eHouse Intelligent Building – router configuration and access from the outside world
eHouse is a smart home and building management system which can be fully operated from the outside (the Internet).
Full support of the system (sending commands and receiving the status of the controllers) uses TCP/IP.
Additionally, on a LAN, intranet or WiFi network it is possible to receive controller statuses via UDP.
For the eHouse system to be reachable from the Internet, several conditions must be met:
1. The Internet service provider must allow data from outside to pass into the local network (no provider-side firewall, or at least one open TCP port).
2. The Internet connection must have a fixed IP address; alternatively, the router may use DDNS or a similar service that allows unambiguous identification of the network without a fixed IP address.
3. The router connecting the LAN to the Internet must support DDNS or a similar service (if there is no fixed IP address). It is necessary to create a DDNS account and configure the router properly (enter the service address, user name and password) and all transmitting devices (enter the Internet address).
4. The local firewall must open the ports (services) used by the eHouse home automation system for data going out and coming in.
5. NAT (Network Address Translation) must be set up, assigning external ports (Internet side) to the internal IP address and ports of the target device (e.g. CommManager, eHouse Server, eHouse.Pro Server).
6. If you wish to receive the UDP status broadcasts of the controllers, you also need to configure a VPN (virtual private network) to form a tunnelled connection over the available Internet link.
Due to the low quality of Internet connections and the lack of confirmation, error handling and security mechanisms in the UDP protocol, this may prove to be a futile effort.
AD 1. Choose a good and fast Internet provider who does not block TCP/IP ports on their side, or who allows you to create your own firewall rules passing the ports used by the eHouse system, so that TCP/IP connectivity from the outside works.
AD 2. A fixed IP address is available only from some providers, and you have to pay extra for an annual subscription of about 40 Euro. It is the best and safest solution because it guarantees that all services will be available, in contrast to some ISPs that offer a dynamically allocated web address shared among many users. Additionally, we get direct P2P (peer to peer) host-to-host connectivity.
AD 3. In some cases it is possible to communicate with the eHouse system using DDNS or a similar service. It works as follows: a DDNS client running on the Internet access router in the LAN informs the DDNS server what address the external interface of the link currently has.
Some services work on the principle of a proxy server. Going through such a "proxy server" can significantly slow data transmission, because the data passes through the server, which may be located, for example, on another continent.
Select the server closest to your location in order to reduce device response times.
AD 4. Accessing the eHouse system via TCP/IP from the Internet side requires the port to be open on the outside (by default 9876) or a firewall exception rule (TCP) to be added.
For sharing controller status by UDP, the default port is 6789 for the binary status of CommManager, eHouse.exe and eHouse.PRO Server, and 6788 for the text status from the eHouse.exe application. These ports should be added to the firewall (for UDP).
AD 5. NAT address translation is required to take data arriving on the outside port and redirect it to a specific device IP and port inside the LAN. You need to redirect at least the TCP port for two-way communication with the outside (the default TCP port 9876).
AD 6. A properly configured VPN generally requires a fixed IP address. Some Internet service providers, despite the fee for a fixed IP, treat VPN as an additional VIP service and expect additional compensation for its activation, mostly in the form of a subscription.
Due to the nature of the UDP protocol (no confirmation, acknowledgement or error correction), it may be inadequate over Internet and VPN links and not worth fighting for.
In the case of the Internet, you can actually skip this step, leaving the much more reliable TCP connection. In principle, UDP broadcasts can be used outside the LAN in a DMZ or intranet, and across a distributed network within the building. The decision to leave the UDP status broadcast service active over the Internet or intranet should be based on practical tests.
Initial Setup of the router.
We present an example configuration based on the well-known WiFi router Linksys WRT54GL.
It is a Linux-based WiFi router which allows third-party firmware to be uploaded to provide the functions we need (VPN, VoIP, etc.).
For full VPN support it was necessary to install the dd-wrt firmware, which is recognized as the best for WiFi routers, in place of the default firmware.
Set up the Internet connection; in our case, a fixed IP address. The DNS address and gateway are important here.
Enable DHCP for local network devices. This is needed for basic Internet and LAN operation.
Choose DDNS or a similar service if you do not have a fixed IP address, or if you want to address the network by name instead of by IP address. These services are generally free.
With a fixed IP address, configuring the IP address directly is better than using the DDNS name, because the response is several seconds faster.
DDNS configuration or similar: when registering, choose a unique address in the DDNS domain. This address is associated with a user name and password and is registered with the DDNS service.
Next we move on to configuring the firewall, which will protect our network from the outside and block information leaving from the inside.
If we use a VPN, we must enable special firewall rules for the VPN.
Then go to the NAT (Network Address Translation) settings, which assign ports on the external interface to device ports on the LAN. It is necessary to activate NAT for the eHouse service (default port 9876, TCP).
The vpn and vpn2 services may be required on some routers for the VPN to work properly, and on others they should be removed.
The "eHouse UDP xx" services can be enabled or disabled as required for our router; they are generally not necessary because we only send data outside.
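The firewall and NAT steps above (AD 4, AD 5 and the NAT settings of the router) come down to a few iptables rules. The script below is an added example, not eHouse or dd-wrt project code: it prints the rules for review (a dry run) and can be piped into sh on the router, for instance from dd-wrt's custom firewall script. The interface names vlan1 and br0 and the controller address 192.168.1.50 are assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not eHouse or dd-wrt project code.
# Emits the iptables rules that implement the eHouse port forward (TCP 9876
# by default) so they can be reviewed before being applied on the router.
# Interface names and the internal address are assumptions for a dd-wrt
# WRT54GL; adjust them to your LAN.

WAN_IF="${WAN_IF:-vlan1}"   # dd-wrt WAN interface (assumption)
LAN_IF="${LAN_IF:-br0}"     # dd-wrt LAN bridge (assumption)

# Accept only a dotted-quad IPv4 address.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the DNAT + FORWARD rules for one port forward.
#   $1 internal IP of CommManager / eHouse server
#   $2 external (Internet-side) port, default 9876
#   $3 internal port, default 9876
ehouse_nat_rules() {
  ip="$1"; ext="${2:-9876}"; int="${3:-9876}"
  valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  # Rewrite the destination of inbound TCP on the WAN port to the controller.
  echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $ext -j DNAT --to-destination $ip:$int"
  # Permit only that flow through the FORWARD chain; nothing else from the WAN is opened.
  echo "iptables -I FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $ip --dport $int -m state --state NEW -j ACCEPT"
}

# Keep controller UDP status broadcasts (6789 binary, 6788 text) from being
# forwarded out to the Internet; they are meant for the LAN only.
ehouse_udp_block_rules() {
  for p in 6789 6788; do
    echo "iptables -I FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport $p -j DROP"
  done
}

# From a host on the Internet side, check that the forward answers
# (needs nc / netcat; constructed helper, returns nc's exit status).
ehouse_check_tcp() {
  nc -z -w 3 "$1" "${2:-9876}"
}

# Dry run by default; pipe into sh on the router to apply:
#   sh ehouse_nat.sh 192.168.1.50 | sh
if [ $# -gt 0 ]; then
  ehouse_nat_rules "$@" && ehouse_udp_block_rules
fi
```

Run it without piping first and read the output: the PREROUTING rule is the NAT entry and the FORWARD rule is the firewall exception; the UDP DROP rules are optional and only make explicit that controller status never leaves the LAN.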
If you intend to use the UDP status service from outside, the VPN configuration for this purpose is presented below.
We use PPTP (Point-to-Point Tunneling Protocol) for this purpose, as it is the simplest and is available on the largest number of mobile devices without any additional installation or configuration.
Just turn on the PPTP server with broadcast support.
The VPN link should be tested to see whether it is efficient enough, because in some versions of mobile operating systems the speed can be insufficient and very unstable.
We enter the server address (virtual LAN).
Additionally, in the CHAP-Secrets field we enter the user name and password as shown in the picture.
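The PPTP server step needs two things the text only names: the tunnel addresses and the CHAP-Secrets entries. The helpers below are an added example, not eHouse or dd-wrt code; the addresses are assumptions (the client pool is placed in the LAN subnet so that UDP status broadcasts reach VPN clients), and the secrets line follows the user * password * form of dd-wrt's CHAP-Secrets field. Since PPTP authenticates with the CHAP password alone and its MS-CHAPv2 authentication has known weaknesses, the helper refuses short passwords and writes the file readable only by its owner.

```shell
#!/bin/sh
# Added example, not eHouse or dd-wrt project code.
# Builds the pptpd address settings and CHAP-Secrets entries for the
# PPTP server step. All addresses are assumptions.

VPN_LOCAL_IP="${VPN_LOCAL_IP:-192.168.1.1}"                 # router's address inside the tunnel (assumption)
VPN_CLIENT_RANGE="${VPN_CLIENT_RANGE:-192.168.1.200-210}"   # pool for VPN clients, same subnet as the LAN (assumption)

# pptpd.conf fragment (dd-wrt fills these from its PPTP Server page).
pptpd_conf() {
  echo "localip $VPN_LOCAL_IP"
  echo "remoteip $VPN_CLIENT_RANGE"
}

# One CHAP-Secrets line: client  server  secret  allowed-IPs.
# dd-wrt's CHAP-Secrets field uses the form:  user * password *
chap_secret_line() {
  user="$1"; pass="$2"
  case "$user" in ''|*[!A-Za-z0-9_.-]*) echo "bad user name: $user" >&2; return 1 ;; esac
  [ "${#pass}" -ge 16 ] || { echo "password too short (min 16): $user" >&2; return 1; }
  case "$pass" in *' '*|*'"'*) echo "password must not contain quotes or spaces" >&2; return 1 ;; esac
  printf '"%s" * "%s" *\n' "$user" "$pass"
}

# Write the secrets file with owner-only permissions (it holds plaintext passwords).
#   $1 file, then user/password pairs
write_chap_secrets() {
  file="$1"; shift
  umask 077
  : > "$file"
  while [ $# -ge 2 ]; do
    chap_secret_line "$1" "$2" >> "$file" || return 1
    shift 2
  done
}

# Example use (constructed names and passwords):
#   write_chap_secrets /tmp/chap-secrets alice 'correct-horse-battery-staple'
```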
While configuring the router for the eHouse system, it is worth looking into the WiFi settings.
Very good protection of the WiFi network against break-in from the outside is to allow only the MAC addresses of our own WiFi network adapters.
This means blocking all cards, and excluding from the block the MAC addresses of all our devices with a WiFi card.
Unknown devices are never admitted to our network, even if the key of the WiFi hotspot has been made public or they know the secret key.
To secure your WiFi network it is best to choose WPA2 Personal + TKIP and a very long key, e.g. 64 characters, making it impossible for WiFi network scanners in the neighbourhood to try all combinations. This key can be saved in a text file and does not need to be remembered.
Additionally, you should disable the possibility of remote configuration of the router (via WiFi and the Internet).
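The WiFi settings above (MAC allow-list, WPA2 Personal, a 64-character key kept in a file) can be prepared and checked before they are typed into the router. The script below is an added example, not eHouse or dd-wrt code; it writes the values as a hostapd-style fragment purely as a readable vehicle, since the dd-wrt pages fill the same fields. One detail worth knowing: a WPA2 passphrase is limited to 8 to 63 characters, so a "64-character key" is the raw 256-bit PSK written as 64 hex digits, which is what the generator produces. The pairwise cipher is an assumption: the page uses TKIP, and hostapd also accepts CCMP (AES), which is the current standard cipher and is used here.

```shell
#!/bin/sh
# Added example, not eHouse or dd-wrt project code.
# Generates a 64-hex-digit WPA2 key, validates a MAC allow-list and emits
# the settings as a hostapd-style fragment for review.

# A WPA2 passphrase is 8-63 characters; 64 hex digits is the raw 256-bit PSK.
gen_psk_hex() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Save the key to a text file readable only by its owner.
save_psk() {
  umask 077
  printf '%s\n' "$2" > "$1"
}

# Accept only colon-separated MAC addresses.
valid_mac() {
  echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Write the allow-list file, one MAC per line (lowercased); reject bad entries.
#   $1 file, then MAC addresses
write_mac_allowlist() {
  file="$1"; shift
  : > "$file"
  for mac in "$@"; do
    valid_mac "$mac" || { echo "rejected MAC: $mac" >&2; return 1; }
    echo "$mac" | tr 'A-F' 'a-f' >> "$file"
  done
}

# hostapd fragment: deny everyone except the allow-list, WPA2-PSK with the raw key.
#   $1 SSID, $2 64-hex-digit PSK, $3 allow-list file
wifi_config() {
  ssid="$1"; psk="$2"; acl="$3"
  [ "${#psk}" -eq 64 ] || { echo "psk must be 64 hex digits" >&2; return 1; }
  case "$psk" in *[!0-9a-fA-F]*) echo "psk must be 64 hex digits" >&2; return 1 ;; esac
  cat <<EOF
ssid=$ssid
macaddr_acl=1
accept_mac_file=$acl
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_psk=$psk
EOF
}

# Example use (constructed SSID and MAC):
#   psk=$(gen_psk_hex); save_psk /tmp/ehouse-wifi.key "$psk"
#   write_mac_allowlist /tmp/wifi.allow 00:1a:2b:3c:4d:5e
#   wifi_config ehouse "$psk" /tmp/wifi.allow
```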