Battery/gateway and Internet comms

Hoping to install (2) PW2 with gateway in the near future and trying to figure out how to have them securely interconnect with the home network.

Do the PWs and GW call out only or do they need to accept incoming connections from the Internet?

If they are set up in a guest WiFi network, do they need to communicate with each other over the network, or are their comms direct wired between the devices? Is it only the gateway that connects for reporting? What ports?

Trying to avoid having to connect with the internal home office network and keep them relegated to the IoT guest WiFi network. However this is outbound only with no inter-device connectivity.
 
If this is where your concerns are, why not skip the home networking portion of it in full and just let it communicate via its built-in cellular network only? Have Tesla activate both wifi and cellular network on install, then once they are done with it, turn off the wifi and have it communicate with only cellular.

I don't have your concerns so have the powerwalls hardwired to my network (because I wanted the fast status changes that seems to provide, when I manually change modes). I didn't look into whether they need inbound communication but I would think they do, since they have to receive settings from "tesla" when you change settings in the app.

(note, this is the gateway I am talking about... I believe the powerwalls themselves only communicate with the gateway via some hard wired connection that is run during install but am not 100% on that).
 
IMO a separate network is overkill for the PW gateway, but to each their own.

The gateway only needs to reach the Tesla servers via the internet so outbound only should be fine. I read previously that OTA updates can only be done over wifi or ethernet and not cell though I can't find that documentation now so perhaps it's been changed.

I personally ran ethernet to the Powerwall as the wifi and cell connections were super flaky in my experience. I also query the gateway directly to pull data and integrate with my home automation system so keeping it on the private network works best.
 
Powerwalls need home internet about the same way Tesla cars need the internet

mostly outbound to talk to the "mother ship"
a little bit of inbound traffic to control them and change backup modes (but this is all done over the comm channel from the mother ship).

also having them on your home internet will allow you to connect to them directly via your web browser and monitor status locally - a feature I find sometimes useful when the Tesla "mothership" is being less responsive or offline for some reason.
 
In the context of an internet connected device just because something receives data does not mean it needs inbound connections. Firewalls are typically set up by the device initiating the connection. In that sense, Tesla's servers never "reach out" to your Gateway for things like updates but rather your Gateway reaches out (outbound) to the server, makes the query, and gets data.

For this purpose allowing only outbound connections and not inbound would allow it to operate correctly even when receiving updates.
 
My PW Gateway is connected via wired Ethernet, with WiFi backup. Since my network is secured with a strong password, the WiFi connection is as secure as any...

The wired Ethernet connection means it will be connected to your main network, unless you use a second router to create a separate domain.
 
I think that zTesla is using a router that supports multiple wireless connections, maybe with virtual LANs (VLANs) to allow separation of network traffic.

@zTesla: Note that even though the Powerwalls don't need local connectivity, for some home automation tasks (e.g., detecting whether the grid is down), it may be advantageous to be able to connect to the Gateway over the LAN. If you never plan to do anything like that, putting the Gateway on the IoT network should be fine. The only other wildcard may be the car/Powerwall charging integration. At this point it is unknown how the car and Powerwall will communicate. It is conceivable they may want to do it over the LAN (although I think it more likely they'll do it through Tesla's servers instead).
 
First, the PowerWalls communicate directly with the Gateway over wired connections - not over a network.

The Gateway requires a connection to the Internet, which can be done over hardwired-ethernet, WiFi and/or cellular.

If the Gateway is located outside, the wired ethernet connection is a security risk, since anyone who was aware of that feature could open the Gateway panel, disconnect the wired ethernet connection from the Gateway and then connect a device directly to your local area network.

If the Gateway is located inside a locked garage, there's less risk - unless someone breaks into your garage - in which case, they likely would also have access to the house.

WiFi is more secure because of WiFi security. However, even though our Gateway is sitting outside with two WiFi mesh routers about a room width apart from the Gateway, the WiFi signal to the Gateway is not as stable, likely because it is mounted around many metal panels with high power cables. I ran some tests comparing our WiFi and ethernet connections - and the hardwired ethernet connection is much better. WiFi devices on the inside of the garage (two Tesla vehicles, smart sprinkler, solar panel monitor) don't have any issues with WiFi.

The cellular connection is the most secure - because it goes onto the cellular network. It is a slower connection, which takes longer for the Gateway to download updates - plus if you want to access the Gateway's web interface, it's not as easy as doing it on your local network.

After installing the Gateway, I realized the potential security risk of the wired connection - and decided it was a relatively low risk. Even if someone did connect to our wired network, all of our computers have username/password protection, so I'm not too concerned someone could access those systems. The rest of the devices are a printer and various IoT devices - which aren't a major risk.

Based on the WiFi performance I saw during testing, I recommend using a wired connection if possible. Since access to the inside of the Gateway panel probably isn't needed much (if any), it is possible to provide some physical security by putting a zip tie or something else to make it more difficult to get inside the panel.
 
Thanks all. One of the hats I wear is as a cybergeek, thus the eternal paranoia of inserting a new device into the trusted network, especially if it can be directly connected to from outside. As @cwied surmised, my WiFi router is set up with a guest network and multiple private networks. The WiFi router is also only a few feet from where I expect the gateway to be installed in the basement addressing some of what @bob_p brought up.

Interestingly, I had a follow-up call from Tesla last night (after requesting it over a month ago), and took the opportunity to ask about inbound connections. The agent indicated that it was required for updates as they're pushed out and not polled/pulled. Not sure this is accurate, as it would require opening up firewall ports, and am hoping the third-party installer has a better idea. If anyone knows of any docs addressing this, please post.
 
If it were true that they require an incoming connection then part of the setup would involve setting up port forwarding or UPnP on your router. If it does not, then it is a client initiated outgoing connection that regularly checks in for new incoming data.
 
The wired ethernet risks can also be mitigated by setting up separate VLANs for exterior ports/devices. I have 4x IP cameras and my TEG on a protected VLAN. That VLAN also has a MAC whitelist though that offers only minimal protection as MAC addresses can easily be spoofed.
 
I think the Tesla tech's answer was based on the common misunderstanding that outbound connections somehow have data flowing only one way. I do not have any port forwarding and do not have UPnP enabled on my router and the TEG gets updates just fine. It is true that the updates are initiated from the server side, but as far as I can tell the "push" is implemented by the TEG polling for updates.

You can reconfigure the settings by connecting to the TEG's wifi network (Connecting to Tesla Gateway | Tesla Support).

Note that in my experience, Powerwall support will answer questions beyond their level of expertise to close a call. I would take any answer you get from Tier 1 with a grain of salt.
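
The difference the thread keeps returning to, between a reply on a connection the Gateway opened and a genuinely inbound connection, modelled as a toy connection-tracking firewall. This is an added example and not part of any post; the subnet, addresses, ports and names are constructed for illustration, and NAT is left out.

```python
import ipaddress
from dataclasses import dataclass, field

IOT_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed guest/IoT subnet

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulFirewall:
    port_forwards: set = field(default_factory=set)  # ports opened inward (none by default)
    client_isolation: bool = True                    # guest network: no device-to-device traffic
    flows: set = field(default_factory=set)          # connections opened from the inside

    def check(self, p: Packet) -> str:
        src_in = ipaddress.ip_address(p.src) in IOT_NET
        dst_in = ipaddress.ip_address(p.dst) in IOT_NET
        if src_in and dst_in:
            return "drop" if self.client_isolation else "accept"
        if src_in:
            # Outbound: remember the flow so the server's answers can come back.
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "accept"
        if dst_in:
            if (p.dst, p.dport, p.src, p.sport) in self.flows:
                return "accept"  # reply on a connection the device itself opened
            return "accept" if p.dport in self.port_forwards else "drop"
        return "drop"

def classify(fw: StatefulFirewall, packets) -> list:
    return [fw.check(p) for p in packets]

# Constructed sample traffic (documentation address ranges stand in for real hosts).
GATEWAY, CAMERA = "192.168.50.20", "192.168.50.31"
SERVER, SCANNER = "203.0.113.10", "198.51.100.7"
SAMPLE = [
    Packet(GATEWAY, 51000, SERVER, 443),   # gateway checks in with the server
    Packet(SERVER, 443, GATEWAY, 51000),   # "pushed" update arrives as the reply
    Packet(SCANNER, 40000, GATEWAY, 443),  # unsolicited connection from the internet
    Packet(SERVER, 443, GATEWAY, 51001),   # server-initiated, no matching flow
    Packet(GATEWAY, 51002, CAMERA, 80),    # device to device on the guest network
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, classify(StatefulFirewall(), SAMPLE)):
        print(verdict, pkt)
```

With no port forwards, only the first two packets pass; adding 443 to `port_forwards` is what it would take for the third to get through.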
 
How easy is it to reconfigure the PW/GW network settings post installation? Can I do it on my own or does it need to be done by installer?
The only network setting that you can control is the IP address, which is normally done by your router via DHCP. If you switch to a different router/subnet, you may have to reboot the GW so it will find and connect to the proper net.

I only remember that I had a bit of a time trying to assign an IP address, and finally gave up and let DHCP do its thing.
 
also you can “lock” the gateway cabinet cover with a simple padlock - so there is some mild physical security that will make it slightly harder to connect via ethernet - but yeah it’s a risk.

Sorry to revive an old thread, but I'm trying to locate a padlock that will secure my gateway boxes and not having any luck. Got a couple small ones, and they aren't able to be threaded through the holes due to how the securing mechanism is located on the side and close to the actual cabinet wall.

Tried a larger one, still no good.

Do you have any suggestions for locks that will actually fit?
 
Alright, NEVERMIND. Found that the medium sized ones will work if and only if you thread them through upside down from the bottom to start.

Now I feel like I just took a Mensa test.