
 Official TM UniFi High Speed Broadband Thread V43, READ 1ST PAGE FOR RELEVANT WIFI INFO!

kwss
post Aug 11 2025, 10:10 PM

Regular
******
Senior Member
1,208 posts

Joined: Aug 2018
QUOTE(Tirek @ Aug 11 2025, 08:36 PM)
7. What's the catch ya? I mean other than TM keeping me as their customer, are there any hidden things that I don't know? Maybe like, the new supposedly upgraded speed will reroute me to a slow international cable? Or ping when I play video games will be high?
*
The notion of price doesn't exist in the provisioning profile.
Your 500M will work the same as every other 500M out there.
kwss
post Aug 15 2025, 11:32 PM

QUOTE(hsbb @ Aug 15 2025, 09:46 PM)
Finally someone with Sangfor.. kwss may be interested. The brand I see at government clinics or premises under GITN.
*
I am just a routing guy.
If you don't have a dedicated security team, then NGFW is fine.
For places with a dedicated security team, like really big ass security team, they will all use NetFlow + SIEM.
This also means Cisco switch / router is standard because no other vendor can provide full flow at wirespeed.
Then the flow will feed into IBM QRadar or some other SIEM tool.

The SIEM will have some kind of machine learning that learns from your past 1 month's worth of data and warns you about anomalies. This is the automated stuff.

You then do BGP peering with all your edges so the software can respond automatically to blackhole attacks in real time. This way, there's no choke point. Think about Cloudflare DDoS protection at a smaller scale.

Then there's the advanced stuff which is threat hunting. They have a dashboard where you can do all sorts of queries to hunt for APT. I strongly believe it is this capability that led to the detection of China APT by the Singapore government recently.

Lastly, perimeter security is kind of outdated. It is all zero-trust now.
kwss
post Aug 15 2025, 11:33 PM

QUOTE(RiriRuruRara @ Aug 15 2025, 10:42 PM)
Anyone else experiencing a bit slow internet at night recently???
*
Congestion at the international gateway is a daily occurrence now.
Anything that touches USA, congestion says Hi.
kwss
post Aug 15 2025, 11:55 PM

QUOTE(PJng @ Aug 15 2025, 11:46 PM)
OK, seems the line is slow again now. Here I tested several DNS; after testing I ran cmd flushdns

quad9

google

cloudflare

off DNS


I'm not sure if I did it correctly or not
*
You can just speedtest MyIX using any DNS server. It won't affect the speed.
Cloudflare wise then maybe the DNS will affect it. But it seems you are connected to KUL, the same as me.


kwss
post Aug 16 2025, 01:04 AM

QUOTE(hsbb @ Aug 16 2025, 12:58 AM)
Unifi 100Mbps.

IPV4

IPV6

*
Interesting. I am connected to KUL regardless of IPv4 or IPv6. What DNS server are you using? I am using Google DNS.
IPv4:

IPv6:

kwss
post Aug 16 2025, 10:28 AM

All this firewall talk reminds me of this case where an attacker physically planted a 4G-equipped Raspberry Pi inside a bank network.

UNC2891 Bank Heist: Physical ATM Backdoor & Linux Forensic Evasion
https://www.group-ib.com/blog/unc2891-bank-heist/

In this kind of case, the only way to successfully threat hunt is to have NetFlow data of every single port, on every single switch / router at the edge.

This is how organizations identify if their VPN or firewall appliances have been compromised. NetFlow data from adjacent devices recorded the flow in SIEM.

There is no way a firewall at the perimeter is going to detect a 4G modem inside a secure network transmitting data. IDS / IPS or any software that requires port mirroring to work won't be able to detect this kind of risk reliably as well. The reason being there are too many ports to mirror. It is impossible to scoop up traffic that moves laterally, aka traffic that doesn't go out the uplink.

Just like I don't believe AI will replace software engineers or network engineers, I do not believe some off the shelf product will replace security engineers or even the Security Operation Center. Just like Network Operation Center still exists.

There are many nuances, troubleshooting, debugging, diagnostic that AI cannot do, especially when they combine skills from multiple domains + intimate knowledge of your setup / environment.

Also note that APT and some of the more advanced attackers are security / network / software engineers themselves. They surely have a lot of experience working in SOC / NOC and know how all these SIEM SOAR EDR work.

If your goal of buying NGFW is to tick a checkbox with an auditor such as PCI-DSS, then it is fine. If you think it is going to catch bad guys, think again.
You need a hacker to catch another hacker.
NGFW is only going to catch some kiddies.
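
An added example, not part of kwss's post: a small Python sketch of the hunt described above, run over constructed per-port flow records. The address ranges, switch and port names, inventory and flow tuples are all assumptions made up for illustration; the planted device's own 4G traffic never touches the wired network, so only its lateral flows exist to be found.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed internal range
INVENTORY = {"10.1.1.10", "10.1.1.20", "10.1.2.30"}  # assumed asset list
UPLINKS = {("core-sw1", "Te1/1")}                    # assumed uplink port

# Constructed flow records: (exporter, input_port, src, dst, dst_port, bytes)
FLOWS = [
    ("acc-sw1", "Gi0/3", "10.1.1.10", "203.0.113.10", 443, 52_000),
    ("core-sw1", "Te1/1", "10.1.1.10", "203.0.113.10", 443, 52_000),
    ("acc-sw1", "Gi0/4", "10.1.1.20", "10.1.2.30", 445, 8_000),
    ("acc-sw2", "Gi0/7", "10.1.2.99", "10.1.2.30", 22, 310_000),
    ("acc-sw2", "Gi0/7", "10.1.2.99", "10.1.1.20", 445, 95_000),
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def lateral(flows):
    """Flows with both ends internal: they never cross an uplink."""
    return [f for f in flows if is_internal(f[2]) and is_internal(f[3])]

def seen_at_uplink(flows):
    """What a sensor fed only from the uplink port would have recorded."""
    return [f for f in flows if (f[0], f[1]) in UPLINKS]

def unknown_sources(flows, inventory):
    """Internal sources missing from the inventory, keyed by access port."""
    hits = defaultdict(lambda: {"peers": set(), "bytes": 0})
    for exporter, port, src, dst, dport, nbytes in flows:
        if (exporter, port) in UPLINKS or not is_internal(src):
            continue
        if src not in inventory:
            entry = hits[(exporter, port, src)]
            entry["peers"].add((dst, dport))
            entry["bytes"] += nbytes
    return dict(hits)

if __name__ == "__main__":
    print("lateral flows:", len(lateral(FLOWS)))
    print("visible at uplink:", len(seen_at_uplink(FLOWS)))
    for key, info in unknown_sources(FLOWS, INVENTORY).items():
        print(key, sorted(info["peers"]), info["bytes"])
```
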
kwss
post Aug 16 2025, 08:49 PM

QUOTE(hsbb @ Aug 16 2025, 08:26 PM)
kwss, route to cloudflare from my 800Mbps unifi for IPV4. I now mask my IP compared to the 100Mbps cgnat ip before.

1st test

2nd test

3rd test


** No IPV6 because I don't use IPV6 for LAN clients. Only my PPPOE WAN have it. For mobile APN also I disable IPV6.
*
I think it's a Cloudflare behavior. They are the only CDN to steer people towards a random nearby server within 50ms.
At least AWS and Google don't do this.

I speedtest off KUL server but this forum consistently connects to SG. I tested using Celcom and it goes to SG for speedtest as well.

Actually I am not so sure at which physical location TM peers with Cloudflare. The latency seems a bit high. Could be Johor, could be Singapore.
kwss
post Aug 16 2025, 08:53 PM

Another story of perimeter security failure.
This organization requires MFA if they are physically outside the office. However, no MFA is required if they are in office.

A Russian APT then hacked their neighbors, just so they can hack their WiFi, bypass MFA and they are in.

The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
https://www.volexity.com/blog/2024/11/22/th...-covert-access/

So how do you know if your security product is good? You don't. It's the hardest product to evaluate unless they have a track record of catching real hackers.
kwss
post Aug 16 2025, 11:15 PM

QUOTE(blackbox14 @ Aug 16 2025, 11:07 PM)
Yes, I'm aware. But it would still help to have contacts in case one of those extreme situations happen.

I'm happy to report that my case was resolved thanks to them, but only about an hour before the 24hr deadline. The cause was one of the trees nearby that grew too tall and allowed squirrels to reach and bite the fiber cable outside my premises.

One thing I am curious about: I was observing the technicians as they worked and noticed that they did not replace the affected cable, but instead they went to another location for some time, then returned to the box on the nearby pole. They then did some splicing and modification of the box and the fiber signal returned.

Any of our sifus can shed some light on what happened there?
*
Take a picture of the repaired fiber?
It is common to just cut the fiber and then install a quick disconnect at both ends to connect them again.
You will see some laser losses but it will still operate.



It could be fusion splicing as well.
kwss
post Aug 16 2025, 11:22 PM

Watch the first minute of this video. They probably went to look for the tool or someone to identify the actual location of the fiber cut.

kwss
post Aug 16 2025, 11:47 PM

QUOTE(blackbox14 @ Aug 16 2025, 11:42 PM)
Sorry, I should clarify: the affected cable is the kind that is suspended by poles. The tree in question is between the two poles. They didn't do anything to the affected piece of cable at all. They did not reconnect it or anything. I saw them climb the tree and verbally confirm that it was an animal bite (squirrel), then they just left for a while.

When they came back, all they touched was the box and the signal returned.
*
TM uses fiber with multiple strands inside. There are cables from 2 strands up to 200+ strands per cable.

If the cable is not cut in half, there is a high chance some other strands are usable.
They just go back and connect a different strand to see which one works.
kwss
post Aug 16 2025, 11:53 PM

Some simple testing on which cloudflare speedtest server.

IPv4:
CODE

for i in {0..100}; do curl -4 -s https://speed.cloudflare.com/cdn-cgi/trace | grep colo; done



IPv6:
CODE

for i in {0..100}; do curl -6 -s https://speed.cloudflare.com/cdn-cgi/trace | grep colo; done




IPv6 will use the closest POP all the time. IPv4 will pick between KUL, JHB, SIN.

But for forum.lowyat.net, 100% of the IPv4 and IPv6 goes to SIN.
kwss
post Aug 16 2025, 11:56 PM

QUOTE(blackbox14 @ Aug 16 2025, 11:51 PM)
I see. Then something still needs to be done about the tree to prevent the squirrels from biting the cable again.
*
Actually how long have you been on this TM infra? The chance of this happening is quite rare.
You will only be immune if your taman has those special underground cable runs which are fully covered.

I am sure there will still be a hole big enough somewhere for a rat to go in but the holes are only big enough for a baby rat.
kwss
post Aug 17 2025, 12:04 AM

Also want to add on.
Outsiders don't have access to the OLT.
There is no way for them to connect the good strand to the OLT even if they can identify where the physical damage is.

They must either fusion splice it in place or use the quick disconnect repair method.
For armored cable, this is going to be fun.
kwss
post Aug 17 2025, 12:45 AM

QUOTE(blackbox14 @ Aug 17 2025, 12:36 AM)
Yeah, I never found the exact cause of that damage, but very likely it was a neighbor doing renovations to their home that time. There was a crane in the area the same day.
*
Construction mostly are gone case for fiber cable.
Other than that, fiber cable normally has a lifespan of around 50 years, which gives telco a significant cost advantage once the ODN is built.
kwss
post Aug 17 2025, 01:27 AM

QUOTE(blackbox14 @ Aug 17 2025, 01:17 AM)
Funny story: a few years back, a carelessly driven lorry reversed into one of the TM fiber poles in my taman and knocked it down. Lorry ran away before anyone could take a picture. There was no outage. Internet was working fine.

It took TM 3 or 4 days to get a new pole set up but there was 0 downtime throughout that incident. The squirrel is more potent than the lorry in this case.
You're very lucky then. In my case 7 other account owners had to make noise before they stopped insisting it was a problem with my home. This recent outage was also the longest at 23 hours (only beaten by my previous home at ~42 hours), and the first one where TM technicians didn't show up in the night to fix the issue.

In the past, any outage would be restored overnight, in less than 12 hours. I personally saw them show up, but I couldn't tell what repairs were being done, unlike today.

Maybe as you said, I had a neighbor who is a contractor with TM also using Unifi, but the person moved out of the area in the last year or so.
*
See your luck. All outdoor fiber cable has a metal strengthener inside. Whether they are able to hold or not depends on how much slack is there and how heavy the pole is.

I think the person you were talking to doesn't know shit. If the ONU loses power, it will send a dying gasp to the OLT. The OLT Manager will know it is your ONU that loses power.
If a branch on the optical splitter is cut, all ONUs from that branch will lose sync simultaneously. The operator can see a bunch of ONUs going offline at the exact same time, all without dying gasp.
kwss
post Aug 18 2025, 12:09 AM

Becoming your own ISP at home.
I don't think you can do this in Malaysia due to all the "gatekeeping". Hence why Internet here is generally expensive.


kwss
post Aug 19 2025, 09:45 PM

QUOTE(hsbb @ Aug 19 2025, 09:27 PM)
Anyone know which ONU is better between ZTE F620 & Nokia G-240G-E ??
*
ZTE F620.
A lot more customizable.
kwss
post Aug 19 2025, 10:49 PM

QUOTE(hsbb @ Aug 19 2025, 10:17 PM)
kwss, see the difference between maxis & unifi. Both routed to Cloudflare KUL.


Maybe u can write a little about BGP lists of best path algorithm.
*
I don't know how to answer your question. You cannot explain away 2 traceroute screenshots with BGP best path.

BGP works the same for all implementations, at least the path vectoring, which in computer science terms is a Greedy Algorithm.

You can quickly see its limitations by going to leetcode and doing a Greedy Algorithm question. The best time to buy-sell stock is enough to get the gist of it.

Now TM naturally is a lot more difficult to optimize for, due to their peering with a lot more IX. There's a lot of duplicated AS in every one of these IX.

In this situation, you cannot simply peer with the Route Server because then you will hit the Greedy problem.

This is where the AS Path to all of these AS is the same to BGP best path, but in reality, one can be in MyIX, another could be in London.

In the real world, light needs more time to go to LON than KUL. Hence the more complex the network, the more the role of BGP Optimization software matters.

What it does is basically change a few parameters that affect how traffic egresses.

For ingress, prepending can be used to steer traffic away from a border router.

None of these works that well since TM is pretty much an eye-ball network. It's a different story for cloud providers and CDNs who can do edge processing. For TM, there's no edge computing, all traffic must reach your house to be useful.

EDIT:
The leetcode question
https://leetcode.com/problems/best-time-to-...and-sell-stock/

This post has been edited by kwss: Aug 19 2025, 10:54 PM
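
An added example, not part of kwss's post: a simplified best-path comparison in Python showing the equal-AS-path case described above. The routes, documentation ASNs, router IDs and RTT figures are constructed, only a subset of the decision steps is modelled (MED, eBGP/iBGP and IGP cost are omitted), and local-pref is used as one egress knob an optimizer could change, which is an assumption since the post does not name the parameters.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Route:
    exit_point: str            # where the peering physically is (not a BGP attribute)
    rtt_ms: float              # measured latency (not a BGP attribute)
    as_path: tuple
    router_id: str
    local_pref: int = 100
    origin: int = 0            # 0 = IGP, 1 = EGP, 2 = incomplete

# Constructed: the same prefix learned at two exchanges with identical AS paths.
ROUTES = [
    Route("KUL", 5.0, (64500, 64501), router_id="203.0.113.9"),
    Route("LON", 180.0, (64500, 64501), router_id="198.51.100.2"),
]

def rid_key(rid):
    """Compare router IDs numerically, octet by octet."""
    return tuple(int(part) for part in rid.split("."))

def best_path(routes):
    """Subset of best-path selection: highest local-pref, shortest AS path,
    lowest origin code, then lowest neighbor router ID as the tie-break.
    Neither exit_point nor rtt_ms is consulted at any step."""
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path),
                                      r.origin, rid_key(r.router_id)))

def lowest_rtt(routes):
    """What a latency-aware choice would pick instead."""
    return min(routes, key=lambda r: r.rtt_ms)

def with_local_pref(routes, exit_point, pref):
    """Return routes with local-pref raised on one exit (the egress knob)."""
    return [replace(r, local_pref=pref) if r.exit_point == exit_point else r
            for r in routes]

if __name__ == "__main__":
    print("best path by attributes:", best_path(ROUTES).exit_point)
    print("lowest RTT:", lowest_rtt(ROUTES).exit_point)
    tuned = with_local_pref(ROUTES, "KUL", 200)
    print("after local-pref change:", best_path(tuned).exit_point)
```
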
kwss
post Aug 20 2025, 10:53 PM

QUOTE(socratesman @ Aug 20 2025, 07:19 PM)
Not even 8pm yet, already seeing the standard nightly slowdown on sites behind Cloudflare. High latency to cloudflare SG at Equinix.
Why TM don't route to Cloudflare KUL? CF got no presence in MyIX?

Even this forum, which i understand is located locally, ping times around 50-100ms. Tested simultaneously on Maxis Hotlink, latency only 15ms.
*
The problem is twofold:
1. Cloudflare KUL is still broken
2. Cloudflare SIN does not have direct peering with TM. IPv4 via Equinix SG. IPv6 via Telstra Global

Then there is the congestion in the evening. Anything that doesn't have direct peering will get slapped with congestion due to TM prioritizing shareholder value over technical excellence or customer satisfaction. Not surprising considering TM's majority shareholder is government coffer.

You can think about it as TM is milking you, or the Malaysia government is milking you.

Oh, not I say. This is literally how TM operates.

user posted image
