Site-to-site VPN Wireless Access Point recommendations

Hi Sysadmins,

I’m at a company that has a cloud-based setup for their applications, so far it’s just been using the vendor provided access point at the two sites. But a video security system is getting installed and the recommendation from the vendor is to setup a VPN between the two sites.

I’m a bit out of my depth when it comes to Networking and looking for recommendations on a wireless access point that can setup site-to-site VPN.

So far I found a Meraki MX68CW, looks like it will work well. Any thoughts on this or other recommendations? Other requirements: the manufacturer must be from a North American/European country. Thank you

You only have a WAP at the sites and nothing else? It goes directly to the circuit the ISP provides? If so that’s weird.

Does the documentation actually ask to have a tunnel directly connected to a WAP? If so that’s weird.

You would most likely just have the cameras on their own VLAN/SSID and the IPsec tunnel would be established on the firewall or router, if you don’t have one at the edge of the network at the site. And create a security policy allowing the feeds to their destination.

Does the vendor really want an IPsec tunnel on the WAP? Can you elaborate on the current network?

I don’t know what your performance needs are, but a FortiWifi 60F might do the trick. I would recommend splitting wifi off from the firewall/router, though.

Seems like you want an all-in-one firewall/router/wireless access point that will let you do site-to-site VPN?

Any other requirements? Budget? Availability?

Most firewalls will let you do site-to-site VPN, and a lot of them will also have some extra ports to do routing/switching. Looking for the wifi on top of that really limits your field, so honestly I think the Meraki is a good solution if that’s what you need. I think Fortinet and Sonicwall make wifi-capable firewalls you could check out too.

Some other things to keep in mind:

- Licensing: Meraki devices require a license to operate, and that license must be purchased annually (or you can buy several years up front) to keep the device working. Something to factor into your costs.

- Availability: I hear Meraki devices are on SEVERE backorder, so I hope you don’t need this soon. Check with your seller for more info though.

- Bandwidth: Do both sites have the bandwidth to support whatever you’re sending over that VPN tunnel without bogging down your network? Would suck to buy the equipment and then have to upgrade your internet too.

Normally I would recommend separating wifi and the firewall, but if you need wifi built in there are a few Untangle setups that have wifi built in. Untangle uses OpenVPN or their Tunnel VPN to do site-to-site. Here is one of the wireless appliances: https://www.untangle.com/shop/w4-appliance/

EDIT - Dealing with licensing: when you purchase the appliance they require you to purchase one of the packages, but you can let that expire and they will downgrade you to the free tier, which still allows you to VPN between locations.

So how does the site currently get internet? Typically you would set a site-to-site VPN up between the firewalls on each site.

Yes, only a WAP and nothing else. It’s been cobbled together from a small company and I would like to put in some best practices for a small/medium enterprise.

The documentation is saying that for the security cameras to talk to each other we should have it in a VPN tunnel.

I worked with the vendor and Bosch has a cloud service that allows for the functionality that we’re looking for. However I would still like to get a firewall and non-consumer grade access points for better management.

FortiWifi 60F

That’s a good point, any recommendations on a firewall for a ~50 person site?

There’s no requirement that it’s all in one device. We have about ~50 users max on the site, and I’ll be looking at getting a firewall and some wireless access points that aren’t out of the box from a vendor.

Good point about the licensing. I wasn’t a fan of it due to the extra costs that have to be accounted for yearly.

Availability is a good point. I found some vendors that might have it, but I’m not sure if their sites just have backorders listed as available.

Bandwidth should be good enough for the regular usage and some cameras. I don’t foresee much need for more, but it will depend as the user base grows.

The requirement was that the user could view both camera locations’ active status. I think the tunnel was so when you’re on one site, you could view the other site’s cameras.

Good point about separating the wifi and firewall. An all-in-one appliance seemed easier but I also want to follow some best practices.

Currently the site uses a vendor provided router/WAP. From the other recommendations there should be a separate firewall from the WAP.

Is each site just on a residential ISP? There is no company LAN across sites or anything, right?

Something like an SRX 300 would be simple, but with no experience there is a learning curve. An IPsec tunnel would drive the site traffic back home, and you can do something like a dynamic tunnel if it’s on a residential IP that could change. Another product you could look at is Ubiquiti Networks’ line of products, which have a more consumer-friendly interface.

Vendor as in ISP? Ask them if site-to-site VPN is available. In my experience vendors typically provide that because it’s a basic business requirement. It’s a client VPN that they usually disable or charge for.

SRX 300

It’s basically a static IP from the ISP on a “corporate” service.

There’s no company LAN or anything. I looked into the Ubiquiti stuff, it looks like it has just enough functionality and I know it’s supposed to be easy to use.

I think a port forward is a possibility. I was just reading that it might not be as safe as a VPN.

Juniper command line is really fairly simple once you get into it, but UBNT is kinda a no-brainer… The EdgeRouter Lite is a nice branch-office-size device. Its purpose is what it is. Their “UniFi” line is sort of a hybrid hardware/software UI management that pairs well if you use their APs, cameras etc. I believe they have a self-hosted version of the AP software.

Either way one will need general networking experience to set up the tunnels, security policies, etc.

If I was consulting and being the maintainer for a client I would go SRX; if I was consulting for a business with a few small branch offices to self-manage I would probably go UBNT.
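To make the "cameras on their own VLAN, tunnel on the firewall, policy allowing only the feeds" design from the earlier reply concrete on the SRX 300 mentioned here, below is an added example of the site A side of a route-based IKEv2/IPsec tunnel in Junos set-command form. It is not configuration from anyone in the thread or from a vendor; every interface name, zone name, VLAN ID and address (site A cameras 10.1.20.0/24, site B cameras 10.2.20.0/24, peer WAN 203.0.113.2, WAN port ge-0/0/0) is an assumed placeholder, and the PSK must be replaced with a long random secret. Site B mirrors it with the subnets and peer address swapped.

```junos
# Added example, not from the thread. Site A side of a site-to-site tunnel on a
# Juniper SRX. All names, addresses, VLAN IDs and interface numbers are assumptions.

# 1. Camera VLAN on its own L3 interface and its own security zone
set vlans cameras vlan-id 20 l3-interface irb.20
set interfaces irb unit 20 family inet address 10.1.20.1/24
set security zones security-zone cameras interfaces irb.20

# 2. Tunnel interface in its own zone; the remote camera LAN is routed into it
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 10.2.20.0/24 next-hop st0.0

# 3. IKEv2 phase 1 with a pre-shared key (placeholder) and current algorithms
set security ike proposal cam-ike-prop authentication-method pre-shared-keys
set security ike proposal cam-ike-prop dh-group group14
set security ike proposal cam-ike-prop authentication-algorithm sha-256
set security ike proposal cam-ike-prop encryption-algorithm aes-256-cbc
set security ike policy cam-ike-pol proposals cam-ike-prop
set security ike policy cam-ike-pol pre-shared-key ascii-text "REPLACE-WITH-LONG-RANDOM-PSK"
set security ike gateway cam-gw ike-policy cam-ike-pol
set security ike gateway cam-gw address 203.0.113.2
set security ike gateway cam-gw external-interface ge-0/0/0.0
set security ike gateway cam-gw version v2-only

# 4. ESP with AES-GCM and perfect forward secrecy, bound to st0.0
set security ipsec proposal cam-ipsec-prop protocol esp
set security ipsec proposal cam-ipsec-prop encryption-algorithm aes-256-gcm
set security ipsec policy cam-ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy cam-ipsec-pol proposals cam-ipsec-prop
set security ipsec vpn cam-vpn bind-interface st0.0
set security ipsec vpn cam-vpn ike gateway cam-gw
set security ipsec vpn cam-vpn ike ipsec-policy cam-ipsec-pol
set security ipsec vpn cam-vpn establish-tunnels immediately

# 5. The only flows the tunnel should carry: camera subnet <-> camera subnet.
#    Tighten "application any" to the camera vendor's ports once they are known.
set security address-book global address cam-lan-a 10.1.20.0/24
set security address-book global address cam-lan-b 10.2.20.0/24
set security policies from-zone cameras to-zone vpn policy cams-out match source-address cam-lan-a
set security policies from-zone cameras to-zone vpn policy cams-out match destination-address cam-lan-b
set security policies from-zone cameras to-zone vpn policy cams-out match application any
set security policies from-zone cameras to-zone vpn policy cams-out then permit
set security policies from-zone vpn to-zone cameras policy cams-in match source-address cam-lan-b
set security policies from-zone vpn to-zone cameras policy cams-in match destination-address cam-lan-a
set security policies from-zone vpn to-zone cameras policy cams-in match application any
set security policies from-zone vpn to-zone cameras policy cams-in then permit
# No policy exists from zone vpn to the user/trust zone, so inter-zone traffic
# arriving over the tunnel that is not camera-to-camera is dropped by default.

# 6. Operational-mode checks after commit
#   show security ike security-associations
#   show security ipsec security-associations
#   show security flow session destination-prefix 10.2.20.0/24
```

The point this layout makes, versus a port forward or a tunnel on the access point, is that the cameras never get a public listener and the tunnel lands in a zone of its own: the two explicit policies are the whole allowed surface, and the user VLAN at either site is unreachable from the tunnel unless someone deliberately adds a third policy.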