
TP-Link Kasa Smart Plugs and XG

Hi,


I run TP-Link Kasa Smart Plugs in my house. I have noticed that when trying to control remotely, they grey out on either iOS or Android. If I connect to the local network, the plug displays "Local Only". According to TP-Link this message indicates that remote access is not enabled on the plug but when I look into the settings it is.


TP-Link doesn't give much assistance with their devices but I found a website which says that the plugs use Ports:

  • 80 TCP
  • 9999 TCP
  • 1040 UDP

So I reserved their IPs and created two new firewall rules as follows:

Group: Smart Switches

Firewall 29: Kasa Services

Source Zones: LAN

Source Networks and devices: "My two devices"

Destination Zones: WAN

Destination Networks: Any

Services: Kasa Ports, which is a port group: TCP Source 1:65535 > 80 | TCP Source 1:65535 > 9999 | UDP Source 1:65535 > 1040

No Scan HTTP, HTTPS, Block Google, Scan FTP

No IPS, Traffic Shaping, Web Policy, App Control

Firewall 30: Smart Switches

Source Zones: LAN

Source Networks and devices: "My two devices"

Destination Zones: WAN

Destination Networks: Any

Services: Any

No Scan HTTP, HTTPS, Block Google, Scan FTP

No IPS, Traffic Shaping, App Control

Web Policy: All All


I can see traffic going out as "Allowed" in logging and all looks fine from the XG side, but the switches are still inaccessible.

Why I think it's the XG... If I remove the XG from my network and plug in my D-Link DIR850L Router, I can access the smart switches remotely with no problem.


Thank you in advance.



  • Hi,

    The suggested way of finding out what ports the devices use is to create a firewall rule at the top for your devices with an Any service, then check the logs to see which ports are actually used.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    Two things that can be happening:

    1) It's using other ports to communicate, probably to a cloud service. Can you check the Logs and filter just for the device on it? Also, can you set Firewall 29 Services to ANY to confirm this?

    Or

    2) As much as I hate to know that some IoT devices need this (there should be no need for it), doesn't this IoT device require port forwarding for remote access? Since it works with your D-Link router, it must be using UPnP for port forwarding, something that XG doesn't support.

    Looking at your Device I've found:

    80/tcp HTTP
    9999/tcp TP-Link Smart Home Protocol
    1040/udp TP-Link Device Debug Protocol (TDDP)

    The 80/TCP is a web server that always returns 200 OK, no matter what you send to it, so there's no need to port forward it; 1040 is just for debug, so you're left with 9999/TCP.

    If you're sure it needs port forwarding, then can you create a DNAT Rule with port 9999/TCP for the IoT Device?

    You can follow here, on how to create it.


    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home
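The diagnostic both replies above recommend (an Any-service rule at the top, then filter the logs for the plugs and see which destination ports actually appear, and which rule ids get hits) written out as a small log parser. This is an added example, not code from the thread or from Sophos; it runs over constructed log lines whose key=value field names are an assumption modelled on the SFOS firewall log, not a capture from the poster's appliance, and the two plug addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in the key=value style of the SFOS firewall log. The
# field names (fw_rule_id, src_ip, protocol, dst_port) are assumed, not copied from
# the poster's appliance; 192.168.1.50 and .51 stand in for the two plugs.
SAMPLE_LOG = """\
log_type="Firewall" log_subtype="Allowed" fw_rule_id=30 src_ip=192.168.1.50 dst_ip=203.0.113.10 protocol="TCP" src_port=51000 dst_port=443
log_type="Firewall" log_subtype="Allowed" fw_rule_id=30 src_ip=192.168.1.50 dst_ip=192.168.1.1 protocol="UDP" src_port=40001 dst_port=53
log_type="Firewall" log_subtype="Allowed" fw_rule_id=30 src_ip=192.168.1.51 dst_ip=203.0.113.11 protocol="TCP" src_port=51002 dst_port=443
log_type="Firewall" log_subtype="Allowed" fw_rule_id=30 src_ip=192.168.1.50 dst_ip=203.0.113.10 protocol="TCP" src_port=51003 dst_port=443
log_type="Firewall" log_subtype="Allowed" fw_rule_id=1 src_ip=192.168.1.20 dst_ip=198.51.100.5 protocol="TCP" src_port=52000 dst_port=80
"""

# The "Kasa Ports" service group from the thread: TCP 80, TCP 9999, UDP 1040.
KASA_SERVICE_GROUP = {("TCP", 80), ("TCP", 9999), ("UDP", 1040)}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def port_profile(log_text, device_ips):
    """Per device IP: Counter of (protocol, dst_port) pairs seen in Firewall records."""
    profile = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("log_type") != "Firewall" or rec.get("src_ip") not in device_ips:
            continue
        profile[rec["src_ip"]][(rec["protocol"], int(rec["dst_port"]))] += 1
    return dict(profile)


def rule_hits(log_text):
    """Hits per fw_rule_id; a rule id missing here is the '0/0 traffic' case."""
    return Counter(parse_record(ln)["fw_rule_id"] for ln in log_text.splitlines() if ln)


def compare_to_service_group(profile, service_group):
    """Per device: which observed (proto, port) pairs the group matches, which it
    misses, and which group members never show up in the logs at all."""
    report = {}
    for ip, seen in profile.items():
        observed = set(seen)
        report[ip] = {"matched": observed & service_group,
                      "unmatched": observed - service_group,
                      "unused_group_members": service_group - observed}
    return report
```

On the constructed sample the plugs only ever talk on TCP 443 and UDP 53, so every observed pair lands in "unmatched", rule 29 never appears in the hit count, and the port group never has a chance to match, which is exactly the pattern the poster later reports.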

  • Thank you, I can do this, but I have more than one smart device. How will I port forward to multiple devices?


  • Hi,

    First, can you confirm if 1) or 2) solved your first issue?

    Looking at the tp-link website, there should be a central management for the devices. It's better to know first why they're not available for the WAN right now with XG, then we can look at the rest.

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • 1) It's using other ports to communicate, probably to a cloud service. Can you check the Logs and filter just for the device on it? Also, can you set Firewall 29 Services to ANY to confirm this?


    I can only see it communicating on 443 and 53

  • First, can you confirm if 1) or 2) solved your first issue?


    Thanks, I created a DNAT rule just on the one switch and no joy.


    Also, no logging to that particular ID thus far.


  • Hi,

    Can you send the logs of Firewall 29: Kasa Services?

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Thanks, nothing is being logged there. 0/0 traffic to the rule.


  • EDIT: Sorry, I was being too quick for the device!


  • Hi,

    You do not need fancy rules, just a normal firewall rule and MASQ in the NAT.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.