

TP-Link Kasa Smart Plugs and XG

Hi,


I run TP-Link Kasa Smart Plugs in my house. I have noticed that when trying to control remotely, they grey out on either iOS or Android. If I connect to the local network, the plug displays "Local Only". According to TP-Link this message indicates that remote access is not enabled on the plug but when I look into the settings it is.


TP-Link doesn't give much assistance with their devices but I found a website which says that the plugs use Ports:

  • 80 TCP
  • 9999 TCP
  • 1040 UDP

So I reserved their IPs and created two new firewall rules as follows:

Group: Smart Switches

Firewall 29: Kasa Services

Source Zones: LAN

Source Networks and devices: "My two devices"

Destination Zones: WAN

Destination Networks: Any

Services: Kasa Ports, a service group containing: TCP source 1:65535 > destination 80 | TCP source 1:65535 > destination 9999 | UDP source 1:65535 > destination 1040

No Scan HTTP, HTTPS, Block Google, Scan FTP

No IPS, Traffic Shaping, Web Policy, App Control

Firewall 30: Smart Switches

Source Zones: LAN

Source Networks and devices: "My two devices"

Destination Zones: WAN

Destination Networks: Any

Services: Any

No Scan HTTP, HTTPS, Block Google, Scan FTP

No IPS, Traffic Shaping, App Control

Web Policy: All All


I can see traffic going out as "Allowed" in logging and all looks fine from the XG side, but the switches are still inaccessible.

Why I think it's the XG... If I remove the XG from my network and plug in my D-Link DIR850L Router, I can access the smart switches remotely with no problem.


Thank you in advance.
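The "Local Only" state described in the post above can be checked from the LAN side without the app: the plug's local API on TCP 9999 (one of the ports listed above) answers a cloud-status query, and the reply says whether the plug is bound to an account and whether it currently has a connection to the TP-Link cloud. The script below is an added example written for this page, not code from TP-Link or from anyone in the thread. The framing (4-byte big-endian length prefix) and the XOR "autokey" cipher seeded with 171 are the Kasa local protocol as documented by the open-source python-kasa project; the cnCloud/get_info query and its binded and cld_connection fields come from the same source and should be treated as an assumption if your firmware differs. Run it against a plug's reserved IP while on the LAN.

```python
"""Ask a Kasa plug over its local TCP 9999 API whether it thinks it is cloud-connected.

Protocol details (length prefix, XOR autokey seeded with 171, cnCloud/get_info) are as
documented by the open-source python-kasa project; treat the field names as an assumption
if your firmware behaves differently.
"""
import json
import socket
import struct
import sys

KASA_PORT = 9999            # local control port, also in the port list in the thread
XOR_SEED = 171              # initial key of the Kasa "autokey" XOR cipher
CLOUD_QUERY = {"cnCloud": {"get_info": {}}}   # cloud-status query (assumption: per python-kasa)


def kasa_encrypt(plain: bytes) -> bytes:
    """Autokey XOR: each ciphertext byte becomes the key for the next plaintext byte."""
    out, key = bytearray(), XOR_SEED
    for b in plain:
        key ^= b
        out.append(key)
    return bytes(out)


def kasa_decrypt(cipher: bytes) -> bytes:
    """Inverse of kasa_encrypt: XOR with the previous ciphertext byte (the seed for the first)."""
    out, key = bytearray(), XOR_SEED
    for b in cipher:
        out.append(key ^ b)
        key = b
    return bytes(out)


def frame(payload: dict) -> bytes:
    """Encrypt a JSON command and prepend the 4-byte big-endian length the device expects."""
    body = kasa_encrypt(json.dumps(payload).encode())
    return struct.pack(">I", len(body)) + body


def unframe(data: bytes) -> dict:
    """Strip the length prefix, decrypt and parse a device reply."""
    (length,) = struct.unpack(">I", data[:4])
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError(f"short frame: expected {length} bytes, got {len(body)}")
    return json.loads(kasa_decrypt(body))


def classify_cloud(reply: dict) -> str:
    """Map the cnCloud/get_info reply onto the states the Kasa app shows."""
    info = reply["cnCloud"]["get_info"]
    if info.get("err_code", 0) != 0:
        return f"device error {info['err_code']}"
    if not info.get("binded"):
        return "not bound to a TP-Link account"
    if info.get("cld_connection"):
        return "bound and cloud connected"
    return "bound but cloud unreachable (app shows Local Only)"


def query_plug(ip: str, timeout: float = 3.0) -> dict:
    """Send the cloud query to a plug on the LAN and return its parsed reply."""
    with socket.create_connection((ip, KASA_PORT), timeout=timeout) as s:
        s.sendall(frame(CLOUD_QUERY))
        header = s.recv(4)
        if len(header) != 4:
            raise ConnectionError("no length header from device")
        (length,) = struct.unpack(">I", header)
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                raise ConnectionError("device closed connection mid-reply")
            body += chunk
    return unframe(header + body)


if __name__ == "__main__":
    reply = query_plug(sys.argv[1])          # e.g. python3 kasa_cloud_check.py 192.168.1.50
    print(json.dumps(reply, indent=2))
    print(classify_cloud(reply))
```

If the reply shows binded=1 but cld_connection=0 while the firewall log shows the plug's outbound traffic as Allowed, the problem is between the plug and the TP-Link cloud rather than in the app. Two caveats: this port 9999 API is unauthenticated, which is one more reason to keep the plugs in their own zone or network; and newer Kasa firmware has moved local control to an authenticated protocol on port 80, in which case this probe will be refused or time out.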



  • rfcat_vk said:
    You do not need fancy rules, just a normal firewall rule and MASQ in the NAT.


    Hi Ian, can you elaborate a little more so I can understand exactly what you think is required?

  • Hi Daniel,

    I have a number of IoT devices and, after checking all the ports they require as I advised earlier, the only rules are

    source LAN -> IoT device addresses or network -> Destination WAN -> any -> services (as you find them) -> allow always -> log -> NAT -> MASQ (no web proxy, but I do use IPS to try and classify the traffic for reporting; doesn't work).


    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • source LAN -> IoT device addresses or network -> Destination WAN -> any -> services (as you find them) -> allow always -> log -> NAT -> MASQ (no web proxy, but I do use IPS to try and classify the traffic for reporting; doesn't work).

    Do you mean like this?


    If so, that is how I originally had it (for weeks) with no joy on having it work correctly.

  • Please try with just the network in lieu of the individual device addresses. I have had some bad experiences recently where changing to the network and changing back fixed the issue; I don't understand it.

    Then review the logviewer for the associated device IP addresses, looking for connection ports and denied access.

    Further, as Prism said, your router will pass UPnP whereas the XG will not. One of my IoT devices I was trying out for home management would only work with UPnP enabled, and I consider that protocol a security risk, so the device is in the e-recycle bin.

    Ian


  • Understood. I created a new rule at the very top to the network and still the problem persists.

  • Hi Daniel,

    The aim of this test was to collect data in logviewer. Did you review logviewer, searching on each IP address of your devices, and what did you find in successful and denied connections in the various reports?

    Ian


  • All actions were allowed, and the following services were seen from the smart switches:

    • 8443
    • 123
    • 3475
    • 53
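Ian's advice above (review logviewer per device IP for connection ports and denied access, then build the service list "as you find them") is easy to do offline against the XG's syslog output rather than by paging through logviewer. The script below is an added example written for this page, not a Sophos tool or code from the thread. It parses the key=value line format that SFOS emits (field names such as log_type, status, fw_rule_id, src_ip, protocol and dst_port follow that format), keeps only Firewall entries whose src_ip is one of the plugs, and reports the protocol/port pairs allowed or denied per device, the rule IDs that matched, and the distinct (protocol, port) pairs that would make a tight service group. The log lines embedded in it are constructed for illustration, using the ports from the reply above; the device IPs, rule numbers and destinations are made up.

```python
"""Summarise Sophos XG (SFOS) firewall log lines for a set of IoT device IPs.

Reads the key=value syslog format the XG emits, keeps only Firewall entries whose
src_ip is one of the devices, and reports which protocol/port pairs were allowed or
denied and which rule IDs matched. The sample lines below are constructed, not real logs.
"""
import re
from collections import defaultdict

# SFOS writes key=value pairs; string values are double-quoted, numbers and IPs are bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line: str) -> dict:
    """Turn one SFOS log line into a dict of field -> string value (empty values allowed)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def summarize(lines, device_ips):
    """Per device: allowed/denied counts keyed by 'PROTO/dst_port' and the rule IDs that matched."""
    summary = {ip: {"allowed": defaultdict(int), "denied": defaultdict(int), "rules": set()}
               for ip in device_ips}
    for line in lines:
        rec = parse_line(line)
        src = rec.get("src_ip")
        if rec.get("log_type") != "Firewall" or src not in summary:
            continue                      # other log types, or hosts we are not interested in
        key = f"{rec.get('protocol', '?')}/{rec.get('dst_port', '?')}"
        bucket = "allowed" if rec.get("status") == "Allow" else "denied"
        summary[src][bucket][key] += 1
        summary[src]["rules"].add(rec.get("fw_rule_id", "?"))
    return summary


def service_list(summary):
    """Distinct (protocol, dst_port) pairs actually allowed: candidates for a tight service group."""
    seen = set()
    for dev in summary.values():
        for key in dev["allowed"]:
            proto, port = key.split("/")
            seen.add((proto, int(port)))
    return sorted(seen)


# --- constructed sample log: field layout follows SFOS syslog, every value is made up ---
_TEMPLATE = ('device="SFW" date=2024-05-01 time=20:11:{sec:02d} timezone="AEST" device_name="XG115W" '
             'log_type="Firewall" log_component="Firewall Rule" log_subtype="{subtype}" status="{status}" '
             'fw_rule_id={rule} in_interface="Port1" out_interface="Port2" src_ip={src} dst_ip={dst} '
             'protocol="{proto}" src_port={sport} dst_port={dport} srczone="LAN" dstzone="WAN"')


def _line(sec, status, rule, src, dst, proto, sport, dport):
    subtype = "Allowed" if status == "Allow" else "Denied"
    return _TEMPLATE.format(sec=sec, subtype=subtype, status=status, rule=rule, src=src, dst=dst,
                            proto=proto, sport=sport, dport=dport)


DEVICE_IPS = {"192.168.1.50", "192.168.1.51"}   # the two reserved plug addresses (made-up values)
SAMPLE_LOG = [
    _line(1, "Allow", 29, "192.168.1.50", "203.0.113.10", "TCP", 50234, 8443),
    _line(2, "Allow", 29, "192.168.1.50", "203.0.113.10", "TCP", 50235, 8443),
    _line(3, "Allow", 29, "192.168.1.50", "192.0.2.53",   "UDP", 40001, 53),
    _line(4, "Allow", 30, "192.168.1.51", "198.51.100.7", "UDP", 123,   123),
    _line(5, "Allow", 30, "192.168.1.51", "203.0.113.20", "TCP", 50236, 3475),
    _line(6, "Deny",  0,  "192.168.1.51", "203.0.113.30", "UDP", 1040,  1040),  # constructed drop
    _line(7, "Allow", 5,  "192.168.1.20", "203.0.113.99", "TCP", 50237, 443),   # a laptop, not a plug
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, DEVICE_IPS)
    for ip, data in sorted(result.items()):
        print(ip, "allowed:", dict(data["allowed"]), "denied:", dict(data["denied"]),
              "rules:", sorted(data["rules"]))
    print("service group candidates:", service_list(result))
```

To use it on real data, export the firewall log from the XG (or point a syslog receiver at it), read the file into a list of lines and replace SAMPLE_LOG and DEVICE_IPS. Anything landing in the "denied" bucket, or matching a rule other than the one you expect, is the first thing to chase; the service_list output is what the "Kasa Ports" group should contain once the plugs have been observed for a while.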