I thought that HA didn’t need internet access, but it seems that when I block it, the docker dies and fails to respond. I’ve got to re-open it on the firewall before it will start up again.
Grateful for advice and thoughts please.
Adding to this - I’m running it on a Pi and I think this may be a Debian/Pi thing rather than a HA thing… but I’m not sure at this point.
Raspis do not have a RTC, so HA tries to connect to the internet for time syncs.
There might be other stuff too, but I do not know if they are needed as such.
I know it connects to GitHub to look for updates.
Time, I can understand. I have a rule that allows all out on UDP 123, but anything else shouldn’t actually stop it from functioning though, surely?
I’ve got another rule specifically to let the Pi out on all ports, to all IPs, but there’s nothing being logged by the firewall rule that lets it out… so I’m starting to wonder if I’ve got a separate problem with the docker jamming and the network might be a red herring.
Need to get it back up long enough to set up SSH so I can see what’s going on.
If you have any cloud services, then they might go bananas if you cut the internet connection.
You should look at the logs when you cut it and see what goes on.
There aren’t any. It’s a basic installation. I had given up on it and gone to bed, but got up this morning and it’s responding again. I’ve got SSH running but it looks like the usual log files aren’t where I’d usually find them so I’m not sure how to troubleshoot this.
The only thing that appears to be consistent is that when I disable the firewall rule that allows it to talk to anything, anywhere… “Connection lost. Reconnecting…” and it dies. Even SSH session stops responding. This is most odd.
On the firewall side, there are already a series of rules that allow connection to a list of countries from all internal IPs, on a range of services. The household systems, browsing, etc. are all working fine… the “allow to anywhere” rule is coming after all those, so it’s going beyond what I’ve got programmed generally. I’m going to have to allow it to do what it wants and collect IPs and see what it’s doing. But this appears to be most strange.
I’m at a loss. It’s just got Zigbee2MQTT and Mosquitto Broker installed (and now the SSH) and the firewall shows no usage against that rule… but the moment I disable it, I get “Connection lost. Reconnecting…” from the HA session even though I’m on the same home network and thus, subnet. SSH also dies but the command prompt at the ha console itself on the KVM directly attached to the Pi is still functioning.
I’m assuming that the docker is dying outright once it loses that connection… a connection which the firewall logs say it isn’t even trying to use.
This makes no sense.
I’ve narrowed it to port 443, HTTPS, at least. Allow it unfettered access to 443, and it works again (presuming there’s a watchdog bringing the docker back up) - but kill that rule and it dies.
I’m going to try a new installation on a new hard drive. This is making no sense.
OK - here’s my latest theory. In the network configuration, when the change is made from DHCP to static, everything is populated, gateway, IP, DNS servers… except the subnet mask which is /32 instead of picking up the /24. I’m going to try getting on to the original installation I made, and try changing that subnet and see if that solves it.
On the face of it… it looks like that’s solved it. The subnet was wrong and thus going to the gateway for everything… and the gateway also being the firewall, nerfed everything.
For the moment, it seems stable with just the standard firewall rules that I run. Cross fingers.
/32 is not a possible subnet mask.
I agree, however that’s what was populated (255.255.255.255) in the subnet mask when changing from DHCP to static in the network interface page.
With a /32 you cannot have a gateway or a broadcast address, so it should not work.
But you found the error.
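The symptom in this thread (same-LAN clients losing the HA session and SSH as soon as the outbound firewall rule is removed) follows directly from how the subnet mask decides which destinations are on-link. The script below is an added example, not code from the thread or from Home Assistant; it uses Python's standard `ipaddress` module and constructed addresses (a Pi at 192.168.1.50, a laptop at 192.168.1.20, a gateway/firewall at 192.168.1.1) to compare the /24 the Pi should have had with the /32 the static-IP page populated. It shows that with /32 every destination, the gateway included, is off-link, so even traffic to a laptop on the same switch is handed to the firewall, and that the broadcast address collapses onto the host's own address.

```python
import ipaddress

# Constructed sample addresses for the demonstration (not taken from the thread).
PI_IP = "192.168.1.50"
GATEWAY = "192.168.1.1"
LAPTOP = "192.168.1.20"
INTERNET_HOST = "203.0.113.10"  # documentation range, stands in for "the internet"


def interface_summary(ip, prefix):
    """Return the network, broadcast address and usable-host count for ip/prefix."""
    iface = ipaddress.ip_interface(f"{ip}/{prefix}")
    net = iface.network
    # /31 and /32 have no separate network/broadcast addresses; count all addresses.
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def on_link(ip, prefix, dest):
    """True if dest falls inside the subnet implied by ip/prefix (reachable via ARP, no router)."""
    return ipaddress.ip_address(dest) in ipaddress.ip_interface(f"{ip}/{prefix}").network


def gateway_usable(ip, prefix, gateway):
    """A default gateway must itself be on-link, otherwise the host cannot ARP for it."""
    return on_link(ip, prefix, gateway)


def next_hop(ip, prefix, gateway, dest):
    """Simplified host routing decision: direct delivery if on-link, else via the gateway."""
    return "direct" if on_link(ip, prefix, dest) else gateway


def forced_through_firewall(ip, prefix, gateway, destinations):
    """List the destinations that a host with this mask would send to the gateway/firewall."""
    return [d for d in destinations if next_hop(ip, prefix, gateway, d) != "direct"]


if __name__ == "__main__":
    lan = [LAPTOP, GATEWAY, INTERNET_HOST]
    for prefix in (24, 32):
        print(f"--- {PI_IP}/{prefix} ---")
        print("summary:", interface_summary(PI_IP, prefix))
        print("gateway usable:", gateway_usable(PI_IP, prefix, GATEWAY))
        print("sent to firewall:", forced_through_firewall(PI_IP, prefix, GATEWAY, lan))
```

With /24 only the internet host goes to the firewall and the laptop is delivered directly; with /32 the laptop and the gateway itself are both off-link, which is why a firewall rule change could break a connection that, on paper, never left the LAN.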