Shortly after publishing the Ubiquiti UniFi Wi-Fi guide late in 2017 I started to notice more frequent issues in updates from Ubiquiti. Robust Wi-Fi is an absolute requirement in my environment as it supports both entertainment and work. The impact of these issues prompted me to research alternative enterprise-level products. I ultimately decided on Ruckus and replaced the UniFi UAP-AC-SHDs with Ruckus R710 access points in early 2018. Since then I’ve used Ruckus’ R720, R730, R750 and R850 access points with great results. This guide provides details on how to configure Ruckus access points running Unleashed firmware to complement the pfSense baseline guide I published.
Establishing a highly performant Wi-Fi network isn’t a trivial exercise. As a prelude to the configuration section, I want to share some thoughts to help the reader think through the factors that can prevent optimal results.
Placement
The performance of any Wi-Fi access point will be significantly impacted if it is not optimally installed. Radio frequencies work best with clear line of sight, so try to locate access points away from obstructions and orient them as per the manufacturer’s guidance. Mounting access points designed for ceiling mounting vertically will degrade performance. Radiation patterns are provided in Ruckus’ technical documentation to aid optimal installation.
Building walls attenuate signal propagation, and some materials have more impact than others. Buildings with internal rooms constructed from brick or concrete will attenuate Wi-Fi signals significantly more than those constructed from drywall or plywood.
Material | 2.4GHz attenuation | 5GHz attenuation |
---|---|---|
Wooden Door | 4dB | 7dB |
Concrete Wall | 20dB | 30dB |
Plain Glass Window | 3dB | 8dB |
Steel Door | 20dB | 30dB |
Human Body | 3dB | 5dB |
Trees/Vegetation | 0.5dB | 1dB |
2.4GHz broadcasts provide less bandwidth but are more resilient to attenuation from obstacles than 5GHz signals. 2.4GHz may actually be preferable for low bandwidth devices that need to be situated far away from access points, for example, IoT devices.
Connectivity
Access points connected by high quality Cat5 or better cable are preferable to meshed Wi-Fi connections. Mesh connections are convenient but suffer from reduced throughput and increased latency when compared to physical back-hauls due to the rebroadcast nature of operation. If using the latest generation of Wi-Fi 6 access points, also consider utilising multi-gig 2.5 or 5Gbps connections to support potential traffic loads.
Newer access points are often equipped with higher antenna counts and greater processing capabilities and may require additional power from an 802.3at source in order to avoid reduced performance.
Density
A single access point centrally located is unlikely to be optimal in anything but the smallest environment, irrespective of price. In budget limited situations, consider two or more cheaper access points rather than a single more expensive one.
Bidirectional signal integrity
A Wi-Fi connection requires both send and receive to function. Increasing the access point broadcast volume is unlikely to resolve poor connection problems as the client may actually be the limiting factor. A battery powered mobile device is unable to broadcast as loudly as a high powered access point and may not be able to be heard.
Older Clients
Consider replacing older devices that only function on older protocols such as 802.11a or 802.11b. Access points will have to limit the performance of newer clients in order to support older devices.
Radio Frequency Interference
Even though there are 11 channels available in 2.4GHz, only 3 of them do not overlap or interfere with one another: 1, 6, and 11. Channels 2-5 interfere with 1 and 6, and channels 7-10 interfere with 6 and 11. When an access point or client has something to transmit, it must wait for the channel to be clear. Only one device can transmit at a time. When overlapping channels are used, any stations (STAs) on those channels will transmit independently of what is happening on the other channels, causing a degradation of performance.
These 2.4GHz channels also use the exact same frequencies as ZigBee channels 11-22. Consider IoT alternatives such as Z-Wave, which relies on sub-1GHz bands and is less likely to conflict.
There is more spectrum available in the 5GHz band, with each channel occupying its own 20MHz non-overlapping slice. 802.11ac unlocks 80MHz and 160MHz wide channels created by bonding 20MHz channels together.
DFS channels
DFS (Dynamic Frequency Selection) channels share the spectrum with Weather Radar and Radar systems. To be approved for use the FCC and IEEE required a mechanism that would enable these systems to co-exist. DFS was created to enable Wi-Fi devices to listen for radar events and either stop or automatically move away from affected channels. If an AP hears a radar event it must pick a new channel and inform its clients to move to this new channel, or stop transmitting for 30 minutes. There are several issues relating to the use of DFS channels:
The time to scan the other DFS channels to find an adjacent channel to move to can take a few seconds, and this can cause issues with latency sensitive applications including VoIP, video calls and media streaming.
Not all clients support DFS channels due to the additional complexity, and those that don’t will fail to connect. Amazon FireTV sticks are known to have issues.
Wi-Fi planning
Summarising such a complex topic is a challenge and I may revisit this in the future to provide more comprehensive guidance. In the meanwhile, some guidelines and best practices that have been beneficial personally include:
Access point installation and network performance are difficult to optimise without dedicated tools. These tools are often aimed at enterprise users and therefore expensive to purchase, however it may be possible to rent from a local Wi-Fi specialist.
Software
Netspot : WiFi analyser and wireless survey tool.
WiFi Explorer Pro : Wi-Fi scanner app for Mac.
Metageek Chanalyzer : WiFi analyser.
Hardware Spectrum Analyzers
WiSpy DBx : dual-band spectrum analyser that measures Wi-Fi and non-Wi-Fi activity in both the 2.4 GHz and 5 GHz bands.
Oscium WiPry 2500X : Transform a smartphone or tablet into a dual band spectrum analyser (2.4 & 5 GHz).
Ruckus supports several types of firmware including stand-alone, enterprise focused Smartzone and the recently introduced SOHO focused Unleashed. Smartzone is a more advanced product but requires a costly license for both software controller plus access points. Unleashed doesn’t require any additional licenses. The following are the limitations of Unleashed compared to Smartzone.
Not all of Ruckus’ access points are compatible with Unleashed firmware. Please review the release notes prior to purchasing.
Unleashed version 200.11.10.5.195 supports the following Ruckus models:
Indoor models: C110 H320 H510 M510 R320 R510 R550 R610 R650 R710 R720 R750 R850 R350 H550
Outdoor models: E510 T310c T310d T310n T310s T610 T610s T710 T710s T750 T750se T350c T350d
Feature | R710 | R720 | R750 | R850 |
---|---|---|---|---|
Max PHY rate (5/2.4GHz) Mbps | 1733 / 600 | 1733 / 600 | 2400 / 1148 | 4800 / 1148 |
Wi-Fi tech (5/2.4GHz) | 802.11ac / 802.11n | 802.11ac / 802.11n | 802.11ax (2.4GHz, 5GHz) WiFi 6 Certified | 802.11ax (2.4GHz, 5GHz) WiFi 6 Certified |
Concurrent Users | 512 | 512 | 1024 | 1024 |
Radio chains:streams (5/2.4GHz) | 4x4:4 SU-MIMO 4x4:3 MU-MIMO | 4x4:4 | 4x4:4 | 8x8:8 MU-MIMO 4x4:4 MU-MIMO |
Antenna patterns (per band) | 4000+ | 4000+ | 4000+ | 4000+ |
Antenna gain | Up to 3dBi | Up to 3dBi | Up to 3dBi | Up to 2dBi |
PD-MRC | Y | Y | Y | Y |
RX sensitivity (2.4/5) | -104dBm | -104dBm | -102dBm | -101dBm |
ChannelFly | Y | Y | Y | Y |
SmartMesh | Y | Y | Y | Y |
USB (IoT ready) | Y | Y | Y | Y |
Ethernet ports | 2x1Gbe | 1x1Gbe, 1x2.5Gbe | 1x1Gbe, 1x2.5Gbe | 1x1/2.5/5 Gbps, 1x10/100/1000Mbps |
Integrated BLE/ZigBee | Y | Y | Y | Y |
Feature | R650 | R610 | R550 | R510 |
---|---|---|---|---|
Max PHY rate (5/2.4GHz) Mbps | 2400 / 574 | 1300 / 450 | 1200 / 574 | 867 / 300 |
Wi-Fi tech (5/2.4GHz) | 802.11ax (2.4GHz/5GHz) WiFi 6 Certified | 802.11ac / 802.11n | 802.11ax (2.4GHz/5GHz) WiFi 6 Certified | 802.11ac / 802.11n |
Concurrent Users | 512 | 512 | 512 | 512 |
Radio chains:streams (5/2.4GHz) | 4x4:4 MU-MIMO 2x2:2 MU-MIMO | 3x3:3 | 2x2:2 | 2x2:2 |
Antenna patterns (per band) | 128 | 512 | 64 | 64 |
Antenna gain | Up to 3dBi | Up to 3dBi | Up to 3dBi | Up to 3dBi |
PD-MRC | Y | Y | Y | Y |
RX sensitivity (2.4/5) | -101dBm | -100dBm | -103dBm | -103dBm |
ChannelFly | Y | Y | Y | Y |
SmartMesh | Y | Y | Y | Y |
USB (IoT ready) | Y | Y | Y | Y |
Ethernet ports | 1x1Gbe, 1x2.5Gbe | 2x1Gbe | 2x1Gbe | 2x1Gbe |
Integrated BLE/ZigBee | Y | N | Y | N |
Feature | R350 | R320 |
---|---|---|
Max PHY rate (5/2.4GHz) Mbps | 1200 / 574 | 867 / 300 |
Wi-Fi tech (5/2.4GHz) | 802.11ax (2.4GHz/5GHz) WiFi 6 Certified | 802.11ac / 802.11n |
Concurrent Users | 256 | 256 |
Radio chains:streams (5/2.4Ghz) | 2x2:2 | 2x2:2 |
Antenna patterns (per band) | 64 | 64 |
Antenna gain | Up to 3dBi | Up to 3dBi |
PD-MRC | Y | N |
RX sensitivity (2.4/5) | -101dBm | -101dBm |
ChannelFly | Y | Y |
SmartMesh | Y | N |
USB (IoT ready) | Y | N |
Ethernet ports | 1x1Gbe | 1x1Gbe |
Integrated BLE/ZigBee | N | N |
As mentioned this guide builds upon and supports the pfSense baseline guide and requires a switch port configured as follows:
Prefer an 802.3at PoE supply to avoid limitations due to insufficient power. For example, the R750 model is limited as follows when supplied from an 802.3af supply.
Power Supply | Operating Characteristics | Max Power Consumption |
---|---|---|
802.3af | 2.4GHz radio: 2x4, 19dBm per chain; 5GHz radio: 2x4, 20dBm per chain; 2nd Ethernet port, onboard IoT & USB disabled | PoE: 12.54W |
802.3at | Full functionality; 2.4GHz radio: 4x4, 20dBm per chain; 5GHz radio: 4x4, 22dBm per chain; 2nd Ethernet port, onboard IoT & USB enabled (3W) | PoE+: 22.34W; DC power: 22.69W |
If your access point is not already running the Unleashed firmware, flash with Unleashed prior to configuration.
At the time of writing this guide, the current version is 200.11.10.5.195 and can be downloaded from the Ruckus Support Portal.
Connect to the access point and navigate to the default IP address of 192.168.0.1
Log in to the AP with the default username super and password sp-admin.
Navigate to Maintenance > Upgrade
Select Local, and locate the downloaded Unleashed firmware file.
Click Perform Upgrade.
Upgrading the firmware could take a few minutes and the access point will not be available during this time.
Do not remove the power from your access point until the upgrade finishes.
Once finished, Click OK to reconnect.
The AP will take a few minutes to initialise the Unleashed network before you are able to login.
The first access point configured will become the Master Access Point and will run the Unleashed software and manage other access points as and when they are connected. Preferably connect to the AP using an RJ45 cable, or alternatively connect to the ConfigureMe-xxxx network it broadcasts.
Navigate to 192.168.0.1
Provide initial configuration options
Wireless LAN
Administrator
Click Finish to apply the settings.
The AP will take a few minutes to apply the settings and restart.
Preferred Master
Switch Approval
Email server
Notifications and alerts can be sent via an SMTP mail service such as Google if required.
You will need to enable and generate a Google application password prior to configuring this section.
Log Settings
Enable logging to a remote syslog server if needed
It’s preferable to use a static IP address for Wi-Fi access points to reduce the dependency on local DHCP services.
Set time synchronization with pfSense NTP server
Country code: United States or your locale
If set to United States, an additional channel optimization option is available that can help with channel selection.
Optimization | Channels Used | Description | Uses |
---|---|---|---|
Compatibility | 36, 40, 44, 48, 149, 153, 157, 161, 165 (non-DFS channels). | DFS-capable Unleashed APs are limited to the same channels as all other APs (non-DFS channels only). | You have a mixture of APs that support DFS channels and other Ruckus APs that do not support DFS channels in a Smart Mesh configuration. |
Interoperability | non-DFS channels plus channels 52, 56, 58, 60. | Unleashed APs are limited to non-DFS channels, plus four DFS channels supported by Centrino systems (may not be compatible with other wireless NICs). | You have only DFS-capable APs in your network, or Smart Mesh is not enabled, and you are confident that all wireless clients support DFS channels. |
Performance | all DFS/non-DFS channels, including 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140. | Unleashed APs can use all available DFS and non-DFS channels, without regard for compatibility or interoperability | You have only DFS-capable APs in your network, you are not concerned with DFS compatibility of client devices, and you want to make the maximum use of all possible available channels. |
Selecting Performance mode affords the greatest performance, but be aware that some clients may fail to handle DFS channels correctly; for example, Amazon FireTV sticks have issues.
Background Scanning
Client Load Balancing
Band balancing
Radar Avoidance pre-Scanning
Ruckus Wi-Fi access points support Wi-Fi calling which may be of use if you live in a marginal signal area or have a limited cellular plan.
Before Wi-Fi calling can be enabled on a per SSID basis, a cellular provider profile needs creating.
Details of popular cellular providers’ ePDGs (evolved Packet Data Gateways) are listed below. IP addresses can change, so prefer the FQDN from the table below.
Carrier | ePDG endpoint |
---|---|
3HK | wlan.three.com.hk |
AT&T | epdg.epc.att.net |
EE (UK) | edgp.epc.mnc030.mcc234.pub.3gppnetwork.org |
O2 (UK) | edgp.epc.mnc010.mcc234.pub.3gppnetwork.org |
Rogers (Canada) | epdg.epc.mnc720.mcc302.pub.3gppnetwork.org |
SingTel Optus | epdg.epc.mnc002.mcc505.pub.3gppnetwork.org |
SmarTone | epdg.epc.mnc006.mcc454.pub.3gppnetwork.org |
Sprint | primgw.vowifi2.spcsdns.net |
Telstra Mobile | epdg.epc.mnc001.mcc505.pub.3gppnetwork.org |
T-Mobile | ss.epdg.epc.mnc260.mcc310.pub.3gppnetwork.org |
T-Mobile (Certificate Server) | crl.t-mobile.com |
Verizon | wo.vzwwo.com |
Verizon (Femto Cell Unit) | sg.vzwfemto.com |
Vodafone (UK) | epdg.epc.mnc015.mcc234.pub.3gppnetwork.org |
Google Fi | *.3gppnetwork.org |
Additional provider information
Mobile Country Codes (MCC) and Mobile Network Codes (MNC)
Verizon, T-Mobile, AT&T
Navigate to Admin & Services > Services > WiFi-Calling > Profiles.
Create a profile for each cellular service you wish to enable Wi-Fi calling for.
For each required provider, click Create
Click Save & OK
Here’s an example with three profiles added.
Client configuration
Your mobile device will need to be configured to use Wi-Fi calling.
Apple Wi-Fi calling
Android Wi-Fi calling
pfSense firewall configuration
Open firewall ports 500 & 4500 UDP.
Setting a BSS minimum rate provides some advantages in modern Wi-Fi environments.
These settings aren’t currently exposed in the Unleashed GUI, so use the command line to adjust them instead. An SSH-enabled role and user are required to do this.
Navigate to Admin & Services > System > Roles
Create a new role
Navigate to Admin & Services > System > Roles
Create a new user
Using terminal of your choice, log in to your AP with ssh <ip address of access point>
Please login: sshAdmin
Password: <your_password>
Welcome to Ruckus Unleashed Network Command Line Interface
Enter privileged EXEC mode with enable
device> enable
device#
Enter global configuration mode with config
ruckus# config
You have all rights in this mode.
ruckus(config)#
Verify the BSS Minrate of all WLANs with show wlan
show wlan
<snip>
NAME = Ruckus-Wireless
Tx. Rate of Management Frame(2.4GHz) = 2.0Mbps
Tx. Rate of Management Frame(5GHz) = 6.0Mbps
OFDM-Only State = Disabled
BSS Minrate = Disabled
<snip>
NAME = Ruckus-Wireless-Secure
Tx. Rate of Management Frame(2.4GHz) = 2.0Mbps
Tx. Rate of Management Frame(5GHz) = 6.0Mbps
OFDM-Only State = Disabled
BSS Minrate = Disabled
<snip>
NAME = Ruckus-Wireless-Guest
Tx. Rate of Management Frame(2.4GHz) = 2.0Mbps
Tx. Rate of Management Frame(5GHz) = 6.0Mbps
OFDM-Only State = Disabled
BSS Minrate = Disabled
<snip>
Set BSS Minrate for Ruckus-Wireless
Select WLAN Ruckus-Wireless with wlan Ruckus-Wireless
ruckus(config)# wlan Ruckus-Wireless
The WLAN service 'Ruckus-Wireless' has been loaded. To save the WLAN service, type 'end' or 'exit'.
Set ofdm-only mode with ofdm-only
ruckus(config-wlan)# ofdm-only
The mgmt-tx-rate will be set to the same value as bss-minrate due to ofdm-only change.
The command was executed successfully. To save the changes, type 'end' or 'exit'.
Set BSS minrate with bss-minrate 12
If you have a dense AP setup, try with a bss-minrate of 24.
ruckus(config-wlan)# bss-minrate 12
The mgmt-tx-rate will be set to the same value as bss-minrate.
The command was executed successfully. To save the changes, type 'end' or 'exit'.
Exit with end
ruckus(config-wlan)# end
The WLAN service 'Ruckus-Wireless' has been updated and saved.
Repeat for the other WLANs, i.e. Ruckus-Wireless-Secure and Ruckus-Wireless-Guest
Verify BSS Minrate has been updated with show wlan
show wlan
<snip>
NAME = Ruckus-Wireless
Tx. Rate of Management Frame(2.4GHz) = 12.0Mbps
Tx. Rate of Management Frame(5GHz) = 12.0Mbps
OFDM-Only State = Enabled
BSS Minrate = 12.0 Mbps
<snip>
NAME = Ruckus-Wireless-Secure
Tx. Rate of Management Frame(2.4GHz) = 12.0Mbps
Tx. Rate of Management Frame(5GHz) = 12.0Mbps
OFDM-Only State = Enabled
BSS Minrate = 12.0 Mbps
<snip>
NAME = Ruckus-Wireless-Guest
Tx. Rate of Management Frame(2.4GHz) = 12.0Mbps
Tx. Rate of Management Frame(5GHz) = 12.0Mbps
OFDM-Only State = Enabled
BSS Minrate = 12.0 Mbps
<snip>
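The verification step above can be automated when there are many WLANs. The following is an added example, not part of the original guide or Ruckus tooling: it parses saved `show wlan` text and reports WLANs that still lack the settings applied above. The field labels are taken from the output shown in this guide; the sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format shown above: one WLAN configured with
# bss-minrate 12, one left untouched, one configured with bss-minrate 24.
SAMPLE = """\
<snip>
NAME = Ruckus-Wireless
Tx. Rate of Management Frame(2.4GHz) = 12.0Mbps
Tx. Rate of Management Frame(5GHz) = 12.0Mbps
OFDM-Only State = Enabled
BSS Minrate = 12.0 Mbps
<snip>
NAME = Ruckus-Wireless-Secure
Tx. Rate of Management Frame(2.4GHz) = 2.0Mbps
Tx. Rate of Management Frame(5GHz) = 6.0Mbps
OFDM-Only State = Disabled
BSS Minrate = Disabled
<snip>
NAME = Ruckus-Wireless-Guest
Tx. Rate of Management Frame(2.4GHz) = 24.0Mbps
Tx. Rate of Management Frame(5GHz) = 24.0Mbps
OFDM-Only State = Enabled
BSS Minrate = 24.0 Mbps
<snip>
"""


def parse_show_wlan(text):
    """Split 'key = value' lines into one dict per WLAN, starting at each NAME."""
    wlans, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if not sep:
            continue  # '<snip>' markers and anything that is not key = value
        key, value = key.strip(), value.strip()
        if key == "NAME":
            current = {"NAME": value}
            wlans.append(current)
        elif current is not None:
            current[key] = value
    return wlans


def rate_mbps(value):
    """Return the rate as a float, or None for 'Disabled' or a missing field."""
    match = re.fullmatch(r"([\d.]+)\s*Mbps", value)
    return float(match.group(1)) if match else None


def audit(text, min_rate=12.0):
    """Map WLAN name -> list of problems; WLANs with no problems are omitted."""
    findings = {}
    for wlan in parse_show_wlan(text):
        problems = []
        if wlan.get("OFDM-Only State") != "Enabled":
            problems.append("ofdm-only not enabled")
        bss = rate_mbps(wlan.get("BSS Minrate", ""))
        if bss is None:
            problems.append("bss-minrate not set")
        elif bss < min_rate:
            problems.append(f"bss-minrate {bss} below {min_rate}")
        for band in ("2.4GHz", "5GHz"):
            mgmt = rate_mbps(wlan.get(f"Tx. Rate of Management Frame({band})", ""))
            if bss is not None and mgmt != bss:
                problems.append(f"{band} management rate differs from bss-minrate")
        if problems:
            findings[wlan["NAME"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, "->", "; ".join(problems))
```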
Navigate to Access Points, highlight Summary and click Edit
I recommend using only the non-overlapping channels 1, 6 & 11 with a 20MHz channel width. Higher bandwidth requirements are preferably handled on the 5GHz network. I reduce the broadcast power to lower the signal strength of the 2.4GHz band and encourage devices to migrate to the 5GHz channels or adjacent access points.
Radio 2.4Ghz
Providing a recommendation for 5GHz is challenging, especially if using more than two access points, due to the limitation of only 2 non-overlapping 80MHz bands (42 & 155). DFS channels could be a solution if you aren’t affected by RADAR related issues or incompatible clients. Testing is the best strategy. If you do have issues, revert to 40MHz channels, where there are four non-conflicting bands available.
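The channel counts quoted above can be derived from the allowed 20MHz channel lists. The following is an added example, not part of the original guide: it computes which bonded 40MHz and 80MHz channels are usable and picks the widest width that still gives every AP its own channel. The non-DFS list and the 100-140 list come from the optimization table earlier in this guide; including the DFS channels 52-64 in the full list and the function names are assumptions of this example.

```python
# Standard 5 GHz 80 MHz bonding blocks, identified by their lowest 20 MHz
# channel. Channel numbers inside a block are 4 apart (20 MHz each).
BLOCK_STARTS = (36, 52, 100, 116, 132, 149)

# Non-DFS channels as listed for "Compatibility" in the optimization table.
NON_DFS = [36, 40, 44, 48, 149, 153, 157, 161, 165]

# Assumption: "Performance" adds DFS channels 52-64 plus the 100-140 list
# from the same table (144 is not in that list, so it is left out here).
ALL_CHANNELS = sorted(NON_DFS + [52, 56, 60, 64] + list(range(100, 141, 4)))


def bonded_channels(allowed, width_mhz):
    """Centre channels of the given width whose 20 MHz members are all allowed."""
    if width_mhz not in (40, 80):
        raise ValueError("only 40 and 80 MHz bonding is modelled")
    allowed = set(allowed)
    per_group = width_mhz // 20
    centres = []
    for start in BLOCK_STARTS:
        block = [start + 4 * i for i in range(4)]
        for i in range(0, 4, per_group):
            members = block[i:i + per_group]
            # A bonded channel is usable only if every member is permitted.
            if allowed.issuperset(members):
                centres.append(sum(members) // per_group)
    return centres


def widest_width(num_aps, allowed):
    """Widest width giving each AP a distinct channel; falls back to 20 MHz."""
    for width in (80, 40):
        if len(bonded_channels(allowed, width)) >= num_aps:
            return width
    return 20


if __name__ == "__main__":
    for label, chans in (("non-DFS", NON_DFS), ("all", ALL_CHANNELS)):
        print(label, "80MHz:", bonded_channels(chans, 80))
        print(label, "40MHz:", bonded_channels(chans, 40))
    print("3 APs, non-DFS only ->", widest_width(3, NON_DFS), "MHz")
```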
Radio 5Ghz
Model Specific Control
This section configures several WLANs and maps them to the subnets configured in the pfSense baseline guide.
The WPA2 handshake is vulnerable to KRACK attacks. WPA3 fixes this vulnerability and mitigates other problems by using the Dragonfly key exchange (SAE), which provides forward secrecy and resistance to offline decryption when authenticating to a Wi-Fi network. The downside is that not all Wi-Fi devices support WPA3 yet. If you have connectivity issues, revert to WPA2.
Navigate to WiFi networks and click Create
Name: Ruckus-Wireless-Secure
Usage Type: Standard
Authentication Method: Open
Encryption Method: WPA3
SAE Password: something_secure
Accounting Server: Disabled
Unhide Advanced Options
WLAN Priority
Priority: High
Hide SSID:
Access VLAN: 20
Max Clients: 100
Service Schedule: Always on
Access Control
Call Admission Control:
Rate Limit: Disabled
Access Control: No ACL
Application Visibility:
URL Filtering:
Wi-Fi Calling:
Radio Control, Wireless Media Management
Fast BSS Transition, enable 802.11r:
Radio Resource Management, Enable 802.11k Neighbor-list:
Background Scanning:
Load Balancing:
Band Balancing:
802.11d:
Enable WLAN on: All Radios
WiFi 6:
Others
Force DHCP:
Inactivity Timeout: [5]
Isolate wireless client traffic from other clients on the same AP:
Isolate wireless client traffic from all hosts on the same VLAN/subnet:
DTIM Interval: 1
Directed MC/BC Threshold: 1
Client Traffic Logging:
Name: Ruckus-Wireless
Usage Type: Standard
Authentication Method: Open
Encryption Method: WPA3
SAE Password: something_secure
Accounting Server: Disabled
Unhide Advanced Options
WLAN Priority
Priority: High
Hide SSID:
Access VLAN: 30
Max Clients: 100
Service Schedule: Always on
Access Control
Call Admission Control:
Rate Limit: Disabled
Access Control: No ACL
Application Visibility:
URL Filtering:
Wi-Fi Calling:
- Move desired profiles to selected column
Radio Control, Wireless Media Management
Fast BSS Transition, enable 802.11r:
Radio Resource Management, Enable 802.11k Neighbor-list:
Background Scanning:
Load Balancing:
Band Balancing:
802.11d:
Enable WLAN on: All Radios
WiFi 6:
Others
Force DHCP:
Inactivity Timeout: [5]
Isolate wireless client traffic from other clients on the same AP:
Isolate wireless client traffic from all hosts on the same VLAN/subnet:
DTIM Interval: 1
Directed MC/BC Threshold: 1
Client Traffic Logging:
This configuration provides secure access to the guest network (VL40_GUEST) via an SSID password. pfSense is configured to permit broad access to the Internet and limited access to the other local subnets. Although not configured as part of this guide, Ruckus Unleashed supports a Guest Access Service that can provide guest passes via SMS or email.
Navigate to WiFi networks and click Create
Name: Ruckus-Wireless-Guest
Usage Type: Standard
Authentication Method: Open
Encryption Method: WPA3
SAE Password: something_secure
Accounting Server: Disabled
Unhide Advanced Options
WLAN Priority
Priority: High
Hide SSID:
Access VLAN: 40
Max Clients: 100
Service Schedule: Always on
Access Control
Call Admission Control:
Rate Limit: Disabled
Access Control: No ACL
Application Visibility:
URL Filtering:
Wi-Fi Calling:
Radio Control, Wireless Media Management
Fast BSS Transition, enable 802.11r:
Radio Resource Management, Enable 802.11k Neighbor-list:
Background Scanning:
Load Balancing:
Band Balancing:
802.11d:
Enable WLAN on: All Radios
WiFi 6:
Others
Force DHCP:
Inactivity Timeout: [5]
Isolate wireless client traffic from other clients on the same AP:
Isolate wireless client traffic from all hosts on the same VLAN/subnet:
DTIM Interval: 1
Directed MC/BC Threshold: 1
Client Traffic Logging:
Additional access points are trivial to deploy.
Install Unleashed firmware as per the Flash Unleashed firmware section above.
Connect additional access points via Ethernet to the same Layer 2 network.
They will discover the Unleashed Master and join automatically.
The second AP that joins an Unleashed network will automatically assume the role of Standby Master.
Ruckus is actively developing Unleashed and regular updates are made available that address issues or expose new features.
Update by navigating to Admin & Services > Administration > Upgrade and click Check for Updates.
Access points will restart post update.
Verify you can connect to each SSID and access the internet.
Verify performance at a number of locations within your space.
The Ruckus SpeedFlex application is a useful testing tool. Download from Apple and Android.
Enable SpeedFlex testing in the Unleashed user interface.
Navigate to Admin & Services > Administration > Diagnostics > Speedflex Service
Disable your cell phone’s cellular connection. The display will confirm Wi-Fi calling is enabled and active.
Verify the ability to make a regular phone call.
Navigate to Admin & Services > Services > Wi-Fi Calling and verify data shows in user interface
23 December 2021
Baseline guide published