Configure in-session ads streaming

mbox can integrate with external ads server to stream live/real-time ads to user devices without terminating their existing user sessions.

mbox connects to an external ads server (where ads is originated) and pushes the ads to user device via http injection (overlay on top of existing browser).

This feature is supported on all mbox models (CMG, HSG, HSA). However, do note that there's significant performance impact once the feature is turned on. A few notes on this feature:

  • Ads will only appear if users visit http based websites using standard browsers, either through PC or mobile devices.
  • The streamed ads appears as a full-screen flash which overlays on top of existing user browser (full screen). User has the option to close the flash or just wait for a few seconds for it to disappear automatically.
  • mbox uses its proxy-server to perform http injection to overlay the ads on top of users existing http sessions. existing user sessions are not terminated/impacted.
  • the frequency of ads streaming is controller by ads server, eg. every 15 mins per push, or 30 mins per push, etc etc.
  • each mbox will be pre-installed with a connector/injector which works with external ads server hosted by RansNet or RansNet partners.

This feature is utilizing mbox web proxy capability added with ads injection scripts. More details on mbox proxy-server can be found here.

Follow below configuration steps to enable this feature.

  • enable proxy-server service, and permit (proxy-access) client source network address
  • create in-session injection code from RansNet cloud ads server and add to CLI "ads-enable"
  • enable http redirection to force http traffic to mbox proxy service so that we can inject ads into these clients' browser


!security proxy-server!client networks that are allowed for browsing and will be streamed with ads proxy-access 18 permit src proxy-access 19 permit src!specify injection code URL ads-enable start!


  1. each time when we add/remove "proxy-access" rules, we must restart (stop then start) proxy server.
  2. customer or partner can subscribe to RansNet cloud ads platform to upload ads banner, schedule campaign, and generate the in-session ads script URL, and apply to HSG command "ads-enable<ads-script>


CMG/HSG is an integrated router & firewall. As long as traffic is passing through mbox (works as a gateway), it has the capability to stream ads.

  1. first we will configure firewall rules to redirect user http requests to mbox proxy service (which does ads injection)
  2. then we specify which client works are allowed for Internet access and will be stream for ads too. (default RFC1918 networks)
  3. please take note to exempt/bypass proxy for local traffic
!firewall-dnat 80 exempt all tcp dport 80 dst remark "bypass proxy for local web"firewall-dnat 81 exempt all tcp dport 80 dst remark "bypass proxy for local web" firewall-dnat 82 exempt all tcp dport 80 dst remark "bypass proxy for RansNet cloud" firewall-dnat 83 redirect all tcp dport 80 rdport 3128 src remark "enable proxy for vlan20"!

NOTE: there's no need to have firewall-input to permit tcp/3128 for hotspot users (it's auto permitted once users login)


HSA natively intercepts user traffic and seamlessly streams ads once it's enabled.

!security hotspot br_WSG ..... client-network ads-enable ..... start!

Checkout online video demo here.