Internet access

[NJBILLT]

Do I understand that in order to access my home from outside my home I need to pay a fee?  Or buy an app?  I am currently using Homeseer and wanting to make a change, but this is a deal breaker if true.  There's no reason this can't have dynamic web pages served right from the box like HS.  

[paulbates]

Hi and welcome to the udi forums!

You can, free of charge, open a port I your firewall and access the ISYs web pages and admin console over the internet. These pages are basic and many people opt for an additional charge app of which there are a number of choices.

I migrated from homeseer 4 years ago. 

Paul

[NJBILLT]

Just now, paulbates said:

Hi and welcome to the udi forums!

You can, free of charge, open a port I your firewall and access the ISYs web pages and admin console over the internet. These pages are basic and many people opt for an additional charge app of which there are a number of choices.

I migrated from homeseer 4 years ago. 

Paul

Thank you.  I don't need anything fancy but I want to at least see status and be able to trigger events if I want to

[simplextech]

4 minutes ago, NJBILLT said:

Do I understand that in order to access my home from outside my home I need to pay a fee?  Or buy an app?  I am currently using Homeseer and wanting to make a change, but this is a deal breaker if true.  There's no reason this can't have dynamic web pages served right from the box like HS.  

HomeSeer provides access for one user to one HS3 server with limited bandwidth for free.  This is included with the HS3 license purchase.  There is an annual fee for increased bandwidth and multiple users/systems through the MyHS service.  

With the ISY there is the ISY Portal which has an annual fee that is not very expensive.  The ISY does not have a web based GUI like HS3 but a more simplified control GUI.  I've heard this may change in the future but the current administrative interface is the Java Admin Console.  There are several 3rd party mobile apps that are available and many use.  Since they are 3rd party they do have a cost associated with them the same as how plugins for HS3 are developed by 3rd parties and there is a fee.

The ISY is a great controller and can be paired with HS3 as well with the ISYInsteon plugin.  So if remote access is the critical concern you can still utilize HS3 remote access simply to control your ISY devices

 

[NJBILLT]

1 minute ago, simplextech said:

HomeSeer provides access for one user to one HS3 server with limited bandwidth for free.  This is included with the HS3 license purchase.  There is an annual fee for increased bandwidth and multiple users/systems through the MyHS service.  

 

I am not using HS3 for one, I'm still on HS2 but I find it hard to believe they took away access direct thru my IP.  That's what I'm asking about.  I don't pay anything to HS nor do I use their bandwidth.  I connect directly to my IP

[simplextech]

4 minutes ago, NJBILLT said:

  I connect directly to my IP

So you are doing port forwarding through your own firewall.  That is still possible with HS3 and with ISY.  I personally don't advise it with any system.

[NJBILLT]

1 minute ago, simplextech said:

So you are doing port forwarding through your own firewall.  That is still possible with HS3 and with ISY.  I personally don't advise it with any system.

If you don't recommend it then you're as much as saying their server is not secure even with a PW.  If it's not secure with a PW then it's not secure at all.  

[simplextech]

Just now, NJBILLT said:

If you don't recommend it then you're as much as saying their server is not secure even with a PW.  If it's not secure with a PW then it's not secure at all.  

I don't recommend "port forwarding" of internal systems in general from consumer routers.  The HS3 method uses the MyHS service not port forwarding.  The ISY uses the ISY Portal method.  However with any system you are still free to do port forwarding if you choose.

[paulbates]

FWIW, I migrated to the ISY for similar reasons. It turned out to be less work for me to migrate from hs2 to the ISY from hs2 to hs3.

The ISY thinks differently.. there’s pluses and minuses. This is only one of a list of things to consider.

Paul

[NJBILLT]

Thank you Paul.  Your answer is what I was looking for.  I'm not expecting an elegant interface, and it sounds like I'll be able to do at least what I can with HS2 remotely.  I plan on switching soon.  I'm sure you realize since I didn't upgrade to HS3, I have so much vested in it, it wasn't worth it as I'm not happy with HS anyway.  Been using it since version 1.5 BTW.  The only thing I may lose is interaction with my RS485 serial thermostats, but they're old tech anyway.  Thanks again for the reply.  I'm not afraid to open a port on my router for free access once in a while when I'm on vacation or traveling.  

[paulbates]

Glad I could help. I had 2 different RCS x10 stats that I had to replace ?

check things out and if you decide to migrate, do a little at a time, room/function as opposed to Big Bang, as the isy has its own way of thinking. But once I got it down, functions are implemented relatively quickly.

Paul

[MWareman]

If it's not secure with a PW then it's not secure at all.  

 

It’s not as black and white as that. It’s as secure as your username/password is.

 

Use a strong, high entropy password and it’s very secure and safe to expose. Most don’t want to do that (prefer the convenience of a shorter or easier to remember password) and against this no system is secure.

 

Use the same password as any other password you ever used on other sites, then it’s possibly compromised if that other site gets compromised.

 

The other element to consider - exposing directly allows remote users to try to access the device. Without authentication it will fail - but all those attempts show up in the error log.

 

 

[lilyoyo1]

57 minutes ago, NJBILLT said:

Do I understand that in order to access my home from outside my home I need to pay a fee?  Or buy an app?  I am currently using Homeseer and wanting to make a change, but this is a deal breaker if true.  There's no reason this can't have dynamic web pages served right from the box like HS.  

When it comes to the ISY, you don't have to pay for any service that they provide. The system.itslef is open enough that anything they have a subscription for can be done on by yourself for free.. With that said, it is on you to set up your system on your own for outside access. 

Personally, UDI's portal price is extremely low that it's worth the cost vs the hassle of port forwarding

[apostolakisl]

The portal, at least last I checked is like $12/year.  So it is hard to not buy that considering how nicely it gives you access to your ISY without opening any ports.  Alternatively, should you want to keep ports closed but have remote access and not use the portal, you can set up a vpn router.  I have done both.  The portal has many other advantages as well, particularly the integration with amazon alexa and google home.  Ubiquiti sells a really nice router (usg) that makes vpn a snap for $129 (b and h).

[larryllix]

I am not one to subscribe to ongoing payment for anything but the small price of the ISY Portal has been well worth it. It does so much for me and avoid the port forwarding complexity.

I had a router supplied freebie DDNS  service quit on me when I was away for a month, and there was nothing I could do about it. With ISY Portal it isn't needed anymore.

[NJBILLT]

22 hours ago, larryllix said:

I am not one to subscribe to ongoing payment for anything but the small price of the ISY Portal has been well worth it. It does so much for me and avoid the port forwarding complexity.

I had a router supplied freebie DDNS  service quit on me when I was away for a month, and there was nothing I could do about it. With ISY Portal it isn't needed anymore.

Thanks.  I just ordered a ISY994i and a 2413S.  I'll decide later about remote access, but I have a free DNS service too from my Asus router, and it's been bulletproof for 3 years, and I use it regularly with my security cams and Homeseer.  I do appreciate the help here for this newbie to ISY.  Been running Homeseer since version 1.5.  I think the transition will be easy.  Thanks again.  

[larryllix]

5 hours ago, NJBILLT said:

Thanks.  I just ordered a ISY994i and a 2413S.  I'll decide later about remote access, but I have a free DNS service too from my Asus router, and it's been bulletproof for 3 years, and I use it regularly with my security cams and Homeseer.  I do appreciate the help here for this newbie to ISY.  Been running Homeseer since version 1.5.  I think the transition will be easy.  Thanks again.  

Asus. That will be the one. Mine worked for about two years and then they sent some notice about subscription and I couldn't respond. I figured it would wait a few weeks but they didn't.

DDNS just opens up your network to somebody else that you are supposed to trust.

After that I wrote a simple python program that stuffs four ISY variables with my ISP IP provided IP address and ISY notifies me each day of vacation, or if the IP ever changes,  what the latest IP address is. Now I use ISY Portal. It isn't a fancy GUI but it gives me access to every ISY element I have. I prefer HA but remote control is needed occasionally.

[simplextech]

4 hours ago, Liam said:

What options do you use for yourself and for what purpose?

With HomeSeer I use their MyHS service.  It works well enough and is as secure as your password is for standard remote access.  I use tokens for app/script based access for plugins so I don't have id/password floating around in scripts or on 3rd party systems.

With my ISY units I use the ISY Portal service.  This works very nicely for me.  It allows the same secure remote access to my system for status/control when I'm remote and they provide tokens for third party integrations as well.

With all of the options for network equipment and built in VPN functionality I can VPN directly from my phone so I find limited reason to use port forwarding except for poking the hole for the VPN.

[apostolakisl]

16 hours ago, NJBILLT said:

Thanks.  I just ordered a ISY994i and a 2413S.  I'll decide later about remote access, but I have a free DNS service too from my Asus router, and it's been bulletproof for 3 years, and I use it regularly with my security cams and Homeseer.  I do appreciate the help here for this newbie to ISY.  Been running Homeseer since version 1.5.  I think the transition will be easy.  Thanks again.  

You should consider getting away from opening all those ports for your cameras and whatnot.  DDNS is nice, especially if your ISP changes up your IP, and it easier to remember than some random set of numbers.  However, using DDNS or just your plain ip address to connect to your home requires opening ports.   The more devices you have open to the internet via open ports, the more avenues of attack you open.  If one of those devices has a security flaw, then someone could potentially crack open your whole network.  This has happened with some popular IP cams in the past.  The portal eliminates opening ports by maintaining a tunnel between your ISY and UD's server.  This tunnel is initiated from your ISY, so there is no open port.  When you want to access your ISY, you go to UD's server and open another tunnel between you and them (you log in via https).  The session is then linked between your home and you through UD's server, all secure tunnels, no open ports.

Alternatively, you can get a vpn router for your home and make a single connection to your router which then opens you whole network to you, again, with no open ports aside from the VPN port which the router manages (UDP 500 is the only open port detected from outside my network using Ubiquiti USG).  This is going to be the only way to view your IP cameras without opening ports for all of them.  Nobody does portals for video feeds, presumably because of the high bandwidth.  I suppose you could live stream to youtube, which in essence is a video portal of sorts.  But I don't think youtube just lets you live stream forever, but I could be wrong.

[NJBILLT]

I'll probably subscribe but it's important to note that even with my HS, I only open the port when I go on vacation and might need remote access to check on things.  I automate, not remotely control.  I rarely touch a light switch at home, why would I want to from afar?  Anyway, I see log-in attempts in the HS log all the time from Chinese and Russian IP addresses.  They always fail.  

[NJBILLT]

On 7/1/2019 at 5:40 PM, MWareman said:

 

It’s not as black and white as that. It’s as secure as your username/password is.Use a strong, high entropy password and it’s very secure and safe to expose. Most don’t want to do that (prefer the convenience of a shorter or easier to remember password) and against this no system is secure.Use the same password as any other password you ever used on other sites, then it’s possibly compromised if that other site gets compromised.The other element to consider - exposing directly allows remote users to try to access the device. Without authentication it will fail - but all those attempts show up in the error log.

 

 

Same as Homeseer then, and yes I do use strong UN/PW and yes, attempts do show up in the log once in a while.  But Homeseer also has IP hack blocking.   I've always felt secure with it, even seeing attempts, I know they're just trying a brute force attack by the UN/PW combos they try.  Usually from Chinese or Russian IPs by the way. 

 

Enable IP Hack Blocking:				YesNo	Time to block triggered IP addresses (minutes):
Invalid access 'hits' before block imposed:					Time between 'hits' to count toward block being imposed (seconds):

[mwester]

There are many ways to attack a system, and username/password is only one means of doing so.

I am sure I am about to enrage some of the forum members here, but I mean no disrespect to UDI -- merely stating the truth, and that is that it is not known how the ISY's protocol stack will stand up to attacks compared to (for example) the Windows or Linux stacks.  The latter two have been heavily tested by many researchers, with numerous tools ranging from static code analysis through protocol fuzzing.  And, we're *STILL* finding bugs and issues in those stacks.  My point is that it seem probable that there are unknown issues in whatever code is running in the ISY, and for that reason, fronting the ISY with something like the UDI Portal makes a lot of sense - far, far more sense than opening up whatever that protocol stack is to the internet.

So, while we're on the topic, one of the other reasons I'm looking forward to the Polisy (gah, that spelling makes me crazy!) is that it'll be running a codebase that while not as common as Windows or Linux, is still known to be one of the best and most robust network stacks out there.  I'd be willing to expose a Polisy port to the internet - but given the lack of knowledge out there about the code running on the ISY, I'd never expose an ISY port to the internet.

Again, it's not about password or user ids... there are MANY other ways to attack a remote system.