Setting up remote access for Loxone Intercom

[Simon Still]

I've been fiddling with remote access today.  I've got Loxone working remotely now but just stuck on how the intercom video working remotely.

I've set up a dynamic dns service so i should now be able to point at XXXXX.ddns.net 

The Loxone instructions show https://www.loxone.com/enen/kb/intercom-intercom-xl/ in the config

host for video steam (external) : Clouddns:8090

i've set

host for video stream as mydnsservice:8090

but i''m not sure how to configure the port forwarding

The Loxone instructions say:

"

• Ensure that you have port forwarded on the router for the video module
• The external port can be anything greater than 7000, but smaller than 65534. (i've used 8090 as above)
• Internal port is locked to 80 so your rule must accommodate for that"

What does that mean "accomodate for that".  I've set the start port and finish port in port forwarding to 8090 but that's not working.

[Duncan]

your port forwarding of your router connects 8090 on the outside and forwards tcp/udp to port 80 and IP address of your intercom on the inside of your network, so that:

then in your loxone config file you use the external video address of http://myaddress.ddns.org:8090/video.cgi or whatever url the video is inside of your network

[Arnaud]

Hi,

the NAT rules needed on the router are : 

External port : 8090

Internal port : 80

Protocol : as needed (TCP, UDP or both), if you router don't permit BOTH for protocols, you need to create tow rules, one for TCP, one for UDP, with same ports & addresse.

Internal Address : ip address of your intercom.

[Simon Still]

On Friday, 29 June 2018 07:49:44 UTC+1, Arnaud wrote:

the NAT rules needed on the router are : 

External port : 8090

Internal port : 80

Ok, this is where I'm having trouble.  That's what I assumed it should be but my router interface is proving the issue (or my reading of it).

First I have to set up a 'service' but the only fields are

Name - intercome

Type - tcp/udp

Start Port 

Finish Port

Its not possible to set the finish port lower than the start port - it seems to be setting a range of ports rather than port a into port b.  what am i misunderstanding?

[Simon Still]

So i have a Sky router.  searching online i find this 

"That's is correct about redirecting the port from 443 to 8123. This fuctioanility is know as port mapping, which the Sky routers do not support. You would need to change the port number on the RPi and that depends on the applicaton itself, so it doesn't need to map the port but accept a direct forwarding of it."

It seems I can open a port but not map one external port to a different one internally.

The Loxone intercom external access instructions say 

"The external port can be anything greater than 7000, but smaller than 65534.

• Internal port is locked to 80 so your rule must accommodate for that"

since i can't change the external intercom port to be the same as the internal i don't think i can make this work without changing my router can i?

[Duncan]

You have to choose carefully regarding your choice of router for sky fibre, only a few models support their odd way of authentication. I know the current Asus ones work.

[Simon Still]

On Friday, 29 June 2018 11:51:12 UTC+1, Duncan wrote:

You have to choose carefully regarding your choice of router for sky fibre, only a few models support their odd way of authentication. I know the current Asus ones work.

I'm not sure what question that answered - is there a workaround or do i need to buy a different router and choose carefully?  I'm using the standard (Q hub) Sky router at the moment (as router/modem only - have Cisco WAPs)

[Duncan]

You need a different router, one that's compatible with sky MER authentication

you can do it one of 2 ways :

1) keep the sky router and set up another one behind it - easy to do but can result in some problems with double NAT

2) replace the router with one that supports MER / DHCP option 61 -

https://www.avforums.com/threads/how-to-replace-sky-sr102-with-another-router-sky-fibre.1939217/

[Arnaud]

hi,

as Ducan say, you need a different router.

(i don't know specific Sky routers)

for his option 1 (the more flexible in my opinion), by what you want, connect it on the actual router (you will need another switch to if your actual router operate as switch because if you add a second router, the sky router is considerate as external of your lan).

And finally, on the sky router, if you can, configure the new router as DMZ host, if not, redirect ports from 1 to 65534 (well know ports) to the new router.

like this, you can manage every ports mapping on you new router.

br.

Le jeudi 28 juin 2018 20:14:59 UTC+2, Simon Still a écrit :

[Del]

Did you get this working i have a loxone intercom working on a sky router

[Simon Still]

On Thursday, 5 July 2018 17:50:13 UTC+1, Del wrote:

Did you get this working i have a loxone intercom working on a sky router

No, I didn't.  The view in more than one place was that the Sky Q hub I have (and previous routers) does not support port mapping so there is no way to map a high numbered external port (eg) 8090 to internal port 80 to enable video.  (i have the audio working).

If there's a workaround (that doesn't involve a new or second router) that would be great news.  Otherwise advice on a low cost modem/router (wireless not important as have separated WAPs) - I don't really want to spend c£100 just to get remote video (which i've not missed that much over the last 3 years).

[sk]

I wouldn't pick the lower range ports as others could find them.  There is no SSL when logging into the intercom so its best to pick ports that are really high or obscure.  I chose something in the 63,000 range for video for the intercom.  (Not on a sky router though).  Likewise for Loxone's remote access port.   Its not that leaving ports open is unsafe its just that the service behind it may not be secure enough as such making it harder to detect the open ports by putting something well out of range adds a small amount of obfuscation. 

I still have it on my list of things to do to create an apache SSL server on a raspberry pi that can sit in DMZ and forward the traffic to loxone miniserver - will add intercom to that too though not sure if the app will support SSL for the video stream. 

[sk]

PS.  I use a https://www.ubnt.com/unifi-routing/usg/  ~ £100.

Pros:

- You get some decent software that will monitor you connection.

- You can setup a VPN relatively easily. VPNs allow your devices to remote connect back to home and act as though they are on the home wifi (connection speed dependent)

- You can setup a DMZ

- if you expand your network at home, the management software can manage the switches and other devices if they are from the same company.

Cons:

- You need a Pi or something else to run their software. You can buy their USB key to run the software too.

- lock in once you buy one product you will probably end up buying their other stuff to make life easy.

[Gregor Rebolj]

As an alternative you can try Voxior Remote access product (https://www.voxior.com/remote-access) which solves the same problem without router modification or port forwarding.

Disclosure - I work for Voxior and Voxior Remote access is a commercial product. Voxior is an IT company innovating in the smart home space.

We would love to get feedback from more advanced users such as people in this group.

This product was developed in cooperation with some of the biggest professional installers. Installers particularly love this product because it’s super sumple to use, they don’t need to be bothered with router, IPv6, mobile internet or ISP specifics. You also don’t need to visit the customer in case they replace router/ISP, it just keeps working.

How it works:

Voxior box detects the devices in the network and enables the installer/user to easily set up remote access for Loxone Miniserver, cameras/intercoms, KNX interfaces and other networked devices. Installer can chose between two remote access types:

- end to end encryption through VPN. The setup was made extremely simple, just enable VPN access and send the configuration to the right phone/computer. VPN on Demand is used on all Apple devices making it completely transparent for the user.

- direct tunnel with a secure URL. Voxior generates a though to guess URL (e.g. HS90645348D13A.vxrlink.de:20334) for simple access without any software or VPN required.

Simply enable remote access for your Miniserver or camera and copy/paste the URL into Config/mobile app for remote access.

Even the initial setup can be done remotely. The box is shipped to the client and installer can configure it remotely as soon as it gets online.

We know these issues were solved with port forwarding in the past. But now with IPv6, ISP forced networking changes and increased risk of hacker attacks we think it needed a better solution.

Let me know what you think. 

Gregor Rebolj, CEO and Founder, Voxior Inc.

Voxior - Voice control for KNX and Loxone Smart Homes

5 min setup without any additional hardware required - Start your free 7-day trial by logging into Voxior

--
You received this message because you are subscribed to the Google Groups "Loxone English" group.
To unsubscribe from this group and stop receiving emails from it, send an email to loxone-englis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/loxone-english/836d39e4-c958-430e-a6b7-28bd65517884%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Simon Still]

On Sunday, 8 July 2018 13:52:52 UTC+1, Gregor Rebolj wrote:

As an alternative you can try Voxior Remote access product (https://www.voxior.com/remote-access) which solves the same problem without router modification or port forwarding.

Disclosure - I work for Voxior and Voxior Remote access is a commercial product. Voxior is an IT company innovating in the smart home space.

We would love to get feedback from more advanced users such as people in this group.

That does sound a useful and interesting product.  No problem with you posting that as a commercial response on here 

However, I need to know the price.  I don't seem to be able to get a price without 'applying for an invoice' and the 'free trial' requires me to set up an account before it will tell me how it works (not clear given there seems to be a hardware requirement).

 

[Gregor Rebolj]

End user price is 74.5 EUR/year. Contact us to get discounts on multiyear licences and bulk purchases for installers. You can also assemble your own hardware: https://www.voxior.com/voxior-link

This service will evolve into a product intended to enable modern assistance for the modern day smart home owners. The goal is to enable remote monitoring and management of your customers smart homes to enhance your customer service, proactively prevent issues, increase efficiency and save time by reducing the need for onsite visits. More on this at:  https://www.voxior.com/partners

For Loxone we plan to automatically backup config files, trigger alerts on low battery levels or other issues found in the home to help you offer a complete service to your customers.

Let me know what you think.

Contact me if you would like to join the beta program and get access to unreleased features.

best,

gregor

--
You received this message because you are subscribed to the Google Groups "Loxone English" group.
To unsubscribe from this group and stop receiving emails from it, send an email to loxone-englis...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/loxone-english/b21caa24-b6a6-4d34-a8e5-f43da3f248a7%40googlegroups.com.

[Simon Still]

So,  new TP-link VR600 router now installed.  Very easy to set up on Sky - 

You just need to select the correct option on the router and put in a dummy login and password - https://kevq.uk/how-to-use-a-tp-link-router-with-sky-fibre-optic/

Port 8090 externally set up to forward to port 80.  However, I'm still not getting any video. 

How do I troubleshoot this to find out where the issue is?

Just  checking that the setting below should be XXXXX.ddns.net:8090 (ie my dynamic dns address, port 8090).  How can I check that the dynamic address is actually working?

On Thursday, 28 June 2018 19:14:59 UTC+1, Simon Still wrote: 

[Duncan]

point a browser to that address from outside of your network - it should respond if things are getting through

[Simon Still]

On Wednesday, 11 July 2018 16:26:30 UTC+1, Duncan wrote:

point a browser to that address from outside of your network - it should respond if things are getting through

Still getting no response on the browser but I've now got the router to successfully link to the DDNS service and its' working.  

Odd that it wasn't before as noip were showing the correct IP.  

Yay.  Finally.  

 

[Simon Still]

Spoke too soon. Worked once, now not working again.

I dont get any response when i point a browser at my No-IP address. What should i get? There’s no webserver on the end of it

[Duncan]

if you point at http://domain you probably wont get a response because this is your router facing the internet.

if you point at http://domain:8090 you are effectively pointing your browser at the http (port 80) address of the intercom, so you should get the same response you would get if you point your brower at the intercom from inside your network (assuming your port-forwarding is working correctly)

[Simon Still]

 
On Thursday, 12 July 2018 11:06:00 UTC+1, Duncan wrote:

if you point at http://domain you probably wont get a response because this is your router facing the internet.

if you point at http://domain:8090 you are effectively pointing your browser at the http (port 80) address of the intercom, so you should get the same response you would get if you point your brower at the intercom from inside your network (assuming your port-forwarding is working correctly)

What sort of response?  Browser gives "too long to respond".   Do i need to have the miniserver on something other than port 80 if the webcam is on 80? 

(sorry for my ignorance, it's the first time I've tried playing with this stuff so all new to me). 

[Duncan]

what happens inside your network? point your browser to the ip address of the camera part of the intercom - you should get an interface asking you to log in, or just an image

this is the response that you are looking to replicate from outside using the port forwarding.

[Simon Still]

On Thursday, 12 July 2018 22:46:38 UTC+1, Duncan wrote:

what happens inside your network? point your browser to the ip address of the camera part of the intercom - you should get an interface asking you to log in, or just an image

this is the response that you are looking to replicate from outside using the port forwarding. 

Ok - inside the network I get the login page.  Camera/intercom work fine inside my network.   

[Duncan]

so if your port forwarding is set up and working correctly, you should get the same reponse from outside of your home network using http://mydnsname:8090, which should redirect the web request from the router to the intercom at port 80

[Simon Still]

Thanks for your help and  patience on this!

So presumably if it take my dynamic IP address from my router I can take the noIP service out of the equation as well?

Definitely looks as if they issue is the router settings.  It seems every manufacturer calls the settings subtly different things. 

The TP Link Archer has, in advanced settings under the heading NAT Forwarding

- "virtual servers" where i've mapped the external ports, linked to internal IP address and port.

Also in that category -

Application Layer Gateways (all enabled except RTSP ALG)

There is also something called "port triggering" and "DMZ", 

Under the top heading 'network' there is an 'advanced routing' under which can set 'static routing'

Do any of these sound like settings I would need to configure for the intercom?

[Simon Still]

I finally talked to Loxone support on this and it seems you just use their CloudDNS service (as for remote access on the miniserver) and it works.  No need for a third party DynDNS service and must be some incompatibility if you try to use one.