Site Router VPN Setup Guide
Network requirements for your IT team
What We're Installing
A small, pre-configured router (MikroTik hEX RB750Gr3) that connects HVAC controls equipment back to our cloud-hosted management platform. This allows us to securely monitor and control building automation equipment — thermostats, air handlers, rooftop units, and controllers — without requiring any changes to your existing network infrastructure.
| Detail | Description |
|---|---|
| Model | MikroTik hEX RB750Gr3 |
| Size | Approximately 4.5" × 3.5" × 1" — about the size of a paperback book |
| Type | Wired router (not a switch, not a wireless access point) |
| Ports | 5 Gigabit Ethernet — only Port 1 connects to your network |
| Power | 24W adapter (included), or 802.3af/at PoE with optional injector |
| Noise | Fanless, silent |
This is not a switch or hub. It is a dedicated router with its own firewall. It does not participate in your network's switching, spanning tree, VLANs, or routing protocols.
What We Need From You
One Ethernet port with internet access. That's it.
| Requirement | Details |
|---|---|
| Ethernet port | One RJ45 jack — wall port, switch port, or patch panel drop |
| IP assignment | DHCP preferred (static is fine too — let us know the details) |
| Internet access | Standard outbound internet — same as any workstation or IP camera |
Firewall / Outbound Rules
The router establishes a single encrypted tunnel to our cloud. All building automation traffic rides inside this tunnel. Your firewall only needs to allow:
| Direction | Protocol | Port | Destination | Purpose |
|---|---|---|---|---|
| Outbound | UDP | 51820 | 18.223.58.49 | Encrypted VPN tunnel (WireGuard) |
| Outbound | TCP | 443 | Internet | HTTPS — DNS, NTP, initial connectivity |
No inbound ports need to be opened. The router initiates all connections outbound. There is nothing listening on your network that accepts inbound connections from the internet.
Most corporate networks already allow outbound UDP and HTTPS traffic by default. If your firewall uses strict egress filtering, the only addition is outbound UDP 51820 to 18.223.58.49.
What Your Network Sees
From your network's perspective, the router looks like any other single device:
| What Your Network Sees | Details |
|---|---|
| MAC addresses | One (the router's Port 1) |
| IP addresses | One (assigned by your DHCP or static) |
| Traffic | One encrypted UDP stream to a single cloud IP |
| Protocols on your network | None — no STP, LLDP, CDP, OSPF, BGP, or multicast |
| Broadcast traffic | None generated onto your network |
| VLANs | None required — works on any access port or untagged VLAN |
Network Isolation
The HVAC controls equipment (controllers, sensors, etc.) connects to Ports 2–5 on the router, which form a completely separate network from your building LAN. The router provides:
- Its own private IP subnet for connected equipment (not routable from your network)
- Its own DHCP server for connected equipment
- NAT between the equipment network and your WAN port — your network never sees the internal device IPs
- A firewall that blocks all unsolicited inbound traffic from your network to the equipment
```
Your Building Network                    Our Equipment (isolated)
┌──────────────────────┐                 ┌──────────────────────────────┐
│                      │   One cable     │                              │
│  Your switch/jack ───┼────────────────►│ Port 1 (WAN)                 │
│                      │                 │ MikroTik hEX                 │
│  You see:            │                 │ Ports 2-5 (equipment) ──►    │
│  - 1 MAC address     │                 │   HVAC controllers           │
│  - 1 IP address      │                 │   Thermostats                │
│  - 1 UDP stream      │                 │   Air handlers, RTUs         │
│                      │                 │                              │
│  You don't see:      │                 │ All equipment traffic stays  │
│  - HVAC devices      │                 │ here or goes through the     │
│  - Any internal IPs  │                 │ encrypted tunnel to our      │
│                      │                 │ cloud — never touches        │
│                      │                 │ your network                 │
└──────────────────────┘                 └──────────────────────────────┘
```
Cloud Infrastructure
| Detail | Description |
|---|---|
| Cloud provider | Amazon Web Services (AWS) |
| Region | US East (Ohio) — us-east-2 |
| Encryption | WireGuard VPN — modern, audited, ChaCha20-Poly1305 encryption |
| Authentication | Public/private key pairs (no passwords traverse the network) |
| Static IP | The cloud endpoint has a fixed Elastic IP: 18.223.58.49 |
All communication between the site router and our cloud is encrypted end-to-end. The tunnel carries all building automation management traffic including device polling, configuration changes, and alarm data.
Frequently Asked Questions
Does this device need to be in a DMZ?
No. It works on any standard access port with internet access. It initiates all connections outbound.
Will this affect our network performance?
No. Building automation traffic is minimal — typically a few kilobytes per minute for device polling. Comparable to a single workstation browsing the web.
Can we monitor the traffic?
Yes. All traffic from the router exits through Port 1 on your network. You can mirror the switch port or use your firewall's traffic logs. You'll see a single encrypted UDP stream — the contents are not inspectable (by design), but the volume and destination are fully visible.
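As an added example (not part of this guide or any vendor tooling), here is a small Python check your IT team could run over exported firewall or flow logs to confirm the router's egress matches the firewall table above and the single-stream claim in this answer. The router IP, the flow-record format and the sample records are assumed or constructed; the endpoint and ports are the ones from the table.

```python
import re

# Assumed value: whatever address your DHCP server hands the router's Port 1.
ROUTER_IP = "10.20.30.40"
# Fixed WireGuard endpoint and port from the guide's firewall table.
VPN_ENDPOINT = "18.223.58.49"
VPN_PORT = 51820

# Constructed, simplified flow-record format: "<proto> <src>:<sport> > <dst>:<dport> <bytes>".
# Swap this regex for one matching your firewall's or NetFlow exporter's export format.
FLOW_RE = re.compile(
    r"^(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<bytes>\d+)$"
)

def classify(proto, dst, dport):
    """Label one outbound flow from the router against the guide's allowed set."""
    if proto == "udp" and dst == VPN_ENDPOINT and dport == VPN_PORT:
        return "tunnel"        # the single encrypted WireGuard stream
    if proto == "tcp" and dport == 443:
        return "https"         # DNS/NTP/initial connectivity per the guide
    return "unexpected"        # not in the guide's table: worth a closer look

def audit(log_lines):
    """Sum bytes per category for the router's egress and collect flows to investigate."""
    summary = {"tunnel": 0, "https": 0, "unexpected": 0, "flagged": []}
    for line in log_lines:
        m = FLOW_RE.match(line.strip())
        if not m or m["src"] != ROUTER_IP:
            continue           # malformed record, or not the router's traffic
        label = classify(m["proto"], m["dst"], int(m["dport"]))
        summary[label] += int(m["bytes"])
        if label == "unexpected":
            summary["flagged"].append(line.strip())
    return summary

# Constructed sample records; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_LOG = [
    "udp 10.20.30.40:51820 > 18.223.58.49:51820 4096",   # tunnel keepalive/polling
    "tcp 10.20.30.40:50211 > 203.0.113.10:443 1200",     # HTTPS, allowed by the guide
    "udp 10.20.30.40:41000 > 203.0.113.53:53 90",        # plain UDP DNS: not in the table
    "tcp 10.20.30.50:50000 > 203.0.113.10:443 500",      # another host, ignored
    "udp 10.20.30.40:51820 > 18.223.58.49:51820 2048",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))   # byte totals per category plus any flagged flows
```

Anything that lands in `flagged` is traffic the guide does not describe and is worth raising with the vendor before allowing it.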
What if our firewall blocks UDP 51820?
The tunnel won't establish. We can work with your team to add an allow rule for outbound UDP 51820 to 18.223.58.49. This is a single firewall rule.
Do we need to configure anything on our router/firewall?
Only if you have strict outbound filtering. If your network allows general outbound internet access (like for workstations), no changes are needed.
What happens if the internet goes down?
The HVAC equipment continues to operate locally on its own network. Cloud connectivity resumes automatically when the internet connection is restored. No manual intervention is required.
Can we restrict this to a specific VLAN?
Yes. Place the Ethernet port on any VLAN with outbound internet access. The router doesn't care which VLAN it's on — it just needs a path to the internet.
Who manages this device?
We do. The router is pre-configured and managed remotely through the encrypted tunnel. Your IT team does not need to manage, update, or monitor it.
Questions?
Contact us at any time. We're happy to schedule a call with your IT team to walk through the setup.