In this sample senario, we will build a demo setup for mbox HSA working with cloud HSG for captive portal, while functioning as a SD-WAN router.
Common use cases
- CloudX design, where HSA is used as mini-HSG, with additional MAP or 3rd-party AP behind it to extend wireless coverage. (see details on cloudx design)
- “Wi-Fi on the go”, where HSA acts as an all-in-one device with single/dual LTE backhaul to provide Wi-Fi in buses or trains. (See video demo “bus Wi-Fi”)
- hotspot over SD-WAN, where HSA provides wireless hotspot access, on top SD-WAN connectivity. (see details)
In all of above design scenario, HSA will function as a mini-HSG utilizing below key features
- router & firewall
- dual-band Wi-Fi (802.11a/b/g/n/ac, wave 2)
- hotspot controller to redirect user to external/HSG captive portal
- dual-LTE slots (optional, for “Wi-Fi on the go”)
- SD-WAN capabilities (as an all-in-one retail solution)
and we use cloud HSG for:
- hosting hotspot/captive portal (with CMS)
- hotspot users database and authentication
- analytics and reporting
- 1 x cloud HSG. Enable RADIUS and provision captive portal for HSA to use.
- Cloud HSG can be physical appliance or VM, hosted in customer HQ or DC.
- HSG needs to be accessible by HSA (eg. HSG needs public IP), with firewall ports open for TCP/80, TCP/443, UDP/1812, UDP/1813
- 1 x HSA-500 per site (can make use of HSA built-in Wi-Fi, together with additional AP for wireless coverage extension)
- Connect HSA WAN port to ISP modem/ONT, and slot in dual SIM card into the LTE slots (optional, for “Wi-Fi on the go”) .
- Connect management PC to HSA LAN4 port (configure PC with DHCP, then connect to mbox GUI using http://192.168.1.1/mbox, login with root/Letmein99). Follow below steps to restore sample config.
2-Step deployment from sample config
- download sample config for HSA4-hotspot-MWAN
- follow this video guide to deploy HSA by restoring from sample config
After configs are restored, please make two minimum changes:
- On your HSG, please add your HSA WAN IP as radius client with a redius key, or you can set 0.0.0.0/0 to allow all if they have a correct key, eg.
!security radius-server client 0.0.0.0/0 key testing123 name Allow-HSA start!
- On your HSA CLI, change splash.ransnet.com to point to your HSG WAN IP, and also change the portal URL to map to what’s provisioned on HSG.
!ip host splash.ransnet.com 220.127.116.11 rewrite <–change 18.104.22.168 to your own HSG WAN IP!security hotspot br-vlan10 …… hotspot-portal http://splash.ransnet.com/pid/tcc/login.php <–change /pid/tcc to your own portal name radius-server splash.ransnet.com testing123 start!
Sample config default settings
- the WAN port is pre-configured to get dhcp IP from ISP ONT/modem (or upstream router). If you need to change interface IP/route, please follow this guide.
- WAN port is the primary
- LTE SIMs are backup to WAN (active/active while WAN fails)
- HSA is pre-configured with vlan10, and LAN ports 1-3 are assigned to vlan10. (see details on how to configure HSA VLAN). NOTE: we don’t need to assign any IP address to interface br-vlan10 (unmanaged), because the hotspot-server command will auto create tunnel IP and attach to br-vlan10.
- HSA is also enabled with Wi-Fi, using SSID “mbox_wifi“, and the SSID is assigned to vlan10 (configure HSA wireless setting).
- (optionally) To extend Wireless coverage, connect MAP (or 3rd-party AP) to LAN port 1-3, and broadcast SSID “mbox_wifi”.
- simply bridge mbox_wifi SSID to vlan1 on AP (it will fall into vlan10 on HSA).
- Refer to vendor documentation on configuring wireless, or for MAP wireless config, please refer to MAP lab2.
NOTE for older/used box