SD-WAN with Wi-Fi Hotspot (cloudx design)
In this sample scenario, we build a demo setup in which an mbox HSA works with a cloud HSG for the captive portal while also functioning as an SD-WAN router.
Common use cases
CloudX design, where HSA is used as a mini-HSG, with an additional MAP or 3rd-party AP behind it to extend wireless coverage. (See details on CloudX design.)
"Wi-Fi on the go", where HSA acts as an all-in-one device with single/dual LTE backhaul to provide Wi-Fi in buses or trains. (See video demo "bus Wi-Fi".)
Hotspot over SD-WAN, where HSA provides wireless hotspot access on top of SD-WAN connectivity. (See details.)
In all of the above design scenarios, HSA functions as a mini-HSG, using the following key features:
router & firewall
dual-band Wi-Fi (802.11a/b/g/n/ac, wave 2)
hotspot controller to redirect user to external/HSG captive portal
dual-LTE slots (optional, for "Wi-Fi on the go")
SD-WAN capabilities (as an all-in-one retail solution)
We use the cloud HSG for:
hosting hotspot/captive portal (with CMS)
hotspot users database and authentication
analytics and reporting
Deployment preparation
1 x cloud HSG. Enable RADIUS and provision the captive portal for HSA to use.
The cloud HSG can be a physical appliance or a VM, hosted in the customer HQ or DC.
The HSG needs to be accessible by HSA (e.g. the HSG needs a public IP), with firewall ports open for TCP/80, TCP/443, UDP/1812, UDP/1813.
1 x HSA-500 per site (you can use the HSA built-in Wi-Fi, together with additional APs to extend wireless coverage).
Connect the HSA WAN port to the ISP modem/ONT, and insert dual SIM cards into the LTE slots (optional, for "Wi-Fi on the go").
Connect the management PC to HSA LAN4 port (configure the PC for DHCP, then connect to the mbox GUI at http://192.168.1.1/mbox and log in with root/Letmein99). Follow the steps below to restore the sample config.
2-Step deployment from sample config
Download the sample config for HSA4-hotspot-MWAN.
Follow this video guide to deploy HSA by restoring from the sample config.
After the configs are restored, make these two minimum changes:
On your HSG, add your HSA WAN IP as a RADIUS client with a RADIUS key, or you can set 0.0.0.0/0 to allow all if they have a correct key, e.g.
On your HSA CLI, change splash.ransnet.com to point to your HSG WAN IP, and also change the portal URL to match what is provisioned on the HSG.
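A deployment check for the RADIUS client step above, as an added example (not RansNet code and not part of the original guide): it builds an Access-Request per RFC 2865 with the Message-Authenticator of RFC 3579 and verifies the Response Authenticator of the reply, which only validates when the HSG and the sender hold the same key. The dummy user name and password and the environment variable names HSG_HOST and RADIUS_KEY are assumptions for the example; run it from a host whose traffic reaches the HSG from the HSA WAN IP.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(user, password, secret, ident=1, authenticator=None):
    """Access-Request with User-Name, User-Password and Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    attrs += bytes([80, 18]) + b"\x00" * 16  # Message-Authenticator, zeroed while signing
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac, authenticator

def reply_is_authentic(reply, request_authenticator, secret):
    """Response Authenticator = MD5(code, id, length, request authenticator, attributes, secret)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(host, secret, port=1812, timeout=3.0):
    """Send one request for a dummy user and classify the outcome."""
    request, auth = build_access_request(b"deploy-check", b"not-a-real-password", secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: UDP/1812 blocked, source IP not a RADIUS client, or key rejected"
    if not reply_is_authentic(reply, auth, secret):
        return "reply does not verify under this key: RADIUS key mismatch"
    return "key verified, reply code %d (3 = Access-Reject, expected for the dummy user)" % reply[0]

if __name__ == "__main__":
    # Hypothetical variable names: HSG_HOST is the HSG WAN IP, RADIUS_KEY the key set for this HSA.
    host, key = os.environ.get("HSG_HOST"), os.environ.get("RADIUS_KEY")
    if host and key:
        print(probe(host, key.encode()))
```

With a 0.0.0.0/0 client entry the HSG answers requests from any source address, so the RADIUS key is the only thing that distinguishes an HSA from any other sender.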
Sample config default settings
The WAN port is pre-configured to get a DHCP IP from the ISP ONT/modem (or upstream router). If you need to change the interface IP/route, please follow this guide.
The WAN port is the primary link.
LTE SIMs are backup to WAN (active/active when WAN fails).
HSA is pre-configured with vlan10, and LAN ports 1-3 are assigned to vlan10 (see details on how to configure HSA VLAN). NOTE: we don't need to assign any IP address to interface br-vlan10 (unmanaged), because the hotspot-server command automatically creates a tunnel IP and attaches it to br-vlan10.
HSA also has Wi-Fi enabled, using SSID "mbox_wifi", and the SSID is assigned to vlan10 (configure HSA wireless setting).
(Optionally) To extend wireless coverage, connect a MAP (or 3rd-party AP) to LAN port 1-3, and broadcast SSID "mbox_wifi".
Simply bridge the mbox_wifi SSID to vlan1 on the AP (it will fall into vlan10 on HSA).
Refer to the vendor documentation on configuring wireless, or for MAP wireless config, please refer to MAP lab2.
NOTE for older/used box
Upgrade your HSA box to firmware version 20190715-0030 or above (follow this guide to upgrade firmware).