MyHS Remote Access Service: Discussions regarding myHomeSeer Remote Access Service

  #21  
November 21st, 2017, 04:15 PM
Kerat
Seer Master
 
Join Date: May 2016
Location: Colorado USA
Posts: 719
Quote:
Originally Posted by jonjonbear View Post
I've attached a screen shot of my security settings to see if anyone can see something wrong with them.

Thanks,

John

What happens when you uncheck the "filter anonymous Internet requests"? Linksys support says that this setting denies echo (ping) requests.



Sent from my iPhone using Tapatalk
  #22
November 21st, 2017, 04:35 PM
Kerat
Seer Master
 
Join Date: May 2016
Location: Colorado USA
Posts: 719
Do I need to port forward?

It might be time to put the HS3 server in the DMZ and run a packet capture. I can run one when I get home too. It should be pretty easy to add an inbound rule that allows the MYHS traffic from the MYHS IP address to your HS3 server. Hard part will be piecing together if there are multiple sources for MYHS and if they use a large block of ports to communicate back with the HS3 server on.


Sent from my iPhone using Tapatalk
  #23
November 21st, 2017, 04:39 PM
jonjonbear
Seer Deluxe
 
Join Date: Jan 2002
Location: Bastrop, Texas
Posts: 286
Quote:
Originally Posted by Kerat View Post
What happens when you uncheck the "filter anonymous Internet requests"? Linksys support says that this setting denies echo (ping) requests.



Sent from my iPhone using Tapatalk
Tried that, didn't affect it. I've posted on the Linksys forum too so we'll see if they know anything that might help.
  #24
November 21st, 2017, 04:40 PM
jonjonbear
Seer Deluxe
 
Join Date: Jan 2002
Location: Bastrop, Texas
Posts: 286
Quote:
Originally Posted by Kerat View Post
It might be time to put the HS3 server in the DMZ and run a packet capture. I can run one when I get home too. It should be pretty easy to add an inbound rule that allows the MYHS traffic from the MYHS IP address.


Sent from my iPhone using Tapatalk
Ooops... Now you went over my head :-(
  #25
November 21st, 2017, 04:54 PM
zwolfpack
Seer Master
 
Join Date: Sep 2015
Location: Orange County, California, USA
Posts: 910
Did you try unchecking the VPN Passthrough options? Just a WAG; I'm just not clear on what those do or how they might affect the MyHS tunnel.

BTW, an inbound rule isn't going to fix this; there are no inbound connections involved in the MyHS protocol.
  #26
November 22nd, 2017, 01:28 PM
jonjonbear
Seer Deluxe
 
Join Date: Jan 2002
Location: Bastrop, Texas
Posts: 286
Well I have it settled down. After some emails back and forth with the Linksys forum, the guy had me port forward to the HS box, and I un-checked "Filter anonymous internet requests".
He wanted me to do a port reservation but it has a static IP address.
It still disconnects every so often and re-connects, but appears so far to stay on most of the time. Hopefully it will stay this way. So far it's let me log on every time.

Thanks for all the brainstorming guys!

John
  #27
November 22nd, 2017, 01:53 PM
lveatch
Seer Deluxe
 
Join Date: Dec 2012
Location: USA - Illinois
Posts: 177
Quote:
Originally Posted by jonjonbear View Post
.... After some emails back and forth with the Linksys forum, the guy had me port forward to the HS box, ...
I hope you understand that the port forward means that either (depending on what port is forwarded) your HS web interface or your HSTouch port is exposed to the entire internet; same as putting your HS server in a DMZ.

Which is what MyHS is designed to prevent.
__________________
Len


HomeSeer Version: HS3 Pro Edition 3.0.0.368
Linux version: Linux homeseer Ubuntu 16.04 x86_64
Number of Devices: 555
Number of Events: 750
Available Threads: 600

Enabled Plug-Ins
2.0.49.0: BLBackup
2.0.38.0: BLLAN
3.0.0.40: EasyTrigger
30.0.0.36: RFXCOM
3.0.0.76: weatherXML
3.0.1.130: Z-Wave
  #28
November 22nd, 2017, 02:00 PM
jonjonbear
Seer Deluxe
 
Join Date: Jan 2002
Location: Bastrop, Texas
Posts: 286
Quote:
Originally Posted by lveatch View Post
I hope you understand that the port forward means that either (depending on what port is forwarded) your HS web interface or your HSTouch port is exposed to the entire internet; same as putting your HS server in a DMZ.

Which is what MyHS is designed to prevent.
Hi Len,
It's port 88. Yeah I figured that was likely the case, but it's the only way I can get it to work. I might try taking it back out and see what happens. I tried this yesterday and it made no difference. Maybe there was some other issue that cleared itself. I'll give it a try. Can always put it back.
  #29
November 22nd, 2017, 02:07 PM
Kerat
Seer Master
 
Join Date: May 2016
Location: Colorado USA
Posts: 719
Do I need to port forward?

What port are you running your HS3 management interface on? Also, are you running the management interface SSL encrypted (I hear this is possible in Windows installs)? Have you enabled anti-hack in HS3?


Sent from my iPhone using Tapatalk
  #30
November 22nd, 2017, 02:08 PM
jonjonbear
Seer Deluxe
 
Join Date: Jan 2002
Location: Bastrop, Texas
Posts: 286
Quote:
Originally Posted by Kerat View Post
What port are you running your HS3 management interface on?


Sent from my iPhone using Tapatalk
Port 88
  #31
November 22nd, 2017, 02:11 PM
Kerat
Seer Master
 
Join Date: May 2016
Location: Colorado USA
Posts: 719
Do I need to port forward?

There is some risk in doing this. It is important to understand the difference between explicitly allowing traffic to/from a given public port to a device on your internal network, port forwarding, and putting a device in the DMZ.
1. The DMZ opens the entire surface area of a network node to the Internet. This bypasses the firewall's normal function.
2. A port forward opens a port and forwards it to a network node. This bypasses the firewall's normal function.
3. Allowing/denying traffic by type allows the firewall to continue normal function.

Having your management interface publicly accessible means that any user on the public Internet can access your HS3 management interface.

At minimum I would recommend SSL encrypting the page, forcing all logons to use a password, binding myhs to a non-admin account, and setting up anti-hack features in your HS3 install.

I would still recommend we identify the traffic for myhs and see if it is possible to tell your firewall to allow the traffic.

Sent from my iPhone using Tapatalk
  #32
November 22nd, 2017, 02:48 PM
lveatch
Seer Deluxe
 
Join Date: Dec 2012
Location: USA - Illinois
Posts: 177
Quote:
Originally Posted by Kerat View Post
1. The DMZ opens the entire surface area of a network node to the Internet. This bypasses the firewall's normal function.
I disagree with this statement.

Only individual ports should be open on the firewall from the WAN to your DMZ interface.

A DMZ is an isolated network allowing no access or better control of what internal servers the DMZ hosted servers can communicate with. Yes, there is higher risk exposing ports to the internet. However, all ports on all DMZ hosted servers should not be exposed to the internet simply by putting a server in the DMZ.

If you port forward (and firewall allow) from the internet to your internal non-DMZ servers, then if the exposed service is compromised, then your internal non-DMZ network is compromised. Placing your internet accessible servers in the DMZ and blocking all DMZ to LAN/WLAN ports prevents your internal network from being compromised.

IMO, if you do not have a firewall appliance/device then you should not port forward.
  #33
November 22nd, 2017, 02:59 PM
Kerat
Seer Master
 
Join Date: May 2016
Location: Colorado USA
Posts: 719
Quote:
Originally Posted by lveatch View Post
I disagree with this statement.

Only individual ports should be open on the firewall from the WAN to your DMZ interface.

A DMZ is an isolated network allowing no access or better control of what internal servers the DMZ hosted servers can communicate with. Yes, there is higher risk exposing ports to the internet. However, all ports on all DMZ hosted servers should not be exposed to the internet simply by putting a server in the DMZ.

If you port forward (and firewall allow) from the internet to your internal non-DMZ servers, then if the exposed service is compromised, then your internal non-DMZ network is compromised. Placing your internet accessible servers in the DMZ and blocking all DMZ to LAN/WLAN ports prevents your internal network from being compromised.

IMO, if you do not have a firewall appliance/device then you should not port forward.


What you are describing is a conventional DMZ hosted in a firewall sandwich (firewall from public Internet and firewall from the rest of the internal network). Only specific inbound/outbound traffic on specific ports would be allowed in or out from the public Internet or the internal network. The problem is that in home router environments DMZ is described as follows:

"a feature that allows only one (1) local user to be exposed to the Internet for special purposes like Internet gaming or video conferencing." - https://www.linksys.com/us/support-a...icleNum=140747

There is no mention of only allowing inbound/outbound traffic on a specific port.


Sent from my iPhone using Tapatalk
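
Added example, not part of any post in this thread and not HomeSeer or Linksys code: a minimal Python model of a home NAT router's inbound decision, covering the three cases discussed in posts #25, #31 and #33 (an outbound-initiated tunnel, a single port forward, and a consumer "DMZ host"). The LAN address, relay address, client port and the listening ports other than 88 are constructed, and the model ignores port translation and flow timeouts.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HomeRouter:
    """Simplified stateful NAT: no port translation, no flow timeouts."""
    port_forwards: dict = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None                     # consumer "DMZ host" feature
    flows: set = field(default_factory=set)            # (lan_ip, lan_port, remote_ip, remote_port)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection; the router remembers the flow."""
        self.flows.add((lan_ip, lan_port, remote_ip, remote_port))

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return (lan_ip, lan_port, reason) for a WAN packet, or None if dropped."""
        for lan_ip, lan_port, r_ip, r_port in self.flows:
            if (r_ip, r_port, lan_port) == (remote_ip, remote_port, wan_port):
                return (lan_ip, lan_port, "established")  # reply on an existing flow
        if wan_port in self.port_forwards:
            return (*self.port_forwards[wan_port], "port-forward")
        if self.dmz_host:
            return (self.dmz_host, wan_port, "dmz-host")  # everything else lands here
        return None                                       # default: drop unsolicited traffic

def unsolicited_exposure(router, host_ip, listening, prober=("198.51.100.7", 40000)):
    """Listening ports on host_ip that an unrelated Internet host can reach."""
    exposed = set()
    for wan_port in range(1, 65536):
        hit = router.inbound(*prober, wan_port)
        if hit and hit[0] == host_ip and hit[1] in listening:
            exposed.add(hit[1])
    return exposed

# Constructed sample data: port 88 is the HS3 web port named in the thread, the rest is made up.
HS3 = "192.168.1.50"
LISTENING = {22, 88, 445}
RELAY = ("203.0.113.10", 443)  # placeholder address for the remote-access relay

def scenario(**router_config):
    router = HomeRouter(**router_config)
    router.outbound(HS3, 51000, *RELAY)  # the HS3 host dials out to the relay
    return router

tunnel_only = scenario()
forwarded = scenario(port_forwards={88: (HS3, 88)})
dmz = scenario(dmz_host=HS3)

if __name__ == "__main__":
    for name, r in [("tunnel only", tunnel_only), ("port forward", forwarded), ("DMZ host", dmz)]:
        print(name, sorted(unsolicited_exposure(r, HS3, LISTENING)), r.inbound(*RELAY, 51000))
```

In all three scenarios the relay's replies reach the HS3 host through the flow the host itself opened; only the set of ports reachable by everyone else changes.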
  #34
November 22nd, 2017, 03:06 PM
lveatch
Seer Deluxe
 
Join Date: Dec 2012
Location: USA - Illinois
Posts: 177
Quote:
Originally Posted by Kerat View Post
What you are describing is a conventional DMZ hosted in a firewall sandwich (firewall from public Internet and firewall from the rest of the internal network).
Hence my last statement.
  #35
November 22nd, 2017, 03:12 PM
Kerat
Seer Master
 
Join Date: May 2016
Location: Colorado USA
Posts: 719
Do I need to port forward?

I agreed that a conventional firewall sandwich is a better DMZ design. The description I provided is in line with the description Linksys provides on their DMZ feature.


Sent from my iPhone using Tapatalk
  #36
November 27th, 2017, 01:31 PM
jonjonbear
Seer Deluxe
 
Join Date: Jan 2002
Location: Bastrop, Texas
Posts: 286
Hey guys,
Think we found the problem... The dang router died! Brand new router and it kept doing all sorts of strange things. All my security cameras quit working, then I did a simple restart/reboot on the router and it set itself back to defaults! I popped my old Netgear router in place and everything works. Getting an exchange from Amazon. Just wanted to let you guys know what I found.

Cheers,

John
  #37
November 27th, 2017, 03:29 PM
Kerat
Seer Master
 
Join Date: May 2016
Location: Colorado USA
Posts: 719
Glad to hear you got it working.


Sent from my iPhone using Tapatalk

All times are GMT -4.