In retail chains, F&B outlets, and small branch locations, Wi-Fi access is commonly provided as a free facility. At the same time, these locations rely on reliable SD-WAN connectivity to support secure transactions and access to centralized corporate systems such as CRM and ERP platforms.

RansNet Wi-Fi Hotspot over SD-WAN is designed to address both requirements using a single, shared infrastructure, by leveraging the same SD-WAN deployment:

• RansNet SD-WAN edge routers deployed at branch or outlet locations

• Redundant internet backhaul links (fiber, broadband, 4G/5G)

• Secure SD-WAN overlay tunnels to HQ or cloud environments

• Centralized management, monitoring, and security services

• Integrated guest Wi-Fi services with captive portal and advertisement platform

Rather than deploying a separate hotspot or captive portal system, guest Wi-Fi is implemented as a logically isolated service over the same SD-WAN fabric. This ensures strict separation from corporate traffic while reusing the same transport, security, and management infrastructure.

As a result, organizations can maximize return on their SD-WAN investment by extending it to support guest Wi-Fi services—without compromising security, performance, or operational simplicity.

In this sample scenario, we will build a demo setup for HSA working with cloud HSG for captive portal, while functioning as a SD-WAN router.

Common use cases

1. CloudX design, where HSA is used as SD-WAN edge router, with additional AP behind it to extend wireless coverage.

2. "Wi-Fi on the go", where HSA acts as an all-in-one device with 4/5G backhaul to provide Wi-Fi in buses or trains.

3. Hotspot over SD-WAN, where HSA provides wireless hotspot access, on top SD-WAN connectivity.

In all of above design scenario, HSA will function as a mini-HSG utilizing below key features

1. router & firewall

2. dual-band Wi-Fi (802.11a/b/g/n/ac/ax)

3. hotspot controller to redirect user to external/HSG captive portal

4. wireless WAN with 4/5G dual-SIM

5. SD-WAN capabilities (as an all-in-one retail solution)

And we use cloud HSG for:

1. hosting hotspot/captive portal (with CMS)

2. hotspot users database and authentication

3. analytics and reporting

Deployment preparation

• 1 x cloud HSG. Enable RADIUS and provision captive portal for HSA to use.

  • Cloud HSG can be physical appliance or VM, hosted in customer HQ or DC.

  • HSG needs to be accessible by HSA (eg. HSG needs public IP), with firewall ports open for TCP/80, TCP/443, UDP/1812, UDP/1813

• 1 x HSA-500 per site (can make use of HSA built-in Wi-Fi, together with additional AP for wireless coverage extension)

  • Connect HSA WAN port to ISP modem/ONT, and slot in dual SIM card into the LTE slots (optional, for "Wi-Fi on the go") .

• Connect management PC to HSA LAN4 port (configure PC with DHCP, then connect to mbox GUI using http://192.168.1.1/mbox, login with root/Letmein99). Follow below steps to restore sample config.

2-Step deployment from sample config

1. download sample config for HSA4-hotspot-MWAN

2. follow this video guide to deploy HSA by restoring from sample config

After configs are restored, please make two minimum changes:

• On your HSG, please add your HSA WAN IP as radius client with a redius key, or you can set 0.0.0.0/0 to allow all if they have a correct key, eg.

• On your HSA CLI, change splash.ransnet.com to point to your HSG WAN IP, and also change the portal URL to map to what's provisioned on HSG.

Sample config default settings

• the WAN port is pre-configured to get dhcp IP from ISP ONT/modem (or upstream router). If you need to change interface IP/route, please follow this guide.

• WAN port is the primary

• LTE SIMs are backup to WAN (active/active while WAN fails)

• HSA is pre-configured with vlan10, and LAN ports 1-3 are assigned to vlan10. (see details on how to configure HSA VLAN). NOTE: we don't need to assign any IP address to interface br-vlan10 (unmanaged), because the hotspot-server command will auto create tunnel IP and attach to br-vlan10.

  • HSA is also enabled with Wi-Fi, using SSID "mbox_wifi", and the SSID is assigned to vlan10 (configure HSA wireless setting).

  • (optionally) To extend Wireless coverage, connect MAP (or 3rd-party AP) to LAN port 1-3, and broadcast SSID "mbox_wifi". 

    • simply bridge mbox_wifi SSID to vlan1 on AP (it will fall into vlan10 on HSA).

    • Refer to vendor documentation on configuring wireless, or for MAP wireless config, please refer to MAP lab2.

NOTE for older/used box

• 1. upgrade your HSA box to firmware version 20190715-0030, and above (follow this guide to upgrade firmware)