Port 3671 is blocked from any public IP address
#1
Hello,
I used to do remote programming on demand for my customer. I press a button which opens port 3671 temporarily, then program, then switch the button off with a script. I also have a script which closes it at 24h00 just in case I forget.

My problem is that, since the 2.6.1 firmware on SL/HL, they added a security update:

security: disallow KNX/IP Tunneling connections from external IPs (Port 3671 is blocked from any public IP address)

I didn't understand why it wasn't working anymore, but this was the explanation.

My question: is there a way to allow it, or at least allow my office IP ...


Any help would be precious.
Best regards
-----------
FRANCE SMARTHOME & SMARTBUILDING INTEGRATION
SE ECO EXPERT
#2
Hello, we also blocked this functionality on LM. We scanned the network and we found nearly 2000 devices with a permanently open KNX port. Unfortunately people are not responsible and anybody can now take control of such a project. For LM this is not a problem, as we can now use ZeroTier for secure remote connection, also ETS download. Unfortunately SE does not provide this solution yet. From fw 2.6.1 every firmware package has to be signed by SE; due to this we can no longer provide direct software updates for SE customers.
We provided SE with a package which will allow you to specify an external IP that is allowed to connect. It is now up to them to deliver this to you.
------------------------------
Ctrl+F5
#3
I already discussed this with our team and they are aware, so Daniel you will get some feedback on it (:

From my point of view we need an option to open it by a menu command and have it close again after x period, to make it at least possible; the current situation will raise lots of questions like the one above, as everyone is using the controller as a remote access point...

TBC..

Edit: I see that we get the option to enter an external IP, that will work for me, but auto closing after xx period would be even more secure..
#4
Erwin, you will be able to open it only for a specific external IP.
------------------------------
Ctrl+F5
#5
(12.05.2021, 09:25)Daniel. Wrote: Erwin, you will be able to open it only for a specific external IP.

Yes, perfect, I already edited my previous post (:
#6
(12.05.2021, 09:04)Daniel. Wrote: Hello, we also blocked this functionality on LM. We scanned the network and we found nearly 2000 devices with a permanently open KNX port. Unfortunately people are not responsible and anybody can now take control of such a project. For LM this is not a problem, as we can now use ZeroTier for secure remote connection, also ETS download. Unfortunately SE does not provide this solution yet. From fw 2.6.1 every firmware package has to be signed by SE; due to this we can no longer provide direct software updates for SE customers.
We provided SE with a package which will allow you to specify an external IP that is allowed to connect. It is now up to them to deliver this to you.

OK great, the problem is known and people are reacting :D

Of course I know people are not aware of security, but as you said, others do stuff well.

I guess we need to be able to put an IP address OR a DNS alias also. Some customers should have a dynamic address and use a service like dyndns...
Thanks all for your feedback
-----------
FRANCE SMARTHOME & SMARTBUILDING INTEGRATION
SE ECO EXPERT
#7
Hi Erwin,
where can I find the package for LSS100100?

BR
KNX Advanced Partner + Tutor
#8
+1
we are waiting for it :D
-----------
FRANCE SMARTHOME & SMARTBUILDING INTEGRATION
SE ECO EXPERT
#9
Not released yet as far as I know, will ask the guys for an ETA..
#10
Any news?
KNX Advanced Partner + Tutor
#11
(02.09.2021, 09:34)toujour Wrote: Any news?

No news here either...
I still use the 2.6.0 version since there is no patch... But this version has a difficult issue when programming SpaceLogic Schneider products (programming stops before the end). I don't have the issue with the 2.5.0 firmware. Strange.

I also see a 2.6.2
--> system config: add CORS origin settings for the HTTP server

but I don't think it's the patch
-----------
FRANCE SMARTHOME & SMARTBUILDING INTEGRATION
SE ECO EXPERT
#12
It is included in 2.6.2
------------------------------
Ctrl+F5
#13
What do you mean?
Where do we put our IP address or hostname? Is it this CORS functionality or some other setup?
-----------
FRANCE SMARTHOME & SMARTBUILDING INTEGRATION
SE ECO EXPERT
#14
You need a script to run for the KNX IP; I will send you a PM. The CORS setting is something that most likely nobody will need, but you will find it under HTTP servers in Services.
------------------------------
Ctrl+F5
#15
(02.09.2021, 10:11)Daniel Wrote: You need a script to run for the KNX IP; I will send you a PM. The CORS setting is something that most likely nobody will need, but you will find it under HTTP servers in Services.

Hello Daniel,

Please, can you explain how to remotely access port 3671 of the Wiser?
Thank you very much in advance.
Best Regards.
Jose
#16
(25.03.2022, 10:01)Jose Wrote:
(02.09.2021, 10:11)Daniel Wrote: You need a script to run for the KNX IP; I will send you a PM. The CORS setting is something that most likely nobody will need, but you will find it under HTTP servers in Services.

Hello Daniel,

Please, can you explain how to remotely access port 3671 of the Wiser?
Thank you very much in advance.
Best Regards.
Jose

You can't; in LM we have a solution, Wiser does not. You can create a VPN network on site.
------------------------------
Ctrl+F5
#17
Is this an issue with local IP addresses as well? I can use 3671 locally if I set the IP to the standard factory one, but if I change the internal IP to 172.10.11.10 I can't reach it through ETS.

No ports are open to the internet, this is locally only.

Wiser with 2.7.0.
#18
Class B range is 172.16.0.0 - 172.31.255.255, 172.10.11.10 is a public IP address.
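
The address check behind posts #17 and #18, as an added example that is not part of the original thread and is not the firmware's code: it models the rule quoted in post #1 (KNX/IP tunneling on port 3671 refused from public source addresses) together with the single allowed external IP mentioned in post #4. The function names, the allowlist parameter and every sample address other than 172.10.11.10 are assumptions.

```python
import ipaddress

# RFC 1918 private ranges. The 172.x block is only 172.16.0.0/12
# (172.16.0.0 - 172.31.255.255), which is the point made in post #18.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KNX_TUNNEL_PORT = 3671


def classify(addr):
    """Return 'private', 'public' or 'invalid' for an IPv4 source address."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ipaddress.AddressValueError:
        return "invalid"
    if ip.is_loopback or ip.is_link_local or any(ip in net for net in RFC1918):
        return "private"
    return "public"


def tunnel_allowed(src, allowed_external=()):
    """Model of the rule: accept local sources, refuse public ones unless
    the exact address is on the (hypothetical) external allowlist."""
    kind = classify(src)
    if kind == "private":
        return True
    if kind == "public":
        return any(ipaddress.IPv4Address(a) == ipaddress.IPv4Address(src)
                   for a in allowed_external)
    return False  # unparsable input is refused


def audit_lan_plan(addresses):
    """List LAN addresses that are not private and would be treated as external."""
    return [a for a in addresses if classify(a) != "private"]


if __name__ == "__main__":
    # Constructed sample data; 203.0.113.7 is a documentation address (RFC 5737).
    for src in ("192.168.0.10", "172.16.5.4", "172.10.11.10", "203.0.113.7"):
        print(f"{src:15} {classify(src):8} port {KNX_TUNNEL_PORT} allowed:",
              tunnel_allowed(src, allowed_external=["203.0.113.7"]))
```

Running `audit_lan_plan` over a site's planned addressing before a firmware upgrade shows which hosts would lose port 3671 access under a rule of this kind.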
#19
Ok - thanks. It is a managed network, so I'll contact the admin.