I’ve been fighting this issue for a while, and am posting here as I’m out of options and must be doing something wrong.
TLDR: I use Chrome on Windows to access HA using my DDNS domain so that the URL matches my Let’s Encrypt certificate. But randomly the HA UI will not completely load. It spins and does the retry countdown but just will not come up.
History: Once upon a time, I had set up port forwarding and all was well. But I tired of fighting the hackers trying to get in. So I now only open a VPN port (and that, thanks to HA, only when I’m not home). But then came Chrome secure DNS and ever since, it’s been a mess. This applied not just to HA but to some other services (e.g. Synology DSM).
If I turn off the secure DNS setting in Chrome, it will work…for a while. I end up having to toggle on and off to get it to work again (thanks, Google). I’ve had to do this a dozen times a day at times. I don’t know what causes it to stop working, but it’s aggravating. There was a Chrome flag that fixed this for a while, but a recent update to Chrome has removed that.
I’ve tried to make it work “right”. I set up Adguard Home with secure DNS, and do a DNS rewrite rule of the domain to the local IP. Still, Chrome was fussy. Maybe because the certificate is not an (expensive) paid one?
Next, I opened the port forwards again but set up packet rules to drop external traffic. Now everything works great…except HA. It used to be if I tried DSM while HA was spinning it would also not load, but now it’s just HA spinning (or losing connection if open). I have to toggle the secure DNS setting to get it to work again. Is there some other port involved for HA other than 8123?
I can discuss more details, but I’m trying to keep this as short as possible to start. I am double NATed, which might be adding to the issue.
Why are you rewriting DNS instead of having a static entry in your DNS records? Just curious.
8123 is the only port used by HA. Nothing in Chrome should be having any effect on your setup unless you’ve got something reconfigured in another service that impacts requests for the HA page.
As far as I know that’s the only way using Adguard Home. (Previously I used Synology DNS with static entries, but it does not support secure DNS.)
Honestly, I have not tried a lot with the current settings. I’ve tried Opera, and it has similar issues. With Edge, I can’t get HA to load at the moment; it does go to the loading data spinner, but then Edge redirects out with the following (redacted):
Hmmm… can’t reach this page
It looks like the webpage at https://{domain}:8123/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2F{domain}%3A8123%2Flovelace%2Fdefault_view%3Fauth_callback%3D1&client_id=https%3A%2F%2F{domain}%3A8123%2F&state={long random string} might be having issues, or it may have moved permanently to a new web address.
Ping by name returns the internal IP and works fine:
Ping statistics for {local ip}:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 33ms, Average = 17ms
Pinging by the IP:
Ping statistics for {local ip}:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
Tracert shows it resolving from Adguard:
Tracing route to {domain} [{local ip}]
over a maximum of 30 hops:
1 2 ms 2 ms 2 ms {adguard}
Trace complete.
Also, on the double NAT: my router (UniFi USG 3P) is connected to AT&T’s router. I now have the port forwarding on AT&T to my router, as well as the packet filtering rules. My router then has the ports forwarded to my NAS (without restrictions).
I suspect you are right. I have been hesitant to because of reports that it slows down the connection, and also the supposed security benefits of having AT&T in the middle (are there really any?).
Bridge mode would actually speed things up because…
It removes the entire firewall component and feeds the raw internet to your chosen endpoint.
So technically, does it make it ‘less secure’? Debatable, because right behind it you put a UniFi Gateway (which IMHO is an order of magnitude better than a generic vendor-provided router, but that’s not based on any verifiable fact). My daily driver is a UDM Pro SE.
As long as you don’t plug other devices into the segment between your AT&T box and the router (you should not; everything goes behind the firewall unless you have a specific reason), the UniFi box has your firewall covered by itself without the double NAT.
So I believe the problem occurs for me mostly when “roaming”. That is, when I dock or undock my machine (going to/from Ethernet to Wi-Fi) or move to/from the living room to the bedroom (which would switch from one AP to another). It doesn’t matter if I launch HA right after entering the room or after waiting a while.
So this weekend, I put the AT&T router into “IP Passthrough” mode (which, from research, is the closest it has to bridge mode). The packet filters are disabled on the AT&T side. I have port forwards on the UniFi side, and created firewall rules so that access to those ports from external IPs is dropped. No other changes were made.
So far, it is working…better but not perfect. Without roaming, HA loads immediately. But when I docked this morning and attempted to access HA, I thought the issue was recurring. I got the “Loading Data” spinner and then the “retry” link, but this time clicking that (without toggling secure DNS) HA loaded…partially, i.e. not all the dashboard items loaded. I refreshed the browser, and all has been fine since. I’m so confused…
I’d be interested to know what happens if you remove the wired connection from the equation.
This could be an issue with DHCP leases and things just having to catch up. Who knows though.
Personally, I’ve run a port forward since day 2, and Let’s Encrypt since they first offered certs. DDNS through afraid.org and Pi-hole.
Everything just works. I use the same internal/external URL with SSL and nothing has issues. I just migrated from bare metal to Docker (rebuilding so much was a pain) and it still, just works.
There has to be a setting or a config somewhere that’s causing your issue. If I had to guess, I’d point fingers at your DNS.
It’s actually been working perfectly since I made my previous post. Maybe it was some fluke, or just needing to catch up like you said. I’m tempted to take Adguard out of the mix, but so long as it’s working I probably won’t stir it up anymore.