Transparent mode deployment

mbox HotSpot Gateway (HSG) is usually deployed in "gateway deployment", i.e. as a layer 3 device such as a router or firewall, with LAN and WAN in different network segments. In a typical on-premises deployment HSG runs as an all-in-one gateway doing routing, firewalling and hotspot access control, and within each hotspot instance the HSG LAN interface IP is the users' default gateway.

In some scenarios HSG has to be inserted into an existing network that already has a firewall/router and DHCP server, so the users' default gateway already points to the existing router/firewall LAN interface. Running HSG in gateway deployment there would require adding a transit network between the HSG WAN and the existing firewall LAN, a big change to the existing setup.

If the customer wants the addition of HSG to be seamless, without changing the existing network setup and IP addressing, HSG can be configured to operate in "transparent" deployment, so that it stays invisible to the existing users and firewall, as if it were part of the switched/bridged network.

The diagram below illustrates this scenario. In the transparent deployment topology,

  1. the firewall LAN, HSG and users are all in the same network.
  2. HSG appears as a bridge and does not divide LAN and WAN into two different networks.
  3. the firewall is the DHCP server and its LAN interface IP address is the users' default gateway.

Things to take note of when HSG runs in transparent deployment:

  1. Only one hotspot instance is supported per HSG. Its LAN and WAN interfaces can be physical interfaces (eg. eth0, eth1), vlan/bridge interfaces (eg. vlan10, vlan20, br0), or any combination of interface types.
  2. Only one IP address can be configured per HSG, on the hotspot LAN interface only. This IP must be a unique, available address in the user network and must be excluded from the upstream DHCP server's address pool. No other IP addresses should be configured, not even on the loopback interface.
  3. Enable "proxy-arp" on both the hotspot LAN and WAN interfaces. HSG then answers ARP requests on behalf of the hosts on each side, so client requests and the replies to them are delivered to HSG and can be intercepted even though HSG is nobody's configured gateway. This is intended behaviour, but it means HSG sits in the path of all traffic on the segment, so keep the proxy-arp interfaces limited to the hotspot LAN and WAN.
  4. In the hotspot instance settings, configure the dhcp helper/relay to point at the existing DHCP server (firewall LAN IP). "client-static" must also be configured so that HSG recognizes IP addresses assigned by the external DHCP server.
  5. By default it is assumed that the DHCP server is also the clients' default gateway.
  6. No default route needs to be configured. HSG uses the upstream router/firewall/DHCP server IP as its default gateway once the hotspot is started.
  7. Either local or external portal/AAA can be used. With local portal/AAA, configure a DNS rewrite pointing splash.ransnet.com to the IP of the hotspot LAN interface (which is used as the hotspot server IP once the hotspot service is started). After starting, confirm the rewrite target matches the Server IP column of "show security hotspot".
  8. Start the hotspot service in transparent deployment ("start transparent").
  9. All other features are the same as in gateway deployment.

CONFIGURATION EXAMPLE

---------------------------------------------------

!
hostname mbox
!
interface eth0
 description "Connection to WAN"
 enable
 proxy-arp
!
interface eth1
 description "Connection to LAN"
 enable
!
interface eth2
!
interface eth3
!
interface vlan 1 10
 description "hotspot VLAN"
 enable
 proxy-arp
 ip address 192.168.50.2/24
!
interface loopback
 enable
!
ip name-server 8.8.8.8 8.8.4.4
ip host mail 127.0.0.1
ip host mysqldb 127.0.0.1
ip host splash.ransnet.com 192.168.50.129 rewrite
!
ip ntp-server 203.211.159.1 62.201.225.9
!
security radius-server
 client 127.0.0.1 key testing123 name LOCALHOST
 start
!
security hotspot vlan10
 hotspot-wan eth0
 client-dhcp-helper 192.168.50.1
 client-static 192.168.50.0 255.255.255.0
 bypass-domain list dn akamaihd.net dn facebook.com dn facebook.net dn fbcdn.net dn y5zone.sg
 radius-server localhost testing123
 hotspot-portal https://splash.ransnet.com/pid/demo/login.php
 start transparent
!

---------------------------------------------------
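As an added example (not part of the original page and not ransnet tooling), the following Python script parses the configuration example above and checks it against notes 1 to 4, 7 and 8 of the transparent-deployment list, plus the RADIUS shared secret. It assumes the stanza layout shown above (sub-commands indented, stanzas closed by "!") and that "interface vlan 1 10" defines the interface the hotspot stanza calls "vlan10"; the embedded config is a trimmed copy of the page's example. On that sample it reports two findings: the DNS rewrite target (192.168.50.129) is not the configured LAN address (192.168.50.2), which should be confirmed against the Server IP shown by "show security hotspot", and the shared secret testing123, which is the FreeRADIUS sample secret and must be replaced before go-live.

```python
"""Lint an mbox HSG configuration against the transparent-deployment notes.
Added example, not ransnet's own tooling. Assumed beyond the page: sub-commands
are indented one space, stanzas end at '!', and 'interface vlan 1 10' defines
the interface that the hotspot stanza calls 'vlan10'."""
import ipaddress
import re

# FreeRADIUS ships 'testing123' as its sample client secret; the page's example
# uses it, so it is flagged as a must-change before go-live.
DEFAULT_RADIUS_SECRET = "testing123"

# Trimmed copy of the configuration example on this page.
SAMPLE_CONFIG = """\
interface eth0
 enable
 proxy-arp
!
interface vlan 1 10
 enable
 proxy-arp
 ip address 192.168.50.2/24
!
interface loopback
 enable
!
ip host splash.ransnet.com 192.168.50.129 rewrite
!
security radius-server
 client 127.0.0.1 key testing123 name LOCALHOST
 start
!
security hotspot vlan10
 hotspot-wan eth0
 client-dhcp-helper 192.168.50.1
 client-static 192.168.50.0 255.255.255.0
 radius-server localhost testing123
 start transparent
!
"""

def parse(text):
    """Return {top-level command: [indented sub-commands]} in file order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # blank or '!' closes the stanza
            current = None
        elif raw[0] != " ":                   # unindented: new stanza header
            current = line
            stanzas.setdefault(current, [])
        elif current is not None:             # indented: sub-command
            stanzas[current].append(line.strip())
    return stanzas

def iface_name(header):
    """'interface eth0' -> 'eth0'; 'interface vlan 1 10' -> 'vlan10' (assumed)."""
    parts = header.split()[1:]
    return "vlan" + parts[-1] if parts[0] == "vlan" else parts[0]

def first_arg(lines, keyword):
    toks = [l.split() for l in lines if l.split()[:1] == [keyword]]
    return toks[0][1] if toks and len(toks[0]) > 1 else None

def lint_transparent(text):
    """Return [(rule, message)] violations of the transparent-deployment notes."""
    st, out = parse(text), []
    ifaces = {iface_name(h): b for h, b in st.items() if h.startswith("interface ")}
    hotspots = [h for h in st if h.startswith("security hotspot ")]
    if len(hotspots) != 1:                                          # note 1
        return [("ONE-INSTANCE", f"expected one hotspot instance, found {len(hotspots)}")]
    hs, lan = st[hotspots[0]], hotspots[0].split()[2]
    wan = first_arg(hs, "hotspot-wan")
    addrs = {}                                                      # note 2
    for name, body in ifaces.items():
        for line in body:
            m = re.match(r"ip address (\S+)$", line)
            if m:
                addrs[name] = ipaddress.ip_interface(m.group(1))
    if len(addrs) != 1 or lan not in addrs:
        out.append(("ONE-IP", f"need exactly one address, on {lan}; found on {sorted(addrs)}"))
    for name in (lan, wan):                                         # note 3
        if "proxy-arp" not in ifaces.get(name, []):
            out.append(("PROXY-ARP", f"proxy-arp not enabled on {name}"))
    helper = first_arg(hs, "client-dhcp-helper")                   # note 4
    static = next((l.split() for l in hs if l.startswith("client-static ")), None)
    if helper is None:
        out.append(("DHCP-HELPER", "client-dhcp-helper (upstream DHCP server) not set"))
    if static is None or len(static) < 3:
        out.append(("CLIENT-STATIC", "client-static <network> <mask> not set"))
    else:
        net = ipaddress.ip_network(f"{static[1]}/{static[2]}", strict=False)
        if lan in addrs and addrs[lan].ip not in net:
            out.append(("CLIENT-STATIC", f"LAN address {addrs[lan].ip} is outside {net}"))
    for h in st:                                                    # note 7
        m = re.match(r"ip host (\S+) (\S+) rewrite$", h)
        if m and lan in addrs and ipaddress.ip_address(m.group(2)) != addrs[lan].ip:
            out.append(("DNS-REWRITE", f"{m.group(1)} rewrites to {m.group(2)}, not LAN "
                        f"{addrs[lan].ip}; confirm against Server IP in 'show security hotspot'"))
    if "start transparent" not in hs:                               # note 8
        out.append(("START-TRANSPARENT", "hotspot is not started with 'start transparent'"))
    if any(DEFAULT_RADIUS_SECRET in l.split() for b in st.values() for l in b):
        out.append(("RADIUS-SECRET", f"default shared secret '{DEFAULT_RADIUS_SECRET}' in use"))
    return out
```

Run lint_transparent() on a full "show running-config" dump before "start transparent"; an empty list means the notes above are satisfied, and each (rule, message) pair names the note that is violated.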

VERIFICATION COMMANDS


mbox# show ip interface brief
Interface    IP_Address       NetMask          Broadcast    MAC_Address
--------------------------------------------------------------------------------
eth0         NON-IP           NON-IP           NON-IP       00:60:E0:64:63:B3
eth1         NON-IP           NON-IP           NON-IP       00:60:E0:64:63:B4
lo           127.0.0.1        255.0.0.0        0.0.0.0      00:00:00:00:00:00
tun0         192.168.50.129   255.255.255.0    0.0.0.0      00:00:00:00:00:00
vlan10       NON-IP           NON-IP           NON-IP       00:60:E0:64:63:B4

mbox# show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - IS-IS, B - BGP, A - Babel,
       > - selected route, * - FIB route

K * 0.0.0.0/0 via 192.168.50.1, eth0 inactive
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.50.0/24 is directly connected, tun0
K>* 192.168.50.1/32 is directly connected, eth0

mbox# show security hotspot
Authentication service: running
---------------------------------
HotSpot service: running
---------------------------------
LAN      TUN    Server IP        Client-Net                   Client-DHCP   DHCP Issued   Clients
-------------------------------------------------------------------------------------------------------------
vlan10   tun0   192.168.50.129   192.168.50.0/255.255.255.0   /             2             2

mbox# show security hotspot clients
Client-MAC          Client-IP        Username   %/MaxUp   %/MaxDown   Idle/Max   Duration/Max
------[vlan10 ]--------------------------------------------------------------------------------------------------
00-60-E0-64-63-B4   0.0.0.0          -          0/0       0/0         0/0        0/0
30-07-4D-53-70-C6   192.168.50.252   demouser   0%/0      0%/0        1/0        61/0
18-5E-0F-70-E2-02   192.168.50.97    demouser   0%/0      0%/0        0/0        89/0

mbox# show security radius-log
Sat Jul 1 22:23:19 2017 : Info: rlm_sql_mysql: Starting connect to MySQL server for #23
Sat Jul 1 22:23:19 2017 : Info: rlm_sql (sql): Connected new DB handle, #23
Sat Jul 1 22:23:19 2017 : Info: rlm_sql (sql): Attempting to connect rlm_sql_mysql #24
Sat Jul 1 22:23:19 2017 : Info: rlm_sql_mysql: Starting connect to MySQL server for #24
Sat Jul 1 22:23:19 2017 : Info: rlm_sql (sql): Connected new DB handle, #24
Sat Jul 1 22:23:19 2017 : Info: Loaded virtual server <default>
Sat Jul 1 22:23:19 2017 : Info: Loaded virtual server inner-tunnel
Sat Jul 1 22:23:19 2017 : Info: Ready to process requests.
Sat Jul 1 22:24:27 2017 : Auth: Login OK: [demouser] (from client LOCALHOST port 1 cli 18-5E-0F-70-E2-02)
Sat Jul 1 22:24:56 2017 : Auth: Login OK: [demouser] (from client LOCALHOST port 2 cli 30-07-4D-53-70-C6)

A sample config with multiple VLANs is attached:

- vlan4062 and vlan62 are for AP management, so that the APs get DHCP addresses from a different pool, separated from user data.
- vlan4063 and vlan63 are the hotspot WAN and LAN interfaces.
- This sample config uses an external RADIUS server and captive portal (CP).