How WiFi Works: 802.11 from Radio to Router
Every time you connect a laptop, phone, or IoT sensor to the internet without plugging in a cable, you are using WiFi -- a family of wireless networking protocols defined by the IEEE 802.11 standard. WiFi converts digital data into radio waves, transmits them through the air, and reassembles them at the other end, all in microseconds. Understanding how this works -- from the physics of radio frequency propagation to the cryptographic handshakes that protect your traffic -- reveals an engineering stack every bit as deep as the wired protocols it replaced.
Radio Fundamentals: Frequency, Channels, and Bandwidth
WiFi operates in unlicensed spectrum -- frequency bands that governments allow anyone to use without purchasing a license. Three bands dominate modern WiFi deployments:
- 2.4 GHz (2.400--2.4835 GHz) -- The original WiFi band. It offers excellent range because lower frequencies propagate farther and penetrate walls better. The tradeoff is congestion: Bluetooth, microwave ovens, baby monitors, and millions of other WiFi networks all share this narrow 83.5 MHz slice of spectrum.
- 5 GHz (5.150--5.825 GHz) -- Introduced with 802.11a in 1999. Much more spectrum is available (up to 500 MHz in some regulatory domains), which means more non-overlapping channels and higher throughput. The penalty is shorter range: higher frequencies are absorbed more readily by walls, floors, and human bodies.
- 6 GHz (5.925--7.125 GHz) -- Opened for WiFi by the FCC in 2020 (and progressively by other regulators). This adds up to 1,200 MHz of clean spectrum with no legacy devices to cause interference. Only WiFi 6E (802.11ax) and WiFi 7 (802.11be) devices can use it.
Within each band, the spectrum is divided into channels. In the 2.4 GHz band, channels are 20 MHz wide but spaced only 5 MHz apart, which means adjacent channels overlap and interfere with each other. Only channels 1, 6, and 11 are truly non-overlapping -- this is why you should always pick one of these three when configuring a 2.4 GHz access point. The 5 GHz and 6 GHz bands offer enough room for many non-overlapping 20 MHz channels, and modern standards bond multiple channels together for wider bandwidths: 40 MHz, 80 MHz, 160 MHz, and in WiFi 7, a full 320 MHz.
802.11 Standards Evolution
The 802.11 family has evolved dramatically since its 1997 debut. The Wi-Fi Alliance introduced consumer-friendly generation numbers starting with WiFi 4, but every generation corresponds to an IEEE amendment:
- 802.11b (1999) -- 11 Mbps on 2.4 GHz using DSSS modulation. The first mass-market WiFi standard.
- 802.11a (1999) -- 54 Mbps on 5 GHz using OFDM. Technically superior to 802.11b but more expensive and shorter range, so it saw less adoption.
- 802.11g (2003) -- 54 Mbps on 2.4 GHz using OFDM. Combined the range of 2.4 GHz with the speed of OFDM. Backward-compatible with 802.11b.
- 802.11n / WiFi 4 (2009) -- Up to 600 Mbps. Introduced MIMO (multiple spatial streams using multiple antennas), channel bonding (40 MHz), and frame aggregation. Operated on both 2.4 GHz and 5 GHz.
- 802.11ac / WiFi 5 (2013) -- Up to 6.9 Gbps (theoretical). 5 GHz only. Introduced 80 MHz and 160 MHz channels, 256-QAM modulation, MU-MIMO (downlink only), and beamforming as a standard feature.
- 802.11ax / WiFi 6 and WiFi 6E (2020/2021) -- Up to 9.6 Gbps. The focus shifted from raw peak speed to efficiency in dense environments. Key innovations: OFDMA, uplink MU-MIMO, BSS coloring, Target Wake Time (TWT), and 1024-QAM. WiFi 6E extends 802.11ax into the 6 GHz band.
- 802.11be / WiFi 7 (2024) -- Up to 46 Gbps. Introduces Multi-Link Operation (MLO), 320 MHz channels, 4096-QAM, and multi-AP coordination. The most ambitious leap in WiFi's history.
CSMA/CA: How Devices Share the Air
Unlike wired Ethernet, which uses full-duplex links and switches, WiFi is a shared medium. All devices on a channel share the same radio frequency, and only one device can transmit at a time. The protocol that governs this sharing is CSMA/CA -- Carrier Sense Multiple Access with Collision Avoidance.
Before transmitting, a WiFi device listens to the channel. If the channel is idle for a period called the Distributed Inter-Frame Space (DIFS), the device waits an additional random backoff time (chosen from a contention window) and then transmits. If the channel is busy, the device defers and tries again later. After a successful transmission, the receiver sends an ACK frame after a shorter wait called SIFS (Short Inter-Frame Space). If the sender does not receive an ACK, it assumes a collision occurred and retransmits after a longer random backoff.
This "listen before talk" mechanism is why WiFi is fundamentally half-duplex: a radio cannot transmit and receive on the same frequency at the same time. It also explains why WiFi throughput drops as more devices contend for airtime -- each device must wait its turn, and the overhead of DIFS, backoff, SIFS, and ACK frames consumes a significant fraction of the available airtime.
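The airtime accounting above can be made concrete with a small contention simulation. This is an added example, not code from the article: saturated stations run DIFS, random backoff, data, SIFS and ACK with binary exponential backoff, using 802.11a/g-style timing constants that are assumptions for the sake of the model, so the goodput it reports is a rough figure, not a measurement.

```python
import random

# Timing constants for an OFDM PHY in the 5 GHz band (802.11a/g-style), in microseconds.
SLOT_US = 9
SIFS_US = 16
DIFS_US = SIFS_US + 2 * SLOT_US          # 34 us
CW_MIN, CW_MAX = 15, 1023                # contention window bounds, in slots
PREAMBLE_US = 20                         # PLCP preamble and header
DATA_RATE_MBPS = 54.0
PAYLOAD_BYTES = 1500
ACK_US = PREAMBLE_US + 4                 # 14-byte ACK at a basic rate: about one OFDM symbol


def tx_time_us(nbytes: int, rate_mbps: float = DATA_RATE_MBPS) -> float:
    """Airtime of one frame: fixed preamble plus payload bits at the PHY rate."""
    return PREAMBLE_US + nbytes * 8 / rate_mbps


class Station:
    """A saturated station: it always has a frame queued and follows binary exponential backoff."""

    def __init__(self, rng: random.Random):
        self.rng = rng
        self.cw = CW_MIN
        self.backoff = rng.randint(0, self.cw)

    def on_success(self):
        self.cw = CW_MIN                        # ACK received: window resets
        self.backoff = self.rng.randint(0, self.cw)

    def on_collision(self):
        self.cw = min(2 * self.cw + 1, CW_MAX)  # no ACK: window doubles, up to CWmax
        self.backoff = self.rng.randint(0, self.cw)


def simulate(n_stations: int, n_frames: int = 2000, seed: int = 1):
    """Run CSMA/CA until n_frames are delivered. Returns (goodput_mbps, collision_fraction)."""
    rng = random.Random(seed)
    stations = [Station(rng) for _ in range(n_stations)]
    data_us = tx_time_us(PAYLOAD_BYTES)
    t_us = 0.0
    delivered_bits = successes = attempts = collisions = 0
    while successes < n_frames:
        # Channel idle for DIFS, then every station counts down; the smallest counter wins.
        slots = min(s.backoff for s in stations)
        t_us += DIFS_US + slots * SLOT_US
        winners = [s for s in stations if s.backoff == slots]
        for s in stations:
            if s.backoff > slots:
                s.backoff -= slots              # losers freeze their counter while the medium is busy
        attempts += 1
        # Data frame, SIFS, then ACK (or, after a collision, the equivalent ACK timeout).
        t_us += data_us + SIFS_US + ACK_US
        if len(winners) == 1:
            successes += 1
            delivered_bits += PAYLOAD_BYTES * 8
            winners[0].on_success()
        else:
            collisions += 1
            for s in winners:
                s.on_collision()
    return delivered_bits / t_us, collisions / attempts


if __name__ == "__main__":
    for n in (1, 5, 20, 50):
        mbps, coll = simulate(n)
        print(f"{n:3d} stations: {mbps:5.1f} Mbps goodput, {coll:.0%} of attempts collide")
```

Even a single station never sees the full 54 Mbps, because DIFS, backoff, SIFS and the ACK are paid on every frame; adding stations trades idle backoff time for collisions and retransmissions.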
The Hidden Node Problem
CSMA/CA relies on every device being able to hear every other device. But what if Station A and Station C can both hear the access point but cannot hear each other (because they are on opposite sides of a building)? Both might sense the channel as clear and transmit simultaneously, causing a collision at the AP. This is the hidden node problem.
The solution is the RTS/CTS (Request to Send / Clear to Send) mechanism. Before transmitting a large frame, Station A sends a short RTS frame to the AP. The AP responds with a CTS frame that is heard by all stations in range, including Station C. The CTS includes a duration field that tells everyone else to defer for the specified time. This reserves the channel for Station A without requiring Station C to hear Station A directly.
802.11 Frame Types
WiFi defines three categories of frames, each serving a distinct role in the protocol:
- Management frames -- Used for establishing and maintaining connections. This includes Beacon frames (broadcast by the AP every ~102.4 ms to advertise the network), Probe Request/Response (active scanning), Authentication, Association Request/Response, Deauthentication, and Disassociation. Management frames are critical targets for attackers -- deauthentication attacks, for instance, exploit the fact that these frames were historically unauthenticated.
- Control frames -- Short frames that assist with data delivery: ACK (acknowledging receipt), RTS/CTS (channel reservation), Block ACK (acknowledging multiple frames at once), and CTS-to-Self (a protection mechanism for backward compatibility).
- Data frames -- Carry the actual payload. The 802.11 data frame header includes four address fields (source, destination, BSSID, and optionally a fourth for wireless distribution systems), a duration/ID field used for virtual carrier sensing (NAV), and sequence control for reassembly and duplicate detection. Data frames can be encrypted (and should be, via WPA3/WPA2).
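The header layout described above, as an added example that is not part of the original article: a minimal 802.11 MAC header decoder that classifies frames by type and subtype, resolves the address fields according to the ToDS/FromDS bits, and, on the defensive side, counts deauthentication/disassociation frames per BSSID and sender the way a wireless IDS flags a deauth flood. The frame builder, MAC addresses and threshold are constructed for the example.

```python
import struct
from collections import Counter

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
CTRL_SUBTYPES = {8: "block-ack-req", 9: "block-ack", 11: "rts", 12: "cts", 13: "ack"}


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_header(frame: bytes) -> dict:
    """Decode the 802.11 MAC header: Frame Control, Duration/ID, addresses, Sequence Control."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
            "duration": duration, "protected": bool(flags & 0x40)}
    if ftype == 1:
        # Control frames carry only a receiver address (plus a transmitter address for RTS).
        info["name"] = CTRL_SUBTYPES.get(subtype, f"ctrl-{subtype}")
        info["ra"] = mac(frame[4:10])
        if subtype == 11:
            info["ta"] = mac(frame[10:16])
        return info
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    info.update(seq=seq_ctl >> 4, frag=seq_ctl & 0xF)
    hdr_len = 24
    if ftype == 0:
        info["name"] = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}")
        info.update(da=a1, sa=a2, bssid=a3)
        if subtype in (10, 12):  # disassoc and deauth bodies start with a 2-byte reason code
            info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    else:
        info["name"] = "qos-data" if subtype & 0x8 else "data"
        # Which address is which depends on the ToDS/FromDS bits.
        if to_ds and from_ds:
            info.update(ra=a1, ta=a2, da=a3, sa=mac(frame[24:30]))
            hdr_len += 6                     # fourth address (wireless distribution system)
        elif to_ds:
            info.update(bssid=a1, sa=a2, da=a3)
        elif from_ds:
            info.update(da=a1, bssid=a2, sa=a3)
        else:
            info.update(da=a1, sa=a2, bssid=a3)
        if subtype & 0x8:
            hdr_len += 2                     # QoS Control field
    info["header_len"] = hdr_len
    return info


def mgmt_frame(subtype: int, da: bytes, sa: bytes, bssid: bytes, seq: int, body: bytes = b"") -> bytes:
    """Construct a management frame for testing; real frames come from a monitor-mode capture."""
    return struct.pack("<HH", subtype << 4, 314) + da + sa + bssid + struct.pack("<H", seq << 4) + body


def deauth_sources(frames, threshold: int = 5) -> dict:
    """Defensive check: count deauth/disassoc frames per (BSSID, sender, broadcast?) and return those at or above threshold."""
    counts = Counter()
    for f in frames:
        h = parse_header(f)
        if h["type"] == "management" and h["name"] in ("deauth", "disassoc"):
            counts[(h["bssid"], h["sa"], h["da"] == "ff:ff:ff:ff:ff:ff")] += 1
    return {k: v for k, v in counts.items() if v >= threshold}
```

With 802.11w (Protected Management Frames) enabled, a deauth frame that fails its integrity check is simply dropped by the client, which is the mitigation the counter above only detects.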
Association and Authentication Flow
Before a client (called a station or STA) can send data through an access point, it must complete a multi-step handshake. Here is the sequence for a WPA2/WPA3 Personal network:
- Discovery -- The client either passively listens for Beacon frames or actively sends Probe Requests on each channel. The Beacon/Probe Response contains the SSID, supported data rates, security parameters (the RSN Information Element), and channel information.
- Authentication -- The client sends an Authentication Request to the AP. For Open System authentication (used with WPA2-Personal), this is a formality -- the AP immediately responds with success. For WPA3-Personal (SAE), this step becomes a real cryptographic exchange (discussed below).
- Association -- The client sends an Association Request that includes its supported rates, HT/VHT/HE capabilities, and power management preferences. The AP responds with an Association Response that includes an Association ID (AID) and the negotiated parameters. The client is now associated but not yet authenticated for data transfer.
- 4-Way Handshake -- The EAPOL (Extensible Authentication Protocol over LAN) 4-way handshake derives the session keys (PTK -- Pairwise Transient Key) from the pre-shared key (PSK) or PMK (Pairwise Master Key). Both sides prove they know the password without ever transmitting it. The AP also delivers the Group Temporal Key (GTK) for decrypting broadcast/multicast traffic.
After the 4-way handshake completes, all data frames are encrypted. The client can now communicate through the AP, receive a DHCP lease, resolve ARP queries, and establish TLS connections.
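The key derivation behind the 4-way handshake, as an added example that is not the article's own code: the WPA2-Personal passphrase-to-PMK mapping, the PTK expansion with the sorted MAC addresses and nonces, and the EAPOL-Key MIC that lets each side prove it holds the PMK without sending it. It also makes visible why the PMK is static for a given passphrase and SSID, the property the WPA3 section below discusses. The MAC addresses, nonces, passphrase and SSID are constructed stand-ins; the frame builder is a minimal EAPOL-Key layout for the example.

```python
import hashlib
import hmac

MIC_OFFSET, MIC_LEN = 81, 16   # Key MIC field position inside an EAPOL-Key frame


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds, 256 bits.
    Nothing here is per-session, so the PMK is identical for every client and every connection."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..., truncated to nbytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range((nbytes + 19) // 20))
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(...)).
    Sorting the inputs means both sides get the same key whichever role they play. Returns (KCK, KEK, TK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_key_frame(key_info: int, replay: int, nonce: bytes, key_data: bytes = b"") -> bytes:
    """EAPOL-Key frame (RSN descriptor type 2) with a zeroed MIC; constructed here, not captured."""
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big") + replay.to_bytes(8, "big")
            + nonce + bytes(16) + bytes(8) + bytes(8) + bytes(MIC_LEN) + len(key_data).to_bytes(2, "big") + key_data)
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL version 2, packet type 3 = EAPOL-Key


def sign_eapol(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for AKM 00-0F-AC:2: HMAC-SHA1 with the KCK over the frame with the MIC field zeroed, first 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return frame[:MIC_OFFSET] + hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN] + frame[MIC_OFFSET + MIC_LEN:]


def verify_eapol(kck: bytes, frame: bytes) -> bool:
    expected = sign_eapol(kck, frame)[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(expected, frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def handshake_demo(passphrase: str = "constructed-passphrase", ssid: str = "ExampleNet") -> dict:
    """Message 2 of the 4-way handshake: the client's MIC proves it holds the PMK without sending it."""
    aa, spa = bytes.fromhex("02aabbccdd01"), bytes.fromhex("021122334401")          # constructed AP / client MACs
    anonce, snonce = hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest()  # stand-ins for random nonces
    pmk = wpa2_pmk(passphrase, ssid)
    kck_sta, _, tk_sta = derive_ptk(pmk, aa, spa, anonce, snonce)
    kck_ap, _, tk_ap = derive_ptk(pmk, spa, aa, snonce, anonce)   # AP passes its inputs in the other order
    msg2 = sign_eapol(kck_sta, eapol_key_frame(0x010A, 1, snonce, b"constructed RSN IE"))
    wrong_kck = derive_ptk(wpa2_pmk("not-the-passphrase", ssid), aa, spa, anonce, snonce)[0]
    return {"same_tk": tk_sta == tk_ap,
            "mic_ok": verify_eapol(kck_ap, msg2),
            "wrong_passphrase_ok": verify_eapol(wrong_kck, msg2),
            "tampered_ok": verify_eapol(kck_ap, msg2[:-1] + bytes([msg2[-1] ^ 0x01]))}
```

The nonces make the PTK and TK unique per session, but the PMK they expand is the same every time, which is why a passphrase change is the only way to rotate it.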
WPA3 and the SAE Handshake
WPA2-Personal uses the PSK (Pre-Shared Key) model: the WiFi password is hashed with the SSID to produce a PMK, and the 4-way handshake derives session keys from that PMK. This design has a critical weakness -- an attacker who captures the 4-way handshake can perform an offline dictionary attack against the password. The KRACK attack (2017) further demonstrated vulnerabilities in the WPA2 handshake itself.
WPA3-Personal replaces the simple open-system authentication with SAE (Simultaneous Authentication of Equals), also known as the Dragonfly key exchange. SAE is a password-authenticated key agreement (PAKE) protocol based on elliptic curve cryptography. During the SAE exchange:
- Both the client and AP independently derive a shared secret element on an elliptic curve from the password and MAC addresses.
- They exchange commitments (Commit messages) containing elliptic curve points and scalar values.
- They exchange confirmations (Confirm messages) proving they derived the same shared secret.
- The resulting PMK is unique per session, even if the same password is used.
The critical advantage of SAE is forward secrecy: even if an attacker records the entire exchange and later learns the password, they cannot decrypt past sessions because each session used a unique PMK derived from ephemeral values. SAE also resists offline dictionary attacks -- an attacker who captures the handshake cannot test passwords offline; they must interact with the AP for each guess, making brute-force impractical.
OFDMA: WiFi 6's Biggest Innovation
Prior to WiFi 6, every transmission occupied the entire channel width. If an AP had an 80 MHz channel and a client only needed to send a 100-byte ACK, the entire 80 MHz was used for that tiny payload. This is extraordinarily wasteful in dense environments with many clients sending small packets.
OFDMA (Orthogonal Frequency Division Multiple Access) changes this by dividing a channel into smaller Resource Units (RUs). A 20 MHz channel is composed of 256 subcarriers; OFDMA groups these subcarriers into RUs that can be assigned to different clients simultaneously. A 20 MHz channel can be divided into as many as 9 RUs (26-tone each), allowing the AP to serve up to 9 clients in a single transmission opportunity.
For a 160 MHz channel, the AP can serve up to 74 clients simultaneously. This is transformative for environments like stadiums, conference halls, and dense apartment buildings where hundreds of devices compete for airtime. Instead of each device waiting its turn for the full channel, the AP acts as a scheduler, assigning RUs to clients based on their traffic needs.
OFDMA works in both downlink (AP to clients) and uplink (clients to AP) directions. In uplink OFDMA, the AP sends a Trigger Frame that tells multiple clients exactly when and on which RUs to transmit, effectively synchronizing their uplink transmissions.
MU-MIMO: Spatial Multiplexing to Multiple Users
MU-MIMO (Multi-User Multiple-Input Multiple-Output) allows an AP with multiple antennas to transmit to several clients simultaneously using beamforming -- shaping the radio signal so that distinct data streams are directed toward different clients in different spatial directions.
WiFi 5 introduced MU-MIMO but only for downlink (AP to clients) and only for up to 4 clients. WiFi 6 extends MU-MIMO to 8 clients simultaneously in both downlink and uplink. WiFi 7 further improves this with 16x16 MIMO support.
MU-MIMO and OFDMA are complementary. OFDMA divides the channel in the frequency domain (different subcarriers to different clients), while MU-MIMO divides it in the spatial domain (different antenna patterns to different clients). WiFi 6 and later can combine both techniques -- using OFDMA to assign frequency resources and MU-MIMO to serve multiple clients on each resource unit.
BSS Coloring: Solving the Co-Channel Interference Problem
In dense deployments, multiple access points often share the same channel. Under the traditional rules, a client that hears any transmission on its channel -- even from a distant AP it is not associated with -- must defer. This dramatically reduces throughput because devices spend most of their time waiting for transmissions from networks they do not belong to.
BSS Coloring (where BSS stands for Basic Service Set) assigns a 6-bit "color" identifier to each network. This color is embedded in the PHY header of every frame. When a device detects a frame with a different color (from a different BSS), it can classify it as an inter-BSS frame and, if the signal is weak enough (below the OBSS/PD threshold), ignore it and transmit anyway. This is called Spatial Reuse and can dramatically increase aggregate throughput in dense apartment buildings and office floors.
WiFi 7 (802.11be): The Next Generation
WiFi 7, ratified in 2024, introduces several groundbreaking capabilities:
Multi-Link Operation (MLO)
MLO is WiFi 7's headline feature. A single device can establish connections across multiple bands simultaneously -- for example, using 2.4 GHz, 5 GHz, and 6 GHz links concurrently through a single association. The benefits are substantial:
- Aggregation -- Combine throughput from multiple links for higher total bandwidth
- Low-latency switching -- If one link becomes congested or encounters interference, traffic instantly shifts to another link without reassociation
- Reliability -- Duplicate critical frames across multiple links to ensure delivery
MLO replaces the older band-steering approach (where the AP nudges clients toward 5 GHz) with a fundamentally better architecture where the client uses all available bands as a single logical connection.
320 MHz Channels
WiFi 7 doubles the maximum channel width from 160 MHz to 320 MHz, exclusively in the 6 GHz band where there is enough contiguous spectrum. A 320 MHz channel combined with 4096-QAM and 16 spatial streams yields a theoretical maximum PHY rate of over 46 Gbps.
4096-QAM
WiFi 6 introduced 1024-QAM, where each symbol encodes 10 bits. WiFi 7 pushes this to 4096-QAM (12 bits per symbol), a 20% improvement in data density. The tradeoff is that 4096-QAM requires an extremely clean signal (high SNR), so it only works at close range with minimal interference. In practice, it benefits the devices closest to the AP -- exactly the ones that least need help -- but in dense deployments, every efficiency gain matters.
Mesh Networking
A single access point can only cover so much area. Traditional solutions involved multiple APs connected by Ethernet cables, but running cables is not always practical. Mesh networking solves this by having access points communicate with each other wirelessly, forming a self-healing network where traffic can hop through multiple APs to reach the wired backhaul.
IEEE 802.11s defines the mesh networking standard, but most consumer mesh systems (Google Nest WiFi, Eero, TP-Link Deco) use proprietary implementations. Key concepts:
- Backhaul -- The wireless link between mesh nodes (as opposed to the fronthaul link between a mesh node and a client). Better mesh systems use a dedicated radio for backhaul so that client traffic does not compete with inter-node traffic.
- Path selection -- Mesh nodes determine the best route to the gateway. 802.11s uses HWMP (Hybrid Wireless Mesh Protocol), which combines proactive tree-based routing with reactive on-demand path discovery.
- Self-healing -- If a mesh node fails, other nodes automatically reroute traffic through alternative paths.
WiFi 7's MLO significantly improves mesh performance by allowing a mesh node to use one link for backhaul and another for client-facing traffic simultaneously, without the throughput halving that plagued earlier dual-band mesh systems.
Roaming: 802.11r, 802.11k, and 802.11v
When you walk through a building, your device must switch from one access point to another. Poor roaming causes dropped connections, momentary freezes in video calls, and inconsistent performance. Three 802.11 amendments work together to make roaming seamless:
- 802.11k (Radio Resource Management) -- The AP provides the client with a neighbor report listing nearby APs, their channels, and signal conditions. Without 802.11k, a client performing a roaming scan must scan all channels on all bands -- a process that takes hundreds of milliseconds during which the client cannot send or receive data. With a neighbor report, the client only scans the relevant channels.
- 802.11v (BSS Transition Management) -- The AP can send a BSS Transition Management Request suggesting that the client roam to a specific AP. This is useful when the AP detects that a client's signal has weakened and a neighbor AP would serve it better. The client is not forced to comply, but well-behaved clients honor the suggestion.
- 802.11r (Fast BSS Transition) -- In a normal roam, the client must perform a full 4-way handshake with the new AP, which takes tens of milliseconds. 802.11r pre-distributes key material across APs in the same mobility domain, allowing the client to authenticate with a new AP in just 2 frames (over-the-air fast transition) or even before disassociating from the old AP (over-the-DS fast transition). This reduces roaming time from ~50-300 ms to under 5 ms.
Together, these three amendments enable the kind of seamless roaming that enterprise environments require for VoIP and real-time applications. Consumer mesh systems typically implement all three.
Enterprise WiFi: WPA-Enterprise, RADIUS, and 802.1X
WPA-Personal (PSK) networks share a single password among all users. This is adequate for homes and small offices, but it means anyone who knows the password can decrypt traffic from anyone else (given a captured handshake). It also means revoking access requires changing the password for everyone.
WPA-Enterprise solves this with per-user authentication via 802.1X and a RADIUS (Remote Authentication Dial-In User Service) server. The flow works as follows:
- The client associates with the AP (as before) but does not yet have network access.
- The AP acts as an authenticator, relaying EAP (Extensible Authentication Protocol) messages between the client (supplicant) and the RADIUS server (authentication server).
- The client authenticates using one of several EAP methods:
- EAP-TLS -- Both the client and server present X.509 certificates. The most secure method but requires certificate deployment to every client.
- EAP-PEAP -- The server presents a certificate (establishing a TLS tunnel), and the client authenticates with a username/password inside that tunnel. The most common enterprise method.
- EAP-TTLS -- Similar to PEAP but supports more inner authentication methods.
- If authentication succeeds, the RADIUS server sends a unique PMK to the AP for this client's session.
- The 4-way handshake proceeds as usual, but now using a per-user PMK -- so each client has unique encryption keys.
Enterprise networks gain fine-grained access control (per-user, per-group, per-device policies), per-user encryption (users cannot decrypt each other's traffic), centralized credential management, and VLAN assignment based on user identity. WPA3-Enterprise adds 192-bit security mode (CNSA suite) for government and high-security environments, with mandatory use of GCMP-256 encryption and SHA-384 for key derivation.
WiFi and the Network Stack
WiFi operates at Layer 1 (Physical) and Layer 2 (Data Link) of the OSI model. Once a frame leaves the WiFi layer and enters the wired network through the access point, it becomes a standard Ethernet frame. From there, the device obtains an IP address via DHCP, resolves local addresses with ARP, and establishes encrypted connections with TLS. WiFi is often the first hop on a packet's journey to the public internet -- the point where data transitions from radio waves to copper or fiber before being routed across BGP-connected autonomous systems worldwide.
Understanding WiFi's lower-layer mechanics illuminates why wireless performance varies so much in practice. Channel contention, hidden nodes, interference from neighboring networks, and distance from the AP all introduce variability that simply does not exist on a wired link. Every layer of the WiFi stack -- from radio propagation to CSMA/CA to the SAE handshake -- represents an engineering compromise between speed, range, reliability, and security.