The Secure WiFi service builds a secure L2 tunnel from work-from-home users to the office, guaranteeing the same security level, user experience, WiFi, and even IP address as in the office, which boosts productivity and eases IT support.
The following appliances and access points currently support secure WiFi:
- Gateways: USG FLEX series, ATP series, VPN series (requires at least firmware 5.00)
- Access points: WAX650S, WAX610D, WAX510D, WAC500, WAC500H (requires at least firmware 6.20)
Compared to the classic "Tunnel Mode", Secure WiFi provides data encryption for remote workers by using "GRE over IPsec VPN".
There is no gateway configuration needed on the remote site.
The maximum number of Remote APs is limited by the following 2 factors on your gateway:
- Max. Number of "Concurrent IPsec VPN Tunnels"
- 50% of the maximum manageable APs of your gateway
1. Manage APs in LAN
Monitor -> Wireless -> AP Information -> AP List -> "Show advanced Settings"
In the Web GUI, we can check if the managed AP supports the "RemoteAP" role.
2. Configure AP role and SSID
Configuration -> Wireless -> AP Management -> Mgnt. AP List
Select the AP where you want to enable the Remote AP role.
Secure Wi-Fi is a per AP setting. First, we need to switch the AP Role to Remote AP via the checkbox.
After that, we can configure up to four Secure Tunnel SSIDs, define which interface the traffic will be tunnelled to, and where to broadcast the traffic.
In the GUI there are two local bridge SSIDs, where traffic won’t be tunnelled back to the Enterprise network.
3. Assign your gateway's "WAN IP" as the AP's "Controller IP"
Configuration -> Wireless -> AP Management -> AP Policy
Please check the box for "Force Override AC IP Config on AP"
If your gateway is set up for Dual WAN, you can add the 2nd public IP to "Secondary Controller
You can also add an FQDN if you, for example, use a DDNS service.
4. Verify the results
Now, the future Remote AP can be disconnected and moved to the remote site. Once it has booted up at the remote site, the AP will automatically establish the IPsec VPN connection with your gateway.
You can check the status here:
Monitor -> VPN Monitor -> Remote AP VPN
Auto Added Config:
After enabling the Remote AP Feature, the following settings will be auto-enabled:
- New Firewall Policy to allow CAPWAP traffic coming from WAN
- A new Subnet (192.168.60.1/24) for the Remote AP VPN Clients
- On the remote AP, Wireless Storm Control is automatically activated in order to avoid huge broadcast traffic flooding from the wireless part to your gateway and to other Remote APs.
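A pre-deployment check for the values used in this guide, as an added example that is not part of the original article or the vendor's tooling: it validates "Controller IP" entries, compares existing gateway subnets with the auto-added 192.168.60.1/24 subnet, and applies the Remote AP limit. The function names, the sample addresses, IPv4-only handling and rounding the 50% limit down are assumptions.

```python
import ipaddress
import re

# Auto-added Remote AP VPN client subnet, as given in this article.
REMOTE_AP_SUBNET = ipaddress.ip_interface("192.168.60.1/24").network
# Ranges a remote AP on the Internet cannot reach directly (private, CGNAT, loopback, link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]
# One hostname label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def max_remote_aps(max_ipsec_tunnels, max_managed_aps):
    """Lower of the article's two limits (rounding 50% down is an assumption)."""
    return min(max_ipsec_tunnels, max_managed_aps // 2)

def classify_controller(value):
    """Classify a "Controller IP" entry: routable-ip, non-routable-ip, fqdn or invalid."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        labels = value.rstrip(".").split(".")
        ok = len(labels) >= 2 and len(value) <= 253 and all(LABEL.fullmatch(lab) for lab in labels)
        # An all-numeric last label is a malformed IP address, not a hostname.
        return "fqdn" if ok and not labels[-1].isdigit() else "invalid"
    return "non-routable-ip" if any(addr in n for n in NON_ROUTABLE) else "routable-ip"

def preflight(controllers, gateway_subnets, planned_aps, max_ipsec_tunnels, max_managed_aps):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for c in controllers:
        kind = classify_controller(c)
        if kind == "invalid":
            findings.append(f"controller {c!r}: not an IPv4 address or FQDN")
        elif kind == "non-routable-ip":
            findings.append(f"controller {c!r}: not directly reachable from a remote site")
    for s in gateway_subnets:
        if ipaddress.ip_network(s, strict=False).overlaps(REMOTE_AP_SUBNET):
            findings.append(f"subnet {s}: overlaps auto-added {REMOTE_AP_SUBNET}")
    limit = max_remote_aps(max_ipsec_tunnels, max_managed_aps)
    if planned_aps > limit:
        findings.append(f"{planned_aps} Remote APs planned, limit is {limit}")
    return findings

if __name__ == "__main__":
    # Constructed sample values (documentation addresses), not taken from a real deployment.
    for finding in preflight(["203.0.113.10", "192.168.1.1", "office.example.net", "10.0.0.256"],
                             ["192.168.1.0/24", "192.168.60.0/25"], 30, 40, 48):
        print(finding)
```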
Secure WiFi requires a separate license.
The Secure WiFi service also unlocks the number of managed APs to the maximum for the ATP/USG FLEX/VPN firewall.
Detailed information about the correct license for your device can be looked up here: