At a Glance | |
---|---|
Product | Anyfi.net [Website] |
Summary | Free Wi-Fi mobility platform that lets you securely connect to your home network from anywhere |
Pros | • Free • Easy to use • No end device software needed |
Cons | • Can’t reliably handle double NAT • Throughput limited |
Introduction
Updated 9/2/2013 – Added throughput test information
Updated 8/28/2013 – Incorporated clarifications & corrections from Anyfi
This review is about a wireless software platform called Anyfi.net, developed by Swedish company Anyfi Networks AB. Anyfi.net, billed as “The Open Wi-Fi Mobility Platform,” is software that can be integrated into wireless routers and access points that simplifies connecting to remote Wi-Fi networks.
Here’s the concept. Let’s say you’ve got Wi-Fi at home configured and running with your own SSID and password. However, when you take your Wi-Fi device (laptop, smartphone, tablet,…) elsewhere, you have to connect to a different SSID and enter a new password to get on line. Imagine a world where when you leave home, you connect to Wi-Fi securely and automatically without having to enter new passwords! That’s Anyfi.net’s goal.
How does it work?
To start, you need Anyfi.net software loaded on your home wireless router or access point. At the end of this review, I’ll discuss how you get Anyfi.net on a wireless router or access point.
As an end user with an Anyfi.net enabled wireless router or access point, you simply set up your Wi-Fi SSID and password as you normally would. You then connect your devices to your home network with your Wi-Fi password. You’re now able to access your home network and surf the Internet over your home Wi-Fi as normal.
In the background, when an Anyfi.net enabled home wireless router or access point comes on line, it registers with Anyfi.net’s Mobility Control Server, as depicted below. This is similar to VoIP technology where a VoIP device registers with a SIP server. The Anyfi.net registration message contains your wireless router or access point’s IP address and your SSID.
Registration
Once your Wi-Fi device authenticates with your Anyfi.net-enabled home wireless router or access point, your wireless router or access point sends a message to the Anyfi.net Mobility Control Server, depicted below. This message binds the MAC address of your Wi-Fi device (laptop, smartphone, etc.) to the previously described registration record on the Mobility Control Server. At this point, you are connected to your home wireless network as expected and prepared to go to other Anyfi.net networks.
Device Identification
Now, let’s say you visit a friend who is also using an Anyfi.net enabled wireless router or access point. Let’s say you want to use your Wi-Fi device(s) at your friend’s place. Normally, you’d have to ask your friend for their password to get on their Wi-Fi network. Not with Anyfi.net.
When your Wi-Fi device attempts to get on line, your friend’s Anyfi.net wireless router or access point will see your device’s MAC address and send a message to the Anyfi.net Mobility Control Server. The Mobility Control Server will reply to your friend’s wireless router or access point with the IP address of your home Anyfi.net wireless router or access point and the SSID used by your home Anyfi.net wireless router or access point.
Your friend’s wireless router or access point will then transmit your home SSID to only your device. At the same time, your friend’s wireless router or access point will set up a secure tunnel (called a Wi-Fi tunnel) to your home wireless router or access point, depicted below. Your laptop, smartphone, or tablet will then authenticate against your home network, using whatever Wi-Fi security protocol you have configured and you’ll be allowed to surf the Internet at your friend’s house. Your passphrase or other credentials always stay where they are and encryption keys are derived only in your own device and in your own home router.
Wi-Fi Tunnel
The end result is you’re on line and can surf, you didn’t have to enter a new password, and you have remote access to your home network. Further, your friend didn’t have to give you her Wi-Fi password, thus maintaining network security.
Configuration
A beauty of the Anyfi.net solution is that no software or configuration is required on your laptop, smartphone, tablet, or other Wi-Fi device. The Anyfi.net magic is entirely in the software loaded on the wireless routers and access points, along with the Anyfi.net Mobility Control Server. Thus, Anyfi.net can work automatically on Windows, Mac, Linux PCs; iPhones and iPads; Android smartphones and tablets and virtually any Wi-Fi enabled end device!
Anyfi.net sent three pre-configured Wi-Fi network devices with Anyfi.net software: a TP-Link TL-WR2543ND wireless router; Inteno VG50A wireless router and a Ubiquiti NanoStation loco access point. All three devices were preconfigured with different SSIDs and wireless passwords and all had Anyfi.net enabled. Anyfi.net gave me the Wi-Fi password for only the TP-Link, intending that I use the TP-Link as my home router. Thus, I used the Inteno and Ubiquiti for testing Anyfi.net remotely.
The only configuration option I could see for Anyfi.net in the TP-Link GUI was a check box to turn it on or off, shown below. Other than that, there were no configurable options or status screens. At minimum, I think Anyfi.net should add a screen to display the number of clients connected over an Anyfi.net tunnel, both on the remote and home wireless router or access point. Reports on number of clients and bandwidth utilization from Anyfi.net clients might also be useful.
Enabling Anyfi.net
Anyfi.net’s website provides detailed documentation on the ins and outs of Anyfi.net’s technology. This documentation not only describes the technology, but also provides guidance for vendors interested in integrating Anyfi.net software into their wireless routers or access points.
In Use
A requirement of Anyfi.net is you have to keep your home Anyfi.net wireless router or access point powered on and connected to the Internet. This makes sense, as the remote Anyfi.net wireless router or access point needs to tunnel your traffic back to your home Anyfi.net wireless router or access point, as shown below.
Using Wireshark, it looks like Anyfi.net devices send small UDP messages to the Anyfi.net network every 60 seconds, as shown below. Anyfi says these keep-alive messages are meant to keep the communication channel through the NAT open. The Anyfi.net device in the packet capture below is 192.168.199.124 and the Anyfi.net mobility server is 199.38.181.37.
Registration Packets
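The 60-second pattern described above can be picked out of a capture export automatically. The following is an added example, not part of the original review: the capture rows are constructed (only the two IP addresses come from the review), and the thresholds are assumptions.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample rows (not the review's capture): time_s,src,dst,proto,length
CAPTURE = """\
0.00,192.168.199.124,199.38.181.37,UDP,74
3.10,192.168.199.124,192.168.199.1,UDP,80
3.15,192.168.199.1,192.168.199.124,UDP,96
12.40,192.168.199.124,203.0.113.10,TCP,66
60.02,192.168.199.124,199.38.181.37,UDP,74
95.70,192.168.199.124,192.168.199.1,UDP,80
119.98,192.168.199.124,199.38.181.37,UDP,74
121.30,192.168.199.124,192.168.199.1,UDP,80
180.01,192.168.199.124,199.38.181.37,UDP,74
240.00,192.168.199.124,199.38.181.37,UDP,74
"""

def periodic_udp_flows(text, min_packets=4, max_jitter=2.0, max_len=128):
    """Return (src, dst, period_s) for small UDP flows sent at a steady interval."""
    times = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        t, src, dst, proto, length = row
        if proto == "UDP" and int(length) <= max_len:
            times[(src, dst)].append(float(t))

    flagged = []
    for (src, dst), ts in sorted(times.items()):
        if len(ts) < min_packets:
            continue  # too few packets to call it periodic
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = statistics.median(gaps)
        # Keep-alives are regular: every gap stays close to the median gap.
        if max(abs(g - period) for g in gaps) <= max_jitter:
            flagged.append((src, dst, round(period, 1)))
    return flagged

if __name__ == "__main__":
    for src, dst, period in periodic_udp_flows(CAPTURE):
        print(f"{src} -> {dst}: small UDP packet every ~{period} s")
```

On a monitored network the same check gives an inventory of devices that hold a NAT mapping open to an outside control server.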
I experienced inconsistent results remotely connecting my Windows 8 laptop and iPhone via Anyfi.net. In some tests, my laptop and iPhone immediately were able to connect to my home network. This is when the value of Anyfi.net was apparent. I was able to connect to my home Wi-Fi network even though I wasn’t at home. I didn’t have to enter a new Wi-Fi password or pay to join a hotspot, I was online without any configurations on my part!
In other tests, my laptop and/or iPhone intermittently could not see my home SSID, and thus could not connect to my home network. I contacted Anyfi.net about this issue, and they reported it was likely a “NAT issue… ‘disappearing SSID’ is typically what happens when the visited AP fails to reach the home router.”
In other words, my inconsistent results were likely due to my home firewall. I had installed the TP-Link behind my home router (a Linksys WRT310N), so the TP-Link was sitting behind another NAT (network address translation) router. For a remote Anyfi.net wireless router or access point to set up a tunnel to your home Anyfi.net wireless router or access point, an end-to-end connection must be set up between the remote Anyfi.net and home Anyfi.net wireless router/access point. Thus, a firewall between two Anyfi.net devices can interfere with the connection. Without a firewall between the remote Anyfi.net and the TP-Link, I had consistent connectivity to my home network with both my laptop and iPhone.
Depending on how you deploy Anyfi.net, a firewall may not be an issue. If you deploy an Anyfi.net-enabled wireless router directly connected to the Internet, remote wireless routers or access points should have no problem connecting to it. On the other hand, if you deploy a wireless router or access point behind a firewall as I did, that firewall can interfere with Anyfi.net connectivity. Anyfi.net is working on a solution they call their “supernode feature” that routes Wi-Fi tunnel traffic through a server with a public IP, which can possibly overcome firewall issues.
Wi-Fi Tunnel
An interesting aspect of Anyfi.net is the Wi-Fi tunnel to your home network. Your Wi-Fi device gets an IP address from your home network and you have access to everything on your home network. Essentially, it works like a VPN tunnel. The security isn’t as tight as an IPSec VPN tunnel, as it uses Wi-Fi encryption, but it is a simple means of connectivity to your home network.
I see pros and cons to this Wi-Fi tunnel. A pro is you have an easy tunnel to your home network without VPN hardware, software or configurations. Another pro is the remote network you are visiting stays secure. Remote networks allowing Anyfi.net connections are safe from those visiting clients, as those visiting clients only have access to their Wi-Fi tunnel.
The biggest con I see to the Wi-Fi tunnel is bandwidth. When connected to your home network, all your traffic goes through the Wi-Fi tunnel to your home network. When surfing the Internet while visiting another network, your Internet traffic is going through the tunnel to your home network. That means the web pages you download are first being downloaded to your home network, then uploaded from your home network to the tunnel, then downloaded by your laptop, smartphone, or tablet. The bottom line is the fastest you’ll be able to surf while roaming is limited to the upload speed of your home network. In my case, I have DSL with 12 Mbps download and 600 Kbps upload. Thus, the fastest I am able to remotely surf via Anyfi.net is about 600 Kbps.
If you’re deploying Anyfi.net on an access point, there are configurable Quality of Service settings for minimum and maximum bandwidth limits from mobile users for Anyfi.net access points, shown below. However, these QoS options don’t exist on Anyfi.net wireless routers, which seems a bit odd. The TP-Link router I tested with Anyfi.net software did not have these options.
QoS
Out of curiosity, I measured throughput over an Anyfi.net Wi-Fi tunnel. I used my usual throughput measuring tool, iperf with default TCP settings. I ran iperf on two PCs running 64-bit Windows 7 with their software firewall disabled. My Anyfi.net Wi-Fi tunnel was between the Ubiquiti AP and the TP-Link wireless router, both connected to the same wired LAN as shown in the diagram below.
Updated 9/2/2013
Anyfi.net tunnel throughput test setup
The best TCP throughput I measured in this optimal condition was 2.47 Mbps in either direction, shown in the screenshot below. 2.47 Mbps is not great, but it is fine for general web surfing.
Throughput
[Note, running a simple iperf throughput test between two PCs uses the command iperf -s on one PC and iperf -c (ip) on the other PC. Note also, the PC connected via Anyfi.net Wi-Fi was about three feet from the AP.]
To put this measurement into perspective, I also ran a reference wireless performance check and measured around 22 Mbps from the wireless client to wired client on the LAN. Wired throughput between the two machines used when both were connected to the Gigabit Ethernet switch was 359 Mbps.
Reference Wi-Fi throughput test setup
Security
I had the benefit of communicating with Björn Smedman, the CEO and Co-founder of Anyfi.net, who filled me in on Anyfi.net’s security. Anyfi.net supports Open, WPA, WPA2 and EAP/RADIUS Wi-Fi security. Anyfi.net doesn’t support WEP because they feel it’s not sufficiently secure.
Open networks are allowed only on Anyfi.net carrier tunnel termination gateways, not on normal Anyfi.net wireless routers or access points. Encryption over the Wi-Fi tunnel utilizes the 802.11 AES (or TKIP) encryption, all the way from the mobile device to the home wireless router or access point.
Further, Anyfi.net’s Mobility Control Server does not know your home Wi-Fi password, only your SSID and the MACs of devices that have already accessed your network. Thus, even if Anyfi.net’s servers were compromised, there isn’t any information in them that has the password to your Wi-Fi network.
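To see why an SSID and a list of MAC addresses are not enough to produce traffic keys, here is the standard WPA2-PSK key derivation as an added example (not Anyfi.net code and not part of the original review). The SSID, passphrase, MAC addresses and nonces are constructed, and applying the PSK case assumes a home network configured for WPA2 with a passphrase.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase, ssid):
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    # 802.11 PRF: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def ptk(pmk, mac_a, mac_b, nonce_a, nonce_b):
    # Inputs are ordered min/max, so both ends get the same result.
    data = (min(mac_a, mac_b) + max(mac_a, mac_b)
            + min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    return prf(pmk, b"Pairwise key expansion", data, 48)  # 48 bytes for CCMP

def split_ptk(key):
    # KCK (handshake MIC), KEK (key wrapping), TK (AES-CCMP traffic key)
    return key[:16], key[16:32], key[32:48]

# Constructed values for illustration only.
SSID = "ExampleHome"
PASSPHRASE = "constructed-example-passphrase"
DEVICE_MAC = bytes.fromhex("021122334455")
BSSID = bytes.fromhex("02aabbccddee")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()

# What the review says the Mobility Control Server holds: SSID and device MACs.
SERVER_RECORD = {"ssid": SSID, "device_macs": [DEVICE_MAC]}

def traffic_key(passphrase):
    """TK as computed by any party that holds the passphrase."""
    pmk = pmk_from_passphrase(passphrase, SERVER_RECORD["ssid"])
    return split_ptk(ptk(pmk, BSSID, DEVICE_MAC, ANONCE, SNONCE))[2]

if __name__ == "__main__":
    print("TK at device and home router:", traffic_key(PASSPHRASE).hex())
    print("passphrase in server record:", "passphrase" in SERVER_RECORD)
```

The SSID is only the salt and the MAC addresses and nonces only diversify the session key; the passphrase is the single secret input, which is why the strength of that passphrase is what protects the tunnel.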
Conclusion
I have two concerns with Anyfi.net related to the Wi-Fi tunnel. One, the issue with firewalls could be a concern if you’re using a wireless router or access point behind another NAT/firewall as the home Wi-Fi device. Based on my tests, I recommend that your home Anyfi.net wireless router or access point(s) are not behind NAT/firewalls.
Two, Anyfi.net performance through a Wi-Fi tunnel isn’t blazing fast. It can be sufficient for Internet surfing, but remember an Internet connection with a slow uplink can impact Anyfi.net download performance. Anyfi says it has a solution for the uplink limiting problem for service providers. When they integrate Anyfi.net software in residential gateways, the ISP can install a 1U rack mount box (the Optimizer) that can open Wi-Fi tunnels and break out Internet-bound traffic centrally.
There are multiple options on how to get a wireless router or access point with Anyfi.net software. If you want to purchase a router preloaded with Anyfi.net, Inteno offers the VG50 and DG301. Anyfi.net is working with Inteno on including their software in more models and is in discussion with other Wi-Fi vendors to include Anyfi.net.
Anyfi.net welcomes other vendors to integrate their software as well. According to Anyfi.net’s website, Anyfi.net software is “available to all (wireless router and access point) vendors under a no-charge royalty-free license”. Vendors are invited to follow Anyfi.net’s step-by-step integration guide at http://anyfi.net/integration. Anyfi.net engineers are available to work with integration and licensing as needed.
Anyfi.net software is also integrated into CarrierWrt firmware. CarrierWrt bills itself as a stable version of OpenWrt firmware. The TP-Link wireless router I tested is an 802.11n Wi-Fi gateway router, loaded with CarrierWrt software based on OpenWrt 12.09. There are versions of CarrierWrt for other makes and models of wireless routers and access points available for free download on CarrierWrt’s download page.
Even with my two concerns stated above, I like Anyfi.net’s notion of having your “home Wi-Fi everywhere.” I would love to not pay for both home Internet and a data plan on my smartphone. If Anyfi.net can increase the availability of Wi-Fi and drive down the cost of Internet/data access, I’m all for it!