Hello, good time of the day. Not long ago, I started learning the Home Assistant system. Two weeks ago, I managed to set up remote access to HA using DUCKDNS and NGINX, but something broke, and now I don’t have access via https://.duckdns.org. I started to restore the system using backups, but it didn’t help either.
Now, I’ve come to the conclusion that the problem might be in three things:
Routing
SSL certificate
Provider
At the moment, I have this routing scheme. How should I redesign it?
Duck and Nginx are already complicated enough… Why are we double NATting?
(why are you going through two routers to get to HA?)
Basically you didn’t explain why the complex setup. Francis’ question is basically the same and my default will be to get rid of the second router unless you have a good reason?
The complex setup is due to the fact that the second network was deployed closer to the smart devices that require Wi-Fi. I manage them through the local network of the second router (devices lose signal when connected to the network of the first router). Both devices are configured as access points.
You can do exactly as Francis states: config that device to be a wifi access point only and not route through it; that dumps one entire layer out of this. (basically don’t use the WAN port, use a LAN port on the ‘internal’ device or put it in bridge mode)
Honestly, I’d strongly advise fixing THAT, (move ha to your .0 network, and collapse the second router) update the IP and routing strategy accordingly THEN tackle fixing your issue because best I can tell fixing it will require re-iping either the HA box or your entire 0 network (re ip HA is much easier but that potentially breaks anything already deployed on HA) and those need to be solid before playing with reverse proxies and SSL
I’ve already set up this system, and it worked for some time. I’m just trying to pinpoint where the error might be. I’ll consider redesigning the system, but at the moment, it’s not feasible(
We can go down the path to figure out what’s wrong with your Nginx or duck setups (probably duck, just guessing from the sudden increase in “I’m using duck and can’t” questions on the forum in the last two months - depending on the issue there’s lots outside of your control here)
But at the end of the day you’re fixing a bad design (sorry.) if it didn’t matter to duck or Nginx then that’s one thing - but network topology is fundamental to both here and it’s simply not worth bothering with either unless the network is solid. If you were a multinational with big routing issues that required a week and $20kusd to fix, I would and have given the same advice. (this is a weekend)
It’s already down and has been for xxx time? You then apparently don’t need it that badly - this is a bigger fish to fry long term. Wait on fixing this and unwind the network first. THEN build it on solid ground once.
Without knowing what else is on your network you’re asking people to guess what you should do.
The previous suggestions are correct, do it right. Would take an hour tops.
Easiest way, change the second router to AP only, meaning turn off its DHCP server, change its address to 192.168.1.50, and don’t use the WAN port.
Then change the first router’s LAN to 192.168.1.1.
Reboot everything. Won’t need to change HA’s IP at all.
Hello Artem - I did double NAT a couple of years ago, and it took me weeks (maybe months) trying to figure out why, and I couldn’t, and then out of nowhere everything is suddenly good again, and then after another maybe 3 weeks it broke again.
So my recommendation is don’t waste time like I did, and (if there is no good reason for double NAT) keep everything in the same 192.168.0.x IP range, with just one DHCP in your LAN.
… just like everyone else here recommended so far.
Throwing my 2c behind what’s already been said: I too had a double NAT setup once and it was a pain to say the least. There was always something not quite working. Double NAT is considered a bad practice.
One thing you can consider is to bridge the two routers (that was my fix at the time), but I’m not prepared to go deeper than this, because I’m not a network expert (decent working knowledge though, I’d say) and one needs to understand a lot about the equipment involved and existing configuration.
Thank you for your advice. I’m not very knowledgeable about routing, but some of the answers helped me understand how to set up router connections and routing. I got rid of double NATting by disabling DHCP on the second router. Now I can see all devices (including those from the second router) in the interface of the first router.
Next, I set a static internal IP address and configured port forwarding for it (443 → 8123 and 8123 → 8123). I’m also attaching settings for DUCKDNS and NGINX below.
No, I only have access through http homeassistant.local:8123, and there’s still no access via https. When loading https://.duckdns.org/, it shows the ‘Loading data’ screen, after which I receive an ERR_FAILED error. Here are the console logs from this page.
VM5:647 Uncaught TypeError: Cannot read properties of null (reading 'classList')
at HTMLDocument.onDocumentLoad (VM5:647:19)
onDocumentLoad @ VM5:647
The FetchEvent for "https://<domen>.duckdns.org/manifest.json" resulted in a network error response: the promise was resolved with an error response object.
Promise.then (async)
(anonymous) @ service_worker.js:1
The FetchEvent for "https://<domen>.duckdns.org/auth/authorize?response_type=code&redirect_uri=https%3A%2F%2F<domen>.duckdns.org%2F%3Fauth_callback%3D1&client_id=https%3A%2F%2F<domen>.duckdns.org%2F&state=eyJoYXNzVXJsIjoiaHR0cHM6Ly9za3ktYm9uLmR1Y2tkbnMub3JnIiwiY2xpZW50SWQiOiJodHRwczovL3NreS1ib24uZHVja2Rucy5vcmcvIn0%3D" resulted in a network error response: the promise was resolved with an error response object.
Promise.then (async)
(anonymous) @ service_worker.js:1
Turn off udp port forwarding on both rules (HTTPS is a TCP service; UDP won’t help) and turn off :8123 inbound from the WAN interface (opens you to unsecured comms to HA from the Internet.)
This says when duck tries to read the contents of //.duckdns.org/manifest.json (your external) and pull manifest.json, it can and then it tries to read the key: ‘classlist’ and fails - nothing there. (unsure why this seems unique to duck and indicates your network config is good.)
What happens if you ping (by name) your duck DNS external address for HA?
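The checks raised across this thread (one NAT layer only, the DuckDNS name pointing at the router, TCP-only forwarding for HTTPS, no 8123 from the WAN) collected into one triage routine. This is an added example, not part of any post above; `Forward`, `triage` and the sample addresses are hypothetical and constructed, and the non-public WAN check goes slightly beyond the advice given by also covering provider-side NAT.

```python
import ipaddress
from dataclasses import dataclass

# Address space that is never reachable from the Internet: RFC 1918 plus
# the RFC 6598 range providers use for carrier-grade NAT.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
HA_HTTP_PORT = 8123  # Home Assistant's plain-HTTP port, as used in the thread


@dataclass(frozen=True)
class Forward:
    wan_port: int
    lan_port: int
    protocols: frozenset  # subset of {"tcp", "udp"}


def triage(resolved_ip, router_wan_ip, forwards):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    wan = ipaddress.ip_address(router_wan_ip)
    if any(wan in net for net in NON_PUBLIC):
        findings.append("router WAN address is not public: another NAT sits upstream")
    if ipaddress.ip_address(resolved_ip) != wan:
        findings.append("DuckDNS name does not resolve to the router WAN address")
    for f in forwards:
        if f.wan_port == HA_HTTP_PORT:
            findings.append("port 8123 is open from the WAN: unencrypted access to HA")
        elif "udp" in f.protocols:
            findings.append(f"rule {f.wan_port}->{f.lan_port} forwards UDP; HTTPS needs TCP only")
    return findings


# Constructed sample data (documentation addresses, not taken from the thread).
BOTH = frozenset({"tcp", "udp"})
AS_POSTED = [Forward(443, 8123, BOTH), Forward(8123, 8123, BOTH)]
AFTER_ADVICE = [Forward(443, 8123, frozenset({"tcp"}))]

if __name__ == "__main__":
    for line in triage("203.0.113.10", "203.0.113.10", AS_POSTED):
        print("-", line)
```

Feed it the address returned by resolving the DuckDNS name, the WAN address shown on the first router's status page, and the forwarding rules as configured.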