Problem with remote KNX programming on port 3671
#1
Hello,

I'm trying to reach a Wiser for KNX in ETS but I can't.

I opened port 3671 TCP/UDP and 443 on the router. Over HTTPS there is no problem, but ETS cannot reach it (not even with NAT mode activated).

I asked the ISP to check whether they block something, but they confirmed that they don't.

What could it be? Any ideas?
#2
This is blocked for security. In LM we have Zerotier which lets you connect securely. Contact SE support directly.
------------------------------
Ctrl+F5
#3
Check the official communication from the KNX Association later today. Then you know why we closed it.
#4
I understand the problem, and I'm aware of the KNX Secure process etc., but I have an old installation without a VPN and I have to reach it. Is there a way?
#5
If you use a VPN then you don't need NAT. Only public IPs are blocked. When you are on the VPN you use local IPs.
------------------------------
Ctrl+F5
#6
Yes, I know that, but I didn't have a VPN there. Is it possible to reach the bus via ETS in that case?

Thank you
#7
Via LM yes, Wiser NO
------------------------------
Ctrl+F5
#8
For those who have missed the news article of knx.org: https://www.knx.org/knx-en/for-professio.../index.php

What is missing in this message is what the hackers are doing at this moment, and why it is so critical to close port 3671 for public access.

Currently hackers are scanning for open ports to unprotected KNX installations, and when found they scan all the bus devices from any brand/manufacturer and delete the programming of the device. Next to that they enable the BCU password on the affected devices and make it impossible to re-program the device. In theory this means the device is locked and must be replaced.

As you understand, this brings high costs for labour and hardware, and the original latest programming must be available. Last week there were several cases I have heard of in different countries and different product ranges/manufacturers.

This is why we keep pushing to avoid open ports, as this is a quick and dirty approach and puts you and your customers at high risk from these threats.

For remote access use appropriate measures like VPN and KNX IP Secure and move away from the dangerous port forwarding method!
#9
(10.11.2021, 14:12)Erwin van der Zwart Wrote: For those who have missed the news article of knx.org: https://www.knx.org/knx-en/for-professio.../index.php

What is missing in this message is what the hackers are doing at this moment, and why it is so critical to close port 3671 for public access.

Currently hackers are scanning for open ports to unprotected KNX installations, and when found they scan all the bus devices from any brand/manufacturer and delete the programming of the device. Next to that they enable the BCU password on the affected devices and make it impossible to re-program the device. In theory this means the device is locked and must be replaced.

As you understand, this brings high costs for labour and hardware, and the original latest programming must be available. Last week there were several cases I have heard of in different countries and different product ranges/manufacturers.

This is why we keep pushing to avoid open ports, as this is a quick and dirty approach and puts you and your customers at high risk from these threats.

For remote access use appropriate measures like VPN and KNX IP Secure and move away from the dangerous port forwarding method!

Confirmed..... Avoid opening port 3671 on the client router. It is very dangerous.
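The two posts above describe the threat: public scanning for KNXnet/IP port 3671 followed by reprogramming of the bus devices. As an added example (not code from the forum, Schneider/LM or KNX Association), here is a small detector that runs over router firewall log lines and flags any 3671 traffic that arrived from a public source address over the WAN interface rather than over a VPN/ZeroTier interface. The log format, the `[KNX-FWD]` prefix, the interface names and the addresses are assumptions; the sample lines are constructed, with documentation ranges (203.0.113.0/24, 198.51.100.0/24) standing in for public addresses.

```python
import ipaddress
import re

KNXNET_IP_PORT = 3671

# Constructed sample lines in iptables/nftables LOG syntax (not real traffic).
# Assumption: a LOG rule with prefix "[KNX-FWD]" sits on the forward chain.
SAMPLE_LOG = """\
Nov 10 14:12:01 router kernel: [KNX-FWD] IN=eth0 OUT=br0 SRC=203.0.113.77 DST=192.168.1.20 PROTO=UDP SPT=51112 DPT=3671 LEN=14
Nov 10 14:12:02 router kernel: [KNX-FWD] IN=eth0 OUT=br0 SRC=203.0.113.77 DST=192.168.1.20 PROTO=TCP SPT=51113 DPT=3671
Nov 10 14:12:05 router kernel: [KNX-FWD] IN=zt0 OUT=br0 SRC=10.147.17.5 DST=192.168.1.20 PROTO=UDP SPT=40000 DPT=3671
Nov 10 14:12:09 router kernel: [KNX-FWD] IN=eth0 OUT=br0 SRC=198.51.100.9 DST=192.168.1.20 PROTO=TCP SPT=443 DPT=443
"""

LINE_RE = re.compile(
    r"IN=(?P<iface>\S+).*?SRC=(?P<src>\S+).*?DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)

# Ranges that are reachable only from inside (RFC 1918, loopback, link-local,
# CGNAT). Defined explicitly so documentation ranges count as "public" here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def is_public(ip):
    """True when the address is outside every local range above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def parse_line(line):
    """Extract interface, addresses, protocol and destination port, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"])
    return ev


def find_exposed_knx(log_text, trusted_ifaces=("zt0",)):
    """Return (src, proto, dst) for each KNXnet/IP packet that reached the
    gateway from a public address over a non-VPN interface, i.e. evidence
    that port 3671 is open to the Internet."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["dpt"] != KNXNET_IP_PORT:
            continue
        if ev["iface"] in trusted_ifaces or not is_public(ev["src"]):
            continue
        hits.append((ev["src"], ev["proto"], ev["dst"]))
    return hits
```

Any hit means the forward rule still admits Internet sources; the ZeroTier line is accepted because it arrives on the trusted interface from a local address.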
#10
Hi,
I have an LM in the local network behind the firewall, and I made a custom port with a restricted source IP that redirects to the LM on 3671.
However it does not work: my i3pro application does not work from outside the network, even though the firewall shows all redirects are working properly.
What could cause the problem? Is there any way to check the LM logs for KNX connections?
thanks
#11
Did you enable "NAT mode" in the ETS connection settings?
#12
(22.11.2021, 15:21)Erwin van der Zwart Wrote: Did you enable "NAT mode" in the ETS connection settings?

I have enabled it but it does not work.
#13
Hello, in LM devices with old firmware, would it be enough to uncheck the 'KNX IP Features' option, so that access via 3671 would be blocked?
#14
Yes, disabling IP features is enough
#15
Only if you use TP-UART mode. If Routing is selected then this is still enabled.
------------------------------
Ctrl+F5
#16
(09.11.2021, 11:20)Daniel Wrote: This is blocked for security. In LM we have Zerotier which lets you connect securely. Contact SE support directly.

Even if the LM is on DynDNS, is 3671 blocked?
#17
Dynamic DNS does not provide any kind of protection. It does not matter if it's a domain name or an IP address. Opening port 3671 is a security issue in any case.
#18
Is there no other way to connect to port 3671 than via VPN? Otherwise it is not possible?
I have a problem on my computer with an L2TP connection; it is disabled by Windows 10. I've already gone through what I could, and no change in settings has helped, not even in the registry.
#19
Have you tried ZeroTier? It is not VPN strictly speaking.
------------------------------
Ctrl+F5
#20
I haven't tried ZeroTier. Is there a guaranteed guide somewhere? I would not like to go to the LM at the customer's.

Daniel,
Thanks for the advice, ZT works.