Turning a Problem Deployment Into a Modern MDU Network: A Real-World Redesign Story

https://www.linkedin.com/pulse/turning-problem-deployment-modern-mdu-network-story-de-oliveira-klvre 

A little while ago, I was brought into a recently renovated block of flats that offered a mix of permanent residents and short-term holiday tenants. On paper, the building had been given a “premium” Wi-Fi upgrade during the renovation.

Every apartment had an in-wall access point mounted in the lounge and the building was fed by a 10 Gb internet circuit. Each AP broadcast its own SSID, client isolation was enabled and the investor believed this would provide a fast, secure, apartment-by-apartment wireless service.

It didn’t take long for reality to set in.

A few months after the installation went live, complaints across the complex began to pile up with poor speeds, unstable connections, devices failing to pass traffic and coverage dead zones in almost every bedroom.

That’s when we were called in to perform a health check and help the customer make sense of what had gone wrong.

What We Found During the Health Check

Walking the site, the issues were obvious.

1. RF looked great in the lounges… and nowhere else.

Coverage inside each lounge was strong, but stepping into any bedroom caused a dramatic drop in RSSI for each apartments assigend SSID.

This wasn’t surprising, the APs were placed on lounge walls and every bedroom sat behind several layers of construction and neighbouring apartments.

The moment you stepped out of direct line-of-sight, attenuation stacked quickly.

2. Excessive channel width and transmit power

Every AP was running 5 GHz at 80 MHz wide, coupled with maximum transmit power.

From an RF design perspective, that combination in a high-density MDU is a recipe for chaos:

• 80 MHz channels drastically reduce the number of unique channels available (leading to widespread co-channel contention and OBSS)

• High transmit power forces APs to talk far louder than necessary, “bleeding” into neighbouring apartments.

The result? Dozens of APs could see and hear each other at very usable RSSI levels across floors and adjacent flats. Every apartment effectively contributed to the noise floor of its neighbours.

3. Hundreds of SSIDs on a single /16 network

Each apartment had its own SSID, but all were dropped into one massive flat network. Client isolation on the wireless side was enabled, but every AP’s wired port was left open and those ports weren’t isolated. That meant residents could unknowingly plug something in and become visible to the entire building.

4. No ability to cast or stream between devices in the same flat

The legacy setup broke a fundamental requirement for many tenants: local device discovery. Because everything was in one giant isolated guest network, devices couldn’t discover TVs, smart speakers, or consoles, even inside the same apartment.

The customer was understandably nervous at this point. They were expecting that fixing coverage gaps meant running new cables and installing multiple APs per apartment, which would double their cost.

They also had upcoming requirements for:

• A secure corporate network (gym, office, building management)

• A public guest Wi-Fi service

• A way to keep tenants isolated but still give each flat its own “home network” feel

So we sat down with them for a redesign workshop and walked through how we could transform the deployment rather than rip it out.

The Redesign: Leveraging Proper MDU Architecture

Fortunately, the vendor they had chosen supported two key technologies that completely changed the approach:

• MDU networking, allowing VLAN-per-apartment segmentation

• DPSK (Dynamic PSK) authentication models

These opened the door to a cleaner, scalable design without adding extra APs.

1. One Building-Wide SSID with DPSK

Instead of broadcasting hundreds of individual SSIDs, we deployed a single building-wide SSID named after the property and used DPSK to automate unique per-tenant keys.

Why DPSK?

DPSK creates a unique PSK per user or per apartment while still using one SSID.

This gave us:

• Strong tenant isolation

• Per-apartment VLAN assignment

• No need for 200+ SSIDs

• Cleaner beacon airtime

• Simpler onboarding for non-technical residents

This also allowed all APs in the building to broadcast the same SSID, fixing the bedroom coverage issue through natural roaming, even if the “best” AP radio happened to be the one mounted in the next-door lounge.

2. Per-Apartment VLANs

Instead of a shared /16 network, each apartment received its own dedicated VLAN and DHCP space.

This immediately solved:

• Security concerns

• Cross-tenant visibility

• Wired port isolation

• IP exhaustion and broadcast domain inefficiency

Now, when a tenant joins the SSID with their DPSK, the network dynamically drops them into their apartment’s private VLAN.

3. Wired Port Isolation, Casting and Local Networking

With the new design, the in-wall AP ports inside each lounge were mapped to the tenant’s own VLAN, enabling:

• Chromecast / AirPlay

• Smart speakers

• Consoles

• Home IoT devices

This was a requirement that the previous deployment completely broke despite having the right hardware available.

4. Fixing RF: Channel Width, Power and Contention

We rebuilt the RF plan from scratch:

• 20 MHz channel widths for 5 GHz (best practice for high-density MDUs)

• Controlled transmit power rather than “max power everywhere”

• Redesigned channel reuse across floors

• Removal of unnecessary SSIDs to improve airtime efficiency

This eliminated the co-channel contention that was ruining performance.

5. Public Guest Wi-Fi on the Ground Floor Only

The building also needed a public access guest network, but there was no need for it to cover every apartment.

We deployed it only in communal spaces such as:

• Reception

• Gym

• Lounge areas

• Car park

It lived in its own isolated bandwidth-managed network with captive portal support.

The Outcome

The customer went from being worried about doubling their investment to realising that their existing hardware could be leveraged intelligently with the right design.

They gained:

• Reliable whole-flat coverage without adding additional APs

• Proper tenant isolation using VLANs and DPSK

• Clean RF with far fewer SSIDs and properly tuned radios

• Enabled casting and device discovery within each home

• A building-wide roaming experience

• A fully separated guest Wi-Fi network

• A scalable network foundation for future residents and services

In the end, the building got the high-quality MDU Wi-Fi experience the original renovation was meant to deliver, just designed and implemented properly.

Final Thoughts

MDU environments are some of the most unforgiving spaces for poorly planned Wi-Fi. Apartments are stacked, densely packed, full of RF obstacles and overloaded with consumer devices.

Client isolation, dozens of SSIDs and max-power omnidirectional blasting aren’t solutions, they’re symptoms of a design-first problem.

With the right approach and clean RF, proper segmentation, DPSK and a shared SSID, you can take a challenging deployment and turn it into a streamlined, secure and user-friendly network that feels like a private home network for each resident.