Absolutely cannot figure out how to connect to Hass.io externally

A little back story. So I use Comcast as my internet provider and recently upgraded my router from a DOCSIS 3.0 Comcast issued modem combined with an Asus RT-AC68U router to a DOCSIS 3.1 Netgear X4S C7800. Prior to the switch, I had no problems with port forwarding and accessing my devices (which at the time were mainly IP cameras, SABnzbd devices, etc.) using my dynamic IP address which I’ve had for years through NOIP.com. After getting the new modem/router, I used it but never reintegrated the devices since I was going to be moving. I moved just a few months ago and I am just now trying to get everything back up and running; or at least trying to.

Fast forward to a couple of weeks ago. I decided to use the spare ASUS as a wired AP so I’ve run a LAN cable from the Netgear to the ASUS and set up a different SSID on it. So far, so good; all seemed to be working good. NOTE: All that follows is set up through the Netgear; the mention of the ASUS is just for reference.

So I order my kit for the HA system and while waiting for it to come in, I try setting up one of my IP cameras. I set up a static IP in my router config and assigned the port forwarding. It was then that I noticed that I had no remote access and get this, I had to use my dynamic DNS:port to access the camera on my local network. I found though, that if I turned on UPnP on the camera and deleted the static address and port forward, all was good again. I could access the camera via ip:port locally and via noip:port externally. Good 'nuff.

So now I’m moving on to the HA install. Again, I found that if I set a static IP for the Hassio/Rpi3B AND forwarded the port, I not only could not access it externally, I had to use noip:port to access locally. I lost access locally via the ip:port (and/or the http://hassio.local:port). For the life of me, I couldn’t figure out why but assumed (at the time) that it had something to do with setting up a static IP through the router config but I thought that since UPnP worked for the camera, I’d try that for the Rpi3. I attempted to use the UPnP command in the configuration.yaml but no love. Nothing I tried worked; though admittedly, I’m not really clear on how to use the command properly.

Hmm, so maybe the problem was using a static IP through the router config. So I went through the trouble of setting up a static IP by modifying the resinOS resin-sample file as follows:

[ipv4]
address1=192.168.X.ABC/24,192.168.X.Y
dns=192.168.X.Y
dns-search=
method=manual

This worked and I got my static IP without having to set it through the router config. But I STILL was having the problem. From what I can determine, it’s the port forwarding that’s causing the problem. When I take out the forwarding, I can use IP:port locally for any device I need locally but once I forward any needed port, I lose local access with IP:port and have to use noip:port locally and NO access externally. The Dynamic DNS is set up and working in my router config, so I’m truly at a loss.

Below is my config under http in the configuration.yaml but I’ve tried all kinds of variations (leaving the port off the “base_url”, adding/removing “http://” prefix, tried adding letsencrypt SSL, etc.), but nothing works. Note that I CAN access my router config remotely using my noip:port, I just can’t access any devices set up ON the router remotely using it. UGH!

  # Secrets are defined in the file secrets.yaml
  # api_password: !secret http_password
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  # base_url: example.duckdns.org:8123
  api_password: Secret_Password"
  server_port: 8123
  base_url: XXXXXXXXXX.ddns.net:8123
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
  ip_ban_enabled: True
  login_attempts_threshold: 10

Any ideas here? Probably something stupid I’m missing in the router settings or something super obvious because, you know, that’s the way my life works, but any ideas would be helpful.

Ok, so it sounds like your Netgear isn’t doing NAT reflection. Check that you’ve got the most current firmware and check the settings.

You should still be able to access it with HTTPS internally, it’ll just give you an error.

Alternatively, set up a reverse proxy (such as NGINX) and move the SSL config there.

1 Like
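A sketch of the reverse-proxy option suggested in the reply above, added here as an example and not part of any poster's configuration. The hostname, the certificate paths and the 192.168.3.3 backend address are assumptions; Home Assistant itself stays on plain HTTP on port 8123 inside the LAN while NGINX terminates TLS.

```nginx
# Added example. Assumed values: example.ddns.net, the certificate
# paths under /etc/nginx/ssl, and 192.168.3.3 as the Home Assistant host.

# Plain HTTP only redirects, so the password never crosses the
# internet unencrypted.
server {
    listen 80;
    server_name example.ddns.net;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.ddns.net;

    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Home Assistant listens on server_port 8123 without SSL.
        proxy_pass http://192.168.3.3:8123;
        proxy_http_version 1.1;

        # Pass the real client address through; otherwise every
        # failed login appears to come from the proxy itself.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The Home Assistant frontend talks to the backend over a
        # WebSocket, which needs the Upgrade handshake forwarded.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

With this layout the router forwards only port 443 to the proxy host, and port 8123 is never exposed to the WAN. Because `ip_ban_enabled` is on in the posted config, Home Assistant's `http:` section would also need `use_x_forwarded_for: true` and the proxy's address listed under `trusted_proxies`, so that a ban applies to the remote client and not to the proxy.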

Unfortunately since this is a Comcast gateway, I have no way to update the firmware. It actually has to be pushed to the modem by Comcast. Right now I have SSL disabled because I couldn’t get it working. Think it was related to the issue at hand but I’m not certain. I guess that begs the question though: will Hassio even let you connect via http (vs https, security issues aside)? I’m assuming so, based on the things I’ve read but haven’t run across anything explicitly saying you can or can’t.

The settings for this gateway are woefully lacking. I was using Merlin Firmware on the Asus and got spoiled. I’ll research NAT reflection and see what that is. When I was trying to look up stuff on this issue I was coming across NAT loopback but that doesn’t seem to be it since that still allows connection via IP:port.

EDIT: Disregard my comments on NAT loopback. Looks like the same thing as NAT reflection.

You can replace it with your own unit - you don’t have to keep using theirs (a quick Google search will get you lots more). Then you get full control and away from the double NAT situation.

You can use HTTP remotely if you want, but obviously that’s a very bad idea.

Assuming you’re talking about the modem but this is one that I purchased (you can check out the link to it in the original post). It’s not Comcast equipment. For whatever reason though, Netgear will not allow firmware updates by the consumer. They have to be pushed by the ISP. I’m starting to regret spending that much money on a modem/router combo. Should have just bought them separately. Was more of a “OMG THAT’S SO COOL!” purchase.

Can you put it into bridge mode?

1 Like

I have a business class Comcast connection. I had been renting their equipment for 24/7 service. When I stopped that, I got a simple cable modem and added my own router and WiFi equipment. I have a spare modem, should one fail.
The Motorola Surfboard is so simple, there is nothing to configure or change. No login either.

The Netgear? No, strictly a cable modem and wireless AC router. The ASUS is configurable like that but since the Netgear is the gateway, I don’t think that will help me. I just don’t understand why it even has port forwarding if I can’t access those ports off network.

Is the Asus connected to the Netgear through the WAN port? or LAN port?

LAN. And I had also disconnected it at several points during the troubleshooting process to rule it out. Here’s one thing I’ve noticed though; none of the ports I’ve forwarded are showing up externally. What’s strange though is that the remote access ports for the Netgear are, thereby allowing me to access the router setup. Those are set up on the remote access config page and not the port forward/port triggering page.

And this might be a coincidence or not, but my prior DHCP range was 192.168.3.100 to 254. I recently changed that to 192.168.3.5-254. 192.168.3.1 has always been the gateway but I wanted to give the ASUS 168.3.2, the Rpi, 3.3, etc but outside of the range of the DHCP server. I’m wondering if somehow changing that DHCP range screwed something up. As I continued to mess around with it, and since I was able to set static on both the ASUS (via reserved on the Netgear), and HA through resinOS, I again changed my DHCP range to 192.168.3.2-254. I wonder if changing it around like that caused my self assigned ports to stop forwarding causing the problem with the IP camera and now HA. The port forwards have been deleted and recreated several times and not just edited so I can rule trying that out (deleting and recreating the entries). I would really prefer avoiding a factory reset though if there’s ANY possibility of it being something else. The behavior I’m seeing is just bizarre and I’m feeling that I may end up having to go that route.

It is likely something simple that you have missed or some incompatibility. I get out the whiteboard and draw things out. Make sure you know and understand the packet paths through your network. When things don’t work, I work through each step one at a time, checking each step as I go. Since every router OEM may have different terminology or procedures, I consult the manual as I go when using something I don’t use every day.