Campus Site Router Setup Guide
Multi-building deployment without a VPN on your firewall
Overview
For campuses with multiple buildings (schools, hospitals, corporate parks), we deploy a small pre-configured router on your network that connects all building automation equipment back to our cloud platform. No VPN is configured on your firewall. No inbound connections are opened. Your IT team creates a dedicated VLAN for BAS devices, and our router handles everything else.
How It Works
Your IT team creates a VLAN dedicated to building automation devices across all campus buildings. Our router plugs into that VLAN and acts as the gateway for all BAS devices. It assigns IP addresses, manages the network, and tunnels all traffic through an encrypted outbound connection to our cloud.
What We Install
| Detail | Description |
|---|---|
| Model | MikroTik hEX RB750Gr3 |
| Size | Approximately 4.5" × 3.5" × 1" — about the size of a paperback book |
| Ports used | Port 1 (WAN — internet access), Port 2 (BAS VLAN connection) |
| Power | 24W adapter (included), or 802.3af/at PoE with optional injector |
| Noise | Fanless, silent |
What We Need From You
| Requirement | Details |
|---|---|
| BAS VLAN | A dedicated VLAN for building automation devices, trunked across all buildings with BAS equipment |
| Access port for our router | One untagged (access mode) port on the BAS VLAN where our router plugs in — do not send the VLAN tagged |
| Internet port | One Ethernet port with internet access (separate from the BAS VLAN) for the router's WAN connection |
| BAS devices on the VLAN | All Jace controllers, thermostats, air handlers, and RTUs placed on the BAS VLAN |
- No DHCP server or IP helper — our router handles all IP assignment
- No gateway or SVI (switched virtual interface) — our router is the gateway
- No ACLs or inter-VLAN routing rules — the VLAN just needs layer 2 connectivity
- No DNS or NTP configuration — our router provides these to devices
The BAS VLAN only needs to be a layer 2 broadcast domain connecting our router to the BAS devices. We manage everything else.
Our router becomes the gateway for the BAS VLAN. It assigns IP addresses to all devices via DHCP and routes their traffic through the encrypted tunnel to our cloud. Your IT team does not need to manage device IPs or routing.
Firewall Rules
Your firewall only needs to allow one outbound connection from our router's WAN port:
| Direction | Protocol | Port | Destination | Purpose |
|---|---|---|---|---|
| Outbound | UDP | 51820 | 18.223.58.49 | Encrypted VPN tunnel (WireGuard) |
| Outbound | UDP | 123 | Internet | Time synchronization (NTP) |
If your network uses stateful firewalling (most do), the return traffic is automatically allowed and no additional rules are needed.
Switch Port ACLs or Stateless Firewalls
If the switch port where our router connects has an inbound ACL (common on campus networks), return traffic from our cloud must be explicitly permitted. Without this, the router can send packets out but never receives responses, and the tunnel will not establish.
Our router uses a fixed source port of 13231 for all VPN traffic. The full conversation looks like this:
| Direction | Protocol | Source | Source Port | Destination | Dest Port | Action |
|---|---|---|---|---|---|---|
| Outbound (from router) | UDP | Router IP | 13231 | 18.223.58.49 | 51820 | Allow |
| Inbound (to router) | UDP | 18.223.58.49 | 51820 | Router IP | 13231 | Allow |
How to tell if this is needed: If the router is powered on and has internet access (can browse, can ping other hosts) but the VPN tunnel never connects, a switch port ACL blocking UDP traffic on port 13231 is the most common cause.
Network Isolation
The BAS VLAN is completely isolated from your corporate network:
- BAS devices cannot reach corporate resources — they only talk to our router
- Our router does not route traffic between the BAS VLAN and your corporate network
- All BAS traffic goes through the encrypted tunnel to our cloud or stays local on the VLAN
- Your corporate network sees only one device (our router's WAN port) making one outbound UDP connection
What Your Network Sees
| What Your Network Sees | Details |
|---|---|
| On your corporate network | One device (router WAN port), one IP, one encrypted UDP stream |
| On the BAS VLAN | Our router acts as gateway — assigns IPs and manages all BAS device traffic |
| Cross-VLAN traffic | None — BAS devices cannot reach corporate resources |
| Protocols on your corporate network | None — no STP, LLDP, CDP, OSPF, BGP, or multicast |
| Inbound connections from the internet | None |
Cloud Infrastructure
| Detail | Description |
|---|---|
| Cloud provider | Amazon Web Services (AWS) |
| Region | US East (Ohio) — us-east-2 |
| Encryption | WireGuard VPN — modern, audited, ChaCha20-Poly1305 encryption |
| Authentication | Public/private key pairs (no passwords traverse the network) |
| Static IP | The cloud endpoint has a fixed Elastic IP: 18.223.58.49 |
Frequently Asked Questions
What if we already have IP addresses on our BAS devices?
If your BAS devices are currently on a different VLAN with static IPs, we migrate them one at a time using a coordinated process. This avoids any bulk outage.
How the migration works
- Your team creates the new BAS VLAN and delivers an access port to our router. We verify connectivity before touching any devices.
- We schedule a migration window — typically one hour with one of our engineers and one of your network engineers on a call together.
- We migrate devices one at a time:
- Our engineer connects to a device through the existing solution and changes it from static IP to DHCP. The device loses connectivity at this point.
- Your network engineer moves that device's switch port to the new BAS VLAN.
- The device picks up a new IP from our router via DHCP and reconnects through our tunnel. We confirm connectivity.
- Repeat for the next device.
Each device takes 2–5 minutes. A site with 10 devices typically completes in under an hour. Only the device being migrated is offline at any given time — everything else continues operating normally.
Does this require a VPN on our firewall?
No. Our router handles the encrypted tunnel entirely on its own. Your firewall has no VPN configuration.
Can BAS devices access our corporate network?
No. Our router does not route traffic between the BAS VLAN and your corporate network. BAS devices can only communicate with our cloud platform.
What if we have devices in 10 buildings?
As long as the BAS VLAN is trunked to all buildings, one router handles all of them. Every device on the VLAN gets an IP from our router and connects through the same encrypted tunnel.
What happens if the internet goes down?
BAS devices continue to operate locally. They lose cloud connectivity until internet is restored, at which point the tunnel automatically reconnects. No manual intervention required.
Who manages the router?
We do. The router is pre-configured and managed remotely through the encrypted tunnel. Your IT team does not need to manage, update, or monitor it.
Zero Trust Network Controls (Optional)
For organizations with strict zero-trust security requirements, the campus deployment model gives your IT team full control over BAS network traffic at the switch and firewall level. These are optional hardening measures you can apply to the BAS VLAN.
VLAN Egress ACL
Restrict what the BAS VLAN can reach. Apply an egress ACL on the BAS VLAN interface that permits only:
| Rule | Protocol | Destination | Purpose |
|---|---|---|---|
| Permit | UDP 51820 | 18.223.58.49 | Encrypted tunnel to our cloud |
| Permit | UDP 123 | Any | Time synchronization (NTP) |
| Deny | All | All | Block everything else |
This guarantees the BAS VLAN can only communicate with our cloud endpoint. No lateral movement to corporate resources is possible, even if a device is compromised.
Inter-VLAN Routing Block
Deny all traffic between the BAS VLAN and your corporate VLANs at the Layer 3 switch or firewall. The BAS VLAN should be a dead end — traffic either goes to our cloud or stays local.
DHCP Snooping
Enable DHCP snooping on the BAS VLAN and trust only the port where our router is connected. This prevents rogue DHCP servers and ensures only our router assigns addresses in the 10.50.X.0/24 range.
Port Security / MAC Limiting
Limit MAC addresses on BAS VLAN access ports to known BAS devices. Combined with DHCP snooping, this ensures only authorized equipment can join the VLAN.
IP Source Guard
Bind IP-to-MAC-to-port mappings on the BAS VLAN. This prevents IP spoofing — a device can only use the IP assigned to it by our router's DHCP server.
Static IP Mode (No DHCP)
For maximum control, we can disable DHCP on our router and manage all BAS device IPs as static assignments. In this mode:
- Every device gets a pre-assigned static IP in the
10.50.X.0/24range - No DHCP server runs on the BAS VLAN — unknown devices cannot obtain an address
- Your IT team has a complete inventory of every IP and what device it belongs to
- Combined with port security, only known devices on known ports with known IPs can communicate
We provide and maintain the IP assignment list. This option is ideal for environments that require a documented asset inventory for every connected device.
What This Gives You
- Known IP range: all BAS devices use
10.50.X.0/24only - Known destination: traffic can only reach one cloud IP
- Known protocol: only UDP, no TCP, no inbound
- No lateral movement: BAS VLAN is fully isolated from corporate network
- Full auditability: your firewall logs show exactly what leaves the VLAN
These controls are optional. The deployment works without them. But for organizations that require zero-trust segmentation, this gives your security team verifiable enforcement at your own infrastructure layer.
Questions?
Contact us at any time. We're happy to schedule a call with your IT team to walk through the deployment.