Not allowed to management Deco M9 plus remotely

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2019-08-21 14:24:33 - last edited 2019-08-26 06:02:25
Model: Deco M9 Plus  
Hardware Version:
Firmware Version:

I am using a Deco M9 Plus currently. I would like to prohibit the internet connection from managing Deco devices through the app.

Can you guide me on how to configure it to allow only the internal connection to manage the Deco? Thanks.


 
Re:Not allowed to management Deco M9 plus remotely
2019-08-22 04:01:54

@Prince.Chiu 

 

Once you set up the Deco mesh system well, you can use the Deco app to manage it with your TP-Link ID, both locally and remotely.

Good day.

#2
Re:Re:Not allowed to management Deco M9 plus remotely
2019-08-22 23:20:16

Dear sir, Thanks for your message. But, I want to disable the “remote” control capability. Would you please tell me how to configure it. Thanks.

#3
Re:Re:Re:Not allowed to management Deco M9 plus remotely-Solution
2019-08-23 01:09:25 - last edited 2019-08-26 06:02:25

@Prince.Chiu 

 

Hello, thanks for your reply. Sorry to tell you that there is no option to disable remote management on the Deco, because the TP-Link ID is necessary to configure the Deco mesh network; inevitably, we can use it to manage it both locally and remotely.

Please be assured, though: first, we've banned SSH login on Decos and blocked the function of typing in the command line, so there is no security problem; second, the SSH function on the Deco can only serve the Deco, and does not support SSH clients logging in.

Besides, the TP-Link ID is needed to manage the device remotely; others without permission (who do not know it) won't be able to log in to the Deco app to manage your network.

Best regards.

Recommended Solution
#4
Re:Re:Re:Re:Not allowed to management Deco M9 plus remotely
2019-08-23 11:26:41

Dear sir, Thanks for your reply.

#5
Re:Re:Re:Re:Re:Not allowed to management Deco M9 plus remotely
2019-08-26 06:01:37

@Prince.Chiu 

 

You are most welcome.

 

If you need more help, do not hesitate to contact us.

Good day.

#6
Re:Re:Re:Not allowed to management Deco M9 plus remotely
2020-02-12 19:47:39

@Kevin_Z Sorry, I'm not happy with your answer.

 

Such forced access means that I have to fully trust TP-link, while I had to accept all kinds of conditions I did not have time to read (and else I would not be able to use the device).

 

Stating there is no security issue because "SSH is blocked for clients" is misleading. You obfuscated SSH-commands (if I understand correctly), but it still runs an (altered) SSH-server which can have old security flaws.

#7
Re:Not allowed to management Deco M9 plus remotely
2020-02-26 14:27:56 - last edited 2020-02-26 14:31:18

I also share the concerns about the cloud control. I'd prefer to have full control of my routers, otherwise I cannot be sure that these routers don't send tracking metrics to tp-link even when it is configured in AP mode. I'm thinking about returning this router to the shop.

Another annoying thing. If I reboot my dedicated router, tp-link in AP mode takes the DHCP role and routes the traffic through the primary Deco. From my point of view this is unacceptable. In certain cases it also gives its own default IP subnet 192.168.68.0/24, when my local network doesn't use this.

#8
Re:Not allowed to management Deco M9 plus remotely
2020-03-27 20:39:41 - last edited 2020-03-27 20:43:52

Yup, also going to send back the Deco and warn others about this stupid security design flaw.

Some links around security problems:

#9
Re:Not allowed to management Deco M9 plus remotely
2020-04-03 06:37:27

I'm not at all happy with this crap "management in the cloud" bull... I have no control of what goes back and forth between my network and TP-Link. For goodness' sake, make it optional for those who for some reason have a need to remotely manage their Deco.

One of these days I might spend some time on checking on the traffic by running Wireshark on it in order to see where it communicates to and with what protocols.

What I have done is that I'm running my Deco e4's in AP mode and simply denied internet access to the Decos by not giving them a gateway from the DHCP. They complain that there is no internet, but this is no issue as such. I can still "manage" them through the not so great Android app. It's also possible to log in to them through the http:// interface.

In case there is a firmware upgrade, then I can give the Decos a gateway IP and let them grab the firmware over the internet or just download it and do the upgrade over the web interface.

#10
Re:Not allowed to management Deco M9 plus remotely
2020-04-04 10:19:10 - last edited 2020-04-06 06:12:15

The management didn't work correctly without "internet"; the minimum requirement seems to be that DNS servers are reachable. The e4's are now happy after I gave them access to the DNS servers.

Edit 1: This is my final setup for the Decos with blocked "cloud management".

 - Running in AP mode.

 - Access to any NTP server on the internet, as the Decos don't honor the NTP servers provided by DHCP.

 - Access to my DNS servers.

 - Blocked all other internet access. Most important is to block outbound traffic on tcp port 443.

#11
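The egress policy listed in post #11, written out as an added example (not part of the thread, and not the poster's or TP-Link's own configuration): a shell function that prints an nftables ruleset for the upstream router. It assumes a Linux router running nftables and IPv4 only; the interface name `wan0`, the table and set names, and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: print an nftables ruleset for the upstream router.
# Interface name and all addresses below are constructed placeholders.

# Succeeds if $1 is a comma-separated list of IPv4-shaped addresses.
is_ipv4_list() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(,[0-9]{1,3}(\.[0-9]{1,3}){3})*$'
}

# Usage: deco_egress_ruleset WAN_IF DECO_IPS DNS_IPS
deco_egress_ruleset() {
    wan_if=$1
    # Reject anything that could break out of the quoted name or the sets.
    case $wan_if in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    is_ipv4_list "$2" || { echo "bad Deco list" >&2; return 1; }
    is_ipv4_list "$3" || { echo "bad DNS list" >&2; return 1; }
    decos=$(printf '%s' "$2" | sed 's/,/, /g')
    dns=$(printf '%s' "$3" | sed 's/,/, /g')
    cat <<EOF
table ip deco_egress {
    set deco_aps {
        type ipv4_addr
        elements = { $decos }
    }
    set my_dns {
        type ipv4_addr
        elements = { $dns }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # This chain only judges traffic sourced from the Decos.
        ip saddr != @deco_aps accept
        # DNS, but only to the listed resolvers.
        ip daddr @my_dns udp dport 53 accept
        ip daddr @my_dns tcp dport 53 accept
        # NTP to any server, since DHCP-provided NTP servers are ignored.
        udp dport 123 accept
        # Cloud channel: count and log each attempt, then drop it.
        oifname "$wan_if" tcp dport 443 counter log prefix "deco-443-blocked " drop
        # Everything else from the Decos that would leave via the WAN.
        oifname "$wan_if" counter drop
    }
}
EOF
}

# Review the output, then load it with: deco_egress_ruleset ... | nft -f -
deco_egress_ruleset wan0 192.168.1.11,192.168.1.12 192.168.1.2
```

The counter and log prefix on the port 443 rule give a record of how often the access points try to reach out, which is a lighter alternative to the packet capture mentioned in post #10.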