Campus Site Router Setup Guide
Multi-building deployment without a VPN on your firewall
Overview
For campuses with multiple buildings (schools, hospitals, corporate parks), we deploy a small pre-configured router on your network that connects all building automation equipment back to our cloud platform. No VPN is configured on your firewall. No inbound connections are opened. Your IT team creates a dedicated VLAN for BAS devices, and our router handles everything else.
How It Works
Your IT team creates a VLAN dedicated to building automation devices across all campus buildings. Our router plugs into that VLAN and acts as the gateway for all BAS devices. It assigns IP addresses, manages the network, and tunnels all traffic through an encrypted outbound connection to our cloud.
What We Install
| Detail | Description |
|---|---|
| Model | MikroTik hEX RB750Gr3 |
| Size | Approximately 4.5" × 3.5" × 1" — about the size of a paperback book |
| Ports used | Port 1 (WAN — internet access), Port 2 (BAS VLAN connection) |
| Power | 24W adapter (included), or 802.3af/at PoE with optional injector |
| Noise | Fanless, silent |
What We Need From You
| Requirement | Details |
|---|---|
| BAS VLAN | A dedicated VLAN for building automation devices, trunked across all buildings with BAS equipment |
| Access port for our router | One untagged (access mode) port on the BAS VLAN where our router plugs in — do not send the VLAN tagged |
| Internet port | One Ethernet port with internet access (separate from the BAS VLAN) for the router's WAN connection |
| BAS devices on the VLAN | All Jace controllers, thermostats, air handlers, and RTUs placed on the BAS VLAN |
Our router becomes the gateway for the BAS VLAN. It assigns IP addresses to all devices via DHCP and routes their traffic through the encrypted tunnel to our cloud. Your IT team does not need to manage device IPs or routing.
Firewall Rules
Your firewall only needs to allow one outbound connection from our router's WAN port:
| Direction | Protocol | Port | Destination | Purpose |
|---|---|---|---|---|
| Outbound | UDP | 51820 | 18.223.58.49 | Encrypted VPN tunnel (WireGuard) |
| Outbound | TCP | 443 | Internet | HTTPS — DNS, NTP, initial connectivity |
No inbound ports need to be opened. No VPN is configured on your firewall. The router initiates all connections outbound.
Network Isolation
The BAS VLAN is completely isolated from your corporate network:
- BAS devices cannot reach corporate resources — they only talk to our router
- Our router does not route traffic between the BAS VLAN and your corporate network
- All BAS traffic goes through the encrypted tunnel to our cloud or stays local on the VLAN
- Your corporate network sees only one device (our router's WAN port) making one outbound UDP connection
What Your Network Sees
| Location | Details |
|---|---|
| On your corporate network | One device (router WAN port), one IP, one encrypted UDP stream |
| On the BAS VLAN | Our router acts as gateway — assigns IPs and manages all BAS device traffic |
| Cross-VLAN traffic | None — BAS devices cannot reach corporate resources |
| Protocols on your corporate network | None — no STP, LLDP, CDP, OSPF, BGP, or multicast |
| Inbound connections from the internet | None |
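The Firewall Rules, Network Isolation and What Your Network Sees sections together describe a small, checkable contract: the router's WAN address makes one UDP stream to 18.223.58.49:51820 plus HTTPS to the internet, never reaches corporate addresses, and never accepts inbound sessions from the internet. The following script is an added example (not the vendor's tooling, and not code from this guide) that a campus IT team could run over exported firewall logs to confirm that contract holds. The key=value log format, the router WAN address 10.20.0.50 and the corporate subnets are assumptions made for illustration; the sample log lines are constructed, not captured traffic.

```python
"""Audit what the corporate firewall sees from the BAS router's WAN port.

Added example. The log format, subnets and router WAN address below are
assumptions chosen for illustration, not values from any real deployment.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Assumed addressing (hypothetical, chosen for this example):
ROUTER_WAN_IP = ipaddress.ip_address("10.20.0.50")        # router's WAN port
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),     # treated as "internal"
                  ipaddress.ip_network("192.168.0.0/16")]

# From the Firewall Rules table in this guide:
WIREGUARD_ENDPOINT = ipaddress.ip_address("18.223.58.49")
WIREGUARD_PORT = 51820
HTTPS_PORT = 443

# Assumed key=value firewall log format (constructed for this example).
LOG_RE = re.compile(
    r"(?P<action>allow|deny) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    action: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow | None:
    """Return a Flow for a recognised log line, None for anything else."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return Flow(m["action"], ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]), m["proto"].lower(), int(m["dport"]))


def is_corporate(ip) -> bool:
    """True if the address falls inside one of the assumed corporate subnets."""
    return any(ip in net for net in CORPORATE_NETS)


def check(flow: Flow) -> str | None:
    """Return a reason string if the flow contradicts the guide, else None."""
    if flow.src == ROUTER_WAN_IP:
        if (flow.proto == "udp" and flow.dst == WIREGUARD_ENDPOINT
                and flow.dport == WIREGUARD_PORT):
            return None                      # the expected WireGuard tunnel
        if (flow.proto == "tcp" and flow.dport == HTTPS_PORT
                and not is_corporate(flow.dst)):
            return None                      # HTTPS to the internet, per the table
        if is_corporate(flow.dst):
            return "router WAN port reaching a corporate address"
        return "router WAN port using an unexpected protocol, port or destination"
    if flow.dst == ROUTER_WAN_IP and not is_corporate(flow.src):
        return "inbound session from the internet to the router WAN port"
    return None                              # flow does not involve the router


def audit(lines) -> list[tuple[int, str, str]]:
    """Run check() over log lines; return (1-based line no., action, reason)."""
    findings = []
    for n, line in enumerate(lines, start=1):
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = check(flow)
        if reason is not None:
            findings.append((n, flow.action, reason))
    return findings


# Constructed sample log lines (not real traffic), one flow per line.
SAMPLE_LOG = [
    "2025-01-15T08:00:01Z fw allow src=10.20.0.50 dst=18.223.58.49 proto=udp dport=51820",
    "2025-01-15T08:00:02Z fw allow src=10.20.0.50 dst=198.51.100.40 proto=tcp dport=443",
    "2025-01-15T08:00:03Z fw allow src=10.20.0.50 dst=10.1.5.20 proto=tcp dport=445",
    "2025-01-15T08:00:04Z fw allow src=203.0.113.9 dst=10.20.0.50 proto=tcp dport=22",
    "2025-01-15T08:00:05Z fw allow src=10.1.5.21 dst=10.1.5.22 proto=tcp dport=443",
    "2025-01-15T08:00:06Z fw deny src=10.20.0.50 dst=203.0.113.77 proto=udp dport=51820",
]

if __name__ == "__main__":
    for n, action, reason in audit(SAMPLE_LOG):
        print(f"line {n} [{action}]: {reason}")
```

On the constructed sample, lines 1, 2 and 5 pass and lines 3, 4 and 6 are reported: a router-to-corporate session, an inbound session to the WAN port, and a UDP/51820 attempt toward an address other than the documented endpoint. Denied flows are reported as well as allowed ones, since a blocked attempt that contradicts the guide is worth a question to the vendor even though the firewall stopped it.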
Cloud Infrastructure
| Detail | Description |
|---|---|
| Cloud provider | Amazon Web Services (AWS) |
| Region | US East (Ohio) — us-east-2 |
| Encryption | WireGuard VPN — modern, audited, ChaCha20-Poly1305 encryption |
| Authentication | Public/private key pairs (no passwords traverse the network) |
| Static IP | The cloud endpoint has a fixed Elastic IP: 18.223.58.49 |
Frequently Asked Questions
Does this require a VPN on our firewall?
No. Our router handles the encrypted tunnel entirely on its own. Your firewall has no VPN configuration.
Can BAS devices access our corporate network?
No. Our router does not route traffic between the BAS VLAN and your corporate network. BAS devices can only communicate with our cloud platform.
What if we have devices in 10 buildings?
As long as the BAS VLAN is trunked to all buildings, one router handles all of them. Every device on the VLAN gets an IP from our router and connects through the same encrypted tunnel.
What happens if the internet goes down?
BAS devices continue to operate locally. They lose cloud connectivity until internet access is restored, at which point the tunnel automatically reconnects. No manual intervention is required.
Who manages the router?
We do. The router is pre-configured and managed remotely through the encrypted tunnel. Your IT team does not need to manage, update, or monitor it.
What if we already have IP addresses on our BAS devices?
If your devices already have static IPs on a different subnet, we can work with your team on a transition plan. The simplest approach is to let our router assign new addresses via DHCP when devices are moved to the BAS VLAN.
Questions?
Contact us at any time. We're happy to schedule a call with your IT team to walk through the deployment.