SD-WAN with Wi-Fi Hotspot – cloudx design

In this sample scenario we build a demo setup in which an mbox HSA/UA/XE functions as an SD-WAN router while working with a cloud HSG that provides the captive portal.


Common use cases

  1. CloudX design, where HSA/UA/XE is used as a mini-HSG; an additional MAP or 3rd-party AP behind it can be used to extend wireless coverage.
  2. “Wi-Fi on the go”, where HSA/UA/XE acts as an all-in-one device with single/dual LTE backhaul to provide Wi-Fi in buses or trains.
  3. Hotspot over SD-WAN, where HSA/UA/XE provides wireless hotspot access, on top of SD-WAN connectivity.

In all of the above design scenarios, HSA/UA/XE will function as a mini-HSG utilizing the below key features.

  1. Router & firewall
  2. dual-band Wi-Fi (802.11a/b/g/n/ac, wave 2)
  3. hotspot controller to redirect the user to the external/HSG captive portal
  4. dual-LTE slots (optional, for “Wi-Fi on the go”)
  5. SD-WAN capabilities (as an all-in-one retail solution)

At the same time, the cloud HSG is responsible for:

  1. hosting hotspot/captive portal
  2. hotspot user database and authentication (AAA)
  3. analytics and reporting


Deployment prerequisite

  • STEP 1 – 1 x Cloud HSG required. (Enable RADIUS and provision a captive portal for HSA/UA/XE to use).

NOTE

Cloud HSG can be a physical appliance or VM, hosted in the customer HQ or DC.

  • STEP 2 – Bootstrap (factory reset) the HSG and HSA/UA/XE if they are not new devices. Refer to Reset Host To Factory Default (Reset HSG / CMG to factory reset) and (Reset HSA / UA to factory reset).
  • STEP 3 – Log in to mfusion to provision and configure the HSG and HSA/UA/XE.
  • STEP 4 – Provision the HSA/UA/XE and HSG in mfusion. Refer to Devices Provisioning (Preparing mfusion Access).
  • STEP 5 – Add the HSG and HSA/UA/XE to the mfusion ORCHESTRATOR platform with the ‘Default Template’. Refer to New Gateway.
  • STEP 6 – The HSG must be reachable from the HSA/UA/XE (e.g. the HSG needs a public IP), with firewall ports open for TCP/80, TCP/443, UDP/1812 and UDP/1813.
  • STEP 7 – 1 x HSA-500/UA-800/XE-300 per site (the HSA/UA/XE built-in Wi-Fi can be used, together with an additional AP (optional) to extend wireless coverage).
  • STEP 8 – Connect the HSA/UA/XE WAN port to the ISP modem/ONT, or insert SIM cards into the dual LTE slots (optional, for “Wi-Fi on the go”).
  • STEP 9 – Configure VLAN10 for the wireless network and for the Hotspot Instance.
  • STEP 10 – Configure the Hotspot Instance in the HSA/UA/XE, pointing RADIUS to the HSG.

Deployment steps

STEP 6

  • The user can click on the MAC address of the Gateway to enter the Gateway configuration panel.
  • The user can configure the HSG eth0 with a public IP address by clicking on the interface name.

  • The user can navigate to the ‘Security tab > Input menu’ and click on the button to configure the TCP/80, TCP/443, UDP/1812 and UDP/1813 rules.
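The STEP 6 input rules are easy to get wrong when typed by hand: a rule number reused from the line above, or the RADIUS ports entered as TCP instead of UDP. The following Python script is an added example, not part of this page or of the mbox product, that lints the firewall-input and RADIUS client lines of an HSG configuration export against the port list in the prerequisites. The line syntax it parses is the one shown in the sample configuration on this page; the two configuration snippets embedded in it are constructed inputs, and the "any-source RADIUS client" and "catch-all permit" findings are only prompts for the operator to confirm those entries are intended.

```python
import re
from collections import Counter

# Inbound services the HSA/UA/XE needs on the HSG, taken from the deployment
# prerequisites: captive portal over HTTP/HTTPS, RADIUS authentication and accounting.
REQUIRED_HSG_INPUT = {("tcp", 80), ("tcp", 443), ("udp", 1812), ("udp", 1813)}

# RADIUS runs over UDP; a tcp rule on these ports does not satisfy the requirement.
UDP_ONLY_PORTS = {1812, 1813}

# 'firewall-input <num> permit all [tcp|udp dport <port>]' as written on this page
INPUT_RULE_RE = re.compile(
    r"^\s*firewall-input\s+(?P<num>\d+)\s+permit\s+all"
    r"(?:\s+(?P<proto>tcp|udp)\s+dport\s+(?P<port>\d+))?\s*$"
)
# 'client <network> key <secret> name <label>' inside 'security radius-server'
RADIUS_CLIENT_RE = re.compile(r"^\s*client\s+(?P<net>\S+)\s+key\s+(?P<key>\S+)")


def parse_input_rules(config_text):
    """Return [(rule_number, proto, port)] for every firewall-input line.
    A bare 'permit all' line yields proto=None and port=None."""
    rules = []
    for line in config_text.splitlines():
        m = INPUT_RULE_RE.match(line)
        if m:
            port = int(m.group("port")) if m.group("port") else None
            rules.append((int(m.group("num")), m.group("proto"), port))
    return rules


def parse_radius_clients(config_text):
    """Return [(network, shared_key)] for the RADIUS client entries in the config."""
    return [(m.group("net"), m.group("key"))
            for m in map(RADIUS_CLIENT_RE.match, config_text.splitlines()) if m]


def lint_hsg_config(config_text):
    """Lint an HSG configuration export. Empty lists and False flags mean the
    inbound policy matches the prerequisites and has nothing to double-check."""
    rules = parse_input_rules(config_text)
    permitted = {(proto, port) for _, proto, port in rules if proto is not None}
    numbers = Counter(num for num, _, _ in rules)
    return {
        # required service with no matching permit rule at all
        "missing": sorted(REQUIRED_HSG_INPUT - permitted),
        # same rule number used twice (a copy-paste slip; how the device resolves it is not documented here)
        "duplicate_numbers": sorted(n for n, c in numbers.items() if c > 1),
        # RADIUS ports permitted with the wrong transport
        "wrong_protocol": sorted((p, port) for p, port in permitted
                                 if port in UDP_ONLY_PORTS and p != "udp"),
        # a bare 'permit all' accepts every inbound flow; confirm it is intended
        "catch_all_permit": any(proto is None for _, proto, _ in rules),
        # a 0.0.0.0/0 RADIUS client trusts any source that knows the shared secret
        "any_source_radius_client": any(net == "0.0.0.0/0"
                                        for net, _ in parse_radius_clients(config_text)),
    }


# Constructed sample: the two slips this check is meant to catch (rule 102 reused,
# RADIUS entered as tcp) plus a bare permit-all and an any-source RADIUS client.
SLOPPY_HSG = """\
firewall-input 100 permit all tcp dport 22
firewall-input 101 permit all tcp dport 443
firewall-input 102 permit all tcp dport 80
firewall-input 102 permit all tcp dport 1812
firewall-input 102 permit all tcp dport 1813
firewall-input 499 permit all
!
security radius-server
client 2.1.2.1 key testing123 name localhost1
client 0.0.0.0/0 key testing123 name ExternalDEV1
start
"""

# Constructed sample: the same policy written as the prerequisites intend.
CLEAN_HSG = """\
firewall-input 100 permit all tcp dport 22
firewall-input 101 permit all tcp dport 443
firewall-input 102 permit all tcp dport 80
firewall-input 103 permit all udp dport 1812
firewall-input 104 permit all udp dport 1813
!
security radius-server
client 2.1.2.1 key testing123 name localhost1
start
"""

if __name__ == "__main__":
    for name, cfg in (("sloppy", SLOPPY_HSG), ("clean", CLEAN_HSG)):
        print(name, lint_hsg_config(cfg))
```

Run it against a `show running-config` export saved to a file; the "sloppy" sample reports the two RADIUS ports as missing, rule 102 as duplicated and the tcp/1812 and tcp/1813 lines as the wrong transport, while the "clean" sample reports nothing.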

STEP 9

  • The user can click on the MAC address of the SD-Branch to enter the SD-Branch configuration panel.
  • Configure Wi-Fi by navigating to ‘Network Tab > Wi-Fi menu’. Refer to Configure Wireless Interface / Global Wireless Policy.
  • Configure an IP host entry on the HSA/UA/XE that maps the HSG hostname to the HSG's public (reachable) IP address.
Image: IP Host GUI Configuration

  • Configure Hotspot by navigating to ‘Network Tab > Hotspot menu’ to configure the Hotspot Instance.
  • Click on the button to configure a new Hotspot Instance.
Image: Hotspot Instance GUI Configuration

Hotspot Instance Information Fields

  01. Hotspot Interface: eth1/VLANx
  02. Auth. Server (RADIUS): RADIUS Server = splash.ransnet.com; RADIUS key = testing123
  03. Captive Portal URL: copy the captive portal URL from the HSG
  04. Optional Hotspot Settings: Server/Ports = Hotspot Interface IP address / 5213, 4361; Client Network = Hotspot Interface Network; Static Network = Hotspot Interface Network
  05. Optional Client Parameters: Redirect URL = http://www.ransnet.com; Local DNS = ON
  06. Bypass / Whitelist By: Domain List = .ransnet.com; Destination IP/URL = splash.ransnet.com, 2.1.2.1

Sample HSG configuration (mbox-hsg-cmg)

hostname mbox-hsg-cmg
!
interface eth0
 description "WAN Interface"
 enable
 ip address <Public IP address>
!
interface eth1
 description "LAN Network"
 enable
 ip address 192.168.8.1/22
 dhcp-server
  router 192.168.8.1
  dns 8.8.8.8 8.8.4.4
  range 192.168.8.10 192.168.11.254
  enable
!
interface eth2
 description Management
 enable
 ip address 10.10.10.1/24
 dhcp-server
  router 10.10.10.1
  dns 8.8.8.8 8.8.4.4
  range 10.10.10.200 10.10.10.254
  enable
!
interface eth3
 description "Reserved network"
!
interface vlan 1 10
 description "Wireless Users"
 enable
 ip address 172.16.10.1/24
 dhcp-server
  router 172.16.10.1
  dns 8.8.8.8 8.8.4.4
  range 172.16.10.10 172.16.10.100
  enable
!
interface loopback
 enable
 ip address 2.1.2.1/32
!
ip name-server 8.8.8.8 8.8.4.4
!
ip ntp-server 203.211.159.1 62.201.225.9
!
ip host mail 127.0.0.1
ip host splash.ransnet.com 2.1.2.1 rewrite
!
ip default gateway <IP address/Subnet>
!
firewall-dnat 100 redirect inbound eth1 udp dport 53 rdport 53 remark "intercepts client DNS requests"
!
firewall-input 100 permit all tcp dport 22
firewall-input 101 permit all tcp dport 443
firewall-input 102 permit all tcp dport 80
firewall-input 103 permit all udp dport 1812
firewall-input 104 permit all udp dport 1813
firewall-input 499 permit all
!
firewall-access 100 permit outbound eth0
!
firewall-snat 100 overload outbound eth0
!
security radius-server
client 2.1.2.1 key testing123 name localhost1
client 0.0.0.0/0 key testing123 name ExternalDEV1
start

Sample HSA/UA/XE configuration (mbox-hsaWT)

hostname mbox-hsaWT
!
interface eth0
 description "Default connection to WAN"
 enable
 ip address dhcp
!
interface eth1
 description "Default bridges all 4 LAN ports"
 bridge
 enable
 ip address 192.168.8.1/22
 dhcp-server
  lease-time 86400 86400
  router 192.168.8.1
  dns 8.8.8.8 8.8.4.4
  range 192.168.8.10 192.168.11.254
  enable
!
interface eth2
 description "Default OOB-Mgmt"
 enable
 ip address 10.10.10.1/24
 dhcp-server
  lease-time 86400 86400
  router 10.10.10.1
  dns 8.8.8.8 8.8.4.4
  range 10.10.10.10 10.10.10.20
  enable
!
interface wwan0
 enable
!
ip name-server 8.8.8.8 8.8.4.4
!
ip host splash.ransnet.com <HSG Public IP address> rewrite
!
ip route 118.189.175.168 nexthop 192.168.1.1 remark "Route for HQ mfusion only"
!
firewall-input 100 permit all tcp dport 22
!
firewall-access 100 permit outbound eth0
firewall-access 101 permit outbound lte0
firewall-access 102 permit outbound lte1
firewall-access 103 permit outbound wwan0
firewall-access 104 permit outbound wwan1
firewall-access 105 permit all udp dport 1812
firewall-access 106 permit all udp dport 1813
!
firewall-snat 100 overload outbound eth0
firewall-snat 101 overload outbound lte0
firewall-snat 102 overload outbound lte1
firewall-snat 103 overload outbound wwan0
firewall-snat 104 overload outbound wwan1
!
security hotspot eth1
 hotspot-server 192.168.8.1 ports 5213 4361
 client-network 192.168.8.0 255.255.252.0
 client-static 192.168.8.0 255.255.252.0
 client-local-dns on
 bypass-domain .ransnet.com
 bypass-dst 2.1.2.1,portal.ransnet.com,splash.ransnet.com
 redirect-url http://www.ransnet.com
 radius-server splash.ransnet.com testing123
 hotspot-portal <Captive portal URL>
 start
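The `security hotspot` stanza above is where the hotspot controller behaviour from the feature list (redirect unauthenticated users to the external captive portal) and the bypass/whitelist fields from the Hotspot Instance table come together: the portal host itself has to be inside the walled garden or no client can ever log in. The following Python script is an added example, not part of this page or of the mbox product. It parses a stanza in the syntax shown above, models the controller's pass/redirect decision for a client flow, and runs the consistency checks an operator wants before issuing `start`. The stanza embedded in it is a constructed sample modelled on the configuration above; its `hotspot-portal` URL and the `captive.example.com` variant are made-up placeholders standing in for the URL copied from the HSG.

```python
import ipaddress
from urllib.parse import urlparse


def parse_hotspot_stanza(config_text):
    """Parse the 'security hotspot <iface>' stanza of an HSA/UA/XE config.
    Only the keywords used in the sample configuration on this page are understood."""
    cfg = {"bypass_domain": [], "bypass_dst": []}
    inside = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("security hotspot "):
            inside = True
            cfg["interface"] = line.split()[2]
            continue
        if not inside or not line:
            continue
        if line == "start":            # closes the stanza
            break
        key, _, rest = line.partition(" ")
        args = rest.split()
        if key == "hotspot-server":    # hotspot-server <ip> ports <p1> <p2>
            cfg["server_ip"] = ipaddress.ip_address(args[0])
            cfg["ports"] = [int(p) for p in args[2:]]
        elif key == "client-network":  # client-network <network> <netmask>
            cfg["client_network"] = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        elif key == "bypass-domain":   # domain suffixes reachable before login
            cfg["bypass_domain"].extend(args)
        elif key == "bypass-dst":      # comma-separated hosts/IPs reachable before login
            cfg["bypass_dst"].extend(h.strip() for h in rest.split(","))
        elif key == "radius-server":   # radius-server <host> <shared-secret>
            cfg["radius_host"] = args[0]
        elif key == "hotspot-portal":  # captive portal URL copied from the HSG
            cfg["portal_url"] = rest.strip()
    return cfg


def host_is_bypassed(host, cfg):
    """Walled-garden test: may an unauthenticated client reach this destination?"""
    if host in cfg["bypass_dst"]:
        return True
    return any(host.endswith(suffix) for suffix in cfg["bypass_domain"])


def hotspot_decision(cfg, client_authenticated, dst_host):
    """What the hotspot controller does with a client flow: 'pass' it through,
    or 'redirect' the client to the captive portal."""
    if client_authenticated or host_is_bypassed(dst_host, cfg):
        return "pass"
    return "redirect"


def check_hotspot_config(cfg):
    """Pre-'start' consistency checks. Returns a list of problems; empty means OK."""
    problems = []
    portal = cfg.get("portal_url", "")
    if not portal or portal.startswith("<"):
        problems.append("hotspot-portal still holds a placeholder; copy the URL from the HSG")
    else:
        portal_host = urlparse(portal).hostname or ""
        if not host_is_bypassed(portal_host, cfg):
            problems.append(f"portal host {portal_host} is not in bypass-dst/bypass-domain, "
                            "so unauthenticated clients cannot load the login page")
    if cfg["server_ip"] not in cfg["client_network"]:
        problems.append("hotspot-server address is outside client-network")
    return problems


# Constructed sample stanza modelled on the HSA/UA/XE configuration on this page;
# the portal URL is a made-up placeholder for the one copied from the HSG.
SAMPLE_HSA = """\
security hotspot eth1
 hotspot-server 192.168.8.1 ports 5213 4361
 client-network 192.168.8.0 255.255.252.0
 client-static 192.168.8.0 255.255.252.0
 client-local-dns on
 bypass-domain .ransnet.com
 bypass-dst 2.1.2.1,portal.ransnet.com,splash.ransnet.com
 redirect-url http://www.ransnet.com
 radius-server splash.ransnet.com testing123
 hotspot-portal http://splash.ransnet.com/portal
 start
"""

# Constructed variant: the portal moved to a host outside the walled garden.
BROKEN_HSA = SAMPLE_HSA.replace("hotspot-portal http://splash.ransnet.com/portal",
                                "hotspot-portal http://captive.example.com/login")

if __name__ == "__main__":
    cfg = parse_hotspot_stanza(SAMPLE_HSA)
    print(check_hotspot_config(cfg))                              # []
    print(hotspot_decision(cfg, False, "example.com"))            # redirect
    print(hotspot_decision(cfg, False, "splash.ransnet.com"))     # pass
    print(check_hotspot_config(parse_hotspot_stanza(BROKEN_HSA))) # one problem
```

The bypass-domain match is a plain suffix test, which is how the table's "Domain List = .ransnet.com" entry reads; any host under that suffix passes before login, so keep the list to what the portal actually needs.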