14

I understand how a router uses NAT/NAPT to enable a client on my home network to request a packet from an external server, and hence how the router knows to which client to send the packet that is returned by the external server.

But if I open the app on my phone (when away from home), how does it make a connection to the aircon controller on my home network (and what stops anything out there on the internet making connection with my aircon controller - or in fact any other device on my home network)?

3
  • Frank, I may misunderstand but that has nothing to do with "tunneling". Both devices are just using (almost certainly) aws or pubnub to independently connect to the internet. Say you and I (happened to be in) the same house, and you sent me a "tweet" on twitter or a message on line/etc. "How did the two phones do that" - it has nothing at all to do with punchthrough.
    – Fattie
    Commented Jul 27, 2023 at 11:44
  • 1
    @Fattie, I'm afraid your definition of tunneling is too rigid to be accurate for all situations/uses. Tunneling can be used to describe a connection through which other connections flow (like VPN, SSH, which is what I believe you are thinking of), but TCP connections are a tunnel for data the apps want to send/receive, and it is also used to describe passing traffic through a firewall or NAT wall that would not be accepted otherwise. Analogous to digging a tunnel under a castle's walls to get in when the gate is closed. This is an RA scenario, so not really like tweeting at all. Commented Jul 27, 2023 at 18:23
  • Frank - I may misunderstand you but twitter precisely "tunnels", in your definition or broad description of "tunneling".
    – Fattie
    Commented Jul 28, 2023 at 0:16

2 Answers

27

Many smart home devices make their own outgoing connection to a server run by the vendor, and the vendor's smartphone app also logs into your account on the vendor's server, and the server takes care of relaying communications between the app's connection to the server and the pre-established connection from the smart home device to the server.

The authentication the app does to log you into the server is what hopefully keeps just anyone from being able to connect to your smart home device.

Protocols do exist to allow devices such as smart home devices to tell their network's NA[P]T gateway to open a port mapping (port forwarding rule) to let connections come in from the public Internet to that device. The Port Control Protocol, its predecessor the NAT Port Mapping Protocol (NAT-PMP) and certain provisions of the Universal Plug and Play "Internet Gateway Device" profile (UPnP IGD) are a few examples. However, devices can't rely on every NAT gateway to support this, so smart home device vendors always have to set up some kind of publicly-reachable server to do what I previously described, in order to build a reliable product.

7
  • Yeah, for years I had a gateway that wouldn't do UPnP, so I had to be careful which devices I chose, to work around it.
    – Tetsujin
    Commented Jul 26, 2023 at 10:25
  • When I use the smartphone app via 4G connection, it takes up to about a minute for the a/c to get the update, so my guess is that it's polling some remote server instead of maintaining a connection and getting push updates. My wired PC is also subject to this delay when using the web-based portal, including when on the same LAN as the a/c. But somehow it works instantaneously when I use the smartphone app on the local WiFi, I wonder how that works...? Commented Jul 26, 2023 at 21:11
  • 1
    @JeremyHunt it could be that the App is using a secondary local channel to communicate with the appliance (like Bluetooth or Wifi-Direct) when the appliance is close enough and uses the server as a fallback.
    – Falco
    Commented Jul 27, 2023 at 8:32
  • 1
    "to a server run by the vendor" that would be like saying "When you email Fattie, your email connects to an email server run by Fattie". In maybe 1990? that would be a reasonable description :)
    – Fattie
    Commented Jul 27, 2023 at 11:46
  • 1
    Falco - there's all but no chance of that. As in my example above, the OP here is the same as asking ... Say you and I (happened to be in) the same house, and you sent me a "tweet" on twitter or a message on line/etc. "How did the two phones do that?"
    – Fattie
    Commented Jul 27, 2023 at 11:47
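The answer's third paragraph describes devices asking the gateway for a port mapping and vendors falling back to a relay when that isn't available. As an added example (not code from the answer's author or from any vendor), here is what a NAT-PMP mapping request and reply look like on the wire, with the byte layout taken from RFC 6886, plus a hypothetical `choose_path` helper that makes the "direct if the gateway opened a port, otherwise relay" decision. The two reply samples are constructed, not captured from a real gateway.

```python
import struct

NATPMP_PORT = 5351  # UDP port a NAT-PMP gateway listens on (RFC 6886); unused offline
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESULT_CODES = {
    0: "success", 1: "unsupported version", 2: "not authorized / refused",
    3: "network failure", 4: "out of resources", 5: "unsupported opcode",
}

def build_map_request(opcode, internal_port, suggested_external_port=0, lifetime=3600):
    """12-byte NAT-PMP mapping request: version 0, opcode, two reserved bytes, the
    device's internal port, the external port it would like, and the requested lifetime
    in seconds (a lifetime of 0 asks the gateway to delete the mapping)."""
    if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("opcode must be 1 (UDP) or 2 (TCP)")
    return struct.pack("!BBHHHI", 0, opcode, 0, internal_port, suggested_external_port, lifetime)

def parse_map_response(data):
    """Parse the 16-byte reply: version, opcode + 128, result code, gateway uptime,
    internal port, the external port actually mapped, and the granted lifetime."""
    if len(data) != 16:
        raise ValueError(f"expected 16 bytes, got {len(data)}")
    version, opcode, result, uptime, internal, external, lifetime = struct.unpack("!BBHIHHI", data)
    if version != 0 or opcode not in (128 + OP_MAP_UDP, 128 + OP_MAP_TCP):
        raise ValueError("not a NAT-PMP mapping response")
    return {
        "protocol": "tcp" if opcode == 128 + OP_MAP_TCP else "udp",
        "result_code": result,
        "result": RESULT_CODES.get(result, f"unknown ({result})"),
        "gateway_uptime": uptime,
        "internal_port": internal,
        "external_port": external,
        "lifetime": lifetime,
    }

def mapping_opened(response):
    """True only if the gateway confirmed a live inbound mapping."""
    return response["result_code"] == 0 and response["lifetime"] > 0

def choose_path(raw_response):
    """Hypothetical firmware decision: raw_response is the gateway's reply bytes, or None
    when no reply arrived (gateway without NAT-PMP). Returns ("direct", mapping) when an
    inbound port is now open, otherwise ("relay", None) meaning 'use the vendor server'."""
    if raw_response is None:
        return "relay", None
    try:
        resp = parse_map_response(raw_response)
    except ValueError:
        return "relay", None
    return ("direct", resp) if mapping_opened(resp) else ("relay", None)

# Constructed sample: a gateway up for 123456 s grants TCP 8080 -> external 40001 for an hour.
SAMPLE_OK = struct.pack("!BBHIHHI", 0, 128 + OP_MAP_TCP, 0, 123456, 8080, 40001, 3600)
# Constructed sample: the same request refused by a gateway with port mapping disabled.
SAMPLE_REFUSED = struct.pack("!BBHIHHI", 0, 128 + OP_MAP_TCP, 2, 123456, 8080, 0, 0)

if __name__ == "__main__":
    print(build_map_request(OP_MAP_TCP, 8080).hex(" "))
    print(choose_path(SAMPLE_OK))
    print(choose_path(SAMPLE_REFUSED))
    print(choose_path(None))
```

The request carries no credentials at all, which is the security-relevant point: any host on the LAN can ask the gateway to expose a port. If you would rather no device could open inbound ports this way, NAT-PMP and UPnP IGD can be switched off on most gateways, after which such devices end up on the "relay" branch above and only ever make outbound connections.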

10

Without going into technical detail - which a) I'm not very good at & b) is likely to be different depending on app & IOT device…

Both connect to a 'central server' out there on the interwebz, which relays your commands & the device's responses. Each connection is outbound, so your firewall or NAT doesn't get in the way & NAT enables the responses to be directed to the correct device inside your building.

This is very similar to how things such as TeamViewer work. You don't have to try to punch your way into the device through a router, it helpfully contacts somewhere outside that everyone can reach.

Communications are, of course, encrypted so random bad actors can't just join in.

3
  • 9
    "of course encrypted" is an overstatement. It may or may not be encrypted.
    – fraxinus
    Commented Jul 27, 2023 at 13:55
  • IDK about TeamViewer specifically but a lot of remote admin tools like that do try to achieve TCP and/or UDP hole-punching before relying on a vendor server to relay all the traffic. A vendor server is still required to facilitate hole-punching in the first place but then it doesn't have the burden of handling all of that video traffic to relay when the session is in progress. That said for IOT where bandwidth is lower and "session" is less well defined hole-punching is probably not that useful.
    – Rodney
    Commented Jul 28, 2023 at 10:02
  • 1
    "Of course encrypted"... coughankercough Commented Jul 28, 2023 at 11:51
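Both answers describe the same pattern: the appliance and the phone each make an outbound connection to the vendor's server, which relays between them, and the app's login is what keeps other Internet clients out. Here is that exchange as an added runnable model (not code from either answer's author or from any vendor). It runs all three parties on loopback; the device secret, the app token and the JSON message format are all assumptions invented for the demo.

```python
import json, socket, threading
# Constructed demo credentials (not any real vendor's): the device's enrolment secret,
# and the token the app holds after logging into the user's account on the server.
DEVICES = {"aircon-001": "device-secret-abc"}
APP_TOKENS = {"token-for-jeremy": "aircon-001"}

def send_msg(sock, obj):
    """Length-prefixed JSON framing so each side always reads whole messages."""
    data = json.dumps(obj).encode()
    sock.sendall(len(data).to_bytes(4, "big") + data)

def _read(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None  # peer closed the connection
        buf += chunk
    return buf

def recv_msg(sock):
    header = _read(sock, 4)
    body = _read(sock, int.from_bytes(header, "big")) if header else None
    return None if body is None else json.loads(body)

class RelayServer:
    """The vendor's public server: never connects in to anyone, only accepts outbound
    connections from devices and apps and joins them up."""
    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # loopback stands in for the public Internet
        self.sock.listen()
        self.port = self.sock.getsockname()[1]
        self.devices = {}  # device id -> its long-lived outbound connection
        self.lock = threading.Lock()
        threading.Thread(target=self._accept, daemon=True).start()

    def _accept(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        hello = recv_msg(conn) or {}
        if hello.get("role") == "device":
            if DEVICES.get(hello.get("id")) != hello.get("secret"):
                send_msg(conn, {"status": "refused"})
                return conn.close()
            with self.lock:
                self.devices[hello["id"]] = conn  # stays open; commands are pushed down it
            return send_msg(conn, {"status": "registered"})
        # Everything else is an app login; this token check is all that stands between
        # an arbitrary Internet client and the appliance.
        with conn:
            dev = APP_TOKENS.get(hello.get("token"))
            if dev is None:
                return send_msg(conn, {"status": "unauthorized"})
            with self.lock:  # one command at a time on each device link
                dsock = self.devices.get(dev)
                if dsock is None:
                    return send_msg(conn, {"status": "device offline"})
                send_msg(dsock, hello.get("command", {}))
                reply = recv_msg(dsock)
            send_msg(conn, {"status": "ok", "reply": reply})

    def close(self):
        self.sock.close()
        for dsock in self.devices.values():
            dsock.shutdown(socket.SHUT_RDWR)  # wakes the device's blocked recv with EOF
            dsock.close()

def run_device(server_port, device_id, secret, state, ready):
    """The appliance: one outbound connection, then it just answers relayed commands."""
    s = socket.create_connection(("127.0.0.1", server_port))
    send_msg(s, {"role": "device", "id": device_id, "secret": secret})
    if (recv_msg(s) or {}).get("status") != "registered":
        return s.close()
    ready.set()
    while (cmd := recv_msg(s)) is not None:
        state.update(cmd)  # apply the relayed settings, then report the new state
        send_msg(s, {"device": device_id, "state": dict(state)})
    s.close()

def app_command(server_port, token, command):
    """The phone app (e.g. on 4G): its own outbound connection to the vendor server."""
    with socket.create_connection(("127.0.0.1", server_port)) as s:
        send_msg(s, {"role": "app", "token": token, "command": command})
        return recv_msg(s)

def run_demo():
    server = RelayServer()
    state, ready = {"temp": 24}, threading.Event()
    threading.Thread(target=run_device, daemon=True,
                     args=(server.port, "aircon-001", DEVICES["aircon-001"], state, ready)).start()
    ready.wait(5)
    good = app_command(server.port, "token-for-jeremy", {"temp": 21})
    bad = app_command(server.port, "guessed-token", {"temp": 35})
    server.close()
    return good, bad, state["temp"]
```

Run `run_demo()` and the authorised command reaches the appliance (its temperature becomes 21) while the guessed token is rejected without the server ever touching the device link. Note what the home NAT sees: only the device's single outbound connection, so nothing inbound is needed and nothing inbound is possible; the strength of the token check on the server (and, as the comments note, whether the links are actually encrypted) is what the user is trusting the vendor with.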
