IoT Hue Lightbulb needs UPnP???

[Zonkd]

I own an AC86U router and I want UPnP disabled. Unfortunately I've been told UPnP must be enabled for my mates new internet-of-things Phillips Hue lightbulb to work properly.

So I gotta ask, is UPnP essential for controlling the Hue lightbulb over the internet using the phone app or an Amazon Echo?

Now that he has enabled UPnP I see him controlling it with his phone app and Amazon Echo. He hasn't mentioned the specific problem he saw when UPnP was off. Unfortunately I'm unable to troubleshoot unless he gives me access to his hue/phone/echo. That is unlikely to happen.

 

[Hawk]

I own an AC86U router and I want UPnP disabled. Unfortunately I've been told UPnP must be enabled for my mates new internet-of-things Phillips Hue lightbulb to work properly.

So I gotta ask, is UPnP essential for controlling the Hue lightbulb over the internet using the phone app or an Amazon Echo?

Now that he has enabled UPnP I see him controlling it with his phone app and Amazon Echo. He hasn't mentioned the specific problem he saw when UPnP was off. Unfortunately I'm unable to troubleshoot unless he gives me access to his hue/phone/echo. That is unlikely to happen.

Why don't you try both ways, upnp is used when you need to open ports for service or program. I will leave it disabled if possible.

 

[Keenan]

Why is access to his equipment unlikely to happen? Just switch off UPnP in the AC86U until he agrees to troubleshoot the problem with you.

 

[bluzfanmr1]

You could check the port forwarding tab with upnp on and see what is on that page, then manually enter them and turn off upnp.

 

[Zonkd]

You could check the port forwarding tab with upnp on and see what is on that page, then manually enter them and turn off upnp.

Thanks I didn't see the System Log / Port Forwarding tab. I will keep an eye on it.

 

[Zonkd]

Why don't you try both ways, upnp is used when you need to open ports for service or program. I will leave it disabled if possible.

Try both ways? Well I suppose we've done that because UPnP was off to begin with. He connected the Hue via WiFi on his own. It didn't work as he expected. I'm guessing he read some instructions online. He then insisted on enabling UPnP. I was busy and didn't have time to help nor argue about it, so I let him enable it, and it fixed whatever his problem was. I'd be an unpopular person to disable UPnP without having another solution to offer up.

 

[skeal]

Try both ways? Well I suppose we've done that because UPnP was off to begin with. He connected the Hue via WiFi on his own. It didn't work as he expected. I'm guessing he read some instructions online. He then insisted on enabling UPnP. I was busy and didn't have time to help nor argue about it, so I let him enable it, and it fixed whatever his problem was. I'd be an unpopular person to disable UPnP without having another solution to offer up.

Ok, let me get this straight, you are going to relax security on your entire network because buddy has a neat light bulb.

 

[Zonkd]

I would think that UPnP would be safe for intranet use. I would not enable it for WAN. You can check for WAN exposure using the following link: https://www.grc.com/x/ne.dll?bh0bkyd2

Doesn't enabling UPnP always allow clients to open ports to WAN? UPnP is for getting through the firewall...

 

[Zonkd]

Ok, let me get this straight, you are going to relax security on your entire network because buddy has a neat light bulb.

Definitely... not. But you gotta be seen as reasonable by everyone else you live with and not be seen as the dude who crashes parties by preventing people living life using their fancy new party lights which they already paid hundreds of dollars for.

Once I'm confident I've found the solution UPnP will be disabled by me.

 

[ColinTaylor]

I would think that UPnP would be safe for intranet use. I would not enable it for WAN. You can check for WAN exposure using the following link: https://www.grc.com/x/ne.dll?bh0bkyd2

Doesn't enabling UPnP always allow clients to open ports to WAN? UPnP is for getting through the firewall...

Indeed. ChatmanR's statement make no sense. The grc link refers to something completely different.

Thanks I didn't see the System Log / Port Forwarding tab. I will keep an eye on it.

This. Hopefully it always uses the same port so that you can manually forward it.

 

[Zonkd]

This. Hopefully it always uses the same port so that you can manually forward it.

Errrrgh, gross, so basically you're saying I'll need to port foward this lightbulb to be permanently exposed to the entire internet making it vulnerable 24/7 to hack attempts? Why on earth is that necessary? I don't get it.

Synology has a remote access solution for their NAS products that doesn't require port forwarding. It's called QuickConnect. The NAS sends a heartbeat to Synology servers which then handle negotiating remote access sessions between the NAS and any remote clients outside the LAN. They could have done the same thing for these damn lightbulbs?

 

[skeal]

Errrrgh, gross, so basically you're saying I'll need to port foward this lightbulb to be permanently exposed to the entire internet making it vulnerable 24/7 to hack attempts? Why on earth is that necessary? I don't get it.

Synology has a remote access solution for their NAS products that doesn't require port forwarding. It's called QuickConnect. The NAS sends a heartbeat to Synology servers which then handle negotiating remote access sessions between the NAS and any remote clients outside the LAN. They could have done the same thing for these damn lightbulbs?

Keep the bulb's access at the local level, and use a VPN to access your network, and thus control the bulb safely without it having WAN access.

 

[Zonkd]

Keep the bulb's access at the local level, and use a VPN to access your network, and thus control the bulb safely without it having WAN access.

Too complicated for my room-mates. I'd rather not be kicked out for being a network nazi. I'll let their lightbulb get hacked.

 

[Jack Yaz]

Too complicated for my room-mates. I'd rather not be kicked out for being a network nazi. I'll let their lightbulb get hacked.

The implication being that said "hacked lightbulb" is then on your LAN, on the nicer side of your firewall ;-)

 

[HuskyHerder]

Since you posted the topic I have checked my logs a few times a day and there is no UPNP connection from my Hue. at least nothing shown up in those logs. Unless they are released very quickly and I fail to notice. I did have other connections, that I did not know about, due to a new app install. They were remedied last night, and not related to your topic.

I have the Hue Hub setup for remote access and also working with an Apple TV as a HomeKit Hub. This was the only thing to show up in the list of connections.. I have UPNP and secure UPNP enabled.

Tcp > NAT address > NAT port > Destination IP > port > State = tcp > 10.x.x.1 > 44863 > 104.155.18.91 > 443 > Established

Not sure if this help you, or is even relevant?

 

[ColinTaylor]

Errrrgh, gross, so basically you're saying I'll need to port foward this lightbulb to be permanently exposed to the entire internet making it vulnerable 24/7 to hack attempts? Why on earth is that necessary?

Don't ask me, I have no idea how it works. Ask the manufacturer of the lightbulb.

 

[^Tripper^]

I have upnp disabled and my hue works perfectly via local control and cloud. Not using alexa, just the standard hue app.

 

[XIII]

I have upnp disabled and my hue works perfectly via local control and cloud. Not using alexa, just the standard hue app.

Same here, though I mostly use HomeKit Apps instead of the Philips Hue App.

Works great, no UPnP needed.

 

[unsynaps]

Same here, though I mostly use HomeKit Apps instead of the Philips Hue App.

Works great, no UPnP needed.

Not a solution if you dont have useless devices for one purpose like an AppleTV or a new enough iPad sitting at home.

 

[^Tripper^]

Not a solution if you dont have useless devices for one purpose like an AppleTV or a new enough iPad sitting at home.

HomeKit works fine without needing any “useless” apple devices except for out of home control.

But yeah, if you need that feature, HomeKit does require a “useless” device like an Appletv or a new enough iPad to act as a hub. Because Apple.