I think there’s a pretty significant security benefit to that model. But yes, if you want purely local control only with no cloud involved (which is why a lot of people choose HA in the first place, I assume?) then your only option, I think, is opening a port and connecting directly to your instance.
Just as an aside for anyone else who might be in the same boat as me, I’m experimenting with using Apple’s HomeKit integration and using that as a “frontend” for HA and remote access. So I keep HA locked down and only accessible locally in my LAN, but if I’m away from home I can control switches, lights, alarm, etc., using the “Home” app on my iPhone. So far I’m amazed at how well it’s working, and I’m using it for presence detection too, which is slick.
As I said (implied), I’m not an expert in this area, but I believe with that model your router opens a port automatically.
I could be wrong.
And creating an account on “some webpage” wasn’t much of a deal for me either a few years ago, but then you start noticing what the level of questions from web developers on Stack Overflow is.
You get questions on how to store plain text passwords in text files.
Or how to use old functions that are prone to security flaws.
And it’s not a one-off thing. It happens pretty much daily.
And then there are big companies such as a German post company, but let’s not name names, shall we?
You register on their customer page and you get an email back with the login details in plain text.
I was completely stunned and actually called them, and the guy, who was some security boss, did not understand and refused to listen.
Of course I have higher views on Nabu Casa.
I honestly do believe they know what they are doing. But the amount of garbage out there is insane.
If I’m presented with “create an account” I generally back out the same way I got there unless I really really need the service.
“As I said (implied), I’m not an expert in this area, but I believe with that model your router opens a port automatically.
I could be wrong.”
Believe me, I’m nothing even close to an expert with security or networking either. However, using the SmartThings example I can tell you that you absolutely do not need any ports open, yet you can still remotely control devices in your home, etc. I think the distinction is: the SmartThings hub will initiate its own https connection to the ST cloud service (outbound), and once that connection is established it is used to communicate back and forth between the cloud and the hub in your house. But that only works because a device on the inside of your LAN initiated the connection. The reverse scenario, where you want to initiate the connection from the outside internet into your LAN (ingress), requires a port to be open on your router. That’s probably not a great explanation, but I think that’s the general idea.
Back to HA, I’m not sure with Nabu Casa if it follows that scenario, or if Nabu Casa simply proxies a secure connection into your HA instance. It sounds like the latter to me based on what everyone else has said, but I might be misunderstanding.
Yes, you’re wrong. Opening (forwarding) ports on your router can only be done by:
You (on the router/firewall).
UPnP, a protocol that does it on your router on behalf of a device or application.
But, since most routers do not have UPnP enabled by default, this will not work well.
In addition, there is 1 port open at Nabu Casa, which is 443, the default for https traffic. Based on the host header (URL) they forward the traffic to the proper instance of the user.
Probably a VPN/secure tunnel will be set up from a Home Assistant instance to Nabu Casa and used for forwarding.
This way there is no need for an open port on anyone’s router, which is relatively safe.
But since the original Home Assistant interface is simply presented via Nabu Casa to the client (via the tunnel and 443) and without any additional security measures at Nabu Casa (IP reputation, geo-IP, rate limiting, DoS, APT, etc.), both are equally safe…
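To make the inbound-versus-outbound distinction from the SmartThings post above and the hub-to-relay tunnel described in this post concrete, here is a small added Python demo (not code from this thread, from Nabu Casa or from SmartThings): both ends run on localhost, the “hub” dials out and never listens on any port, and plain TCP stands in for the TLS tunnel a real service would use; the HELLO line and TURN_ON command are made up for the demo.

```python
import socket
import threading
# Added demo, not from the thread: a "cloud relay" and a "hub" on localhost.
# The hub never listens; it dials OUT to the relay, and the relay then uses
# that hub-opened connection to push a command inward and read the reply.
# HELLO/TURN_ON are constructed; a real service would use authenticated TLS.

def start_relay():
    """Start the relay listener and return (port, thread, result dict)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def serve():
        conn, _ = srv.accept()           # only the hub's outbound dial lands here
        with conn:
            result["hello"] = conn.recv(1024).decode().strip()
            # Push a command "into the LAN" over the channel the hub opened.
            conn.sendall(b"TURN_ON light.kitchen\n")
            result["reply"] = conn.recv(1024).decode().strip()
        srv.close()

    t = threading.Thread(target=serve)
    t.start()
    return port, t, result

def run_hub(port):
    """Hub side: dial out, identify, service one command on the same socket."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(b"HELLO hub-1234\n")
        cmd = s.recv(1024).decode().strip()
        parts = cmd.split()
        if len(parts) == 2 and parts[0] == "TURN_ON":
            # Stand-in for actuating the device on the local network.
            s.sendall(f"OK {parts[1]}\n".encode())
        else:
            s.sendall(b"ERR unknown command\n")
        return cmd

def demo():
    """Run both ends; return (command the hub received, reply the relay got)."""
    port, t, result = start_relay()
    cmd = run_hub(port)
    t.join()
    return cmd, result["reply"]

if __name__ == "__main__":
    print(demo())  # ('TURN_ON light.kitchen', 'OK light.kitchen')
```

Nothing on the hub side ever calls listen(), so there is no inbound port to forward; the trade-off is that the relay now sits in the path and its own hardening (rate limiting, reputation checks, etc.) becomes part of your security posture.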
Ok, I thought about this and realize now how wrong it was. I was trying to provide a direct correlation between the two options and went completely wrong trying to stick to the same framework.
With an IP all of the positions don’t always exist and not all of them can be 9 (really 10) possible values. I knew it wasn’t going to be 100% technically correct but didn’t realize how wrong it was at the time.
Are you sure you just haven’t forgotten that you did the port forwarding?
I can’t really see any way that any given router would just let SmartThings through just because…
I did some reading and Samsung has a help section named port forwarding, and this thread talks about it and upnp.
But sure, I don’t own a SmartThings and probably never will.
I just base this on my Google skills.
@Hellis81 Positive, 100% I was not forwarding any ports. Go re-read my earlier post about how devices like SmartThings work when connections are initiated from inside your LAN. In fact, if you read the rest of what you just posted, you’ll see a developer literally said that port forwarding is not required, nor is UPnP.
“absolutely do not need any ports open yet you can still remotely control devices in your home, etc”
was interpreted by me as “remotely control” meaning that you are in a remote area trying to control your home.
Meaning you are outside and controlling the inside.
Ok…
But that was not really the discussion. If you want to be outside and control the inside then you must open some ports, right?
So then SmartThings has the same “issue” that HA does?
If you open the ports to smartthings then a wild guess at your IP and a correct password and I would be in? Or?
@Hellis81 No you interpreted what I said correctly - you CAN control your SmartThings devices when you are away from home, and you do NOT need ports opened. I’m not sure how else to explain this to you, so I’m giving up now.
In that case something is wrong, because the whole point of UPnP is to open port 1900.
You do not see that it’s open in port forwarding, but that is the port that opens when you enable UPnP.
You can argue against it however much you want, but UPnP is opening a port; that is a fact.
For the record, the random URL/random guessing doesn’t provide much protection. Because the connections are secured/HTTPS, the URLs Nabu Casa generates are all publicly published. HTTPS encryption on the web – Google Transparency Report