Contents
This sample scenario represents a typical router/CPE deployment with a single (or dual) SIM as a backup to primary WAN.

Understand HSA/UA Internal Architecture
- Can use any type of WAN connection (eg. fiber, PPPoE, ISP ONT/modem)
- Can use SIM cards from the same or different providers for LTE
- WAN is the primary, LTEs are used as a backup.

Configure UA With RansNet mfusion cloud
Prerequisites
- An Internet connection from ISP link ONT or Modem to UA WAN port.
- A mobile operator SIM card.
- PC with ‘LAN port network setting‘ configured as
- Know your mfusion cloud login credentials and Register the Device (UA).
- RansNet mfusion cloud: Contact RansNet Account Manager
- RansNet on-premises mfusion: Contact the on-premises administrator
- Create Entity and User login account.
- See link Create Entity
- See link Create mfusion user account
- See Link Add Host
- UA upgraded with latest firmware. (Optional)
- See link Console Access To RansNet Appliance
- See link Upgrade Firmware
NOTE
Firmware upgrade is not required for the newly shipped UA/HSA.
Procedures
In this Scenario user will be configurating:
- Step 1 – Physical Connectivity of UA
- Step 2 – Configure mfusion agent in Local HSA/UA
- Step 3 – Add and Provision UA to mfusion cloud
- Step 4 – Create Multi-WAN Group and Rule for WAN Interfaces
- Multi-WAN will be configure for eth0, wwan0 and wwan1
- Step 5 – Configure VLANs as Trunkport.
- Step 6 – Configure Wireless and SSID.
- Step 7 – Configure 5G and Multi-WAN (Failover/Load balancing)
- Step 8 – Configure Firewall Rules
- Step 9 – Configure UA with HSG Captive Portal
Step 1 – Physical Installation of UA
- Connect a UTP Cable from ISP Router / Modem to UA/HSA WAN port
- The UA/HSA WAN port is configured as DHCP client by default
- Insert the operator SIM to UA/HSA slot SIM1 as shown in Image 1 below.

NOTE
A reboot is required after the insert of the SIM
- Install the Wi-Fi and 5G antennas
- Connect the PC to any LAN port of UA.
- The UA LAN ports are mapped to VLAN-1 and configured as DHCP server.
- The LAN port needs to be configured to Auto obtain IP.
- The PC gets an IP from 192.168.8.0 network with /24 subnet with internet access.
.
Step 2 – Configure mfusion agent in Local HSA / UA
- Connect the laptop to HSA / UA using a console cable to access the device console terminal. See link Console Access To RansNet Appliance
- Login to console terminal with ‘Support‘ credential.
- Configure the below command in the ‘config mode‘ to enable the mfusion agent to communicate with mfusion cloud management.
mbox-hsa(config)#ip host portal.ransnet.com <IP Address>
mbox-hsa(config)#do write memory
mbox-hsa(config)# do show mfusion agent <----------- To view the mfusion working status------
[info] mfusion agent is running
mbox-hsa(config)#
Step 3 – Add and Provision UA to mfusion cloud
- Browse to RansNet mfusion cloud ( https://portal.ransnet.com/ ) / RansNet on-premises mfusion to access the Management Portal.
- Login with the mfusion credential.
- Add the UA as a SD-WAN device. See link Add New Gateway
- Click on the MAC address under the Remote column to configure the relevant UA
Step 4 – Create Multi-WAN Group and Rule for WAN Interfaces
User will learn how to enable Multi-WAN for WAN port (eth0, wwan0 (4G/5G-SIM1) , wwan1 (4G/5G-SIM2)) to preform Load balancing or Failover with-in multi wan group.

Enabling Multi-WAN on eth0
User can enable the ‘Multi-WAN Group‘ section for the interface (ethxx). See link Settings of Ethernet Interface (02. Multi-WAN Group)

- Configure the Multi-WAN Group setting for port (eth0) as per below table and save.
S/N | Field | Value | Remarks |
---|---|---|---|
01 | Multi-WAN Group | 0 | Group Number to map during the MWAN firewall rule |
02 | Track Remote Host | 8.8.8.8 | This verifies the connectivity to the remote device. |
03 | Tracking Interval / Attempts | 5 | Checks the Connectivity to the ‘Track Remote Host‘ to every x interval value mentioned. |
04 | Link Metric | 1 | The Metric value determines the link as Primary or standby based on the value among the MWAN group. The low value represents as Primary compared to the other value in the group. |
Enabling Multi-WAN on ‘wwan0 (4G/5G-SIM1) / wwan1 (4G/5G-SIM1)5G-SIM2’ Interface.
User can enable the ‘Multi-wan’ section for the wwan0 (4G/5G-SIM1) / wwan1 (4G/5G-SIM1)5G-SIM2.
See link Setting Up Interface (Ethernet / VLAN / LTE)

Configure the Multi-WAN Group setting for wwan0 (4G/5G-SIM1) & wwan1 (4G/5G-SIM2) as per below and save.
S/N | Field | Value (wwan0) | Value (wwan1) | Remarks |
---|---|---|---|---|
01 | Multi-WAN Group | 0 | 0 | Group Number to map during the MWAN firewall rule |
02 | Track Remote Host | 8.8.8.8 | 8.8.8.8 | This verifies the connectivity to the remote device. |
03 | Tracking Interval / Attempts | 5 | 5 | Checks the Connectivity to the ‘Track Remote Host‘ to every x interval value mentioned. |
04 | Link Metric | 2 | 2 | The Metric value determines the link as Primary or standby based on the value among the MWAN group. The low value represents as Primary compared to the other value in the group. |
Configure Multi-WAN (mwan-rule) Rule for Multi-WAN (mwan-group) Group.
Configuring Mwan-Rule is mandatory, User can enable the ‘Multi-wan’ section for the wwan0 (4G/5G-SIM1) / wwan1 (4G/5G-SIM1)5G-SIM2.
See link
Step 5 – Configure Firewall Rules
- Allow users to securely access (SSH) the UA device .
- Permit all Outbound access to Internet, through eth0, Lte1, Lte2, wwan0 and wwan1 based on the Mwan group rule. (pre-defined rule)
- Hide / SNAT all LAN interface IPs from Internet. (pre-defined rule)
SSH To UA Device
Navigate to SDWAN Edge device by clicking on the MAC address of the relevant UA, and create a new Input rule See link Firewall-Input Rule.

User can configure the SSH Input rule as per below setting
S/N | Section | Field | Value | Remarks |
---|---|---|---|---|
01 | Firewall Input (Base) | Rule No | 9 | |
Action | Permit | |||
Direction | All | |||
02 | Firewall Inputs (Optional) | Protocol | TCP | |
Source IP/Subnet | 192.168.0.0/16 | |||
Destination Port | 22 | |||
Remarks | ‘Firewall Input Rule to Access the Device using SSH’ |
Permit All Outbound Access To Internet.
Outbound refers to connections going-out to a specific device through any specific ports (WAN or LTE), e.g. A Web Browser connecting to outside Web Server is an outbound connection. In this scenario the outbound traffic can pass through WAN or LTE based on the Multi-WAN configuration (Active/Standby or Active/Active)
The user can pre-configure the ‘Access rule’ to pass outbound traffic though WAN (eth0) as well LTE (SIM1/SIM2)
Navigate to SDWAN Edge device by clicking on the MAC address of the relevant UA, and create a new Access rule. See link Firewall – Access Rule

Use can configure the outbound Access rule as per below settings
S/N | Section | Field | Value | Remarks |
---|---|---|---|---|
01 | Firewall Access (Base) | Rule No | 10 | |
Action | Permit | |||
Direction | Outbound | |||
Outbound Interface | eth0 |
User can configure the rest of the Outbound Interface (LTE0, wwan0)
Hide/SNAT all LAN Interface IPs From Internet
Source Network Address Translation (SNAT) allows traffic from a private network to go out to the internet. The systems on a private network can get to the internet by going through a gateway capable of performing SNAT. it replaces the source IP of the originating packet with the public side IP.
The following configuration shows how all private network allows to reach the public domain through the SNAT gateway.
To enable SNAT for a UA, go to ‘MFUSION CLOUD > Orchestrator > SDWAN Edge > In the MAC address list of UA , click the UA for which SNAT should be enabled. Click the ‘Firewall’ tab and select the SNAT menu . See link Firewall – SNAT Rule

Use can configure the Outbound SNAT rule as per below settings
S/N | Section | Field | Value | Remarks |
---|---|---|---|---|
01 | Firewall SNAT (Base) | Rule No | 10 | |
Action | Overload | |||
Direction | Outbound | |||
Outbound Interface | eth0 |
User can configure the rest of the SNAT Outbound rule (LTE0, wwan0).
Forward Dynamic Ports to Internal Host (DNAT).
This is typically for providing access from Internet (External network) to internal hosts. mbox changes packet destination headers (address or port number) as it passes through mbox (typical inbound access).
To enable DNAT for a UA, go to ‘MFUSION CLOUD > Orchestrator > SDWAN Edge > In the MAC address list of UA, click the UA for which DNAT should be enabled. Click the ‘Firewall’ tab and select the DNAT menu. See link Firewall – DNA Rule

Use can configure the Outbound DNAT rule as per below settings
S/N | Section | Field | Value | Remarks |
---|---|---|---|---|
01 | Firewall DNAT (Base) | |||
Rule No | 20 | |||
Action | Translate | |||
Direction | All | |||
02 | Firewall DNAT (Options) | |||
Protocol | TCP | |||
Destination – Destination IP | 192.168.1.12 | |||
Destination Port | 8080 |
Step 9 – Configure UA with HSG Captive Portal
In this section, the user will learn to configure the UA as a Hotspot Controller to push the Captive portal for Guest SSID. The UA Hotspot controller will be configured with Cloud Hotspot Gateway (HSG) for Captive portal and Radius authentication only for
NOTE
‘IP host‘ (‘splash.ransnet.com’ map to Cloud HSG) has to be configured before proceeding to the below procedure. See link New IP Host
To configure Captive Portal for a UA, navigate to ‘HOTSPOT SETTING > Captive Portal’ from the Captive Portals tab.
See link Create and Edit Captive Portal
See link Portal Customization
See link General Tab
Configure the Hotspot Instance
To enable Hotspot instance for a UA, go to ‘MFUSION CLOUD > Orchestrator > SDWAN Edge > In the MAC address list of UA, click the UA for which Hotspot Instance should be enabled

Use can configure the Hotspot Instance as per below settings and save.
S/N | Section | Field | Value | Remarks |
---|---|---|---|---|
01 | Hotspot (Base) | |||
Hotspot LAN | vlan10 | |||
Hotspot Server / Ports | 192.168.10.1 / 1400, 1499 | |||
Client Network / Netmask | 192.168.10.0 / 255.255.255.0 | |||
Radius Server / Key | splash.ransnet.com / testing123 | |||
Hotspot Portal | Paste the Full URL of the created Captive portal | |||
Hotspot Instance (Optional) | ||||
Redirect / Success URL | http://www.ransnet.com | |||
Bypass / Whitelist By | Domain List : akamaihd.net facebook.com facebook.net fb.me fbcdn.net fbsbx.com | |||
User can test the Captive portal by select the ‘Guest SSID’ to see the captive portal.