Home Assistant and Fritz!Box, wrong IPv6 in HA network settings, temporary GUA instead of public GUA

Hi everyone!

I’ve been fighting this for hours now!

This is my setup:

I’m using a Fritz!Box 5530 Fiber and a Dell Optiplex with Home Assistant OS 16 (15.2 up until 3 hours ago).

I’m using “myFritz sharing” for that device on my network to get a custom subdomain on the myFritz service, which always points to my public IPv4 as well as the IPv6 of the Dell Optiplex.
I’ve also forwarded Ports 80, 443 and 853 to the Optiplex.

Then I’ve created a CNAME record from homeassistant.mydomain.tld and adguard.mydomain.tld to that homeassistant.privatewhatever.myFritz subdomain. Works beautifully!
Now I can access Home Assistant and AdGuard using my own domains.

In Home Assistant I’ve installed and enabled the following addons:

  • NGINX Proxy Manager
  • AdGuard Home

I’ve configured NGINX Proxy Manager to proxy homeassistant.mydomain.tld with Let’s Encrypt to http://homeassistant.local:8123 to access the interface using SSL and without having to append the port. Works beautifully!
I’ve also configured the encryption settings in AdGuard Home so that I can use Private DNS settings on my Android phone using adguard.mydomain.tld, thanks to the forwarded port 853.

However, there is just one small problem:
It only works beautifully via IPv4!

Home Assistant gets the wrong IPv6. Only when I enter the correct one statically in the Home Assistant network settings does IPv6 work as well, but since my provider rotates the IPs several times a day, it’ll only ever work for a few minutes to a few hours. But once I enter the correct one, it’ll work INSTANTLY.

Here are the details:

In my Fritz!Box I can see seven IPv6 for that device.
They are called:

  1. IPv6-LLA-Temporary (1)
  2. IPv6-LLA-Temporary (2)
  3. IPv6-ULA-Temporary
  4. IPv6-GUA-Temporary
  5. IPv6-ULA
  6. IPv6-LLA-Temporary (3)
  7. IPv6-GUA

The one the myFritz subdomain points to and the one that works is the IPv6-GUA (No. 7). The one that Home Assistant receives and displays in the network settings is the IPv6-GUA-Temporary (No. 4).

I’ve already used sysctl to set temp_addr=0 on all network devices and set ipv6.addr-gen-mode to eui64 on all network devices using nmcli, but it did not change anything.

Please help me. I’m at a loss.

I’ve considered listening for the IP change and using a script to update the static IP, though that seems more like a bandaid than a solution.

I don’t have a FritzBox system, so I don’t really know, but thought I would try to help…

I believe the IPv6 feature of interest here is called IPv6 Privacy Extension.
Try cat /proc/sys/net/ipv6/conf/enp1s0/use_tempaddr (or whatever your HA interface name is). The output should be 0. BTW I checked my HAOS 16 and it is indeed 0.

If it is not 0, then check and see what the nmcli setting ipv6.ip6-privacy is for that connection profile. Setting this to 0 is supposed to disable temporary addresses.
BTW my HAOS has this set to -1, which, as I understand, means it gets its value from /proc/sys/net/ipv6/conf/default/use_tempaddr, and in my case it is also 0.
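
A way to see which addresses the host itself marks as temporary, as an added example that is not part of the original posts: it parses the output of ip -6 addr show, labels each address LLA/ULA/GUA, and checks whether the interface identifier is the EUI-64 form of the MAC. The sample output, the 2001:db8::/32 addresses and the MAC 00:11:22:33:44:55 are constructed; eno1 is the interface name mentioned in the thread.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show dev eno1` output (documentation prefix
# 2001:db8::/32, made-up MAC 00:11:22:33:44:55); not taken from the thread.
SAMPLE = """\
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:1234/64 scope global temporary dynamic
       valid_lft 7020sec preferred_lft 3420sec
    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 7020sec preferred_lft 3420sec
    inet6 fd00:0:0:1:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 7020sec preferred_lft 3420sec
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a MAC (RFC 4291, Appendix A)."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def classify(ip_output: str, mac: str):
    """Return (address, kind, temporary, eui64) for every inet6 line."""
    rows = []
    for m in re.finditer(r"inet6 (\S+)/\d+ scope \w+(.*)", ip_output):
        addr = ipaddress.IPv6Address(m.group(1))
        if addr.is_link_local:
            kind = "LLA"
        elif addr in ipaddress.IPv6Network("fc00::/7"):
            kind = "ULA"
        else:
            kind = "GUA"  # assumes a physical interface, so no loopback here
        temporary = "temporary" in m.group(2).split()  # kernel's privacy flag
        is_eui64 = (int(addr) & (2**64 - 1)) == eui64_iid(mac)
        rows.append((str(addr), kind, temporary, is_eui64))
    return rows

def stable_gua(ip_output: str, mac: str):
    """Non-temporary GUAs: the ones an AAAA record or port share should target."""
    return [a for a, kind, temp, _ in classify(ip_output, mac)
            if kind == "GUA" and not temp]

if __name__ == "__main__":
    for row in classify(SAMPLE, "00:11:22:33:44:55"):
        print(row)
```

If the host lists no address flagged temporary while the router still shows temporary entries for it, the router's labels are not coming from the interface's current kernel state.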

Thanks so much for your answer!

I’ve already set everything concerning privacy and tempaddr to 0 wherever I could.

I now checked all of the interfaces in /proc/sys/net/ipv6/conf/* for use_tempaddr and all of them are 0.

I’ve also used nmcli to set ipv6.ip6-privacy to 0 for both eno1 and lo again, even though I already did that.

I’ve rebooted both HA as well as the Fritz!Box but it doesn’t work.

I’m considering disabling IPv6 entirely at this point. Don’t think I’ll lose much. What do you think? Is it worth it to lose another few hours over this?

I’m wondering if the Fritzbox is assigning these temp addresses to HA instead of HA deriving them?

I can’t think of a particular reason to keep IPv6 from your service provider/Fritzbox.
You may want to keep IPv6 enabled in HA in case you ever want to use Matter, as Matter requires IPv6 (but this can be from a private address space).

This is what I’ve ended up doing for now.

I’ve also disabled the myFritz sharing, which always has an AAAA record, and use plain old IPv4 dynDNS with port forwarding.

My brother was using a FritzBox in a similar fashion (before he switched to a VPS) and he didn’t have these issues. He didn’t use HAOS but nginx on proxmox instead, so my guess is that HAOS and FritzBox and the whole privacy extensions and temporary addresses somehow don’t mix well. I’ve read about other people having the same issues and nobody had a solution ready.

I’m thinking about doing the whole containering myself in the future as well, maybe it’ll work then.

For now I’m content.

Thanks for your help!

For future reference if anyone stumbles over this:

I never got it working properly.

I’ve since switched to Proxmox and installed Home Assistant OS in a VM.

I did not install NGINX Proxy Manager inside of Home Assistant, but as a separate LXC and now everything works flawlessly.

The NGINX Proxy Manager gets its own IPs from the FritzBox and I can do proper port forwarding with IPv4 and IPv6 without issues and reverse proxy that to Home Assistant.

So it is like I suspected: HAOS is just not built for that, which I could have guessed.

So in short: If you don’t care about IPv6, then HAOS on bare metal works fine. If you do, though (at least if you use a FritzBox), then you should use a proxy manager in front of, rather than inside of, HAOS.

Cheers!

Out of curiosity, does HA still have those temporary IPv6 addresses?

Or maybe a better question: is NGINX port forwarding to HA to one of HA’s IPv6 addresses, and if yes, I presume it is one of those addresses that is either your #5 or #6 above?

It now has two temporary IPv6s. I did not change any network settings after the reinstall except for trusted_proxies. Rest is stock/auto.

The proxy manager, which is actually Caddy now, does not have any temporary IPv6s.

Caddy is the one with port forwarding and it always reverse proxies to the IPv4 address of HA. The myFritz Subdomain always points to the correct GUA address.

That was not possible before, as in my previous setup NPM was running as an add-on inside of HA and therefore inherited the issues I had with HA and the FritzBox.

Everything works beautifully now.