Cloud MACC and MAP

1. Solution overview

RansNet offers complete end-to-end Wi-Fi hotspot solutions, either cloud-based or on-premises. They consist of the following major components:

  • RansNet mfusion platform

  • RansNet HotSpot Gateway (HSG)

  • RansNet mbox Access Point (MAP)

RansNet mfusion platform is a multi-tenant cloud-based service platform to monitor and manage all RansNet on-premise hardware devices (CMG, HSG, HSA, MAP). It provides:

  • Deployment provisioning and configuration management (SD-WAN orchestration)

  • Remote monitoring, alerting and reporting

  • Cloud central captive portal and AAA/authentication

  • Cloud advertisement banner management and scheduling

  • Cloud WLAN controller for MAP (MACC)

RansNet HotSpot Gateway (HSG) functions as an all-in-one gateway to provide all required hotspot functions at gateway level:

  • Router, stateful firewall, link balancer

  • RADIUS/AAA authentication server (local RADIUS, or can proxy to external central RADIUS/AD)

  • Captive portal server (local CMS, or can redirect to external central portal)

  • Built-in wireless LAN Controller (optional, can use cloud WLAN controller)

NOTE: for small venues, when using a cloud portal and RADIUS, HotSpot Access (HSA) can be used instead of HSG.

mbox Access Points (MAP) are Wi-Fi Alliance certified 802.11a/b/g/n/ac/ax access points. They can be managed using a cloud controller or the on-premise controller built into the HSG.

  • Dual-radio, dual-band, supporting 2x2 spatial streams and the latest OFDMA, MU-MIMO, and BSS technology.

  • Enterprise-grade hardware. High performance and reliable. All models support PoE LAN switches.

  • Wi-Fi Alliance certified. Supports all standard WFA security modes: EAP, WPA, WPA2/3, WPA2/3-dot1x.

  • Supports advanced wireless security, such as client isolation, rogue AP detection, wireless intrusion detection, per-device rate limiting, etc.

  • Supports up to 1024 devices (for MAP-820) and 16 SSIDs per AP. Each SSID can be configured either in bridge mode (mapped to a VLAN) or NAT mode (functioning as a router). This flexibility makes MAP ideal for both large WLAN networks (bridge) and small F&B outlets (NAT).

Common use cases

  • Enterprise offices

  • Hotels, shopping malls, retail and F&B outlets

  • Tourism places, airports, stadiums, etc.

2. Deployment guide

2.1 Physical installations

Based on the above topology, the following key activities are needed:

  • Physical installations. Cabling, AP mounting, switch and cable patching, etc.

  • HSG Gateway Configuration

  • PoE Switch Configuration. Add all VLANs on a switch, configure all switch-ports to be in trunk mode, and permit all VLANs for each port (default)

  • AP/MACC Configuration. Configure the AP to broadcast the desired SSIDs and map each SSID to its respective target VLAN

Physical Installation steps:

  • Connect HSG eth0 (WAN) to the Internet (ISP link ONT or modem).
    NOTE: If you're using 10G ports for LAN and WAN, the port numbers are different; please consult the vendor.

  • Connect HSG eth1 (LAN) to the LAN switch (make sure the connected switch port is in trunk mode)

  • Connect HSG eth2 to management PC (configure PC with DHCP, then connect to mbox GUI using http://10.10.10.1, login with default password)

  • HSG eth3 is reserved for private LAN. It's pre-configured to issue DHCP IP.

  • Connect MAP to LAN PoE switch, according to your design. For large networks, you may have a core fiber switch (core switch) to connect all distribution/access PoE switches. Each PoE switch will uplink to core switch over fiber (SM or MM mode, depending on the distance).

  • For a Private Cloud MACC/mfusion deployment, RansNet should give you a <partnerid>. Ask RansNet to map the .ransnet.com subdomain DNS name (partnerid.ransnet.com) to your actual <your-macc-ip> address, so that you can manage all your deployments from https://partnerid.ransnet.com

2.2 Configure HotSpot Gateway (HSG)

2.2.1 Bootstrap HSG/HSA/MAP

Please follow this guide to bootstrap HSG/HSA and MAP

2.2.2 Configure Network Interfaces and DHCP Settings

Assuming the WAN/ISP side is using DHCP, there is no need to configure the default gateway and name-server settings as these will be pushed down from the ISP side over DHCP.

!
hostname mbox
!
interface eth0
 description "connection to WAN/Internet"
 enable
 ip address dhcp
!
interface eth1
 description "AP management network."
 enable
 ip address 192.168.8.1/22
 dhcp-server
  dns 8.8.8.8 8.8.4.4
  router 192.168.8.1
  range 192.168.8.100 192.168.11.254
  enable
!
interface vlan 1 90
 description "VLAN-90 for Wireless@xx SSID, with captive portal"
 enable
!
interface vlan 1 91
 description "VLAN-91 for Wireless@xxx SSID, using WPA2/EAP"
 enable
 ip address 172.16.4.1/22
 dhcp-server
  dns 8.8.8.8 8.8.4.4
  router 172.16.4.1
  range 172.16.4.10 172.16.7.254
  enable
!
interface vlan 1 92
 description "(optional) VLAN-92 customer private SSID using WPA2-PSK"
 enable
 ip address 172.16.8.1/22
 dhcp-server
  dns 8.8.8.8 8.8.4.4
  router 172.16.8.1
  range 172.16.8.10 172.16.11.254
  enable
!

If the WAN is using a static IP, we need to configure the static IP under eth0 and add the default gateway and name-server. Below is a snippet of the changes required (replace the public IP with your actual IP addresses).

!
interface eth0
 description "connection to WAN/Internet"
 enable
 ip address 203.127.9.2/30
!
ip route 0.0.0.0/0 nexthop 203.127.9.1
!
ip name-server 8.8.8.8 8.8.4.4
!
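
A consistency check for the interface and DHCP settings above, as an added example that is not RansNet code. It assumes the configuration is available as text with one command per line; the sample stanzas are constructed, with a deliberately wrong range on vlan 91.

```python
import ipaddress

# Constructed sample (one command per line); the vlan 91 range is deliberately wrong.
SAMPLE = """\
interface eth1
 ip address 192.168.8.1/22
 dhcp-server
  router 192.168.8.1
  range 192.168.8.100 192.168.11.254
!
interface vlan 1 91
 ip address 172.16.4.1/22
 dhcp-server
  router 172.16.4.1
  range 172.16.4.10 172.16.8.254
"""

def parse_interfaces(text):
    """Map interface name -> {'ip', 'router', 'range'} as ipaddress objects."""
    out, cur = {}, None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            cur = None                      # "!" closes the current stanza
        elif w[0] == "interface":
            cur = out.setdefault(" ".join(w[1:]), {})
        elif cur is None:
            continue
        elif w[:2] == ["ip", "address"] and len(w) == 3 and w[2] != "dhcp":
            cur["ip"] = ipaddress.ip_interface(w[2])
        elif w[0] == "router" and len(w) == 2:
            cur["router"] = ipaddress.ip_address(w[1])
        elif w[0] == "range" and len(w) == 3:
            cur["range"] = (ipaddress.ip_address(w[1]), ipaddress.ip_address(w[2]))
    return out

def audit(text):
    """Return findings where DHCP settings do not fit the interface subnet."""
    findings = []
    for name, cfg in parse_interfaces(text).items():
        if "ip" not in cfg:
            continue                        # DHCP client or hotspot-managed VLAN
        net = cfg["ip"].network
        if cfg.get("router", cfg["ip"].ip) != cfg["ip"].ip:
            findings.append(f"{name}: DHCP router {cfg['router']} is not the interface IP")
        for addr in cfg.get("range", ()):
            if addr not in net:
                findings.append(f"{name}: DHCP range address {addr} outside {net}")
    return findings
```

In the sample, the flagged range end falls inside the 172.16.8.0/22 block that the guide assigns to VLAN-92, so a typo like this would hand out addresses belonging to another segment.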

2.2.3 Configure firewall settings to enable Internet access for LAN users

The rules below are in the default startup-config. If you're not using eth0 as the WAN interface, change them to your respective interface name.

!
firewall-access 10 permit outbound eth0
!
firewall-snat 10 overload outbound eth0
!

2.2.4 Configure DNS re-write to enable MAP to auto register with private Cloud MACC

By default, each MAP will auto register with macc.ransnet.com, which is the RansNet Public Cloud MACC (WLAN controller). However, for a Private Cloud MACC, instead of changing each MAP's default bootstrap configuration, we can do a DNS re-write on the gateway so that all MAPs auto register with the private MACC IP address. Refer to this link for more details on the DNS re-write feature.

!
ip host macc.ransnet.com <your-macc-ip> rewrite
ip host portal.ransnet.com <your-macc-ip> rewrite
!
firewall-dnat 90 redirect all udp dport 53 rdport 53 remark "force DNS re-write"
!
firewall-input 90 permit all udp dport 53 remark "allow DNS re-writed requests"
!
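
One way to confirm the re-write from a host behind the HSG, as an added example that is not RansNet tooling: it parses a DNS response and checks that macc.ransnet.com resolves only to the private MACC address. The sample response and 192.0.2.10 (standing in for <your-macc-ip>) are constructed; check_live is the call to run on site against any resolver address.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Build a DNS A-record query for `name` (recursion desired, class IN)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def _skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += n + 1

def a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def rewrite_ok(msg, expected_ip):
    """True only if every A record returned is the private MACC address."""
    ips = a_records(msg)
    return bool(ips) and all(ip == expected_ip for ip in ips)

def check_live(name, resolver, expected_ip, timeout=3.0):
    """On site: query a resolver over UDP/53 from behind the HSG and check the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return rewrite_ok(s.recv(512), expected_ip)

# Constructed response: macc.ransnet.com -> 192.0.2.10 (stand-in for <your-macc-ip>)
_q = build_query("macc.ransnet.com")
SAMPLE = (_q[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0) + _q[12:] + b"\xc0\x0c"
          + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.10"))
```

Because the firewall-dnat rule redirects all UDP port 53 traffic, check_live should return True for the private MACC address whichever resolver address is queried from the AP management network.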

2.2.5 Configure hotspot instance for target VLAN

For the VLAN that needs a captive portal, we need to enable the hotspot service for the VLAN and assign a captive portal to it. Please follow this guide for details on hotspot instance configuration.

For this scenario using cloud mfusion (combined with cloud portal and RADIUS), please refer to the snippet of hotspot configuration for VLAN-90 below (replace <radius-key>, <customerentity> and <portalname> with your actual values).

!
security hotspot vlan90
 description "Wireless@xx Captive Portal"
 hotspot-server 172.16.0.1 ports 5000 5001
 client-network 172.16.0.0 255.255.252.0
 client-dhcp 172.16.0.10 255.255.252.0 lease 1800
 client-dhcp-dns 203.211.152.66 210.193.2.66
 client-static 172.16.0.2 255.255.255.0
 client-timeout 1800 10800
 radius-server partnerid.ransnet.com <radius-key>
 hotspot-portal https://partnerid.ransnet.com/<customerentity>/<portalname>/login.php
 start
!

2.3 Create cloud captive portal on mfusion

Login to your mfusion server https://<partnerid>.ransnet.com to create captive portal for your respective instance.

Refer to this video guide on how to create captive portal for each hotspot instance.

Make sure the full portal URL matches the HSG hotspot instance configuration (hotspot-portal URL) in section 2.2.5.

You could optionally define a portal pre-shared key for enhanced security. Make sure the pre-shared key is configured in the HSG hotspot instance setting (if it's defined in the portal setting).

2.4 Provision MAP settings on mfusion/MACC

Login to your mfusion server https://<partnerid>.ransnet.com to access MACC (WLAN controller for MAP).

Refer to this video guide on provisioning MAP on MACC to configure MAP settings.

Make sure each SSID is mapped to the respective VLAN defined in HSG.

2.5 Provision HSG/HSA on mfusion for remote monitoring and orchestration

Login to your mfusion server https://<partnerid>.ransnet.com

Refer to this video guide on managing mbox on mfusion so that you can remotely monitor and manage HSG/HSA settings from cloud mfusion.

Refer to the additional video guides for more management features.

https://youtu.be/d6gO2ZDvfws (backup and restore)

https://youtu.be/yl0W_QeNGSw (scheduled reports)