Menu
What's new
By:
Filters Better Search

Open ports? Newbie question

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

C

Chippy_boy

Regular Contributor
Hi folks

I must confess, although computer savvy, I am not very clued up on networking.

I want my home network to be as secure as possible, so I think I have all my ports closed and I am not port-forwarding anything.

Screenshot 2022-07-05 091856.png


My question is this: How can e.g. Philips Hue and Tado control my lights and my central heating remotely? How can these services access devices in my network (which they both do quite happily) if my network is locked down? I am really confused how this is possible without open ports and port forwarding to the respective devices. So how does this work?

And Is it a (albeit small) possible security risk?

If anyone could explain, I'd be very grateful.

Thanks
 
Last edited:
Beware that Shields Up (like most other similar online tools) only tests for TCP ports, NOT UDP.

Many such devices do NOT need to initiate connections inbound (i.e., rely on port forwarding). They can simply "phone home" to their servers(s) for instructions. IOW, when you buy into these devices, you're implicitly buying into a service to manage it. If in fact they need to initiate connections inbound, it's a simple matter to configure a site-to-site tunnel, using something like OpenVPN or SSH. This is exactly how my OOMA (VOIP) phone adapter works. In order for their service to inform me of an incoming call, they create an OpenVPN connection from behind my firewall (the client) to their OpenVPN server, from which they can initiate connections back through my firewall.

It's something employers have to deal w/ all the time. Their admins actively seek out such traffic, just in case employees are punching holes in their firewall and creating security risks.

That's why *anything* behind your own firewall is a potential security risk. You just have to decide who and what you're willing to trust.
 
Last edited:
eibgrad said:
Beware that Shields Up (like most other similar online tools) only tests for TCP ports, NOT udp.

Many such devices do NOT need to initiate connections inbound (i.e., rely on port forwarding). They can simply "phone home" to their servers(s) for instructions. IOW, when you buy into these devices, you're implicitly buying into a service to manage it. If in fact they need to initiate connections inbound, it's a simple matter to configure a site-to-site tunnel, using something like OpenVPN or SSH. This is exactly how my OOMA (VOIP) phone adapter works. In order for their service to inform me of an incoming call, they create an OpenVPN connection from behind my firewall (the client) to their OpenVPN server, from which they can initiate connections back through my firewall.

It's something employers have to deal w/ all the time. Their admins actively seek out such traffic, just in case employees are punching holes in their firewall and creating security risks.

That's why *anything* behind your own firewall is a potential security risk. You just have to decide who and what you're willing to trust.
Click to expand...
Thanks for this. So presumably my Tado and Philips Hue are constantly (periodically?) polling, checking the respective servers to see if there's any new instructions?
 
Chippy_boy said:
Thanks for this. So presumably my Tado and Philips Hue are constantly (periodically?) polling, checking the respective servers to see if there's any new instructions?
Click to expand...

Most likely. Polling is very common. But when things need to be initiated from the server to the client (e.g., a phone call is coming in over VOIP), that's when you see the tunneling.

Whether it's constant or periodic polling is just going to depend on the nature of the device. Whatever it needs to get the job done.

That's why you might want to consider gaining some experience w/ a tools like tcpdump and WireShark so you can snoop on what these devices are doing.
 
eibgrad said:
This is exactly how my OOMA (VOIP) phone adapter works. In order for their service to inform me of an incoming call, they create an OpenVPN connection from behind my firewall (the client) to their OpenVPN server, from which they can initiate connections back through my firewall.
Click to expand...

I thought they turned away from OVPN some time back (like 2010...) - If I recall, they're using SSL/TLS these days that supported the mobile application...
 
sfx2000 said:
I thought they turned away from OVPN some time back (like 2010...) - If I recall, they're using SSL/TLS these days that supported the mobile application...
Click to expand...

I can't speak to what they use today. I have the original OOMA Hub VOIP adapter, purchased back in 2009 for $160. Hasn't cost be a penny since then for service. Still going strong. I only noticed it was using OpenVPN by accident while monitoring other traffic for other purposes.
 
You must log in or register to reply here.

Similar threads

R
Exposed ports on WAN - why?
Replies
5
Views
703
ColinTaylor
C
Neo-ST
[RT-AX86U] Can't open ports
Replies
2
Views
963
Neo-ST
Neo-ST
brentil
RT-AX88U Pro Port Forwarding not working
Replies
1
Views
127
brentil
brentil
John Tetreault
How to open ipv6 firewall to a port on the router?
Replies
7
Views
2K
viwrtuser
V
P
firewall, inbound firewall rules and port forwarding (on RT-AX58U) clarification
Replies
5
Views
1K
eibgrad
eibgrad
Similar threads
Thread starter Title Forum Replies Date
G Multiple tries needed to open windows share Other LAN and WAN 0

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 660 (members: 15, guests: 645)
Top