How is it that certain electronics (like IoT gizmos) on my network can communicate in and out without me having to do anything to my network configuration (i.e., opening ports)?

894 views

In: Technology

4 Answers

Anonymous 0 Comments

When you add devices to your private home network, wireless or wired, the router will add them as part of your home network devices. This allows all home devices to request access to the internet without being blocked or configured further.

*Exception: network configurations and network security devices can add devices with limited access to the local network and internet resources.*

Internet of Things (IoT) devices use this default behavior to create very simple products that can quickly and automatically connect with their online services. Once connected to your home network, the device requests to open a line between itself and its cloud service, which gets approved by the default behavior of home routers. Now that it’s connected, these devices can provide a number of services, plus update in real time.

Depending on the device, you might also notice an online registration or user setup on a phone. This process helps ensure your installed device is attached to your account correctly. This helps ensure all your personalized settings and local details will be provided correctly.

When it comes to devices on the internet trying to access your home devices, by default your router will not allow it.

Part of being in a connected world is knowing that security is always evolving to fight new threats online. Live updating allows your devices to be secure from new threats as soon as possible, and that’s something we can all agree is a good thing.

Anonymous 0 Comments

Most connections have a default allow-out.

So long as those devices are the ones initiating the connection going out, your router/firewall/whatever will allow it, and any related reply packets, back into the network and route them properly.

At the other end is a server that has an “allow-in” rule for that particular type of traffic.

This works absolutely fine for 99.9999% of protocols. The ones it doesn’t (SIP, FTP, etc.) are where an arbitrary outsider has to be able to talk directly to a particular device on your network (which your firewall should refuse, and for which NAT will mean it won’t know how to talk to that particular device inside your network anyway), so you have to “punch holes” (open a port) for it.

You have absolutely zero requirement, as an ordinary consumer, to open ports on your network. Any gaming that requires arbitrary communication will use a matchmaking server (which means you’re initiating a connection going out to that server, as are millions of other people, and it is “open” and joins the dots so you can talk with others). Opening a port is for running a server *inside* the boundaries of your network, and exposes you to a potential attack (it also permanently ties up that port as that port can now only go to the device you specify inside your network).

Note that this means that *any* software or device on your network can be talking out and you know nothing about it. You don’t need to open a port to have such a device talking home and both sending data and receiving commands from a remote server.

There’s a reason that many businesses do *not* have default allow-all-out rules, and why they disable UPnP on the router.

(Some idiot invented UPnP which lets any program, on any device, inside your network, ask your router to set up a permanent port-forward with no authentication whatsoever, and it’s a piece of junk and a security nightmare and you should never use it. It’s totally 100% unnecessary for anything you’re ever going to run.)

Anonymous 0 Comments

Same way you can access a web browser or use an online chat without configuring your router for it. They communicate with a server instead of acting as a server themselves, and that typically does not require any pre-configured ports on the NAT.

Anonymous 0 Comments

Unless you deliberately stop it, any communication started from the inside is allowed. So your IoT device can connect as long as it places the “call”. If this concerns you, you can set up a whitelist of devices allowed to initiate connections with the outside, and the ports they are allowed to use; by default, however, they will be allowed.

A simple example is a printer – I have a printer that I can send print jobs to from the Internet. How does that work if my printer is behind a firewall? The answer: every once in a while, my printer connects to HP and says “hey, has some guy sent me anything to print?” And HP responds by sending what I requested be printed.
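The behaviour described in the answers above (default allow-out with reply packets tracked back in, unsolicited inbound dropped unless a port is deliberately opened, and the optional allow-list of which inside devices may initiate connections) can be seen in a small model. The code below is an added example written for this page, not from any of the answerers or from any real router firmware. It assumes a simplified NAT that keeps the inside source port as the external port (real routers may rewrite it), and all addresses are constructed from the documentation ranges (192.168.1.0/24 inside, 203.0.113.7 as the router's public address, 198.51.100.x as internet hosts).

```python
"""Toy model of a consumer router: stateful firewall + NAT, optional port
forwards, optional egress allow-list.  Constructed example; not a real
router's logic.  Addresses come from the documentation ranges."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

WAN_IP = "203.0.113.7"        # the router's public address (constructed)
LAN_PREFIX = "192.168.1."     # the private side


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Router:
    # None = the usual consumer default: any inside host may talk out on any port.
    # Otherwise only (inside_ip, dport) pairs listed here may initiate connections.
    egress_allow: Optional[Set[Tuple[str, int]]] = None
    # Deliberately "opened" ports: (proto, external_port) -> (inside_ip, inside_port)
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # Connection table built only from outbound traffic:
    # (proto, remote_ip, remote_port, external_port) -> (inside_ip, inside_port)
    conntrack: Dict[Tuple[str, str, int, int], Tuple[str, int]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def _decide(self, verdict: str, pkt: Packet) -> str:
        self.log.append(f"{verdict:<32} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return verdict

    def handle(self, pkt: Packet) -> str:
        inside_src = pkt.src.startswith(LAN_PREFIX)
        if inside_src and not pkt.dst.startswith(LAN_PREFIX):
            # Outbound: apply egress policy, then record state so the reply can return.
            if self.egress_allow is not None and (pkt.src, pkt.dport) not in self.egress_allow:
                return self._decide("DROP egress-policy", pkt)
            # Simplification: external port == inside source port (no port rewriting).
            self.conntrack[(pkt.proto, pkt.dst, pkt.dport, pkt.sport)] = (pkt.src, pkt.sport)
            return self._decide("ALLOW outbound", pkt)
        if not inside_src and pkt.dst == WAN_IP:
            # Inbound from the internet: only the public address is reachable at all.
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
            if key in self.conntrack:
                ip, port = self.conntrack[key]
                return self._decide(f"ALLOW reply -> {ip}:{port}", pkt)
            fwd = self.port_forwards.get((pkt.proto, pkt.dport))
            if fwd is not None:
                return self._decide(f"ALLOW forward -> {fwd[0]}:{fwd[1]}", pkt)
            # No matching state and no forward: NAT has nowhere to send it, firewall drops it.
            return self._decide("DROP unsolicited", pkt)
        return self._decide("DROP unroutable", pkt)


def demo_default_router() -> List[str]:
    """Default allow-out: IoT device calls its cloud, the reply returns, strangers are dropped."""
    r = Router()
    return [
        r.handle(Packet("tcp", "192.168.1.50", 40001, "198.51.100.20", 443)),  # device -> cloud
        r.handle(Packet("tcp", "198.51.100.20", 443, WAN_IP, 40001)),           # cloud's reply
        r.handle(Packet("tcp", "198.51.100.99", 5555, WAN_IP, 40001)),          # other host, same port
        r.handle(Packet("tcp", "198.51.100.99", 5555, WAN_IP, 22)),             # unsolicited probe
    ]


def demo_port_forward() -> List[str]:
    """Opening a port: unsolicited traffic on it now always lands on one fixed inside host."""
    r = Router(port_forwards={("tcp", 22): ("192.168.1.10", 22)})
    return [
        r.handle(Packet("tcp", "198.51.100.99", 5555, WAN_IP, 22)),
        r.handle(Packet("tcp", "198.51.100.99", 5556, WAN_IP, 8080)),
    ]


def demo_egress_allowlist() -> List[str]:
    """The allow-list from the last answer: only the printer may poll its vendor on 443."""
    r = Router(egress_allow={("192.168.1.20", 443)})
    return [
        r.handle(Packet("tcp", "192.168.1.20", 51000, "198.51.100.30", 443)),  # printer polls
        r.handle(Packet("tcp", "198.51.100.30", 443, WAN_IP, 51000)),          # vendor sends the job
        r.handle(Packet("tcp", "192.168.1.60", 52000, "198.51.100.40", 443)),  # unlisted device
    ]


if __name__ == "__main__":
    for demo in (demo_default_router, demo_port_forward, demo_egress_allowlist):
        print(f"--- {demo.__name__}")
        r = Router()
        for line in demo():
            print(line)
```

The printer scenario from the last answer is the third demo: the printer's outbound poll creates the state entry, so the vendor's answer (the print job) is let back in, while nothing from the internet can reach the printer unprompted. The first demo shows why the IoT question has the answer it does, and the second shows what "opening a port" actually changes.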