Getting to the internet through (and isolated from) a LAN

TL;DR

  • how to get traffic across an internal network to the internet, while being isolated from it?
  • with minimum setup complexity (ideally a hardware solution)

Details

So I’m currently facing the problem that “we” have two wind generators that need to be connected with a fairly high reliability connection to the internet.
This is so the power grid management can check and control the power output, and the people handling the day to day operations can also check and control.

Current situation

The two wind turbines are connected by a fiber link, and at one end they are connected via satellite. This naturally is very expensive (over 10000 € / year for about 2.5 GB of data per month).

They are also within sight of the premises of one of the stakeholder companies (about 3 km). So we are thinking about connecting them via a PtP radio system (probably Ubiquiti NanoBeam). We are also thinking about using that connection as a hop over to another location that is another 3 km away.

Within the company premises I only have access to the (very small, only 4 PCs and some IP cameras, just a chain of dumb switches really) internal network, which in turn is connected to the internet via normal DSL (with a static IP though).

The actual Question(s)

I want to connect the wind turbines through the network to their own separate connection (with a static IP, probably).
The ideas I have come up with thus far are:

  • using VLANs to route the traffic through the network and its unmanaged switches to just another DSL box
    • I’m not really sure if that even works, and not all that happy about all of it being accessible for any device on that LAN
  • doing basically the same thing but with a VPN inside that network
  • just having the LAN extend to the turbines, where I set up a VPN router that connects to a VPN server somewhere on the internet (are there services for that, or should I just get a VServer for that?)

Ideally the solution should follow the KISS principle and not involve any fragile/complicated software setup, and instead use just normal hardware solutions.

Any comments on the stupidity/practicality of my ideas?
Or even better any suggestions on how you would do it.

About me:

Just to clarify, I am just an electrical engineering student, and although I have a technical diploma in IT (just from “secondary school”, mind you), I don’t have any professional experience and am just helping with this on the side.

I’d imagine that the designers of the system running on the turbines have already taken care of securing access through an untrusted ISP - I don’t see why connecting the turbines to that LAN through a pair of nanobeams or lightbeams should necessarily be any different than connecting it to the internet directly.


Any reason you don’t just install an LTE capable router on these, and use whatever is the local telco in that area?

LTE reliability in the area is abysmal, and normal LTE is behind a NAT on the carrier level, so they not only wouldn’t have a static IP (which their system might be able to work with, not sure yet), they also would have to share an IP with other endpoints, so I couldn’t even guarantee that they are reachable on a specific port.

Oh, and also I want the connection somewhat separate from the local DSL box, so when someone changes or misconfigures (or whatever) that, they don’t get disconnected just because of that. (I know there is still the possibility of someone pulling out the wrong plug, but I’m less worried about that.)

Ok, so a pair of NanoBeams to bring both turbines to the office, and then plug the NanoBeam at the office into something like a GL.iNet X750 that has both LTE and Ethernet WAN support. It can stay connected to both simultaneously and can let you establish any kind of VPN you like from there to anywhere, or from anywhere to it. It even supports WireGuard out of the box, and you can do any kind of port forwarding / firewalling magic you like. That way both DSL and LTE would need to be gone at the office for your turbines to go offline.

Make sure you get some kind of UPS to power the NanoBeam and router. (Really, any kind of OpenWrt-capable router with a USB port for LTE backup would do; not a big deal at all.)

Whoever uses the telemetry from the turbines can tell you if they have any specific networking requirements.


Make notes as you set this up and store them in Google Drive or a private GitHub repo, or email them to yourself, so if you ever need to drop by that office to replace stuff you’ll know how to set things up.

Also, try setting everything up before you get on site and start mounting things in hard to reach places.


Low tech simple config answer:

Old-school VLANs will do the job for you just fine, as long as they alone meet the security standards for your network. The whole point of VLANs is to create a separate Ethernet segment.

You would need to create the VLAN on each switch in the path, make sure it is added to the trunks between the switches in the path to your separate internet connection, set the default gateway to your new router, and you’re done.

There are far more sophisticated and secure ways of doing this depending on your equipment’s features but that will work as intended.
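Putting the OpenWrt/WireGuard suggestion above and this VLAN answer together, here is an OpenWrt UCI configuration sketch for the office-side router; it is added here and is not from any poster. The turbine traffic arrives tagged as VLAN 20 (so the turbine-side device must tag it and the dumb switches must pass tagged frames), lands in its own firewall zone, and is forwarded only into a WireGuard tunnel, never into the office LAN. The VLAN ID, port name, addresses, VPN endpoint and keys are all assumed placeholders.

```uci
# /etc/config/network  (added example; interface names, VLAN ID and addresses are assumed)
config device
	option name 'eth0.20'
	option type '8021q'
	option ifname 'eth0'      # the port the office-side NanoBeam plugs into (assumed)
	option vid '20'           # 802.1Q tag carried across the office switches (assumed)

config interface 'turbine'
	option device 'eth0.20'
	option proto 'static'
	option ipaddr '10.20.0.1'     # router address on the turbine segment (assumed)
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ROUTER_PRIVATE_KEY_PLACEHOLDER'
	list addresses '10.99.0.2/24'

config wireguard_wg0
	option public_key 'VPN_SERVER_PUBLIC_KEY_PLACEHOLDER'
	option endpoint_host 'vpn.example.net'   # the VServer / VPN endpoint (placeholder)
	option endpoint_port '51820'
	option persistent_keepalive '25'         # keeps the NAT mapping open behind DSL or LTE
	list allowed_ips '10.99.0.0/24'
	option route_allowed_ips '1'

# /etc/config/firewall
config zone
	option name 'turbine'
	list network 'turbine'
	option input 'REJECT'     # turbines get no access to the router itself
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vpn'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Only these two forwardings exist; with no 'lan' <-> 'turbine' forwarding,
# office PCs and cameras cannot reach the turbine segment, and vice versa.
config forwarding
	option src 'turbine'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'turbine'
```

The remote side (grid management, day-to-day operators) then reaches the turbines only through the tunnel, and a misconfigured office DSL box cannot expose them, since nothing in the office LAN zone is allowed to forward into the turbine segment.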