Recommended settings for Wi-Fi routers and access points
For the best security, performance and reliability, we recommend using these settings for all Wi-Fi routers, base stations or access points used with Apple products.
The information in this article is primarily for network administrators and others who manage their own network. For information about how to join a Wi-Fi network, consult these articles instead:
About Wi-Fi privacy and security warnings
If your Apple device shows a privacy warning or weak-security warning about a Wi-Fi network, such as a warning about a private Wi-Fi address, that network could expose information about your device. If you administer the Wi-Fi network, we recommend you update the settings of your Wi-Fi router to meet or exceed the security standards in this article. If you don’t administer the Wi-Fi network, bring these settings to the attention of the network administrator.
Router settings
To change your router’s settings, update its firmware or change the Wi-Fi password, use the configuration web page or app provided by the router’s manufacturer. For help, consult the router’s documentation, its manufacturer or your network administrator.
Before changing settings, back up your router’s existing settings in case you need to restore them. Also make sure your router’s firmware is up to date, and install the latest software updates for your Apple devices. After changing settings, you may need to forget the network on each device that previously joined the network. The device then uses the router’s new settings when rejoining the network.
To help ensure your Apple devices can connect securely and reliably to your network, apply these settings consistently to each Wi-Fi router and access point, and to each band of a dual-band, tri-band or other multiband router:
Security |
---|
Set to WPA3 Personal for better security, or set to WPA2/WPA3 Transitional for compatibility with older devices. |
The security setting defines the type of authentication and encryption used by your router, and the level of privacy protection for data transmitted over its network. Whichever setting you choose, always set a strong password for joining the network.
WPA3 Personal is the newest, most secure protocol currently available for Wi-Fi devices. It works with all devices that support Wi-Fi 6 (802.11ax), and some older devices too.
WPA2/WPA3 Transitional is a mixed mode that uses WPA3 Personal with devices that support that protocol, while allowing older devices to use WPA2 Personal (AES) instead.
WPA2 Personal (AES) is appropriate when you can't use one of the more secure modes. In that case, also choose AES as the encryption or cipher type, if available.
Weak security settings to avoid on your router
Don't create or join networks that use older, deprecated security protocols. They’re no longer secure, they reduce network reliability and performance, and they cause your device to show a security warning:
WPA/WPA2 mixed modes
WPA Personal
WEP, including WEP Open, WEP Shared, WEP Transitional Security Network or Dynamic WEP (WEP with 802.1X)
TKIP, including any security setting with TKIP in the name
Settings that turn off security, such as None, Open or Unsecured, are also strongly discouraged. Turning off security disables authentication and encryption and allows anyone to join your network, access its shared resources (including printers, computers and smart devices), use your internet connection, and monitor the websites you visit and other data that's transmitted over your network or internet connection. This is a risk even if security has been turned off temporarily or for a guest network.
Network name (SSID) |
---|
Set to a single, unique name (case-sensitive) for all bands. |
The SSID (service set identifier) is the name that your network uses to advertise its presence to other devices. It’s the name that nearby users see on their device’s list of available Wi-Fi networks.
Make sure all routers on your network use the same name for every band they support. If you give your 2.4 GHz, 5 GHz or 6 GHz bands different names, devices may not connect reliably to your network, to all routers on your network or to all available bands of your routers. If your router is providing a Wi-Fi 6E network that isn’t using the same name for all bands, Apple devices that support Wi-Fi 6E will identify the network as having limited compatibility.
Use a name that’s unique to your network. Don't use common names or default names such as linksys, netgear, dlink, wireless or 2wire. Otherwise, devices that join your network will be more likely to encounter other networks that have the same name, and then try to connect to them automatically.
A router can be configured to hide its network name, or SSID. Your router may incorrectly use “closed” to mean hidden, and “broadcast” to mean not hidden.
Hiding the network name doesn't conceal the network from being detected or secure it against unauthorised access. And because of how devices search for and connect to Wi-Fi networks, using a hidden network may expose information that can be used to identify you and the hidden networks you use, such as your home network. When connected to a hidden network, your device may display a privacy warning due to this privacy risk.
To secure access to your network, use the appropriate security setting instead.
MAC address filtering, authentication or access control |
---|
Set to Disabled. |
When this feature is enabled, your router can be set up to only allow devices that have specified media access control (MAC) addresses to join the network. Reasons why you shouldn't rely on this feature to prevent unauthorised access to your network:
It doesn't prevent network observers from monitoring or intercepting traffic on the network.
MAC addresses can easily be copied, spoofed (impersonated) or changed.
To help protect user privacy, some Apple devices use a different MAC address for each Wi-Fi network.
To secure access to your network, use the appropriate security setting instead.
Automatic firmware updates |
---|
Set to Enabled. |
If possible, set your router to install software and firmware updates automatically when they become available. These updates can affect the security settings available to you, and they deliver other important improvements to the stability, performance and security of your router.
Radio mode |
---|
Set to All (preferred), or set to Wi-Fi 2 to Wi-Fi 6 or later. |
Radio mode settings, available separately for 2.4 GHz, 5 GHz and 6GHz bands, control which versions of the Wi-Fi standard the router uses for wireless communication. Newer versions offer better performance and can support more devices concurrently.
It's usually best to enable every mode that's offered by your router, rather than a subset of these modes. All devices, including older devices, can then connect using the fastest radio mode they support. This also helps reduce interference from nearby legacy networks and devices.
Bands |
---|
Enable all bands supported by your router. |
A Wi-Fi band is like a road that data can flow down. More bands provide more data capacity and performance for your network.
Channel |
---|
Set to Auto. |
Each band of your router is divided into multiple, independent communication channels, like different lanes on a road. When channel selection is set to automatic, your router will select the best Wi-Fi channel for you.
If your router doesn't support automatic channel selection, choose whichever channel performs best in your network environment. That varies depending on the Wi-Fi interference in your network environment, which can include interference from other routers and devices that are using the same channel. If you have multiple routers, configure each one to use a different channel, especially if they are close to each other.
Channel width |
---|
Set to 20 MHz for the 2.4 GHz band. Set to Auto or all widths for the 5GHz and 6GHz bands. |
Channel width specifies how large of a "pipe" is available to transfer data. Wider channels are faster but more susceptible to interference, and also more likely to interfere with other devices.
20 MHz for the 2.4 GHz band helps to avoid performance and reliability issues, especially near other Wi-Fi networks and 2.4 GHz devices, including Bluetooth devices.
Auto or all channel widths for 5 GHz and 6 GHz bands ensures the best performance and compatibility with all devices. Wireless interference is less of a concern in these bands.
DHCP |
---|
Set to Enabled if your router is the only DHCP server on the network. |
Dynamic host configuration protocol (DHCP) assigns IP addresses to devices on your network. Each IP address identifies a device on the network and enables it to communicate with other devices on the network and internet. A network device needs an IP address, much like a phone needs a phone number.
Your network should only have one DHCP server. If DHCP is enabled on more than one device, such as on both your cable modem and router, address conflicts may prevent some devices from connecting to the internet or using network resources.
DHCP lease time |
---|
Set to 8 hours for home or office networks. Set to 1 hour for hotspots or guest networks. |
DHCP lease time is the length of time that an IP address assigned to a device is reserved for that device.
Wi-Fi routers usually have a limited number of IP addresses they can assign to devices on the network. If that number is depleted, the router can't assign IP addresses to new devices, preventing those devices from communicating with other devices on the network and internet. Reducing DHCP lease time allows the router to more quickly reclaim and reassign old IP addresses that are no longer being used.
NAT |
---|
Set to Enabled if your router is the only device providing NAT on the network. |
Network address translation (NAT) translates between addresses on the internet and addresses on your network. NAT can be understood by imagining a company's post room, where deliveries to employees at the company's address are directed to employee offices within the building.
You should generally only enable NAT on your router. If NAT is enabled on more than one device, such as on both your cable modem and router, the resulting "double NAT" may cause devices to lose access to certain resources on the network or internet.
WMM |
---|
Set to Enabled. |
WMM (Wi-Fi multimedia) prioritises network traffic to improve the performance of a variety of network applications, such as video and voice. All routers that support Wi-Fi 4 (802.11n) or later should have WMM enabled by default. Disabling WMM can affect the performance and reliability of devices on the network.
DNS server |
---|
Continue using the default DNS server, or specify a different primary or secondary server. |
To easily access websites on the Internet, devices need a DNS (Domain Name System) server to translate domain names (such as apple.com) into IP addresses. By default, your router uses the DNS server of your Internet service provider (ISP). If it’s configured to use a different DNS server, your devices will by default use that server while connected to your router’s network.
If your device warns you that your network is blocking encrypted DNS traffic, you can continue using the configured DNS server, but the names of websites and other servers that your device accesses on the network are unencrypted and therefore could be monitored and recorded by other devices on the network. You can contact your ISP or other DNS provider for more information, but first try these solutions: Make sure your software is up to date and your security setting is configured as recommended. Restart your device. Restart your router. Forget the Wi-Fi network and then rejoin it.
Features that can affect Wi-Fi connections
These features can affect how you set up your router or the devices that connect to it.
Private Wi-Fi Address
If you’re connecting to a Wi-Fi network from an iPhone, iPad, Apple Watch or Apple Vision Pro, find out about using private Wi-Fi addresses on those devices.
Location Services
Make sure your device has Location Services turned on for Wi-Fi networking, because regulations in each country or region define the Wi-Fi channels and wireless signal strength allowed there. Location Services helps to ensure your device can reliably see and connect to nearby devices, and that it performs well when using Wi-Fi or features that rely on Wi-Fi, such as AirPlay or AirDrop.
Mac with macOS Ventura or later
Choose Apple menu > System Settings, then click Privacy & Security in the sidebar.
Click Location Services on the right.
Scroll to the bottom of the list of apps and services, then click the Details button next to System Services.
Turn on "Networking and wireless", then click Done.
Mac with macOS Monterey or earlier
Choose Apple menu > System Preferences, then click Security & Privacy.
Click the
in the corner of the window, then enter your administrator password.In the Privacy tab, select Location Services, then select Enable Location Services.
Scroll to the bottom of the list of apps and services, then click the Details button next to System Services.
Select Networking & Wireless (or Wi-Fi Networking), then click Done.
iPhone, iPad and Apple Vision Pro
Go to Settings > Privacy & Security > Location Services.
Turn on Location Services.
Scroll to the bottom of the list, then tap System Services.
Turn on Networking & Wireless (or Wi-Fi Networking).
Auto-Join when used with wireless network provider Wi-Fi networks
Wireless network provider Wi-Fi networks are public networks set up by your wireless network provider and its partners. Your iPhone or other Apple mobile device will always recognise these as known, managed networks, and it will join them automatically. If you see a privacy warning under the network’s name in Wi-Fi settings, your mobile identity could be exposed if your device were to automatically join a malicious hotspot impersonating that network. To avoid this possibility and prevent your device from joining the network automatically, turn off Auto-Join for that network:
Go to Settings > Wi-Fi.
Tap Edit in the corner of the screen to see the networks known to your device.
Scroll down to the Managed Networks section of the list, which includes your wireless network provider’s public networks. (This section of the list is not editable.)
Tap the
next to the name of a network, then turn off Auto-Join for that network.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.