Duck DNS Error

My Duck DNS has been set up for a while now (4+ years)

Everything is working OK… iOS app is fine, local access is fine and remote access is fine.

But I’m getting aiohttp errors randomly from time to time and I have this curious message on my System Network screen

Invalid local network URL
“You have configured an HTTPS certificate in Home Assistant. This means that your internal URL needs to be set to a domain covered by the certficate.”
(complete with the spelling error)

External port 8123 is forwarded to 8123 and external port 443 is forwarded to 8123.

How do I make HA happy with my network access?

I have already tried installing NGINX (no change) and I have tried uninstalling and reinstalling DuckDNS (no change).

I don’t see a spelling error?

You only need one of those. You have doubled your attack surface for no added benefit.

You do what the error tells you to and set your internal URL to the domain covered by your certificate (your DuckDNS domain).

See: https://www.home-assistant.io/docs/configuration/basic/#internal_url
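The rule the error enforces is simple to check by hand: the host in the internal URL must be one of the names on the certificate. As an added example (not code from the thread or from Home Assistant), here is a small checker that does that comparison against a certificate's Subject Alternative Names, with RFC 6125-style single-label wildcard matching. The DuckDNS name `myhome.duckdns.org` and the SAN lists used are constructed for illustration; `fetch_san_names` is an optional live helper that needs network access and is not required for the offline checks.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Match a host against one DNS SAN entry.

    Exact match, or a single leading wildcard label: "*.example.org" covers
    "ha.example.org" but not "example.org" and not "a.b.example.org".
    """
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.org"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return bool(label) and "." not in label
    return hostname == pattern


def url_covered_by_cert(url: str, san_names) -> bool:
    """Return True if the host in `url` is covered by the certificate.

    san_names is a sequence of (kind, value) pairs in the shape returned by
    ssl.SSLSocket.getpeercert()["subjectAltName"], e.g. ("DNS", "x.duckdns.org").
    An IP literal in the URL (https://192.168.1.10:8123) is only covered by an
    "IP Address" SAN, which a DuckDNS/Let's Encrypt certificate does not carry.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san_names:
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and hostname_matches(host, value):
            return True
    return False


def fetch_san_names(host: str, port: int = 8123):
    """Pull the SAN list from a live HTTPS endpoint (needs network access).

    Connect using a name the certificate is issued for: getpeercert() only
    returns the parsed certificate when verification succeeded.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subjectAltName", ())


if __name__ == "__main__":
    # Constructed SAN list standing in for a DuckDNS/Let's Encrypt certificate.
    sans = [("DNS", "myhome.duckdns.org")]
    for url in ("https://myhome.duckdns.org:8123",
                "https://192.168.1.10:8123",
                "https://homeassistant.local:8123"):
        state = "covered" if url_covered_by_cert(url, sans) else "not covered by the certificate"
        print(f"{url}: {state}")
```

Only the first URL passes with a DuckDNS certificate, which is why the internal URL has to be the DuckDNS name rather than a LAN address or `.local` name.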

Certficate needs an extra i, like this:
Certificate…

OK, I set my internal URL to the external URL (the one provided by Duck DNS) and the error is gone.

Not sure that is what you were recommending, but the error is gone… Let's hope the AIOHTTP errors are gone too.

You are then routing your traffic to the DuckDNS URL, which might mean you are sending all your HA traffic out to the internet and back again.
The traffic should be secured by the certificate's encryption, so the problem is not a security issue, but if it is going out to the internet and back, then it will be counted as traffic by your ISP, and if your connection is a metered one, that might be expensive.
Traffic doing a round trip to the internet will also put a load on your router and internet connection, so you might experience bandwidth issues too.


Most routers have NAT loopback.

True, but that only works if the public IP is on the router's WAN port.
If there are CGNAT or other layers in the ISP network, then the public IP that DuckDNS points to might be further out in the chain.

And NAT loopback/hairpin NAT is often not enabled by default, so if it is not manually enabled and it still works, then it might be an indication that traffic is taking a bigger round trip than just the WAN port.

DuckDNS does not work if the ISP uses CGNAT.

It does.
CGNAT can have forwarding set up just like normal NAT.
My old ISP was using CGNAT, but just made the IP I used static to my router and then made a source/destination NAT rule on the CGNAT router.

Wow. My old ISP just moved me back to their dynamic pool of addresses (for free) when I contacted them about the change to CGNAT causing issues for me.

My new ISP has free static addresses, but I’m paying for Nabu Casa to support HA so just use that.

Interesting. So I just checked my main router (Asus AX88U) and, ironically, it defaults to NAT loopback on.

Since my son is a gamer I have a huge pipe to the internet, so bandwidth is not an issue and my link is not metered.

So if I understand this right… without the NAT and with my internal HA URL set to my DuckDNS domain, my MotionEye camera feeds go out to the internet to get a certificate and then return to my dashboard?

That is a lot of data going out to the world.

Ironically one of the main sources of AIOHTTP errors were the webhooks that MotionEye automatically generated.

Well in the last 24 hrs (or so) my HA has generated zero network errors.
I’m not sure if it is fixed or if I made a total mess. Regardless, thanks for the help and the suggestions.

Yeah. You need that NAT loopback on.

Do I need to configure NAT with a port trigger?

Sorry for the noob questions… I worked in IT for over 30 years, but I had network engineers take care of stuff like this.

No. Your router will recognise that your DuckDNS URL actually points to a location in your own network and will redirect the packets there automatically.


Somewhere in your router, your public/WAN IP address will be shown.
Check that this is the same as the one seen on https://www.myip.com.

If it is, then your NAT loopback will keep the traffic inside your network.
The traffic will put an extra load on your router, which might otherwise have been handled just by the switch.
If the router is underpowered, and many ISP routers are, then the extra load from many different devices can mean a lot of extra connection state to handle.

If the public/WAN IP address in the router is not the same as the one seen on https://www.myip.com, then you have extra layers on the ISP side and your traffic will take a trip around their network.

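The check described in that last post (compare the router's WAN address with the address the world sees) can be made a little more precise: if the WAN address falls in the RFC 6598 shared range 100.64.0.0/10, the ISP is running CGNAT in front of you; if it is RFC 1918 private space, some other upstream device is doing NAT; only a public WAN address that matches the DuckDNS/myip.com address means hairpin NAT on the home router can keep the traffic local. As an added example (not code from the thread or from Home Assistant), here is that classification in Python. The IP addresses in the sample readings are constructed; `resolve_duckdns` is an optional live helper that needs network access and is not used by the offline checks.

```python
import ipaddress
import socket

# RFC 6598 "shared address space" that ISPs hand out behind carrier-grade NAT.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_ip(addr: str) -> str:
    """Classify the address the router shows on its WAN port.

    "public"  - globally routable; NAT loopback on this router can work
    "cgnat"   - RFC 6598 space; the ISP's CGNAT holds the real public IP
    "private" - RFC 1918 or other non-routable space; an upstream NAT device
                (an ISP modem in router mode, for instance) sits in front
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in CGNAT_RANGE:
        return "cgnat"
    if ip.is_global:
        return "public"
    return "private"


def hairpin_assessment(wan_ip: str, public_ip: str) -> tuple:
    """Decide whether NAT loopback on the home router can keep traffic local.

    wan_ip    - WAN address read from the router's status page
    public_ip - address the outside world sees (what the DuckDNS name
                resolves to, or what https://www.myip.com reports)
    Returns (verdict, explanation).
    """
    kind = classify_wan_ip(wan_ip)
    if kind == "cgnat":
        return ("isp-nat", "WAN address is RFC 6598 shared space: the ISP's CGNAT "
                           "holds the public IP, so traffic to the DuckDNS name "
                           "leaves your router before it can be hairpinned.")
    if kind == "private":
        return ("upstream-nat", "WAN address is private space: another NAT device "
                                "sits between your router and the public IP.")
    if ipaddress.ip_address(wan_ip) == ipaddress.ip_address(public_ip):
        return ("local", "Router holds the public IP; with NAT loopback enabled "
                         "the DuckDNS traffic stays inside your network.")
    return ("mismatch", "Router holds a public IP but not the one DuckDNS/the "
                        "world sees; check the DuckDNS updater and the WAN status.")


def resolve_duckdns(hostname: str) -> str:
    """Resolve the DuckDNS name (needs network access; not used offline)."""
    return socket.gethostbyname(hostname)


if __name__ == "__main__":
    # Constructed sample readings (WAN address, public address), not from the thread.
    samples = [
        ("85.100.200.10", "85.100.200.10"),  # router owns the public IP: loopback works
        ("100.64.12.7", "85.100.200.10"),    # ISP CGNAT in front of the router
        ("192.168.100.2", "85.100.200.10"),  # ISP modem doing NAT in front of the router
        ("85.100.200.11", "85.100.200.10"),  # stale DuckDNS record or wrong WAN reading
    ]
    for wan, public in samples:
        verdict, why = hairpin_assessment(wan, public)
        print(f"WAN {wan:<14} public {public:<14} -> {verdict}: {why}")
```

In practice you would pass the WAN address from the router's status page and `resolve_duckdns("yourname.duckdns.org")` as the second argument; a verdict other than `local` means the round trip the earlier posts describe is really happening.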