SD-WAN with Wi-Fi Hotspot (cloudx design)

In this sample senario, we will build a demo setup for mbox HSA working with cloud HSG for captive portal, while functioning as a SD-WAN router.

Common use cases

  1. CloudX design, where HSA is used as mini-HSG, with additional MAP or 3rd-party AP behind it to extend wireless coverage. (see details on cloudx design)
  2. "Wi-Fi on the go", where HSA acts as an all-in-one device with single/dual LTE backhaul to provide Wi-Fi in buses or trains. (See video demo "bus Wi-Fi")
  3. hotspot over SD-WAN, where HSA provides wireless hotspot access, on top SD-WAN connectivity. (see details)

In all of above design scenario, HSA will function as a mini-HSG utilizing below key features

  1. router & firewall
  2. dual-band Wi-Fi (802.11a/b/g/n/ac, wave 2)
  3. hotspot controller to redirect user to external/HSG captive portal
  4. dual-LTE slots (optional, for "Wi-Fi on the go")
  5. SD-WAN capabilities (as an all-in-one retail solution)

and we use cloud HSG for:

  1. hosting hotspot/captive portal (with CMS)
  2. hotspot users database and authentication
  3. analytics and reporting

Deployment preparation

  • 1 x cloud HSG. Enable RADIUS and provision captive portal for HSA to use.
    • Cloud HSG can be physical appliance or VM, hosted in customer HQ or DC.
    • HSG needs to be accessible by HSA (eg. HSG needs public IP), with firewall ports open for TCP/80, TCP/443, UDP/1812, UDP/1813
  • 1 x HSA-500 per site (can make use of HSA built-in Wi-Fi, together with additional AP for wireless coverage extension)
    • Connect HSA WAN port to ISP modem/ONT, and slot in dual SIM card into the LTE slots (optional, for "Wi-Fi on the go") .
  • Connect management PC to HSA LAN4 port (configure PC with DHCP, then connect to mbox GUI using, login with root/Letmein99). Follow below steps to restore sample config.

2-Step deployment from sample config

  1. download sample config for HSA4-hotspot-MWAN
  2. follow this video guide to deploy HSA by restoring from sample config

After configs are restored, please make two minimum changes:

  • On your HSG, please add your HSA WAN IP as radius client with a redius key, or you can set to allow all if they have a correct key, eg.
!security radius-server client key testing123 name Allow-HSA start!
  • On your HSA CLI, change to point to your HSG WAN IP, and also change the portal URL to map to what's provisioned on HSG.
!ip host rewrite <--change to your own HSG WAN IP!security hotspot br-vlan10 ...... hotspot-portal <--change /pid/tcc to your own portal name radius-server testing123 start!

Sample config default settings

  • the WAN port is pre-configured to get dhcp IP from ISP ONT/modem (or upstream router). If you need to change interface IP/route, please follow this guide.
  • WAN port is the primary
  • LTE SIMs are backup to WAN (active/active while WAN fails)
  • HSA is pre-configured with vlan10, and LAN ports 1-3 are assigned to vlan10. (see details on how to configure HSA VLAN). NOTE: we don't need to assign any IP address to interface br-vlan10 (unmanaged), because the hotspot-server command will auto create tunnel IP and attach to br-vlan10.
    • HSA is also enabled with Wi-Fi, using SSID "mbox_wifi", and the SSID is assigned to vlan10 (configure HSA wireless setting).
    • (optionally) To extend Wireless coverage, connect MAP (or 3rd-party AP) to LAN port 1-3, and broadcast SSID "mbox_wifi".
      • simply bridge mbox_wifi SSID to vlan1 on AP (it will fall into vlan10 on HSA).
      • Refer to vendor documentation on configuring wireless, or for MAP wireless config, please refer to MAP lab2.

NOTE for older/used box

    1. upgrade your HSA box to firmware version 20190715-0030, and above (follow this guide to upgrade firmware)