External access to the EIBPORT (access via the internet)

There are different options enabling external access to the EIBPORT.

• Access via VPN solutions

• Access via port forwarding

Important note: From a security point of view, a VPN should always be preferred over simple port forwarding.

Dynamic DNS and changing IP addresses

If your internet provider has not assigned you a fixed IP address, you should set up a so-called dynamic DNS service for access. Your constantly changing IP address thus gets a fixed domain name enabling you to always access your router from outside without knowing the actual IP address. The choice of the "DynDNS" provider depends on the router manufacturer. Many routers support one or several providers and report a new IP address to the responsible DynDNS provider.

Access via port forwarding

Important note: For security reasons, external access to the gateway should not take place via port forwarding in the router.
Instead, it is recommended to use secure remote access via VPN or a certified remote service (e.g. HOOC or other VPN solutions) to ensure IT security.

To access the EIBPORT from outside via port forwarding, the following port numbers must be used:

For CONTROL L / CUBEVISION only:

For configuration (Editor / System) and Java Visualisation:

For ETS (KNXnet/IP tunnelling):

Important Security Notice:

For security reasons, port 3671 (KNXnet/IP) must never be exposed to the internet via port forwarding.

Unprotected access to this port poses serious security risks and may allow unauthorized access to your KNX installation. Always use secure VPN connections or dedicated remote access services for external access.

Please note that the port numbers can be re-set in EIBPORT. Verify the settings under "System" > "Configuration" > "Extended EIB (yabus) settings". Also see chapter “Advance (yabus) Settings”.

Specifically, this means that, on the configured port, all requests to your router will be forwarded directly to the same port of the EIBPORT (they will be forwarded and not redirected). The specific port forwarding settings depend on the router used.

Note: Please make sure that the standard gateway address entered in the network settings is correct.

Access via VPN (virtual private network)

VPN stands for "Virtual Private Network" and means a specially secured connection between server and client. A virtual, individual (private) network is established between the communication partners which cannot be accessed by third parties. Server and client use this network to communicate in such a way as if they were in the same network. From a security point of view, a VPN should always be preferred over simple port forwarding.

HOOC – Plug & Play VPN solution in the EIBPORT

The integrated VPN solution eliminates the need to purchase and install costly additional hardware. The HOOC CONNECT E Gateway in the EIBPORT V3 connects to the HOOC Cloud via an encrypted and secured VPN connection. It forms the heart of the HOOC VPN solution and offers a comprehensive user administration as well as many additional features such as a KNX bus monitor or alarm messages with push function.

The EIBPORT HOOC Gateway Manager Configuration menu is located on the EIBPORT web interface under the SYSTEM/REMOTE ACCESS menu.

Further instructions on setting up, configuring and using the Plug & Play VPN solution can be found in the separate document: "EIBPORT-Documentation-HOOC".

More information at https://bab-technologie.com/hooc/?lang=en

VPN solutions in the EIBPORT

EIBPORT offers two different VPN solutions: "VPN PPTP" and "VPN SSL".

VPN PPTP (see chapter VPN SSL)

• Automatic configuration on client side

• Solution for iOS devices

• Server functionality only

• No longer meets current security standards.

VPN SSL (see chapter VPN SSL)

• Based on OpenVPN

• Server and client functionality (BAB SECURELINK)

• Very secure

• Not possible with iOS

To be able to establish the VPN connection, port forwarding in the local firewall is required as well.

The relevant chapters (VPN SSL and VPN SSL) describe how to establish the connection.

VPN using the router

Many modern routers offer the possibility to set up a VPN access. In this way, you have external access to your entire local network including the EIBPORT.