mbox HotSpot Gateway (HSG) is mostly deployed in "gateway deployment" (as a layer 3 device), like a router or firewall, with LAN and WAN in different network segments. Typically, in an on-premise deployment, HSG runs as an all-in-one gateway, doing routing, firewall and hotspot access control. Within each hotspot instance, the HSG LAN interface IP is the users' default gateway IP.
In certain scenarios, HSG has to be inserted into an existing network that already has a firewall/router/DHCP server, so the users' default gateway points to the existing router/firewall LAN interface. Running HSG in gateway deployment there requires adding a transit network between the HSG WAN and the existing firewall LAN, which is a big change to the existing setup.
If customers prefer to add HSG seamlessly, without changing the existing network setup, IP addressing and so on, HSG can be configured to operate in "transparent" deployment, so that it remains invisible to existing users and the firewall, as if it were part of the switched/bridged network.
The diagram below illustrates the topology for this scenario. In this transparent deployment topology,
The firewall LAN, HSG and users are in the same network.
HSG appears as a bridge and does not divide LAN and WAN into two different networks.
The firewall is the DHCP server, and its LAN interface IP address is the users' default gateway.
Things to note when HSG runs in transparent deployment:
Only one hotspot instance is supported per HSG. For each instance, the LAN and WAN interfaces can be either physical interfaces (e.g. eth0, eth1) or vlan/bridge interfaces (e.g. vlan10, vlan20, br0..), or a combination of any interface types.
Only one IP address can be configured per HSG, on the hotspot LAN interface only. This IP must be a unique/available address belonging to the user network, and it must be excluded from the upstream DHCP server address pool. No other IP addresses should be configured, not even on the loopback interface.
Enable "proxy-arp" on both the hotspot LAN and WAN interfaces, so that HSG will receive and intercept client requests and replies.
In the hotspot instance setting, configure the dhcp helper/relay to point to the existing DHCP server (Firewall LAN). "client-static" needs to be configured so that HSG can recognize IP addresses assigned by the external DHCP server.
It is assumed, by default, that the DHCP server is also the client default gateway.
There is no need to configure a default route. HSG will use the upstream router/firewall/DHCP server IP as the default gateway once the hotspot is started.
Either a local or an external portal/AAA is supported. If you use the local portal/AAA, configure DNS rewrite to point splash.ransnet.com to the IP of the hotspot LAN interface (which is used as the hotspot server IP once the hotspot service is started).
Start hotspot service in transparent deployment ("start transparent").
All other features are the same as gateway deployment.
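The notes above can be checked against a saved configuration before the hotspot is started. The Python sketch below is an added example, not RansNet code: it assumes the configuration is text with one stanza per unindented line and indented sub-commands, and that "interface vlan 1 10" is the interface other stanzas call "vlan10"; parse and check_transparent are hypothetical helper names.

```python
import ipaddress

# Constructed sample, using the commands from the configuration example on this page.
SAMPLE = """\
interface eth0
 proxy-arp
!
interface vlan 1 10
 proxy-arp
 ip address 192.168.50.2/24
!
security hotspot vlan10
 hotspot-wan eth0
 client-dhcp-helper 192.168.50.1
 client-static 192.168.50.0 255.255.255.0
 start transparent
"""

def parse(text):  # unindented line = stanza header, indented line = sub-command
    stanzas, head = {}, None
    for raw in filter(str.strip, text.splitlines()):
        if raw[0].isspace() and head:
            stanzas[head].append(raw.strip())
        elif raw.strip() != "!":
            stanzas[(head := raw.strip())] = []
    return stanzas

def check_transparent(text):  # returns a list of violations; empty means none found
    st = parse(text)
    # Assumption: "interface vlan 1 10" is the interface other stanzas call "vlan10".
    ifs = {("vlan" if " vlan " in h else "") + h.split()[-1]: b
           for h, b in st.items() if h.startswith("interface ")}
    hs = [(h.split()[2], b) for h, b in st.items() if h.startswith("security hotspot ")]
    if len(hs) != 1:
        return ["exactly one hotspot instance is supported"]
    lan, opts = hs[0][0], {l.split()[0]: l.split()[1:] for l in hs[0][1]}
    wan = (opts.get("hotspot-wan") or [None])[0]
    addressed = [n for n, b in ifs.items() if any(l.startswith("ip address") for l in b)]
    problems = [f"proxy-arp missing on {n}" for n in (lan, wan) if "proxy-arp" not in ifs.get(n, [])]
    if addressed != [lan]:
        problems.append(f"IP address must be on {lan} only, found on {addressed}")
    if opts.get("start") != ["transparent"]:
        problems.append("hotspot not started with 'start transparent'")
    helper, static = opts.get("client-dhcp-helper"), opts.get("client-static")
    if not helper or not static:
        problems.append("client-dhcp-helper and client-static are both required")
    elif ipaddress.ip_address(helper[0]) not in ipaddress.ip_network("/".join(static)):
        problems.append("DHCP helper is outside the client-static network")
    return problems
```

An empty list from check_transparent means none of the checked notes is violated; the remaining notes (DHCP pool exclusion, DNS rewrite) are not covered by this sketch.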
CONFIGURATION EXAMPLE
---------------------------------------------------
!
hostname mbox
!
interface eth0
 description "Connection to WAN"
 enable
 proxy-arp
!
interface eth1
 description "Connection to LAN"
 enable
!
interface eth2
!
interface eth3
!
interface vlan 1 10
 description "hotspot VLAN"
 enable
 proxy-arp
 ip address 192.168.50.2/24
!
interface loopback
 enable
!
ip name-server 8.8.8.8 8.8.4.4
ip host mail 127.0.0.1
ip host mysqldb 127.0.0.1
ip host splash.ransnet.com 192.168.50.129 rewrite
!
ip ntp-server 203.211.159.1 62.201.225.9
!
security radius-server
 client 127.0.0.1
  key testing123
  name LOCALHOST
 start
!
security hotspot vlan10
 hotspot-wan eth0
 client-dhcp-helper 192.168.50.1
 client-static 192.168.50.0 255.255.255.0
 bypass-domain list
  dn akamaihd.net
  dn facebook.com
  dn facebook.net
  dn fbcdn.net
  dn y5zone.sg
 radius-server localhost testing123
 hotspot-portal https://splash.ransnet.com/pid/demo/login.php
 start transparent
!
---------------------------------------------------
VERIFICATION COMMANDS
Attached is a sample config with multiple vlans:
- vlan4062 and vlan62 are for AP management purposes, so that AP gets DHCP IP from a different address pool and separated from user data
- vlan4063 and vlan63 are hotspot WANIF and LANIF
- we used external RADIUS and CP in this sample config