Does the ZBT-2 Antenna allow connected Matter/Thread devices to access the wider internet / WAN

Hi, my question is in the title.

To elaborate, I recently purchased a Home Assistant Connect ZBT-2 Antenna and a couple of (IKEA) Matter devices I found at a good price. I originally had gone in under the assumption that Thread was similar to Zigbee, and I am starting to see more Matter devices being sold on the market. However, after reading some threads about the tech, I am concerned that I have purchased into an ecosystem that will be sending telemetry.

The worry is born from seeing other people say the devices get provisioned on the manufacturer's servers before being able to be used in Home Assistant. Is this true, or is it FUD? I prefer to have my devices fully isolated from any WAN/outgoing connections as I don't feel I genuinely own the device if I can't use it without it being on the wider internet.

Ideally, I’m hoping to hear that because what I have purchased is an official Home Assistant product (The ZBT-2 antenna), I will not have to worry about the devices connecting to it phoning home, but after searching through the forum I could not find a straight “Yes, some matter/thread devices will send telemetry” or “No, no matter/thread devices will send telemetry” answer. Mostly just people either talking about the Matter spec. or third party Matter hubs and not much real world examples of the ZBT-2.

I would appreciate an answer to this question with some sort of citation if possible. (Citation meaning, if the devices can connect to a manufacturer server, I'd like to see a link to the ZBT-2 hardware docs or source code that specifies that it allows Matter devices to connect to the wider internet / WAN via Home Assistant's host machine.) Not a necessity, but I am worried about misinformation.

I'd even be happy hearing that if it is something that can happen, I can just somehow turn off WAN capability for the antenna. Otherwise I may have to end up returning everything I just bought.

Thanks in advance,
Liftoff1862

ZBT-2 is just an antenna, so it is not that part that does it.

In order to answer your question, a few things need to be explained.

First, the Matter server could probably send information back to vendors, which is not unlike the Zigbee or Z-Wave server built into HA, so it is a question of whether you trust HA and not really about the device vendors on this level.

Secondly, Matter is a modular protocol, where the communication part is separated from the transport. In Zigbee and Z-Wave these are locked together.
This means Matter can use WiFi, Thread and Bluetooth to transport its data around.

The problem here is that a device with a WiFi connection can choose to send something to the Matter server, but it might also choose to send something to the internet directly.
Thread is really no different here, other than it is IPv6 based.

The Matter protocol has an opening in the standard that allows telemetry and even optional cloud services.
The Matter protocol, however, also lists mandatory local functions that need to work without internet access, which are the typical functions for the device types, like on/off for a switch, brightness, color and the like for a bulb, and so on.
A weather station can have wind speed, wind direction, temperature, lux and so on locally, but provide a weather forecast as an optional cloud service.
The Matter certification process ensures that these things are followed.

If you want to avoid the telemetry and cloud services, then it must be possible to block internet access completely to the devices, according to the Matter standard.
Matter over WiFi devices need to be blocked in the firewall, and probably for both IPv4 and IPv6, if IPv6 is using a global IPv6 address.
If you are using the OpenThread Border Router (OTBR) with an internet connection without a global IPv6 address, then the only way devices can "phone home" is by enabling the NAT64 feature.
If you are running the OTBR in an IPv6 or an IPv6/IPv4 network with a global IPv6 network, then disabling the NAT64 feature will prevent IPv6 traffic from jumping to IPv4 and going out, and the IPv6 traffic then needs to be blocked specifically per device, but that goes for every IPv6 device.

IPv6 is made to allow every single device direct access to the internet, so you need to make sure your firewall handles that, or make sure that all the IPv6 addresses on your devices start with an f, which indicates a local IPv6 address.
If it starts with 2 instead, then it is most likely a global one and needs to be handled in the firewall.

The OTBR might need access to the internet to access the CSA DCL, which is where it checks if a device is using a certified Matter firmware.
If you do not trust the OTBR app, then this could probably be limited to just the CSA website in the firewall.

What it really comes down to is what parts of the string of software and hardware you trust and that goes for Zigbee, Z-Wave, ESPHome, Tuya or anything else for that matter.

Some are worried about missing functionality when no internet connection is allowed, but a Matter device that is not connected to its vendor's own ecosystem will typically just have the basic functionality that is always available.
I run Eve and Onvis smart plugs, ZemiSmart blinds and a set of different Aqara devices as MoT on my HA server with the Matter server and OTBR addons connected to a ZBT-2 as the only controlling parts and totally blocked internet access and I have no issues.

If you start to incorporate other vendors' Matter hubs into your system, then these might "phone home", which can also be used in a good way in that Google/Apple/Alexa can share a Matter network with HA, and then HA can emulate its devices as Matter devices, so the other ecosystems can see them. Because Matter does not need opening up ports in the firewall and router, this setup can allow a more secure integration of these ecosystems.

2 Likes

Hi Wally, Thank you for the in-depth explanation! I have a few follow-up questions if you are able to answer them.

To start, I was not aware Zigbee or Z-Wave could send information back to vendors through Home Assistant. Is this something that happens often and is there a way to stop it? I use both Z-Wave and Zigbee, and I prefer not to have the devices sending telemetry if possible. I use ZwaveJS2MQTT connected to Home Assistant, and the built-in Zigbee manager in Home Assistant.

Regarding how I am using the devices, I believe I am in the last category you explained, as my devices are connecting via Thread, and not Wifi (Is my understanding, I may be misunderstanding how Matter works entirely). I’m using OTBR with IPv4 and global IPv6. I don’t entirely understand the IPv6 protocol as well as I understand IPv4, so excuse my ignorance if something I say here sounds wrong. I use OpenWrt on my router, and Home Assistant is running in a Virtual Machine connected to the internet via macvtap. I have IPv6 disabled for the virtual machine running Home Assistant, but I do not have it disabled for the entire OpenWrt interface Home Assistant is a part of as it is necessary for one of the services I am running. Would Home Assistant at this point need its own interface with IPv6 disabled, or is disabling IPv6 for just the Home Assistant virtual machine good enough to stop OTBR from communicating with IPv6? Furthermore, you mention disabling NAT64 to prevent IPv6 traffic from jumping to IPv4. Is that something I need to do on OpenWrt, or is that something that needs to be done in the virtual machine? As it stands, the virtual machine can not ping an IPv6 address.

Can you provide the IPs/Domains for the CSA website that OTBR needs?

As far as trust goes, I trust that the Home Assistant developers are not selling my data for advertising money (or at the very least, I am hoping they don’t.) I try not to use anything in my stack that needs an internet connection to function. I am not super concerned about losing functionality if a device is not connected to the internet, as long as it has some sort of functionality in Home Assistant. I don’t plan to incorporate any other hubs, due to my system being set up to value privacy above convenience.

Looking forward to your response, thanks for the help so far!

They cannot themselves.
What I said is that the server/hub software can on their behalf, so it is a question of whether you trust the server/hub software.
The Zigbee and Z-Wave server/hub software in HA is made by the HA devs, so if you trust them, then you can trust the software. The same goes for the Matter server/hub software in HA.

Matter needs IPv6 to function, so it needs to be enabled on the HA machine, but it does not have to be a global IPv6 address, and you need it for the Matter over WiFi devices also, if you get such ones.
I would say you have set it in the wrong place. It should not be on the HA hardware, but on your perimeter hardware, i.e. your router/firewall.
Remember that IPv6 is made to avoid the need for NAT, so if you are not blocking a global IPv6 address, then it has access to the internet. There is no port forwarding needed for this to happen.
If you do not understand IPv6 well enough, then I suggest you look into disabling it on the router/firewall, so there are no global IPv6 addresses being used on the internal network. Just make sure you do not configure your router/firewall to pass packets internally with a local IPv6 address.

It is a configuration setting on the OTBR app in HA. It is disabled by default, so it probably still is in your setup.

The website is located here: Distributed Compliance Ledger (DCL) - CSA-IOT
I mainly use it to access the DCL WebUI to look up firmware versions.
I do not block the OTBR, because I trust them as much as I trust the HA devs.

1 Like

I've been thinking about this, and the limited experimenting I've done with a couple of Matter/Thread devices suggests this has to be true:

I have 2 IKEA Alpstugas and 2 Inovelli fan switches, all Thread via ZBT-2. Both report firmware version, and that it's current: how did it validate the version being current? Both Alpstugas offered updates of their firmware when first connected and I did that… same question.

So to your point, it’s likely that the device told thread, thread to matter, matter talked with vendor across the internet. End-to-end, that actually happens. And for me that’s a good thing.

I’ve seen it being said elsewhere that users don’t want end thread/matter devices talking to the internet. I’m glad that devices don’t need internet for day-to-day automations and an internet outage can’t affect my automations directly.

However blocking that should be thought through carefully… For me it’s lighting. The matter/thread protocol enhancements for scene lighting are not out of design yet, how will devices get these updates when released if not via the internet? No native scenes means thread lighting is at a dead stop for me until that’s reality, and I have 2 eve switches to install and update when native matter/thread scenes are released into the wild.

Same question for mfg bug fixes and matter/thread updates and security fixes

If you use HA's Matter server, then it talks to the CSA DCL.
The CSA DCL is a blockchain, and that can also be hosted by other providers, but only CSA has the key to make changes to it.
You would actually be able to host it yourself, if you bothered with finding out how to set up a server.

Exactly, and I prefer to actually get updates, instead of just leaving the device with potential security issues, because some Chinese manufacturer decided to sell a device and deliver no after-sale support.

2 Likes

Okay, so I just want to make sure I am understanding correctly, forgive me if this is getting tedious.

Does Home Assistant / the Home Assistant developers develop the software in such a way that prevents telemetry? I will define telemetry as any given device connected to Home Assistant sending information such as when a device has been interacted with, sensor readings, or pings to let the manufacturer/vendor/third party know the device is online. My understanding was that Z-Wave and Zigbee (utilizing USB antennas hooked into Home Assistant without any third-party hubs) do not send telemetry (unless you consent in the configuration.yaml file, which allows Home Assistant to take anonymized telemetry to improve Home Assistant). Is that understanding correct or am I misinformed?

Further, does this understanding (A USB Antenna, in this case being the ZBT-2, hooked directly to Home Assistant not sending Telemetry) extend to Matter/Thread?

I trust the Home Assistant developers if they say that there is no telemetry (as defined) being sent, and I am on the same page about getting updates. I do not want weak points in my network if it can be helped. The core of what I want to know is if Home Assistant says it sends telemetry to third parties when you utilize these tools.

After re-reading my first response, I realize I may have been a bit vague about what I meant I did. I have the MAC address for the machine Home Assistant is using blocked from registering a global IPv6 address on the router. I believe I also had passed the kernel parameter on the VM to disable IPv6 but am not positive I did. If I did pass the kernel param, should I remove it? I think you answered the original question but I want to double check myself:

Home Assistant needs to have IPv6 support enabled on the host machine, but if I block IPv6 from the machine at the router level (which is what I have done, I blocked it from registering a global IPv6 via the machine's MAC address), then connected Matter devices cannot directly communicate with the web. The Matter devices will have link-local IPv6 addresses, but can't register public IPv6s. This is where I was saying I was confused and didn't entirely understand IPv6. I was thinking that if each Matter device has its own MAC address, there was a possibility they could register global IPv6 addresses at the router level. Is that a concern I need to have if the host machine MAC address is blocked from IPv6? (I do not want to disable global IPv6 on the router as I utilize it.)

If all of the above is correct, then the OTBR server will provide updates via the CSA DCL to Matter devices without them connecting to the global internet.

Again, Thank you for taking the time Wally, it is greatly appreciated.

I am pretty sure that is a big NO.
The slogan for Home Assistant is “privacy - choice - sustainability”, which says it all.

The question is a bit harder to answer.
You see the antenna as a device, but it is just an antenna.
It is the Access Point for a Thread network and it works just like an Access Point in a WiFi network.
The OTBR and Thread can work without Matter. It is just a transport layer, just like WiFi and Ethernet.
Thread is also used by HomeKit and there might be other protocols using it too.

If you ask the same question with WiFi instead, then you see the mistake in the question.
"Does a WiFi access point/router that does not send telemetry extend to the WiFi devices?"

Matter requires IPv6, so yes.

That is the tricky one.
You have probably blocked the physical MAC address, but with virtualization you may have several virtual NICs and they all have a virtual MAC address that can get an IP address.

Your approach on the router/firewall should be by default deny all incoming connections and then allow the ones that need access. This will be equal to the IPv4 NAT’ing/portforward.
Like with IPv4, where you block the devices’ outgoing connections, if you do not want to have them phone home, you need to do the same for IPv6.

If they only have local IPv6 addresses (there are two types: Link Local Addresses (LLA) and Local Unique Addresses (LUA)), then you are safe. These addresses will be blocked on every internet router, so even if you misconfigure your own router and allow these to be forwarded somehow, the next hop will drop the packets.

If your internet router publishes a Router Announcement with a global prefix, then yes, they can.
Again think of it like WiFi.

I think you should try to study this page and the following 4.
https://openthread.io/guides/thread-primer

1 Like
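The two replies above lean on the same practical check: which IPv6 addresses on the HA host and its Thread segment are link-local or unique-local (safe, dropped by the next hop) and which are global unicast (routable, so they need a firewall rule on the perimeter). The script below is an added example and is not code from this thread, from Home Assistant or from OpenThread. It classifies addresses by RFC 4291 / RFC 4193 prefix instead of by the first hex digit, and audits `ip -6 addr` output for global addresses per interface, including virtual NICs such as a macvtap. The `ip -6 addr` text is constructed: `wpan0` stands in for a Thread interface, and the `2001:db8:` documentation prefix stands in for an ISP-delegated prefix.

```python
"""Classify IPv6 addresses and audit `ip -6 addr` output for routable ones.

Added example, not from the forum thread. Linux reports unique-local (ULA)
addresses as "scope global" too, so the scope column alone cannot tell you
whether an address is reachable from the internet; the prefix can.
"""
import ipaddress
import re
from collections import defaultdict

# Narrower ranges first. 2000::/3 covers every address whose first hex digit
# is 2 or 3; fc00::/7 (fc../fd..) is ULA; fe80::/10 is link-local.
RANGES = [
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("global-unicast", ipaddress.IPv6Network("2000::/3")),
]


def classify(addr: str) -> str:
    """Return the address kind; a trailing %zone (e.g. fe80::1%eth0) is ignored."""
    a = ipaddress.IPv6Address(addr.split("%")[0])
    for name, net in RANGES:
        if a in net:
            return name
    return "other"


def needs_firewall_rule(addr: str) -> bool:
    """Only global unicast can be forwarded to the internet; LLA/ULA packets
    are dropped by the next hop even if your own router forwards them."""
    return classify(addr) == "global-unicast"


IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")          # "3: macvtap0@eth0: <...>"
ADDR_RE = re.compile(r"^\s+inet6\s+([0-9a-fA-F:]+)/\d+\s+scope\s+(\S+)")


def audit(ip_output: str) -> dict:
    """Map interface -> [(address, reported scope, classified kind), ...]."""
    findings = defaultdict(list)
    iface = None
    for line in ip_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and iface:
            addr, scope = m.groups()
            findings[iface].append((addr, scope, classify(addr)))
    return dict(findings)


def routable_interfaces(ip_output: str) -> list:
    """Interfaces holding at least one global unicast address (need a rule)."""
    return sorted(
        iface for iface, entries in audit(ip_output).items()
        if any(kind == "global-unicast" for _, _, kind in entries)
    )


# Constructed sample of `ip -6 addr` on a host with a physical NIC, a macvtap
# (the VM side) and a Thread interface; not captured from a real machine.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:1:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86387sec preferred_lft 14387sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
3: macvtap0@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 500
    inet6 2001:db8:abcd:1:1c3e:54ff:fe9a:bcde/64 scope global dynamic mngtmpaddr
       valid_lft 86387sec preferred_lft 14387sec
    inet6 fe80::1c3e:54ff:fe9a:bcde/64 scope link
       valid_lft forever preferred_lft forever
4: wpan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1280 state UNKNOWN qlen 1000
    inet6 fd11:22:33:44:0:ff:fe00:fc00/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::e8b5:9c7a:3d2f:1a0b/64 scope link
       valid_lft forever preferred_lft forever
"""

if __name__ == "__main__":
    for iface, entries in audit(SAMPLE).items():
        for addr, scope, kind in entries:
            flag = "NEEDS RULE" if kind == "global-unicast" else "local"
            print(f"{iface:10} {addr:42} scope={scope:7} {kind:15} {flag}")
    print("interfaces to cover on the router/firewall:", routable_interfaces(SAMPLE))
```

Run it against real output with `ip -6 addr show | python3 audit.py`-style piping replaced by reading stdin, or just call `audit()` on the captured text. On the sample, both `eth0` and the `macvtap0` virtual NIC hold a `2001:db8:` address even though only one physical MAC was excluded on the router, which is the point made about virtual NICs above, while the Thread-side `fd11:` address shows `scope global` in `ip` output yet is ULA and not routable.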