Q: I want to use my Smart Lock only locally with the MQTT API or Matter integration and do not want it to connect to the internet. What options do I have?
When an internet connection is available, the Smart Lock tries to establish a secure, encrypted connection to the Nuki servers to automatically download the latest firmware updates and update its time. Unless you add additional users with remote access or activate Nuki Web, the server connection cannot be used to retrieve the Smart Lock's status or to send lock commands. We therefore strongly recommend that you do not disable this connection.
If you still want to isolate the lock from the internet, you have the following options:
- Connect the lock to a Thread-capable Matter hub that supports remote access via NAT64 and disable remote access for the Nuki app with the “Remote Access” flag on the Matter settings page. You can still use the MQTT API and the Matter integration, but the Smart Lock will not establish a connection to the Nuki servers. If your lock supports WiFi, make sure that you disable WiFi in the Smart Lock's settings to prevent a fallback to WiFi. List of compatible hubs.
- Connect the lock to your WiFi network and to your Smart Home hub via MQTT. In your firewall, block your lock's DNS requests. This is usually UDP/TCP traffic on port 53. You can also block DNS requests to “*-smartlock.nuki.io” in your DNS server, but this might also result in your Nuki app malfunctioning (e.g. invite creation not working).
- Connect the lock to your WiFi network and to your Smart Home hub via MQTT and block outgoing traffic from the Smart Lock to port 443. Smart Locks 4th Gen and Ultra require that the firewall “DROP”s packets, while Smart Lock 3rd Gen requires packets to be “REJECTED-TCP” (the firewall sends a TCP RESET back). If this is not taken care of, the Smart Lock might frequently log on to and off the WiFi network (and also disconnect from MQTT)!
You can find the IP address of your Smart Lock in the WIFI expert settings of the Nuki App.
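The two firewall options above, written out as iptables rules. This is an added example, not Nuki's own configuration: it assumes a Linux router running iptables with the lock's traffic passing through it, and the function name `nuki_rules` and the address 192.168.1.50 are made up for illustration.

```shell
#!/bin/sh
# Added example: print iptables rules for the two firewall options above.
# Assumptions (not from the page): Linux router using iptables, the lock's
# traffic is routed through it (FORWARD chain), and LOCK_IP is a constructed
# placeholder address. Rules are printed, not applied: review them first.

# nuki_rules MODE LOCK_IP [GENERATION]
#   MODE: dns   -> block DNS lookups from the lock (UDP/TCP port 53)
#         https -> block outgoing port 443; GENERATION required: 3 | 4 | ultra
nuki_rules() {
    mode=$1 ip=$2 gen=$3
    # Reject anything that is not digits and dots, since the output may be
    # fed to a shell.
    case $ip in
        ''|*[!0-9.]*) echo "invalid IPv4 address: $ip" >&2; return 2 ;;
    esac
    case $mode in
        dns)
            # If the router itself is the DNS resolver, requests arrive on
            # INPUT rather than FORWARD, so cover both chains.
            for chain in FORWARD INPUT; do
                for proto in udp tcp; do
                    echo "iptables -I $chain -s $ip -p $proto --dport 53 -j DROP"
                done
            done ;;
        https)
            case $gen in
                4|ultra)  # 4th Gen and Ultra: packets must be dropped
                    target="DROP" ;;
                3)        # 3rd Gen: firewall must answer with a TCP RESET
                    target="REJECT --reject-with tcp-reset" ;;
                *) echo "generation must be 3, 4 or ultra" >&2; return 2 ;;
            esac
            echo "iptables -I FORWARD -s $ip -p tcp --dport 443 -j $target" ;;
        *) echo "mode must be dns or https" >&2; return 2 ;;
    esac
}

# Constructed sample address; take the real one from the Nuki app.
LOCK_IP=192.168.1.50
nuki_rules https "$LOCK_IP" 3
nuki_rules https "$LOCK_IP" ultra
nuki_rules dns "$LOCK_IP"
```

Giving the lock a fixed DHCP lease keeps the source address in these rules valid after the lock reconnects.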