Updating Firmware on devices remote site

2022-04-05 15:53:02 - last edited 2022-04-06 04:30:34
Hardware Version: V5
Firmware Version: 5.2.4

I discovered to my great surprise that TP-Link has started using ports 8043 and 443 to update devices instead of 29813. This is the same port used to manage the Omada SDN V5 controller.

For security reasons I have always had these ports closed, but I suddenly had problems updating devices on the remote site and had to open 8043. Now my controller is open to everyone, which in my opinion is a big security problem. Many of my remote sites have dynamic IPs and therefore I must open up to everything. It is also not possible to approve on FQDN. So my question is: is it possible to block controller management, or do you have to have a controller for each site to solve this?
It's a little scary that something so simple is so poorly thought out.


https://www.tp-link.com/no/support/faq/3281/

Re:Updating Firmware on devices remote site
2022-04-06 06:32:08 - last edited 2022-04-06 06:47:10

  @shberge 

Is it possible for you to change port 8043 to another port to avoid your security concerns? It's the HTTPS connection. Will changing this port number make a difference for your firmware upgrade? I know that port is under the Controller settings and can be changed.

I remember ACL applies to WAN>LAN. Create an ACL to stop others from accessing your network? https://www.tp-link.com/us/support/faq/2026/

Re:Updating Firmware on devices remote site
2022-04-06 09:25:40 - last edited 2022-04-06 09:27:03

  @John1234 

Yes, I changed the port and disabled the NAT rule (but then the firmware update also uses the new port).
I open NAT only when I need to do firmware updates on the remote site.

But it is poorly thought out to do it this way.

It does not help to block, since the remote site has a dynamic IP. If I could use an FQDN in the NAT rule, it would have been fixed.

It is also not possible to block WAN to LAN in the router; you can only do this in standalone mode.

Re:Updating Firmware on devices remote site
2022-04-07 05:10:19

  @shberge 

I remember that there is a default rule for the Controller ACL, something like all IPs? If not, you can try to create a group with 0.0.0.0/0.0.0.0, which means all IP addresses. Will this resolve the issue you have?

Re:Updating Firmware on devices remote site
2022-04-07 06:13:23

  @John1234 

You can create rules from LAN to WAN but not from WAN to LAN, but anyway such rules will not work when the remote site has a dynamic IP. What's the point of making a NAT rule that allows all IPs and then blocking the whole world afterwards?

I have solved it for now by deactivating the NAT rule. Now that I know about the new port, I activate it when a remote device needs a firmware update.

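The thread's risk is a port-forward that publishes the controller's management port (8043/443, formerly 29813) to every source address, with "disable the rule until an update is needed" as the workaround. The following is an added example, not code from the thread or from TP-Link: a small audit that walks a router's port-forward table and flags any enabled rule that exposes a controller port to the whole Internet, accepting both the `0.0.0.0/0.0.0.0` group form mentioned in the thread and a plain `any`. The rule table, its field names (`name`, `enabled`, `dport`, `source`) and all addresses are constructed for the example and are not the Omada schema.

```python
"""Audit port-forward (NAT) rules for Omada-controller ports open to any source."""
import ipaddress

# Ports the thread names as used by the controller and for firmware updates.
CONTROLLER_PORTS = {8043, 443, 29813}
ANY_SOURCE = ipaddress.ip_network("0.0.0.0/0")


def parse_source(text):
    """Turn a source spec into a network. 'any' and the netmask form
    '0.0.0.0/0.0.0.0' (the 'all IPs' group from the thread) both cover all IPv4."""
    text = text.strip().lower()
    if text in ("any", "*", ""):
        return ANY_SOURCE
    return ipaddress.ip_network(text, strict=False)


def audit_rules(rules, controller_ports=CONTROLLER_PORTS):
    """Return (rule_name, port, reason) for each enabled forward that lets the
    whole Internet reach a controller port. Pass a custom port set if the
    controller's HTTPS port was moved, since the update path follows it."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # a disabled forward (the poster's workaround) exposes nothing
        port = int(rule["dport"])
        if port not in controller_ports:
            continue
        src = parse_source(rule.get("source", "any"))
        if src.prefixlen == 0:  # /0 means every source address is allowed
            findings.append((rule["name"], port, "controller port reachable from any source"))
    return findings


# Constructed sample table (assumed field names, not a real device export).
SAMPLE_RULES = [
    {"name": "omada-https", "enabled": True, "dport": 8043, "source": "0.0.0.0/0.0.0.0"},
    {"name": "omada-https-site-b", "enabled": True, "dport": 8043, "source": "198.51.100.0/24"},
    {"name": "omada-legacy", "enabled": False, "dport": 29813, "source": "any"},
    {"name": "web", "enabled": True, "dport": 80, "source": "any"},
]

if __name__ == "__main__":
    for name, port, reason in audit_rules(SAMPLE_RULES):
        print(f"{name}: tcp/{port} {reason}")
```

Only `omada-https` is reported: the site-B rule is restricted to one prefix (the allowlisting a dynamic-IP site cannot use), the legacy rule is disabled, and port 80 is not a controller port.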