eight local access control lists \(ACLs\) that let you control which WiFi clients are allowed access and which WiFi clients are denied access. These ACLs are based on MAC addresses, and each local MAC ACL can contain a total number of 512 MAC addresses..
If you set up an ACL with a policy that allows access and you apply that ACL to a WiFi network \(that is, to an SSID\), the ACL functions as follows:
- A WiFi device for which you place the MAC address in the ACL is allowed access to the WiFi network.
- All other WiFi devices are denied access to the WiFi network.
If you set up an ACL with a policy that denies access and you apply that ACL to a WiFi network \(that is, to an SSID\), the ACL functions as follows:
- A WiFi device for which you place the MAC address in the ACL is denied access to the WiFi network.
- All other WiFi devices are allowed access to the WiFi network.
An ACL takes effect only after you apply it to a WiFi network. For information about applying an ACL for WiFi clients to a WiFi network, see [Select a MAC ACL for WiFi clients in a WiFi network](#task_zg4_jyd_h1c). You can apply a MAC ACL for WiFi clients to more than one WiFi network.
The following sections describe how you can manage MAC ACLs for WiFi clients:
#### Manually set up a MAC ACL for WiFi clients {#task_uhl_mgw_g1c}
You can compose up to eight access control lists \(ACLs\) that are each based on up to 512 MAC addresses. The AP includes MAC ACLs with the following default group names and settings, which you can change:
- **Management**: If enabled, allows access to trusted stations by default.
- **Guest**: If enabled, allows access to trusted stations by default.
- **Guest 1**: If enabled, denies access to untrusted stations by default.
- **Custom**: If enabled, denies access to untrusted stations by default.
- **Custom 1**: If enabled, allows access to trusted stations by default.
- **Custom 2**: If enabled, allows access to trusted stations by default.
- **Custom 3**: If enabled, allows access to trusted stations by default.
- **Custom 4**: If enabled, allows access to trusted stations by default.
By default, these MAC ACLs are disabled and do not include any stations. You can manually add devices, import devices \(see [Import an existing MAC ACL for WiFi clients](#task_jlk_vhw_g1c)\), or do both.
You can use a MAC ACL to control which WiFi devices \(stations\) can access a WiFi network. You can apply one MAC ACL to more than one WiFi network.
To manually set up a MAC ACL for WiFi clients:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; ACLs &gt; Wireless Clients**.
The page shows all MAC ACLs.
5. Click the group name for the MAC ACL that you want to set up.
The MAC ACL page displays, showing the settings for the selected MAC ACL.
Devices in the Available Stations table are automatically detected by the AP and are common to all MAC ACLs, which allows you to add a device to more than one MAC ACL. A neighboring station displays as Neighbor and a connected station displays as Connected.
6. To change the group name, enter a new name in the **Group Name** field.
The default group names for the eight MAC ACLs are Management, Guest, Guest 1, Custom, Custom 1, Custom 2, Custom 3, and Custom 4.
A group name can have a length of maximum 32 characters. You cannot use special characters except for a hyphen \(-\), underscore \(\_\), and space \( \).
7. Select the ACL Policy **Allow** or **Deny** radio button.
If you select the **Allow** radio button, a WiFi device for which you place the MAC address in the ACL is allowed access to the WiFi network, but all other WiFi devices are denied access to the WiFi network.
If you select the **Deny** radio button, a WiFi device for which you place the MAC address in the ACL is denied access to the WiFi network, but all other WiFi devices are allowed access to the WiFi network.
8. Compose the ACL in the following way:
- For an ACL for which you selected the **Allow** radio button in [7](#step_ylc_mgw_g1c), do the following:
- To manually add a device to the Trusted Stations table, enter the MAC address in the format 00-00-00-00-00-00 in the field below the Trusted Stations table, and click the **Add** button.
The device is added to the Trusted Stations table.
- To move a device from the Available Stations table to the Trusted Stations table, select the check box for the device and click the **&lt;&lt; Move** button.
You can search the Available Stations table. You can also filter devices in the Available Stations table by clicking the **filter** icon.
- To remove a device from the Trusted Stations table, select the check box for the device and click the **Remove** button.
You can search the Trusted Stations table.
When you remove a device from the Trusted Stations table, after the AP redetects the device, the device is once again placed in the Available Stations table.
- For an ACL for which you selected the **Deny** radio button in [7](#step_ylc_mgw_g1c), do the following:
- To manually add a device to the Untrusted Stations table, enter the MAC address in the format 00-00-00-00-00-00 in the field below the Untrusted Stations table, and click the **Add** button.
The device is added to the Untrusted Stations table.
- To move a device from the Available Stations table to the Untrusted Stations table, select the check box for the device and click the **&lt;&lt; Move** button.
You can search the Available Stations table. You can also filter devices in the Available Stations table by clicking the **filter** icon.
- To remove a device from the Untrusted Stations table, select the check box for the device and click the **Remove** button.
You can search the Untrusted Stations table.
When you remove a device from the Untrusted Stations table, after the AP redetects the device, the device is once again placed in the Available Stations table.
9. Click the **Apply** button.
Your settings are saved.
For more information about applying an ACL to a WiFi network, see [Select a MAC ACL for WiFi clients in a WiFi network](#task_zg4_jyd_h1c).
WiFi devices in the Trusted Stations table can access the WiFi network to which you apply the ACL. WiFi devices in the Untrusted Stations table cannot access the WiFi network to which you apply the ACL.
#### Import an existing MAC ACL for WiFi clients {#task_jlk_vhw_g1c}
You can import an existing access control list \(ACL\) that is based on up to 512 MAC addresses. You can import the list into any MAC ACL, but the MAC addresses on the list are available only for the MAC ACL into which you import the list. That is, if you want to use the same list in another MAC ACL, you must also import the list into that MAC ACL.
The file with MAC addresses must be in the following format:
- Entries in the file must be MAC addresses only in hexadecimal format with each octet separated by a hyphen, for example 00-11-22-33-44-55.
- You must separate entries with a comma, or place entries on separate lines.
- The file must be in text format \(that is, with a `.txt` or extension\).
You can use a MAC ACL to control which WiFi devices can access a WiFi network. You can apply a MAC ACL to more than one WiFi network.
To import an existing MAC ACL for WiFi clients:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; ACLs &gt; Wireless Clients**.
The page shows all MAC ACLs.
5. Click the group name for the MAC ACL that you want to set up.
The MAC ACL page displays, showing the settings for the selected MAC ACL.
Devices in the Available Stations table are automatically detected by the AP and are common to all MAC ACLs, which allows you to add a device to more than one MAC ACL. A neighboring station displays as Neighbor and a connected station displays as connected.
6. To change the group name, enter a new name in the **Group Name** field.
The default group names for the eight MAC ACLs are Management, Guest, Guest 1, Custom, Custom 1, Custom 2, Custom 3, and Custom 4.
A group name can have a length of maximum 32 characters. You cannot use special characters except for a hyphen \(-\), underscore \(\_\), and space \( \).
7. Select the ACL Policy **Allow** or **Deny** radio button.
If you select the **Allow** radio button, a WiFi device for which you import the MAC address into the ACL is allowed access to the WiFi network, but all other WiFi devices are denied access to the WiFi network.
If you select the **Deny** radio button, a WiFi device for which you import the MAC address into the ACL is denied access to the WiFi network, but all other WiFi devices are allowed access to the WiFi network.
8. To download a sample of a MAC ACL in the format that is required for importing, click the **Download Sample** link.
9. Import and compose the ACL in the following way:
- For an ACL for which you selected the **Allow** radio button in [7](#step_p4s_5hw_g1c), do the following:
1. Replace or merge the MAC addresses in the import list with the MAC addresses in the Trusted Stations table \(if any are already in the table\) by selecting one of the following radio buttons:
- **Replace**: MAC addresses in the Trusted Stations table are replaced with the ones in the import list.
- **Merge**: MAC addresses in the Trusted Stations table are merged with the ones in the import list.
2. Click the **Browse** button and navigate to and select the import file.
The MAC addresses on the import list are placed in the Trusted Stations table.
3. To remove a MAC address from the Trusted Stations table, select the MAC address and click the **Remove** button.
You can search the Trusted Stations table.
When you remove a device from the Trusted Stations table, after the AP redetects the device, the device is once again placed in the Available Stations table.
- For an ACL for which you selected the **Deny** radio button in [7](#step_p4s_5hw_g1c), do the following:
1. Replace or merge the MAC addresses in the import list with the MAC addresses in the Untrusted Stations table \(if any are already in the table\) by selecting one of the following radio buttons:
- **Replace**: MAC addresses in the Untrusted Stations table are replaced with the ones in the import list.
- **Merge**: MAC addresses in the Untrusted Stations table are merged with the ones in the import list.
2. Click the **Browse** button and navigate to and select the import file.
The MAC addresses on the import list are placed in the Untrusted Stations table.
3. To remove a MAC address from the Untrusted Stations table, select the MAC address and click the **Remove** button.
You can search the Untrusted Stations table.
When you remove a device from the Untrusted Stations table, after the AP redetects the device, the device is once again placed in the Available Stations table.
10. Click the **Apply** button.
Your settings are saved. For information about manually adding MAC addresses to those in the Trusted Stations table or Untrusted Stations table, see [Manually set up a MAC ACL for WiFi clients](#task_uhl_mgw_g1c).
For more information about applying an ACL to a WiFi network, see [Select a MAC ACL for WiFi clients in a WiFi network](#task_zg4_jyd_h1c).
WiFi devices in the Trusted Stations table can access the WiFi network to which you apply the ACL. WiFi devices in the Untrusted Stations table cannot access the WiFi network to which you apply the ACL.
### Manage MAC ACLs for broadcast and multicast traffic from WiFi clients {#concept_j23_5db_2bc}
The AP supports eight local access control lists \(ACLs\) that let you control which WiFi clients are allowed to send broadcast and multicast traffic into a WiFi network \(that is, into an SSID\). These ACLs are based on MAC addresses, and each local MAC ACL can contain a total number of 256 MAC addresses.
The ACL functions as follows:
- A WiFi device for which you place the MAC address in the ACL is allowed to send broadcast and multicast traffic into the WiFi network.
The broadcast and multicast traffic is allowed within the same SSID on which the WiFi client sends the traffic, regardless of the radio on which the SSID broadcasts. If another SSID is using the same VLAN, clients on the other SSID can also receive the broadcast or multicast traffic.
For example:
- The “Main Lobby” SSID uses VLAN 1 and broadcasts on both the 2.4 GHz radio and the 5 GHz radio.
- The MAC address of Client 1 is on the MAC ACL, and Client 1 sends multicast traffic on the 5 GHz radio of the “Main Lobby” SSID.
- The “Auditorium” SSID is also configured on the same VLAN 1 and broadcasts on the 2.4 GHz radio.
- The “Accounting Department” SSID is configured on VLAN 2 and broadcasts on both the 2.4 GHz radio and the 5 GHz radio.
In this situation, the multicast traffic from Client 1 can reach all clients that are connected to the “Main Lobby” SSID as well as all clients that are connected to the “Auditorium” SSID, but it cannot reach clients that are connected to the “Accounting Department” SSID.
- Broadcast and multicast traffic from all other WiFi devices is rejected by the WiFi network.
An ACL takes effect only after you apply it to a WiFi network. For information about applying an ACL for broadcast and multicast traffic to a WiFi network, see [Select a MAC ACL for broadcast and multicast traffic from WiFi clients in a WiFi network](#task_rm3_zl3_2bc). You can apply an ACL for broadcast and multicast traffic to more than one WiFi network.
The following sections describe how you can manage MAC ACLs for broadcast and multicast traffic from WiFi clients:
#### Manually set up a MAC ACL for broadcast and multicast traffic from WiFi clients {#task_yxh_2bb_2bc}
You can compose up to eight access control lists \(ACLs\) for broadcast and multicast traffic from WiFi clients. Each ACL is based on up to 256 MAC addresses. The AP includes MAC ACLs with the default group names Group 1 through Group 8. You can change these names.
By default, these MAC ACLs are disabled and do not include any stations. You can manually add devices, import devices \(see [Import an existing MAC ACL for broadcast and multicast traffic from WiFi clients](#task_w3x_z1b_2bc)\), or do both.
You can use a MAC ACL to control which WiFi clients \(stations\) are allowed to send broadcast and multicast traffic into a WiFi network \(that is, into an SSID\). You can apply one MAC ACL to more than one WiFi network.
To manually set up a MAC ACL for broadcast and multicast traffic from WiFi clients:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; ACLs &gt; Allow Broadcast/Multicast Traffic**.
The Allow Broadcast/Multicast Traffic page displays.
5. Click the group name for the MAC ACL that you want to set up.
The page adjusts.
Devices in the Connected Stations table are automatically detected by the AP and are common to all MAC ACLs, which allows you to add a device to more than one MAC ACL. A neighboring station displays as Neighbor and a connected station displays as Connected.
6. To change the group name, enter a new name in the **Group Name** field.
The default group names for the eight MAC ACLs are Group 1, Group 2, Group 3, Group 4, Group 5, Group 6, Group 7, and Group 8.
A group name can have a length of maximum 32 characters. You cannot use special characters except for a hyphen \(-\), underscore \(\_\), and space \( \).
7. Compose the ACL in the following way:
- To manually add a device to the Allowed Stations table, enter the MAC address in the format 00-00-00-00-00-00 in the field below the Allowed Stations table, and click the **Add** button.
The device is added to the Allowed Stations table.
- To move a device from the Connected Stations table to the Allowed Stations table, select the check box for the device and click the **&lt;&lt; Move** button.
You can search the Connected Stations table.
- To remove a device from the Allowed Stations table, select the check box for the device and click the **Remove** button.
You can search the Allowed Stations table.
When you remove a device from the Allowed Stations table, after the AP redetects the device, the device is once again placed in the Connected Stations table.
8. Click the **Apply** button.
Your settings are saved.
For more information about applying an ACL for broadcast and multicast traffic from WiFi clients to a WiFi network, see [Select a MAC ACL for broadcast and multicast traffic from WiFi clients in a WiFi network](#task_rm3_zl3_2bc).
WiFi devices in the Allowed Stations table are allowed to send broadcast and multicast traffic into a WiFi network to which you apply the ACL.
#### Import an existing MAC ACL for broadcast and multicast traffic from WiFi clients {#task_w3x_z1b_2bc}
You can import an existing access control list \(ACL\) that is based on up to 256 MAC addresses. You can import the list into any MAC ACL, but the MAC addresses on the list are available only for the MAC ACL into which you import the list. That is, if you want to use the same list in another MAC ACL, you must also import the list into that MAC ACL.
The file with MAC addresses must be in the following format:
- Entries in the file must be MAC addresses only in hexadecimal format with each octet separated by a hyphen, for example 00-11-22-33-44-55.
- You must separate entries with a comma, or place entries on separate lines.
- The file must be in text format \(that is, with a `.txt` or extension\).
You can use a MAC ACL to control which WiFi clients \(stations\) are allowed to send broadcast and multicast traffic into a WiFi network \(that is, into an SSID\). You can apply one MAC ACL to more than one WiFi network.
To import an existing MAC ACL for broadcast and multicast traffic from WiFi clients:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; ACLs &gt; Allow Broadcast/Multicast Traffic**.
The Allow Broadcast/Multicast Traffic page displays.
5. Click the group name for the MAC ACL that you want to set up.
The page adjusts.
Devices in the Connected Stations table are automatically detected by the AP and are common to all MAC ACLs, which allows you to add a device to more than one MAC ACL. A neighboring station displays as Neighbor and a connected station displays as Connected.
6. To change the group name, enter a new name in the **Group Name** field.
The default group names for the eight MAC ACLs are Group 1, Group 2, Group 3, Group 4, Group 5, Group 6, Group 7, and Group 8.
A group name can have a length of maximum 32 characters. You cannot use special characters except for a hyphen \(-\), underscore \(\_\), and space \( \).
7. To download a sample of a MAC ACL in the format that is required for importing, click the **Download Sample** link.
8. Import and compose the ACL in the following way:
1. Replace or merge the MAC addresses in the import list with the MAC addresses in the Allowed Stations table \(if any are already in the table\) by selecting one of the following radio buttons:
- **Replace**: MAC addresses in the Allowed Stations table are replaced with the ones in the import list.
- **Merge**: MAC addresses in the Allowed Stations table are merged with the ones in the import list.
2. Click the **Browse** button and navigate to and select the import file.
The MAC addresses on the import list are placed in the Allowed Stations table.
3. To remove a MAC address from the Allowed Stations table, select the MAC address and click the **Remove** button.
You can search the Allowed Stations table.
When you remove a device from the Allowed Stations table, after the AP redetects the device, the device is once again placed in the Connected Stations table.
9. Click the **Apply** button.
Your settings are saved.
For information about manually adding MAC addresses to those in the Allowed Stations table, see [Manually set up a MAC ACL for broadcast and multicast traffic from WiFi clients](#task_yxh_2bb_2bc).
For more information about applying an ACL for broadcast and multicast traffic from WiFi clients to a WiFi network, see [Select a MAC ACL for broadcast and multicast traffic from WiFi clients in a WiFi network](#task_rm3_zl3_2bc).
WiFi devices in the Allowed Stations table are allowed to send broadcast and multicast traffic into a WiFi network to which you apply the ACL.
### Manage MAC/IP Traffic Filter groups for WiFi networks {#concept_ekl_m2b_2bc}
A MAC/IP Traffic Filter group is a collection of custom MAC-based and IP-based traffic rules that you can apply to incoming and outgoing traffic in a WiFi network \(SSID\). Each rule can allow or deny a specific type of traffic.
The AP provides eight MAC/IP Traffic Filter groups. You can add up to 16 traffic rules to each group. You can apply a single group to more than one SSID.
**Note:** Global traffic rules in the Wireless Noise Filter \(see [Manage the Wireless Noise Filter](#concept_rzn_kcb_2bc)\) and, if enabled, Global Traffic Filter \(see [Manage the Global Traffic Filter](#concept_lsw_hcb_2bc)\) take higher precedence than traffic rules in MAC/IP Traffic Filter groups for WiFi networks.
**Note:** If you apply a MAC/IP Traffic Filter group to a WiFi network, the throughput might be affected and could be lower than normal.
The following sections describe how you can manage MAC/IP Traffic Filter groups:
#### Enable or disable a MAC/IP Traffic Filter group {#task_nts_bv1_2bc}
By default, a MAC/IP Traffic Filter group does not contain any traffic policies \(that is, traffic rules\). You can add a rule \(see [Add a traffic rule to a MAC/IP Traffic Filter group](#task_ggh_mn1_2bc)\), change an existing rule, and delete a rule that you no longer need.
Disabling a group does not delete traffic rules that you added to the group.
To enable or disable a MAC/IP Traffic Filter group:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; ACLs &gt; MAC/IP Traffic Filters**.
The MAC/IP Traffic Filters page displays.
5. Click the group that you want enable or disable.
The page adjusts.
6. Select or clear the **Enable Group** check box.
- **Check box selected**: The group is enabled.
- **Check box cleared**: The group is disabled.
7. Click the **Apply** button.
Your settings are saved.
#### Add a traffic rule to a MAC/IP Traffic Filter group {#task_ggh_mn1_2bc}
You can add one or more traffic policies \(that is, traffic rules\) to a MAC/IP Traffic Filter group. The priority of the traffic rules is assigned in the order in which you add the rules. That is, the first rule that you add is assigned the first \(highest\) priority, the second rule is assigned the second priority, and so on. However, you can change the priority.
CAUTION:
We recommend that you add traffic rules only if you fully understand the consequences. Incorrect configuration might cause connectivity problems for all devices that are connected or are trying to connect to the WiFi network to which you apply the MAC/IP Traffic Filter group.
To add a traffic rule to a MAC/IP Traffic Filter group:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; ACLs &gt; MAC/IP Traffic Filters**.
The MAC/IP Traffic Filters page displays.
5. Click the group to which you want to add a traffic rule and then select the **Enable Group** check box.
6. Click the **plus** icon.
The Add / Edit Rule pop-up window displays.
7. Configure the following settings as needed:
- **Rule Name**: You can change the default name. The following applies to the name:
- must be a unique alpha-numeric name
- can be a maximum length of 32 characters
- can include only the special characters , - and \_
- must start and end with alphanumeric characters
- **State**: Select a radio button:
- **Enable**: After you click the Apply button, the rule takes effect if the MAC/IP Traffic Filter is enabled.
- **Disable**: You can change the rule, but after you click the Apply button, the rule takes does not take effect, even if the MAC/IP Traffic Filter is enabled. By default, a rule is disabled.
- **Action**: Select a radio button:
- **Allow**: Traffic that matches the rule is allowed to pass through the WiFi network.
- **Deny**: Traffic that matches the rule is dropped.
- **Direction**: Select a radio button:
- **In**: The traffic rule is applied only to traffic flowing in from a WiFi network.
- **Out**: The traffic rules is applied only to traffic flowing out to a WiFi network.
- **Both**: The traffic rule is applied to both traffic flowing in from a WiFi network and traffic flowing out to a WiFi network.
- **Network Layer**: Select a radio button:
- **MAC**: The traffic rule filters packets at the MAC level.
- **IP**: The traffic rule filters packets at the IP level.
- **Protocol**: From the **Protocol** menu, select a protocol:
- **ANY**: The traffic rule applies to any traffic.
- **ARP**: The traffic rule applies only to Address Resolution Protocol \(ARP\) traffic.
- **TCP**: The traffic rule applies only to Transmission Control Protocol \(TCP\) traffic.
- **UDP**: The traffic rule applies only to User Datagram Protocol \(UDP\) traffic.
- **ICMP**: The traffic rule applies only to Internet Control Message Protocol \(ICMP\) traffic.
- **IGMP**: The traffic rule applies only to Internet Group Management Protocol \(ICMP\) traffic.
- **Source**: To set the source for the traffic to which the traffic rule must apply, do the following:
1. From the **Type** menu, select the type of source MAC address or IP address, depending on the network layer \(MAC or IP\) that you selected:
- **ANY**: The traffic rule is applied to any source MAC address or IP address.
- **MAC Address** \(MAC level only\): The traffic rule is applied only to the source MAC address that you specify in the **MAC Address** field.
- **IP Address** \(IP level only\): The traffic rule is applied only to the source IP address that you specify in the **IP Address** field.
- **IP Subnet** \(IP level only\): The traffic rule is applied only to the source IP subnet that you specify in the **Network Address** and **Network Mask** fields.
The length of the network mask must be from 8 to 32 numbers.
2. In the **Port** field, type a source port number to which the traffic rule must apply.
The port number must be in the range from 1 to 65535.
- **Destination**: To set the destination for the traffic to which the traffic rule must apply, do the following:
1. From the **Type** menu, select the type of destination MAC address or IP address, depending on the network layer \(MAC or IP\) that you selected:
- **ANY**: The traffic rule is applied to any destination MAC address or IP address.
- **MAC Address** \(MAC level only\): The traffic rule is applied only to the destination MAC address that you specify in the **MAC Address** field.
- **IP Address** \(IP level only\): The traffic rule is applied only to the destination IP address that you specify in the **IP Address** field.
- **IP Subnet** \(IP level only\): The traffic rule is applied only to the destination IP subnet that you specify in the **Network Address** and **Network Mask** fields.
The length of the network mask must be from 8 to 32 numbers.
2. In the **Port** field, type a destination port number to which the traffic rule must apply.
The port number must be in the range from 1 to 65535.
8. In the pop-up window, click the **Apply** button.
The MAC/IP Traffic Filters page displays again.
9. To change the priority of the traffic rule, point to the **six dots** icon at the left of the traffic rule, click and hold, and then move the traffic rule up or down in the table.
The priority number adjusts.
10. Click the **Apply** button.
Your settings are saved.
#### Change a traffic rule in a MAC/IP Traffic Filter group {#task_ejb_zq1_2bc}
You can change an existing traffic rule in a MAC/IP Traffic Filter group.
To change an existing traffic rule in a MAC/IP Traffic Filter group:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; ACLs &gt; MAC/IP Traffic Filters**.
The MAC/IP Traffic Filters page displays.
5. Click the group in which you want to change a traffic rule.
The table shows the traffic rules that you added to the group.
6. If the group is disabled, click the **Enable Group** check box.
7. Select the check box for the traffic rule, and click the **pencil** icon.
The Add / Edit Traffic Rule pop-up window displays.
8. Change the settings as needed.
For more information about the settings, see [Add a traffic rule to a MAC/IP Traffic Filter group](#task_ggh_mn1_2bc).
9. In the pop-up window, click the **Apply** button.
The MAC/IP Traffic Filters page displays again.
10. To change the priority of the traffic rule, point to the **six dots** icon at the left of the traffic rule, click and hold, and then move the traffic rule up or down in the table.
The priority number adjusts.
11. Click the **Apply** button.
Your settings are saved.
#### Change the priority for a traffic rule in a MAC/IP Traffic Filter group {#task_rdl_ns1_2bc}
You can change the priority for a traffic rule in a MAC/IP Traffic Filter group.
To change the priority for a traffic rule in a MAC/IP Traffic Filter group:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; ACLs &gt; MAC/IP Traffic Filters**.
The MAC/IP Traffic Filters page displays.
5. Click the group in which you want to change the priority for a traffic rule.
The table with traffic rules displays.
6. If the group is disabled, click the **Enable Group** check box.
7. Point to the **six dots** icon at the left of the traffic rule for which you want to change the priority, click and hold, and then move the traffic rule up or down in the table.
The priority number adjusts.
8. Click the **Apply** button.
Your settings are saved.
#### Remove a traffic rule from a MAC/IP Traffic Filter group {#task_h1v_x2b_2bc}
You can remove a traffic rule that you no longer need.
To remove a traffic rule from a MAC/IP Traffic Filter group:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; ACLs &gt; MAC/IP Traffic Filters**.
The MAC/IP Traffic Filters page displays.
5. Click the group from which you want to remove a traffic rule.
The table with traffic rules displays.
6. If the group is disabled, click the **Enable Group** check box.
7. Select the check box for the traffic rule, and click the **trash can** icon.
The traffic rule is removed.
8. Click the **Apply** button.
Your settings are saved.
## Enable L2 security {#task_hzg_l3w_g1c}
L2 security can prevent attacks via VLAN stacking by blocking VLAN-tagged packets on the WiFi interface. If you enable L2 security, the AP allows only certain types of client traffic, such as ARP, IPv4, and IPv6 traffic, on any WiFi network. L2 security is disabled by default.
To enable L2 security:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Security &gt; L2 Security**.
The L2 Security page displays.
5. Select the **Yes** radio button.
By default the No radio button is selected, and L2 security is disabled.
6. Click the **Apply** button.
Your settings are saved.
# Manage the Local Area Network and IP Settings {#concept_vct_yqw_g1c .concept}
This chapter describes how you can manage the local area network \(LAN\) and IP settings of the AP.
The chapter includes the following sections:
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## Disable the DHCP client and set a fixed IP address {#task_qvk_frw_g1c}
By default, the DHCP client of the AP is enabled and the AP receives an IP address from a DHCP server \(or a router that functions as a DHCP server\) in your network. If your network does not include a DHCP server or you prefer to specify a fixed \(static\) IP address, disable the DHCP client of the AP.
To disable the DHCP client and set a fixed IP address:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; IP &gt; LAN**.
The IPv4 Settings page displays. The fields are masked because the DHCP client is enabled.
5. Select the **Disable** radio button.
The fields are unmasked.
6. Specify the settings that are described in the following table.
<table id="table_vvk_frw_g1c"><thead><tr><th>
Setting
</th><th>
Description
</th></tr></thead><tbody><tr><td>
IP Address
</td><td>
IP address in the range that is used by your LAN. By default, the IP address is 192.168.0.100.
</td></tr><tr><td>
Subnet Mask
</td><td>
The subnet mask must be compatible with your LAN. By default, the network mask is 255.255.255.0.
</td></tr><tr><td>
Gateway
</td><td>
IP address of the gateway on your LAN.
</td></tr><tr><td>
Primary DNS
</td><td>
IP address of the primary Domain Name System \(DNS\) server on your LAN.
</td></tr><tr><td>
Secondary DNS
</td><td>
IP address of the secondary DNS server on your LAN, or leave this field blank.
</td></tr></tbody>
</table>7. Click the **Apply** button.
Your settings are saved. The AP restarts with the new IP settings.
## Enable the DHCP client {#task_ssh_2sw_g1c}
By default, the DHCP client of the AP is enabled and the AP receives an IP address from a DHCP server \(or a router that functions as a DHCP server\) in your network.
If you disabled the DHCP client, you can reenable it.
To enable the DHCP client:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; IP &gt; LAN**.
The IPv4 Settings page displays.
5. Select the **Enable** radio button.
The fields are masked.
6. Click the **Apply** button.
Your settings are saved. The AP restarts with the new IP settings. It might take a while before the AP receives its IP address setting from the DHCP server.
## Set the 802.1Q VLAN and management VLAN {#task_b45_rsw_g1c}
The 802.1Q VLAN protocol on the AP logically separates traffic on the same physical \(wired\) network. This protocol can work with tagged and untagged VLANs, as follows:
- **Untagged VLAN**: The AP sends untagged frames from its Ethernet interface. Incoming untagged frames are assigned to the untagged VLAN. By default, the untagged VLAN is VLAN 1. By default, the AP functions with an untagged VLAN.
- **Tagged VLAN**: The AP tags all frames that it sends from its Ethernet interface. Only the incoming frames that are tagged with known VLAN IDs are accepted.
The management VLAN is used for managing traffic such as Telnet, SNMP, HTTP, and HTTPS traffic sent to and from the AP. Frames that belong to the management VLAN and that are sent over the trunk do not receive an 802.1Q header. If a port is a member of a single VLAN, its traffic can be untagged.
A management VLAN other than the default VLAN 1 and the following features are mutually exclusive:
- mDNS gateway \(see [Manage the multicast DNS gateway](#concept_dm4_tpx_g1c)\)
- NAT mode \(see [Set NAT mode or Bridge mode for addressing and traffic](#task_cjb_tvd_h1c)\)
To set the 802.1Q VLAN and management VLAN:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; IP &gt; LAN**.
The IPv4 Settings page displays.
5. To change the 802.1Q VLAN, either clear or select the **Untagged VLAN** check box:
- **Untagged VLAN**: By default, the **Untagged VLAN** check box is selected. The AP sends untagged frames from its Ethernet interface. Incoming untagged frames are assigned to the untagged VLAN. By default, the untagged VLAN is VLAN 1 but you can enter another VLAN ID in the field if that VLAN ID is supported on your network.
- **Tagged VLAN**: Clear the **Untagged VLAN** check box only if the hubs and switches on your LAN support the 802.1Q VLAN protocol. The AP tags all frames that it sends from its Ethernet interface. Only the incoming frames that are tagged with known VLAN IDs are accepted. Similarly, change the ID for the untagged VLAN only if the hubs and switches on your LAN support the 802.1Q VLAN protocol and the new VLAN ID is supported on your network.
A VLAN ID must be in the range from 1 to 4094.
6. To change the VLAN ID for the management VLAN, enter another VLAN ID in the **Management VLAN** field.
By default, the management VLAN is VLAN 1. If you change the VLAN ID, be sure that the VLAN ID is supported on your network.
7. Click the **Apply** button.
Your settings are saved. The AP restarts with the new VLAN settings.
## Set an existing domain name {#task_kcr_zsw_g1c}
You can specify an existing fully qualified domain name \(FQDN\) for the AP so that you can access the AP by using a domain name instead of an IP address.
The FQDN must be a domain name that is registered with a Domain Name System \(DNS\) provider.
The following are the requirements for the FQDN:
- The maximum length of the FQDN is 255 characters, with a maximum of 63 characters per label, separated by a dot \(.\) between each label.
- Alphanumeric characters are allowed \(az and 19\).
- A space is not allowed.
- A dot \(.\) and a hyphen \(-\) are allowed but the name cannot start with either.
- Numbers and special characters are not allowed in the last label of the FQDN.
An example is *myap01-firstfloor-myorganization.com*.
To set an existing FQDN:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; IP &gt; LAN**.
The IPv4 Settings page displays.
5. In the **Fully Qualified Domain Name** field, specify the FQDN.
6. Click the **Apply** button.
Your settings are saved. The AP attempts to resolve the FDQN to an IP address.
## Enable or disable Spanning Tree Protocol {#task_wsm_k5w_g1c}
For locations where multiple APs are active and redundant network paths might be present, Spanning Tree Protocol \(STP\) can prevent network loops. If your location might include redundant network paths, we recommend that you enable STP.
To enable or disable Spanning Tree Protocol:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; General**.
The General page displays.
5. Select a Spanning Tree Protocol radio button:
- **Enable**: STP is enabled.
- **Disable**: STP is disabled. This is the default setting.
6. Click the **Apply** button.
Your settings are saved.
## Enable or disable the network integrity check function {#task_svc_p5w_g1c}
The network integrity check function enables the AP to validate whether the upstream link is active before the AP allows WiFi associations. Make sure that the default gateway is configured correctly. By default, the network integrity check function is disabled.
To enable or disable the network integrity check function:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; General**.
The General page displays.
5. Select a Network Integrity Check radio button:
- **Enable**: The network integrity check function is enabled.
- **Disable**: The network integrity check function is disabled. This is the default setting.
6. Click the **Apply** button.
Your settings are saved.
## Enable or disable IGMP snooping {#task_pgm_t5w_g1c}
IGMP snooping allows IP multicast packets to be transmitted only to the members of a corresponding multicast group. Enabling IGMP snooping prevents flooding of multicast traffic to all the ports in a broadcast domain. By default, IGMP snooping is disabled on the AP.
To enable or disable IGMP snooping:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; General**.
The General page displays.
5. Select an IGMP Snooping radio button:
- **Enable**: IGMP snooping is enabled.
- **Disable**: IGMP snooping is disabled. This is the default setting.
6. Click the **Apply** button.
Your settings are saved.
## Enable or disable the hardware assisted datapath {#task_lxr_mnx_g1c}
The hardware assisted datapath, which is enabled by default, increases the maximum throughput on the AP.
We recommend that you leave the hardware assisted datapath enabled unless you need to enable inter-VLAN routing or support jumbo frames in the network. Disabling the hardware assisted datapath reduces the maximum throughput, but the throughput is still high enough for an enterprise deployment.
To enable or disable the hardware assisted datapath:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; General**.
The General page displays.
5. Select a Hardware Assisted Datapath radio button:
- **Enable**: The hardware assisted datapath is enabled. This is the default setting.
- **Disable**: The hardware assisted datapath is disabled.
6. Click the **Apply** button.
Your settings are saved.
## Enable or disable Ethernet LLDP {#task_yrb_kqx_g1c}
Link Layer Discovery Protocol \(LLDP\), as specified in IEEE 802.1AB, can provide link-layer messages to adjacent network devices. For example, LLDP lets network devices such as switches and management devices discover the AP in a network.
LLDP can also detect if the AP receives power through PoE. By default, LLDP is enabled.
To enable or disable the LLDP:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Ethernet LLDP**.
The Ethernet LLDP page displays.
5. Select a radio button:
- **Enable**: LLDP is enabled. This is the default setting.
- **Disable**: LLDP is disabled.
CAUTION:
If the AP receives power from a PoE switch and you disable LLDP, power to the AP might be turned off after you click the **Apply** button. In that case, restart the AP.
6. Click the **Apply** button.
Your settings are saved.
## Enable or disable UPnP {#unique_1476027400}
Universal Plug and Play \(UPnP\) lets the AP be discovered by other devices in a network that support UPnP. UPnP is enabled by default.
To enable or disable UPnP:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; UPnP**.
The UPnP page displays.
5. Select a radio button:
- **Enable**: UPnP is enabled. This is the default setting.
- **Disable**: UPnP is disabled.
6. Click the **Apply** button.
Your settings are saved.
## Manage the multicast DNS gateway {#concept_dm4_tpx_g1c}
The AP can function as a multicast DNS \(mDNS\) gateway to allow devices and services to be shared across different VLANs and WiFi networks. mDNS works even if inter-VLAN routing is disabled in the network to which the AP is connected.
Shared devices include printers, scanners, storage devices, and other hardware devices. Services include multiple predefined telephone, music, and video streaming services, file sharing services, and other services and applications.
For example, if a group of WiFi clients are on VLAN 20 and a printer is on VLAN 1, an mDNS gateway policy can make the printer available to the WiFi clients. Or, if a meeting participant wants to use a phone connected to a WiFi network on VLAN 20 to cast a presentation to a large-screen device connected to a WiFi network on VLAN 30, another mDNS gateway policy can make this possible.
A service can run either on a wired or WiFi device, but for a WiFi client to be able to access the service, the WiFi client must be connected to a WiFi network on an AP that has the mDNS gateway feature enabled.
In a network with multiple APs that support the mDNS gateway feature, you can set one AP as the mDNS reflector AP, which re-advertises shared devices and services throughout the network.
An mDNS gateway and the following features are mutually exclusive:
- WPA2 Enterprise security and WPA3 Enterprise security that use a dynamic VLAN \(see [Set up an open or secure WiFi network](#task_ujs_4pt_dzb)\)
- Multi PSK \(see [Set up Multi PSK for a WiFi network](#task_jh1_c5k_h1c)\)
- Management VLAN \(see [Set the 802.1Q VLAN and management VLAN](#task_b45_rsw_g1c)\)
- NAT mode \(see [Set NAT mode or Bridge mode for addressing and traffic](#task_cjb_tvd_h1c)\)
- Client isolation \(see [Enable or disable client isolation for a WiFi network](#task_qpk_cxd_h1c)\)
### Enable the multicast DNS gateway and add a policy {#task_wzf_brx_g1c}
After you enable the multicast DNS \(mDNS\) gateway and add a policy, the AP can automatically discover devices and services that can be shared. The policy forms a bridge between the following two VLANs:
- **Service VLAN**: The VLAN that includes shared devices or services as members. For example, the type of shared device can be *printer*, in which case the service VLAN is the VLAN of which the printer is a member. Or, the type of shared service can be *Googlecast*, in which case the service VLAN is the VLAN of which the Googlecast device is a member.
- **VLANs on allowed WiFi networks**: The VLAN that includes as members the WiFi devices that must be able to use the shared devices or service on the service VLAN.
You can add up to eight policies. A policy enables access to a shared device or service. A WiFi client can access a shared device or service if the AP to which the client is connected has a policy configured for the shared device of service.
To enable the multicast DNS gateway and add a policy:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; mDNS Gateway**.
The mDNS Gateway page displays.
5. Select the mDNS Gateway **Enable** radio button.
By default, the mDNS gateway is disabled and the Disable radio button is selected.
6. If your network includes multiple APs that support the mDNS gateway feature and this AP must function as the mDNS reflector AP in your network, select the **Yes** radio button.
By default, the No radio button is selected.
7. Click the **Apply** button.
Your settings are saved. A section with policy information displays.
8. Click the Add Policy **+** button.
A row is added to the table the with mDNS gateway policies. \(You can add multiple rows for multiple policies.\)
9. Define the mDNS gateway policy by specifying the following:
- **Policy Name**: A name that lets you identify the policy. You can use up to 32 alphanumeric and special characters, except for the double quote \(“”\) and backslash \(\\\) characters.
- **Shared Services**: From the **Shared Services** menu, select the type of device \(for example, printer\) or service \(for example, Googlecast\) that must be shared.
- **Service VLAN**: In the **Service VLAN** field, enter the VLAN ID that includes as members the type of shared device or service that you select from the **Shared Services** menu.
The VLAN ID can be in the range from 1 to 4094.
- **Service IP**: Enter the IP address of the shared device or service that you select from the **Shared Services** menu.
- **Allowed WiFi Network**: From the **Allowed WiFi Network** menu, select the WiFi networks with their associated VLANs, which include as members the WiFi devices that must be able to use the type of shared devices or service that you select from the **Shared Services** menu.
10. To add another mDNS policy, click the Add Policy **+** button, and repeat the previous step.
11. Click the **Apply** button.
Your settings are saved.
### Change or remove a multicast DNS policy {#task_rnz_srx_g1c}
You can change or remove a multicast DNS \(mDNS\) policy.
To change or remove an mDNS policy:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; mDNS Gateway**.
The mDNS Gateway page displays.
5. To change a policy:
1. Click the **pencil and notebook** icon to the right of the policy.
2. Change the settings.
For more information about the settings, see [Enable the multicast DNS gateway and add a policy](#task_wzf_brx_g1c).
3. Click the **Apply** button.
Your settings are saved.
6. To remove a policy:
1. Click the **trash can** icon to the right of the policy.
2. Confirm the deletion.
# Manage and Maintain the AP {#concept_j2c_q5x_g1c .concept}
This chapter describes how you can manage and maintain the AP.
The chapter includes the following sections:
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## Change the management mode to NETGEAR Insight or Web-browser {#task_an4_y5x_g1c}
The AP can function in either of the following management modes:
- **NETGEAR Insight \(Cloud/Remote\)**: For NETGEAR Insight Premium and Insight Pro subscribers, you can manage the AP remotely through the Insight Cloud Portal or from a mobile device on which the NETGEAR Insight app is installed.
The NETGEAR Insight mode is the default setting. In this mode, you *can* connect to the AP over the device UI, but only a basic and limited device UI is available. For information about the NETGEAR Insight Cloud Portal and Insight app, visit [insight.netgear.com](https://insight.netgear.com/) and see the NETGEAR knowledge base at [netgear.com/support/product/insight.aspx](https://www.netgear.com/support/product/insight.aspx).
CAUTION:
When you change the management mode from Web-browser mode to NETGEAR Insight mode, the configuration of the AP is reset \(cleared\) with the exception of the IP address, AP name, and password for the device UI. The AP restarts and broadcasts SSID Netgearxxxxxx, in which xxxxxx represents the last six hexadecimal digits of the APs MAC address. The MAC address is listed on the product label. The default WiFi passphrase is **sharedsecret**.
- **Web-browser \(Local\)**: You can manage the AP locally from a WiFi or wired device through the device UI. In this mode, the AP functions as a standalone device and is not connected to the Insight cloud-based management platform.
**Note:** If you first add the AP to a NETGEAR Insight network location and manage the AP through the Insight Cloud Portal or Insight app and then you change the management mode to Web-browser mode, you must continue to use the Insight network password to access the device UI until you manually change the admin password on the AP.
To change the management mode to NETGEAR Insight mode or Web-browser mode:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Basic &gt; Management Mode**.
The Management Mode page displays.
5. Select one of the following radio buttons:
- **NETGEAR Insight \(Cloud/Remote\)**: The AP functions in NETGEAR Insight management mode.
- **Web-browser \(Local\)**: The AP functions in Web-browser management mode.
CAUTION:
When you change the management mode from Web-browser mode to NETGEAR Insight mode, the configuration of the AP is reset \(cleared\) with the exception of the IP address, AP name, and password for the device UI. The AP restarts and broadcasts SSID Netgearxxxxxx, in which xxxxxx represents the last six hexadecimal digits of the APs MAC address. The MAC address is listed on the product label. The default WiFi passphrase is **sharedsecret**.
6. Click the **Apply** button.
A warning pop-up window displays.
7. Click the **OK** button.
The pop-up window closes and your settings are saved. The AP restarts in the new management mode.
## Change the country or region of operation {#task_t15_nsc_h1c}
You can change the country or region in which the AP operates. Note the following:
- In some countries, the AP is sold with a preconfigured country or region setting and you cannot change it.
- If you do not see your country or region listed in the menu, update the APs firmware and check again. If you still do not see your country or region listed, contact NETGEAR support.
- Make sure that the country is set to the location where the device is operating. It might not be legal to operate the AP in a region other than the regions listed in the menu. You are responsible for complying with the local, regional, and national regulations that are set for channels, power levels, and frequency ranges.
To change the country or region of operation:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Basic &gt; General**.
The General page displays the basic system settings.
5. Select a country or region from the **Country / Region** menu.
6. Click the **Apply** button.
A warning pop-up window displays.
7. Click the **OK** button.
The pop-up window closes and your settings are saved. The AP restarts with the default WiFi and radio settings that are specific to the selected country or region.
## Change the admin user account password {#task_jdh_2kv_g1c}
This admin user account password is the password that you use to log in to the device UI of the AP with the user name admin. \(It is not the passphrase that you use for WiFi access.\)
The password must be 8 to 63 characters in length and must contain at least one uppercase letter, one lowercase letter, and one number.
To change the password for the user name admin:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; User Accounts**.
The page that displays lets you change the user accounts.
5. Next to admin, in the **Password** field, enter the new password.
6. In the **Confirm Password** field, enter the same new password.
**Note:** You cannot change the user name. The name must remain admin.
7. Click the **Apply** button.
Your settings are saved. The next time that you log in to the AP, you must use the new password. If you forget the new password, you must reset the AP to factory default settings. Doing so restores the password to the default password.
## Change the system name {#task_a25_hsc_h1c}
The system name \(also referred to as AP name, or AP name\) is a unique NetBIOS name for the AP. The default system name is located on the AP label. By default, the system name is Netgearxxxxxx, in which xxxxxx represents the last six hexadecimal digits of the APs MAC address.
To change the system name:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Basic &gt; General**.
The General page displays the basic system settings.
5. Enter a new name in the **System Name** field.
Use the following guidelines:
- The name must contain alphanumeric characters, can contain hyphens, and cannot be longer than 64 characters.
- The name cannot start or end with a hyphen.
- The name must contain at least one alphabetical character.
6. Click the **Apply** button.
Your settings are saved.
## Specify a custom NTP server {#task_nxz_bvc_h1c}
By default, the AP receives its time from a default NETGEAR Network Time Protocol \(NTP\) server, but you can also specify a custom NTP server.
To specify a custom NTP server:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Basic &gt; Time**.
The Time page displays.
By default, the Enable radio button is selected and the AP functions as an NTP client that receives its time from a default NETGEAR NTP server.
5. Select the **Use Custom NTP Server** check box.
6. Take one of the following actions:
- Enter the host name of the NTP server.
By default, the Hostname radio button is selected.
- Select the **IP address** radio button and enter the IP address of the NTP server.
7. Click the **Apply** button.
Your settings are saved. When the AP connects over the Internet to the new NTP server, the date and time that display on the page are adjusted according to your settings.
For information about setting the time zone, see [Set the time zone](#task_wb3_fvc_h1c).
## Set the time zone {#task_wb3_fvc_h1c}
When the AP synchronizes its clock with a Network Time Protocol \(NTP\) server, the page shows the date and time. If the page does not show the correct date and time, you might need to set the time zone.
To set the time zone:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Basic &gt; Time**.
The page that displays lets you change the time settings.
5. From the **Time Zone** menu, select the time zone for the area in which the AP operates.
6. Click the **Apply** button.
Your settings are saved. When the AP connects over the Internet to an NTP server, the date and time that display on the page are adjusted according to your settings.
For information about other time settings, see [Specify a custom NTP server](#task_nxz_bvc_h1c).
## Manage the syslog settings {#task_ojy_rvc_h1c}
If a syslog server is present on your network, you can configure the AP to send its system logs to the syslog server.
To manage the syslog settings and enable the syslog function:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Syslog**.
The Syslog page displays.
5. To enable the syslog server function, select the **Enable Syslog** check box.
6. Specify the IP address and port number for the syslog server:
- **Syslog Server IP Address**: Enter the IP address of the syslog server on your network.
- **Port Number**: Enter the port number at which the syslog can be reached. The port number can be in the range from 1 to 65535. By default, the port number is 514.
7. To log information that is collected from devices that are actively seeking network connections on the configured syslog server, select the **Log Probing Clients** check box.
The log message uses the following format:
`Probe request-Client:<aa:bb:cc:dd:ee:ff>, SSID: <Name>, BSSID: <aa:bb:cc:dd:ff:ee>, RSSI: <-xx dbM>, Radio: <x>, Channel: <y>`
The fields in a log message mean the following:
- Probe request-Client: MAC address
- SSID: Name
- BSSID: MAC address
- RSSI: Negative value in dBm
- Radio: Value in GHz
- Channel: Value in GHz
8. Click the **Apply** button.
Your settings are saved.
## Manage the firmware of the AP {#concept_qpc_2dd_h1c}
The AP firmware is stored in flash memory.
You can check to see if new firmware is available and update the AP to the new firmware. You can also visit the NETGEAR support website, download the firmware manually to a local computer, and update the AP to the new firmware. If someone \(usually the network administrator\) places new firmware on a secure FTP \(SFTP\) server in the network, you can load the firmware from the server and update the firmware of the AP.
Depending on how you are connected to the AP, we recommend the following firmware update methods:
- **WiFi connection**: If you are connected over WiFi to the AP, let the AP check the Internet to see if new firmware is available. See [Let the AP check for new firmware and update the firmware](#task_pwt_ldd_h1c).
With this method, if new firmware is available, it is downloaded directly to the AP.
- **LAN connection**: If you are connected over the LAN to the AP, manually update the firmware from a computer or SFTP server. See [Manually download firmware and update the AP](#task_mwj_c2d_h1c) or [Use an SFTP server to update the AP](#task_tgj_vfd_h1c).
With this mode, if new firmware is available, you must either download it to your computer and then upload it to the AP or upload it from an SFTP server to the AP.
The following sections describe the firmware management methods:
### Let the AP check for new firmware and update the firmware {#task_pwt_ldd_h1c}
For you to let the AP check for new firmware, the AP must be connected to the Internet.
To let the AP check for new firmware and update the AP:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Click the **Check for Upgrade** button.
The AP detects new firmware if any is available and displays the latest version available.
5. To read the release notes if any are available, click the **Release Notes** link.
A web page displays the release notes.
6. To download and install the new firmware, click the **Upgrade Now** button, and follow the prompts and dialog boxes.
The AP locates the firmware, downloads it, and begins the update.
**Warning:** To avoid the risk of corrupting the firmware, do not interrupt the update. For example, do not close the browser, click a link, or load a new page. Do not turn off the AP. Wait until the AP finishes restarting and the LED remains solid green or solid blue.
The firmware update process takes several minutes. When the update is complete, your AP restarts.
7. Verify that the AP runs the new firmware version by logging back in to the AP.
The firmware version is displayed on the Dashboard.
8. Read the new firmware release notes to determine whether you must reconfigure the AP after updating.
### Manually download firmware and update the AP {#task_mwj_c2d_h1c}
Downloading firmware to a local computer and updating the AP are two separate tasks that are combined in the following procedure. After you update the AP to new firmware, the old firmware is saved as backup firmware so that you can revert to it \(see [Revert to the backup firmware](#task_ext_dfd_h1c)\).
CAUTION:
When you install an older firmware version \(or the backup firmware version\), that is, you downgrade rather than update the firmware, the configuration of the AP is reset \(cleared\) with the exception of the IP address, AP name, and password for the device UI. The AP restarts and broadcasts SSID Netgearxxxxxx, in which xxxxxx represents the last six hexadecimal digits of the APs MAC address. The MAC address is listed on the product label. The default WiFi passphrase is **sharedsecret**.
To download firmware manually and update the AP:
1. Visit [netgear.com/support/download/](https://www.netgear.com/support/download/), locate the support page for your product, and download the new firmware.
2. Read the new firmware release notes to determine whether you must reconfigure the AP after upgrading.
3. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
4. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
5. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
6. Select **Management &gt; Maintenance &gt; Upgrade &gt; Firmware Upgrade**.
The Firmware Upgrade page displays.
7. Make sure that **Local** is selected from the **Upgrade Options** menu.
Local is the default selection.
8. Locate and select the firmware file on your computer by doing the following:
1. Click the **Browse** button.
2. Navigate to the firmware file.
The file name ends in `.tar`.
3. Select the firmware file.
9. Click the **Upgrade** button.
**Warning:** To avoid the risk of corrupting the firmware, do not interrupt the update. For example, do not close the browser, click a link, or load a new page. Do not turn off the AP. Wait until the AP finishes restarting and the LED remains solid green or solid blue.
The firmware update process takes several minutes. When the update is complete, the AP restarts.
10. Verify that the AP runs the new firmware version by logging back in to the AP.
The firmware version is displayed on the Dashboard.
### Revert to the backup firmware {#task_ext_dfd_h1c}
After you upgrade the AP to new firmware, the old firmware is saved as backup firmware so that you can revert to it.
CAUTION:
When you revert to the backup firmware and the backup firmware is an earlier version than the firmware version that is running on the AP, the configuration of the AP is reset \(cleared\) with the exception of the IP address, AP name, and password for the device UI. The AP restarts and broadcasts SSID Netgearxxxxxx, in which xxxxxx represents the last six hexadecimal digits of the APs MAC address. The MAC address is listed on the product label. The default WiFi passphrase is **sharedsecret**.
To revert to the backup firmware on the AP:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Maintenance &gt; Upgrade &gt; Firmware Upgrade**.
The Firmware Upgrade page displays. The page shows both the current firmware version and the backup firmware version.
5. Click the **Boot up Backup Firmware** button.
A warning pop-up window displays.
CAUTION:
When you revert to the backup firmware, the configuration of the AP is reset \(cleared\) with the exception of the IP address, AP name, and password for the device UI. The AP restarts and broadcasts SSID Netgearxxxxxx, in which xxxxxx represents the last six hexadecimal digits of the APs MAC address. The MAC address is listed on the product label. The default WiFi passphrase is **sharedsecret**.
6. Click the **Swap** button.
The pop-up window closes, the firmware reversion process initiates, and the AP restarts.
**Warning:** To avoid the risk of corrupting the firmware, do not interrupt the reversion. For example, do not close the browser, click a link, or load a new page. Do not turn off the AP. Wait until the AP finishes restarting and the LED remains solid green or solid blue.
7. Verify that the AP runs the backup firmware version by logging back in to the AP.
The firmware version is displayed on the Dashboard.
### Use an SFTP server to update the AP {#task_tgj_vfd_h1c}
If someone \(usually the network administrator\) places new firmware on a secure FTP \(SFTP\) server in the network, you can load the firmware from the SFTP server and update the firmware of the AP.
To update the firmware of the AP from an SFTP server:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Maintenance &gt; Upgrade &gt; Firmware Upgrade**.
The Firmware Upgrade page displays.
5. From the **Upgrade Options** menu, select **SFTP**.
6. Specify the following server settings:
- **Firmware File**: The name of the AP firmware file on the SFTP server.
- **SFTP Server IP**: The IP address of the SFTP server on your network.
- **User Name**: The user name that is required to access the SFTP server.
- **Password**: The password that is required to access the SFTP server.
7. Click the **Upgrade** button.
**Warning:** To avoid the risk of corrupting the firmware, do not interrupt the update. For example, do not close the browser, click a link, or load a new page. Do not turn off the AP. Wait until the AP finishes restarting and the LED remains solid green or solid blue.
The firmware update process takes several minutes. When the update is complete, the AP restarts.
8. Verify that the AP runs the new firmware version by logging back in to the AP.
The firmware version is displayed on the Dashboard.
## Manage the configuration file of the AP {#concept_sjx_wpc_h1c}
The configuration settings of the AP are stored within the AP in a configuration file. You can back up \(save\) this file to your computer or restore it.
### Back up the AP configuration {#task_xdc_qpc_h1c}
You can save a copy of the current configuration settings. If necessary, you can restore the configuration settings later.
**Note:** The backup file is saved in a binary format so that it is protected and cannot be opened by a regular application.
To back up the APs configuration settings:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Maintenance &gt; Upgrade &gt; Backup and Restore &gt; Backup Settings**.
The Backup Settings page displays.
5. Click the **Backup** button.
A pop-up window displays.
6. Enter a password to protect the backup file, and click the **Continue** button.
You can either use your existing password \(the one that you use to log in to the AP\) or enter a unique password.
The password must be 8 to 63 characters in length and must contain at least one uppercase letter, one lowercase letter, and one number. The following special characters are allowed:
! @ \# $ % ^ &amp; \* \( \)
**Note:** We recommend that you save the password because you must enter it again if you restore the configuration from the backup file.
7. Choose a location to store the file on your computer.
The name of the backup file can be `WBE7XX-NETGEARYYYYYY-dd-mm-yy_hh-mm-ss-config.tar` or `WBE7XX-WBE7XX-YYYYYY-dd-mm-yy_hh-mm-ss-config.tar`.
7XX represents the model number, YYYYYY represents the last six hexadecimal digits of the APs MAC address \(or the system name\), dd is the date, mm is the month, yy is the year, hh is the hour \(in 24-hour format\), mm is the minutes, and ss is the seconds.
Examples of the name of a backup file are `WBE7XX-NETGEAR1A2B3C-02-18-24_16-44-12-config.tar` and `WBE7XX-WBE7XX-1A2B3C-02-18-24_16-44-12-config.tar`.
8. Follow the directions of your browser to save the file.
### Restore the AP configuration {#task_d4q_hqc_h1c}
If you backed up the configuration file, you can restore the configuration from this file.
To restore configuration settings that you backed up:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Maintenance &gt; Upgrade &gt; Backup and Restore &gt; Restore Settings**.
The Restore Settings page displays.
5. Click the **Browse** button and navigate to and select the saved configuration file.
The name of the backup file can be `WBE7XX-NETGEARYYYYYY-dd-mm-yy_hh-mm-ss-config.tar` or `WBE7XX-WBE7XX-YYYYYY-dd-mm-yy_hh-mm-ss-config.tar`.
7XX represents the model number, YYYYYY represents the last six hexadecimal digits of the APs MAC address \(or the system name\), dd is the date, mm is the month, yy is the year, hh is the hour \(in 24-hour format\), mm is the minutes, and ss is the seconds.
Examples of the name of a backup file are `WBE7XX-NETGEAR1A2B3C-02-18-24_16-44-12-config.tar` and `WBE7XX-WBE7XX-1A2B3C-02-18-24_16-44-12-config.tar`.
6. Click the **Restore** button.
A pop-up window displays.
7. Enter the password that you specified when you saved the backup file, and click the **Continue** button.
8. Click the **Restore** button.
The pop-up window closes and the configuration is uploaded to the AP. When the restoration is complete, the AP reboots. This process takes about two minutes.
**Warning:** To avoid the risk of corrupting the firmware, do not interrupt the restoration. For example, do not close the browser, click a link, or load a new page. Do not turn off the AP. Wait until the AP finishes restarting and the LED turns solid green or solid blue.
## Use the Reset button to reboot the AP {#task_uhf_d5s_mbc}
You can use the **Reset** button to reboot the AP.
To reboot the AP using the **Reset** button:
1. On the bottom panel of the AP, locate the recessed **Reset** button.
2. Using a straightened paper clip, press and hold the **Reset** button for about two seconds until the LED lights solid amber, and then immediately release the button.
CAUTION:
If you continue to hold the **Reset** button, the AP might return to its factory default settings. Release the button as soon as the LED lights solid amber.
The AP reboots, which takes about two minutes.
**Warning:** To avoid the risk of corrupting the firmware, do not interrupt the reboot. Do not turn off the AP. Wait until the AP finishes restarting and the LED turns solid green or solid blue.
## Reboot the AP from the device UI {#task_ork_1jd_h1c}
If you cannot physically access the AP to reboot it \(that is, disconnect the power and reconnect the power\), you can use the device UI to reboot the AP.
To reboot the AP from the device UI:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Maintenance &gt; Reset &gt; Reboot AP**.
The Reboot AP page displays.
5. Click the **Reboot AP** button.
A warning pop-up window displays.
6. Click the **Reboot** button.
The pop-up window closes and the AP reboots, which takes about one minute.
## Schedule the AP to reboot {#task_cl4_xkd_h1c}
You can schedule the AP to reboot at a time that is more convenient for the network, for example, when you do not expect any \(or only a few\) WiFi clients to be connected to the AP. The schedule that you set up is a recurring schedule.
To schedule the AP to reboot:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Maintenance &gt; Reset &gt; Reboot AP**.
The Reboot AP page displays.
5. Click the **Enable Scheduled Reboot** button so that the button displays blue.
The scheduling controls display.
6. Select the check box for the day on which you want the AP to reboot.
You can select multiple days.
7. Using the **Start Time** menus, specify the hour and minutes for the time at which the AP must reboot.
Specify the hour in 24-hour format.
8. Click the **Apply** button.
Your settings are saved.
## Return the AP to its factory default settings {#concept_gxl_1kd_h1c}
Under some circumstances \(for example, if you lost track of the changes that you made to the AP settings or you move the AP to a different network\), you might want to erase the configuration and reset the AP to factory default settings.
If you do not know the current IP address of the AP, first try to use an IP scanner application to detect the IP address before you reset the AP to factory default settings.
**Note:** You can also use the NETGEAR Insight app to discover the IP address that is assigned to the AP. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
To reset the AP to factory default settings, you can use either the **Reset** button on the AP or the reset function in the device UI. However, if you cannot find the IP address or you lost the password to access the AP, you must use the **Reset** button.
After you reset the AP to factory default settings, the password for the admin user name is **password**, the APs DHCP client is enabled, the setup SSID is shown in the format NETGEARxxxxxx-SETUP, and the default password for WiFi access is **sharedsecret**. If the AP does not receive an IP address from a DHCP server, the LAN IP address is set to 192.168.0.100.
For an extensive list of factory default settings, see [Factory default settings](#concept_cnr_rfs_h1c).
### Use the Reset button to reset the AP {#task_ocl_rkd_h1c}
You can use the **Reset** button to return the AP to its factory default settings.
CAUTION:
This process erases all settings that you configured in the AP.
To reset the AP to factory default settings:
1. On the bottom panel of the AP, locate the recessed **Reset** button.
2. Using a straightened paper clip, press and hold the **Reset** button until the LED starts blinking amber.
**Note:** If you hold the **Reset** button, the LED first lights solid amber, and then about 5 seconds later, starts blinking amber. If you release the button while the LED lights solid amber, the AP reboots rather than resets. The LED must be blinking amber.
3. Release the **Reset** button.
The configuration is reset to factory default settings. When the reset is complete, the AP reboots. This process takes about two minutes.
**Warning:** To avoid the risk of corrupting the firmware, do not interrupt the reset. Do not turn off the AP. Wait until the AP finishes restarting and the LED turns solid green or solid blue.
### Use the device UI to reset the AP {#task_fy2_pvx_g1c}
You can use the APs device UI to return the AP to its factory default settings.
CAUTION:
This process erases all settings that you configured in the AP.
To reset the AP to factory default settings through the device UI:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Maintenance &gt; Reset &gt; Restore Defaults**.
The Restore Defaults page displays.
5. Click the **Restore Defaults** button.
A warning pop-up window displays.
6. Click the **Restore** button.
The pop-up windows closes and the configuration is reset to factory default settings. When the reset is complete, the AP reboots. This process takes about two minutes.
**Warning:** To avoid the risk of corrupting the firmware, do not interrupt the reset. For example, do not close the browser, click a link, or load a new page. Do not turn off the AP. Wait until the AP finishes restarting and the LED turns solid green or solid blue.
## Enable SNMP and manage the SNMP settings {#task_oss_s3d_h1c}
You can access the AP over a Simple Network Management Protocol \(SNMP\) connection, which allows SNMP network management software such as HP OpenView to manage the AP by using the SNMPv1 or SNMPv2 protocol. By default, SNMP is disabled.
To enable SNMP and manage the SNMP settings:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Maintenance &gt; Remote Management**.
The Remote Management page displays.
5. Select the SNMP **Enable** radio button.
By default, SNMP is disabled.
6. Specify the following settings:
- **Read-Only Community Name**: The community string that allows the SNMP manager to read the APs MIB objects. The default is public. This name must be different from the read-write community name.
- **Read-Write Community Name**: The community string that allows the SNMP manager to read and write the APs MIB objects. The default is private. This name must be different from the read-only community name.
- **Trap Community Name**: The community name that is associated with the IP address that must receive traps. The default is trap.
- **IP Address \(to receive traps\)**: The IP address of the SNMP manager that must receive traps.
- **Trap Port**: The port number at which the SNMP manager must receive traps. The default port number is 162. The only other option is port number 161.
**Note:** For the read-only community name, read-write community name, and the trap community name each, the name can be a maximum of 32 characters, and the following special characters are supported: - \_ \\ / : . , @
7. Click the **Apply** button.
Your settings are saved.
## Manage the LED {#task_zzj_n3d_h1c}
By default, the single LED is enabled and functions as described in [Top panel LED](#concept_yf3_35p_czb). You can manage whether the LED lights at all. This function is useful if you want the AP to function in a dark environment.
To enable or disable the LED:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; LED Control**.
The LED Control page displays.
5. Select or clear one of the following radio buttons:
- **Enable the LED**: The LED is enabled. This is the default setting.
- **Disable the LED**: The LED is disabled.
- **Enable the LED for power and cloud functions**: The LED is enabled for power and cloud functions only.
6. Click the **Apply** button.
Your settings are saved.
## Manage the Energy Efficiency Mode {#task_css_3zv_g1c}
If no WiFi clients are connected to the AP, the AP can automatically enter Energy Efficiency Mode \(EEM\) to reduce power consumption and save energy. When one or more WiFi clients connect, the AP automatically leaves the EEM to resume normal operation.
If EEM is enabled and no WiFi clients are connected to the AP, antenna stream operation is limited to 1x1. \(Under normal circumstances, the AP can support multiple antenna streams.\) If a WiFi client initiates a connection to the AP, the antenna streams resume normal operation.
Note the following restrictions:
- **Wireless distribution system**: EEM is mutually exclusive with a wireless distribution system \(WDS, see [Set up a WiFi Bridge in a Wireless Distribution System](#concept_y3f_gtj_h1c)\).
- **Neighbor AP detection**: EEM does not let the 5 GHz and 6 GHz radios detect neighbor APs \(see [Manage neighbor AP detection](#concept_xxs_qzv_wlb)\).
- **DFS channels**: When WiFi clients connect to the AP and the AP resumes normal operation, 5 GHz radio transmissions can be temporarily suspended if the AP operates in a DFS channel \(about 1 minute suspension for a DFS channel; about 10 minutes suspension for a weather DFS channel\).
**Note:** If use you use EEM, we recommend that you enable band steering in your WiFi networks. Band steering lets 5-GHz-capable WiFi clients that are connected to the 2.4 GHz band to be steered to the 5 GHz or 6 GHz band for improved performance. For more information, see [Enable or disable band steering](#task_lwy_1yk_h1c).
To enable or disable the Energy Efficiency Mode:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; System &gt; Advanced &gt; Energy Efficiency Mode**.
The Energy Efficiency Mode page displays.
5. Select a radio button:
- **Enable**: Energy Efficiency Mode is enabled.
- **Disable**: Energy Efficiency Mode is disabled. This is the default setting.
6. Click the **Apply** button.
Your settings are saved.
# Monitor the AP and the Network {#concept_d5z_p1l_h1c .concept}
This chapter describes how you can monitor the AP and the network.
The chapter includes the following sections:
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## Display the AP Internet, IP, and system settings {#task_t5v_h2l_h1c}
To display the AP, Internet, IP, and system settings:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Locate the Connection Status Information pane \(usually at the left of the page\), System Information pane \(usually at the upper center of the page\), and IP Settings Information pane \(usually at the lower center of the page\).
If the page width on your device is narrow, these panes might be located elsewhere on the Dashboard.
For information about the radio settings pane \(usually at the right of the page\), see [Display the WiFi radio settings](#task_fd4_wfl_h1c).
The following settings are displayed:
- **Connection Status Information pane**: This pane is in the top, left corner of the Dashboard \(if the page width on your device is sufficient; otherwise, it might be elsewhere\) and displays the following:
- Status of the connection to the NETGEAR Insight cloud-based management platform, if any
- Status of the Internet connection
- Functioning mode of the AP, which is always Access Point
- Number of devices connected to the AP
- **System Information pane**: This pane is in the center at the top of the Dashboard \(if the page width on your device is sufficient; otherwise, it might be elsewhere\) and displays the following:
- System name of the AP and country or region of operation
- Ethernet MAC address
- The serial number
- AP uptime
- Firmware version
- The date and time that the AP itself or someone manually last checked if new firmware was available
This pane also contains a button that you can click to check for firmware updates for the AP. If an update is available, the **Update Available** button displays. \(For more information about firmware updates, see [Let the AP check for new firmware and update the firmware](#task_pwt_ldd_h1c)\).
- **IP Settings Information pane**: This pane is in the center of the Dashboard \(if the page width on your device is sufficient; otherwise, it might be elsewhere\) and displays the following:
- IP address of the AP and its DHCP status
- Gateway IP address
- Gateway status
- Wired traffic volume
5. To display more detailed information, select **Management &gt; Monitoring &gt; System**.
The System page displays.
The page shows five sections:
- **System Information section**: The following settings are displayed:
- **System Name**: The AP NetBIOS name
- **System Mode**: The AP system mode \(AP\)
- **LAN MAC Address**: The MAC address of the LAN Ethernet port of the AP
- **Wireless MAC Address for 2.4 GHz**: The MAC address of 2.4 GHz WiFi interface \(radio\) of the AP
- **Wireless MAC Address for 5 GHz**: The MAC address of 5 GHz WiFi interface \(radio\) of the AP
- **Wireless MAC Address for 6 GHz**: The MAC address of 6 GHz WiFi interface \(radio\) of the AP
- **Power Source**: The type of power source \(the detected level of PoE power or Power Adapter\)
For more information about the PoE level, see [The AP functions as a PoE PD and the LED is blinking green continuously](#task_z4q_dnr_xlb).
- **Ethernet LLDP**: The status of Ethernet LLDP feature \(Enabled or Disabled\)
- **LLDP Neighbor**: The neighbor that LLDP detected
- **Country / Region**: The country or region in which the AP operates or for which the AP is licensed
- **Current Firmware Version**: The version of the firmware that is running on the AP
- **Backup Firmware Version**: The version of the backup firmware on the AP
- **Bootloader Version**: The primary bootloader \(U-Boot\) version that is installed on the AP
- **Serial Number**: The serial number of the AP
- **Current Time**: The current system time of the AP
- **Uptime**: The time since the AP was last restarted
- **AP Interface Status**: A green icon indicates that the interface is in use. A gray icon indicates that the interface is not in use.
- **IPv4 Settings section**: The following settings are displayed:
- **IPv4 Address**: The IPv4 address of the AP
- **Subnet Mask**: The subnet mask of the AP
- **Default Gateway**: The default gateway for the AP
- **DHCP Client**: The status of DHCP client \(Enabled or Disabled\)
- **Fan Operational Status**: The following settings are displayed:
- **System Temperature \(°C\)**: The internal temperature of the AP in Celsius
- **Fan RPM**: The revolutions per minute \(RPM\) speed of the internal fan
- **Wireless Settings section**: The following settings are displayed, with separate columns for the radios:
- **Antenna**: The type of antenna \(by default, 2x24x4\).
- **Wireless Mode**: The operating WiFi mode of the radio.
- **Channel / Frequency**: The channel and frequency that are used by the radio.
- **Tx Power \(in dBm\)**: The transmit power in dBm.
## Display the WiFi radio settings {#task_fd4_wfl_h1c}
To display the WiFi radio settings of the AP:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Locate the Radio Information pane at the top, right corner of the Dashboard \(if the page width on your device is sufficient; otherwise, it might be elsewhere\).
The following settings are displayed:
- Radio status \(If the 2.4 GHz, 5 GHz, or 6 GHz icon is displayed as gray, the radio is turned off.\)
- Mode
- Channel
- Channel width
- Number of connected clients and maximum number of supported clients
- WiFi traffic volume
- Channel utilization
- Antenna
5. To display information about another radio, click the **2.4 GHz**, **5 GHz**, or **6 GHz** tab.
The pane adjusts.
6. To display more detailed information, select **Management &gt; Monitoring &gt; System**.
The System page displays.
The page shows five sections:
- **System Information section**: The following settings are displayed:
- **System Name**: The AP NetBIOS name
- **System Mode**: The AP system mode \(AP\)
- **LAN MAC Address**: The MAC address of the LAN Ethernet port of the AP
- **Wireless MAC Address for 2.4 GHz**: The MAC address of 2.4 GHz WiFi interface \(radio\) of the AP
- **Wireless MAC Address for 5 GHz**: The MAC address of 5 GHz WiFi interface \(radio\) of the AP
- **Wireless MAC Address for 6 GHz**: The MAC address of 6 GHz WiFi interface \(radio\) of the AP
- **Power Source**: The type of power source \(the detected level of PoE power or Power Adapter\)
For more information about the PoE level, see [The AP functions as a PoE PD and the LED is blinking green continuously](#task_z4q_dnr_xlb).
- **Ethernet LLDP**: The status of Ethernet LLDP feature \(Enabled or Disabled\)
- **LLDP Neighbor**: The neighbor that LLDP detected
- **Country / Region**: The country or region in which the AP operates or for which the AP is licensed
- **Current Firmware Version**: The version of the firmware that is running on the AP
- **Backup Firmware Version**: The version of the backup firmware on the AP
- **Bootloader Version**: The primary bootloader \(U-Boot\) version that is installed on the AP
- **Serial Number**: The serial number of the AP
- **Current Time**: The current system time of the AP
- **Uptime**: The time since the AP was last restarted
- **AP Interface Status**: A green icon indicates that the interface is in use. A gray icon indicates that the interface is not in use.
- **IPv4 Settings section**: The following settings are displayed:
- **IPv4 Address**: The IPv4 address of the AP
- **Subnet Mask**: The subnet mask of the AP
- **Default Gateway**: The default gateway for the AP
- **DHCP Client**: The status of DHCP client \(Enabled or Disabled\)
- **Fan Operational Status**: The following settings are displayed:
- **System Temperature \(°C\)**: The internal temperature of the AP in Celsius
- **Fan RPM**: The revolutions per minute \(RPM\) speed of the internal fan
- **Wireless Settings section**: The following settings are displayed, with separate columns for the radios:
- **Antenna**: The type of antenna \(by default, 2x24x4\).
- **Wireless Mode**: The operating WiFi mode of the radio.
- **Channel / Frequency**: The channel and frequency that are used by the radio.
- **Tx Power \(in dBm\)**: The transmit power in dBm.
## Display unknown and known neighbor access points {#task_xdz_lgl_h1c}
If you enabled neighbor access point \(AP\) detection \(see [Manage neighbor AP detection](#concept_xxs_qzv_wlb)\), you can display the unknown access points in the Unknown AP list and the known access points in the Known AP list.
To display the detected neighbor access points:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Monitoring &gt; Neighbor AP**.
The Neighbor AP page displays.
At the top of the page, for each radio band, the page displays the total number of unknown access points.
For information about moving unknown access points to the Known AP list, see [Enable neighbor access point detection and move access points to the Known AP List](#task_gxj_1bw_g1c).
5. To display the most recent unknown access points, click the **Refresh** button.
6. To display the Known AP list, click the **Known AP** tab.
The page adjusts.
At the top of the page, for each radio band, the page displays the total number of known access points.
7. To display the most recent known access points, click the **Refresh** button.
## Display statistics for MAC and IP-based traffic policies {#task_dj5_vkr_2bc}
You can display the traffic statistics for global and SSID-specific MAC and IP-based traffic policies \(traffic rules\). For each rule, these statistics consist of the number of packets and the number of bytes that a rule has taken effect on.
In order to display traffic statistics, you must have enabled traffic rules:
- **Wireless Noise Filter**: If you enable the Wireless Noise Filter \(see [Enable or disable the Wireless Noise Filter](#task_jl3_lw1_2bc)\) and you enable one or more global traffic rules \(see [Enable, disable, or change a traffic rule in the Wireless Noise Filter](#task_bdd_hx1_2bc)\), you can display the traffic statistics that are associated with the MAC level or IP level of the traffic rules.
- **Global Traffic Filter**: If you enable the Global Traffic Filter \(see [Enable or disable the Global Traffic Filter](#task_l3s_4v1_2bc)\) and you add *and* enable one or more global traffic rules \(see [Add a traffic rule to the Global Traffic Filter](#task_rmj_gp1_2bc)\), you can display the traffic statistics that are associated with the MAC level or IP level of the traffic rules.
- **SSID-Specific Group**: If you enable at least one MAC/IP Traffic Filter group \(see [Enable or disable a MAC/IP Traffic Filter group](#task_nts_bv1_2bc)\), add *and* enable one or more traffic rules \(see [Add a traffic rule to a MAC/IP Traffic Filter group](#task_ggh_mn1_2bc)\), and attach the group to a WiFi network \(see [Select a MAC/IP Traffic Filter group for a WiFi network](#task_fgg_jl3_2bc)\), you can display the traffic statistics that are associated with the MAC level or IP level of the traffic rules.
To display statistics for MAC and IP-based traffic policies:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. To display traffic statistics, select **Management &gt; Monitoring &gt; MAC/IP Traffic Filter Statistics**.
The MAC/IP Traffic Filters Statistics page displays.
5. To display traffic statistics for the Wireless Noise Filter, in the System-Wide Groups section, click the **&gt; Wireless Noise Filter** tab. \(The tab might be selected by default.\)
The page displays the following information and statistics for each enabled traffic rule in the Wireless Noise Filter:
- **Priority**: The priority order of the rule.
- **Rule Name**: The rule name.
- **Action**: Indicates whether traffic is allowed or denied.
- **Network Layer**: Indicates whether the rule operates at the MAC or IP level.
- **Packets**: The number of packets that the rule has taken effect on.
- **Bytes**: The number of bytes that the rule has taken effect on.
6. To display traffic statistics for the Global Traffic Filter, in the System-Wide Groups section, click the **&gt; Global Traffic Filter** tab.
The page displays the following information and statistics for each enabled traffic rule in the Global Traffic Filter:
- **Priority**: The priority order of the rule.
- **Rule Name**: The rule name.
- **Action**: Indicates whether traffic is allowed or denied.
- **Network Layer**: Indicates whether the rule operates at the MAC or IP level.
- **Packets**: The number of packets that the rule has taken effect on.
- **Bytes**: The number of bytes that the rule has taken effect on.
7. To display traffic statistics for a specific group that you associated with a WiFi network \(SSID\), in the SSID-Specific Groups section, click the **&gt; Group** tab for the group number.
The page displays the following information and statistics for each enabled traffic rule in the group:
- **Priority**: The priority order of the rule.
- **Rule Name**: The rule name.
- **Action**: Indicates whether traffic is allowed or denied.
- **Network Layer**: Indicates whether the rule operates at the MAC or IP level.
- **Packets**: The number of packets that the rule has taken effect on.
- **Bytes**: The number of bytes that the rule has taken effect on.
8. To display the most recent statistics, click the **Refresh** button.
9. To let the page refresh automatically, click the **Auto Refresh** button.
When the page is set to refresh automatically, the Auto Refresh button displays blue, and the page is refreshed every 30 seconds.
10. To reset all counters, click the **Reset Counters** button.
## Display client distribution, connected clients, and client trends {#task_rq4_qsw_wlb}
To display the clients that are connected to the AP over WiFi:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Locate the Client Distribution pane \(usually at the middle left of the page\) and the Recent Clients pane \(usually at the middle right of the page\).
The Client Distribution pane shows the types of clients \(Windows, Mac, iOS, Android, Linux, and other operating systems\) and how these clients are distributed over the networks. \(By default, the Network button is selected.\)
The Recent Clients pane shows the top 5 recently connected clients list.
5. To display how the clients are distributed over the radios, click the **Radio** button in the Client Distribution pane.
The page adjusts and shows the types of clients for each radio.
6. To display recent clients for all networks or a single network, in the Recent Clients pane, click the filter icon, and select **All WiFi Clients** or the clients for a specific WiFi network \(SSID\).
For your selection, the pane displays the total number of connected clients and the device names of the connected clients.
7. To display information about a connected client, click its device name.
The page displays the MAC address, device type, IP address, and SSID for the client. You can also display more information, including very detailed information \(see [11](#step_pbp_2yt_51b) and [12](#step_hsx_x2k_xlb)\).
8. To display trends about clients, scroll down to the Hours Trend pane \(usually at the bottom of the page\).
The Hours Trend pane shows a graph with the number of clients, the traffic in MBps, the channel utilization, or the fan condition over a period that you can select.
By default, the client information is selected \(that is, the **Client** button is selected\) and the graph shows the total number of clients for all radios and the number of clients for each radio \(2.4 GHz, 5 GHz, and 6 GHz\).
You can also click the **Traffic** button, the **Channel Utilization** button, or the **Fan** button. For more information, see [Display traffic volume, fan information, statistics, and channel utilization](#task_o45_g3q_h1c).
9. To display more information, point to a node on one of the lines on the graph.
10. To change the period over which information is filtered and displayed, select the number of recent hours from the menu to the right of the buttons.
11. To display more information about currently connected clients, select **Management &gt; Monitoring &gt; Connected Clients**.
The Connected Clients page displays.
For each radio, the page displays the number of connected clients and the maximum number of supported clients. Connected clients that support multi-link operation \(MLO\) are highlighted under the partner radios on the page.
For each radio and each WiFi client, the page displays the SSID, MAC address, IP address, host name \(for more information, see [Assign host names to WiFi clients and manage the host name list](#task_upx_512_h1c)\), operating system \(OS\), WiFi mode, VLAN ID, and user name or key identifier \(for a Multi PSK configuration\).
12. To display very detailed information about a WiFi client, click the information \(I\) icon to the left of the client.
The Detailed Client Information page displays and shows the following information:
- **MAC Address**: The MAC address of the client.
- **IP Address**: The IP address associated with the client.
- **Host Name**: The host name of the client.
- **OS**: The operating system that runs on the client.
- **BSSID**: The BSSID that the client connects to.
- **SSID**: The SSID of the radio that the client connects to.
- **Channel**: The channel that the client connects to.
- **Channel Width**: The width of the channel that the client connects to.
- **Tx Rate**: The rate of traffic transmission of the client.
- **Rx Rate**: The rate of traffic reception of the client.
- **RSSI**: The RSSI threshold value of the client.
- **Tx Bytes**: The number of bytes that the client transmitted.
- **Rx Bytes**: The number of bytes that the client received.
- **State**: The QoS state of the connection.
- **Type**: The type of WiFi security that is used for the connection.
- **Device Type**: The type of device that the client is.
- **Mode**: The WiFi mode of the connection.
- **MLO Supported**: Indicates if the client supports MLO.
- **MLD Address**: If the client supports MLO, the multi link device \(MLD\) MAC address.
- **Status**: The security status of the connection.
- **Idle Time**: The time that the client remained idle.
- **Assoc Time Stamp**: The time that is associated with the information on the Detailed Client Information page.
- **VLAN ID**: The VLAN in which the client is placed.
- **User Name / Key Identifier**: The user name or key identifier \(for a Multi PSK configuration\) of the client.
- **PMF Support**: If PMF is enabled on the AP, indicates if the client supports PMF.
13. If you opened the Detailed Client Information page, click the **Close** button.
The Detailed Client Information page closes.
14. To display the most recent information, click the **Refresh** button.
## Display traffic volume, fan information, statistics, and channel utilization {#task_o45_g3q_h1c}
To display WiFi and Ethernet \(wired LAN\) traffic, fan information, traffic and ARP statistics, and channel utilization:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Scroll down to the Hours Trend pane at the bottom of the Dashboard.
By default, the **Clients** button is selected. \(For more information, see [Display client distribution, connected clients, and client trends](#task_rq4_qsw_wlb).\)
5. To display traffic information, do the following:
1. Click the **Traffic** button.
The graph shows the information for Ethernet \(wired LAN\) traffic, total WiFi traffic, WiFi traffic for the 2.4 GHz radio, WiFi traffic for each 5 GHz radio, and WiFi traffic for the 6 GHz radio.
2. To display more information, point to a node on one of the lines on the graph.
6. To display channel utilization, do the following:
1. Click the **Channel Utilization** button.
The graph shows the channel utilization for the 2.4 GHz radio.
2. To display the channel utilization for another radio, click the **5 GHz** or **6 GHz** button.
3. To display more information, point to a bar.
7. To display fan information, do the following:
1. Click the **Fan** button.
The graph shows the system temperature and fan RPM.
2. To display more information, point to a bar.
8. To change the period over which information is filtered and displayed, select the number of recent hours from the menu to the right of the buttons.
9. To display traffic statistics, select **Management &gt; Monitoring &gt; Statistics**.
The Statistics page displays.
The page shows the network traffic statistics and number of packets and bytes for both the WiFi and Ethernet interfaces of the AP since the AP started or rebooted. The page also displays the number of clients that are associated with each radio.
If the ARP proxy is enabled \(see [Manage the ARP proxy](#task_or5_drk_h1c)\), the page also displays the ARP statistics, including the number of proxied and dropped packets.
10. To display the most recent information, click the **Refresh** button.
## Display or download tracked URLs {#task_dbt_njq_h1c}
If you enabled URL tracking for a WiFi network \(see [Enable or disable URL tracking for a WiFi network](#task_i23_jxd_h1c)\), you can display the tracked URLs by URL, WiFi client, and SSID. You can also download a URL tracking report as a `.csv` file.
To display or download tracked URLs:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Monitoring &gt; URL Tracking**.
The URL Tracking page displays.
By default, the table shows the URLs that were accessed, each with the MAC address of the WiFi client that accessed the URL, the associated SSID, and the number of times that the WiFi client accessed the URL.
5. To display additional information, click the **…** link to the right of a MAC address or SSID.
6. To display URL tracking information by WiFi client, do the following:
1. From the **List by** menu, select **Client**.
The table shows the MAC addresses of the WiFi clients, each with the client host name, and the first URL of the list of URLs that the client accessed.
2. To display all URLs that a WiFi client accessed, click the **…** link to the right of the first URL.
A pop-up window displays all URLs that the WiFi client accessed.
3. Click the **Close** button.
The pop-up window closes.
7. To display URL tracking information by SSID, do the following:
1. From the **List by** menu, select **SSID**.
The table shows the SSIDs and the first URL of the list of URLs that were accessed on the SSID.
2. To display all URLs that were accessed on the SSID, click the **…** link to the right of the first URL.
A pop-up window displays all URLs that the were accessed on the SSID.
3. Click the **Close** button.
The pop-up window closes.
8. To download a URL tracking report as a `.csv` file, click the **Download** button, and follow the directions of your browser.
9. To display the most recent information, click the **Refresh** button.
10. To clear all URL tracking information, do the following:
1. Click the **Clear** button.
A warning pop-up window displays.
2. Click the **OK** button.
The pop-up window closes and the information is cleared.
## Display, save, download, or clear the logs {#task_g4q_lkq_h1c}
You can display and manage the activity logs of the AP. You can also download a detailed log file.
**Note:** If the AP functions in the NETGEAR Insight management mode, you can also display and manage the cloud activity logs, which show the connection of the AP to the Insight cloud-based management platform. If the AP functions in the NETGEAR Insight management mode, this is option is available from the Dashboard by selecting **Management &gt; Monitoring &gt; Cloud Logs**.
To display, save, download, or clear the logs:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Monitoring &gt; Logs**.
The Logs page displays, showing all recent events with a date and time stamp.
5. To save the logs, do the following:
1. Click the **Save** button.
2. Follow the directions of your browser to save the file to your computer.
6. To download the detailed log entries as zip file, do the following:
1. Click the **Download Detailed Logs** button.
Depending on the size of the file, downloading the detailed log entries might take several minutes.
2. Follow the directions of your browser to save the file to your computer.
7. To refresh the log entries onscreen, click the **Refresh** button.
CAUTION:
After you clear the log entries, you can no longer save or download them.
8. To clear the log entries, click the **Clear** button.
## Display a WiFi bridge connection {#task_dtn_xkq_h1c}
You can configure a wireless distribution system \(WDS\) that consists of point-to-point WiFi bridge connections between two APs \(see [Set up a WiFi Bridge in a Wireless Distribution System](#concept_y3f_gtj_h1c)\). This is different from a NETGEAR Insight Instant Mesh WiFi network.
You can display whether a WiFi bridge is established and display the function \(base station or repeater\), MAC addresses, and IP addresses of the APs that form the WiFi bridge.
To display a WiFi bridge connection:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Monitoring &gt; Wireless Bridge**.
The page that displays lets you select a WDS profile \(WDS 1, WDS 2, WDS 3, or WDS 4\).
5. Click the **&gt;** button to the left of a WDS profile.
The Wireless Bridge page displays for the selected WDS profile.
6. To display the function, MAC address, and IP address of an AP, point to the AP.
## Display alarms and notifications {#task_jjm_2lq_h1c}
You can display the alarms and notifications from any AP page. The following procedure describes how you can display them from the Dashboard.
To display the alarms and notifications:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Locate the alarm bell icon at the top-right of the page.
The icon shows a number, indicating the total number of new alarms and notifications since the last time that you displayed alarms and notifications.
5. Click the alarm bell icon.
The pop-up window shows the alarms \(indicated by a red bell\) and notifications \(indicated by a blue bell\) with a description and time.
6. To display more alarms and notification, scroll down in the pop-up window.
# Manage the Advanced WiFi Features for a WiFi network {#concept_o4y_v5d_h1c .concept}
This chapter describes how you can manage the advanced WiFi features for a WiFi network.
For information about the basic WiFi features for a WiFi network, see [Manage the Basic WiFi Features for a WiFi network](#concept_lnp_sjt_dzb).
The chapter includes the following sections:
**Note:** If you want to change the settings of a WiFi network on the AP, then use a wired connection to avoid being disconnected when the new WiFi settings take effect.
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## Set NAT mode or Bridge mode for addressing and traffic {#task_cjb_tvd_h1c}
By default, the addressing and traffic mode of the AP is Bridge mode, which means that WiFi clients receive IP addresses from a DHCP server \(or a router that functions as a DHCP server\) in your network. This is usually the same DHCP server that assigns an IP address to the AP itself.
You can also set NAT mode, which enables the APs DHCP server for WiFi clients. The APs DHCP server assigns an IP address in a different range from the IP address of the AP itself.
NAT mode and the following features are mutually exclusive:
- Dynamic VLAN \(see [Set up an open or secure WiFi network](#task_ujs_4pt_dzb)\)
- Multi PSK \(see [Set up Multi PSK for a WiFi network](#task_jh1_c5k_h1c)\)
- mDNS gateway \(see [Manage the multicast DNS gateway](#concept_dm4_tpx_g1c)\)
- Management VLAN other than the default VLAN 1 \(see [Set the 802.1Q VLAN and management VLAN](#task_b45_rsw_g1c)\)
To set NAT mode or Bridge mode for addressing and traffic:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Scroll down and click the **&gt; Advanced** tab.
The page expands.
7. From the **Addressing and Traffic** menu, select the addressing and traffic mode:
- **Bridge**: The WiFi clients receive their IP addresses from the DHCP server in the same network as the AP. This is the default mode.
- **NAT**: WiFi clients receive their IP addresses from a private DHCP address pool on the AP. If you select this mode, by default, the WLAN network address is 172.31.4.0 and the default subnet mask is 255.255.252.0. This means that WiFi clients are assigned an IP address in the range from 172.31.4.2 to 172.31.7.254. The IP address of the default DNS server for the WLAN is 8.8.8.8, and the default lease time is 1440 minutes \(24 hours\).
To change the default range for the DHCP address pool, the default DNS server, the lease time, or all NAT settings, do the following:
1. In the **Network Address** field, enter a network address that is different from the network address for the AP. For example, if the APs IP address is in the range from 192.168.0.1 to 192.168.0.254 \(a common IP address range\), enter a network address that is different from 192.168.0.0.
2. From the **Subnet Mask** menu, select the subnet mask that is appropriate for your network address.
3. In the **DNS** field, enter the IP address for the DNS server that you want to use. This IP address must be different from the WLAN network address that you set in the previous step.
4. In the **Lease Time \(in mins\)** field, enter the lease time that is applied to WiFi clients.
The lease time can be from 5 to 43200 minutes.
8. Click the **Apply** button.
Your settings are saved.
## Enable or disable client isolation for a WiFi network {#task_qpk_cxd_h1c}
By default, client isolation is disabled for a WiFi network \(SSID or VAP\), allowing communication between WiFi clients that are associated with the same or different WiFi networks on the AP. For additional security, you can enable client isolation so that clients that are associated with the same or different WiFi networks *cannot* communicate with each other, except for communication over the Internet, which remains possible.
WiFi client isolation is mutually exclusive with the following features:
- MAC/IP Traffic Filter group \(see [Select a MAC/IP Traffic Filter group for a WiFi network](#task_fgg_jl3_2bc)\)
- WPA2 Enterprise security and WPA3 Enterprise security that use a dynamic VLAN \(DVLAN, see [Set up an open or secure WiFi network](#task_ujs_4pt_dzb) and [Change the authentication and encryption for a WiFi network](#task_afq_pz1_2zb)\)
- Multi Pre-Shared Key \(PSK, see [Set up Multi PSK for a WiFi network](#task_jh1_c5k_h1c)\)
- Multicast DNS \(mDNS\) gateway \(see [Manage the multicast DNS gateway](#concept_dm4_tpx_g1c)\)
- Blocking of broadcast and multicast traffic \(see [Block all broadcast and multicast traffic for a WiFi network](#task_f3w_5m3_2bc)\)
- A MAC ACL for broadcast and multicast traffic from WiFi clients \(see [Select a MAC ACL for broadcast and multicast traffic from WiFi clients in a WiFi network](#task_rm3_zl3_2bc)\)
To enable or disable client isolation for a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Scroll down and click the **&gt; Advanced** tab.
The page expands.
7. Under Wireless Client Isolation, select one of the following radio buttons:
- **Disable**: Client isolation is disabled for the WiFi network. This is the default setting.
- **Enable**: Client isolation is enabled for the WiFi network. The following check boxes display:
If you select the **Enable** radio button, a check box displays \(see the following step\).
8. If the **Allow access to devices listed below** check box displays: To add network devices that are exempt from isolation so that clients are allowed to reach them, do the following:
1. Select the **Allow access to devices listed below** check box.
By default, the check box is cleared.
The Allowlist displays.
2. In the field to the right, enter up to 16 static IP addresses and domain names of devices that clients are allowed to reach over the WiFi network.
For example, you could enter the static IP address or domain name of a network printer that you want to make available to WiFi clients. A domain name on the Allowlist must resolve to a static IP address. A domain name can be up to 255 characters.
3. Click the **Move** button.
The addresses and domain names are added to the Allowlist.
4. To remove one, several, or all addresses and domain names, select individual check boxes or the **Select All** check box, and click the **Remove** button.
9. Click the **Apply** button.
Your settings are saved.
## Enable or disable URL tracking for a WiFi network {#task_i23_jxd_h1c}
You can enable the AP to track all URLs that are requested by WiFi clients that are connected to a WiFi network \(SSID or VAP\). This feature is disabled by default, but you can enable it.
For information about how to display the tracked URLs per SSID or per WiFi client, see [Display or download tracked URLs](#task_dbt_njq_h1c).
To enable or disable URL tracking for a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Scroll down and click the **&gt; Advanced** tab.
The page expands.
7. Under URL Tracking, select one of the following radio buttons:
- **Enable**: URL Tracking is enabled for the WiFi network.
- **Disable**: URL Tracking is disabled for the WiFi network.
8. Click the **Apply** button.
Your settings are saved.
## Select a MAC ACL for WiFi clients in a WiFi network {#task_zg4_jyd_h1c}
After you set up one or more local MAC access control lists \(ACLs, also referred to as access lists; see [Manage MAC ACLs for WiFi clients](#concept_gld_kdw_g1c)\), you can select an ACL for use with an SSID.
Depending on the policy that you defined for an ACL, WiFi devices for which the MAC address is on the MAC ACL are either allowed access to the AP through this SSID or denied access to the SSID. If denied access to the SSID, these devices might be able to connect to the AP through another SSID if you did not set up MAC ACL security for that SSID.
You can also set up a RADIUS server \(see [Set up RADIUS servers](#task_jvz_zpp_c1c)\) and select the RADIUS MAC ACL. You must define the ACL on the RADIUS server, using the following format for client MAC addresses in the RADIUS server: If the client MAC address is 00:0a:95:9d:68:16, specify it as 000a959d6816 in the RADIUS server.
**Note:** A RADIUS MAC ACL cannot function if the WiFi security is WPA2 Enterprise or WPA3 Enterprise. If you want to use a RADIUS MAC ACL, select a different type of WiFi security for the WiFi network \(see [Change the authentication and encryption for a WiFi network](#task_afq_pz1_2zb)\).
Before you select a MAC ACL for a WiFi network, review the policy of the ACL:
- **ACL policy that allows access**: A WiFi device on the ACL is allowed access to the SSID while all other WiFi devices are denied access to the SSID.
- **ACL policy that denies access**: A WiFi device on the ACL is denied access to the SSID while all other WiFi devices are allowed access to the SSID.
To select a MAC ACL for WiFi clients in a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Scroll down and click the **&gt; Advanced** tab.
The page expands.
7. Select the **MAC ACL** check box.
8. Do one of the following:
- Select the **Local MAC ACL** radio button, and from the **Select Group** menu, select the MAC ACL that you defined earlier.
To change the MAC ACL policy, MAC addresses in the ACL, or both, click the link next to the group. For more information, see [Manage MAC ACLs for WiFi clients](#concept_gld_kdw_g1c).
- Select the **Radius MAC ACL** radio button.
This option functions only if you set up a RADIUS server \(see [Set up RADIUS servers](#task_jvz_zpp_c1c)\).
CAUTION:
If you are accessing the device UI of the AP over a WiFi connection, make sure that your device is allowed access to the SSID. Otherwise, your device is denied access to the device UI after you click the **Apply** button.
9. Click the **Apply** button.
Your settings are saved.
## Set bandwidth rate limits for a WiFi network {#task_q21_bzd_h1c}
You can set rate limits for the upload and download bandwidths for devices that are connected to a WiFi network. The minimum bandwidth rate is 64 Kbps, the maximum bandwidth rate is 1024 Mbps. You can set one rate for the upload bandwidth and another rate for the download bandwidth.
**Note:** You can set bandwidth rate limits for a maximum of two WiFi networks on the AP.
To set bandwidth rate limits for devices that are connected to a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Scroll down and click the **&gt; Advanced** tab.
The page expands.
7. Select the **Rate Limit** check box.
8. Specify the values:
- **Upload**: For the upload bandwidth limitation, enter a value from 64 to 1024 and select **Kbps** or **Mbps** from the menu.
- **Download**: For the download bandwidth limitation, enter a value from 64 to 1024 and select **Kbps** or **Mbps** from the menu.
9. Click the **Apply** button.
Your settings are saved.
## Change the format of the DHCP offer messages in a WiFi network {#task_oxf_pxd_h1c}
When a device tries to associate with the WiFi network and negotiates an IP address, the AP converts the broadcast DHCP offer message that it receives from the DHCP server to a unicast message, and forwards it to the device. This is the default configuration. For the DHCP message exchange, unicast packets are more reliable and minimize the traffic in the network.
If your situation requires that DHCP offer messages must be distributed as broadcast packets in a specific WiFi network, you can change the message format for that WiFi network so that the AP does *not* convert the broadcast DHCP offer messages to unicast messages.
To change the format of the DHCP offer messages in a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Scroll down and click the **&gt; Advanced** tab.
The page expands.
7. Scroll down and click the **&gt; Traffic Policy** tab.
The page expands.
8. Under DHCP Offer Broadcast to Unicast, select one of the following radio buttons:
- **Enable**. The AP forwards DHCP offer messages as unicast packets in the WiFi network. This is the default selection.
- **Disable**. The AP forwards DHCP offer messages as broadcast packets in the WiFi network.
9. Click the **Apply** button.
Your settings are saved
## Select a MAC ACL for broadcast and multicast traffic from WiFi clients in a WiFi network {#task_rm3_zl3_2bc}
After you set up one or more local MAC access control lists \(ACLs, also referred to as access lists\) for broadcast and multicast traffic from WiFi clients, you can select an ACL for use with an SSID. For more information about setting up ACLs for broadcast and multicast traffic from WiFi clients, see [Manage MAC ACLs for broadcast and multicast traffic from WiFi clients](#concept_j23_5db_2bc).
By default, all WiFi devices allowed to send broadcast and multicast traffic into a WiFi network. If you allow traffic only from specified devices and select an ACL, the ACL functions as follows:
- A WiFi device for which you place the MAC address in the ACL is allowed to send broadcast and multicast traffic into the WiFi network.
The broadcast and multicast traffic is allowed within the same SSID on which the WiFi client sends the traffic, regardless of the radio on which the SSID broadcasts. If another SSID is using the same VLAN, clients on the other SSID can also receive the broadcast or multicast traffic.
For example:
- The “Main Lobby” SSID uses VLAN 1 and broadcasts on both the 2.4 GHz radio and the 5 GHz radio.
- The MAC address of Client 1 is on the MAC ACL, and Client 1 sends multicast traffic on the 5 GHz radio of the “Main Lobby” SSID.
- The “Auditorium” SSID is also configured on the same VLAN 1 and broadcasts on the 2.4 GHz radio.
- The “Accounting Department” SSID is configured on VLAN 2 and broadcasts on both the 2.4 GHz radio and the 5 GHz radio.
In this situation, the multicast traffic from Client 1 can reach all clients that are connected to the “Main Lobby” SSID as well as all clients that are connected to the “Auditorium” SSID, but it cannot reach clients that are connected to the “Accounting Department” SSID.
- Broadcast and multicast traffic from all other WiFi devices is rejected by the WiFi network.
To select a MAC ACL for broadcast and multicast traffic from WiFi clients a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Scroll down and click the **&gt; Advanced** tab.
The page expands.
7. Scroll down and click the **&gt; Traffic Policy** tab.
The page expands.
By default, the Allow Broadcast/Multicast Traffic check box is selected.
8. Select the **Allow traffic only from specified devices** radio button.
9. From the **Allowed Device Group** menu, select the MAC ACL that you defined earlier.
To change the MAC addresses in the ACL, click the **Edit Group** link next to the menu. For more information, see [Manage MAC ACLs for broadcast and multicast traffic from WiFi clients](#concept_j23_5db_2bc).
10. Click the **Apply** button.
Your settings are saved.
## Block all broadcast and multicast traffic for a WiFi network {#task_f3w_5m3_2bc}
By default, broadcast and multicast traffic from any device can reach a WiFi network. You can also block all broadcast and multicast traffic on a WiFi network.
To block all broadcast and multicast traffic on a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Scroll down and click the **&gt; Advanced** tab.
The page expands.
7. Scroll down and click the **&gt; Traffic Policy** tab.
The page expands.
By default, the Allow Broadcast/Multicast Traffic check box is selected.
8. Clear the **Allow Broadcast/Multicast Traffic** check box.
9. Click the **Apply** button.
Your settings are saved.
Broadband and multicast traffic is not allowed to reach the WiFi network.
## Select a MAC/IP Traffic Filter group for a WiFi network {#task_fgg_jl3_2bc}
After you enable a MAC/IP Traffic Filter group and add one or more traffic rules to the group, you can select the group for use with a WiFi network \(SSID\). Depending on the settings of the traffic rules in the group, the traffic rules then apply to incoming, outgoing, or both incoming and outgoing traffic in the SSID.
For more information about setting up MAC/IP Traffic Filter group, see [Manage MAC/IP Traffic Filter groups for WiFi networks](#concept_ekl_m2b_2bc).
**Note:** If you apply a MAC/IP Traffic Filter group to a WiFi network, the throughput might be affected and could be lower than normal.
To select a MAC/IP Traffic Filter group for a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The page that displays lets you select an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Scroll down and click the **&gt; Advanced** tab.
The page expands.
7. Scroll down and click the **&gt; Traffic Policy** tab.
The page expands.
8. Select the **MAC/IP Traffic Filters** check box.
9. From the **Select Group** menu, select a group that you defined earlier.
To change the traffic rules in the group, click the **Edit Group** link next to the menu. For more information, see [Manage MAC/IP Traffic Filter groups for WiFi networks](#concept_ekl_m2b_2bc).
10. Click the **Apply** button.
Your settings are saved.
## Configure advanced rate selection for a WiFi network {#task_cps_112_h1c}
Advanced rate selection lets you improve the capacity of an *individual* WiFi network \(as opposed to a radio, which affects *all* WiFi network on the radio\) so that you can reach the optimal balance between the following components in the WiFi network:
- Types of traffic \(multicast, management, control, and data traffic\)
- Number and proximity of clients \(the client density\)
- Types of clients \(the WiFi modes that clients can support, including legacy WiFi modes\)
- Throughput speed for clients
- Area that the WiFi network must cover
To successfully configure advanced rate selection, we recommend that you determine what the clients in your network can require \(the types of traffic, the supported WiFi modes, and the expected throughput speed\), how many clients potentially can connect simultaneously to the WiFi network, and where the clients can be located.
**Note:** By default, advanced rate selection is disabled. If you enable advanced rate selection, the AP applies rate control settings to WiFi connections in a regular WiFi network but not to connections in a wireless distribution system \(WDS\) or Insight Instant Mesh WiFi network.
Advanced rate selection lets you configure the following settings for the 2.4 GHz and 5 GHz radio bands in a WiFi network \(the feature does not apply to the 6 GHz radio band\):
- **Fixed multicast rate**: The multicast traffic transmission rate that you select is automatically applied. The rates that you can select are the basic multicast rates that the radio band supports.
- **Rate control**: The rate that you select is automatically applied to beacon and other management frames and to control and data frames. If you enable rate control, you can set the density level, which consists of four components that are described below. That is, the density level includes much more than the client density \(the number and proximity of clients in the WiFi network\).
The available settings for the density level in the WiFi network depend on the WiFi mode in which the radio operates. \(For more information about WiFi modes, see [Change the WiFi mode for a radio](#task_vx3_yyp_c1c).\)
You can set a density level of 0 \(actually spanning 04, the default setting\), 1 \(spanning 14\), 2 \(spanning 24\), 3 \(spanning 34\), or 4. The setting is then applied to the following *interdependent* components, which you cannot set individually precisely because they are interdependent:
- **Density**: The density \(the number and proximity\) of clients in the WiFi network. \(The density is one of the four components of the density *level*.\) A setting of 0 means a very low client density. A setting of 4 means a very high client density.
- **Compatibility**: The compatibility with WiFi modes for legacy clients in the WiFi network. For the 2.4 GHz radio, a setting of 0 means compatibility with 802.11b/g/n/ax clients; A setting of 4 means compatibility with 802.11g/n/ax clients but not with 802.11b legacy clients.
- **Overall performance**: The throughput speed for the clients in the WiFi network. A setting of 0 means a reduced performance. A setting of 4 means an optimal performance. As an example, you can deliberately select a reduced performance if you require a very wide coverage area.
- **Coverage**: The area that the WiFi network must cover. A setting of 0 means a very wide coverage area. A setting of 4 means a very narrow coverage area. As an example, you can deliberately select a very narrow area if you require an optimal performance.
Another way to describe the density level is that a selected level is mapped to a corresponding client density level, WiFi mode, minimum legacy rate, beacon rate, and minimum Modulation Coding Scheme \(MCS\) rate.
To configure advanced rate selection for a WiFi network:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Basic &gt; Wireless Settings**.
The page that displays lets you select and add an SSID.
5. Click the **&gt;** button to the left of the SSID.
The settings for the selected SSID display.
6. Scroll down and click the **Advanced Rate Selection** tab.
The page adjusts and displays rate selection settings for the 2.4 GHz and 5 GHz radio bands.
**Note:** For the selected SSID, you can specify the radio settings for the 2.4 GHz and 5 GHz radio bands individually. The descriptions in the following steps apply to both radios.
7. To apply basic fixed multicast rates, from the **Fixed Multicast Rate** menu, select one of the following rates, depending on the radio band:
- **2.4 GHz**: **1**, **2**, **5.5**, or **11** Mbps or **Auto** \(the default setting\).
- **5 GHz**: **6**, **12**, or **24** Mbps or **Auto** \(the default setting\).
8. To enable automatic minimum rate control for beacon and other management frames and for control and data frames, select the **Rate Control** check box.
If you select the **Rate Control** check box, the **Density Level** slider becomes available.
9. To set the density level for your environment, move the **Density Level** slider to **0**, **1**, **2**, **3**, or **4**.
As you move the slider, the selected density level is mapped to a corresponding WiFi mode, beacon rate, minimum legacy rate, and minimum MCS rate. The available settings depend on the WiFi mode that you select for the radio \(see [Change the WiFi mode for a radio](#task_vx3_yyp_c1c)\). By default, the WiFi mode for each radio is 11ax.
The density level for the WiFi network is based on the following interdependent components, for which a setting is assigned by the position of the slider but *which you cannot set individually*:
- **Density of the WiFi clients**: In the default 11ax WiFi mode for the radios, the setting can be very low, low, medium, high, or very high, depending on the position of the slider.
- **Compatibility with WiFi modes for legacy clients**: In the default 11ax WiFi mode for the radios, this setting can be as follows:
- **2.4 GHz**: The 802.11b/g/n/ax setting, which supports 802.11b clients, or the 802.11g/n/ax setting, which does not support 802.11b clients.
- **5 GHz**: The 802.11a/n/ac/ax/be setting, which supports all types of clients in the 5 GHz radio band in any position of the slider.
- **Overall performance for the WiFi clients**: In the default 11ax WiFi mode for the radios, the setting can be reduced, moderate, good, very good, or optimal, depending on the position of the slider.
- **WiFi coverage**: In the default 11ax WiFi mode for the radios, the setting can be very narrow, narrow, average, wide, or very wide, depending on the position of the slider.
**Note:** The help text in the device UI provides a table with detailed information about how the WiFi mode of a radio affects these components and how these components depend on each other.
10. Click the **Apply** button.
Your settings are saved.
## Assign host names to WiFi clients and manage the host name list {#task_upx_512_h1c}
You can manually assign host names to WiFi clients for easier identification. The AP can support a maximum of 600 host name entries.
You must know the MAC address of the WiFi client for which you want to add a host name. The MAC address might be displayed on the Connected Clients page \(see [Display client distribution, connected clients, and client trends](#task_rq4_qsw_wlb)\).
**Note:** You cannot assign a host name for a randomized MAC address.
To assign host names to WiFi clients and manage the host name list:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; HostName Override**.
The HostName Override page displays.
5. To manually add a host name for a WiFi client, do the following in the fields below the Client Hostnames List:
1. In the left field, type or copy the MAC address of the client in the format 00-00-00-00-00-00.
2. In the **Enter a host name** field, type a name for the client.
The host name must contain alphanumeric characters, can contain hyphens, and cannot be longer than 32 characters. The host name cannot start or end with a hyphen.
3. To add another host name, repeat the previous two substeps.
You can add a maximum of 10 host names at a time.
4. Click the **Add** button.
Your settings are saved.
6. To change a host name, do the following in the Client Hostnames List:
1. Select the check box for the name.
2. Click the **Edit** button.
3. Change the host name.
4. To change another host name, repeat the previous three substeps.
You can change a maximum of 10 host names at a time.
5. Click the **Apply** button.
Your settings are saved.
7. To delete one or more host names, do the following in the Client Hostnames List:
1. Select the check boxes for the names.
You can delete a maximum of 10 host names at a time.
2. Click the **Delete** button.
The host names are removed.
# Set up a WiFi Bridge in a Wireless Distribution System {#concept_y3f_gtj_h1c .concept}
This chapter describes how you can configure a wireless distribution system \(WDS\) that consists of point-to-point WiFi bridge connections between two APs. Each WiFi bridge connection requires a WDS profile for which the settings must match on the APs that make up the bridge.
A WDS is *not* the same as a NETGEAR Insight Instant Mesh WiFi network, which requires you to use NETGEAR Insight and one access point to function as a root \(see [Install the AP in an Insight Instant Mesh WiFi Network](#concept_gfp_pmf_dzb)\).
The chapter includes the following sections:
**Note:** If you enable Energy Efficiency Mode, you cannot use a WDS. To use a WDS, first disable Energy Efficiency Mode. For more information, see [Manage the Energy Efficiency Mode](#task_css_3zv_g1c).
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## WiFi base station, WiFi repeater, and WiFi bridge requirements {#concept_ksr_nwj_h1c}
If the AP is connected to the Internet over a wired connection, the AP can function as the WiFi base station for up to four other APs that function as WiFi repeaters. The AP itself can also function as a WiFi repeater if it is connected to another AP that functions as a WiFi base station.
A WiFi base station connects to the Internet, wired and WiFi clients can connect to the base station, and the base station sends its WiFi signal to one or more APs that function as WiFi repeaters. Wired and WiFi clients can also connect to a WiFi repeater, but the repeater connects to the Internet through the WiFi base station.
The following figure shows two APs in a WiFi repeating setup with a WiFi base station on the left side and a single WiFi repeater on the right side.
![](../WBE700%20Series%20Base%20UM/Img/WBE700_wireless_bridge_r1.ai "WiFi bridge configuration between two APs in the 5 GHz radio band")
To use a WiFi bridge, you cannot use the auto channel feature for the AP and the SSID broadcast must be enabled.
For a WiFi bridge, you must set up one AP as a WiFi base station and another AP as a WiFi repeater:
- **WiFi base station**: The base station is connected over Ethernet to a network switch \(usually with an Internet connection\) and bridges traffic to and from the repeater. The base station also handles local WiFi and wired traffic. To configure this mode, you must know the MAC address of the 2.4 GHz, 5 GHz, or 6 GHz radio on the repeater.
- **WiFi repeater**: The repeater sends all traffic from its local WiFi or wired devices to the WiFi base station. Similarly, the repeater receives all traffic for its local WiFi or wired computers from the base station. The repeater is connected to the network \(and Internet\) over the WiFi connection to the base station. To configure this mode, you must know the MAC address of the 2.4 GHz, 5 GHz, or 6 GHz radio on the base station.
Before you can set up a WiFi network with WDS, your configuration must meet the following conditions:
- Both APs must use the same WiFi channel and WiFi security settings.
- Both APs must be on the same LAN IP subnet. That is, all of the AP LAN IP addresses are in the same network.
- All LAN devices \(wired and WiFi computers\) are configured to operate in the same LAN network address range as the APs.
**Note:** If you are using the AP as the base station with a non-NETGEAR access point as a repeater, you might need to change more configuration settings. In particular, you might need to disable the DHCP server function on the non-NETGEAR access point that is the repeater.
CAUTION:
Before you set up a WiFi bridge between two APs, enable STP on the APs \(see [Enable or disable Spanning Tree Protocol](#task_wsm_k5w_g1c)\) and on the switches to which the APs are connected. If your switches do not support STP, after the WiFi bridge is established, disconnect one of the APs from its switch to prevent a network loop and connectivity problems. If you used a PoE+ switch for that AP, you now must use a power adapter.
CAUTION:
Before you set up a WiFi bridge between two APs, enable STP on the APs \(see [Enable or disable Spanning Tree Protocol](#task_wsm_k5w_g1c)\) and on the switches to which the APs are connected. If your switches do not support STP, after the WiFi bridge is established, disconnect one of the APs from its switch to prevent a network loop and connectivity problems. If you used a PoE++ switch for that AP, you now must use a power adapter.
## Set up a WiFi bridge between APs {#task_cbr_4fk_h1c}
The following procedure describes how you can configure the WiFi bridge settings on one AP and then do the same on another AP, allowing the WiFi bridge to be established.
To set up a WiFi bridge between two APs:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless Bridge**.
The page that displays lets you select a WDS profile \(WDS 1, WDS 2, WDS 3, or WDS 4\).
5. Click the **&gt;** button to the left of a WDS profile.
The WDS profile page displays.
6. Select the Band **2.4 GHz**, **5 GHz**, or **6 GHz** radio button.
Your selection determines the radio band on which the WDS is established. For countries that do not support dual-band or tri-band operation, you cannot select the radio.
7. Select the VAP **Enable** radio button.
By default, a WDS profile is disabled.
8. Configure the WDS profile settings as described in the following table.
<table id="table_gbr_4fk_h1c"><thead><tr><th>
Setting
</th><th>
Description
</th></tr></thead><tbody><tr><td>
Wireless Network Name \(SSID\)
</td><td>
The WiFi network name of the network on which the WDS is established. The default name is Netgear-WDS-x, in which x is the number of the WDS \(1, 2, 3, or 4\).
The WiFi name can be up to 32 characters in length and cannot include backslash or double quote characters.
**Note**: The WiFi network name must be identical on the WiFi base station and the WiFi repeater.
</td></tr><tr><td>
Local MAC Address
</td><td>
The MAC address of the local WDS radio interface, that is, the MAC address of the local radio on which the WDS is established. You cannot change this MAC address on this page. The MAC address is displayed for your information.
Enter this MAC address on the remote AP of the WDS connection.
**Note**: The local MAC address must be different from the remote MAC address.
</td></tr><tr><td>
Remote MAC Address
</td><td>
The MAC address of the remote WDS radio interface, that is, the MAC address of the remote radio on which the WDS is established.
**Note**: The remote MAC address must be different from the local MAC address.
</td></tr><tr><td>
Network Authentication, Data Encryption, and Passphrase
</td><td>
If you configure the WDS on the 2.4 GHz or 5 GHz radio, the default selection from the menu is Open, in which case authentication and data encryption are not applicable. To secure the WDS connection, select **WPA2 Personal**.
If you configure the WDS on the 6 GHz radio, the default and only selection from the menu is WPA3 Personal.
For WPA Personal or WPA3 Personal security, specify the following settings:
- **Encryption**: The data encryption is AES and you cannot change this setting.
- **Passphrase**: The passphrase for the WDS connection. The passphrase can be between 8 and 63 characters in length.
For you to enable the WDS connection, the passphrase on the remote AP must match the passphrase that you define in this field.
</td></tr></tbody>
</table>9. Click the **Apply** button.
Your settings are saved.
10. Configure the WiFi bridge settings on the AP at the other end of the WiFi bridge and restart that AP.
**Note:** If the device at the other end of the WiFi bridge is a NETGEAR access point, you might not need to restart it.
The WiFi bridge is established.
11. Verify connectivity across the LANs of both APs.
If the configuration is set up correctly, a computer on any WiFi or wired LAN segment of the AP that functions as the WiFi repeater can connect to the Internet or share files and printers with any other computer or server connected to the AP that functions as the WiFi base station.
**Note:** After the WiFi bridge is established, you cannot change the WiFi channel for the radio on which the WiFi bridge is established.
# Manage the Advanced Radio Features {#concept_rhw_3gk_h1c .concept}
This chapter describes how you can manage the advanced radio features of the AP. For information about the basic radio features, see [Manage the Basic Radio Features](#concept_qjn_c5p_c1c).
CAUTION:
If you change a radio feature on the 2.4 GHz radio, the change affects all WiFi networks that broadcast on the 2.4 GHz radio. Similarly, if you change a radio feature on the 5 GHz or 6 GHz radio, the change affects all WiFi networks that broadcast on the 5 GHz or 6 GHz radio. If the change is not specific to one radio, the change affects *all* WiFi networks on the AP.
The chapter includes the following sections:
**Note:** If you want to change the radio settings, use a wired connection to avoid being disconnected when the new radio settings take effect.
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## Manage the advanced WiFi settings for the radios {#task_fh1_xjk_h1c}
The advanced WiFi settings for the radios apply to all WiFi networks \(VAPs or SSIDs\). Although these settings work fine for most network environments and it is unlikely that you need to change them, you *can* change the radio settings, and you can do so for the 2.4 GHz, 5 GHz, and 6 GHz radios individually.
CAUTION:
We recommend that you change these advanced WiFi settings only if you fully understand the consequences. Incorrect configuration might cause connectivity problems for devices trying to connect to the AP.
A radio must be turned on for you to change the settings. For more information about turning on a radio, see [Turn a radio on or off](#task_vdl_3yp_c1c).
To manage the advanced WiFi settings for the radios:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Advanced &gt; Wireless Settings**.
The Wireless Settings page for advanced settings displays.
5. Configure the settings as described in the following table.
The descriptions in the table apply to all radios. You can specify the radio settings for the 2.4 GHz, 5 GHz, and 6 GHz radios individually, but the check box for the 802.11n 256 QAM feature applies to the 2.4 GHz radio only \(the feature is always enabled for the 5 GHz and 6 GHz radios\). In addition, you can enable or disable 802.11h for the 5 GHz and 6 GHz radios but not for the 2.4 GHz radio.
<table id="table_jh1_xjk_h1c"><thead><tr><th>
Setting
</th><th>
Description
</th></tr></thead><tbody><tr><td>
Max. Wireless Clients
</td><td>
Enter the maximum number of WiFi clients that can simultaneously associate with the radio.
For the each radio, the range is from 1 to 200 WiFi clients, and the default is 200.
</td></tr><tr><td>
RTS Threshold \(256-2346\)
</td><td>
Enter the Request to Send \(RTS\) threshold. The range is from 256 to 2346. The default is 2346.
If the packet size is equal to or less than the RTS threshold, the radio uses the Carrier Sense Multiple Access with Collision Detection \(CSMA/CD\) mechanism and the data frame is transmitted immediately after the silence period. If the packet size is larger than the RTS threshold, the system uses the CSMA with Collision Avoidance \(CSMA/CA\) mechanism. In this situation, the transmitting device sends the RTS packet to the receiving device and waits for the receiving device to return a Clear to Send \(CTS\) packet before sending the actual packet data.
</td></tr><tr><td>
Beacon Interval \(100-300\)
</td><td>
Enter an interval between 100 ms and 300 ms for each beacon transmission, which allows the radio to synchronize the WiFi network. The default is 100 ms.
**Note**: If you set up more than four WiFi networks, the beacon interval is automatically changed to 300.
</td></tr><tr><td>
802.11n 256 QAM
</td><td>
When the WiFi mode is 802.11n, you can select the **802.11n 256 QAM** check box to enable the 2.4 GHz radio to function over 256-quadrature amplitude modulation \(QAM\), which can increase the 2.4 GHz radio throughput for 802.11n clients that are capable of supporting 256 QAM. By default, 256 QAM is enabled for the 2.4 GHz radio, that is, the check box is selected.
By default, 256-QAM is enabled for the 5 GHz radio and you cannot disable it \(the page does not provide a check box for the 5 GHz radio\). The 6 GHz radio uses a higher QAM \(the page does not provide a check box for the 6 GHz radio\).
</td></tr><tr><td>
DTIM Interval \(1-255\)
</td><td>
Move the slider to specify the delivery traffic indication message \(DTIM\) interval or the data beacon rate, which indicates the beacon delivery traffic indication message period in multiples of beacon intervals. This value must be between 1 and 255. The default is 3.
</td></tr><tr><td>
Broadcast/Multicast Rate Limiting
</td><td>
Multicast and broadcast rate limiting is enabled by default to improve the overall network performance by limiting the number of packets that are transmitted across the network. By default, the setting is 50 \(the maximum possible value\), which specifies a maximum rate limit of 50 packets per second. To change the setting, move the slider. To disable multicast and broadcast rate limiting, clear the small check box.
</td></tr><tr><td>
MU-MIMO
</td><td>
By default, the MU-MIMO **Enable** radio button is selected and multiuser MIMO \(MU-MIMO\) is enabled. To disable MU-MIMO, select the MU-MIMO **Disable** radio button.
MU-MIMO enables multiple users to receive data from the AP simultaneously using the same channel. With MU-MIMO, the AP can transmit to multiple clients simultaneously using the same channel. MU-MIMO is used in the downstream direction and requires both the AP and the WiFi clients to be capable of 802.11ac Wave 2 or 802.11ax.
</td></tr><tr><td>
802.11h
</td><td>
Select the 802.11h **Enable** radio button to enable 802.11h-capable WiFi clients to automatically switch to a new channel without disconnecting from the AP and without losing any data when the AP changes to another channel. To disable the feature, select the **Disable** radio button. By default, the 802.11h Enable radio button is selected and 802.11h is enabled.
You can enable or disable 802.11h for the 5 GHz and 6 GHz radios but not for the 2.4 GHz radio.
</td></tr></tbody>
</table>6. Click the **Apply** button.
A warning pop-up window displays.
7. Click the **OK** button.
The pop-up window closes and your settings are saved. The radio or radios restart and WiFi clients might need to reconnect.
## Manage the maximum number of clients for a radio {#task_j2m_5kk_h1c}
The number of clients that are allowed to associate with a radio affects the reliability and throughput of the WiFi connection. A smaller number can increase the reliability and throughput and a large number can decrease the reliability and throughput.
By default, each radio allows up to 200 client associations. You can specify a lower number of clients. If the number of associated clients exceeds the maximum number that you specify, the radio rejects new client associations until the number drops below that maximum number.
To manage the maximum number of clients for a radio:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Advanced &gt; Wireless Settings**.
The Wireless Settings page for advanced settings displays.
5. In the **Max.Wireless Clients** field for the radio, enter the maximum number of WiFi clients that can simultaneously associate with the radio.
The range is from 1 to 200 WiFi clients, and the default is 200.
6. Click the **Apply** button.
A warning pop-up window displays.
7. Click the **OK** button.
The pop-up window closes and your settings are saved. The radio or radios restart and WiFi clients might need to reconnect.
## Manage the broadcast and multicast settings for a radio {#task_mq5_ylk_h1c}
Because multicast and broadcast traffic can adversely affect the throughput and latency of a WiFi network, you can change the multicast and broadcast rate limiting settings for a radio.
By default, multicast and broadcast rate limiting is enabled to improve the overall network performance by limiting the number of packets that are transmitted across the network. By default, the setting is 50 \(the maximum possible value\), which specifies a maximum rate limit of 50 packets per second. You can lower this number.
To manage the broadcast and multicast settings for a radio:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Advanced &gt; Wireless Settings**.
The Wireless Settings page for advanced settings displays.
5. To change the multicast and broadcast rate limiting setting for a radio, move the **Broadcast/Multicast Rate Limiting** slider.
By default, the setting is 50 \(the maximum possible value\), which specifies a maximum rate limit of 50 packets per second.
6. To disable or enable multicast and broadcast rate limiting for a radio, clear or select the **Broadcast/Multicast Rate Limiting** check box.
7. Click the **Apply** button.
A warning pop-up window displays.
8. Click the **OK** button.
The pop-up window closes and your settings are saved. The radio or radios restart and WiFi clients might need to reconnect.
## Manage load balancing for the radios {#task_krr_dnk_h1c}
You can configure the radio utilization thresholds to enable each radio to maintain the speed and performance of the WiFi network as clients associate with and disassociate from the WiFi network.
If you enable load balancing, client associations depend on the maximum number of clients per radio, the channel load per radio, and each clients Received Signal Strength Indicator \(RSSI\). New client associations are allowed if a radios utilization remains within the defined load balancing settings. If a radios utilization exceeds the defined load balancing settings, new client associations are temporary halted until the radios utilization falls within the defined load balancing settings.
**Note:** The Dashboard can show information about the client and traffic distribution per radio as well as the client, traffic, and channel utilization for each radio \(see [Display client distribution, connected clients, and client trends](#task_rq4_qsw_wlb) and [Display traffic volume, fan information, statistics, and channel utilization](#task_o45_g3q_h1c)\).
By default, all of the following types of load balancing are enabled with their default settings:
- **Load balancing based on the maximum number of clients**: The AP allows client associations up to the specified maximum number of clients. After the maximum number is exceeded, new clients are rejected. Even though this is a global setting, it is implemented per radio.
- **Load balancing based on the channel load**: The AP allows client associations up to the defined maximum channel utilization. After the maximum channel utilization is exceeded, new clients are rejected. Even though this is a global setting, it is implemented per radio.
**Note:** If a client is rejected but persistently tries to associate with the AP, the AP grants access to that client.
- **Load balancing based on the RSSI of the client**: Clients with an RSSI that is equal to or higher than the defined minimum are allowed to associate with the AP. Clients with an RSSI below the defined minimum are rejected. Even though this is a global setting, it is implemented per radio.
**Note:** If a client is rejected but persistently tries to associate with the AP, the AP grants access to that client.
You can change the default settings for each type of load balancing, or completely disable one or more types of load balancing.
To manage load balancing for the radios:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Advanced &gt; Load Balancing**.
The Load Balancing page displays.
5. To globally enable load balancing for the radios, select the Load Balancing Mode **Enable** radio button.
The page adjusts and displays a slider for each type of load balancing and each radio.
By default, load balancing is disabled. When you enable load balancing, all three types of load balancing are enabled. You can individually disable one or more types of load balancing.
6. To individually enable or disable one or more types of load balancing, do the following:
- To disable a particular type of load balancing, clear the small blue check box to the left of the *Based On ...* text.
- To enable a particular type of load balancing, select the small blue check box to the left of the *Based On ...* text.
7. To change the load balancing settings, do the following:
- **Based On Maximum Number Of Clients**: For each radio, move the associated slider to specify the maximum number of clients allowed, before the radio stops accepting new client associations.
For each radio, the minimum number of clients is 5 and the maximum number is 200, and the default number is 200.
- **Based On Channel Load**: For each radio, move the associated slider to specify the maximum percentage of channel load that is allowed on the radio, before it stops accepting new client associations.
For each radio, the minimum percentage of channel load is 50, the maximum percentage is 90, and the default percentage is 70.
- **Based on Channel Receive Signal Strength**: For each radio, move the associated slider to specify the minimum required RSSI value for an individual client, below which the radio does not accept the client association.
For each radio, the minimum RSSI value is 1, the maximum value is 50, and the default value is 23.
8. Click the **Apply** button.
Your settings are saved.
## Manage sticky clients {#task_qhl_rqk_h1c}
During roaming, sticky clients do not change to an access point with a better signal but remain associated with \(that is, *stick to*\) their initial access point, even though the quality of the connection to that access point is degraded. Such a situation causes delay for other clients that are associated with that access point.
**Note:** For a home WiFi network with a single access point, a sticky client is useful because no other access point is available to associate with during roaming. For a business or enterprise network with multiple access points, a sticky client can cause a drain on WiFi resources.
You can force sticky clients to disassociate from the radios of the AP.
If load balancing based on the RSSI of the client is enabled \(see [Manage load balancing for the radios](#task_krr_dnk_h1c)\), after a client is forced to disassociate, the client can join again in the following situations:
- The client can associate again if its RSSI is equal to or higher than the minimum required RSSI.
- If the client persistently tries to associate with the AP, the AP grants access to that client, even if its RSSI is below minimum required RSSI.
To manage sticky clients:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Advanced &gt; Load Balancing**.
The Load Balancing page displays.
5. Either select or clear the **Force Sticky Clients To Disassociate** check box:
- **Sticky clients are forced to disassociate**: Select the check box. If a clients RSSI value falls below the minimum required RSSI value that you set for a radio, the client is forcibly disassociated.
For each radio, you can move the **Based on Channel Receive Signal Strength** slider to specify the minimum required RSSI value for an individual client, below which the radio does not accept the client association.
For each radio, the minimum RSSI value is 1, the maximum value is 50, and the default value is 23.
- **Sticky clients are allowed to remain associated**: Clear the check box. This is the default setting.
6. Click the **Apply** button.
Your settings are saved.
## Manage the ARP proxy {#task_or5_drk_h1c}
By default, the ARP proxy is enabled on the AP, allowing it to inspect all ARP broadcast packets for its clients. In this way, the AP responds to ARP requests for its clients, preventing unnecessary broadcast traffic on the radios.
For information about the ARP statistics, including the number of proxied and dropped packets, see [Display traffic volume, fan information, statistics, and channel utilization](#task_o45_g3q_h1c).
To manage the ARP proxy:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Configuration &gt; Wireless &gt; Advanced &gt; ARP Proxy**.
The ARP Proxy page displays.
5. Select one of the following radio buttons
- **Enable**: The ARP proxy is enabled. This is the default setting.
- **Disable**: The ARP proxy is disabled. Broadcast traffic on the radios might increase.
6. Click the **Apply** button.
Your settings are saved.
# Diagnostics and Troubleshooting {#concept_khy_2yq_h1c .concept}
This chapter describes how you can capture WiFi packets and troubleshoot the AP and network.
The chapter includes the following sections:
**Note:** In this manual, *WiFi network* means the same as SSID \(service set identifier or WiFi network name\) or VAP \(virtual access point\). That is, when we refer to a WiFi network we mean an individual SSID or VAP.
## Capture WiFi and Ethernet packets {#task_pcm_b1r_h1c}
You can capture WiFi and Ethernet packets that are received and transmitted by the AP and save the file with captured packets to your computer. During the packet capture process, normal functioning of the AP is not affected.
The packet capture capability can be useful for analyzing a WiFi deployment, monitoring a WiFi network, debugging protocols, determining WiFi network bottlenecks, and, in general, troubleshooting any irregularities in a WiFi network.
You can select to capture all packets or selected packets only.
**Note:** To display the captured packets, you need an application that can open `.pcap` files.
To capture packets:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Diagnostics &gt; Packet Capture**.
The Packet Capture page displays.
5. Specify the settings that are described in the following table.
<table id="table_tcm_b1r_h1c"><thead><tr><th>
Setting
</th><th>
Description
</th></tr></thead><tbody><tr><td>
Capture Interface
</td><td>
From the **Capture Interface** menu, select one of the following interfaces on which packets must be captured:
- **br-lan**. All packets are captured, that is, packets on the Ethernet interfaces, 2.4 GHz radio, 5 GHz radio, and 6 GHz radio. This is the default setting.
- **eth0**. Only packets on the LAN Ethernet interface are captured.
- **radio1**. Only packets on the 2.4 GHz radio are captured.
- **radio2**. Only packets on the 5 GHz radio are captured.
- **radio3**. Only packets on the 6 GHz radio are captured.
</td></tr><tr><td>
Max. Capture File Size \(64-12288 KB\)
</td><td>
Enter the maximum size that the file with captured packets is limited to. The range is from 64 to 12288 KB. The default is 1024 KB.
</td></tr><tr><td>
Promiscuous Capture
</td><td>
To enable the AP to capture packets in promiscuous mode, select the **Enable** check box. By default, promiscuous mode is disabled.
In promiscuous mode the radio or radios receive all traffic on the channel, including traffic that is not destined for the AP. While the radio or radios are operating in promiscuous mode, they continue to serve associated clients. Packets that are not destined for the AP are not forwarded. When the capture process stops, the radio or radios revert to nonpromiscuous mode.
</td></tr><tr><td>
Client Filter
</td><td>
To capture packets for a specific client only, select the **Client Filter** check box and enter the clients MAC address in the **Client Filter MAC Address** field.
</td></tr><tr><td>
Client Filter MAC Address
</td><td>
If you select the **Client Filter** check box, enter the clients MAC address to capture the packets only for the specific client on the selected interface.
You must enter the MAC address in hexadecimal format with each octet separated by a hyphen, for example 00-11-22-33-44-55.
</td></tr><tr><td>
Capture Duration \(10-3600 secs\)
</td><td>
Enter the maximum duration of the capture process \(that is, if you do not click the **Stop** button\).
The range is from 10 to 3600 seconds. By default, the maximum duration is 300 seconds.
</td></tr></tbody>
</table>6. To start the packet capture process, click the **Start** button.
If any captured packets are already stored on the AP, you are prompted to allow the packet capture process to overwrite the old information.
7. To stop the packet capture process, click the **Stop** button.
If you do not stop the process manually, the process is automatically stopped when the capture duration period is exceeded.
8. To download the file with captured packets, do the following:
1. Click the **Download** button.
2. Follow the directions of your browser to save the file to your computer.
9. To display the latest information on the page, click the **Refresh** button.
## Perform a ping test {#task_amd_vbr_h1c}
You can ping the IP address of a device or network location from the AP and display the results of the ping test.
To perform a ping test:
1. Launch a web browser from a computer that is connected to the same network as the AP or directly to the AP through an Ethernet cable or WiFi connection.
2. In the browser address bar, type the IP address that is assigned to the AP.
The login page displays.
If your browser displays a security warning, you can proceed, or add an exception for the security warning. For more information, see [What to do if you get a browser security warning](#concept_c2d_g4q_czb).
3. Type the AP user name and password, and click the **Login** button.
The user name is **admin**. The password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
The Dashboard displays.
4. Select **Management &gt; Diagnostics &gt; Ping Test**.
The Ping Test page displays.
5. Specify the settings that are described in the following table.
<table id="table_dmd_vbr_h1c"><thead><tr><th>
Setting
</th><th>
Description
</th></tr></thead><tbody><tr><td>
Ping Count
</td><td>
The number of pings that the AP must send. The number can be between 1 and 1024. The default number is 16.
</td></tr><tr><td>
Packet Size \(in Bytes\)
</td><td>
The size of each ping packet. The size can be between 4 and 1024 bytes. The default size is 64 bytes.
</td></tr><tr><td>
Ping Interval \(in sec\)
</td><td>
The interval between pings. The interval can be between 0.5 and 10 seconds. The default interval is 1 second.
</td></tr><tr><td>
Ping Timeout \(in sec\)
</td><td>
The period after which a ping times out. The period can be between 1 and 300 seconds. The default period is 60 seconds.
</td></tr><tr><td>
Remote Host
</td><td>
The IP address that the AP must ping. This field can contain a maximum of 100 characters. The default address is 8.8.8.8.
</td></tr></tbody>
</table>6. To start the ping test, click the **Start** button.
The results of the ping test display in the Ping Result field.
7. To stop the ping test before the ping count is reached or if the ping times out, click the **Stop** button.
## Quick tips for WiFi troubleshooting {#concept_jmw_c2r_h1c}
**Problems with a WiFi network**
If one or more WiFi networks do not function normally, consider to repower the AP:
1. Unplug the Ethernet cable from the AP to the network switch.
2. If you use a power adapter, disconnect it from the AP.
3. Plug in the Ethernet cable from the AP to the network switch. Wait two minutes.
4. If you use a power adapter, connect it to the AP. Wait two minutes.
**Problems with a WiFi client**
If a WiFi client cannot connect to the AP, check the following:
- Make sure that the WiFi radios are not off. For more information about the WiFi radios, see [Turn a radio on or off](#task_vdl_3yp_c1c).
- Make sure that the WiFi settings in the WiFi client and AP match exactly.
The WiFi network name \(SSID\) and WiFi security settings of the AP and WiFi client must match exactly.
For information about accessing the AP for initial configuration over a WiFi connection, see [Connect to the AP for initial configuration](#concept_l2y_snq_czb).
- Make sure that the WiFi client supports the authentication and encryption that you are using for the WiFi network. For more information, see [Change the authentication and encryption for a WiFi network](#task_afq_pz1_2zb).
**Note:** If the APs WiFi authentication and encryption is set to WPA3 Personal and the WiFi client does support WPA3, make sure that the WiFi adapter device driver is updated to the latest version on the WiFi client.
- Make sure that the WiFi client is not too far from the AP or too close. To see if the signal strength improves, move the WiFi client near the AP but at least 6 feet \(1.8 meters\) away.
- Make sure that the WiFi signal is not blocked by objects between the AP and the WiFi client.
- Make sure that the APs SSID broadcast is not disabled.
If the APs SSID broadcast is disabled, the WiFi network name is hidden and does not display in the WiFi clients scanning list. To connect to a hidden network, the user must enter the network name and the WiFi password. For more information about the SSID broadcast, see [Hide or broadcast the SSID for a WiFi network](#task_egv_ddb_2zb).
- Make sure that the WiFi client does not use a static IP address but is configured to receive an IP address automatically with DHCP. \(For most devices, DHCP is the default setting.\)
## Troubleshoot with the LED {#concept_jyq_mfr_h1c}
For general information about the LED, see [Top panel LED](#concept_yf3_35p_czb).
When you connect the AP to a power source and you did not disable the LED \(see [Manage the LED](#task_zzj_n3d_h1c)\), the LED lights as described here:
1. The LED lights solid amber initially and then blinks amber slowly. After about two minutes, the LED turns either solid green or solid blue, indicating that the startup procedure is complete and the AP is ready:
- **Solid green**: The AP functions either as a standalone AP, or as an Insight discovered AP that is *not* connected to the Insight cloud-based management platform.
- **Solid blue**: The AP functions in Insight mode and is connected to the Insight cloud-based management platform.
2. When the startup procedure is complete, if clients are connected to a radio, the LED is blinking blue.
You can use the LED for troubleshooting. For more information, see the following sections:
### LED remains off {#concept_ctw_ghr_h1c}
If you use a PoE++ connection and the LED is off when the Ethernet cable is connected to a PoE++ switch, do the following:
- Make sure that the LED is not disabled \(see [Manage the LED](#task_zzj_n3d_h1c)\).
- Make sure that the Ethernet cable between the AP and the PoE++ switch is correctly connected at both ends.
- Make sure that the other end of the Ethernet cable is plugged into a PoE++ port on a PoE++ switch that is receiving power.
- Make sure that the PoE power budget of the PoE+ switch is not oversubscribed so that the PoE+ switch is capable of delivering PoE+ \(802.3at\) power to the AP.
- Make sure that the PoE power budget of the PoE++ switch is not oversubscribed so that the PoE++ switch is capable of delivering PoE++ \(802.3bt\) power to the AP.
If you use an optional power adapter and the LED remains off when the AP is turned on, do the following:
- Make sure that the LED is not disabled \(see [Manage the LED](#task_zzj_n3d_h1c)\).
- Make sure that the power adapter is correctly connected to the AP, and that the power adapter is correctly connected to a functioning power outlet. If it is plugged into a power strip, make sure that the power strip is turned on. If it is plugged directly into the wall, verify that the outlet is not switched off.
- Make sure that you are using the NETGEAR power adapter for this product. That is, do not use the NETGEAR power adapter for another NETGEAR product or a third-party power adapter.
If the error persists, a hardware problem might exist. For recovery instructions or help with a hardware problem, contact technical support at [netgear.com/support](http://www.netgear.com/support).
### LED remains solid amber {#task_s4y_rjr_h1c}
When you connect the AP to a power source, the LED lights solid amber initially, then blinks amber slowly, and finally turns solid green or solid blue, indicating that the startup procedure is complete and the AP is ready.
If the LED remains solid amber after five minutes, either a boot error occurred or the AP is malfunctioning.
Do the following:
1. Disconnect the AP from its power source, reconnect it, and wait several minutes to see if the startup procedure completes successfully.
2. If the startup procedure still does not complete successfully and the LED remains solid amber after five minutes, use the **Reset** button to return the AP to its factory default settings.
For more information, see [Use the Reset button to reset the AP](#task_ocl_rkd_h1c).
If the AP functions as a PoE PD, see [The AP functions as a PoE PD and the LED is blinking green continuously](#task_z4q_dnr_xlb).
If the error persists, a hardware problem might exist. For recovery instructions or help with a hardware problem, contact technical support at [netgear.com/support](http://www.netgear.com/support).
### The AP functions as a PoE PD and the LED is blinking green continuously {#task_z4q_dnr_xlb}
When you connect the AP to a power source, the LED lights solid amber initially, then blinks amber slowly, and finally turns solid green or solid blue, indicating that the startup procedure is complete and the AP is ready.
If the AP functions as a PoE powered device \(PD\) and the LED is blinking green continuously, the AP might not be receiving power at the required 802.3at \(PoE+\) level. For example, this situation might occur if the AP is connected to a switch that provides only 802.3af \(PoE\) rather than 802.3at \(PoE+\).
If the AP functions as a PoE powered device \(PD\) and the LED is blinking green continuously, the AP might not be receiving power at the required 802.3bt \(PoE++\) level. For example, this situation might occur if the AP is connected to a switch that provides only 802.3at \(PoE+\) rather than 802.3bt \(PoE++\).
**Note:** If the AP receives insufficient power at the 802.3af \(PoE\) level, the AP reduces the transmit power on the 2.4 GHz and 5 GHz radios, and disables the 6 GHz radio.
**Note:** If the AP receives insufficient power at the 802.3at \(PoE+\) level, the AP reduces its maximum throughput by 50% on the 2.4 GHz radio, 25% on the 5 GHz radio, and 25% on the 6 GHz radio.
Do the following:
1. Disconnect and reconnect the Ethernet cable at the LAN/PoE+ port on the AP and at the 802.3at \(PoE+\) port on the PoE+ switch.
The AP restarts.
2. Disconnect and reconnect the Ethernet cable at the LAN 1/PoE++ port on the AP and at the 802.3bt \(PoE++\) port on the PoE++ switch.
The AP restarts.
3. If the LED continuous to blink green, check to see why the PoE+ switch cannot provide sufficient PoE power to the AP.
Most likely, the PoE power budget of the PoE+ switch is oversubscribed and you might need to disconnect another PoE device from the PoE+ switch to make sufficient PoE power available for the AP.
4. If the LED continuous to blink green, check to see why the PoE++ switch cannot provide sufficient PoE power to the AP.
Most likely, the PoE power budget of the PoE++ switch is oversubscribed and you might need to disconnect another PoE device from the PoE++ switch to make sufficient PoE power available for the AP.
### LED is blinking amber slowly, continuously {#concept_prq_bkr_h1c}
When you connect the AP to a power source, the LED lights solid amber temporarily and then turns solid green or solid blue, indicating that the startup procedure is complete and the AP is ready. During regular operation, the only time that the LED blinks amber temporarily is when firmware is being upgraded. Also, in that situation, the LED blinks amber quickly, not slowly.
If the blinks amber slowly and continuously, the AP did not receive an IP address from a DHCP server.
Check to make sure that the DHCP client of the AP is enabled \(see [Enable the DHCP client](#task_ssh_2sw_g1c)\), that your network includes a DHCP server \(or a router that functions as a DHCP server\), and that the DHCP server can reach the AP \(both must be on the same network\).
In the unlikely situation that your network does not include a DHCP server, you might need to configure a fixed \(static\) IP address on the AP \(see [Disable the DHCP client and set a fixed IP address](#task_qvk_frw_g1c)\).
### LED does not light blue in the NETGEAR Insight management mode {#task_cxk_zkr_h1c}
If the AP functions in the Web-browser management mode, the LED lights green. This is normal LED behavior.
However, if the AP functions in the NETGEAR Insight management mode and the LED does not light blue but remains green, the AP is not connected to the Insight cloud-based management platform.
If the AP functions in the NETGEAR Insight management mode and the LED does not light blue, try the following troubleshooting steps until the problem is resolved:
1. Verify that the management mode of the AP is NETGEAR Insight.
For more information, see [Change the management mode to NETGEAR Insight or Web-browser](#task_an4_y5x_g1c).
2. Make sure that the Ethernet cable connection between the AP and your network is good.
3. Make sure that the AP is connected to the Internet and that the Internet connection is good.
4. Make sure that the AP is running the latest firmware version.
For more information, see [Manage the firmware of the AP](#concept_qpc_2dd_h1c).
5. Disconnect and reconnect the Ethernet cable at the LAN/PoE++ port and wait five minutes to see if the LED lights solid blue.
If you use a power adapter with the AP, disconnect and reconnect the power adapter and wait five minutes to see if the LED lights solid blue.
6. If the problem is still not resolved, use the **Reset** button to return the AP to its factory default settings, and reconfigure the AP.
For more information, see [Use the Reset button to reset the AP](#task_ocl_rkd_h1c).
If the error persists, a hardware problem might exist. For recovery instructions or help with a hardware problem, contact technical support at [netgear.com/support](http://www.netgear.com/support).
### LED does not stop blinking amber, green, and blue {#concept_khy_qlr_h1c}
During the initial installation and configuration process in an Insight Instant Mesh WiFi network, the LED blinks amber, green, and blue while the AP is being configured as a node. For more information, see [Connect the AP as a node to a root using the Insight app](#task_rvq_v5m_dzb).
If the LED does not stop blinking amber, green, and blue, the node cannot connect.
Check the following items or try the following troubleshooting steps:
- Make sure that at least one root is available for the node to connect to.
- Make sure that all roots run the latest firmware version.
- Make sure that the output power of each radio on each root is at its maximum level. By default, the output power for a radio is at its maximum level. For more information, see [Change the output power for a radio](#task_xlh_q2q_c1c).
- Make sure that the node is not too far away from a root. For more information, see [The node and root cannot connect](#task_rcq_dmr_h1c).
- Restart the node.
- Remove the node from your Insight network location and from your Insight account. Then, add the node to your Insight account again and to your Insight network location.
## The node and root cannot connect {#task_rcq_dmr_h1c}
When you add the AP as a node to an Insight network location that includes one or more roots \(see [Connect the AP as a node to a root using the Insight app](#task_rvq_v5m_dzb)\), we recommend that you place the node in the same room as a root during the initial sync. After a successful sync, move the node to the location where you intend to use it.
For a reliable WiFi connection, place the node less than 25 feet \(7.5 m\), in a line of sight with minimal obstacles from the closest root.
To sync the node and the root after you already added the node to an Insight network location:
1. Place the node in the same room as the root.
Use this node location only during the sync process.
2. Connect the node to a power source.
If you do not use a PoE++connection to a PoE++ switch, connect a power adapter to the DC power connector.
The LED on the node lights solid amber.
3. Wait for the node to go through the initial connection and configuration process and for the LED to stop blinking amber, green, and blue and to light solid blue.
**Note:** The initial connection and configuration process might take up to 10 minutes. The node might restart during the configuration process.
The LED lights as follows during the initial connection and configuration process:
- **Blinking green**: The node is attempting to detect a root.
- **Solid green**: The node is making its first connection with the root that provides the strongest WiFi signal.
- **Blinking amber slowly**: The node is contacting the network router or DHCP server to receive an IP address.
If the LED does not stop blinking amber, see [LED is blinking amber slowly, continuously](#concept_prq_bkr_h1c).
- **Blinking amber, green, and blue**: The node is being configured as a managed device in the Insight Instant Mesh WiFi network.
If the LED does not stop blinking amber, green, and blue, see [LED does not stop blinking amber, green, and blue](#concept_khy_qlr_h1c).
When the configuration is complete, the LED lights as follows:
- **Solid blue**: The configuration is complete and the node is ready for operation. The node functions in the Insight Instant Mesh WiFi network and is connected to the Insight cloud.
4. Disconnect the node and move it to the location where you intend to use it.
5. At the new location, repeat [2](#step_ddp_pmr_h1c) and [3](#step_zbv_pmr_h1c).
6. Wait for the node to resync with the root.
When the nodes LED lights solid blue, the node and root synced successfully.
If the node and root did not sync, move the node closer to the root and try again. The node must be within the roots WiFi coverage area to establish a good or fair WiFi connection.
## Troubleshoot WiFi connectivity for a WiFi client {#concept_gsy_5pr_h1c}
If a WiFi client cannot connect to the AP or the WiFi connectivity is not normal, try to isolate the problem:
- Make sure that the WiFi settings in the WiFi client and AP match exactly.
The WiFi network name \(SSID\) and WiFi security settings of the AP and WiFi device must match exactly. Make sure that the WiFi client uses the correct passphrase for the WiFi network.
For information about accessing the AP for initial configuration over a WiFi connection, see [Connect to the AP for initial configuration](#concept_l2y_snq_czb).
- Does the WiFi client support the authentication and encryption that you configured for the WiFi network?
For more information, see [Change the authentication and encryption for a WiFi network](#task_afq_pz1_2zb).
**Note:** If the APs WiFi authentication and encryption is set to WPA3 Personal and the WiFi client does support WPA3, make sure that the WiFi adapter device driver is updated to the latest version on the WiFi client.
- Make sure that the WiFi radios are not off. For more information about the WiFi radios, see [Turn a radio on or off](#task_vdl_3yp_c1c).
- If you disabled the APs SSID broadcast for the WiFi network, the WiFi network is hidden and does not display in the WiFi devices network scanning list. \(By default, SSID broadcast is enabled.\) For more information about the SSID broadcast, see [Hide or broadcast the SSID for a WiFi network](#task_egv_ddb_2zb).
**Note:** If you want to change the settings of a WiFi network on the AP, use a wired LAN connection to avoid being disconnected when the new WiFi settings take effect.
If the WiFi client finds the WiFi network but the signal strength is weak, check these conditions:
- Is the WiFi client too far from the AP, or too close?
Place the WiFi client near the AP, but at least 6 feet \(1.8 meters\) away, and see whether the signal strength improves.
- Are objects between the WiFi client and the AP blocking the WiFi signal?
## Troubleshoot Internet browsing {#concept_y2j_wqr_h1c}
If a WiFi device is connected to the AP but unable to load any web pages from the Internet, it might be for one of the following reasons:
- The WiFi device might not recognize any DNS server addresses.
If you manually entered a DNS address when you set up the AP \(that is, the AP uses static IP address settings\), restart the WiFi device and verify the DNS address.
- The WiFi device might not use the correct TCP/IP settings.
If the WiFi device obtains its information by DHCP, reboot the WiFi device and verify the address of the switch or Internet modem to which the AP is connected.
For information about TCP/IP problems, see [Troubleshoot your network using the ping utility](#concept_m3z_jqr_h1c).
## You cannot log in to the AP over a LAN connection {#concept_jmq_wrr_h1c}
If you are unable to log in to the AP from a computer on your LAN and use the APs device UI, check the following:
- Make sure that you are using the correct login information. The user name is **admin** and the password is the one that you specified. The user name and password are case-sensitive.
If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
- Make sure that the IP address of your computer is in the same subnet as the AP.
If you disabled the APs DHCP client and configured a fixed \(static\) IP address when you connected the AP to your network \(see [Disable the DHCP client and set a fixed IP address](#task_qvk_frw_g1c)\), change the IP address and subnet mask on your computer to so that the IP addresses of your computer and the AP are in the same IP subnet.
- Try quitting the browser and launching it again.
- If you are using on older type of browser, make sure that Java, JavaScript, or ActiveX is enabled in your browser. For example, if you are using Internet Explorer, click the **Refresh** button to be sure that the Java applet is loaded.
- If your APs IP address was changed \(for example, the DHCP server in your network issued an IP address to the AP\) and you do not know the current IP address, use an IP scanner application to detect the IP address.
**Note:** You can also use the NETGEAR Insight app to discover the IP address that is assigned to the AP. For more information, see [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
If you still cannot find the IP address, reset the APs configuration to factory defaults. This sets the APs IP address to 192.168.0.100 and enables the DHCP client. For more information, see [Use the Reset button to reset the AP](#task_ocl_rkd_h1c).
## Changes are not saved {#concept_mhv_yqr_h1c}
If you are logged in to the APs device UI and the AP does not save the changes that you make on a page, do the following:
- When entering configuration settings, always click the **Apply** button before moving to another page or tab or your changes are lost.
- Click the **Refresh** or **Reload** button in the web browser. It is possible that the changes occurred but that the old settings remain in the web browsers cache.
## You enter the wrong password and can no longer log in to the AP {#concept_vt3_wsr_h1c}
If you enter the wrong admin password five times, access to the APs device UI is blocked for five minutes.
After five minutes, the counter for failed login attempts is reset, and you can attempt to log in again.
In addition, the following rules apply to the number of failed login attempts:
- The last access attempt determines whether the counter for failed login attempts is increased.
- If you restart the AP, the counter for failed login attempts is reset.
## Troubleshoot your network using the ping utility {#concept_m3z_jqr_h1c}
Most network devices and routers contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. You can easily troubleshoot a network using the ping utility in your computer or workstation.
### Test the LAN path to your AP {#task_d3f_v5r_h1c}
You can ping the AP from your computer to verify that the LAN path to your AP is set up correctly.
To ping the AP from a Windows-based computer:
1. From the Windows taskbar, click the **Start** button and find and select **Run**.
2. In the field provided, enter **ping** followed by the IP address of the AP, as in this example:
**ping 192.168.0.100**
3. Click the **OK**button.
A message such as the following one displays:
`Pinging <IP address> with 32 bytes of data`
If the path is working, you see this message:
`Reply from < IP address >: bytes=32 time=NN ms TTL=xxx`
If the path is not working, you see this message:
`Request timed out`
If the path is not functioning correctly, one of the following problems might be occurring:
- Wrong physical connections
Check that the appropriate LEDs are on for your network devices. If your AP and computer are connected to a separate Ethernet switch, make sure that the link LEDs are lit for the switch ports that are connected to your computer and AP.
- Wrong network configuration
Verify that the IP addresses for your computer and the AP are correct and that the addresses are in the same subnet.
### Test the path from your computer to a remote device {#task_c4f_3vr_h1c}
After you verify that the LAN path works correctly, test the path from your computer to a remote device.
To test the path from your computer to a remote device:
1. From the Windows taskbar, click the **Start** button and find and select **Run**.
2. In the field provided, enter **ping -n 10** *IP address*.
*IP address* is the IP address of a remote device such as a remote DNS server.
If the path is functioning correctly, replies as described in [Test the LAN path to your AP](#task_d3f_v5r_h1c) display. If you do not receive replies, do the following:
- Check to see that your computer lists the IP address of the router to which the AP is connected as the default router. If the IP configuration of your computer is assigned by DHCP, this information is not visible in your computers Network Control Panel.
- Check to see that the network address of your computer \(the portion of the IP address specified by the netmask\) is different from the network address of the remote device.
# Factory Default Settings and Technical Specifications {#concept_rlg_3fs_h1c .concept}
This appendix includes the following sections:
## Factory default settings {#concept_cnr_rfs_h1c}
You can reset the AP to the factory default settings, which are shown in the following table.
For more information about resetting the AP to its factory settings, see [Return the AP to its factory default settings](#concept_gxl_1kd_h1c).
<table id="table_dnr_rfs_h1c"><thead><tr><th>
Feature
</th><th>
Default Setting
</th></tr></thead><tbody><tr><td colspan="2">
**Management and login settings**
</td></tr><tr><td>
Management mode
</td><td>
NETGEAR Insight \(Cloud/Remote\)
**Note**: To access the device UI, you must select Web-browser \(Local\) as the management mode.
</td></tr><tr><td>
User login URL
</td><td>
192.168.0.100, if not connected to a network.
**Note**: If connected to a network, the AP receives an IP address from a DHCP server or router in the network.
</td></tr><tr><td>
User name
</td><td>
**admin**, nonconfigurable
</td></tr><tr><td>
AP login password
</td><td>
**password**, case-sensitive, configurable
**Note**: The first time that you log in to the device UI, you must change the AP login password. If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, enter the Insight network password for that location. For more information, see [Connect over the Internet using the NETGEAR Insight Cloud Portal](#task_vnk_dtq_czb) or [Connect over WiFi using the NETGEAR Insight app](#task_kw1_drq_czb).
</td></tr><tr class="keep-with-next"><td colspan="2">
**WiFi network settings for initial setup and WiFi login**
</td></tr><tr><td>
Initial SSID name
</td><td>
The SSID for initial setup is NETGEARxxxxxx-SETUP, where xxxxxx is the last six hexadecimal digits of the APs MAC address.**Note**: The first time that you log in to the device UI, you must change the SSID. If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, this requirement might not apply.
</td></tr><tr><td>
Initial WiFi security
</td><td>
WPA3/WPA2 Personal \(which is WPA3-PSK/WPA2-PSK\)WiFi password \(network key\): **sharedsecret**
**Note**: The first time that you log in to the device UI, you must change the WiFi password. If you previously added the AP to a NETGEAR Insight network location and managed the AP through the Insight Cloud Portal or Insight app, this requirement might not apply.
</td></tr><tr><td>
RF channels
</td><td>
Automatically selected \(Auto\) for all radios.
**Note**: The available and supported channels depend on the country and region that you select for the AP.
</td></tr><tr><td colspan="2">
**General system settings**
</td></tr><tr><td>
Operating mode
</td><td>
AP mode
</td></tr><tr><td>
DHCP client
</td><td>
Enabled so that the AP receives an IP address from a DHCP server or router in the network.
</td></tr><tr><td>
NTP client
</td><td>
Enabled
</td></tr><tr><td>
Spanning Tree Protocol
</td><td>
Disabled
</td></tr><tr><td>
Network integrity check
</td><td>
Disabled
</td></tr><tr><td>
IGMP snooping
</td><td>
Disabled
</td></tr><tr><td>
Hardware Assisted Datapath
</td><td>
Enabled
</td></tr><tr><td>
802.1Q VLAN
</td><td>
Untagged VLAN with VLAN ID 1
</td></tr><tr><td>
Management VLAN
</td><td>
VLAN ID 1
</td></tr><tr><td>
Syslog
</td><td>
Disabled
</td></tr><tr><td>
Ethernet LLDP
</td><td>
Enabled
</td></tr><tr><td>
UPnP
</td><td>
Enabled
</td></tr><tr><td>
LED
</td><td>
Enabled
</td></tr><tr><td>
Energy Efficiency Mode
</td><td>
Disabled
</td></tr><tr><td>
Multicast DNS gateway
</td><td>
Disabled
</td></tr><tr><td colspan="2">
**WLAN settings for an individual WiFi network \(SSID or VAP\)**
</td></tr><tr><td>
Broadcast SSID
</td><td>
Enabled
</td></tr><tr><td>
VLAN ID \(for WiFi clients\)
</td><td>
1
</td></tr><tr><td>
Network authentication
</td><td>
WPA3/WPA2 Personal \(which is WPA3-PSK/WPA2-PSK\)
The nonconfigurable data encryption for WPA3 is SAE
The nonconfigurable data encryption for WPA2 is AES
</td></tr><tr><td>
802.11w \(PMF\)
</td><td>
Optional
</td></tr><tr><td>
Multi PSK
</td><td>
Disabled
Multi PSK is available only when the authentication is WPA2 Personal or WPA2/WPA Personal.
</td></tr><tr><td>
Multi-link operation
</td><td>
Disabled
</td></tr><tr><td>
Broadcast schedule
</td><td>
Always on
</td></tr><tr><td>
Radio bands
</td><td>
2.4 GHz and 5 GHz enabled but 6 GHz disabled
</td></tr><tr><td>
Band steering
</td><td>
Disabled
Automatic band steering includes automatic 802.11k RRM and automatic 802.11v WiFi network management.
</td></tr><tr><td>
Addressing and Traffic
</td><td>
Bridge
</td></tr><tr><td>
WiFi client isolation
</td><td>
Disabled
</td></tr><tr><td>
URL tracking
</td><td>
Disabled
</td></tr><tr><td>
DHCP offer broadcast to unicast
</td><td>
Enabled
</td></tr><tr><td>
MAC ACL for WiFi client access
</td><td>
None assigned
</td></tr><tr><td>
MAC ACL for broadband and multicast traffic from WiFi clients
</td><td>
None assigned
</td></tr><tr><td>
MAC/IP Traffic Filter group
</td><td>
None assigned
</td></tr><tr><td>
Captive portal
</td><td>
None
</td></tr><tr><td>
MAC ACL
</td><td>
None assigned
</td></tr><tr><td>
Rate limit
</td><td>
None
</td></tr><tr><td>
Advanced rate selection
</td><td>
Fixed multicast rate: 11 Mbps for the 2.4 GHz radio and 24 Mbps for the 5 GHz radio
Rate control: Disabled
Density level: 0
</td></tr><tr><td colspan="2">
**Basic radio settings that apply to all WiFi networks \(SSIDs or VAPs\)**
</td></tr><tr><td>
Radio broadcast
</td><td>
2.4 GHz radio: Enabled5 GHz radio: Enabled
6 GHz radio: Enabled
</td></tr><tr><td>
WiFi mode
</td><td>
2.4 GHz radio: 11be mode, which also supports 11ax, 11b, 11bg, and 11na
2.4 GHz radio: 11ax mode, which also supports 11b, 11bg, and 11na
5 GHz radio: 11be mode, which also support 11a, 11na, 11ac, and 11ax
6 GHz radio: 11be mode, which also supports 11ax
</td></tr><tr><td>
Channel width
</td><td>
2.4 GHz radio: 20 MHz
5 GHz radio: 40 MHz
6 GHz radio: 80 MHz
</td></tr><tr><td>
Guard interval
</td><td>
2.4 GHz radio: Long-800 ns
5 GHz radio: Long-800 ns
6 GHz radio: Long-800 ns
</td></tr><tr><td>
Output power
</td><td>
2.4 GHz radio: Maximum \(100%\)
5 GHz radio: Maximum \(100%\)
6 GHz radio: Maximum \(100%\)
</td></tr><tr><td>
Channel
</td><td>
2.4 GHz radio: Auto
5 GHz radio: Auto
6 GHz radio: Auto
</td></tr><tr><td>
Wi-Fi Multimedia \(WMM\)
</td><td>
2.4 GHz radio: Enabled
5 GHz radio: Enabled
6 GHz radio: Enabled
</td></tr><tr><td>
WMM Powersave
</td><td>
2.4 GHz radio: Enabled
5 GHz radio: Enabled
6 GHz radio: Enabled
</td></tr><tr class="keep-with-next"><td colspan="2">
**Advanced radio settings that apply to all WiFi networks \(SSIDs or VAPs\)**
</td></tr><tr><td>
Number of WiFi clients
</td><td>
2.4 GHz radio: 200 default \(also the maximum number\)
5 GHz radio: 200 default \(also the maximum number\)
6 GHz radio: 200 default \(also the maximum number\)
</td></tr><tr><td>
RTS threshold
</td><td>
2.4 GHz radio: Enabled at 2346
5 GHz radio: Enabled at 2346
6 GHz radio: Enabled at 2346
</td></tr><tr><td>
Beacon interval
</td><td>
2.4 GHz radio: 100 millisec.
5 GHz radio: 100 millisec.
6 GHz radio: 100 millisec.
</td></tr><tr><td>
802.11n 256 QAM
</td><td>
2.4 GHz radio: Enabled \(applies in 11ng WiFi mode only\)
5 GHz radio: Nonconfigurable
6 GHz radio: Nonconfigurable
</td></tr><tr><td>
MU-MIMO
</td><td>
2.4 GHz radio: Enabled
5 GHz radio: Enabled
6 GHz radio: Enabled
</td></tr><tr><td>
DTIM interval
</td><td>
2.4 GHz radio: 3
5 GHz radio: 3
6 GHz radio: 3
</td></tr><tr><td>
Broadcast and multicast rate limiting
</td><td>
2.4 GHz radio: Enabled with a limit of 50 pps
5 GHz radio: Enabled with a limit of 50 pps
6 GHz radio: Enabled with a limit of 50 pps
</td></tr><tr><td>
802.11h
</td><td>
2.4 GHz radio: Not applicable
5 GHz radio: Enabled
6 GHz radio: Enabled
</td></tr><tr><td>
Load balancing between radios
</td><td>
Disabled
</td></tr><tr><td>
Force sticky clients to disassociate
</td><td>
Disabled
</td></tr><tr><td>
ARP proxy
</td><td>
Enabled
</td></tr><tr><td>
Hostname override
</td><td>
None
</td></tr><tr><td>
Wireless bridge
</td><td>
None configured
</td></tr><tr><td colspan="2">
**Security**
</td></tr><tr><td>
RADIUS servers
</td><td>
None configured
</td></tr><tr><td>
Neighbor AP detection
</td><td>
2.4 GHz radio: Disabled
5 GHz radio: Disabled
6 GHz radio: Disabled
</td></tr><tr><td>
Global MAC ACLs for broadcast and multicast traffic from the wired LAN
</td><td>
None configured
</td></tr><tr><td>
Wireless Noise Filter
</td><td>
Eight default traffic policies, all of which are disabled
</td></tr><tr><td>
Global Traffic Filter
</td><td>
No traffic policies configured
</td></tr><tr><td>
MAC ACLs for WiFi client access
</td><td>
Eight default ACLs but none configured with MAC addresses
</td></tr><tr><td>
MAC ACLs for broadcast and multicast traffic from WiFi clients
</td><td>
Eight default ACLs but none configured with MAC addresses
</td></tr><tr><td>
MAC/IP Traffic Filters for WiFi networks
</td><td>
Eight default groups but none configured with traffic policies
</td></tr><tr><td>
L2 security
</td><td>
Disabled
</td></tr><tr><td colspan="2">
**Remote management**
</td></tr><tr><td>
SNMP
</td><td>
Disabled
</td></tr><tr><td colspan="2">
**Other**
</td></tr><tr><td>
Hostname override
</td><td>
None configured
</td></tr></tbody>
</table>## Technical specifications {#concept_wkt_rgs_h1c}
The following table shows the technical specifications.
<table id="table_xkt_rgs_h1c"><thead><tr><th>
Feature
</th><th>
Description
</th></tr></thead><tbody><tr><td>
WiFi modes
</td><td>
2.4 GHz radio: 802.11be, 802.11ax, 802.11ng, 801.11bg, and 802.11b
2.4 GHz radio: 802.11ax, 802.11ng, 801.11bg, and 802.11b
5 GHz radio: 802.11be, 802.11ax, 802.11ac, 802.11na, and 802.11a
6 GHz radio: 802.11be and 802.11ax
The AP supports concurrent operation in the 2.4 GHz, 5 GHz, and 6 GHz radio bands.
</td></tr><tr><td>
Maximum theoretical throughput
</td><td>
About 9.4 Gbps simultaneous throughput \(688 Mbps in the 2.4 GHz band, 2882 Mbps in the 5 GHz band, and 5765 Mbps in the 6 GHz band\).
About 18.4 Gbps simultaneous throughput \(1147 Mbps in the 2.4 GHz band, 5765 Mbps in the 5 GHz band, and 11530 Mbps in the 6 GHz band\).
**Note**: Throughput can vary. Network conditions and environmental factors, including volume of network traffic, building materials and construction, and network overhead, affect the data throughput rate.
</td></tr><tr><td>
Maximum number of supported clients
</td><td>
2.4 GHz radio: 200
5 GHz radio: 200
6 GHz radio: 200
</td></tr><tr><td>
802.11 security
</td><td>
WPA3 Personal, WPA3 Enterprise, WPA3/WPA2 Personal, WPA2 Personal, WPA2 Enterprise, WPA2/WPA Personal, Open Enhanced, and Open
</td></tr><tr><td>
WiFi standards
</td><td>
WiFi Multimedia Prioritization \(WMM\)
Wireless distribution system \(WDS\)
</td></tr><tr><td>
WiFi streams
</td><td>
2.4 GHz radio: 2 streams \(2x2 antenna\)
5 GHz radio: 2 streams \(2x2 antenna\)
6 GHz radio: 2 streams \(2x2 antenna\)
</td></tr><tr><td>
WiFi streams
</td><td>
2.4 GHz radio: 4 streams \(4x4 antenna\)
5 GHz radio: 4 streams \(4x4 antenna\)
6 GHz radio: 4 streams \(4x4 antenna\)
</td></tr><tr><td>
Operating frequency ranges
</td><td>
2.4 GHz band: 2.4122.462 GHz
5 GHz band: 5.185.825 GHz
6 GHz band: 5.9257.125 GHz
</td></tr><tr><td>
Power over Ethernet
</td><td>
If you do not use a power adapter, the LAN/PoE port requires 802.3at \(PoE+\) power.
If you do not use a power adapter, the LAN/PoE port requires 802.3bt \(PoE++\) power.
**Note**: PoE might be considered a network environment 0 per IEC TR 62101, and thus the interconnected ITE circuits might be considered safety extra low voltage \(SELV\).
</td></tr><tr><td>
PoE power consumption
</td><td>
25W
39W maximum
</td></tr><tr><td>
Power adapter
</td><td>
12 VDC, 2.5A
12 VDC, 3.5A
The plug is localized to the country of sale.
</td></tr><tr><td>
Hardware interfaces
</td><td>
One RJ-45 LAN/PoE Ethernet port that supports 2.5 Gbps, 1 Gbps, and 100 Mbps. The port also supports Auto Uplink \(Auto MDI-X\).
**Note:** Without a power adapter, the LAN/PoE port requires 802.3at \(PoE+\).
</td></tr><tr><td>
Hardware interfaces
</td><td>
One RJ-45 LAN/PoE Ethernet port that supports 10 Gbps, 5 Gbps, 2.5 Gbps, 1 Gbps, and 100 Mbps. The port also supports Auto Uplink \(Auto MDI-X\).
**Note:** Without a power adapter, the LAN/PoE port requires 802.3bt \(PoE++\).
</td></tr><tr><td>
Dimensions \(W x D x H\)
</td><td>
6.18 x 6.18 x 1.57 in
\(157 x 157 x 40 mm\)
</td></tr><tr><td>
Dimensions \(W x D x H\)
</td><td>
6.77 x 6.77 x 1.73 in
\(172 x 172 x 44 mm\)
</td></tr><tr><td>
Weight
</td><td>
1.52 lb \(0.69 kg\)
2.09 lb \(0.95 kg\)
</td></tr><tr><td>
Operating temperature
</td><td>
32º to 104ºF \(0° to 40°C\)
</td></tr><tr><td>
Operating humidity
</td><td>
5 to 95% maximum relative humidity, noncondensing
</td></tr><tr><td>
Storage temperature
</td><td>
22° to 158°F \(30º to 70ºC\)
</td></tr><tr><td>
Storage humidity
</td><td>
5 to 95% maximum relative humidity, noncondensing
</td></tr><tr><td>
EMI certification
</td><td>
FCC Part 15 Report \(EMI\) SubPart B
CE EMC Report, EN 55032/24/35 Report
EN 301 489-17 EMC Report
</td></tr><tr><td>
Regulatory compliance US
</td><td>
FCC Grant
FCC Spectrum Report, Part 15, SubPart C \(15.247\)
FCC Spectrum Report, Part 15, SubPart E \(15.407\)
FCC DFS Report
FCC Standard Absorption Rate Report \(MPE\)
</td></tr><tr><td>
Regulatory compliance Europe
</td><td>
EN 300 328 Radio Spectrum Report
EN 301 893 Radio Spectrum Report
EN 301 893 DFS Report
EN 303 687 Report
EN RF Exposure \(MPE\)
</td></tr><tr><td>
Safety and energy compliance
</td><td>
IEC 62368-1 Certificate and Test Report, CE IEC 62368-1
</td></tr></tbody>
</table>
Reference in New Issue View Git Blame Copy Permalink