Getting Started with RansNet Gateways

1. About RansNet mbox product family (HSG, CMG, HSA, MAP)

RansNet end-to-end Wi-Fi hotspot solution consists of three product families:

  • mbox product family includes all the hardware required to provide reliable end-to-end wireless Internet access to end users, including mbox Access Points (MAP), HotSpot Gateway (HSG) and Cloud Managed Gateway (CMG). HSG is used if captive portal feature is required, else CMG (lower cost) will be used. Different models are available depending on size of the network and no. of users etc.

  • mfusion cloud platform helps administrators or service providers remotely monitor and manage massive mbox appliances. mfusion delivers centralised orchestration, patch management, fault/threshold alerting and real-time/scheduled reporting etc.

  • mlog security logger, is an optional but highly needed appliance. It collects user access logs, alarms for anomalies, and stores logs for long-term retention and security audit compliance.

mbox - Powerful cloud manageable appliance

mbox is a high performance network appliance designed for serious enterprises, fully featured with all the advanced networking & security technologies, such as ethernet switching, TCP/IP routing, virtual private networking, stateful firewall inspection and user access control etc. Running on hardened Linux kernel and installed with a series of proprietary applications, mBox produces extremely high performance, manageability, reliability and security, all packed in a purpose-built industrial grade computing platform.

In the mbox product family, there are three series of offerings:

    • Cloud Managed Gateway (CMG). CMG is meant to be deployed as an integrated gateway/CPE appliance, with router & firewall & Proxy/Caching all in one device, saving costs for additional router and firewall, while enjoying maximum performance and reducing point of failures. Refer to datasheet for hardware details.

    • HotSpot Gateway (HSG). HSG is designed to allow businesses to provide internet access for their customers. Designed with customizable login portals (or captive portals) and a variety of deployment options, mbox HSG series allows enterprise to offer flexible and differentiated Internet access for guests, VIP members or visitors. Refer to datasheet for hardware details.

    • HotSpot Access (HSA). HSA is designed to be an all-in-one access gateway for smaller network environment, providing router, firewall, wireless and hotspot access control features in a single cost-effective box. Refer to datasheet for hardware details.

    • mbox Access Point (MAP) are powerful enterprise grade Wi-Fi 6 wireless access points, supporting the latest wireless technologies.

As a technology vendor of strong networking fundamentals, RansNet has developed mbox with robust networking and security features, being a perfect gateway appliance for any sizes of enterprise networks.

Below are the integrated networking functionalities for mbox HSG, making mbox as an ideal Internet gateway or Customer Premise Equipment (CPE).

    • Support 3G/4G/NGBN/Ethernet DSL/PPPoE WAN connectivity

    • Multiple GE Ports, high performance, up to 6 Gbps throughput (depending on model)

    • Support IPv4, IPv6, Static route, OSPF/BGP.

    • Integrated stateful firewall inspection for perimeter security

    • Support Virtual Private Network (VPN) protocols, such as IPSec, SSL, GRE, L2TPv3.

    • Support redundancy or High Availability using VRRP protocol

    • Supports policy-based routing and multiple WAN link balancing (outbound)

    • HotSpot access controller, captive portal and AAA

    • Seamless integration with mfusion for plug-and-play deployment and cloud management & monitoring

NOTE:

    1. when mbox is deployed at the Internet edge, it is not necessary to have another Internet router for WAN connectivity, since mbox itself is a very efficient and powerful router; and because mbox also performs stateful firewall inspection, it is optional to have another firewall, unless some other specific firewall features are needed. mbox performs a lot better throughput than many other peering security products.

    2. mbox HSA and MAP only has HotSpot Access Controller, but no builtin captive portal and AAA server. Need to work with external/cloud HSG for captive portal and AAA.

mbox Access Point (MAP)

MAP is the latest addition to RansNet mbox product family. Below are brief list of MAP advanced features:

  • Dual-radio, dual-band, supporting multiple spatial streams (various models available) and the latest OFDMA, MU-MIMO and BSS technology. Enterprise-grade hardware. High performance and reliable. All support PoE LAN switches.

  • Wi-Fi Alliance certified. Support all standard WFA security, EAP, WPA, WPA2/3-PSK, WPA2/3-EAP/dot1x

  • Support advanced wireless security, such as client isolation, rogue AP detection, wireless intrusion detection, per device rate limiting, etc.

  • Support up to 1024 devices (for MAP-820), multiple 16 SSID per AP. Each SSID can be configured either in bridge mode (map to a VLAN) or nat mode (functions like a router). This flexibility makes MAP ideal for both large WLAN networks (bridge) or small F&B outlets (nat).

  • By working with MACC (a WLAN controller module inside HSG), MAP supports adaptive radio management, mobile access, QoS, seamless roaming, load balancing, and many other Wi-Fi optimisations.

  • MAP also comes with a built-in HotSpot Access Controller to redirect user traffic to external captive portals for guest Wi-Fi access and Wi-Fi monetization.

All MAPs are built with the latest wireless technologies and all features are fully available upon purchase of the hardware. No separate license is required for different wireless features. Other than warranty costs, there’s no yearly software or cloud subscription costs. MACC comes as a default module of HSG and there’s no licensing limit for the no. of MAP to manage, except there are certain guidelines for different HSG based on hardware resource availability.

mfusion

RansNet mfusion platform is a multi-tenant and customizable cloud platform that provides proactive monitoring on all critical components of the IP network devices to detect and alert faults/errors in accordance to the pre-defined thresholds, and escalate for prompt resolution. At the same time it provides orchestration, patch/firmware management and service provisioning for mbox.

The mfusion also comes with SD-WAN orchestrator module to auto provision SD-WAN configurations for massive remote/edge SD-WAN routers (CMG/HSA) and provides real-time visibility on SD-WAN topology status/changes, VPN tunneling performance and dynamic routing status etc.

2. Access mbox via command line interface (CLI)

For advanced engineers, you may want to access to mbox Command Line Interface (CLI) to configure advanced features for complex deployment scenarios, or to perform in-depth troubleshooting.

mbox Command Line Interface (CLI) provides an intuitive way to manage mbox configurations. There are 4 main modes:

    1. unprivileged (ready-only) mode. This is the default mode upon initial login (eg. login with support, through console or SSH)

    2. privileged (enabled) model. Under read-only mode, enter "enable", followed by enable password to enter enable mode.

    3. Configure mode. This is where we start our configuration. Type "configure" under enable mode.

    4. Context mode. This is where you configure individual parameters for each configs, eg. interface settings, dhcp scope, etc.

To access mbox CLI, you can use serial console with DB9 female connector or access using SSH

  • Console access. Use serial console cable with DB9 female connector with Baud rate: 19200 (Note: for HSA, it's 115200, for MAP, it's 9600).

  • SSH Access. Connect to mbox ETH2 using a UTP cross/straight cable. ETH2 is pre-configured with IP address 10.10.10.1/24, from here you can ccess mbox using SSH. (For HSA, you can connect to any of LAN port, the default IP is 192.168.1.1/24). SSH to mbox with support/Letmein99.

mbox CLI shortcuts

There're some interesting short-cut handy keys you can use to make your working with mBox CLI extremely easy and fast.

Handy CLI Keys Description----------------------------------------------------------------------------------------------------------------------------Ctrl + A Move to Beginning of the LineCtrl + E Move to End of the LineCtrl + C Clear current lineCtrl + D Delete Character on the right of cursorCtrl + K Delete everything on the right of cursorCtrl + U Delete everything on the left of cursorCtrl + W Delete Words on the left of cursor? shows list of available commandstab/space Auto completes current command (enter enough charater to make it unique)no to remove existing commands *

3. Bootstrap CMG/HSG/HSA/MAP

When we do initial bootstraps, or for whatever reasons, you may want to reset your devices to factory defaults. Follow below guide to perform factory resets. (NOTE: this will erase all local data!!!. Make sure you have backups if you want to restore back your existing data. Follow this guide to backup your existing data.).

3.1 Reset HSG/CMG/HSA to factory default setting (write erase)

Just console/SSH into mbox, under enable mode, type "write erase".

mbox# write erase Erase current config and revert start-up config to default "y" or "n": yRemove local captive portal contents. Remove all "y" or "n": yRemove mbox portal user files (e.g. Historical Reports). Remove all "y" or "n": yDo you want to reset all databases "y" or "n": yInfo: mysql is stopped.Info: gracefully deleting all current databases...Info: loading default databases...Info: mysql is running.restoring default radius...restoring default Syslog...restoring default mboxadmin...restoring default zabbix...restoring default macc2...initializing all databases...Current Version: 201608010100Installing Version: 201706031500stop mysql eventsinit DB mboxadmininit DB syslogSyslog data range: -- LOG not running. Drop events sysloginit DB radiusRadius data range: -- RADIUS not running. Drop events radiusstart mysql eventsrestart apache2Do you want to erase MAP statistics "y" or "n": yexception: connect failedINFO: Please restart mbox to apply the default config.mbox#

After "write erase" is done, the box will be pre-loaded with a default set of configuration. If you want to have a complete empty start-up config so that you can start from scratch to configure the box, just type "write erase all".

Use "show startup-config" to verify the default configs.

!hostname mbox!interface eth0 description "Connection to WAN" enable ip address dhcp!interface eth1 description "Connection to LAN" enable ip address 192.168.8.1/22 dhcp-server dns 8.8.8.8 8.8.4.4 range 192.168.8.100 192.168.11.254!interface eth2 description OOB-Mgmt enable ip address 10.10.10.1/24 dhcp-server dns 8.8.8.8 8.8.4.4 range 10.10.10.10 10.10.10.20!interface eth3!interface loopback enable ip address 2.1.2.1/32!ip dhcp-server start!ip name-server 8.8.8.8 8.8.4.4ip host macc.ransnet.com 2.1.2.1 rewriteip host mail 127.0.0.1ip host mysqldb 127.0.0.1ip host splash.ransnet.com 2.1.2.1 rewrite!ip ntp-server 203.211.159.1 62.201.225.9!firewall-input 20 permit all tcp dport 80 src 10.0.0.0/8 admin remark "web mgmt"firewall-input 21 permit all tcp dport 22 src 10.0.0.0/8 remark "SSH from OOB"!firewall-access 10 permit outbound eth0!firewall-snat 10 overload outbound eth0!

The last step is to reboot (make sure you don't type "write memory" before reboot else you will save back current config again instead of reboot with the default config).

NOTE:

  • the default startup-config allows basic Internet connection through eth0 and LAN connection over eth1. Management of the device is only allowed through port eth2.

  • sometimes you may just want to reset the database only, and still keep the CLI/network configurations, in each of the prompted step, only enter "y" for Do you want to reset all databases "y" or "n": y, and answer "n" for all other steps.

3.2 Troubleshooting HSG SQL problems

Sometimes you may experience problems to load default databases, because the current system maybe busy with SQL processing, and you may get errors below:


info: loading default databases...taking longer. please wait...Info: mysql is stopped.Info: mysql is stopped.Error: MySQL is not running. Can't restore databases.initializing all databases...Current Version: 201608010100Installing Version: 201706031500stop mysql eventsERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)ERROR 2003 (HY000): Can't connect to MySQL server on 'mysqldb' (111)ERROR 2003 (HY000): Can't connect to MySQL server on 'mysqldb' (111)Error: mbox mysql user not permitted to mboxadmin.init DB mboxadminERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)mysqlshow: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)upgrade DB mboxadminERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)

Don't panic, after the last step is completed, restart your mbox (it should boot up with a basic default config without any SQL running), then do another "write erase". Most of the time, you should be able to reset your mbox completely. However, if it still doesn't work, it might be due to SQL dynamic pass generation issue, do below pass-reset

mbox# mbox# configure mbox(config)# mfusion mysql-server mbox(config-mysql)# pass-reset............[info] mysql DB pass normalized successfully.mbox(config-mysql)# enddev# write erase

3.3 Reset MAP to factory default setting (delete config.text)

1. console to MAP console port (using baud rate 9600), login with admin and enable password admin

2. delete existing config (in case MAP is ever used elsewhere). under enable mode, delete config.text, reload, to reboot MAP.

NOTE: If there's a need to set static IP for MAP, just configure under "interface bvi 1" to set static IP. In this case, it's necessary to set default route also.

Bootstraping of MAP depends on the deployment/design scenarios. For a brief overview of the possible topologies, you can refer to this video guide here.

3.4 Register MAP with MACC (WLAN Controller)

Scenario 1: register MAP with RansNet cloud MACC

RansNet hosts cloud HSG/MACC with publicly accessible URL (macc.ransnet.com). By default, you don't need to do anything on a fresh RansNet MAP. Just power it up and once MAP gets DHCP IP address from a management VLAN with direct Internet access, it will look for RansNet cloud MACC.

But for some legacy reason,You can simply bootstrap your the MAP with below configs.

NOTE: below is also the default config after you do factory reset of the MAP (or fresh install), which means, if the default config is not like below, just paste below config to MAP console.

!cwmp acs url https://macc.ransnet.com:8443/service/tr069servlet cpe inform interval 300 no cpe back-up!log_mng set uu http://macc.ransnet.com:8080/macclog/log/uploadlog_mng set upd 300!interface BVI 1 ip address dhcp!

Scenario 2: register MAP with on-premise HSG (local MACC)

In this case, HSG will issue DHCP IP to MAP from management VLAN.

Add below configure to HSG to rewrite MAP DNS requests, so that when MAP tries to register with macc.ransnet.com from its default configs, the actual request goes to local HSG/MACC loopback interface IP instead.

In this case, bootstrap your MAP with default configs as in Scenario #1, then configure below related commands on HSG.

!interface eth1 description "trunk to LAN" enable ip address 192.168.8.1/22 dhcp-server description "Management VLAN DHCP scope" dns 8.8.8.8 8.8.4.4 range 192.168.8.10 192.168.11.254 enable!interface loopback enable ip address 2.1.2.1/32!ip dhcp-server start!ip host macc.ransnet.com 2.1.2.1 rewrite!macc start!firewall-dnat 20 redirect all udp dport 53 src 192.168.8.0/22!firewall-input 20 permit all udp dport 53 src 192.168.8.0/22!

Scenario 3: register with private cloud MACC

When customers or partners may want to host their own private cloud HSG/MACC to manage many remote MAPs, just make sure the central/cloud HSG is accessible by all remote MAPs with a static IP address. There're two options to bootstrap MAP:

  • If Local gateway is HSG/CMG/HSG, on your gateway set DNS rewrite macc.ransnet.com to your own cloud MACC IP, eg.

ip host macc.ransnet.com <your-macc-ip> rewrite

Then all the MAP behind this gateway will auto register with <your-macc-ip>.

  • If local gateway is third-party router, we need to explicitly tell MAP IP address of MACC. On each MAP, load in below default cwmp configs (replace the IP here with your actual cloud MACC IP)

! cwmp acs url https://<your-macc-ip>:8443/service/tr069servlet cpe inform interval 300 no cpe back-up!log_mng set up HTTPlog_mng set uu http://<your-macc-ip>:8080/macclog/log/uploadlog_mng set upd 300!!interface BVI 1 ip address dhcp!

3.5 Upgrade mbox firmware

There are a few upgrade options for upgrading mbox. Please connect to mbox CLI via SSH or console:

1. check your current version

mbox#show version

NOTE: Sometimes if the current version is not desirable for you, you can roll back to earlier version.

2. check available repository version

mbox#upgrade list <---checks available versions20160505-233020160506-2338

3. upgrade/download to your desired version

mbox#upgrade 20160505-2330 <---Specify target version here. you can roll back to earlier version or upgrade to the latest version.

NOTE:

  1. sometimes when mysql is running, the upgrade can be slow or even fail. So if mbox is running as MACC, HSG or LOG, it's recommended to stop all processes that require MySQL (eg. macc, radius, hotspot, log-server), save the config (with all processes stopped) and reboot, then proceed to upgrade (check "show mfusion mysql", make sure it's stopped. After upgrade complete successfully, you can start the respective processes again.

  2. it is recommended to reboot mbox after upgrade/downgrade.

VERSION NOTES

Each version notes starts with prefix of RC, BETA, or STABLE

BETA: this version is for internal testing only. DO NOT use it for production

RC: this version is release candidate for coming major release. Can try out the new feature with some risk. Use in a controlled enviornment

STABLE: this version is thoroughly tested and recommended for production use.

Upgrade from old legacy boxes

Sometimes we may want to upgrade your legacy mbox to the latest version, particularly to include new default profiles and GUI changes etc, and it may be necessary to reset the legacy database and start from scratch to get a fresh new box with the latest features.

Please follow below steps:

1. reset your current RADIUS database using CLI, "configure" --> "security radius-server" --> "data-reset"

2. upgrade your mbox to the latest version

- upgrade <version1> . Chose the 2nd latest version. Reboot after upgrade.

- upgrade <version2>. Chose the latest version. Reboot after upgrade.

NOTE: in step 1, data-reset will erase all existing RADIUS data, including both user accounts, custom profiles (if any) and user access records. If legacy data is important to you, please skip step #1.

4. Quick mbox deployment

The easiest way to deploy mbox HotSpot Gateway (HSG) or HotSpot Access (HSA) is to restore sample configs from our online documentation. Choose the nearest senario that matches your requirement, restore its sample config and make small setting changes from there (eg. IP address changes etc).

  1. follow this video guide to deploy HSG by restoring from sample config

  2. follow this video guide to deploy HSA by restoring from sample config

5. Quick references for hotspot deployment (HSG)

https://youtu.be/yrjAkt8XkT8 (create captive portal using CMS)

https://youtu.be/_tUi5Atwi-c (enable email OTP login)

https://youtu.be/NhtW8838_QA (enable social media login)

https://youtu.be/zdFZ3Hj7KW0 (enable SMS OTP login)

https://youtu.be/H-9uOZJUTgs (user access control)

https://youtu.be/xot1xt-PqGA (monetize Wi-Fi with landing page ads)

https://youtu.be/iFoPUsO4TII (monetize Wi-Fi with in-session ads)

https://youtu.be/JbTxkfwMUIY (monetize Wi-Fi with user engagement)

https://youtu.be/IMI_OriwZdo (mfusion cloud management)

https://youtu.be/d6gO2ZDvfws (mbox disaster recovery management)

6 Basic sample configuration

Mostly mbox is deployed as a gateway appliance with minimum router & firewall functions. A working mbox must have the following parts configured:

    • Interface IP addresses for both WAN and LAN interfaces

    • Default IP gateway route and name-server (optional if WAN is DHCP)

    • DHCP address assignment for LAN users

    • Basic firewall access rules and address translation rules

CONFIGURATION STEPS

    • enable & configure WAN (eth0) interface IP

    • enable & configure LAN (eth1) interface (assume there’s another LAN switch to connect internal PC)

    • enable DHCP server on LAN (eth1) to assign DHCP IP addresses to internal users

    • configure default gateway and name-server (not needed if WAN is on DHCP)

    • configure firewall rules to permit outbound Internet access and Port Address Translation to hide internal private IP addresses

Below is a sample config for above simple scenario. It is the default startup-config after mbox bootstrap (or write erase).

!hostname mbox!interface eth0 description "Connection to WAN" enable ip address dhcp!interface eth1 description "Connection to LAN" enable ip address 192.168.8.1/22 dhcp-server dns 8.8.8.8 8.8.4.4 range 192.168.8.100 192.168.11.254 enable!interface eth2 description OOB-Mgmt enable ip address 10.10.10.1/24 dhcp-server dns 8.8.8.8 8.8.4.4 range 10.10.10.10 10.10.10.20 enable!interface eth3!interface loopback enable ip address 2.1.2.1/32!ip dhcp-server start!ip name-server 8.8.8.8 8.8.4.4ip host macc.ransnet.com 2.1.2.1 rewriteip host mail 127.0.0.1ip host mysqldb 127.0.0.1ip host splash.ransnet.com 2.1.2.1 rewrite!ip ntp-server 203.211.159.1 62.201.225.9!firewall-input 20 permit all tcp dport 80 src 10.0.0.0/8 admin remark "web mgmt"firewall-input 21 permit all tcp dport 22 src 10.0.0.0/8 remark "SSH from OOB"!firewall-access 10 permit outbound eth0!firewall-snat 10 overload outbound eth0!