WiFi 6E Triband Cybersecurity Gateway
Project Overview
A US-based cybersecurity company approached Qmax Systems to design and manufacture a WiFi 6E Triband Cybersecurity Gateway for deployment across small and medium-sized enterprises (SMEs) in North America. The product needed to combine a high-performance tri-band WiFi 6E router with an AI-powered network security stack — delivering enterprise-grade threat protection in a compact, easy-to-deploy appliance managed through iOS and Android mobile apps and a cloud-based dashboard.
Qmax Systems delivered the complete product from concept to volume production: hardware design, OpenWRT firmware development, Android and iOS mobile app development, cloud management platform, industrial design, FCC certification, and fulfilment — packaging thousands of units and shipping them directly to the customer's US distribution point. The product has been running in the field for nearly two years with zero reported hardware failures.
Product Brief
The WiFi 6E Triband Cybersecurity Gateway is a compact, wall-mountable security appliance built around the MediaTek MT7986AV quad-core SoC. It operates simultaneously on three WiFi bands — 2.4 GHz, 5.1 GHz, and 5.8 GHz — with 4×4 MU-MIMO on each band, driven by dedicated MediaTek radio chips, and housed entirely within the enclosure using a 12-element internal antenna array with no protruding external antennas.
The unit runs a custom OpenWRT firmware stack enhanced with a multi-layer AI-powered cybersecurity engine: DNS-level threat blocking, IP/domain/URL reputation filtering, network attack prevention, IoT device monitoring, and scam detection — all processed on-device without packet payload inspection. Onboard 4 GB DDR4 and 32 GB eMMC provide the memory footprint for real-time threat intelligence databases. It ships with a UL-certified US power adapter, packed in a custom carton ready for end-user installation, with OTA firmware and security-policy updates fully operational from day one.
Qmax Scope of Work
Qmax Systems executed the entire product lifecycle under one roof, from the first architectural sketch to palletized shipments bound for North America:
- Hardware Architecture — full schematic design and BOM development centred on the MediaTek MT7986AV SoC and WiFi radio ecosystem
- PCB Design — 6-layer impedance-controlled PCB layout covering RF, high-speed DDR4/PCIe, power, and analog design domains
- RF Engineering — 12-antenna tri-band internal array design, antenna placement optimisation, RF isolation between bands, and antenna matching network design
- Prototype & DVT — prototype builds, bring-up, design iterations through DVT (Design Validation Testing) and PVT (Production Validation Testing)
- Firmware (OpenWRT) — U-Boot bootloader porting, Linux kernel and BSP bring-up, WiFi driver integration, cybersecurity stack integration, and throughput optimisation on MT7986AV
- Android Application — native Kotlin app for device setup, real-time security monitoring, threat notifications, parental controls, and OTA management
- iOS Application — native Swift/SwiftUI app with full feature parity to the Android app, passing Apple review on first submission
- Cloud Management Dashboard — web-based fleet management portal with centralised OTA update delivery, threat analytics, and device health monitoring
- WiFi Calibration & Testing — DVT WiFi calibration achieving rated throughput on all three bands; FCC Part 15B certification passed on first regulatory submission; full RoHS compliance
- Manufacturing & Logistics — PVT, mass manufacturing of thousands of units, UL-certified power adapter sourcing, custom packaging design, and cross-border fulfilment to North America
Engineering Challenges
12-antenna internal array in a sealed enclosure
Packing three 4×4 MU-MIMO antenna sets (12 antennas total) inside a compact, antenna-less enclosure required custom antenna layout engineering and RF isolation techniques to prevent inter-band interference while maintaining rated throughput on all three bands
Simultaneous tri-band WiFi 6E throughput
Achieving maximum 802.11ax throughput on 2.4 GHz, 5.1 GHz, and 5.8 GHz simultaneously under real-world multi-user loads demanded careful radio coexistence tuning and OpenWRT scheduler optimisation
SI/PI/EMI on a dense BGA PCB
Routing DDR4 (high-speed memory), PCIe Gen 2, Gigabit Ethernet RGMII, and three RF radio interfaces on a compact 6-layer PCB required meticulous impedance control, layer stack-up planning, and SI/PI analysis
Fanless thermal management in plastic enclosure
The MT7986AV under full WiFi load and security processing generates significant heat; the enclosure and PCB were engineered with thermal via arrays and airflow paths to sustain continuous operation without active cooling
Concurrent security processing without throughput degradation
Running DNS blocking, IP/domain reputation filtering, AI-powered threat detection, and firewall rules simultaneously with high-throughput WiFi routing required hardware NAT offload, kernel flow offload, and multi-core packet-processing tuning
Onboard threat-intelligence database management
Storing, updating, and hot-reloading large blocklists (IPs, domains, URLs) within cost-optimised 32 GB eMMC without service interruption required atomic staging and reload mechanisms in firmware
Dual-platform mobile app with shared backend
Developing and maintaining feature-parity Android and iOS apps, each meeting their respective platform review requirements, while sharing a common REST API backend
Cryptographically signed OTA at scale
Implementing a reliable, RSA-signed OTA update mechanism for firmware and security-policy updates across thousands of deployed field units, with staged rollout and automatic rollback on failure
FCC Part 15B first-submission pass — tri-band device
Achieving FCC certification on the first submission for a device with 12 internal antennas across three simultaneous RF bands required precise antenna placement, controlled impedance routing, and careful EMC management
Mass manufacturing and cross-border logistics
Producing thousands of units on schedule including custom packaging, UL-certified power adapters, and cross-border fulfilment to North America within cost and time targets
Major Hardware Components
MediaTek MT7986AV
Quad-core ARM Cortex-A53 main SoC with integrated Network Processing Unit (NPU), hardware NAT offload, and the processing headroom to run the full cybersecurity stack concurrently with multi-band WiFi routing
MediaTek MT7531AE
5-port Gigabit Ethernet switch providing WAN and LAN ports via RGMII interface to the main SoC
MediaTek MT7976AN
WiFi 6E 5.1 GHz band 4×4 MU-MIMO radio chip connected via PCIe
MediaTek MT7915AN
WiFi 6 5.8 GHz band 4×4 MU-MIMO radio chip connected via PCIe
MediaTek MT7976GN
WiFi 6 2.4 GHz band 4×4 MU-MIMO radio chip connected via PCIe
4 GB DDR4 DRAM
High-speed system memory providing the bandwidth required for simultaneous WiFi packet processing, threat-intelligence lookups, and OpenWRT workloads
32 GB eMMC Flash
Embedded storage (HS400 mode) for OS, firmware, blocklists, security logs, and OTA staging with A/B partition support
USB 3.0 Controller
SuperSpeed host port for external storage or diagnostic interface
12-Element Internal Antenna Array
Custom-designed tri-band antenna set for 4×4 MU-MIMO on all three bands, fully enclosed inside the sealed plastic enclosure with no external protrusions
UL-Certified 12 V DC Power Supply
UL-listed power adapter selected and qualified for US/North American market compliance and bundled with every unit
Major Interfaces & Protocols
Gigabit Ethernet (WAN + LAN)
Via RGMII interface to MT7531AE 5-port Gigabit switch; supports 10/100/1000 Mbps on all ports
Wi-Fi 6E 802.11ax — Triband
Simultaneous 4×4 MU-MIMO on 2.4 GHz, 5.1 GHz, and 5.8 GHz; OFDMA; BSS Colouring; WPA3; Target Wake Time (TWT)
PCIe Gen 2
Internal interconnect between the MT7986AV SoC and the three WiFi radio modules
DDR4
High-speed 64-bit wide memory interface between MT7986AV and system RAM
eMMC (HS400)
Embedded storage interface between SoC and onboard flash for OS and data
USB 3.0
SuperSpeed host port for external storage attachment or diagnostic console
SPI
Bootloader NOR flash and peripheral configuration
I2C
Power management IC (PMIC) control and peripheral sensor communication
UART
Serial debug console for firmware development, bring-up, and factory test
DC Power Jack
12 V DC input; UL-certified power adapter supplied for the US market
Key Firmware & Software Activities
OpenWRT BSP & Platform Bring-up
U-Boot bootloader ported to MT7986AV; Linux kernel configured and brought up with custom device tree covering PCIe (WiFi radios), RGMII (Ethernet switch), USB 3.0, eMMC, SPI, I2C, UART, and GPIO. PMIC sequencing validated.
WiFi Driver Integration & RF Calibration
WiFi drivers integrated for all three bands (MT7976AN, MT7915AN, MT7976GN); per-band RF calibration performed to achieve rated 802.11ax throughput; radio coexistence tuned for simultaneous tri-band operation under full load. FCC Part 15B passed on first regulatory submission.
OpenWRT Performance & Throughput Optimisation
Hardware NAT offload and kernel flow offload enabled; multi-core packet-processing affinity tuned on MT7986AV to sustain maximum WiFi throughput under high concurrent-user loads while running the full security stack — with no measurable latency increase.
Security Stack — Multi-Layer Threat Detection
AI-powered cloud threat intelligence integrated with on-device enforcement across multiple protection layers: DNS-level phishing and malware blocking, IP/domain/URL reputation filtering, network attack prevention (DDoS/brute-force), IoT device traffic monitoring, identity theft detection, and scam detection — all without packet payload inspection.
DNS Security, URL Filtering & Firewall Engine
On-device DNS resolver integrated with continuously updated cloud blocklists; malicious domain queries blocked at resolution time before any connection is established. Domain and IP reputation-based URL blocking enforced at network level. Stateful firewall rules engine with zone-based policy management, connection tracking, and geo-IP blocking.
Threat-Intelligence Database & Secure OTA
Automated pull, cryptographic verification, staging, and atomic hot-reload of IP/domain/URL blocklists to eMMC without service interruption. RSA-signed OTA update engine for firmware and security-policy packages with staged rollout, delta update support, and automatic rollback on failure.
Factory Test Firmware
Automated production-line self-test application written to validate all interfaces: all Ethernet ports, WiFi RF on all three bands, USB enumeration, eMMC read/write, power-rail verification, LED, and button GPIO. Custom test fixture built for rapid in-line testing during manufacture.
Android Application — Security Dashboard & Controls
Native Android app (Kotlin): guided QR-code/mDNS device setup, real-time threat and device dashboard, FCM push notifications for threat alerts and OTA events, parental controls with per-device scheduling, remote firewall rule management, biometric login, and in-app network speed test.
iOS Application — Native App with Feature Parity
Native iOS app (Swift/SwiftUI) with full Android feature parity: guided setup, encrypted REST API dashboard sync, APNs push notifications, iOS Screen Time integration for parental controls, Touch ID/Face ID authentication, and pre-built security policy templates. Passed Apple App Store review on first submission.
Cloud Management Dashboard & Fleet OTA
Web-based portal for IT administrators and MSPs: centralised OTA update scheduling and tracking across the fleet, aggregated threat analytics with trend reporting, per-unit device health monitoring, multi-tenant user and role management (SSO-ready), and REST API for webhook alerting and future SIEM/SOC integrations.
Technical Specifications
Summary
The WiFi 6E Triband Cybersecurity Gateway demonstrates Qmax Systems' end-to-end product development capability — from an architecturally demanding challenge (12 internal antennas across three simultaneous RF bands in a sealed, compact enclosure) through to volume-manufactured units running in SME networks across North America. The project required deep simultaneous expertise across hardware design, RF engineering, OpenWRT firmware development, mobile application engineering (Android and iOS), cloud platform development, regulatory certification, and manufacturing operations.
With thousands of units deployed and zero field failures over nearly two years of continuous operation, the product stands as a flagship reference for Qmax's concept-to-production methodology. The WiFi calibration hitting rated throughput on all three bands and FCC Part 15B certification achieved on the first submission underscore the rigour of Qmax's engineering and testing processes.
The same full-stack capability — hardware architecture, PCB design, RF engineering, OpenWRT firmware, cross-platform mobile apps, cloud platforms, industrial design, certification, and manufacturing — is available to customers bringing connected-security and networking products to market.