HA Remote Access via IPv6

Hi there,
I am trying to expose my HA on a RP4.
As I use an ISP without personal IPv4 I can’t use DynDNS as I would like to use it, I rather have to use IPv6, which makes things complicated…
I have my own domain xxx.de to which I want to connect my HomeAssistant instance.
The domain is bought from IONOS, a German domain provider.
Here are the most important steps I already took:

  1. Static IPv6 Address: I’ve assigned a static IPv6 address to my Home Assistant device, ensuring it remains consistent for external access.
  2. AAAA DNS Record: I created an AAAA record for my domain (xxx.de) at IONOS, pointing to the IPv6 address of your Home Assistant device.
  3. Port Forwarding on FritzBox: Ports for HTTP (8123) have been forwarded on your FritzBox for IPv6, allowing external traffic to reach Home Assistant.
  4. Home Assistant Network Binding: Home Assistant is configured to listen on all interfaces, meaning it’s accessible via both IPv4 and IPv6. (IPv4 is not used though)

I can:

  • nslookup/DNScheck → AAAA record is set right, IPv6 of HA gets printed

I can NOT:

  • ping my HA
  • connect to it in any way except locally

I am happy for any help :slight_smile:

I don’t have any experience with FritzBox, nor your telecom carrier, but one question comes to mind, is your HA static IPv6 a global IPv6 address? If not, then your Fritzbox may be doing NAT and you will need to have your AAAA record point to the FritzBox’s global WAN IPv6 address.

It’s the HA’s global static IP address.
I can ping from outside of my home network, which proves that the IP is the right one.
It might change over time, so not very static, but I just wanted to try things first, before concerning with the altering IP.
As of my research/attempts the issue seems to be at the HA’s firewall or so, as I could see the incoming ping/request in my router (investigated in wireshark) which makes me believe that there ought to be some settings on the HA side to allow access.
As of now I haven’t found any way to alter any settings concerning a firewall at the HA.
Even when I tried to go to the host’s settings (Raspberry Pi 4) the iptables seemed to allow all incoming traffic.

# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 339K   57M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0
 339K   57M DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0
 9886 4724K ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
11361 1815K ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
 314K   50M ACCEPT     0    --  *      hassio  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 2362  156K DOCKER     0    --  *      hassio  0.0.0.0/0            0.0.0.0/0
 1304  107K ACCEPT     0    --  hassio !hassio  0.0.0.0/0            0.0.0.0/0
 2362  156K ACCEPT     0    --  hassio hassio  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     6    --  !hassio hassio  0.0.0.0/0            172.30.32.6          tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
11361 1815K DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
 1304  107K DOCKER-ISOLATION-STAGE-2  0    --  hassio !hassio  0.0.0.0/0            0.0.0.0/0
 339K   57M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       0    --  *      hassio  0.0.0.0/0            0.0.0.0/0
12665 1922K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 339K   57M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
#
# ip6tables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:8123
    0     0 DOCKER-USER  0    --  *      *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  ::/0                 ::/0
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  hassio !hassio  ::/0                 ::/0
    0     0 RETURN     0    --  *      *       ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      docker0  ::/0                 ::/0
    0     0 DROP       0    --  *      hassio  ::/0                 ::/0
    0     0 RETURN     0    --  *      *       ::/0                 ::/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  *      *       ::/0                 ::/0
#

As you can see here, HA should be open to accept all incoming traffic, as it trusts all proxies.

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
    - "::/0"

Thanks for any help you can provide :smiley:
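Added example (not part of the original post, and not Home Assistant's own code): in Home Assistant, trusted_proxies lists the peers whose X-Forwarded-For header is believed; it does not decide which connections are accepted. The simplified model below shows what the posted "::/0" entry does to client-address resolution compared with keeping only 172.30.33.0/24. Function names and the 2001:db8:: sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# trusted_proxies as posted above, and a narrowed variant for comparison
PAGE_CONFIG = ["172.30.33.0/24", "::/0"]
NARROWED = ["172.30.33.0/24"]


def parse_networks(entries):
    """Turn config strings into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_trusted(addr, networks):
    """True if addr falls inside any configured proxy network."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in networks)


def overly_broad(entries):
    """Entries with prefix length 0 trust every address of that family."""
    return [e for e in entries
            if ipaddress.ip_network(e, strict=False).prefixlen == 0]


def effective_client(peer, xff, networks):
    """Simplified model of proxy-header handling (an assumption, not HA's
    implementation): the header is honoured only when the TCP peer is a
    trusted proxy; otherwise the peer address itself is the client."""
    if not xff or not is_trusted(peer, networks):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer
    # Walk from the proxy side; the first untrusted hop is the client.
    for hop in reversed(hops):
        if not is_trusted(hop, networks):
            return hop
    # Every hop is "trusted": the header value is taken at face value.
    return hops[0]


if __name__ == "__main__":
    peer = "2001:db8::50"             # constructed: host connecting directly
    claimed = "2001:db8:ffff::1"      # constructed: address it claims in the header
    print("broad entries:", overly_broad(PAGE_CONFIG))
    for name, cfg in (("posted", PAGE_CONFIG), ("narrowed", NARROWED)):
        seen = effective_client(peer, claimed, parse_networks(cfg))
        print(f"{name}: logged client = {seen}")
```

With the posted list, the address recorded for a direct IPv6 connection is whatever the header says; with the narrowed list it is the real peer address, which is what IP-based login banning and logs rely on.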

From your local network can you get access to your HA using
https://HA-GLOBALv6-STATIC:8123 (your browser will complain about the certificate, but if your browser will let you ignore this, then ignore it.)

I am doubtful that HA is not preventing access to its webserver.

From outside your home, are you pinging HA’s globalv6 static address?
My thinking is that the Fritzbox should actually be blocking incoming pings from the outside world to an inside world address unless there is a firewall rule in Fritzbox that allows for it.

I tried it and as a matter of fact I can access my HA instance from my local network.

At first I tried to use portforwarding, but I wasn’t sure if there were maybe some differences to IPv4 portforwarding so I completely exposed my HA for testing purposes only.