In a Meter network, the controller is the central point for information ingress and egress. It routes all traffic between the local area network and the internet (ISP) It orchestrates network security (ACLs) and configuration (Dashboard), access point provisioning, VLAN tagging, and communication between Meter devices and the Meter Cloud.

Meter devices are secured against attacks as best as possible. All ports are blocked by default which means, all traffic not originating from local devices is dropped. Ports can be enabled as needed. 

There are two types of communication that happen on the Meter network:

Access Points (APs) never access the Internet directly, and all traffic from the APs goes through the controller. If an AP is removed from the network, the AP is deactivated, and its identity is deleted.. The AP must be re-provisioned to the specific controllers to become part of the network again.

Controllers are configured with four VLANs by default:

Communication between VLANs can be controlled via ACLs, and customers may configure additional VLANs to meet their needs. All devices on the VLANs have the capability to communicate with each other, ensuring connectivity within the network while maintaining security through access control.

Requests to the API are over a secure WireGuard tunnel using a private key that only lives on the controller. The Meter Cloud API authenticates requests using the controller's public key. The Meter Cloud API does not have access to the controller’s private key.

We store network configuration and general network metrics metadata in the Meter Cloud. Network configuration is also stored on the device as a backup.

Metrics data includes DHCP logs (client IP and MAC addresses, when a client was last seen), Client roaming data (which AP is a client connected to now and which AP was it connected to last), Bandwidth usage (how much bandwidth is each client using), and other wireless client network data (RSSI, packet drops, etc). All of these metrics are available to the customers via our dashboard.

Only admins of your Meter Dashboard can access this data and logs.

All Meter employees use two-factor authentication for all services that support it (email and Github for example), as well as a password manager to ensure strong and random passwords.

In the event of network problems, for debugging and customer service, we access your controller through a secure WireGuard tunnel encrypted via public-key encryption. Secure Shell (SSH) access to the controller is secured with a long (>50 characters) unique password encrypted with SHA-512.

An attacker who gains physical access to the controller may gain access to the data on the controller. You are responsible for securing physical access to the controller.

We do not decrypt any network traffic — it's your private data. Most internet traffic today is made using HTTPS. We do not do MITM (man-in-the-middle / decrypt SSL) to read any of your data nor do we provide a mechanism for the network administrator to do so.