Cannot access HA from WAN when running on non-default port

Let me first explain my network setup:

Internet ------ Modem/Router ------- Mesh Router ------- all my wifi/wired clients
                TV Decoder

The WAN side of the Modem/Router has a DHCP address assigned by the provider that never changes, so no need for DDNS solutions (yay).

The Modem/Router is provided by the ISP (mandatory) and the TV Decoder box (also provided by ISP) is directly connected to the Modem/Router. The decoder HAS to be connected DIRECTLY to the Modem/Router for additional functions like tv-guide to work. This has been extensively documented on local forums and has been repeatedly confirmed by the ISP. No way around it.

Because the ISP’s Modem/Router has limited functions and can only be configured using the ISP’s portal, I have my own Mesh router to provide a WiFi signal to my home.

How I have it configured:

Modem/router:

  • Modem/Router WAN: Public IP (consider this static)
  • Modem/Router LAN: 192.168.0.1, with DHCP active for the 192.168.0.2 → 192.168.0.100 range
  • Port forwarding: 8123->8123 to 192.168.0.205

Mesh router

  • Mesh router: 192.168.0.205 static, with DHCP active for the 192.168.68.x range (255.255.255.0)
  • Port forwarding: 8123->8123 to RPI

This works great when I run HA on port 8123 on the RPI.
However, my company network blocks outgoing 8123, so I cannot access my HA from work. This would be fixed if I could use port 80 on the WAN side of the Modem/Router.

I tried two things, both of them unsuccessful:

  • Change the port forwarding on the Modem/Router to 80->8123
  • Run HA on the PI on port 80, change port forwarding on Router/Modem and Mesh Router so it’s all port 80 from start to end.

Both scenarios cause the infamous “invalid client id or redirect uri” error. It also throws “Login attempt or request with invalid authentication from 192.168.0.1” on HA.
So everything works fine when using port 8123 end-to-end, but not when using port mapping or when running HA on port 80.
Tried with different browsers and even different systems, without success. In both scenarios I can access HA from the local network.

System Health

  • arch: armv7l
  • chassis:
  • dev: false
  • docker: true
  • docker_version: 19.03.12
  • hassio: true
  • host_os: Raspbian GNU/Linux 10 (buster)
  • installation_type: Home Assistant Supervised
  • os_name: Linux
  • os_version: 4.19.118-v7l+
  • python_version: 3.7.7
  • supervisor: 228
  • timezone: Europe/Brussels
  • version: 0.111.4
  • virtualenv: false
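For readers who want to see what the “invalid client id or redirect uri” check actually enforces, here is an added example (not code from this thread and not Home Assistant's own code). It is a simplified re-implementation of the IndieAuth-style rule that Home Assistant's login flow is modelled on: the client_id must be a clean http(s) URL (no fragment, no userinfo, no dot path segments), and the redirect URI must share scheme and host:port with it, so an authorization code can only be sent back to the origin that started the login. The app-callback allowlist and the lookup of redirect URIs registered on the client_id page are left out. The addresses and hostnames in the sample pairs are constructed placeholders, not anyone's real setup.

```python
from urllib.parse import ParseResult, urlparse


def _canonicalize(url: str) -> ParseResult:
    """Canonicalize a URL the way IndieAuth 3.2 asks: lowercase the host
    part and treat an empty path as "/". Ports are left exactly as written."""
    parts = urlparse(url)
    parts = parts._replace(netloc=parts.netloc.lower())
    if parts.path == "":
        parts = parts._replace(path="/")
    return parts


def parse_client_id(client_id: str) -> ParseResult:
    """Validate a client_id (the origin URL of the frontend that started the
    login). Raises ValueError for anything the IndieAuth rules forbid.
    Simplified: this version does not restrict which hosts are allowed."""
    parts = _canonicalize(client_id)
    if parts.scheme not in ("http", "https"):
        raise ValueError("client_id must use http or https")
    if any(seg in (".", "..") for seg in parts.path.split("/")):
        raise ValueError("client_id must not contain dot path segments")
    if parts.fragment:
        raise ValueError("client_id must not contain a fragment")
    if parts.username is not None or parts.password is not None:
        raise ValueError("client_id must not contain a username or password")
    if not parts.hostname:
        raise ValueError("client_id must contain a host")
    parts.port  # raises ValueError if the port is present but not an integer
    return parts


def verify_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Accept redirect_uri only if it has the same scheme and the same
    host:port as client_id. The netloc comparison is literal: an explicit
    ":80" in one URL and an implicit port in the other do NOT match."""
    try:
        client = parse_client_id(client_id)
    except ValueError:
        return False
    redirect = _canonicalize(redirect_uri)
    return client.scheme == redirect.scheme and client.netloc == redirect.netloc


def check_pairs(pairs):
    """Evaluate a list of (client_id, redirect_uri) pairs and return a list
    of (client_id, redirect_uri, accepted) tuples."""
    return [(c, r, verify_redirect_uri(c, r)) for c, r in pairs]


# Constructed sample pairs (203.0.113.10 is a documentation address, not a
# real public IP). The redirect URI is what a browser-based login would use:
# the page that started the login, plus ?auth_callback=1.
SAMPLE_PAIRS = [
    # Same scheme and host, implicit port 80 on both sides: accepted.
    ("http://203.0.113.10/", "http://203.0.113.10/?auth_callback=1"),
    # Client started on port 80 but redirect points at :8123: rejected.
    ("http://203.0.113.10/", "http://203.0.113.10:8123/?auth_callback=1"),
    # https on one side, http on the other: rejected.
    ("https://203.0.113.10/", "http://203.0.113.10/?auth_callback=1"),
    # LAN address on the default HA port, consistent on both sides: accepted.
    ("http://192.168.68.50:8123/", "http://192.168.68.50:8123/?auth_callback=1"),
    # Host case differs only, canonicalization lowercases it: accepted.
    ("http://HA.Example.Test:8123", "http://ha.example.test:8123/?auth_callback=1"),
    # client_id carries a fragment: rejected before the comparison runs.
    ("http://203.0.113.10/#x", "http://203.0.113.10/"),
]

if __name__ == "__main__":
    for client_id, redirect_uri, accepted in check_pairs(SAMPLE_PAIRS):
        print(f"{'OK ' if accepted else 'BAD'}  {client_id}  ->  {redirect_uri}")
```

To test a setup of your own, pass the URL shown in the browser's address bar as client_id and the same URL with `?auth_callback=1` appended as redirect_uri; a rejection from this function means the two URLs disagree on scheme or host:port, a question that is separate from whether the port-forwarding chain delivers the packets at all.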

Are you using http over the internet to access home assistant?

That’s incredibly insecure.

Yes I am. I’m quite a fan of increasing complexity. First getting it to run (in this example: accessing from other port than 8123), and then making it more secure.
There is currently no data on the RPI’s HDD and in this phase HA is just logging things.

If you are forwarding port 80 (WAN) to 8123 (internal), don’t run Home Assistant on port 80, leave it as 8123.

Hi tom_l, thanks for your feedback.

I just tried this:

  • Modem/Router 8123->8123
  • Mesh router 8123->8123
  • HA running on 8123

Works fine as expected, local and remote.

I then changed Modem/Router to 80->8123

  • Local works fine
  • Remote I get the HA-page throwing “invalid client id or redirect uri”

Your router might block access to incoming port 80 as that would be where a remote web interface for the router would be (if it was enabled, which hopefully it isn’t!).

HA is in fact serving a page, however with the mentioned error.
If I change the forwarding on the mesh router to, e.g., the IP address of my solar converter with built-in webserver on port 80, everything works fine. The issue really seems to be with HA.

:man_shrugging: I dunno.

All I can say is, save yourself some pain and jump to installing DuckDNS (which includes Let’s Encrypt) so you can use https, and forward port 443 to 8123.

Using Let’s Encrypt on its own isn’t an option because even though you have a static IP you do not have a domain, and that is what the certificates are valid for.