TP Link HS 110 Power Switch not blocked



  • Hello,

    I have an XG7100 Desktop for testing/learning purposes. My wife is, apart from me, the only end user.

    I still have some work to do, but I have my basic configuration wishes just about done. However, I am now running into a strange thing. It probably has to do with me being a noob.

    I have configured pfSense with a few vlans:

    4090 - WAN
    333 - LAN
    444 - SmartDevs

    Just to be sure, I have configured a 'drop all' rule (at the bottom) on all interfaces. When I run an external port-scan, no ports are open.

    IPv4+6 * * * * * * none

    The SmartDevs vlan has no other rules configured besides the 'drop all' rule. The DHCP server is running on the SmartDevs interface.

    I have an ethernet-over-power connection from a switch to my shed. It is connected to the SmartDevs vlan. In my shed, the ethernet-over-power unit (TP-Link AV500) sends out a Wifi signal. Connected to that wifi point is my TP Link HS 110 Power Switch. I can operate the device through an app called 'Kasa'.

    Like I said before, I have no rules to allow any kind of traffic. But for some reason I can still operate the device from a 4g internet connection with the Kasa app.

    Am I doing something terribly wrong? Does anybody have an explanation why I am still able to operate the device while having no allow-rules?


  • Rebel Alliance Global Moderator

    Post your rules on the vlan this device is connected to - let's see them.. You have no floating rules?

    Keep in mind these devices phone home, and get their commands from this connection that they create - has nothing to do with unsolicited inbound traffic..

    Also any of your other vlans - unless specifically blocked would be able to create unsolicited traffic into your restricted vlan.. And the state would allow return traffic.

    There is zero reason to create a specific block rule on any interface since default is deny that is not shown.. Only reason to create specific block would be to filter on some traffic or log specific blocks while not logging the default deny, etc. Or not log something that is blocked, etc. etc..

    Please post up the rules and we can discuss what is actually going on.

    BTW I have some HS110's and use kasa... The devices phone home... I can show you the connections they make because I log their traffic.

    Oh my HS110s are not online currently - I use those for my xmas lights, have not set them up this year yet.. But I have a HS105 mini which is the same thing.. Here you can see one of its phone home connections
    192.168.4.211:60606 -> 52.203.66.124:443 ESTABLISHED:ESTABLISHED 239 / 122 17 KiB / 16 KiB
    That dest IP is owned by amazon...
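The point made above (an outbound state opened by the device carries its reply traffic; no inbound allow rule is involved) can be checked directly against the state table. The following is an added example, not code from the thread or from pfSense: it parses lines in the format quoted above (as shown in Diagnostics > States) and lists the states that a host on the IoT vlan opened towards a non-RFC1918 address. The sample lines are constructed; the 9999 line mirrors the local-control port mentioned later in the thread, and the RFC 5737 documentation addresses stand in for internet hosts.

```python
import ipaddress
import re

# Matches the state-table line format quoted in the post above:
#   <src ip>:<port> -> <dst ip>:<port> <state>:<state> <n> / <n> <bytes> / <bytes>
# Only the source, destination, state and the two packet counters are captured.
STATE_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<pin>\d+)\s*/\s*(?P<pout>\d+)"
)

# Private ranges; anything outside them is treated as "the internet".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (not real captures). The first line repeats the one quoted
# above; the second is a local-only connection on port 9999; the third is another
# IoT host phoning home; the fourth is a host outside the IoT vlan; the last is noise.
SAMPLE_STATES = """\
192.168.4.211:60606 -> 52.203.66.124:443 ESTABLISHED:ESTABLISHED 239 / 122 17 KiB / 16 KiB
192.168.4.50:51234 -> 192.168.4.211:9999 ESTABLISHED:ESTABLISHED 12 / 10 1 KiB / 1 KiB
192.168.4.212:41120 -> 203.0.113.9:8883 ESTABLISHED:ESTABLISHED 5 / 5 600 B / 500 B
10.0.0.7:55000 -> 198.51.100.3:443 ESTABLISHED:ESTABLISHED 1 / 1 100 B / 100 B
garbage line that does not parse
"""


def parse_state(line):
    """Return one state line as a dict, or None if the line does not match."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "pin", "pout"):
        d[k] = int(d[k])
    return d


def phone_home_states(states_text, iot_net):
    """States opened by a host in iot_net to an address outside RFC1918 space.

    Reply packets ride on these states, so the device stays controllable from
    its vendor cloud even with no inbound allow rule on the vlan.
    """
    net = ipaddress.ip_network(iot_net)
    found = []
    for line in states_text.splitlines():
        st = parse_state(line)
        if st is None:
            continue
        src, dst = ipaddress.ip_address(st["src"]), ipaddress.ip_address(st["dst"])
        if src in net and not any(dst in r for r in RFC1918):
            found.append((st["src"], st["dst"], st["dport"], st["state"]))
    return found


if __name__ == "__main__":
    for s in phone_home_states(SAMPLE_STATES, "192.168.4.0/24"):
        print("%s -> %s:%d (%s)" % s)
```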



  • @johnpoz said in TP Link HS 110 Power Switch not blocked:

    Keep in mind these devices phone home, and get their commands from this connection that they create - has nothing to do with unsolicited inbound traffic..

    Hello John,

    Just a quick reply for now (I have an exam coming up so my available time is limited), but I just want to thank you for your answer and your effort. Especially for making me realize this: 'Keep in mind these devices phone home, and get their commands from this connection that they create - has nothing to do with unsolicited inbound traffic'.

    and

    'Also any of your other vlans - unless specifically blocked would be able to create unsolicited traffic into your restricted vlan.. And the state would allow return traffic.'

    I think I have to first analyze the other vlans.

    Especially cool that you have such devices yourself! :) I have found this website where they speak of ports 9999 and 1040 being used.

    https://www.softscheck.com/en/reverse-engineering-tp-link-hs110/

    Well I have to stop for now, but I will post more information when I have it.


  • Rebel Alliance Global Moderator

    Yes the 9999 can be used for local control... But that is NOT how you would control it when you were on some other internet connection.. The 4g one.. Unless you were also on your local wifi network at the same time?

    If your kasa app was on the same network as your HS110, then what the rules are on pfsense has nothing to do with same network connectivity..