
Hello!

Not sure if someone has asked this before, but my Dutch skills are very poor and I couldn't find any similar question even after searching with Google Translate.

I have a couple of smart plugs which connect to the power outlet and can be used to switch on/off the devices plugged into it, using its smartphone app. It is connected to the Wifi using KPN Box 12.

The problem is that I am able to control the device even when I am not connected to the Wifi. Since there is no port-forwarding configured, this should be some sort of a relay over the outbound connection.

I am not sure if I am happy knowing that someone could potentially hack some relay server of the manufacturer and send messages to the plug to turn the devices ON/OFF.

While I am investigating how the device works and whether I would be able to control the device within the LAN with no Internet connection, I wanted to know if there is a setting in KPN to potentially set some firewall rules to disable all outbound traffic 0.0.0.0/0 from these devices and only allow inbound from the LAN network, probably on ports 80/443? Also, can I configure some way to get all outbound traffic logs from these devices? If not, is there a way to edit the route table somehow for these devices to add an extra hop to one of my other devices to log all traffic from there?

Any other suggestions also welcome.

Although everything you are looking for should be easily doable on a modem router device, unfortunately the configurable options in the software of the KPN V12 are very limited and aimed at average usage.

To be able to have blocking features, the V12 device needs to be exchanged for a privately owned device with more possibilities.


Be advised that various smart devices need the connection to the servers from the manufacturer to operate. Usually the companion smartphone app connects to the same servers, and that way the smart plugs are operated within and outside of the own network.

It could be that when you kill the outbound connection you disable the plugs altogether.

 



 

Yeah, I am using Meross mss210 smart plugs and this is indeed the case with the default configuration. I did find some promising Reddit and GitHub threads that showed options to self-host an MQTT server and force the device to work within the local network (although the smartphone app will no longer work and I would have to use a custom tool or a self-hosted Home Assistant server).

Another option I read was to use restricted mode in HomeKit which should allow for it to be controlled locally, although there was apparently still some background data transfer which they couldn't confirm.

I think I will keep it in the default config for now, and experiment with Home Assistant once I increase my fleet of smart devices. Seems to be an overkill to do it for just 2 smart plugs.

 

For me an ideal solution would have been a script that will update firewall rules on the modem (using some API from the router?) so that I can disable the smart plug internet access by default, and when I want to turn it ON/OFF I would run a parallel script to re-enable traffic and work with the smartphone app, and then disable traffic again. I could write a widget on my home screen that would run these scripts so that I am in control of when and how the network is open and I can still use the smartphone app.

I realize that the KPN modem 12 is very limited in this regard. I do have a spare TP Link Archer router. Will try to see if I can set up a separate Wireless AP with TP Link connected to the KPN modem. Basically I can then see if I can programmatically disable the connection between TP Link and KPN so that the devices connected to this second AP will not have internet access. Seems to be an overkill, but since the smart plugs are not open-source I am not sure if I would be comfortable knowing that they can push an update that would give them reverse tunnel access to my local network.

 

 

 


Don't worry, the smart home virus will get you soon enough.

It started with me when I lost the remote of a couple of klikaan-klikuit devices… the replacement I bought wasn't directly compatible anymore, so I bought a Raspberry Pi and started my first home automation project to make the remote work.

Since then every bulb and switch I bought was smart (without needing an internet connection) and now the lights automatically turn on when it's dark enough and people are at home etc etc etc.


Quick solution: set up your smart wifi plugs using the second (guest) SSID; once connected you can operate them from your smartphone over your normal wifi or 4G/5G.

Long term solution: stay far from wifi enabled plugs. Protocols like Zigbee (Philips Hue, Ikea Tradfri, Klik aan klik uit, etc) or Matter (very very new successor of Zigbee) operate from a local hub and don't require a working internet connection. You've got full control and everything remains local. Integration with Home Assistant is flawless too.

Like Vulpen said: smart home integrations are addictive, you'd better start with decent equipment and form a solid base on which you can build for many years.

Imagine having 25 wifi enabled devices (which isn't that much in a smart home); that would stress out your Experia Box and you'll end up buying a router. Save that investment and buy a NUC with a Zigbee dongle, then you're good to go with Home Assistant and have many years of fun with it.

 


You can try to set up rules for the devices using parental control (ouderlijk toezicht), preventing them from connecting outside the local LAN?
 


If you are willing to use a more professional router you would be able to set up firewall rules blocking these devices from outbound communication.

I use an EdgeRouter 4 and there I can easily create such rules.

For example the rule below blocks a device from communicating over UDP port 5060 to the SIP server of KPN.
