What is the Vodacom network doing?

Dolby

A few months back I bought a Rain Bird irrigation controller, that I log back into from anywhere in the world and check status / start watering plan etc. I tried on my Huawei P9, Mate 10 Pro and Mate 20 Pro with no success. The Mate 20 Pro is not even running Vodacom FW - but it still fails. At first, I thought the issue was the Huaweis and have been working with them ... but after a while, it emerged this is the network.

What could Vodacom be running on their network that blocks this?

I've now bought a Telkom SIM and use that for data because - aside from being cheaper - I can actually access my irrigation.
 
Looks like an APN (Access Point Name). Vodacom by default uses a "Restricted APN" = User Unauthorised Incoming Packets are blocked. You have to request an "Unrestricted APN" from Vodacom in writing accepting the risks.
Do NOT ASK ANY SHOP ASSISTANT FOR HELP WITH THIS, they will not be able to assist.
Send an email to [email protected] requesting an Unrestricted APN in that particular SIM, that should fix your issue.
 
Ah thanks Ivan.

I'll test this out - but as I have the Telkom SIM already, I may as well test.

Is that unrestricted APN a safety issue?
Is that why they do it?
 
> Looks like an APN (Access Point Name). Vodacom by default uses a "Restricted APN" = User Unauthorised Incoming Packets are blocked. You have to request an "Unrestricted APN" from Vodacom in writing accepting the risks.
> Do NOT ASK ANY SHOP ASSISTANT FOR HELP WITH THIS, they will not be able to assist.
> Send an email to [email protected] requesting an Unrestricted APN in that particular SIM, that should fix your issue.

Unrestricted APN may (not really) help, it is not needed in the first place. Vodacom should definitely look at it. I was assisting @Dolby in testing the access to the controller from my cellular connections, so I am familiar with the matter. I can tell you from the beginning that the Rainbird controller does not need an unrestricted APN to work. So why should the client be on an unrestricted APN? Confused? Read on, it is a different case.

How it works. Rainbird controller software establishes a secure connection to the Rainbird server. Client software (running on the phone) also connects to the server, which exchanges packets with the Rainbird controller. There are no "Unauthorised Incoming Packets" in such a method of communication.

Packet flow: client <-> server <-> controller

The problem is described as follows. Client software is able to establish a secure connection to the controller, but the connection breaks very soon; it always happens on the third request to the controller. Now the most important finding: such a client is subsequently blocked from accessing the Rainbird server for the next couple of hours. I repeat: this is an outgoing connection to the server being blacklisted. Either Vodacom is blocking the outgoing connection or the Rainbird server is detecting a serious security violation in the protocol, which happens during MITM attacks.

When one client (it happens only on the Vodacom network) loses its access to the Rainbird server, a client running on another network can still access the controller, which indicates that the controller software still works and is online.

The above is indicative of a serious misconfiguration of Vodacom gateways or the presence of RICA (or another MITM agent) intercepting our secure communication.
 
@sajunky what port is the connection being made on?

Could it maybe be one known to be used by other normally malicious origins and their packet inspection is just a bit stupid?

However if Rainbird is blacklisting it then it tells me the port works and the origin IP address could be the issue? Maybe it's not Vodacom that is the problem at all but rather Rainbird being overzealous?
 
> @sajunky what port is the connection being made on?
>
> Could it maybe be one known to be used by other normally malicious origins and their packet inspection is just a bit stupid?
>
> However if Rainbird is blacklisting it then it tells me the port works and the origin IP address could be the issue? Maybe it's not Vodacom that is the problem at all but rather Rainbird being overzealous?

According to the Rainbird documentation:
> Some IQ™ Network Communication Cartridges (NCC-EN, NCC-WF, NCC-3G) require router Port Forwarding setup to allow communication between your computer and the controller.

I am not familiar with @Dolby's configuration; only the modules listed above require port forwarding. It is TCP port 50005. In such a case open a port on the router (on the LAN where the controller is situated, fiber in this case). Refer to: https://www.google.co.za/url?q=http...qA6sQFggYMAE&usg=AOvVaw23PqEoLKIz1-In_3g3tf4i

If it was a problem with port forwarding on the controller, it would affect all Internet clients, not only Vodacom.

As for the client app connection I don't see any opening ports requirements.

Other malicious origins? Not in my opinion, see comment below.

As for the blacklisting question, I can't say for sure whether it is made on Vodacom or Rainbird servers, or its nature (spying or a defense against MITM). No. The IP address is not blacklisted. Switch the phone off/on, you get a different IP address, but you remain blacklisted. Blacklisting is based on your ID. Either your SIM authentication on the Vodacom network or your app ID is blacklisted on Rainbird servers. Which one, I am unable to say...

ADDED: I think I made such a test and posted the result in another thread. If I remember correctly, once a client is blacklisted on Vodacom, it remains blacklisted on a Telkom SIM. So I think I concluded that the blacklisting is made on Rainbird servers. Can the RICA spy network do the same?
 
> According to the Rainbird documentation:
> I am not familiar with @Dolby's configuration; only the modules listed above require port forwarding. It is TCP port 50005. In such a case open a port on the router (on the LAN where the controller is situated, fiber in this case). Refer to: https://www.google.co.za/url?q=http...qA6sQFggYMAE&usg=AOvVaw23PqEoLKIz1-In_3g3tf4i
>
> If it was a problem with port forwarding on the controller, it would affect all Internet clients, not only Vodacom.
>
> As for the client app connection I don't see any opening ports requirements.
>
> Other malicious origins? Not in my opinion, see comment below.
>
> As for the blacklisting question, I can't say for sure whether it is made on Vodacom or Rainbird servers, or its nature (spying or a defense against MITM). No. The IP address is not blacklisted. Switch the phone off/on, you get a different IP address, but you remain blacklisted. Blacklisting is based on your ID. Either your SIM authentication on the Vodacom network or your app ID is blacklisted on Rainbird servers. Which one, I am unable to say...

But you need the Unrestricted APN specifically for Port Forwarding.

So then it sounds to me like the APN is indeed the problem after all?
 
> But you need the Unrestricted APN specifically for Port Forwarding.
>
> So then it sounds to me like the APN is indeed the problem after all?

It applies to the server (called a Controller) and specific functionality (some modules).
It does not apply to the client. It would affect all Internet clients, not only clients on the Vodacom network.

I wrote it before, not going to repeat again.
 
> It applies to the server (called a Controller) and specific functionality (some modules).
> It does not apply to the client. It would affect all Internet clients, not only clients on the Vodacom network.
>
> I wrote it before, not going to repeat again.

Fair enough.

And I’m guessing the controller is on a normal terrestrial network only the client being mobile having the issue.

Could still very well be that the port in use is restricted on Vodacom’s default network for whatever reason and the unrestricted APN solves it.

Would be worth trying.
 
Unrestricted APN (even if it helps) has some penalty. When you are being bombarded from outside, you are getting billed for these unwanted packets. Restricted APN helps keep your bill sane.

Vodacom should solve this problem on the normal APN.
 
> @sajunky Maybe it's not Vodacom that is the problem at all but rather Rainbird being overzealous?

I don't understand all the technical jargon ... but it is definitely a Vodacom issue. What? I have no idea :/

I haven't been able to access the Rainbird controller (off LAN) since I bought it, as all my contracts were Vodacom. I got others to test on my behalf with other networks, with no issue. The Huawei guys could replicate the issue (only via Vodacom) - but all other networks worked. SAJunky and others on the forum tried for me as well (I could send invites for 48hrs).

The *only* anomaly is that iPhone/Vodacom seemed to work - but not a single Android/Vodacom combination ever worked.
 
> I don't understand all the technical jargon ... but it is definitely a Vodacom issue. What? I have no idea :/
>
> I haven't been able to access the Rainbird controller (off LAN) since I bought it, as all my contracts were Vodacom. I got others to test on my behalf with other networks, with no issue. The Huawei guys could replicate the issue (only via Vodacom) - but all other networks worked. SAJunky and others on the forum tried for me as well (I could send invites for 48hrs).
>
> The *only* anomaly is that iPhone/Vodacom seemed to work - but not a single Android/Vodacom combination ever worked.

Aha, that is more than likely because Apple forces them to use "common" ports and more than likely encrypted secure ones and not just willy nilly whatever they fancy like Android would do.

I bet getting the Unrestricted APN setup for your Vodacom SIM will sort your problem out regardless of what sajunky thinks.

It's a port access issue.

*****

You could try using something like Tunnelbear on your client device, or any other VPN so you come from a different connection/ip, but your phone might still go around this with an odd port.
 
> Unrestricted APN (even if it helps) has some penalty. When you are being bombarded from outside, you are getting billed for these unwanted packets. Restricted APN helps keep your bill sane.
>
> Vodacom should solve this problem on the normal APN.

Very very small amount of data would be lost to that.

It's really not a big deal, unless someone makes a connection through that is.

But I bet the problem is that the Restricted APN is actually blocking OUTGOING ports and limiting them to very standard approved ports and blocks everything else. It's in the name of the thing after all "restricted" meaning not fully open and available.

Also the Unrestricted APN uses some kind of VPN setup as I recall to restrict something or another but I don't recall the details.
 
> But I bet the problem is that the Restricted APN is actually blocking OUTGOING ports and limiting them to very standard approved ports and blocks everything else. It's in the name of the thing after all "restricted" meaning not fully open and available.

Once again, an open port is only needed for some modules on the Controller, not a client. So forget about blocking ports. The connection between the Controller and the Rainbird server is not on the Vodacom network and is not affected; it works for all other clients. Client software uses a pure TCP connection to the Rainbird server initiated by the client, there is no requirement for opening ports.

Secondly, when a port is restricted, the connection fails from the beginning. Here the connection is established, access to the controller is made, it works during the first two requests, then the client is blacklisted on the third request. Take a Telkom SIM, the client is still blacklisted. Normally when a connection is broken, the client will try to re-establish the connection; it is completely transparent to the user. Blacklisting is an indication that there is an agent on the Vodacom network that keeps the connection active with the Rainbird server. It is why the Rainbird server refuses another connection from the same client.

Unrestricted APN will not help, unless RICA/Vodacom spyware is not active on 'unrestricted', which I doubt. The suggestion of using a VPN is correct, as it moves all spyware to the VPN exit point. Good for testing. However it seems ridiculous to suggest a VPN as a solution. The problem is at Vodacom and should be fixed there.
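
The elimination steps argued in this thread (a filtered port fails at connect time, a session cut on the third request does not, and a block that survives a new IP address or a different SIM is not keyed on the address), as an added example that is not part of the original posts. `probe` and `diagnose` are hypothetical helpers, and the `PING` line protocol, host and port are assumptions; the Rain Bird app's real protocol is not described on this page.

```python
import socket

def probe(host, port, requests=5, timeout=3.0):
    """Report where a client-initiated TCP session fails.

    ("connect_failed", 0): nothing answers on the port (port filtering).
    ("dropped", k): session opened, then cut on request k (1-based).
    ("ok", requests): every request was answered.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return ("connect_failed", 0)
    with sock:
        sock.settimeout(timeout)
        for k in range(1, requests + 1):
            try:
                # Constructed stand-in request, not the Rain Bird protocol.
                sock.sendall(b"PING %d\n" % k)
                if not sock.recv(1024):  # empty read: stream closed on us
                    return ("dropped", k)
            except OSError:  # reset or timeout in mid-session
                return ("dropped", k)
    return ("ok", requests)

def diagnose(first, after_new_ip, on_other_network):
    """Hypothetical helper: apply the elimination steps to probe() results."""
    if first[0] == "ok":
        return "no fault on this path"
    if first[0] == "connect_failed":
        return "port filtered or host unreachable"
    # The session opened and was then cut, so the port itself is reachable.
    if after_new_ip[0] == "ok":
        return "block keyed on source IP address"
    if on_other_network[0] == "ok":
        return "block follows the original network or subscriber"
    return "block follows the client identity, not the network"

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run the probe once on the affected network, again after forcing a new IP address, and once from a second network, then pass the three results to `diagnose`.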
 
> Once again, an open port is only needed for some modules on the Controller, not a client. So forget about blocking ports. The connection between the Controller and the Rainbird server is not on the Vodacom network and is not affected; it works for all other clients. Client software uses a pure TCP connection to the Rainbird server initiated by the client, there is no requirement for opening ports.
>
> Secondly, when a port is restricted, the connection fails from the beginning. Here the connection is established, access to the controller is made, it works during the first two requests, then the client is blacklisted on the third request. Take a Telkom SIM, the client is still blacklisted. Normally when a connection is broken, the client will try to re-establish the connection; it is completely transparent to the user. Blacklisting is an indication that there is an agent on the Vodacom network that keeps the connection active with the Rainbird server. It is why the Rainbird server refuses another connection from the same client.
>
> Unrestricted APN will not help, unless RICA/Vodacom spyware is not active on 'unrestricted', which I doubt. The suggestion of using a VPN is correct, as it moves all spyware to the VPN exit point. Good for testing. However it seems ridiculous to suggest a VPN as a solution. The problem is at Vodacom and should be fixed there.

I suggest a VPN as a solution as it requires you to use authentication details to get access to the network, seems a lot safer than opening ports.
 
The easiest way to solve the issue was buy a Telkom prepaid SIM and run all data through it :)

A bonus of this is cheaper data too ... So I can actually reduce my Vodacom plan going forward (again, cheaper)

Vodacom want to charge me a R1.6k penalty for reducing my plan 2 weeks early though (on a R499.00pm plan) ... So I have to wait until mid November. Stupid and probably against CPA - but again, easiest way rather than fight with them
 
I have spent a *LOT* of time on this. I bought a Telkom prepaid SIM which certainly solved the main issue. Having said that, connectivity is still very scrappy and at my location I am dependent on Telkom roaming via MTN. Telkom will be switching to Vodacom for roaming as from 1 December, so I don't know how it's going to work then.

Ok, although the main problem is solved using Telkom, I don't agree that the problem is with Vodacom alone. There is some sort of compatibility issue which also explains why many people in the US have the same problem. To prove this, I bought some Sonoff Home Automation Wi-Fi switches which essentially use the same end-to-end connectivity as does the Rainbird controller. I have connected them to the same router and I can operate them via Vodacom absolutely flawlessly. I have tested a Sonoff switch 40m from the router, through 4 double walls, and not had a single problem or miss. My Rainbird controller is only 5m from the router and in line of sight and the feedback I get from Rainbird is to move it closer to the router.

Had I known about the Sonoff switches before, I would never have purchased the Rainbird. A dual Sonoff switch costs about R195. You can add a 220v relay to pass 24v AC to the solenoids or you can add a 220/24v transformer to each switch to operate the solenoids, or you can buy the switch that has a relay to switch a single 24v transformer for all zones. Either way, you are looking at under R200 per irrigation zone with incredible programming and deployment flexibility (the eWeLink app is really good and adding a switch couldn't be simpler); many options to turn a zone on or off, including with pocket remote buttons; locating individual switches nearer to where you need them; being able to add unlimited zones at any time without having to change what you already have; replace only what is broken in the event of a failure or lightning strike and much more.
 
I'm terrified of the Telkom and Vodacom roaming agreement too. I've only just realised the benefit of dual SIM, cheap data and my Rainbird now works correctly.

I'd hate to go back
 