How to Set up Remote AP and Configure Secure Wi-Fi to Secure the Wireless Environment on Nebula?

Nebula_Yvonne, Zyxel Employee
edited November 2022 in Other Topics

To make working from home Wi-Fi networks more secure for teleworkers, the Remote AP feature lets teleworkers install APs that automatically connect to the private network of the central office. The Remote AP acts as a VPN client and establishes an IPsec tunnel to the gateway, so the traffic of tunnel mode SSIDs is protected by the IPsec VPN. This approach encrypts the teleworker’s traffic (GRE over IPsec VPN) without any settings on users’ end devices. This example shows how to set up Secure Wi-Fi on Nebula to encrypt the traffic from a station at a remote site to the enterprise network.

Remote AP capability and remote status can be checked at: Access point > Monitor > Access points.

Set up Secure Wi-Fi on Nebula

There are three stages to deploying Secure Wi-Fi on Nebula.

1. Device Registration: The USG FLEX and the AP must be in the same Nebula Site. Remote AP requires a Secure Wi-Fi license assigned to the USG FLEX. The license status can be checked at: Organization-wide > Configure > License & inventory. To buy a Secure Wi-Fi license, go to the Zyxel Marketplace. Then follow the activation steps in: How to Activate Secure WiFi License

2. Device setup on Nebula: Set gateway interfaces, AP Roles and Secure Tunnel on SSIDs.

Configure AP role as Remote AP and SSID setting

Remote AP setting at: Access point > Monitor > Access points. Select the AP and click AP Role to configure the SSID. Wireless clients connected to this SSID can access the central site through the NVGRE tunnel. Wireless security follows the settings applied on the SSID settings page. Up to 4 secure tunnel SSIDs can be set.

Configure Local SSID setting of each remote AP

Remote AP setting at: Access point > Monitor > Access points > [Specific AP]. Traffic from wireless clients connected to this SSID is forwarded normally to the local network of the remote site. Local SSID settings are simplified and independent of the SSID Overview settings, and up to 2 local SSIDs can be set. Network administrators must provide an SSID name and may only apply Wi-Fi passwords with WPA2 or WPA3 Personal.

3. Device Deployment: Deploy APs to teleworkers’ homes; installation by teleworkers is plug-and-play.

On a Remote AP, Storm Control is activated automatically to prevent heavy broadcast traffic from flooding from the wireless side to the Gateway and to other Remote APs. Both Wireless and Ethernet Storm Control are auto-enabled on the Remote AP.

Test the Result

After the Remote AP boots up at the remote site, it automatically establishes the IPsec VPN connection with HQ. AP and tunnel information is displayed on Nebula at: USG FLEX > Monitor > VPN Connection
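To confirm the "GRE over IPsec" claim from the wire as well as from the VPN Connection page, the following added example (not Zyxel code) classifies raw IPv4 packets taken on the WAN side of a Remote AP and flags any GRE/NVGRE seen outside IPsec. It assumes the tunnel appears as ESP (IP protocol 50) or as IKE/NAT-T on UDP 500/4500; the function names, addresses and sample packets are constructed for illustration.

```python
import struct

IKE_PORTS = {500, 4500}  # UDP: IKE and IPsec NAT-Traversal

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet captured on the remote AP's WAN side."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto = pkt[9]
    if proto == 50:
        return "ipsec-esp"
    if proto == 47:                     # GRE/NVGRE outside IPsec: a leak
        return "cleartext-gre"
    if proto == 17 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if sport in IKE_PORTS or dport in IKE_PORTS:
            return "ike-or-nat-t"
    return "other"                      # e.g. management or local SSID traffic

def audit(packets):
    counts = {}
    for p in packets:
        kind = classify(p)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def tunnel_ok(counts):
    """True when IPsec traffic is present and no GRE appears in the clear."""
    protected = counts.get("ipsec-esp", 0) + counts.get("ike-or-nat-t", 0)
    return protected > 0 and counts.get("cleartext-gre", 0) == 0

def ipv4(proto, payload=b""):
    """Constructed IPv4 packet, 192.0.2.10 -> 198.51.100.1, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + payload

def udp(sport, dport):
    """Constructed 8-byte UDP header with no payload."""
    return struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed samples: IKE, NAT-T, ESP, and one unrelated TCP packet.
SAMPLE_GOOD = [ipv4(17, udp(500, 500)), ipv4(17, udp(4500, 4500)),
               ipv4(50, bytes(16)), ipv4(6, bytes(20))]
# Same capture plus one NVGRE frame (GRE key flag, protocol type 0x6558) in the clear.
SAMPLE_LEAK = SAMPLE_GOOD + [ipv4(47, bytes.fromhex("20006558") + bytes(4))]
```

Feed `audit()` the IP-layer bytes of each packet from a capture of the AP's uplink; `tunnel_ok()` returning False with a non-zero `cleartext-gre` count means tunnel SSID traffic is leaving the site unencrypted.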

What can go wrong?

1.   Configure all the corresponding settings on the interface before you connect the link.

2.   The maximum number of Remote APs is limited by the device’s capability: