To enhance the security of teleworkers operating from home Wi-Fi networks, the remote AP feature enables teleworkers to install access points (APs) that automatically connect to the central office's private network. These remote APs act as VPN clients and establish an IPsec tunnel to the Gateway, ensuring that the traffic from the tunnel mode SSID is protected by IPsec VPN. By adopting this approach, data encryption for teleworker traffic (using GRE over IPsec VPN) is achieved without requiring any additional settings on users' end devices. The following example provides instructions on how to configure Secure Wi-Fi on Nebula, enabling the encryption of traffic from remote sites to the enterprise network.
To verify the capability of Remote AP and check its remote status, you can follow these steps:
Go to: Site-wide -> Devices -> Access points
Set up Secure Wi-Fi on Nebula
Device Registration: The USG FLEX and the AP must be in the same Nebula Site. Remote AP requires a Secure Wi-Fi license assigned to the USG FLEX. The license status can be checked at License & Inventory. To buy a Secure Wi-Fi license, go to the Zyxel Marketplace, then follow the activation steps in: How to Activate Secure WiFi License
Configure AP role as Remote AP and SSID setting
Go to: Site-wide -> Devices -> Access points
Select a specific access point and click "AP Role" to configure the SSID. Wireless clients connecting to this SSID will have access to the central site through an NVGRE tunnel. The security settings for this SSID follow those applied on the SSID settings page. Up to 4 secure tunnel SSIDs can be configured.
Configure the Local SSID setting of each remote AP
Go to: Site-wide -> Devices -> Access points
The local SSID settings are simplified, allowing for up to 2 local SSIDs to be set up. Network administrators must provide an SSID name and may only apply Wi-Fi passwords with WPA2 or WPA3 Personal encryption.
On a remote access point (AP), Storm Control is automatically enabled to prevent excessive broadcast traffic from flooding the wireless segment and affecting both the Gateway and other remote APs. Both the Wireless and Ethernet Storm Control features are automatically activated on the remote AP.
Check the result and what can go wrong?
After the remote AP boots up at the remote site, it automatically establishes the IPsec VPN connection with HQ. The AP and tunnel information is displayed on Nebula at:
Go to: Site-wide -> Monitor -> Firewall -> VPN connections
- Configure all the corresponding settings on the interface before you connect the link.
- The maximum number of remote APs is limited by the device's capability: