What's your experience with Cipherwave HomeConnect

steel_dog

Senior Member
Joined
Jul 5, 2010
Messages
769
Hi guys,
Would be keen to hear of experiences with Cipherwave HomeConnect.
They have a very well priced uncapped 20/20Mbps offering (unshaped, unthrottled) - R588 p/m.
I've heard that it's mandatory to use their own modem. Are there drawbacks to this?
For context - I currently serve up my VDSL connection using a Billion 8800NXL modem (which happens to be fibre ready) to an AC ASUS router. Works perfectly for me.
Thanks.
 

agentrfr

Executive Member
Joined
Jul 8, 2008
Messages
5,303
Stay away. All your traffic is passed through a vpn, everything you do is logged, you can't set up any form of Port forwarding, and they are technically man-in-the-middle for all your traffic and could decode anything you try to do securely, like online banking.

Avoid.
 

gripen

Expert Member
Joined
Aug 14, 2003
Messages
1,693
Is this your assumption based on the device they provide? Well, it's a basic Mikrotik router. I have replaced the router for someone else and it works just fine, no VPN. If that's your worry then it would be the same with any ISP service anywhere. The ISP can ALWAYS see all your unencrypted traffic. Online banking is by its nature encrypted so there is no way any man-in-the-middle can see any of that traffic.

If you use your own mikrotik (it's a R400 router) you can do any port forwarding or VPN stuff that you need to.
 

Zook

Active Member
Joined
Feb 15, 2012
Messages
80
Stay away. All your traffic is passed through a vpn, everything you do is logged, you can't set up any form of Port forwarding, and they are technically man-in-the-middle for all your traffic and could decode anything you try to do securely, like online banking.

Avoid.

How do they see your banking traffic? Your browser will connect to the bank website via SSL and will report any issues with the certificate. VPN or not, they can't read what you exchange with a secure service.
 

agentrfr

Executive Member
Joined
Jul 8, 2008
Messages
5,303
How do they see your banking traffic? Your browser will connect to the bank website via SSL and will report any issues with the certificate. VPN or not, they can't read what you exchange with a secure service.

Your browser will connect to the website using the IP provided by the DNS with the certificate from the same internet connection going through the same vpn. It is essentially a man-in-the-middle setup. Whether they do or don't operate it that way isn't the issue - it's that they can and you'll never know about it.

Besides, giving anyone the ability willy nilly to snoop your traffic whether or not it is encrypted is a misguided decision at best.
 

agentrfr

Executive Member
Joined
Jul 8, 2008
Messages
5,303
Is this your assumption based on the device they provide? Well, it's a basic Mikrotik router. I have replaced the router for someone else and it works just fine, no VPN. If that's your worry then it would be the same with any ISP service anywhere. The ISP can ALWAYS see all your unencrypted traffic. Online banking is by its nature encrypted so there is no way any man-in-the-middle can see any of that traffic.

If you use your own mikrotik (it's a R400 router) you can do any port forwarding or VPN stuff that you need to.

No, their rep was on here and said all traffic goes through their vpn so they can "better optimise everyone's service".
 

Zook

Active Member
Joined
Feb 15, 2012
Messages
80
Your browser will connect to the website using the IP provided by the DNS with the certificate from the same internet connection going through the same vpn. It is essentially a man-in-the-middle setup. Whether they do or don't operate it that way isn't the issue - it's that they can and you'll never know about out.

Besides, giving anyone the ability willy nilly to snoop your traffic whether or not it is encrypted is a misguided decision at best.

We're always running over others' networks, so every network is equally vulnerable. You're not "giving anyone the ability to snoop", they'd already see your traffic because you're going over their network (albeit encrypted or not). HTTPS (since you mentioned banking websites) relies on a certificate authority to provide identity of the server cert so a VPN isn't able to magically inject one unless it's also able to fool the browser into accepting a different cert that it can use for a MITM attack. Browsers trust cert authorities (and store their certs locally so aren't trusting the network), so certs signed by those CA's are trusted. You can get a dodgy bank certificate over a dodgy network, but your browser won't trust it because it's not signed by a trusted authority.

An attacking network would have to do a lot of work to break just one HTTPS-protected site, never mind all traffic to all destinations.
 
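To make the trust-anchor point above concrete, here is an added example (not from any poster in this thread) using the openssl command line: a certificate for a constructed hostname signed by a CA the client already trusts verifies, while a substitute for the same hostname issued by an intercepting network's CA is rejected unless that CA is itself installed on the client. All CA and host names are constructed.

```shell
#!/bin/sh
# Added example, not from any post in this thread: reproduces the trust
# check a browser performs on an HTTPS certificate using the openssl CLI.
# All CA and host names below are constructed for the demonstration.
set -eu
WORK=$(mktemp -d)

# Create a private key and a self-signed CA certificate for the named CA.
make_ca() { # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a server (leaf) certificate for a hostname, signed by the named CA.
issue_leaf() { # $1 = issuing CA name, $2 = hostname, $3 = output basename
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$3.ext"
  openssl x509 -req -in "$WORK/$3.csr" -days 1 -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/$3.ext" \
    -out "$WORK/$3.pem" 2>/dev/null
}

# What the browser does: build a chain to a trust anchor stored locally
# (not received from the network) and check the name matches the SAN.
# Returns 0 only when both checks pass.
client_accepts() { # $1 = trust anchor name, $2 = leaf basename, $3 = hostname
  openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$3" \
    "$WORK/$2.pem" >/dev/null 2>&1
}

# Print a verdict for one case when the script is run directly.
report() { # $1 = trust anchor, $2 = leaf basename, $3 = hostname
  if client_accepts "$1" "$2" "$3"; then echo "$2 via $1 for $3: accepted"
  else echo "$2 via $1 for $3: REJECTED"; fi
}

# The CA in the browser's store, and a CA run by an intercepting network.
make_ca trusted-root
make_ca intercept-root
# The bank's real certificate, and a substitute the network could hand out.
issue_leaf trusted-root   bank.example genuine
issue_leaf intercept-root bank.example substitute

report trusted-root   genuine    bank.example   # accepted
report trusted-root   substitute bank.example   # REJECTED: issuer not trusted
report intercept-root substitute bank.example   # accepted only if that CA is installed
report trusted-root   genuine    other.example  # REJECTED: hostname mismatch
```

The third case is the only way an in-path network can pass the check: its own CA must already be in the client's trust store, which is exactly what the browser's locally stored anchors prevent.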

steel_dog

Senior Member
Joined
Jul 5, 2010
Messages
769
No, their rep was on here and said all traffic goes through their vpn so they can "better optimise everyone's service".

That's very very odd indeed. Haven't heard of any major ISP running things through a VPN to "better optimize everyone's service".
The deviation from the norm raises concern.

Is this your assumption based on the device they provide? Well, it's a basic Mikrotik router. I have replaced the router for someone else and it works just fine, no VPN.
I read on another post that they don't share the router userid/password so any config would need to be passed through to them. The user in question had to sign a (security) waiver before they enabled passthrough of all ports. Just unusual so I'm keen to understand the implications - if any.
 

h00va

Active Member
Joined
Sep 4, 2015
Messages
57
I use them, and have had no issues thus far. I have them forward all traffic to my own firewall/router. No issue besides their downtime for maintenance. Their core seems solid, as they were a corporate ISP/MPLS provider first.

A man in the middle attack would be a little difficult with SSL, even with network device like Riverbeds, Citrix devices, etc... To decode traffic, you need the Private Key to match the Public Key, failing that you would need a pretty powerful machine to crack the encryption, and have it mean anything to anyone.

The VPN they do is to better manage the traffic over their core, otherwise they need to use the fibre providers infrastructure, which although very capable, would be off limits to them, and offers less optimisation than if they can control the traffic.

I do port forwarding from my own router/firewall, and can do everything I would have done on other ISP's or ADSL. No issues with their setup. FYI.... You also get a static IP.
 

steel_dog

Senior Member
Joined
Jul 5, 2010
Messages
769
@h00va - Thanks for the insights. Can you share what you needed to set up / request from them to ensure your router becomes the 'master'? How are your speeds, especially international? Any issues experienced so far? How's their support been?
Thx SD.
 

h00va

Active Member
Joined
Sep 4, 2015
Messages
57
@SD - Before they came out to install their router, I requested that when onsite, they must disable the wifi on their router, and then forward all ports on their router to my router. The technician then set up a static DHCP address on their router, so that my router always got the same IP on their private LAN. They do ask you to sign a waiver, but that is a technicality. (I still need to do that)

Effectively, the setup is : ONT --> Mikrotik (HC Router) --> Your Router --> LAN/WiFi

You then set your router to provide DHCP as per normal, and not forward their DHCP traffic. This is the norm for most routers, as you would plug the WAN Ethernet port of your Router/Firewall, into their router. Then everything is the same as when you were on DSL or other medium. As all ports from the public interface of the HC router are forwarded to your router, you can configure port forwarding and NAT'ing on your router as per normal. You will just need to get the external IP of their router, which can be done by going to http://www.whatsmyip.org/

The guy that setup my router, said that is my IP, and will never change, and is statically applied to the router.

I have the 20/20 service, and get anything between 19.15 Mbps and 19.7 Mbps up and down. My line is never idle, hence the fluctuation. (This is local speed tests)

I need to do a proper international test, but I do stream regularly, and have yet to have an issue. Due to work, I do pull files from international locations, and get full speed from my line.

Let me know if you need more details.
 

steel_dog

Senior Member
Joined
Jul 5, 2010
Messages
769
....
Let me know if you need more details.
Thanks buddy. That was very informative. The setup insights in particular are greatly appreciated. Will keep that in mind. Let us know what your international speedtests reveal.

Would be great if you could check speeds on the following when you have some time. Will help to compare my current setup :)
beta.speedtest.com - site: Towerstream, New York and site: Vodafone, London. VDSL is maxing out at 14Mbps. Before ASSIA - 18Mbps.
speedtest.vudu.com - video streaming. VDSL maxes out at 10Mbps. Before ASSIA - 16Mbps.
Thx!!
 

gripen

Expert Member
Joined
Aug 14, 2003
Messages
1,693
No, their rep was on here and said all traffic goes through their vpn so they can "better optimise everyone's service".

Oh really... Sounds like someone doesn't know what they are talking about or even what a VPN is. It works just fine with no VPN. Maybe what they were saying is it runs on their own network (like every other ISP) and is not just resold service?


That's very very odd indeed. Haven't heard of any major ISP running things through a VPN to "better optimize everyone's service".
The deviation from the norm raises concern.


I read on another post that they don't share the router userid/password so any config would need to be passed through to them. The user in question had to sign a (security) waiver before they enabled passthrough of all ports. Just unusual so I'm keen to understand the implications - if any.

This is correct. We tried to get them to help and/or give us a login on the router. No luck. Not sure what they are trying to hide since there is not much happening on the router - but perhaps they want to be able to manage mikrotik software versions or maintain CPE consistency which is fair enough.
There is certainly no VPN in play. We just swopped out the Mikrotik for an identical model of our own - used the same MAC address and kept the hostname the same. Works fine. If there are any issues we can unplug the new Mikrotik and replace it with the old one. Though then we would lose a lot of capabilities which the Mikrotik provides (custom DHCP server, choice of SSID, choice of IP range, incoming VPN server, own firewall rules, DynDNS updates for cosmetic reasons etc).

h00va said:
@SD - Before they came out to install their router, I requested that when onsite, they must disable the wifi on their router, and then forward all ports on their router to my router.
That's quite a mission. For all that you don't gain that much flexibility, some security perhaps. Also you need to be clear and careful about "all ports". You still need to open tickets if you want to change something. I guess it is somewhat better than the default scenario.

I'm not advocating cutting out the provided solution - just that there is a way to gain more functionality which in fairness is more for the "power user". Their prices are competitive - part of which is because they don't want excessive "I broke my router" tickets being logged. So it does make sense. I think it's pretty neat to be able to use your own Mikrotik actually - I would support them just for this ironically enough. Now if they actually do force everyone to use a VPN (entirely possible and actually what I expected with seeing a Mikrotik) then I will retract what I say...
 

h00va

Active Member
Joined
Sep 4, 2015
Messages
57
Originally Posted by gripen

Maybe what they were saying is it runs on their own network (like every other ISP) and is not just resold service?

I tried not using the Mikrotik they supply, and I get a completely different IP address range, and I cannot get full speed on my line. I am throttled to about 8-9Mbps. It also fluctuates and seems to be a contended service.

From what I understand, this is what new users get while awaiting installation of the router. Once the Mikrotik was installed, I got full capacity.

They may very well be using a VPN to route the traffic onto their MPLS core. As you said gripen, where they use their network.

It would make sense, considering they do have an established MPLS/national network.
 

gripen

Expert Member
Joined
Aug 14, 2003
Messages
1,693
I tried not using the Mikrotik they supply, and I get a completely different IP address range, and I cannot get full speed on my line. I am throttled to about 8-9Mbps. It also fluctuates and seems to be a contended service.

From what I understand, this is what new users get while awaiting installation of the router. Once the Mikrotik was installed, I got full capacity.

They may very well be using a VPN to route the traffic onto their MPLS core. As you said gripen, where they use their network.

It would make sense, considering they do have an established MPLS/national network.

With respect, don't talk about MPLS if you don't know what it is or if it's not relevant :crylaugh: which to the end user is the case here. That just confuses things. They may or may not be using MPLS but it's totally irrelevant. There is no VPN involved here. End of story.

You are correct, you won't get the same IP as your MAC address is not "authorised" (yet) so you will hit the portal if a new subscriber or if you change device you will hit a walled/open garden scenario and be null routed or rate limited as you say. All you need to do is plug the mikrotik into your laptop, run Wireshark and get the MAC address of the LAN port facing the optical/copper media converter box on the wall. Note that down. Change your MAC address to that value on your other device (not always possible, but dead easy with a mikrotik) and you are good to go. The ISP is none the wiser on Vumatel. It's very basic MAC based authentication (or authorisation actually).

Basically once your MAC is authenticated by the Vuma portal, your physical port is assigned to your ISP (changed on the network side). Then, you reboot or renew your DHCP and you get given an IP address based on your MAC. Once your MAC is "stored" by the ISP, they provide you an associated level of service. Since you arrive on a "known" port but using an anonymous MAC, you hit some kind of secondary catch-all portal. Change the MAC to the "stored" one and you are all set.
 

h00va

Active Member
Joined
Sep 4, 2015
Messages
57
@gripen Fair points, and I agree with you. I fight networks, etc enough at work, and I just want as little hassle at home as possible. With respect, I do know what MPLS is, and have worked extensively building corporate WANs and worked internally at an ISP/network provider on their PE routers. Yes, it is irrelevant to end users.

I will try what you suggested with the MAC addresses at some point, as I know Vumatel do MAC authentication. I just have not had the time or inclination to dig deeper/tinker at this point.
 

gripen

Expert Member
Joined
Aug 14, 2003
Messages
1,693
@gripen Fair points, and I agree with you. I fight networks, etc enough at work, and I just want as little hassle at home as possible. With respect, I do know what MPLS is, and have worked extensively building corporate WANs and worked internally at an ISP/network provider on their PE routers. Yes, it is irrelevant to end users.

I will try what you suggested with the MAC addresses at some point, as I know Vumatel do MAC authentication. I just have not had the time or inclination to dig deeper/tinker at this point.

I gathered as much :whistling: and for what it's worth I actually don't think Cipherwave even has an MPLS network - they are a tiny ISP - or if they do, they wouldn't use it for Vumatel - then again, they say they have been around for many years so who knows.

It's worth the effort to spend the R300-R400 to get a Mikrotik (they use a MikroTik RB9412nD hAP lite SOHO 2GHz WiFi Router), set it up once and then you have ALL the functionality you need. I guess I'm one of those people who needs the extra bells and whistles, I also can't stand locked down boxes when they don't need to be locked down....
 

h00va

Active Member
Joined
Sep 4, 2015
Messages
57
Thanks buddy. That was very informative. The setup insights in particular are greatly appreciated. Will keep that in mind. Let us know what your international speedtests reveal.

Would be great if you could check speeds on the following when you have some time. Will help to compare my current setup :)
beta.speedtest.com - site: Towerstream, New York and site: Vodafone, London. VDSL is maxing out at 14Mbps. Before ASSIA - 18Mbps.
speedtest.vudu.com - video streaming. VDSL maxes out at 10Mbps. Before ASSIA - 16Mbps.
Thx!!

Hi SD.... I haven't forgotten the tests.... I will run them tonight. Been away from home.
 

h00va

Active Member
Joined
Sep 4, 2015
Messages
57
Thanks buddy. That was very informative. The setup insights in particular are greatly appreciated. Will keep that in mind. Let us know what your international speedtests reveal.

Would be great if you could check speeds on the following when you have some time. Will help to compare my current setup :)
beta.speedtest.com - site: Towerstream, New York and site: Vodafone, London. VDSL is maxing out at 14Mbps. Before ASSIA - 18Mbps.
speedtest.vudu.com - video streaming. VDSL maxes out at 10Mbps. Before ASSIA - 16Mbps.
Thx!!

Hi SD.... Here are the tests below. I was a bit disappointed with the VUDU test.

I did a few other local tests, and they were all very much the same ball park.

Hope this helps your decision.

[Three speed test result screenshots attached]