TP-Link Kasa Smart Plugs and XG

Hi,

Two things that can be happening:

1) It's using other's ports to communicate, probably to a cloud service, can you check the Logs and filter just for the device on it? Also can you set Firewall 29 Services as ANY to confirm this?

Or

2) As much I hate to know some IoT devices needs this (There should be no need for this.), Doesn't this IoT device requires port forwarding, for remote access? Since It works with your D-Link router - It must be using UPnP for port forwarding, something that XG doesn't support.

Looking at your Device I've found:

The 80/TCP is a web server that always returns 200 OK, no matter what you send to it, so there's no need to port forward it, 1040 is just for debug, so your left with 9999/TCP.

If your sure It needs port forwarding, then - Can you create a DNAT Rule with port 9999/TCP for the IoT Device?

You can follow here, on how to create it.

Thanks!

Thank you, I can do this, but I have more than one smart device. How will I port forward to multiple devices?

Hi,

First, can you confirm If 1) or 2) solved your first issue?

Looking at tp-link website, there should be a central management for the devices, It's better to know first why their not available for the WAN right now with XG, then we can look at the rest.

Thanks!

First, can you confirm If 1) or 2) solved your first issue?

Thanks, I created a DNAT rule just on the one switch and no joy.

Also, no logging to that particular ID thus far

Hi,

you do not need fancy rules, just a normal firewall rule and MASQ in the NAT.

Ian

rfcat_vk said:

you do not need fancy rules, just a normal firewall rule and MASQ in the NAT.

Hi Ian, can you elaborate a little more so I can understand exactly what you think is required?

Hi Daniel,

I have a number IoT devices and the only rules after checking all the ports they require as I advised earlier are

source LAN -> IoT device addresses or network -> Destination WAN -> any -> services (as you find them) -> allow always -> log -> NAT -> MASQ (no web proxy, but I do use IPS to try an classify the traffic for reporting, doesn't work).

Ian

source LAN -> IoT device addresses or network -> Destination WAN -> any -> services (as you find them) -> allow always -> log -> NAT -> MASQ (no web proxy, but I do use IPS to try an classify the traffic for reporting, doesn't work).

Do you mean like this?

If so, that is how I originally had it (for weeks) with no joy on having it work correctly.

Pleas try with just the network in lieu of the individual device addresses. I have some bad experiences recently where changing to network and changing back fixed the issue, I don't understand.

Then review the logviewer for  the associated device IP addresses looking for connection ports and denied access.

Further as Prism said your router will pass uPNP whereas there XG will not. One of my IoT devices I was trying out for home management would only work with uPNP enabled and I consider that protocol a security risk, so the device is in the e-recycle bin.

Ian

Pleas try with just the network in lieu of the individual device addresses. I have some bad experiences recently where changing to network and changing back fixed the issue, I don't understand.

Then review the logviewer for  the associated device IP addresses looking for connection ports and denied access.

Further as Prism said your router will pass uPNP whereas there XG will not. One of my IoT devices I was trying out for home management would only work with uPNP enabled and I consider that protocol a security risk, so the device is in the e-recycle bin.

Ian

Understood. I created a new rule at the very top to the network and still the problem persists.

Hi Daniel,

the aim of this test was to collect data in logviewer. Did you review logviewer searching on each IP address of your devices and what did you find in successful and denied connections in the various reports?

Ian

All actions were allowed, and the following services from the smart switches:

8443

123

3475

53