Getting Started with RansNet
1. About RansNet Products
RansNet offers a 4G/5G SD-WAN and Wi-Fi hotspot solution, together with the mfusion SD-WAN orchestrator platform, as an end-to-end solution for enterprise customers and service providers. The end-to-end Wi-Fi hotspot solution consists of three product families:
The mbox product family includes all the on-premise hardware appliances that provide reliable end-to-end connectivity to end users, including the HotSpot Gateway (HSG), Cloud Managed Gateway (CMG), HotSpot Access (HSA) series and Universal Access (UA) series. Different models are available depending on the size of the network, the number of users, and so on.
mfusion is an SD-WAN platform that helps administrators or service providers remotely monitor and manage large numbers of mbox appliances. mfusion delivers centralized orchestration, patch management, fault/threshold alerting, and real-time/scheduled reporting.
mlog, the security logger, is an optional but highly recommended appliance. It collects user access logs, raises alarms for anomalies, and stores logs for long-term retention and security audit compliance.
mbox - Purpose-built industrial appliances
mbox is a high-performance network appliance designed for demanding enterprises, fully featured with advanced networking and security technologies such as Ethernet switching, TCP/IP routing, virtual private networking, stateful firewall inspection and user access control. Running on a hardened Linux kernel with a series of proprietary applications, mbox delivers high performance, manageability, reliability and security, all packed in a purpose-built industrial-grade computing platform.
Cloud Managed Gateway (CMG). CMG is meant to be deployed as an integrated gateway/CPE appliance, with router, firewall and proxy/caching all in one device, saving the cost of a separate router and firewall while maximizing performance and reducing points of failure. Refer to the datasheet for hardware details.
HotSpot Gateway (HSG). HSG is designed to allow businesses to provide Internet access for their customers. With customizable login portals (captive portals) and a variety of deployment options, the mbox HSG series allows enterprises to offer flexible and differentiated Internet access for guests, VIP members or visitors. Refer to the datasheet for hardware details.
HotSpot Access (HSA). HSA is designed as an all-in-one access gateway that combines 4G and fixed WAN access for smaller network environments, providing router, firewall, wireless and hotspot access control features in a single cost-effective box.
Universal Access (UA). UA combines 4G/5G/Wi-Fi and fixed WAN access for branch networks, IoT deployments, and mission-critical industrial applications.
As a technology vendor with strong networking fundamentals, RansNet has developed mbox with robust networking and security features, making it a suitable gateway appliance for enterprise networks of any size.
Below are the integrated networking functionalities of mbox HSG, which make mbox an ideal Internet gateway or Customer Premise Equipment (CPE).
Support 3G/4G/NGBN/Ethernet DSL/PPPoE WAN connectivity
Multiple GE Ports, high performance, up to 6 Gbps throughput (depending on model)
Support IPv4, IPv6, Static route, OSPF/BGP.
Integrated stateful firewall inspection for perimeter security
Support Virtual Private Network (VPN) protocols, such as IPSec, SSL, GRE, L2TPv3.
Support redundancy or High Availability using VRRP protocol
Supports policy-based routing and multiple WAN link balancing (outbound)
HotSpot access controller, captive portal and AAA
Seamless integration with mfusion for plug-and-play deployment and cloud management & monitoring
NOTE:
HSA/UA series have a HotSpot Access Controller but no built-in captive portal and AAA server. They need to work with an external/cloud HSG for the captive portal and AAA.
mfusion
The RansNet mfusion platform is a multi-tenant and customizable central platform that proactively monitors all critical components of the IP network devices, detects and alerts on faults/errors in accordance with pre-defined thresholds, and escalates them for prompt resolution.
mfusion automates device configuration and SD-WAN provisioning for large numbers of remote RansNet SD-WAN appliances (CMG/HSA/UA), with real-time visibility of SD-WAN topology status/changes, VPN tunnel performance and dynamic routing status.
RansNet operates a cloud-hosted mfusion platform shared by all customers and partners to manage RansNet appliances with valid support licenses. However, some customers or partners may prefer to host a dedicated private/on-premise mfusion deployment. A dedicated mfusion can be deployed as a hardware appliance or as a virtual machine (VMware hypervisor, AWS, Azure, KVM, etc. are supported).
2. Device Bootstrapping via Command Line Interface (CLI)
mbox supports Zero-Touch Provisioning (ZTP). Once the device is online (either the WAN port is connected to a DHCP-based Internet connection or a SIM card is inserted into the SIM1 slot), the device will automatically "call home" to mfusion, where you can provision the device and configure its settings via an intuitive dashboard.
However, if the WAN connection uses a static IP address, you will need to configure the basic WAN IP address and default route via the CLI. Advanced engineers may also want to access the mbox Command Line Interface to perform in-depth troubleshooting.
To access the mbox CLI, you can use a serial console with a DB9 female connector or SSH:
Console access. Use a serial console cable with a DB9 female connector at baud rate 19200 (Note: for HSA it is 115200, for MAP it is 9600).
SSH access. Connect to mbox ETH2 using a UTP crossover or straight cable. ETH2 is pre-configured with IP address 10.10.10.1/24, from which you can access mbox using SSH. (For HSA, you can connect to any LAN port; the default IP is 192.168.1.1/24.) SSH to mbox with support/Letmein99.
The mbox Command Line Interface (CLI) provides an intuitive way to manage mbox configurations. There are four main modes:
Unprivileged (read-only) mode. This is the default mode upon initial login (e.g. login as support, through console or SSH).
Privileged (enable) mode. Under read-only mode, enter "enable", followed by the enable password, to enter enable mode.
Configure mode. This is where configuration starts. Type "configure" under enable mode.
Context mode. This is where you configure the individual parameters of each configuration context, e.g. interface settings, DHCP scope, etc.
mbox CLI shortcuts
There are some handy shortcut keys that make working with the mbox CLI fast and easy.
Handy CLI Keys    Description
------------------------------------------------------------------------------------------
Ctrl + A          Move to beginning of the line
Ctrl + E          Move to end of the line
Ctrl + C          Clear current line
Ctrl + D          Delete character to the right of the cursor
Ctrl + K          Delete everything to the right of the cursor
Ctrl + U          Delete everything to the left of the cursor
Ctrl + W          Delete the word to the left of the cursor
?                 Show the list of available commands
Tab/Space         Auto-complete the current command (enter enough characters to make it unique)
no                Prefix an existing command with "no" to remove it
2.1 Reset HSG/CMG/HSA to factory default setting (write erase)
When doing the initial bootstrap, or for whatever other reason, you may want to reset your device to factory defaults. Follow the guide below to perform a factory reset. (NOTE: this will erase all local data! Make sure you have backups if you want to restore your existing data later. Follow this guide to back up your existing data.)
Console or SSH into mbox and, under enable mode, type "write erase".
mbox# write erase
Erase current config and revert start-up config to default "y" or "n": y
Remove local captive portal contents. Remove all "y" or "n": y
Remove mbox portal user files (e.g. Historical Reports). Remove all "y" or "n": y
Do you want to reset all databases "y" or "n": y
Info: mysql is stopped.
Info: gracefully deleting all current databases...
Info: loading default databases...
Info: mysql is running.
restoring default radius...
restoring default Syslog...
restoring default mboxadmin...
restoring default zabbix...
restoring default macc2...
initializing all databases...
Current Version: 201608010100
Installing Version: 201706031500
stop mysql events
init DB mboxadmin
init DB syslog
Syslog data range: -- LOG not running.
Drop events syslog
init DB radius
Radius data range: -- RADIUS not running.
Drop events radius
start mysql events
restart apache2
Do you want to erase MAP statistics "y" or "n": y
exception: connect failed
INFO: Please restart mbox to apply the default config.
mbox#
After "write erase" is done, the box will be pre-loaded with a default set of configuration. If you want a completely empty start-up config so that you can configure the box from scratch, type "write erase all" instead.
Use "show startup-config" to verify the default configs.
!
hostname mbox
!
interface eth0
 description "Connection to WAN"
 enable
 ip address dhcp
!
interface eth1
 description "Connection to LAN"
 enable
 ip address 192.168.8.1/22
 dhcp-server
  dns 8.8.8.8 8.8.4.4
  range 192.168.8.100 192.168.11.254
!
interface eth2
 description OOB-Mgmt
 enable
 ip address 10.10.10.1/24
 dhcp-server
  dns 8.8.8.8 8.8.4.4
  range 10.10.10.10 10.10.10.20
!
interface eth3
!
interface loopback
 enable
 ip address 2.1.2.1/32
!
ip dhcp-server start
!
ip name-server 8.8.8.8 8.8.4.4
ip host macc.ransnet.com 2.1.2.1 rewrite
ip host mail 127.0.0.1
ip host mysqldb 127.0.0.1
ip host splash.ransnet.com 2.1.2.1 rewrite
!
ip ntp-server 203.211.159.1 62.201.225.9
!
firewall-input 20 permit all tcp dport 80 src 10.0.0.0/8 admin remark "web mgmt"
firewall-input 21 permit all tcp dport 22 src 10.0.0.0/8 remark "SSH from OOB"
!
firewall-access 10 permit outbound eth0
!
firewall-snat 10 overload outbound eth0
!
The last step is to reboot (make sure you do not type "write memory" before the reboot, otherwise you will save the current config back again instead of rebooting with the default config).
NOTE:
The default startup-config allows basic Internet connection through eth0 and LAN connection over eth1. Management of the device is only allowed through port eth2.
Sometimes you may want to reset only the databases and keep the CLI/network configuration. In that case, answer "y" only at the prompt Do you want to reset all databases "y" or "n": and answer "n" at every other prompt.
2.2 Troubleshooting HSG SQL problems
Sometimes loading the default databases fails because the system is busy with SQL processing, and you may get errors like the ones below:
info: loading default databases...taking longer. please wait...
Info: mysql is stopped.
Info: mysql is stopped.
Error: MySQL is not running. Can't restore databases.
initializing all databases...
Current Version: 201608010100
Installing Version: 201706031500
stop mysql events
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2003 (HY000): Can't connect to MySQL server on 'mysqldb' (111)
ERROR 2003 (HY000): Can't connect to MySQL server on 'mysqldb' (111)
Error: mbox mysql user not permitted to mboxadmin.
init DB mboxadmin
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
mysqlshow: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
upgrade DB mboxadmin
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
Don't panic: after the last step completes, restart your mbox (it should boot up with a basic default config without any SQL running), then run "write erase" again. Most of the time this resets your mbox completely. If it still doesn't work, the cause might be the SQL dynamic password generation; in that case perform the pass-reset below:
mbox#
mbox# configure
mbox(config)# mfusion mysql-server
mbox(config-mysql)# pass-reset
............
[info] mysql DB pass normalized successfully.
mbox(config-mysql)# end
dev# write erase
2.3 Reset MAP to factory default setting (delete config.text)
1. Console to the MAP console port (baud rate 9600) and log in with admin and enable password admin.
2. Delete the existing config (in case the MAP was ever used elsewhere): under enable mode, run delete config.text, then reload to reboot the MAP.
NOTE: If there is a need to set a static IP for the MAP, configure it under "interface bvi 1". In this case, it is also necessary to set the default route.
Bootstrapping of the MAP depends on the deployment/design scenario. For a brief overview of the possible topologies, refer to the video guide here.
2.4 Register MAP with MACC (WLAN Controller)
Scenario 1: register MAP with RansNet cloud MACC
RansNet hosts a cloud HSG/MACC with a publicly accessible URL (macc.ransnet.com). By default, you don't need to do anything on a fresh RansNet MAP: just power it up and, once the MAP gets a DHCP IP address from a management VLAN with direct Internet access, it will look for the RansNet cloud MACC.
For legacy reasons, you can also bootstrap the MAP explicitly with the configuration below.
NOTE: the configuration below is also the default config after a factory reset (or fresh install) of the MAP, so if the default config does not look like this, just paste the config below into the MAP console.
!
cwmp
 acs url https://macc.ransnet.com:8443/service/tr069servlet
 cpe inform interval 300
 no cpe back-up
!
log_mng set uu http://macc.ransnet.com:8080/macclog/log/upload
log_mng set upd 300
!
interface BVI 1
 ip address dhcp
!
Scenario 2: register MAP with on-premise HSG (local MACC)
In this case, the HSG issues a DHCP IP to the MAP from the management VLAN.
Add the configuration below to the HSG to rewrite the MAP's DNS requests, so that when the MAP tries to register with macc.ransnet.com from its default config, the request actually goes to the local HSG/MACC loopback interface IP instead.
So bootstrap your MAP with the default config as in Scenario #1, then configure the related commands below on the HSG.
!
interface eth1
 description "trunk to LAN"
 enable
 ip address 192.168.8.1/22
 dhcp-server
  description "Management VLAN DHCP scope"
  dns 8.8.8.8 8.8.4.4
  range 192.168.8.10 192.168.11.254
  enable
!
interface loopback
 enable
 ip address 2.1.2.1/32
!
ip dhcp-server start
!
ip host macc.ransnet.com 2.1.2.1 rewrite
!
macc start
!
firewall-dnat 20 redirect all udp dport 53 src 192.168.8.0/22
!
firewall-input 20 permit all udp dport 53 src 192.168.8.0/22
!
Scenario 3: register with private cloud MACC
Customers or partners may want to host their own private cloud HSG/MACC to manage many remote MAPs. Make sure the central/cloud HSG is reachable by all remote MAPs on a static IP address. There are two options to bootstrap the MAPs:
If the local gateway is an HSG/CMG/HSA, set a DNS rewrite on the gateway for macc.ransnet.com to your own cloud MACC IP, e.g.
ip host macc.ransnet.com <your-macc-ip> rewrite
Then all MAPs behind this gateway will auto-register with <your-macc-ip>.
If the local gateway is a third-party router, you need to explicitly tell the MAP the IP address of the MACC. On each MAP, load the default cwmp config below (replacing the IP with your actual cloud MACC IP).
2.5 Upgrade mbox firmware
There are a few options for upgrading mbox. Connect to the mbox CLI via SSH or console:
1. check your current version
mbox# show version
NOTE: If the current version is not the one you want, you can roll back to an earlier version.
2. check available repository version
mbox# upgrade list    <--- checks available versions
20160505-2330
20160506-2338
3. upgrade/download to your desired version
mbox# upgrade 20160505-2330    <--- specify the target version here; you can roll back to an earlier version or upgrade to the latest version
NOTE:
Sometimes, when MySQL is running, the upgrade can be slow or even fail. If mbox is running as MACC, HSG or LOG, it is recommended to stop all processes that require MySQL (e.g. macc, radius, hotspot, log-server), save the config with those processes stopped, reboot, and then proceed with the upgrade (check "show mfusion mysql" to make sure MySQL is stopped). After the upgrade completes successfully, start the respective processes again.
It is recommended to reboot mbox after an upgrade/downgrade.
VERSION NOTES
Each version note starts with the prefix RC, BETA, or STABLE:
BETA: this version is for internal testing only. DO NOT use it for production.
RC: this version is a release candidate for the coming major release. You can try out the new features with some risk; use it in a controlled environment.
STABLE: this version is thoroughly tested and recommended for production use.
Upgrade from old legacy boxes
Sometimes you may want to upgrade a legacy mbox to the latest version, particularly to pick up new default profiles and GUI changes, and it may be necessary to reset the legacy database and start from scratch to get a fresh box with the latest features.
Please follow the steps below:
1. Reset your current RADIUS database using the CLI: "configure" --> "security radius-server" --> "data-reset".
2. Upgrade your mbox to the latest version:
- upgrade <version1>. Choose the second-latest version. Reboot after the upgrade.
- upgrade <version2>. Choose the latest version. Reboot after the upgrade.
NOTE: in step 1, data-reset erases all existing RADIUS data, including user accounts, custom profiles (if any) and user access records. If the legacy data is important to you, skip step #1.
5. Quick references for hotspot deployment (HSG)
https://youtu.be/yrjAkt8XkT8 (create captive portal using CMS)
https://youtu.be/_tUi5Atwi-c (enable email OTP login)
https://youtu.be/NhtW8838_QA (enable social media login)
https://youtu.be/zdFZ3Hj7KW0 (enable SMS OTP login)
https://youtu.be/H-9uOZJUTgs (user access control)
https://youtu.be/xot1xt-PqGA (monetize Wi-Fi with landing page ads)
https://youtu.be/iFoPUsO4TII (monetize Wi-Fi with in-session ads)
https://youtu.be/JbTxkfwMUIY (monetize Wi-Fi with user engagement)
https://youtu.be/IMI_OriwZdo (mfusion cloud management)
https://youtu.be/d6gO2ZDvfws (mbox disaster recovery management)
6 Basic sample configuration
Mostly, mbox is deployed as a gateway appliance with minimal router and firewall functions. A working mbox must have the following parts configured:
Interface IP addresses for both WAN and LAN interfaces
Default IP gateway route and name-server (optional if WAN is DHCP)
DHCP address assignment for LAN users
Basic firewall access rules and address translation rules
CONFIGURATION STEPS
enable & configure WAN (eth0) interface IP
enable & configure the LAN (eth1) interface (assuming there is another LAN switch connecting the internal PCs)
enable DHCP server on LAN (eth1) to assign DHCP IP addresses to internal users
configure default gateway and name-server (not needed if WAN is on DHCP)
configure firewall rules to permit outbound Internet access and Port Address Translation to hide internal private IP addresses
Below is a sample config for the simple scenario above. It is the default startup-config after mbox bootstrap (or write erase).
!
hostname mbox
!
interface eth0
 description "Connection to WAN"
 enable
 ip address dhcp
!
interface eth1
 description "Connection to LAN"
 enable
 ip address 192.168.8.1/22
 dhcp-server
  dns 8.8.8.8 8.8.4.4
  range 192.168.8.100 192.168.11.254
  enable
!
interface eth2
 description OOB-Mgmt
 enable
 ip address 10.10.10.1/24
 dhcp-server
  dns 8.8.8.8 8.8.4.4
  range 10.10.10.10 10.10.10.20
  enable
!
interface eth3
!
interface loopback
 enable
 ip address 2.1.2.1/32
!
ip dhcp-server start
!
ip name-server 8.8.8.8 8.8.4.4
ip host macc.ransnet.com 2.1.2.1 rewrite
ip host mail 127.0.0.1
ip host mysqldb 127.0.0.1
ip host splash.ransnet.com 2.1.2.1 rewrite
!
ip ntp-server 203.211.159.1 62.201.225.9
!
firewall-input 20 permit all tcp dport 80 src 10.0.0.0/8 admin remark "web mgmt"
firewall-input 21 permit all tcp dport 22 src 10.0.0.0/8 remark "SSH from OOB"
!
firewall-access 10 permit outbound eth0
!
firewall-snat 10 overload outbound eth0
!
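The default startup-config above (and the one shown under 2.1) confines web and SSH management to firewall-input permits with src 10.0.0.0/8, which is what keeps management on the eth2 OOB side. As an added example (not RansNet's own tooling), the following Python parses a config in this startup-config layout and flags any permit rule for the management ports (22 and 80) that carries no src qualifier or admits a source wider than the policy network; it assumes context lines are indented under their interface line and that "!" closes a stanza, and the sample config with its rule 30 is constructed, not a real device dump.

```python
import ipaddress

# Constructed sample in the startup-config layout shown on this page: the
# default OOB interface and the two default management permits, plus one
# constructed rule (seq 30) with no "src" qualifier to show what gets flagged.
SAMPLE_CONFIG = """\
!
interface eth2
 description OOB-Mgmt
 enable
 ip address 10.10.10.1/24
!
firewall-input 20 permit all tcp dport 80 src 10.0.0.0/8 admin remark "web mgmt"
firewall-input 21 permit all tcp dport 22 src 10.0.0.0/8 remark "SSH from OOB"
firewall-input 30 permit all tcp dport 22 remark "constructed: SSH from anywhere"
!
"""

# Management ports and the only source network each should be reachable from
# (the default config admits 10.0.0.0/8, which contains the eth2 OOB subnet).
MGMT_POLICY = {"22": "10.0.0.0/8", "80": "10.0.0.0/8"}


def parse_config(config):
    """Return ({interface: ip/prefix}, [firewall-input rules]) from an mbox config.
    Indented lines belong to the preceding 'interface' line, '!' closes the stanza,
    and a rule's 'src' stays None when it carries no source qualifier."""
    interfaces, rules, current = {}, [], None
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or line.startswith("!"):
            current = None
        elif line.startswith(" ") and current is not None:
            if tokens[:2] == ["ip", "address"]:
                interfaces[current] = tokens[2]
        elif tokens[0] == "interface":
            current = tokens[1]
            interfaces.setdefault(current, None)
        elif tokens[0] == "firewall-input":
            rule = {"seq": int(tokens[1]), "action": tokens[2], "dport": None, "src": None}
            for i, tok in enumerate(tokens):
                if tok in ("dport", "src"):
                    rule[tok] = tokens[i + 1]
            rules.append(rule)
    return interfaces, rules


def audit_mgmt_exposure(config, policy=MGMT_POLICY):
    """Flag permit rules to a management port with no src, or a src wider than policy."""
    findings = []
    for rule in parse_config(config)[1]:
        if rule["action"] != "permit" or rule["dport"] not in policy:
            continue
        allowed = ipaddress.ip_network(policy[rule["dport"]])
        if rule["src"] is None:
            findings.append(f"rule {rule['seq']}: dport {rule['dport']} reachable from any source")
        elif not ipaddress.ip_network(rule["src"], strict=False).subnet_of(allowed):
            findings.append(f"rule {rule['seq']}: dport {rule['dport']} open to {rule['src']}, wider than {allowed}")
    return findings
```

Run audit_mgmt_exposure() over the output of "show startup-config" after any change to the firewall-input rules; tightening the policy to the eth2 subnet itself (10.10.10.0/24) also flags the two default rules, since 10.0.0.0/8 is wider than the OOB network.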