Hello everyone!
I’m part of an engineering competition team at a public university in Brazil, and we’ve recently been allocated a physical space for our project activities. We’re working on setting up a functional and secure technical infrastructure in this space, which involves establishing an internal network to connect our equipment.
I have some knowledge of computer networking but am not very experienced at this level, so I’d appreciate some guidance from those with more expertise.
Here’s the scenario:
We have several workstations running Windows (wired), a Dell server with Windows Server (wired), and we’d like to enable Wi-Fi for laptops and phones. Additionally, we need to connect various equipment to the network, such as storage systems, 3D printers, prototyping tools, thermal chambers, and other specialized devices. This also includes development hardware like microcontrollers and single-board computers.
Current Setup:
- Access Point 1: Directly connected to the server, which is used for remote access (via RDP) and managing license servers for engineering tools like ANSYS and MATLAB/Simulink. The server has two network interfaces—one for internet access and one for internal communication with the MikroTik.
- Access Point 2: Connected to a university-provided router, which must remain in use due to institutional restrictions on MAC address and asset tracking.
Network Requirements:
- Restrict network access to pre-approved devices only.
- Provide secure Wi-Fi access with password protection.
- Implement logging to monitor network activity, including device IP assignments and external traffic destinations.
- Enable remote management of all connected devices via a secure method, ideally through a VPN.
Proposed Solution:
- Use the university-provided router in its bridge mode.
- Introduce a MikroTik router as the main gateway (edge router) for our network. Configure it to:
  - Filter devices based on MAC addresses.
  - Maintain detailed logs of network activity, with The Dude, maybe.
  - Distribute connections to wired devices like PCs and equipment; we may need some switches here.
  - Manage different categories of devices with VLANs.
  - Connect to a dedicated Wi-Fi access point, or replace it with an all-in-one MikroTik device that supports Wi-Fi (a MikroTik hAP ax3 or ax2 at the moment).
- Research and implement a VPN server for secure remote access.
- Configure the PCs to authenticate local logins using accounts managed by the Windows Server.
Questions:
- Is this a viable network architecture, or are there better alternatives?
- Can you recommend any specific hardware for this setup?
- Any advice on setting up the VPN server or integrating user accounts with Windows Server for authentication?
Note: Security and user tracking are our primary concerns due to recent incidents on campus, and we want to ensure our network remains secure against any unauthorized access.
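One way to express the proposed design (VLANs per device class, pre-approved devices via static DHCP leases, egress and lease logging, WireGuard for remote management) as a MikroTik RouterOS v7 configuration; this is an added example, not part of the original post. Interface roles, address ranges, the syslog collector address, the sample MAC address and the WireGuard public key are assumptions or placeholders.

```routeros
# Added example, not from the post. Assumed roles: ether1 = uplink to the
# university router (bridge mode), ether2 = workstations, ether3 = lab
# equipment, ether4 = trunk to a managed switch, 10.99.0.0/24 = VPN clients.
/ip dhcp-client add interface=ether1 disabled=no

# VLAN-aware bridge: each device class lands in its own VLAN
/interface bridge add name=bridge1 vlan-filtering=yes
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=bridge1 interface=ether4 ingress-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether4 untagged=ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether4 untagged=ether3
/interface vlan add name=vlan10-ws interface=bridge1 vlan-id=10
/interface vlan add name=vlan20-lab interface=bridge1 vlan-id=20
/ip address add address=10.10.10.1/24 interface=vlan10-ws
/ip address add address=10.10.20.1/24 interface=vlan20-lab

# "Pre-approved devices only": addresses go only to static leases, and
# arp=reply-only makes the router answer ARP only for hosts it already knows.
# A MAC address can be cloned, so treat this as inventory control, not authentication.
/ip dhcp-server add name=dhcp-ws interface=vlan10-ws address-pool=static-only add-arp=yes lease-time=1d
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
/ip dhcp-server lease add server=dhcp-ws mac-address=00:00:5E:00:53:01 address=10.10.10.11 comment="workstation-01 (placeholder MAC)"
/interface vlan set vlan10-ws arp=reply-only

# Logging: DHCP assignments and firewall log entries to a syslog collector (assumed address)
/system logging action set remote remote=10.10.10.50 remote-port=514
/system logging add topics=dhcp action=remote
/system logging add topics=firewall action=remote

# WireGuard for remote management; one peer entry per admin device
/interface wireguard add name=wg-admin listen-port=13231
/ip address add address=10.99.0.1/24 interface=wg-admin
/interface wireguard peers add interface=wg-admin public-key="<ADMIN-LAPTOP-PUBLIC-KEY-PLACEHOLDER>" allowed-address=10.99.0.2/32 comment="admin laptop"

# NAT to the uplink; every new outbound connection is logged with its destination
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=udp dst-port=13231 action=accept comment="WireGuard"
add chain=input in-interface=ether1 action=drop comment="nothing else from the uplink reaches the router"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=new out-interface=ether1 action=accept log=yes log-prefix="egress"
add chain=forward connection-state=new in-interface=wg-admin action=accept comment="VPN admins reach all VLANs"
add chain=forward action=drop comment="no lab<->workstation traffic unless allowed above"
```

Each additional VLAN gets its own DHCP server with address-pool=static-only and the same arp=reply-only setting; the Wi-Fi SSID can be placed on one of these VLANs so wireless clients fall under the same lease approval and logging.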