Securing your SMLIGHT MR device and OTBR

Some easy and quick tips
Securing the SMLIGHT MR device

The first thing to do is head over to the web interface of your SMLIGHT device, set up a user password, and limit the devices that can connect to the socket. I have my Unraid machine on a fixed IP, 192.168.1.250, so I whitelisted that IP address and set an Admin password.

Another thing is to keep your firmware up to date and, when it is not in use, keep the WiFi turned off. Besides saving resources, this also reduces the attack surface of the device, and most people won't need WiFi since you probably bought an SMLIGHT device to connect it via PoE anyway.

Securing OTBR container

As mentioned in the docs of bnutzer/docker-otbr-tcp, we need to tighten up the security a bit:

The upstream OpenThread Border Router is a reference implementation and not originally intended to be run on production installations unchanged. However, the public community (we!) use it for that purpose. The otbr API is not authenticated. If any device has access to your physical network, it may be able to re-configure your thread network and gain access to your IoT devices, including ones that might pose security risks such as smart locks. It is strongly advisable to restrict access to the container, e.g., by setting the listen address to 127.0.0.1, setting up firewalls, etc.

To do this, head over to the Docker container and add the variable "OTBR_REST_LISTEN_ADDRESS" with the value "127.0.0.1".

If you had the web interface enabled on the OTBR container, you should disable it when you're done: OTBR_WEB_ENABLE should be at 0 (the default setting).
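One way to confirm that the two container settings above took effect, as an added example that is not part of the original post or of the docker-otbr-tcp project: it audits the environment list printed by `docker inspect --format '{{json .Config.Env}}' <container>` and the listeners shown by `ss -ltn`. The REST port 8081 and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import json

def is_loopback(addr: str) -> bool:
    """True only for a literal loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(addr.strip("[]").split("%")[0]).is_loopback
    except ValueError:
        return False  # "*" or a hostname: treat as reachable from the network

def audit_env(env_json: str) -> list[str]:
    """Check the two variables from this page in the container's Env list."""
    env = dict(e.split("=", 1) for e in json.loads(env_json) if "=" in e)
    findings = []
    listen = env.get("OTBR_REST_LISTEN_ADDRESS")
    if listen is None:
        findings.append("OTBR_REST_LISTEN_ADDRESS is not set")
    elif not is_loopback(listen):
        findings.append(f"OTBR_REST_LISTEN_ADDRESS={listen} is not loopback")
    if env.get("OTBR_WEB_ENABLE", "0") != "0":  # the page gives 0 as the default
        findings.append("OTBR_WEB_ENABLE is not 0")
    return findings

def exposed_listeners(ss_output: str, port: int) -> list[str]:
    """Non-loopback local addresses listening on `port` in `ss -ltn` output."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, lport = cols[3].rpartition(":")
        if lport == str(port) and not is_loopback(addr):
            exposed.append(cols[3])
    return exposed

# Constructed sample data (not captured from a real system).
REST_PORT = 8081  # assumption: substitute the REST port your container uses
ENV_BEFORE = '["OTBR_WEB_ENABLE=1", "PATH=/usr/sbin:/usr/bin"]'
ENV_AFTER = '["OTBR_REST_LISTEN_ADDRESS=127.0.0.1", "OTBR_WEB_ENABLE=0"]'
SS_BEFORE = "LISTEN 0 128 0.0.0.0:8081 0.0.0.0:*\nLISTEN 0 128 [::]:8081 [::]:*"
SS_AFTER = "LISTEN 0 128 127.0.0.1:8081 0.0.0.0:*"

if __name__ == "__main__":
    print("before:", audit_env(ENV_BEFORE), exposed_listeners(SS_BEFORE, REST_PORT))
    print("after: ", audit_env(ENV_AFTER), exposed_listeners(SS_AFTER, REST_PORT))
```

Run `ss -ltn` where the container's network namespace is visible (on the host for host networking, otherwise inside the container) so the listener check sees the real bind address.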

The above should be "enough" to secure your Matter-over-Thread setup a bit against the most common attacks, since we run this locally within our own managed network.