Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 17 replies
  • Subscribers 41 subscribers
  • Views 8655 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

TP-Link Kasa Smart Plugs and XG

Daniel Bingham

Hi,

 

I run TP-Link Kasa Smart Plugs in my house. I have noticed that when trying to control remotely, they grey out on either iOS or Android. If I connect to the local network, the plug displays "Local Only". According to TP-Link this message indicates that remote access is not enabled on the plug but when I look into the settings it is.

 

TP-Link doesn't give much assistance with their devices but I found a website which says that the plugs use Ports:

  • 80 TCP
  • 9999 TCP
  • 1040 UDP

So I reserved their IP's and created two new firewall rule as follows:

Group: Smart Switches

Firewall 29: Kasa Services

Source Zones: LAN

Source Networks and devices: "My two devices"

Destination Zones: WAN

Destination Networks: Any

Services: Kasa Ports which is a port group TCP Source: 1:65535 > 80 | TCP Source: 1:65535 > 9999 | UDP Source: 1:65535 > 1040

No Scan HTTP, HTTPS, Block Google, Scan FTP

No IPS, Traffic Shaping, Web Policy, App Control

Firewall 30: Smart Switches

Source Zones: LAN

Source Networks and devices: "My two devices"

Destination Zones: WAN

Destination Networks: Any

Services: Any

No Scan HTTP, HTTPS, Block Google, Scan FTP

No IPS, Traffic Shaping, App Control

Web Policy: All All

 

I can see traffic going out as "Allowed" in logging and all looks fine from the XG side, but the switches are still inaccessible.

Why I think it's the XG... If I remove the XG from my network and plug in my D-Link DIR850L Router, I can access the smart switches remotely with no problem.

 

Thank you in advance.



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    Two things that can be happening:

    1) It's using other's ports to communicate, probably to a cloud service, can you check the Logs and filter just for the device on it? Also can you set Firewall 29 Services as ANY to confirm this?

    Or

    2) As much I hate to know some IoT devices needs this (There should be no need for this.), Doesn't this IoT device requires port forwarding, for remote access? Since It works with your D-Link router - It must be using UPnP for port forwarding, something that XG doesn't support.

    Looking at your Device I've found:

    80/tcp HTTP
    9999/tcp TP-Link Smart Home Protocol
    1040/udp TP-Link Device Debug Protocol (TDDP)

    The 80/TCP is a web server that always returns 200 OK, no matter what you send to it, so there's no need to port forward it, 1040 is just for debug, so your left with 9999/TCP.

    If your sure It needs port forwarding, then - Can you create a DNAT Rule with port 9999/TCP for the IoT Device?

    You can follow here, on how to create it.

     

    Thanks!

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • 0 in reply to Prism

    1) It's using other's ports to communicate, probably to a cloud service, can you check the Logs and filter just for the device on it? Also can you set Firewall 29 Services as ANY to confirm this?

     

     

    I can only see it communicating on 443 and 53

Reply Children
Unfiltered HTML