Single Site with Multi-WAN - docs.ransnet.com

Contents

This sample scenario represents a typical router/CPE deployment with a single (or dual) SIM as a backup to primary WAN.

**Image 1** : Three WAN with Simple Failover

Understand HSA/UA Internal Architecture

Can use any type of WAN connection (eg. fiber, PPPoE, ISP ONT/modem)
Can use SIM cards from the same or different providers for LTE
WAN is the primary, LTEs are used as a backup.

**Image 2** : UA/HSA Internal Architecture with Multi-WAN

Configure UA With RansNet mfusion cloud

Prerequisites

An Internet connection from ISP link ONT or Modem to UA WAN port.
A mobile operator SIM card.
PC with ‘LAN port network setting‘ configured as
Know your mfusion cloud login credentials and Register the Device (UA).
- RansNet mfusion cloud: Contact RansNet Account Manager
- RansNet on-premises mfusion: Contact the on-premises administrator
- Create Entity and User login account.
  - See link Create Entity
  - See link Create mfusion user account
  - See Link Add Host
UA upgraded with latest firmware. (Optional)
- See link Console Access To RansNet Appliance
- See link Upgrade Firmware

NOTE

Firmware upgrade is not required for the newly shipped UA/HSA.

Procedures

In this Scenario user will be configurating:

Step 1 – Physical Connectivity of UA
Step 2 – Configure mfusion agent in Local HSA/UA
Step 3 – Add and Provision UA to mfusion cloud
Step 4 – Create Multi-WAN Group and Rule for WAN Interfaces
- Multi-WAN will be configure for eth0, wwan0 and wwan1
Step 5 – Configure VLANs as Trunkport.
Step 6 – Configure Wireless and SSID.
Step 7 – Configure 5G and Multi-WAN (Failover/Load balancing)
Step 8 – Configure Firewall Rules
Step 9 – Configure UA with HSG Captive Portal

Step 1 – Physical Installation of UA

Connect a UTP Cable from ISP Router / Modem to UA/HSA WAN port
- The UA/HSA WAN port is configured as DHCP client by default
Insert the operator SIM to UA/HSA slot SIM1 as shown in Image 1 below.

**Image 2** : Insert SIM to UA/HSA SIM slot

NOTE

A reboot is required after the insert of the SIM

Install the Wi-Fi and 5G antennas
Connect the PC to any LAN port of UA.
- The UA LAN ports are mapped to VLAN-1 and configured as DHCP server.
- The LAN port needs to be configured to Auto obtain IP.
- The PC gets an IP from 192.168.8.0 network with /24 subnet with internet access.

Step 2 – Configure mfusion agent in Local HSA / UA

Connect the laptop to HSA / UA using a console cable to access the device console terminal. See link Console Access To RansNet Appliance
Login to console terminal with ‘Support‘ credential.
Configure the below command in the ‘config mode‘ to enable the mfusion agent to communicate with mfusion cloud management.

mbox-hsa(config)#ip host portal.ransnet.com <IP Address>
mbox-hsa(config)#do write memory
mbox-hsa(config)# do show mfusion agent   <----------- To view the mfusion working status------
[info] mfusion agent is running
mbox-hsa(config)#

Step 3 – Add and Provision UA to mfusion cloud

Browse to RansNet mfusion cloud ( https://portal.ransnet.com/ ) / RansNet on-premises mfusion to access the Management Portal.
- Login with the mfusion credential.
Add the UA as a SD-WAN device. See link Add New Gateway
Click on the MAC address under the Remote column to configure the relevant UA

Step 4 – Create Multi-WAN Group and Rule for WAN Interfaces

User will learn how to enable Multi-WAN for WAN port (eth0, wwan0 (4G/5G-SIM1) , wwan1 (4G/5G-SIM2)) to preform Load balancing or Failover with-in multi wan group.

**Image 3** : HSA/UA Multi-WAN Architecture design

Enabling Multi-WAN on eth0

User can enable the ‘Multi-WAN Group‘ section for the interface (ethxx). See link Settings of Ethernet Interface (02. Multi-WAN Group)

**Image 4** : SDWAN Edge Ethernet interface UI

Configure the Multi-WAN Group setting for port (eth0) as per below table and save.

S/N	Field	Value	Remarks
01	Multi-WAN Group	0	Group Number to map during the MWAN firewall rule
02	Track Remote Host	8.8.8.8	This verifies the connectivity to the remote device.
03	Tracking Interval / Attempts	5	Checks the Connectivity to the ‘Track Remote Host‘ to every x interval value mentioned.
04	Link Metric	1	The Metric value determines the link as Primary or standby based on the value among the MWAN group. The low value represents as Primary compared to the other value in the group.

Table1: Interface (eth0-WAN) Multi-WAN Group Settings

Enabling Multi-WAN on ‘wwan0 (4G/5G-SIM1) / wwan1 (4G/5G-SIM1)5G-SIM2’ Interface.

User can enable the ‘Multi-wan’ section for the wwan0 (4G/5G-SIM1) / wwan1 (4G/5G-SIM1)5G-SIM2.
See link Setting Up Interface (Ethernet / VLAN / LTE)

**Image 5** : SDWAN Edge wwan0 interface UI

Configure the Multi-WAN Group setting for wwan0 (4G/5G-SIM1) & wwan1 (4G/5G-SIM2) as per below and save.

S/N	Field	Value (wwan0)	Value (wwan1)	Remarks
01	Multi-WAN Group	0	0	Group Number to map during the MWAN firewall rule
02	Track Remote Host	8.8.8.8	8.8.8.8	This verifies the connectivity to the remote device.
03	Tracking Interval / Attempts	5	5	Checks the Connectivity to the ‘Track Remote Host‘ to every x interval value mentioned.
04	Link Metric	2	2	The Metric value determines the link as Primary or standby based on the value among the MWAN group. The low value represents as Primary compared to the other value in the group.

Table x : WWAN0 & WWAN1 Multi-WAN Group Settings

Configure Multi-WAN (mwan-rule) Rule for Multi-WAN (mwan-group) Group.

Configuring Mwan-Rule is mandatory, User can enable the ‘Multi-wan’ section for the wwan0 (4G/5G-SIM1) / wwan1 (4G/5G-SIM1)5G-SIM2.
See link

Step 5 – Configure Firewall Rules

Allow users to securely access (SSH) the UA device .
Permit all Outbound access to Internet, through eth0, Lte1, Lte2, wwan0 and wwan1 based on the Mwan group rule. (pre-defined rule)
Hide / SNAT all LAN interface IPs from Internet. (pre-defined rule)

SSH To UA Device

Navigate to SDWAN Edge device by clicking on the MAC address of the relevant UA, and create a new Input rule See link Firewall-Input Rule.

User can configure the SSH Input rule as per below setting

S/N	Section	Field	Value
01	Firewall Input (Base)	Rule No	9
		Action	Permit
		Direction	All
02	Firewall Inputs (Optional)	Protocol	TCP
		Source IP/Subnet	192.168.0.0/16
		Destination Port	22
		Remarks	‘Firewall Input Rule to Access the Device using SSH’

Permit All Outbound Access To Internet.

Outbound refers to connections going-out to a specific device through any specific ports (WAN or LTE), e.g. A Web Browser connecting to outside Web Server is an outbound connection. In this scenario the outbound traffic can pass through WAN or LTE based on the Multi-WAN configuration (Active/Standby or Active/Active)

The user can pre-configure the ‘Access rule’ to pass outbound traffic though WAN (eth0) as well LTE (SIM1/SIM2)

Navigate to SDWAN Edge device by clicking on the MAC address of the relevant UA, and create a new Access rule. See link Firewall – Access Rule

**Image x** : wwan0 outbound Firewall – Access rule setting

Use can configure the outbound Access rule as per below settings

S/N	Section	Field	Value
01	Firewall Access (Base)	Rule No	10
		Action	Permit
		Direction	Outbound
		Outbound Interface	eth0

Table x : Firewall Access rule – Outbound settings

User can configure the rest of the Outbound Interface (LTE0, wwan0)

Hide/SNAT all LAN Interface IPs From Internet

Source Network Address Translation (SNAT) allows traffic from a private network to go out to the internet. The systems on a private network can get to the internet by going through a gateway capable of performing SNAT. it replaces the source IP of the originating packet with the public side IP.

The following configuration shows how all private network allows to reach the public domain through the SNAT gateway.

To enable SNAT for a UA, go to ‘MFUSION CLOUD > Orchestrator > SDWAN Edge > In the MAC address list of UA , click the UA for which SNAT should be enabled. Click the ‘Firewall’ tab and select the SNAT menu . See link Firewall – SNAT Rule

Image x : Interface (eth0) Firewall – SANT rule setting

Use can configure the Outbound SNAT rule as per below settings

S/N	Section	Field	Value
01	Firewall SNAT (Base)	Rule No	10
		Action	Overload
		Direction	Outbound
		Outbound Interface	eth0

Table x : Firewall SNAT rule – Outbound settings

User can configure the rest of the SNAT Outbound rule (LTE0, wwan0).

Forward Dynamic Ports to Internal Host (DNAT).

This is typically for providing access from Internet (External network) to internal hosts. mbox changes packet destination headers (address or port number) as it passes through mbox (typical inbound access).

To enable DNAT for a UA, go to ‘MFUSION CLOUD > Orchestrator > SDWAN Edge > In the MAC address list of UA, click the UA for which DNAT should be enabled. Click the ‘Firewall’ tab and select the DNAT menu. See link Firewall – DNA Rule

Use can configure the Outbound DNAT rule as per below settings

S/N	Section	Field	Value
01	Firewall DNAT (Base)
		Rule No	20
		Action	Translate
		Direction	All
02	Firewall DNAT (Options)
		Protocol	TCP
		Destination – Destination IP	192.168.1.12
		Destination Port	8080

Step 9 – Configure UA with HSG Captive Portal

In this section, the user will learn to configure the UA as a Hotspot Controller to push the Captive portal for Guest SSID. The UA Hotspot controller will be configured with Cloud Hotspot Gateway (HSG) for Captive portal and Radius authentication only for

NOTE

‘IP host‘ (‘splash.ransnet.com’ map to Cloud HSG) has to be configured before proceeding to the below procedure. See link New IP Host

To configure Captive Portal for a UA, navigate to ‘HOTSPOT SETTING > Captive Portal’ from the Captive Portals tab.
See link Create and Edit Captive Portal
See link Portal Customization
See link General Tab

Configure the Hotspot Instance

To enable Hotspot instance for a UA, go to ‘MFUSION CLOUD > Orchestrator > SDWAN Edge > In the MAC address list of UA, click the UA for which Hotspot Instance should be enabled

Use can configure the Hotspot Instance as per below settings and save.

S/N	Section	Field	Value
01	Hotspot (Base)
		Hotspot LAN	vlan10
		Hotspot Server / Ports	192.168.10.1 / 1400, 1499
		Client Network / Netmask	192.168.10.0 / 255.255.255.0
		Radius Server / Key	splash.ransnet.com / testing123
		Hotspot Portal	Paste the Full URL of the created Captive portal
	Hotspot Instance (Optional)
		Redirect / Success URL	http://www.ransnet.com
		Bypass / Whitelist By	Domain List : akamaihd.net facebook.com facebook.net fb.me fbcdn.net fbsbx.com

User can test the Captive portal by select the ‘Guest SSID’ to see the captive portal.