Single static public IP from any WAN source

This kind of requirement comes up quite regularly, and everyone will have their own approach depending on the politics and technical/compliance requirements, but this is what I would do.

  1. Set the default LAN on the BR1 as the volunteer network. Let them connect via its wifi AP or plug in a switch to LAN1 for any volunteer wired device connectivity. They can do what they want on this network pretty much (within the bounds of available bandwidth).
  2. Create a new VLAN, assign it to the LAN2 port, disable inter-VLAN routing and plug the managed secure network VPN router into that port. (The volunteer network users can't even ping this network using this configuration, but even if they could, the only thing they can access is the WAN of the secure router, which will be locked down tight as a drum.)
  3. Create a PepVPN tunnel between the BR1 and either a Cloud Hosted FusionHub (option 1) or a Balance device in the secure HQ/DC (option 2). Set the secure router to send all of its traffic over the PepVPN.
  4. Using either option 1 or 2 presents traffic from the WAN of the secure router from a known static IP (the FusionHub's public IP or the Balance LAN IP in the DMZ), which stays the same no matter how the BR1 is actually connected to the internet.
  5. Since the secure router has a static IP, it can now create its own secure VPN connection over the existing PepVPN connection. All secure devices can be plugged into the LAN of the secure router onboard the vehicle, and only these devices can communicate with the central secure network.
  6. The volunteers can then have full control of the BR1 and manage how it connects to the internet. They can connect to any public wifi hotspot, use cellular or wifi WAN, or plug directly into a landline network connection (if one is available). Once they have connected the BR1 to the internet, the PepVPN connection will come up, then the secure router onboard can create its IPsec tunnel and secure traffic will flow.
  7. If it was me, I would then physically isolate the onboard secure router, likely in a lockable cabinet/comms rack or Peli-style case with a padlock, so that no one can accidentally (or otherwise) plug a volunteer device into the secure router. The onboard secure network is then logically and physically isolated from everything else.
  8. I would also consider a bigger MAX device that supports SpeedFusion Bonding, so that I could enable WAN smoothing and use multiple WAN links at the same time to guarantee the delivery of the IPsec VPN traffic.