Install & Configure UA-800 Series

This scenario represents a typical router/CPE deployment with a single SIM as the backup to the primary WAN, plus wireless with a hotspot for mobile users.

Use Cases
  • Enterprises requiring resilient WAN/Internet connection
  • Service providers, to deploy SD-WAN to replace MPLS and manage remote CPEs
  • Backhaul large IoT deployment
  • SD-WAN deployment for remote branches, retail outlets, logistics smart lockers or bank ATM
  • Transport, to offer ‘Wi-Fi on the go’
Image 1 : Dual WAN Simple Failover

Understand UA Internal Architecture

  • Can use any type of WAN connection (e.g. fiber, PPPoE, ISP ONT/modem)
  • Can use SIM cards from same or different providers for LTE
  • WAN is the primary, LTEs are used as backup.
  • Built-in wireless for Wi-Fi user.

Image 2 : VLANs reference diagram

Configure UA With RansNet mfusion cloud

Prerequisites

  • Internet connection from ISP link ONT or modem to the UA WAN port.
  • A mobile operator SIM card.
  • PC with ‘LAN port network setting‘ configured as
  • Know your mfusion cloud login credentials and Register the Device (UA).
  • UA upgraded with latest firmware. (Optional)

NOTE

Firmware upgrade is not required for the newly shipped UA/HSA.

Procedures

In this scenario, the user will configure:

  • Step 1 – Physical Connectivity of UA
  • Step 2 – Add and Provision UA to mfusion cloud
  • Step 3 – Creating VLANs
  • Step 4 – Assign VLAN as Switchport
  • Step 5 – Configure VLANs as Trunkport.
  • Step 6 – Configure Wireless and SSID.
  • Step 7 – Configure 5G and Multi-WAN (Failover/Load balancing)
  • Step 8 – Configure Firewall Rules
  • Step 9 – Configure UA with HSG Captive Portal

Step 1 – Physical Installation of UA

  • Connect a UTP Cable from ISP Router / Modem to UA/HSA WAN port
    • The UA/HSA WAN port is configured as DHCP client by default
  • Insert the operator SIM to UA/HSA slot SIM1 as shown in Image 1 below.

Image 1: Insert SIM to UA SIM slot

NOTE

A reboot is required after inserting the SIM.

  • Install the Wi-Fi and 5G antennas
  • Connect the PC to any LAN port of UA.
    • The UA LAN ports are mapped to VLAN-1 and configured as DHCP server.
    • The LAN port needs to be configured to Auto obtain IP.
    • The PC gets an IP from 192.168.8.0 network with /24 subnet with internet access.

Step 2 – Add and Provision UA to mfusion cloud

  • Browse to RansNet mfusion cloud ( https://portal.ransnet.com/ ) / RansNet on-premises mfusion to access the Management Portal.
    • Login with the mfusion credential.
  • Add the UA as an SD-WAN device. See link Add New Gateway
  • Click on the MAC address under the Remote column to configure the relevant UA

Step 3 – Creating VLANs

In this section, the user will learn to create VLANs and assign them as ‘Switchport’ / ‘Trunk port’. The user can create ‘VLAN-10’ as a Switchport, and ‘VLAN-21’ and ‘VLAN-22’ as Trunk ports.

New VLANs

  • Add a new VLAN interface by navigating to the ‘MFUSION CLOUD > Orchestration > SDWAN Edge’ tab. See link New VLAN Interface.

Step 4 – Assign VLAN as Switchport

Map the Switchport of port 1 to VLAN10 as per below settings and save.

Step 5 – Configure VLANs as Trunkport.

Image 4 : New VLAN setting as Trunk port

Configure New VLAN settings as per below table and save.

| S/N | Sections | Fields | Value | Remarks |
|---|---|---|---|---|
| 01 | New/Edit VLAN | | | |
| 1.1 | | Physical 802.1q Trunking Interface | eth1 | It creates the VLAN interface (Logical Interface) under physical interface. |
| 1.2 | | VLAN ID | vlan21 | The VLAN interface-id |
| 1.3 | | Admin Status | Enable | This enables the status of the VLAN interface. |
| 1.4 | | IP Address/Netmask | 192.168.21.1/24 | This sets the VLAN interface IP/Subnet |
| 1.5 | | Optional Settings | Description = “VLAN-21 tagged to port 2” | |
| 02 | DHCP Server | | | |
| 2.1 | | Client Default Gateway | 192.168.21.1 | The Client device’s Default gateway point to VLAN IP address. |
| 2.2 | | Client DHCP Pool Range | 192.168.21.2 – 192.168.21.254 | Issues IP Address to device from defined pool |
| 2.3 | | Optional Settings | DNS Server = 8.8.8.8, 8.8.4.4 | All users to access internet. |

Table 4 : Parameters to configure New VLAN Interface – UA

  • Create the other two VLANs (VLAN-22)
    • VLAN22: Trunk Interface – eth1 | IP address – 192.168.22.1/24 | Description – “VLAN-22 tagged to port 2” & DHCP Settings

Step 6 – Enable Wireless and SSID

In this section, the user will learn to enable Wi-Fi and broadcast two SSIDs through the UA. Both radios (2.4 GHz and 5 GHz) will be configured with the channel, SSID name, encryption type, the network mapped to each SSID, etc.

The user can create a Global Wireless Template (See link Global Wireless Template) and map it to the UA, or create the same wireless configuration in the UA network settings (Wireless menu) by following the steps below.

Image 5 :
  • Enable Radio 2.4Ghz and 5Ghz as per below settings
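
| S/N | Section | Fields | Values | Remarks |
|---|---|---|---|---|
| 01 | Radio0 (2.4Ghz) | Channel | Auto | |
| | | Country | Singapore | |
| | | Power | 23dbm | |
| 02 | Radio1 (5Ghz) | Channel | Auto | |
| | | Country | Singapore | |
| | | Power | 27dbm | |

Table 2 :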

  • Configure the new wireless SSIDs (Guest and Staff) as per the Table 3 and Table 4 settings below. See link SSID.

| S/N | Field | Value | Remark |
|---|---|---|---|
| 01 | SSID Name | Guest_WiFi | |
| 02 | Encryption Mode | Mode = Open | |
| 03 | Optional Settings | Select ‘Broadcast’; VLAN/Networking = vlan10@eth1 | |

Table 3 :

Configure ‘Staff SSID‘ details as per below settings

| S/N | Field | Value | Remark |
|---|---|---|---|
| 01 | SSID Name | Staff_WiFi | |
| 02 | Encryption Mode | Mode = “WPA2-PSK”; Password = “test123” | |
| 03 | Optional Settings | Select ‘Broadcast’; VLAN/Networking = vlan10@eth1 | |

Table 3 :

Step 7 – Configure 5G and Multi-WAN (Failover/Load balancing)

User will learn how to enable Multi-WAN for WAN ports (eth0, LTE1, LTE2, etc.) to perform load balancing or failover within a Multi-WAN group. User can

Enabling Multi-WAN on eth0

User can enable the ‘Multi-WAN Group‘ section for the interface (eth0). See link Settings of Ethernet Interface (02. Multi-WAN Group)

  • Configure the Multi-WAN Group setting for port (eth0) as per below and save.

| S/N | Field | Value | Remarks |
|---|---|---|---|
| 01 | Multi-WAN Group | 0 | Group Number to map during the MWAN firewall rule |
| 02 | Track Remote Host | 8.8.8.8 | This verifies the connectivity to the remote device. |
| 03 | Tracking Interval / Attempts | 5 | Checks the Connectivity to the ‘Track Remote Host‘ to every x interval value mentioned. |
| 04 | Link Metric | 1 | The Metric value determines the link as Primary or standby based on the value among the MWAN group. The low value represents as Primary compared to the other value in the group. |

Interface (eth0-WAN) Multi-WAN Group Settings

Enabling Multi-WAN on 5G-SIM1 (wwan0)

User can enable the ‘xxxxxx multiwan’ section for the 5G-SIM1(wwan0). See link Wireless WAN

Image x : 5G MWAN enable screen

Configure the Multi-WAN Group setting for LTE (SIM 1) as per below and save.

| S/N | Field | Value | Remarks |
|---|---|---|---|
| 01 | Multi-WAN Group | 0 | Group Number to map during the MWAN firewall rule |
| 02 | Track Remote Host | 8.8.8.8 | This verifies the connectivity to the remote device. |
| 03 | Tracking Interval / Attempts | 5 | Checks the Connectivity to the ‘Track Remote Host‘ to every x interval value mentioned. |
| 04 | Link Metric | 1 | The Metric value determines the link as Primary or standby based on the value among the MWAN group. The low value represents as Primary compared to the other value in the group. |

LTE (SIM 1) Multi-WAN Group Settings
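
How the Link Metric and tracking fields of a Multi-WAN group interact, as an added Python model (this is not RansNet code and not the UA's implementation). Assumptions: a link is marked down after `attempts` consecutive failed probes of the Track Remote Host, a single successful probe brings it back, links sharing the lowest metric carry traffic together, and the metric of 2 for wwan0 is a constructed value.

```python
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    metric: int        # "Link Metric": the lowest value in the group is preferred
    attempts: int = 5  # assumed: consecutive failed probes before the link is down
    failures: int = 0  # consecutive failed probes of the Track Remote Host so far

    def record_probe(self, reachable):
        """Record one probe result; a success clears the failure count."""
        self.failures = 0 if reachable else self.failures + 1

    @property
    def up(self):
        return self.failures < self.attempts


def active_links(group):
    """Names of the links carrying traffic: the up links sharing the lowest metric."""
    alive = [link for link in group if link.up]
    if not alive:
        return []
    best = min(link.metric for link in alive)
    return sorted(link.name for link in alive if link.metric == best)


def simulate(metrics, trace):
    """Replay probe results and return the active set after each round."""
    group = [Link(name, metric) for name, metric in metrics.items()]
    history = []
    for results in trace:
        for link in group:
            link.record_probe(results[link.name])
        history.append(active_links(group))
    return history


# Constructed trace: eth0 loses the tracked host for five rounds, then recovers.
OK, WAN_DOWN = {"eth0": True, "wwan0": True}, {"eth0": False, "wwan0": True}
TRACE = [OK] + [WAN_DOWN] * 5 + [OK]

FAILOVER = simulate({"eth0": 1, "wwan0": 2}, TRACE)  # wwan0 metric 2 is assumed
SHARED = simulate({"eth0": 1, "wwan0": 1}, TRACE)    # equal metrics

if __name__ == "__main__":
    print("distinct metrics:", FAILOVER)
    print("equal metrics:   ", SHARED)
```

In this model, distinct metrics give Active/Standby behaviour, while equal metrics keep both links active until one fails its tracking.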

Step 8 – Configure Firewall Rules

User will learn how to create firewall rules to:

  • Allow users to securely access (SSH) the UA device.
  • Permit all Outbound access to Internet.
  • Hide / SNAT all LAN interface IPs from Internet
  • Forward dynamic ports to internal host.

SSH To UA Device

Navigate to the SDWAN Edge device by clicking on the MAC address of the relevant UA, and create a new Input rule. See link Firewall-Input Rule.

Image x : SSH Input rule setting

User can configure the SSH Input rule as per below setting

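| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | Firewall Input (Base) | Rule No | 9 | |
| | | Action | Permit | |
| | | Direction | All | |
| 02 | Firewall Inputs (Optional) | Protocol | TCP | |
| | | Source IP/Subnet | 192.168.0.0/16 | |
| | | Destination Port | 22 | |
| | | Remarks | ‘Firewall Input Rule to Access the Device using SSH’ | |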

Permit All Outbound Access To Internet.

Outbound refers to connections going out to a specific device through specific ports (WAN or LTE); for example, a web browser connecting to an outside web server is an outbound connection. In this scenario, outbound traffic can pass through WAN or LTE depending on the Multi-WAN configuration (Active/Standby or Active/Active).

The user can pre-configure the ‘Access rule’ to pass outbound traffic through WAN (eth0) as well as LTE (SIM1/SIM2).

Navigate to SDWAN Edge device by clicking on the MAC address of the relevant UA, and create a new Access rule. See link Firewall – Access Rule

Image x : wwan0 outbound Firewall – Access rule setting

User can configure the outbound Access rule as per below settings

| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | Firewall Access (Base) | Rule No | 10 | |
| | | Action | Permit | |
| | | Direction | Outbound | |
| | | Outbound Interface | eth0 | |

Table x : Firewall Access rule – Outbound settings

User can configure the rest of the Outbound Interface (LTE0, wwan0)

Hide/SNAT all LAN Interface IPs From Internet

Source Network Address Translation (SNAT) allows traffic from a private network to go out to the internet. The systems on a private network can get to the internet by going through a gateway capable of performing SNAT. It replaces the source IP of the originating packet with the public side IP.

The following configuration shows how all private networks are allowed to reach the public domain through the SNAT gateway.

To enable SNAT for a UA, go to ‘MFUSION CLOUD > Orchestrator > SDWAN Edge’. In the MAC address list of UAs, click the UA for which SNAT should be enabled. Click the ‘Firewall’ tab and select the SNAT menu. See link Firewall – SNAT Rule

Image x : Interface (eth0) Firewall – SNAT rule setting

User can configure the Outbound SNAT rule as per below settings

| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | Firewall SNAT (Base) | Rule No | 10 | |
| | | Action | Overload | |
| | | Direction | Outbound | |
| | | Outbound Interface | eth0 | |

Table x : Firewall SNAT rule – Outbound settings

User can configure the rest of the SNAT Outbound rule (LTE0, wwan0).

Forward Dynamic Ports to Internal Host (DNAT).

This is typically for providing access from Internet (External network) to internal hosts. mbox changes packet destination headers (address or port number) as it passes through mbox (typical inbound access).

To enable DNAT for a UA, go to ‘MFUSION CLOUD > Orchestrator > SDWAN Edge’. In the MAC address list of UAs, click the UA for which DNAT should be enabled. Click the ‘Firewall’ tab and select the DNAT menu. See link Firewall – DNAT Rule

Image x : Firewall DNAT rule settings

User can configure the Outbound DNAT rule as per below settings

| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | Firewall DNAT (Base) | Rule No | 20 | |
| | | Action | Translate | |
| | | Direction | All | |
| 02 | Firewall DNAT (Options) | Protocol | TCP | |
| | | Destination – Destination IP | 192.168.1.12 | |
| | | Destination Port | 8080 | |

Step 9 – Configure UA with HSG Captive Portal

In this section, the user will learn to configure the UA as a Hotspot Controller to push the Captive portal for Guest SSID. The UA Hotspot controller will be configured with Cloud Hotspot Gateway (HSG) for Captive portal and Radius authentication only for

NOTE

‘IP host’ (‘splash.ransnet.com’ mapped to Cloud HSG) has to be configured before proceeding to the below procedure. See link New IP Host

To configure Captive Portal for a UA, navigate to ‘HOTSPOT SETTING > Captive Portal’ from the Captive Portals tab.
See link Create and Edit Captive Portal
See link Portal Customization
See link General Tab

Configure the Hotspot Instance

To enable a Hotspot instance for a UA, go to ‘MFUSION CLOUD > Orchestrator > SDWAN Edge’. In the MAC address list of UAs, click the UA for which the Hotspot Instance should be enabled.

User can configure the Hotspot Instance as per below settings and save.

| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | Hotspot (Base) | Hotspot LAN | vlan10 | |
| | | Hotspot Server / Ports | 192.168.10.1 / 1400, 1499 | |
| | | Client Network / Netmask | 192.168.10.0 / 255.255.255.0 | |
| | | Radius Server / Key | splash.ransnet.com / testing123 | |
| | | Hotspot Portal | Paste the Full URL of the created Captive portal | |
| | Hotspot Instance (Optional) | Redirect / Success URL | http://www.ransnet.com | |
| | | Bypass / Whitelist By | Domain List: akamaihd.net, facebook.com, facebook.net, fb.me, fbcdn.net, fbsbx.com | |

User can test the Captive portal by selecting the ‘Guest SSID’ to see the captive portal.
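
A pre-production check over the sample values used in Steps 6, 8 and 9, as an added Python example (not RansNet code). The dictionary layout, the policy thresholds, the finding names and every value in `PRODUCTION` are assumptions made for this example; only the values in `GUIDE` come from the tables above.

```python
import copy
import ipaddress

# Values transcribed from this guide's tables (Steps 6, 8 and 9).
GUIDE = {
    "ssids": [
        {"name": "Guest_WiFi", "mode": "Open", "psk": None, "network": "vlan10@eth1"},
        {"name": "Staff_WiFi", "mode": "WPA2-PSK", "psk": "test123", "network": "vlan10@eth1"},
    ],
    "ssh_source": "192.168.0.0/16",
    "hotspot": {"client_net": "192.168.10.0/255.255.255.0", "radius_key": "testing123"},
}

# Assumed review policy for this example, not RansNet defaults.
MIN_PSK_LEN = 12
SAMPLE_SECRETS = {"test123", "testing123"}


def audit(cfg):
    """Return (finding, subject) pairs for settings to change before go-live."""
    findings = []
    open_nets = {s["network"] for s in cfg["ssids"] if s["mode"].lower() == "open"}
    for s in cfg["ssids"]:
        if s["mode"].lower() == "open":
            continue
        if s["psk"] in SAMPLE_SECRETS or len(s["psk"]) < MIN_PSK_LEN:
            findings.append(("weak-psk", s["name"]))
        if s["network"] in open_nets:
            findings.append(("shares-network-with-open-ssid", s["name"]))
    if cfg["hotspot"]["radius_key"] in SAMPLE_SECRETS:
        findings.append(("sample-radius-key", "hotspot"))
    # Does the SSH input rule's source range include the hotspot client network?
    ssh_src = ipaddress.ip_network(cfg["ssh_source"])
    clients = ipaddress.ip_network(cfg["hotspot"]["client_net"])
    if clients.subnet_of(ssh_src):
        findings.append(("ssh-rule-covers-hotspot-clients", str(clients)))
    return findings


# Constructed production variant: every replacement value below is an assumption.
PRODUCTION = copy.deepcopy(GUIDE)
PRODUCTION["ssids"][1].update(psk="constructed-example-passphrase", network="vlan21@eth1")
PRODUCTION["ssh_source"] = "192.168.21.0/24"
PRODUCTION["hotspot"]["radius_key"] = "constructed-example-radius-secret"

if __name__ == "__main__":
    for label, cfg in (("guide", GUIDE), ("production", PRODUCTION)):
        print(label, audit(cfg))
```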