HA app banning my IP address

I have a recurring issue with my mobile IP addresses getting blocked by IP ban. The scenario is the following:

  • I log in to the HA Mobile Companion app in my home network, and everything is working fine
  • however, when I move away from my home network (either on mobile data or connecting to some other Wi-Fi APs) my app refuses to connect and HA shows a persistent notification about an IP ban.
  • the same happens on my wife’s phone
  • the ban is never caused by an incorrect login attempt where I would be entering my password into the app. The app is just trying to communicate with HA, should have a valid auth token but for some reason the HA server decides to ban it.

Here is an excerpt from my config.yaml. Note that I have added the cors section in an attempt to solve this issue, but it did not help. The problem appeared approx. a month ago and I am not aware of any configuration changes on my side that would have caused it. It seems like something in the way the app tries to renew the auth token changed.

I am accessing HA via my own domain with nginx reverse proxy and I don’t use HA cloud.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.50.10
    - 172.18.0.0/24
  cors_allowed_origins:
    - https://homeassistant.****.***
    - https://192.168.50.10
    - http://192.168.50.10
  ip_ban_enabled: true
  login_attempts_threshold: 5

I am not sure it will help at all, but my observations on this issue are as follows…

When our family was on Verizon I could not use ip banning because of this very problem. To make it even more of a pain, 90% of the time I could not connect if on mobile service at all. It seemed to me that if I was in my “home” cell, within a few miles of my house it would work much more often. I could trick it into working by connecting with wireguard and then disconnecting wireguard and cell would work for a while.

All of the crap ended when I moved my kids to ATT wireless, well ended for them and location updates became much more regular as well as sensor updates when on cell. In short, my wife and I switched to ATT as well and all of the problems are now gone. I now have ip ban running and have not seen the HA Companion app fail to connect in weeks!

This problem had plagued me for years! Over several phones and fresh installs of HA and Companion. I do not know what Verizon was doing to the data, but it was seriously broken.

I think using a domain like https://homeassistant.malicious.com can exploit that allowed origin as https://homeassistant.*.

I’m not sure, any others got an opinion on this?

This definitely looks fishy. Wildcards should be used for subdomains but not like that. Not sure what @molnart is trying to achieve here.

I am not using any wildcards in my domain name; *****.*** is replaced with my actual domain name in the yaml file, I am just not wanting to share it.
Anyhow, the problem somehow solved itself with some updates.

I just started having this problem after switching to a new ISP. I haven’t been able to get my NGINX Proxy Manager working, so I’m unable to access HA outside my network. My access works fine until I leave the network and come back and then it’s banned me… This sounds similar to the behavior you noted above. All you did to resolve it was update the app? If so, that’s unfortunate, as I’m already on the latest version.