General question about ESP32

Good day one and all.

I need to write a sketch that will allow me to control a servo and pump situated in my holiday home in France whilst I’m at home in England. I thought the ESP32 would be the right way to go but a couple of YouTube tutorials seem to say that this will only work if the ESP32 is on the same network as the computer used to communicate with it.
Is this the case or have I misunderstood?

Any advice would be most welcome.

If you have the ESP32 run a webserver on the local network and set up your router to allow external access to that network then you can control the ESP32 remotely

I will leave others to give opinions as to whether opening holes in the router firewall is a good idea

The standard method is to use an external IoT service. Both the ESP32 system and the client PC can connect to the service website. The ESP32 sends data to the service and also accepts commands from it. The PC can view the data on dashboards and send commands.

An example free one is the Adafruit iot system.

As @UKHeliBob says, poking holes into your private home network is an option and can work. The question you need to ask yourself is what bad thing can happen if a hacker/robot finds that backdoor?

A more protected way is to have a VPN and establish a tunnel between wherever you are and your home in France.

An alternative is to have your ESP check in a known internet location for commands to execute as @cedarlakeinstruments suggests.

Yes, it's true, but you are the one determining the network to use, NOT the ESP32. Bottom line is use the ESP32, it is already in use doing exactly what you want for many thousands of home owners

you could implement your own TCP/IP protocol
run a TCP or UDP server on the remote ESP32 and transmit commands using your local laptop or smartphone using a TCP or UDP client (Implemented in C++, C#, Java, Python, etc)
the remote ESP32 could transmit status information
you need to open the corresponding TCP or UDP port in the remote firewall - could do this at specified times of the day?

alternatively run a TCP or UDP server on your local machine and have the remote ESP32 connect to it (opening the local firewall)

Personally I would probably do this using MQTT and a publicly available broker

I would do it using HomeKit and let Apple be the middleman

1 Like

I’ve never found a good answer to this. What could it be, besides: the hacker figures out, by trial and error, the HTTP request parameters that control the servo and pump?

I've corrected that for you:

The question you need to ask yourself is what bad thing can happen ~~if~~ when a hacker/robot finds that backdoor?

The danger is not so much the danger of a hacker controlling your pump system, the danger is if they can hack the ESP32 and load their own code onto it, then use it to sniff the data on your local network or as a gateway into whatever else you have on the network. There are various methods suggested above that don't require a port to be forwarded on your router, probably wise to use one. Personally I'd go with a VPN between the two routers.

2 Likes

Automated bots continuously scan the internet for open ports. If the ESP32 firmware has a vulnerability, it could be taken over remotely.

Then the compromised ESP32 is in your LAN and can be used to spy on data, control connected hardware, or act as a foothold to scan and attack other devices on the local network.

2 Likes

I had another idea, if you use a router capable of creating separate VLANs then you could have a VLAN just for the ESP32 and forward a port to it, which would be isolated from everything else on the router.

1 Like

I understand that most basic consumer routers just do a “guest network,” a simple type of VLAN.

If I set up an ESP32 with my router’s guest SSID and password, and “uncheck” the “allow guests to access my local network” (which isolates the bad guys from the rest of my LAN), then I can’t do OTA updates. The only way to do OTA updates is to allow guests access to my local network[*]

Would that also be a problem with routers or switches that do “real” VLANs? E.g., if the computer with the Arduino IDE is on a different VLAN than the ESP32, could they communicate?


[*] Since it doesn’t take long to do an OTA update, I figure the risk of getting hacked during that short lapse in security is low. But I wonder if there is a way to configure the Arduino IDE so that it can access guests…and vice versa, without checking the router’s “allow guests access to my LAN” box. It may be possible to do OTA via web-based interface, without allowing guests to access my LAN…haven’t tried that yet.

PS: also, if an ESP32 or ESP8266 is configured to do OTA updates and is accessible to the world via an open port, ArduinoOTA.setPasswordHash() should be used to prevent an unauthorized easy upload.
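As an added illustration of the setPasswordHash() point (example code written for this thread, not the poster's sketch), here is a minimal ESP32 sketch that enables ArduinoOTA with only the MD5 hash of the OTA password stored on the device; the Wi-Fi credentials, hostname and hash are placeholders.

```arduino
// Added example (not from the original post): ESP32 OTA with a password hash.
// Only the MD5 of the OTA password lives in the sketch; the IDE (espota.py)
// hashes the password you type the same way before sending it.
#include <WiFi.h>
#include <ArduinoOTA.h>

const char* WIFI_SSID = "<your-ssid>";           // placeholder
const char* WIFI_PASS = "<your-wifi-password>";  // placeholder

// Lowercase hex MD5 of the OTA password, e.g. generated on a PC with
//   printf '%s' 'your-ota-password' | md5sum
const char* OTA_PASSWORD_MD5 = "<md5-hex-of-your-ota-password>";  // placeholder

void setup() {
  Serial.begin(115200);
  WiFi.mode(WIFI_STA);
  WiFi.begin(WIFI_SSID, WIFI_PASS);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
  }
  Serial.println(WiFi.localIP());

  ArduinoOTA.setHostname("pump-controller");     // name shown as a network port in the IDE
  ArduinoOTA.setPasswordHash(OTA_PASSWORD_MD5);  // uploads without the password are refused
  ArduinoOTA
    .onStart([]() { Serial.println("OTA start"); })
    .onEnd([]() { Serial.println("\nOTA done"); })
    .onError([](ota_error_t error) {
      // A rejected (unauthenticated) upload attempt shows up here.
      if (error == OTA_AUTH_ERROR) {
        Serial.println("OTA: authentication failed");
      } else {
        Serial.printf("OTA error %u\n", error);
      }
    });
  ArduinoOTA.begin();
}

void loop() {
  ArduinoOTA.handle();  // must run regularly or uploads never start
  // ... servo and pump control goes here ...
}
```

Keeping the hash rather than the plain password in the sketch means a copy of the source (or a dumped firmware image) does not hand out the password directly, though the OTA port should still only be reachable from the trusted side of the network.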

Someone said MQTT is the way to go.
I would do it with a Telegram bot.

Choose the one that suits you best.

1 Like

Personally I would look at Home Assistant with MQTT packets from the ESP. Will open your world to home automation and future expansion with your ESP32. Safe and reliable. Good luck

The whole point of a VLAN is separation, you can't get from one to another. For that reason updates across 2 VLANs won't work unless the router has a setting to allow it.

You should also have the option of joining your development PC temporarily to the guest network for this. That is, if the nodes in the guest network are allowed to talk to each other.

In my setup, I have defined a special VLAN for untrusted IoT devices where the guests can't talk to each other and have only restricted access to the internet, that is NTP for the clocks and one or two specific hosts for other services. I don't, however, use over the air update.
It was, however, quite complicated to set up with another router downstream of my service provider's router.

1 Like

I don't have a service provider provided router, I use a Draytek router of my own. I use a small, local SP, not one of the big, well known SPs.

Yes, that’s another way to do it, thanks. My router does have the option to allow guests to talk to each other, and my development PC happens to be a mini PC that connects to my LAN via wifi, so it’s not hard to temporarily join the guest network.

Gentlemen

Thank you all for your help and suggestions.

It has helped me realise that my level of understanding really does not go far past basic programming skills and many of the terms and abbreviations used in the responses are new to me.

So ….. my solution is to revert to a simple non-remote system that triggers on time intervals and meanwhile to try and learn enough to at least get a simplified system going via the AdaFruit IoT cloud.

Thank you all for your help. This forum is an extraordinary resource.

1 Like