Contents
This scenario represents a typical Router/CPE deployment with a single SIM as the backup to primary WAN, Wireless for Mobile users with Hotspot.
Use Cases
- Enterprises requiring resilient WAN/Internet connection
- Service providers, to deploy SD-WAN to replace MPLS and manage remote CPEs
- Backhaul large IoT deployment
- SD-WAN deployment for remote branches, retail outlets, logistics smart lockers or bank ATM
- Transport, to offer ‘Wi-Fi on the go’
Understand UA Internal Architecture
- Can use any type of WAN connection (eg. fiber, PPPoE, ISP ONT/modem)
- Can use SIM cards from same or different providers for LTE
- WAN is the primary, LTEs are used as backup.
- Built-in wireless for Wi-Fi user.
Configure UA With RansNet mfusion cloud
Prerequisites
- Internet connection from ISP link ONT or Modem to UA WAN port .
- A mobile operator SIM card.
- PC with ‘LAN port network setting‘ configured as
- Know your mfusion cloud login credentials and Register the Device (UA).
- RansNet mfusion cloud: Contact RansNet Account Manager
- RansNet on-premises mfusion: ???
- Create Entity and User login account.
- See link Create Entity
- See link Create mfusion user account
- See Link Add Host
- UA upgraded with latest firmware. (Optional)
- See link Console Access To RansNet Appliance
- See link Upgrade Firmware
NOTE
Firmware upgrade is not required for the newly shipped UA/HSA.
Procedures
In this Scenario user will be configurating:
- Step 1 – Physical Connectivity of UA
- Step 2 – Add and Provision UA to mfusion cloud
- Step 3 – Creating VLANs
- Step 4 – Assign VLAN as Switchport
- Step 5 – Configure VLANs as Trunkport.
- Step 6 – Configure Wireless and SSID.
- Step 7 – Configure 5G and Multi-WAN (Failover/Load balancing)
- Step 8 – Configure Firewall Rules
- Step 9 – Configure UA with HSG Captive Portal
Step 1 – Physical Installation of UA
- Connect a UTP Cable from ISP Router / Modem to UA/HSA WAN port
- The UA/HSA WAN port is configured as DHCP client by default
- Insert the operator SIM to UA/HSA slot SIM1 as shown in Image 1 below.
NOTE
A reboot is required after the insert of the SIM
- Install the Wi-Fi and 5G antennas
- Connect the PC to any LAN port of UA.
- The UA LAN ports are mapped to VLAN-1 and configured as DHCP server.
- The LAN port needs to be configured to Auto obtain IP.
- The PC gets an IP from 192.168.8.0 network with /24 subnet with internet access.
.
Step 2 – Add and Provision UA to mfusion cloud
- Browse to RansNet mfusion cloud ( https://portal.ransnet.com/ ) / RansNet on-premises mfusion to access the Management Portal.
- Login with the mfusion credential.
- Add the UA as a SD-WAN device. See link Add New Gateway
- Click on the MAC address under the Remote column to configure the relevant UA
Step 3 – Creating VLANs
In this section, the user will learn to Create VLANs as assign them as ‘Switchport’ / ‘Trunk port’. User can create ‘VLAN-10’ as Switchport, ‘VLAN-21’, and ‘VLAN-22’ as a Trunk port.
New VLANs
- Add new VLAN interface by navigate to ‘MFUSION CLOUD > Orchestration > SDWAN Edge‘ tab, See link New VLAN Interface.
Step 4 – Assign VLAN as Switchport
????????
Map the Switchport of port 1 to VLAN10 as per below settings and save.
.
Step 5 – Configure VLANs as Trunkport.
Configure New VLAN settings as per below table and save.
| S/N | Sections | Fields | Value | Remarks |
|---|---|---|---|---|
| 01 | New/Edit VLAN | |||
| 1.1 | Physical 802.1q Trunking Interface | eth1 | It creates the VLAN interface (Logical Interface) under physical interface. | |
| 1.2 | VLAN ID | vlan21 | The VLAN interface-id | |
| 1.3 | Admin Status | Enable | This enables the status of the VLAN interface. | |
| 1.4 | IP Address/Netmask | 192.168.21.1/24 | This sets the VLAN interface IP/Subnet | |
| 1.5 | Optional Settings | Description = “VLAN-21 tagged to port 2” | ||
| 02 | DHCP Server | |||
| 2.1 | Client Default Gateway | 192.168.21.1 | The Client device’s Default gateway point to VLAN IP address. | |
| 2.2 | Client DHCP Pool Range | 192.168.21.2 – 192.168.21.254 | Issues IP Address to device from defined pool | |
| 2.3 | Optional Settings | DNS Server = 8.8.8.8, 8.8.4.4 | All users to access internet. |
- Create the other two VLANs (VLAN-22)
- VLAN22: Trunk Interface – eth1 | IP address – 192.168.22.1/24 | Description – “VLAN-22 tagged to port 2” & DHCP Settings
.
Step 6 – Enable Wireless and SSID
In this section user will learn to enable the Wi-Fi and broadcast two SSID through UA. Dual radio (2.4 & 5 Ghz) will be configured with the Channel, SSID name, encryption type, network map to SSID, etc.
User can create a Global Wireless Template (See link Global Wireless Template) and map the same to UA or can create the same wireless config in the UA network setting (Wireless menu) by following the below steps..
- Configure the new Wireless LAN. See link Configure Wireless Interface
- Enable Radio 2.4Ghz and 5Ghz as per below settings
| S/N | Section | Fields | Values | Remarks |
|---|---|---|---|---|
| 01 | Radio0 (2.4Ghz) | |||
| Channel | Auto | |||
| Country | Singapore | |||
| Power | 23dbm | |||
| 02 | Radio1 (5Ghz) | |||
| Channel | Auto | |||
| Country | Singapore | |||
| Power | 27dbm |
- Configure New Wireless SSID (Guest and Staff), See link SSID. as per the Table 3 and Table 4 settings below.
| S/N | Field | Value | Remark |
|---|---|---|---|
| 01 | SSID Name | Guest_WiFi | |
| 02 | Encryption Mode | Mode = Open | |
| 03 | Optional Settings | Select ‘Broadcast’ VLAN/Networking= vlan10@eth1 |
Configure ‘Staff SSID‘ details as per below settings
| S/N | Field | Value | Remark |
|---|---|---|---|
| 01 | SSID Name | Staff_WiFi | |
| 02 | Encryption Mode | Mode = “WPA2-PSK” Password = “test123” | |
| 03 | Optional Settings | Select ‘Broadcast’ VLAN/Networking= vlan10@eth1 |
.
Step 7 – Configure 5G and Multi-WAN (Failover/Load balancing)
User will learn how to enable Multi-WAN for WAN port (eth0, LTE1, LTE2, etc) to preform Load balancing or Failover with-in multi wan group. User can
Enabling Multi-WAN on eth0
User can enable the ‘Multi-WAN Group‘ section for the interface (eth0). See link Settings of Ethernet Interface (02. Multi-WAN Group)
- Configure the Multi-WAN Group setting for port (eth0) as per below and save.
| S/N | Field | Value | Remarks |
|---|---|---|---|
| 01 | Multi-WAN Group | 0 | Group Number to map during the MWAN firewall rule |
| 02 | Track Remote Host | 8.8.8.8 | This verifies the connectivity to the remote device. |
| 03 | Tracking Interval / Attempts | 5 | Checks the Connectivity to the ‘Track Remote Host‘ to every x interval value mentioned. |
| 04 | Link Metric | 1 | The Metric value determines the link as Primary or standby based on the value among the MWAN group. The low value represents as Primary compared to the other value in the group. |
Enabling Multi-WAN on 5G-SIM1 (wwan0)
User can enable the ‘xxxxxx multiwan’ section for the 5G-SIM1(wwan0). See link Wireless WAN
<<<Image of 5G MWAN enable screen>>
Configure the Multi-WAN Group setting for LTE (SIM 1) as per below and save.
| S/N | Field | Value | Remarks |
|---|---|---|---|
| 01 | Multi-WAN Group | 0 | Group Number to map during the MWAN firewall rule |
| 02 | Track Remote Host | 8.8.8.8 | This verifies the connectivity to the remote device. |
| 03 | Tracking Interval / Attempts | 5 | Checks the Connectivity to the ‘Track Remote Host‘ to every x interval value mentioned. |
| 04 | Link Metric | 1 | The Metric value determines the link as Primary or standby based on the value among the MWAN group. The low value represents as Primary compared to the other value in the group. |
Step 8 – Configure Firewall Rules
User will learn how to create firewall rules to:
- Allow users to securely access (SSH) the UA device .
- Permit all Outbound access to Internet.
- Hide / SNAT all LAN interface IPs from Internet
- Forward dynamic ports to internal host.
SSH To UA Device
Navigate to SDWAN Edge device by clicking on the MAC address of the relevant UA, and create a new Input rule See link Firewall-Input Rule.
User can configure the SSH Input rule as per below setting
| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | Firewall Input (Base) | Rule No | 9 | |
| Action | Permit | |||
| Direction | All | |||
| 02 | Firewall Inputs (Optional) | Protocol | TCP | |
| Source IP/Subnet | 192.168.0.0/16 | |||
| Destination Port | 22 | |||
| Remarks | ‘Firewall Input Rule to Access the Device using SSH’ |
Permit All Outbound Access To Internet.
Outbound refers to connections going-out to a specific device through any specific ports (WAN or LTE), e.g. A Web Browser connecting to outside Web Server is an outbound connection. In this scenario the outbound traffic can pass through WAN or LTE based on the Multi-WAN configuration (Active/Standby or Active/Active)
The user can pre-configure the ‘Access rule’ to pass outbound traffic though WAN (eth0) as well LTE (SIM1/SIM2)
Navigate to SDWAN Edge device by clicking on the MAC address of the relevant UA, and create a new Access rule. See link Firewall – Access Rule
Use can configure the outbound Access rule as per below settings
| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | Firewall Access (Base) | Rule No | 10 | |
| Action | Permit | |||
| Direction | Outbound | |||
| Outbound Interface | eth0 |
User can configure the rest of the Outbound Interface (LTE0, wwan0)
Hide/SNAT all LAN Interface IPs From Internet
Source Network Address Translation (SNAT) allows traffic from a private network to go out to the internet. The systems on a private network can get to the internet by going through a gateway capable of performing SNAT. it replaces the source IP of the originating packet with the public side IP.
The following configuration shows how all private network allows to reach the public domain through the SNAT gateway.
To enable SNAT for a UA, go to ‘MFUSION CLOUD > Orchestrator > SDWAN Edge > In the MAC address list of UA , click the UA for which SNAT should be enabled. Click the ‘Firewall’ tab and select the SNAT menu . See link Firewall – SNAT Rule
Use can configure the Outbound SNAT rule as per below settings
| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | Firewall SNAT (Base) | Rule No | 10 | |
| Action | Overload | |||
| Direction | Outbound | |||
| Outbound Interface | eth0 |
User can configure the rest of the SNAT Outbound rule (LTE0, wwan0).
Forward Dynamic Ports to Internal Host (DNAT).
This is typically for providing access from Internet (External network) to internal hosts. mbox changes packet destination headers (address or port number) as it passes through mbox (typical inbound access).
To enable DNAT for a UA, go to ‘MFUSION CLOUD > Orchestrator > SDWAN Edge > In the MAC address list of UA, click the UA for which DNAT should be enabled. Click the ‘Firewall’ tab and select the DNAT menu. See link Firewall – DNA Rule
Use can configure the Outbound DNAT rule as per below settings
| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | Firewall DNAT (Base) | |||
| Rule No | 20 | |||
| Action | Translate | |||
| Direction | All | |||
| 02 | Firewall DNAT (Options) | |||
| Protocol | TCP | |||
| Destination – Destination IP | 192.168.1.12 | |||
| Destination Port | 8080 |
Step 9 – Configure UA with HSG Captive Portal
In this section, the user will learn to configure the UA as a Hotspot Controller to push the Captive portal for Guest SSID. The UA Hotspot controller will be configured with Cloud Hotspot Gateway (HSG) for Captive portal and Radius authentication only for
NOTE
‘IP host‘ (‘splash.ransnet.com’ map to Cloud HSG) has to be configured before proceeding to the below procedure. See link New IP Host
To configure Captive Portal for a UA, navigate to ‘HOTSPOT SETTING > Captive Portal’ from the Captive Portals tab.
See link Create and Edit Captive Portal
See link Portal Customization
See link General Tab
Configure the Hotspot Instance
To enable Hotspot instance for a UA, go to ‘MFUSION CLOUD > Orchestrator > SDWAN Edge > In the MAC address list of UA, click the UA for which Hotspot Instance should be enabled
Use can configure the Hotspot Instance as per below settings and save.
| S/N | Section | Field | Value | Remarks |
|---|---|---|---|---|
| 01 | Hotspot (Base) | |||
| Hotspot LAN | vlan10 | |||
| Hotspot Server / Ports | 192.168.10.1 / 1400, 1499 | |||
| Client Network / Netmask | 192.168.10.0 / 255.255.255.0 | |||
| Radius Server / Key | splash.ransnet.com / testing123 | |||
| Hotspot Portal | Paste the Full URL of the created Captive portal | |||
| Hotspot Instance (Optional) | ||||
| Redirect / Success URL | http://www.ransnet.com | |||
| Bypass / Whitelist By | Domain List : akamaihd.net facebook.com facebook.net fb.me fbcdn.net fbsbx.com | |||
User can test the Captive portal by select the ‘Guest SSID’ to see the captive portal.