Cannot access HA UI, following change of ISP (and new router)

Morning guys - I would be really grateful for some advice with this problem (apologies if it is not in the most appropriate forum - feel free to move it if necessary).

Ultimately, I have followed this guy’s really great video to set up remote access:

Home Assistant Remote Access for FREE - DuckDNS + LetsEncrypt + Single URL - YouTube

and my server has been running absolutely perfectly for months.

However, my broadband contract (with Plusnet) was coming to an end and I decided to switch to NowTV, who were offering me a better deal.

Unfortunately, things have gone wrong when it came to swapping over the routers.

I plugged everything into the new Hub2 router, set up port forwarding, but now I cannot access HA from my browser i.e. when I type https://name.duckdns.org.

I can however, access HA via SSH, which gives me some hope.

Any advice on where to start would be much appreciated as I am pretty stuck.

Are there any basic steps that you need to take, when switching IP provider and router, that I may have overlooked?

Thanks very much.

Can you reach your home assistant server at https://<ip_address>:8123 ?

You will have to allow a security exception in your web browser (the SSL certificate is for duckdns not the ip address).

1 Like

Have a look at what IP the new router assigned to the HA server.
Probably not the same as the previous router.
Make sure this matches the port forwarding

1 Like

Thanks guys.

Have indeed made sure that I have reassigned the same static IP address, with the new router, for my HA Server.

I then tried https://<ip_address>:8123 and that works, which is a big relief (as mentioned, I had to allow the security exception).

At least I have access to the UI now, which is definitely a start in the right direction - thanks very much.

I had another look at that video and I tried the website canyouseeme.org. 8123 was fine but 443 said connection refused - could this be part of the problem?

Which ports did you forward?

1 Like

I set up two (both linked to the HA Server IP address).

One was 8123 to 8123 and the other was 443 to 8123.

You can’t do that, you can’t forward 2 external ports to the same internal port on the same IP address.
You should either be forwarding 443 external to 8123 internal, or, if you have Nginx Proxy set up, you should be forwarding 443 to 443 and 80 to 80 (because 80 is needed for LetsEncrypt to renew certificates).

EDIT:
I like Lewis and he makes very good and useful videos, but I disagree strongly with exposing Home Assistant directly to the internet. That is why the Nginx Proxy Add on is in the official store. The Nginx Proxy handles SSL and communication to Home Assistant.
Home Assistant itself remains listening on port 8123, with NO SSL.

Additionally while he mentions having good passwords, he fails to mention that you should also enable 2 Factor Authentication.

However none of this relates to your issue - which is likely as mentioned in the video, ISP routers don’t typically handle NAT Loopback.

3 Likes

Thanks ever so much for this.

I have to say that whilst I am OK with general computing, networking really confuses the heck out of me.

I followed the video exactly, with my old router, and ported both 8123 to 8123 and 443 to 8123 and it just worked, so I was a little bit surprised that the same thing did not work with the new router. That being said, the Plusnet Hub One is probably a better router to begin with - lots of the reviews I have read, about the NowTV Hub2, is that it is a pile of pants.

So you reckon that I need to follow the last third of the video to get things working?

Or, do you think I should start again and go down the Nginx Proxy route instead?

EDIT:

I would just say that I also followed this hack:

Alexa with Home Assistant Local for FREE Without Subscription - YouTube

to get Alexa to work with HA. Thought I would just mention in case it is relevant (I seem to recall from the first video that port 443 is important in getting Alexa and HA to communicate).

Before looking into dnsmasq or Nginx Proxy Manager or NGINX Home Assistant SSL proxy (yes they are different things) …

First step is to check whether DuckDNS is working properly:

  1. Check your router and see what kind of WAN IP you are getting.
  2. Don’t tell us (or anyone) your public IP, but… is your new ISP running CGNAT??
  3. Search google “what is my ip” and see what kind of public IP Google is seeing from you
  4. I hope #1 and #3 match.
  5. In your web browser, log into your DuckDNS account, and see what it says about your public IP
  6. I hope this matches also.

And then check your DuckDNS config, log, restart, etc.

The next step is to check whether your ISP is blocking ports 443 and 8123, etc., to begin with.

1 Like
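The comparison in the checklist above, as an added example that is not part of the original posts: it takes the three addresses read by hand in steps 1, 3 and 5 and reports which check fails. The function names, finding tags and sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MESSAGES = {
    "cgnat": "WAN IP is in 100.64.0.0/10: ISP uses CGNAT, inbound forwards are unreachable",
    "double-nat": "WAN IP is private: the router is behind another NAT device",
    "wan-mismatch": "router WAN IP differs from the public IP websites see",
    "duckdns-stale": "DuckDNS record differs from the current public IP",
}


def classify_wan(wan_ip):
    """Classify the address shown on the router's WAN/broadband status page."""
    addr = ipaddress.ip_address(wan_ip)
    if addr in CGNAT:
        return "cgnat"
    if any(addr in net for net in RFC1918):
        return "private"
    return "public"


def diagnose(wan_ip, seen_ip, dns_ip):
    """Steps 1-6 of the checklist; returns finding tags, empty if all match."""
    findings = []
    kind = classify_wan(wan_ip)
    if kind == "cgnat":
        findings.append("cgnat")
    elif kind == "private":
        findings.append("double-nat")
    wan, seen, dns = (ipaddress.ip_address(x) for x in (wan_ip, seen_ip, dns_ip))
    if wan != seen:          # steps 1 and 3 should match
        findings.append("wan-mismatch")
    if dns != seen:          # step 5 should match step 3
        findings.append("duckdns-stale")
    return findings


if __name__ == "__main__":
    # Constructed sample: CGNAT address on the router, DuckDNS up to date.
    for tag in diagnose("100.72.1.5", "198.51.100.7", "198.51.100.7"):
        print(tag, "-", MESSAGES[tag])
```
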

Thanks k8gg.

I have had a look at how to check whether CGNAT is running and confirm that my provider is not running it.

I then managed to check my IP address in Google and DuckDns and they are indeed the same.

The only other thing is my WAN IP. I cannot specifically find anything called this.

However, I have found a page that lists all the various connections (which I have pasted with the codes removed). Are any of these another name for the WAN IP?

Broadband Port

MAC Address

IPv4 Address

Network Type

IPv4 Subnet Mask

Gateway IPv4 Address

IPv4 Domain Name Server

Gateway IPv6 Address

IPv6 Domain Name Server

IPv6 Global Address

IPv6 Link Local Address

IPv6 Delegated Prefix

That is your WAN IP Address

1 Like

Thanks for that - I checked the IPv4 Address and that matches up as well (so everything was working as far as DuckDNS goes).

I then had a bit of a chat on the Sky forum about the NowTV Hub2 - this is exactly the same model that Sky provide its customers with (just renamed the ER110).

Apparently, you cannot do a port redirection from 443 to 8123 - i.e. only direct mapping is possible from 443 to 443 and 8123 to 8123.

This has really messed my set up as I need the 443 to 8123 to get the Alexa hack to work.

This might be a stupid question but would changing Home Assistant’s default port from 8123 to 443 get round this?

Bit of an update - despite my best efforts, it just seems that NowTV does not work well with my particular set up.

Have gone back to my previous ISP provider (as am still within the cooling off period).

Thanks for everyone’s help on this.

Right let me provide some answers here.

  1. If you had just used the Nginx add-on you would only need to port forward 443 to 443. Nginx will receive the connection and proxy it locally to port 8123. And Alexa would work fine.

  2. You don’t have to use the router that your ISP provides, you can get your own better router and use that instead - there is normally nothing special about their router that means only it can be used. The only important part is knowing what you need.

If you have FTTC (Fibre to the cabinet) then you need a Modem Router that works with fibre broadband.
If you have FTTP (Fibre to the premises) then you probably have a separate modem already - that the ISP router plugs in to - in this case you only need a router.
If you still have ADSL broadband, then you need a Modem Router that supports ADSL (most are Fibre these days).

1 Like

Thanks Andrew, for your further response.

I spent so long trying to get it to work that I gave up - no matter what I tried, 443 to 443 would not work. There was some suggestion on the NowTV forum, that they do not allow you messing with this particular port.

Also, I was told that it was part of the T&C’s of my contract that I had to use the provided hub and nothing else. There are lots of people that ignore this and use their own but I was warned that if something goes wrong and you need help, the ISP won’t help if they detect you are using your own router.

I may well have a go with Nginx anyway, once my new ISP kicks in.

The NAT Loopback is probably still the biggest problem, the router won’t let you go out to the internet and then back in to your internal network. So it probably was the fault of the router rather than any instructions you followed, especially if it was working correctly previously. Yes, they can refuse to help if you change out the router, but only really because they can no longer guarantee anything with regards to your service once they are no longer in charge of ALL the equipment from them right to your house. This isn’t a problem though, because you don’t throw their router away, you keep it handy so that if you do have an issue you can first try swapping back to their router and see if the problem still exists, and then if it does - you are using their equipment and they will help you.

I really don’t think you want to run HA on 443. You’ll get scan bots scraping this and putting it into databases very easily. You really need to stay on non-standard obscure ports if you choose to expose HA to the internet.