Remote Access into Heating Control

Our village hall has got to the commissioning stage of their new heating control.
I received a query from one of the engineers today regarding the hall's internet.
We have a BT Business ADSL service with a Business Smart Hub and a static IP address.
The engineer from his office cannot ping the BT hub and nor can I from home. Looking on-line it seems that BT have not enabled ping and there does not seem to be a way to enable? However, my concern is not whether the hub is "pingable", but whether there will be problems trying to set up the remote access.

Thinking about it, there must be many, many BT residential customers who use a Hive or similar central heating thermostat with remote access. However I believe Hive works via a central system, in a similar many to virtual meeting software.

To put it another way, if you wanted, from a smart phone to access your pc, what would you need to do on a BT Hub?

Thanks.

Cheers!

NOTHING !


Previously I have had various BT Business Smart Hubs - on FTTC and then on FTTP always with static IP. They are fine without any additional set up - TBBs BQM works fine, my alarm is fully accessible and controlable, lights, and my network gateway.

Have you tried running BQM to see what happens there? Both IP4 and IP6.

As MHC as said nothing.

All the things you have mentioned apart from being able to ping the router connect out to a server to establish whatever remote access is needed.

Thanks
Dan

As said many, if not most mainstream “home automation” apps and devices are designed out of box to not require any user (re)configuration of their network for normal operation and remote access.

This is because they are designed as “cloud aware” infrastructure from the outset - they typically create their own seamless secure tunnels for comms back to their remote servers and for your remote access, usually overcoming network obstacles and obstructions like for example of your were using wireless 3G/4G/5G broadband then the carrier grade NAT malarkey that comes with that territory.

Therefore, as said, there should be nothing you need to specifically change for this to work . Although I don’t run Hive for CH and HW - I use Nest (historically) and now a mix of Tado and Viesmann ViCare, all of them work in the same seamless manner.

Remote access to your own network and devices including laptops and PCs is an altogether different affair, but I won’t confuse matters more by delving onto that now! 😀

I see a number of people have said there is nothing to do but I don't think you actually said what heating control system it is. If it connects to a central service then the others are likely correct. If the heating control is on the local network and requires remote devices to connect to it directly then it would need appropriate port forwarding to be configured on the router.

Believe it’s Hive as noted in Mariners opening post. I recall he’s posted about the same topic in the past.

I’m not a hive user, but it is known to work with 4G based broadband solutions, so will have no issues with regular DSL or FTTC based connections either. No need for any fixed IP or any port forwarding etc for remote access.

They just work (as long as the internet connection is OK)

Edited by Pheasant (Tue 15-Jun-21 17:54:39)

It wasn't clear from the OP as Hive was being used as an example but using it as an example may mean it is the system in use.

I know our system at work (somewhat larger sites) is a proprietary building management system that is on the internal network and does not talk to any external cloud services.

In reply to a post by ian72:

It wasn't clear from the OP as Hive was being used as an example but using it as an example may mean it is the system in use.

I know our system at work (somewhat larger sites) is a proprietary building management system that is on the internal network and does not talk to any external cloud services.

There will doubtless be special ‘gateways’ and similar that the commercial systems will use to justify additional system cost for remote monitoring or cloud operation dare I say.

Mass market / resi / consumer grade systems have been tending towards having this capability rolled into the base product now for quite a few years. I know my old Nest system was doing this back in 2013 so yeah quite a while.

Hi Ian
Looking at my OP I can see that I did not make it very clear what the hall has.
It is a Building Management System based on a Siemens PXC4 Controller and a PXM30 Display.

It resides on the halls network connected to a port on the BT Hub. besides the PXM30 display, it can also be controlled by the Office PC.

The aim is for "trusted" users to have external access such as myself and the Manager.

In this respect, the BT Hub is not user friendly. From Google the Hub cannot be set for pinging and surprisingly(?) ThinkBroadband's BQM has the BT Home Hub& Smart Hub as being unsupported.

I am guessing/assuming that the ability to accept and reply to a Ping Request is not in itself a requirement (I hope not) in order for an external device to be able to access the Siemens kit. At least I have a static IP address, so I hope that this will enable me to have access from home. Not so sure about our manager, since she may rely on a smart phone...

When I was thinking about Hive etc (I don't have one or similar) I had not initially realised that you communicate through a "central office" I had been wondering since a friend of mind has either Hive or Nest and is with BT Internet.

Initially the system provider just needed a static IP address, which we have, so any pointers as to suggestions in our case would be appreciated.

Cheers!

To be blunt, the provider should be telling you exactly what they need fit internet connectivity and especially for remote access.

Unless you happen across a Siemens PXC4 bms guru in the wild here, we’ll all be stabbing in the dark somewhat.

For example they may simply use their own cloud connectivity, as explained above - in which case nothing really for you to do, other than provide a working internet connection.

Otherwise if they’re doing it the traditional / old fashioned way, you may need to open ports on the firewall in the SH and redirect traffic to either the Siemens controller or the host PC you mentioned. In which case any remote access would be via the static IP address of the BT connection. Or actually a remote VPN in this situation would be a more preferable, secure method of remote access - but I digress - see opening statement above about network requirements from the heating bms installer.

Edited by Pheasant (Tue 15-Jun-21 22:42:28)

What I am looking for by way of "pointers" is by what means to owners of say, CCTV systems where they can access the recorder remotely to see what has been going on. The one I have (although not used as such remotely) allows access direct and not via a central office etc. Obviously where the recorder is on a local network connected to a BT Business HUB.

Cheers!

Clive, as a wider more general question, than specifically remote access for heating controls…the answer, as with alot of things, is it really depends!

If you’re looking at “general” means of secure remote access, say for all devices on a network, as if you were locally connected, then the answer is to use a VPN client on the device your using to access and run a VPN server on the local network (as you can do with your Draytek)

If on the other hand it is specific accesss to certain ‘appliances’ that perhaps have their own apps for local and remote access, that requires nothing more than straightforward internet access and letting the devices securely connect to their “cloud” and you connect to the same cloud. I think this is what you mean when you say ‘central office’. To you it is seamless and there is nothing to configure or run, just open the specific app and it figures out how to connect. It’s really the default way of things now.

Personally I use both methods. I have probably 30 or 35 apps for ‘home systems’ access and control. All but one (Rako) will allow remote connection/control using their own cloud connection capability. Most things that plug into a power socket (and plenty that don’t) these days are ‘internet of things’ enabled out of the box.

This is a BQM graph from a BT Business Smart hub - literally out of the box. I have used many BT Smart Hubs on FTTC and FTTP and have never had to configure any of them - probably 10 or more in the past 12 months.

My Broadband Ping


I don't know what te Smart hub is listed as incompatible as both business and residential both work.

The BT Smart Hub 2 (latest iteration for home use) does not have any option to turn on the ICMP response and so cannot be configured with a BQM. The only way you could do it would be to have an internal device and port forward the pings to it so that the internal device does the ICMP response.

It is as I suspected then and not the consumer offerings that were being discussed.

This sounds similar to what we use. I suspect the "server" runs internally on the network and so you would need the details from Siemens (or the installers) as to what ports it requires and then forward those on the router to the IP address of the system controller/server. It may be as simple as requiring port 443 forwarded but it also could be much more complex.

I don't know anything about the Siemens system but a quick google suggests you might need the "Desigo Control Point" management station to allow IP access. There is a manual for this here which section 2.6 has information about enabling secure HTTP connection. With this configured it should be possible to use router port forwarding to allow it in - however, this depends on how trusted the device might be as if the firmware is poor from a security perspective it could end up being a route into the network from outside in which case a VPN would be the more secure option. Of course you should also ensure any passwords (especially admin) are changed from the default.

Your installer should really be able to advise on all of this.

It is Business Hub and they are not the SH2 variant.

An update!

Well, the heating controller engineer attended and despite what I had read about BT's Hub, found a menu which enabled the router to be pinged. In fact I have just pinged it from home. So please accept my apologies MHC for my doubts.


The router is described as a BT BHub6-C7M8 Note that this is on ADSL, not FTTC

The controller is a Siemens. He opened up the Router's Firewall and from home I can access the Siemens log-in screen via the above Router. Problem is keying in the same username and password which I use when using a PC connected to the BT BHub6 where all works well and I get a msg that the User Name and/or Password are incorrect.

The controller eng left scratching his head.

So thinking whether there is something that the BHub6 does not like etc, it may be worth trying another router. ISTR reading that with BT BB you don't need a username/password as you do with other ISPs, do I leave those fields blank or do I need to input something else?

Also any ideas re the Firewall? Could it be as simple as it wanting to know the IP address of authorised users (such as myself) in advance?

Many thanks.

Cheers!

You do need a user name however it can be the the "default" for a business hub which is [email protected] and pwd zer0touch

Firewall - try creating a rule that allow your home static IP through.


However, if you can see the login screen already then there must be some "corruption" of what you are inputting. Not necessarily a mistake on your part but a real oddity.

Can you change te Siemens logon to sometghing quite simple? ABCabc and 987xyz as pwd, savve in your PCs browser then immediately go home and try again calling up the "saved ID".

The login screen might be the remote administration login for the router. The router may well default to this on the standard 80/443 ports. If that is the case then it either needs a different port to be forwarded or for the remote administration to be disabled to allow those ports to be used.

In reply to a post by ian72:

The login screen might be the remote administration login for the router. The router may well default to this on the standard 80/443 ports. If that is the case then it either needs a different port to be forwarded or for the remote administration to be disabled to allow those ports to be used.

This!

Even if this is not the problem; it is still good administrative practice and ‘hygiene’, when accessing other system portals via remote access to NOT use the default ports on the external side of the port forward rule, to avoid any other possible “clashes” as your effectively accessing them via the same (external) IP address. It also helps slightly with network security, as default ports are usually the first ones port scanned. Randomise and put them way high up in the port numbering.

I don't have access (as yet) to change the Siemens login/PW but the login/PW I am attempting to use is the same as I have written down, so unlikely to my keying error.

The Siemens unit is simply plugged into a router network port, the PC there no being part of the system (other that to access the Siemens. Or to put it another way, the PC could be switched off)

We thought we had it working while using a laptop via wifi there, but of course then that did not involve the internet. One option for testing purposes I think is to access via the BT Guest which has a different IP and hope that the route between will be external...

Cheers!

I think I understand what you are saying in the first sentence. (My IT before I retired was more RS232 and proprietary control systems.) My limit seems to be setting up VoIP ATAs. Firewalls are above my paygrade!

I guess that the finer points in the setting up of this system, once found will be very straight forward, but the Siemens documentation is not written for the novice.

Cheers!

It's the router not the Siemen's system. You don't need to change anything on the Siemen's system as that is working correctly.

Do you know the username/password for the router admin pages? I am assuming you do. If so then try entering those on the login page you are getting when accessing externally - my guess is you will then log in to the router interface. If so, then you should be able to turn off the remote administration for the router somewhere in the router options - unless you really need it then this would be good practice any way in order to avoid potential security breaches of the router itself.

Once disabled your port forwarding rules (assuming you set them up for the Siemen's kit) will hopefully start working.

The alternative in the port forwarding rules that are setup for the Siemen's is to change the incoming port to something other than 443. Then you can access the pages using the different port. For example, you could change the port to 8443 and then access it by going to https://myurl:8443 (the :8443 switches it from the default port to the one you are using). This again is better security as standard ports are much more likely to be scanned for vulnerabilities by attackers.

Interesting.

Just to clarify, the Login Screen that I land on from IPaddress:2031 is the same Siemens one as when I log in locally.

In the Siemens manual, they give ports to be opened for remote access as:-

Incoming Connections

TCP / 80 http (general access)
TCP / 443 https (secured access)
UDP / 30000 S1 Discovery
UDP / 30001 S1 Discovery
UDP / 47808 BACnet (changes depending on configuration)
UDP / 47874 BACnet (changes depending on configuration)
UDP / 68 DHCP

Outgoing connections

TCP / 443 Desigo Control Point communicates on a regular basis with skyfoundry.com, current at 208.74.84.249 to check licensing and security.
Note: A connection to skyfoundry.com is not required for Desigo Control Point to operate.

The above is the total info for setting up remote access. The manual being downloadable on the Siemens website.

Quite where the :2031 port comes from I don't know.

I am waiting in for a boiler service, once done will call in and get the username/pw for the BT router.

(I have come across ports before, a network to RS232 device I have, gave a port in its manual, but when speaking with their tech help was advised to ignore it and use another. It worked then! Why the manual PDF had not been edited to correct, I don't know!
Otherwise, I tend to think of ports as either where a ship goes, or nice red stuff in a bottle - which luckily corresponds in colour to the port side of a ship....)

Cheers!

In reply to a post by Ancient_Mariner:

... nice red stuff in a bottle - which luckily corresponds in colour to the port side of a ship....)

Cheers!

What colour is Starboard?

According to Quady it is Red too.

OK, so as you are definitely hitting the Siemens then that blows my theory.

My guess is one of those non-standard ports may be involved in authentication and therefore could be causing the issue. I would also say that with those ports that are required I would guess it was never really designed for Internet based access as if it was they would probably have done everything over HTTPS without the additional ports - do Siemens actually support accessing the software over the Internet?

You certainly shouldn't need the DHCP port opened on the Internet. If Siemens don't provide info on which ports are specifically required for Internet connectivity rather than just internal connectivity then I would say it is not designed to be managed remotely.

EDIT : Just thinking after hitting save. The fact they ask for DHCP incoming is incredibly weird as you would not expect the Siemens device to act as a DHCP server and if it is then it would confuse the hell out of networks as devices could randomly use different DHCP servers which could cause issues. I wouldn't be surprised if they are using the usual DHCP port for a completely different function.

Edited by ian72 (Wed 28-Jul-21 12:04:54)

See page 10 (section 2 overview). That's not the error that your seeing is it?

https://www.downloads.siemens.com/download-center/Do...

The system appears to be intended for external access:
https://www.downloads.siemens.com/download-center/Do...

A bit of Googling also found https://www.youtube.com/watch?v=gga72BRx3Lw entitled "Desigo CC How to access remotely" If it is within, it's well hidden!

But annoyingly they don't have much of a support department. Basically referring to UK installers, which indeed lists the one fitting ours!

One other thing. The IP address that I have used to attempt access is the static IP of the BT router, ie I can ping it without any problem. So, I'm guessing that what "steers" me via my web browser to the Siemens kit, is the :2031 port at the end of the address?

Cheers!

Not quite, but very similar.

What I am getting (from my home pc) in the "red" box is: Wrong user name or password

Going back to day one when access was available through the office pc plugged into the BT router along with the Siemens kit, but access not available through a smartphone on 4G, nor on my pc when I got home, my first thought was whether the office pc was still logged in or not, so I went back and it was not.

As far as I am aware, at home I am using the same User Name and Password as their engineer used (not good practice, I know). Thus I currently should have the same user rights as the installer. Looking at the Siemens' literature, beside remote operation, remote software update etc is possible.

I think it is going to be something as simple as the page you linked to.

Cheers!

I had a look at the BT Router earlier.
Made no changes, but noticed that static IP was set to off. With the suggestion that I could order a static IP from BT. We have a static IP paid for from BT. Although how the router would know this I dont know. Maybe an idea for me to set it to static.

I remember the installer mentioning this, yet the IP is certainly static.

Looking at the Firewall - well out of my comfort zone here, noticed that from the list I posted earlier, all were listed along with 2031

What I need is the 'idiot's guide to port forwarding'. Seems I am not alone since Google just found me this: https://stevessmarthomeguide.com/understanding-port-...

Cheers!

Leave the Static IP setting alone - that is for when you have multiple allocated. If you have the normal single one, it will always be there.

In reply to a post by Ancient_Mariner:

I think it is going to be something as simple as the page you linked to.

The fact that your hitting the login page of the Siemens unit, but are getting a login/password type error suggest you don't have a networking issue.

If your home PC was a laptop it would be a good idea to see if it can connect locally at the village hall.

An update. First rather embarrassingly, found that I had incorrectly written down the password when I was given it! BUT even with the correct password there is one section of the system that neither I nor the installer can get into. Simply put, we can change the zone setpoints, but cannot view or set the on/off times. Sounds crazy.

The installers thoughts based on previous installations is that it is router related; either firewall or port forwarding settings.

Since there is only a single pc on the router and the Siemens controller, have disabled the router's firewall (the pc has Kaspersky set up and in any event currently switched off). This made no difference to access!

So that seems to leave port forwarding or a hidden "feature" somewhere...

Also since I have a spare modem/router at home, a Draytek; am thinking this could also be used for elimination.

Thing is, our BT Business Broadband is an ADSL service and so far have not found the correct settings for a third party router. Plus the fact that BT say their help desk does not support third party routers does not help.

Any ideas much appreciated!

Cheers!

Remind support that you only need the username and password for the account and you are not asking for any support.


The username will be something like [email protected] yes btclick.

Possibly requires one or more off the ports to be opened/forwarded on the firewall from that noted above from Siemens. Possibly.

Personally I’d setup a little VPN from the hall network and securely VPN into that. Bit more work up front. But then again you don’t have to worry about forwarding/opening firewall ports - which lets face it isn’t really kosher, security wise, in the big bad world of 2021. I know it’s ‘only’ the village hall but still….you should see how many “random” attacks I log on our firewalls from all over the globe. It’s nuts.

In reply to a post by Pheasant:

I know it’s ‘only’ the village hall but still….you should see how many “random” attacks I log on our firewalls from all over the globe. It’s nuts.

Seconded the old "internet background radiation" has increased dramatically in the last 5 to 10 years.

In reply to a post by Ancient_Mariner:

…even with the correct password there is one section of the system that neither I nor the installer can get into. Simply put, we can change the zone setpoints, but cannot view or set the on/off times. Sounds crazy.
…
Since there is only a single pc on the router and the Siemens controller, have disabled the router's firewall (the pc has Kaspersky set up and in any event currently switched off). This made no difference to access!
…

Can you check using the Windows Resource Monitor (resmon.exe) the TCP connections and ports that are being listened to on the PC at the village hall whilst it’s communicating with the Siemens controller? You can drill down to the individual running program / process to see what it’s using. Compare output to your own machine doing the same thing remotely.

Also if it’s at all possible, you may wish to take your home PC and connect it directly on the network at the hall, just to make sure there is not something else (other than remote networking / firewall etc) on your machine getting in the way from it working.

Edited by Pheasant (Fri 06-Aug-21 07:21:38)

Thanks for your post.

I have never used resmon.exe so will need to have a play first.

My pc is too awkward to transport to the hall unfortunately. I do have an ancient notebook pc, a Toshiba NB100 running WinXp not used since circa 2014, with a dud cmos battery.... But it booted up ok, but will not access the hall's heating system, although it will ping the hall's router ok. I also tried my Flintshire County Council issued iPad and that too does not like the hall's IP due security. Likewise our Secretaries Win10 pc with Norton AV.

My next move, I think, is to try a different router at the hall.

Cheers!