Looks like man in the middle, but only on Cambium Wifi?

I am not getting anywhere with support.

So let’s try it here.

At home… I am running 2XV2-2s as I try to get proficiency with Cambium.

I have hit a problem that if I saw it in the field… My first thought would be: “man in the middle.”

First the problem.
I have noticed a few problems on my network when trying to use my Roku Video Streamers.

When I open the Vudu app… It takes a while. Appears to hang for a bit then loads. If I select a video that I OWN… And try to play it. It fails 9 out of 10 times. And displays the error screen attached.

When I open Amazon Video… It really hangs for a while. Then an error screen flashes in German for a few seconds. Then it loads the video selections and works REALLY SLOWLY. Nothing fails to play… But it is noticeable.

I have also noticed my son’s Roku TV showing an IP address outside the scope of my dhcp-server. (In CN Maestro)

This reminds me of an old hack I saw on routers back in 2019.

The hijacker had set up the routers to use him as their DNS service and send their traffic over his network.

He also had “fake error screens” for anything that involves a password. So you try to go to Amazon… Get an error. Try to log back in… He has your user and password. Netflix… Same thing. Not sure how many other sites… Once I identified it… I submitted it to the manufacturer and it was patched.

Now in my case here…
The Cambium XV2-2s are set up as wireless APs only. They have the EXACT SAME SETTINGS AS MY OTHER ACCESS POINTS. Right down to the channels and widths used.

I have access points from Mikrotik and Ruckus sitting right next to the XV2-2s.

I log into the switch and select which units get power. All the wireless devices in my home instantly jump between when powered up.

With either the Ruckus or the Mikrotik… These problems do not occur.

I could troubleshoot a wireless issue… But that German screen and the fact that Vudu doesn’t work seem strange.

I have tested this about 20 times at this point, and it is absolutely repeatable.

I have turned off the Cambium units for now as I don’t trust them. I have dug through my router and switches looking for anything like a man in the middle hack. Can’t find anything.

As stated… I opened a case with Support. They asked for a support file and Super Admin access to my CN Maestro. I provided this and support confirmed that the Roku wasn’t disconnecting. But they didn’t tell me that they found something in my config yet.

Confirmation Bias, is the death of proper investigation. So I don’t wanna assume it’s something without actual evidence. But I am “kind of stuck” at the moment.

Will turn the XV2-2s back on today, and jump on the wifi. Need to “start small” and try some traceroutes.

So anyone here got any ideas?


Do you get the same problem if you access the services from a PC, or is it restricted to the Roku devices?

Appears to be restricted to the Roku when it comes to Vudu.

Amazon also works right away on my phone.

I assume you’ve updated the XV-2s to the latest firmware?
You’ve updated the Rokus to the newest firmware?
Have you tried maybe forcing the Rokus to use 5GHz or 2.4GHz to see if it makes a difference?

I had some very strange problems like what you’re describing, and after a lot of troubleshooting and testing I discovered it was my router, and I swapped that out and my problems went away.

@Eric_Ozrelic
Tried the most up to date firmware. Rolled back to the recommended firmware… Problem remains.

Router and switches do not change. I actually plugged the WAPs into the same wire to swap them. (They were side by side and I would only power on one port on the switch for one BRAND of wireless at a time.)

The Roku Ultra is 11 feet from the access point. Channel is 149 and width is set to 80.

Ruckus and Mikrotik in the same spot do not have the issue.

We have to perform step-by-step troubleshooting to nail down the issue.
Please answer the questions below.
As you mentioned in the post, the radio settings remain the same for the XV2 and Ruckus devices:

  • Please confirm the configuration is also the same (make sure the basic wireless and network settings are the same on both devices).

  • Is the network infrastructure the same when using both devices? That is, DHCP / DNS / default gateway etc.

  • Are all sites blocked/not accessible when the XV2-2 is used, or only specific sites?

  • Is there any response from the DNS server when accessing the failed websites? (A packet capture on the laptop will show these details.)

  • Please confirm there isn’t any DNS ACL in the XV2-2 blocking specific traffic.

  • Please do an nslookup for the inaccessible websites/URLs from the laptop and check whether you are getting a response or not. Please ping the IP address of Amazon Prime and verify the response.

Regards
Anand
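The DNS and DHCP-scope checks asked for in this reply (and the Roku address outside the DHCP scope mentioned in the original post) can be scripted so that the same test is run behind each AP. The following is an added example, not code from Cambium or from anyone in this thread: it builds a raw DNS A query, sends it to a resolver you name, parses the reply with the transaction id checked, compares the answer sets from the AP-side resolver and a reference resolver, and lists client addresses that fall outside a DHCP scope. The resolver addresses, the scope 172.16.14.0/24, the client table and the sample reply are constructed for illustration; only 172.16.14.204 is an address that appears in the thread.

```python
"""Scripted version of the DNS / DHCP-scope checks from the thread.

Added example with constructed inputs; resolver addresses and the DHCP scope
are assumptions, not values from the thread.
"""
import ipaddress
import random
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A query (recursion desired) with transaction id txid."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return offset + 2
        offset += 1 + length


def parse_a_answers(response: bytes, expected_txid: int) -> list[str]:
    """Return the sorted IPv4 addresses in the answer section of a DNS response.

    A reply whose transaction id does not match our query is rejected: that is
    the first thing to check before trusting a UDP answer.
    """
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(response, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(response, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlength
    return sorted(addrs)


def resolve_a(name: str, server: str, timeout: float = 2.0) -> list[str]:
    """Ask one specific resolver for A records over UDP (needs network access)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


def answers_disagree(local: list[str], reference: list[str]) -> bool:
    """Heuristic: two resolvers that share no address for a name disagree.

    CDN-hosted names (the streaming services in the thread) legitimately return
    different subsets per resolver, so only a completely disjoint answer set is
    treated as worth a closer look.
    """
    return not (set(local) & set(reference))


def out_of_scope(clients: dict[str, str], scope: str) -> list[str]:
    """Names of clients whose address lies outside the DHCP scope (CIDR string)."""
    net = ipaddress.ip_network(scope)
    return sorted(h for h, ip in clients.items() if ipaddress.ip_address(ip) not in net)


def sample_response() -> bytes:
    """A constructed DNS reply (txid 0x1234) with two A records, for offline use."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

    def rr(ip: str) -> bytes:  # answer RR whose name points back at the question (0xC00C)
        return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton(ip)

    return header + question + rr("203.0.113.5") + rr("198.51.100.7")


if __name__ == "__main__":
    print("parsed:", parse_a_answers(sample_response(), 0x1234))
    # Constructed client table; 172.16.14.204 is the Roku address seen in the thread.
    clients = {"roku-ultra": "172.16.14.204", "roku-tv": "10.0.0.23"}
    print("outside 172.16.14.0/24:", out_of_scope(clients, "172.16.14.0/24"))
    # Live comparison: replace the placeholders with the resolver the AP hands
    # out via DHCP and a reference resolver you trust, then run behind each AP.
    # local = resolve_a("example.com", "<AP-supplied resolver>")
    # ref = resolve_a("example.com", "<reference resolver>")
    # print("disagree:", answers_disagree(local, ref), local, ref)
```

Run it once behind the XV2-2 and once behind the Ruckus or Mikrotik with the same target name; a disjoint answer set or a transaction id mismatch on only one AP is the evidence the reply above is asking for, while identical answers on both point the investigation back toward the wireless path.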

I have been working on this for a few days… let me see what I can answer here.

  1. The wireless settings are about as close to the same as I can get them. As I stated, when I power down any manufacturer’s WAP… all devices in my home disconnect. Power up ANY of the manufacturers’ WAPs… everything instantly connects. Confirmed this about 60 times now.

  2. The only change between using the WAPs from each manufacturer… is which one is powered up. To eliminate something on my switch… I PHYSICALLY SWAPPED ACCESS POINTS ON THE SAME WIRE. I had been toggling switch ports on and off to make quick changes. But the physical swap ruled that out.

  3. It is specific APPs that have to reach SERVICES, that fail.

  4. Yes. I have opened Torch (Mikrotik live view of packets) and watched as the Roku made a connection to Limelight (where the movie was streaming from). Took a screenshot of it. Swapped wireless and saw the Roku try to connect to the same IP from Limelight and nothing came back. Then the error screen shows up.

  5. I did not put any ACLs on the XV2-2. I have had support look over my config and support file and neither pointed to an ACL.

  6. I can use my phone or computer to reach these services and they work. Even on wireless.

I am hoping someone from support can arrange a call with me. I will set them up with a DIRECT CONNECTION TO THE XV2-2. Then we can try these things in live time.

Would probably get us to a solution a lot quicker.

Could this be an MTU problem? Can you tell what the MTU settings are on each of your APs?

e.g.

Actual MTU at the Switch port shows as 1500.
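The MTU question can be settled from a laptop behind each AP in turn rather than by reading the switch port setting. The following is an added example, not code from the thread or from Cambium: it binary-searches the largest DF-bit ping payload that still gets a reply and converts that into a path MTU, so the XV2-2 and the Ruckus or Mikrotik can be compared against the same target. The live probe shells out to Linux iputils ping (`-M do` sets the DF bit); the target address and the 1472-byte upper bound (a 1500-byte MTU minus the 20-byte IPv4 and 8-byte ICMP headers) are assumptions.

```python
"""Path MTU probe for comparing two access points.

Added example; the target host and the 1472-byte default are assumptions.  The
live probe uses Linux iputils ping with the DF bit set ("-M do"), so a packet
larger than the path MTU is dropped instead of fragmented.
"""
import subprocess
from typing import Callable, Optional

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """True if a single DF-bit echo carrying `payload` data bytes gets a reply."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> Optional[int]:
    """Largest payload in [lo, hi] the path accepts, found by binary search.

    Assumes the path is monotonic (if N bytes pass, anything smaller passes).
    Returns None when even `lo` fails, which points at a problem other than MTU.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu(probe: Callable[[int], bool], hi: int = 1472) -> Optional[int]:
    """Convert the largest accepted ICMP payload into a path MTU in bytes."""
    payload = find_max_payload(probe, 0, hi)
    return None if payload is None else payload + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    # Run this once per AP against the same wired target; a smaller result
    # behind one AP is the MTU clue this reply is asking about.
    target = "192.0.2.1"  # placeholder target, not an address from the thread
    print("path MTU via this AP:", path_mtu(lambda n: ping_df(target, n)))
```

If the result is 1500 behind every AP, MTU is ruled out and the comparison can move on to the packet captures suggested further down the thread.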

I don’t fully understand your network layout - when you were looking at the live traffic and could see the Roku attempting to connect to Limelight, was that after it had left the cnPilot? If so, then I think you need to compare those packets with the equivalent ones when using a different AP to see what is different.

In Mikrotik I opened the interface for the bridge. The bridge contains the ports that my switch is connected to.

Since I know the IP address of the Roku… I can set Torch to show me the connections from an IP to an IP. So what I did was check the traffic from the Roku to the interwebz when it was working, which looks like:
source : 172.16.14.204:56247 dst : 69.28.187.168:80

This looked the same no matter what wireless I used. However… packets actually move at about 11 Megs per second when it’s actually working.

Are you able to get a .pcap packet capture that you could open in Wireshark that shows a successful connection, and another one with an unsuccessful connection?

Ohh it gets worse… some movies from Vudu actually play.
Spaceballs works!
As Good as it Gets, doesn’t.

Maybe the XV-2 doesn’t like your taste in movies? :laughing:


But the Amazon thing coming up in German, is the “WTF” that is gonna have a client tell me that it has to leave NOW!

Just for laughs… was playing As Good as it Gets from the Ruckus wireless. Unplugged the Ruckus mid-movie… swapped to XV2-2s… movie is still playing.

@Simon_King
Talk with Gary. We got a lot of data today.

And for anyone keeping score…

IT HAD NOTHING TO DO WITH MY CONFIGURATION!

Or my taste in movies @Eric_Ozrelic

So do tell… what’s the resolution?

@Eric_Ozrelic
Beats the s–t out of me.

But turning on air cleaner, or whatever it was, gave us a whole new problem.

So it’s back to engineering for now.