Local control of TP-Link Kasa switches from Kasa app across VLANs

At long last, I started taking network security a bit more seriously at home and started restricting access to the Internet to some of my dubious IoT devices.

To improve the security of the home network, the first step was setting up VLANs – I now have one trusted VLAN and one untrusted VLAN. All my IoT devices are in the untrusted VLAN and my main devices are in the trusted VLAN. The firewall rules are set up so that traffic from the trusted VLAN to the untrusted VLAN is allowed, and return traffic from the untrusted VLAN to the trusted VLAN is allowed; any other traffic from the untrusted VLAN to the trusted VLAN is blocked.

In addition, while I like the TP-Link Kasa devices as they are trouble-free and work quite well for their stated purpose, I wanted to cut off their Internet access. So I put them in a group and created a firewall policy that blocks all Internet access for the devices in that group.

The net effect of all of this is the following:

  • When I use a device like my phone or tablet (which is on the trusted VLAN), I can no longer see or control the Kasa devices using the Kasa app.

By itself, this is not a big deal – I mostly control them from Alexa (which is in the untrusted VLAN) or Home Assistant, which also is in the untrusted VLAN. However, it is nice to be able to connect to these devices from the app from time to time. If you have a similar setup and you want to be able to connect to these devices from the Kasa app, you have three choices:

  • Allow Internet connectivity to the Kasa devices. The devices phone home (to AWS) and the app seems to be able to pick them up via the AWS phone home route.
  • Connect the device running the app to the same network/VLAN as the Kasa devices. Local discovery works via UDP broadcast (which is different from mDNS, so enabling mDNS reflection in your router/firewall doesn’t help here).
  • Set up a UDP broadcast relay between the two VLANs and also allow UDP traffic from the devices' specific source ports in the untrusted VLAN back to the trusted VLAN (the relayed broadcast never passes through the firewall, so the devices' replies are not recognised as return traffic and need their own rule).

I decided to set up the third option – here’s how you can do it:

  • Have a Linux machine that can connect to both VLANs. eth0 and mgmt are the interfaces it uses to connect to the VLANs.
  • Install udpbroadcastrelay on this machine (download the Makefile and the .c file, then run make and make install as root).
  • Create two instances of udpbroadcastrelay that listen for broadcasts on ports 9999 and 20002 and forward them from the trusted VLAN to the untrusted VLAN. Command lines for running these instances:
      udpbroadcastrelay --id 1 --port 9999 --dev mgmt --dev eth0
      udpbroadcastrelay --id 2 --port 20002 --dev mgmt --dev eth0
  • Now, open the Kasa app on your device in the trusted VLAN and you should be able to see and control your Kasa devices.
  • You should create systemd service units to start these relays automatically – here’s what they look like (put them in /etc/systemd/system/kasa-9999.service, for example, with a second unit using --id 2 and --port 20002 for the other relay):
[Unit]
Description=Kasa UDP Relay Port 9999
Wants=network-online.target
After=network-online.target

[Service]
# ID 1 for port 9999
ExecStartPre=/usr/lib/systemd/systemd-networkd-wait-online --interface=eth0 --interface=mgmt --operational-state=routable
ExecStart=/usr/local/sbin/udpbroadcastrelay --id 1 --port 9999 --dev mgmt --dev eth0
Restart=always
RestartSec=5s
User=root

[Install]
WantedBy=multi-user.target
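To check that the relay and the reverse-UDP firewall rule actually work without reaching for the app, here is an added example script (my own, not from the post or from the udpbroadcastrelay project). It sends the same kind of discovery broadcast the Kasa app sends on port 9999 from a machine in the trusted VLAN and lists the devices that answer. The post only states that discovery is a UDP broadcast on ports 9999 and 20002; the payload format (a JSON get_sysinfo query obfuscated with TP-Link's autokey XOR, initial key 171, as implemented by python-kasa) is assumed from the legacy Kasa protocol and is not on the page, and the different binary discovery format on port 20002 is not covered here. The broadcast address is a placeholder for your trusted VLAN's directed broadcast, and the sample device reply is constructed so the parser can be exercised offline.

```python
"""Kasa legacy (port 9999) discovery probe - added example, not from the post.

Run from a host in the trusted VLAN:  python3 kasa_probe.py 192.168.10.255
If udpbroadcastrelay and the reverse-UDP rule are working, each Kasa device
in the untrusted VLAN shows up with its alias, model and relay state.
"""
import json
import socket
import sys

KASA_PORT = 9999           # legacy discovery/control port (first port the post relays)
XOR_KEY = 171              # initial key of TP-Link's autokey XOR obfuscation (assumed)
DISCOVERY_QUERY = {"system": {"get_sysinfo": {}}}


def encrypt(plain: bytes) -> bytes:
    """Autokey XOR: each output byte becomes the key for the next byte."""
    key = XOR_KEY
    out = bytearray()
    for b in plain:
        c = b ^ key
        key = c
        out.append(c)
    return bytes(out)


def decrypt(cipher: bytes) -> bytes:
    """Inverse of encrypt(): the *cipher* byte becomes the next key."""
    key = XOR_KEY
    out = bytearray()
    for c in cipher:
        out.append(c ^ key)
        key = c
    return bytes(out)


def build_discovery_packet() -> bytes:
    """UDP discovery carries the obfuscated JSON with no length prefix."""
    return encrypt(json.dumps(DISCOVERY_QUERY, separators=(",", ":")).encode())


def parse_reply(payload: bytes) -> dict:
    """Reduce a get_sysinfo reply to the fields worth showing; raises on junk."""
    info = json.loads(decrypt(payload))["system"]["get_sysinfo"]
    return {
        "alias": info.get("alias"),
        "model": info.get("model"),
        "mac": info.get("mac"),
        "relay_state": info.get("relay_state"),
    }


def constructed_reply_packet() -> bytes:
    """A made-up device reply (constructed sample, not captured traffic)."""
    reply = {"system": {"get_sysinfo": {
        "alias": "Porch light", "model": "HS200(US)",
        "mac": "00:00:5E:00:53:01", "relay_state": 1, "sw_ver": "1.0.0"}}}
    return encrypt(json.dumps(reply, separators=(",", ":")).encode())


def discover(broadcast: str, timeout: float = 3.0) -> dict:
    """Broadcast one discovery query and collect replies until the timeout.

    Replies come back unicast from each device's port 9999 to our source
    port, which is exactly the traffic the post's extra firewall rule permits.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    found = {}
    try:
        sock.sendto(build_discovery_packet(), (broadcast, KASA_PORT))
        while True:
            data, (addr, _port) = sock.recvfrom(4096)
            try:
                found[addr] = parse_reply(data)
            except (ValueError, KeyError, TypeError):
                continue   # not a Kasa reply; ignore and keep listening
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


def main() -> None:
    # Placeholder: replace with the directed broadcast of your trusted VLAN.
    broadcast = sys.argv[1] if len(sys.argv) > 1 else "192.168.10.255"
    devices = discover(broadcast)
    if not devices:
        print("no Kasa devices answered - check the relay unit and the reverse UDP rule")
    for addr, info in sorted(devices.items()):
        print(f"{addr:15} {info['alias']!r} {info['model']} state={info['relay_state']}")


if __name__ == "__main__":
    main()
```

If the script sees nothing while a phone on the untrusted VLAN still finds the devices, the broadcast is not being relayed; if tcpdump on the relay host shows replies leaving the untrusted VLAN but the script still times out, the reverse UDP rule (source port 9999 from the device group to the trusted VLAN) is the thing to look at.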
