Home assistant on UBUNTU SERVER 20.04

Based on the command, you’re attempting to install Home Assistant Supervised into a Ubuntu OS (which will run Docker). If your Ubuntu installation itself is running under Virtualbox, then you have a relatively complex setup. You’ll have to troubleshoot Ubuntu running in VirtualBox and THEN troubleshoot the docker implementation on Ubuntu. I’d look first at VirtualBox and ensure that Ubuntu itself is getting an IPv4 address and working properly.

Also, you should know this is an unsupported installation of Home Assistant, as the only supported Supervised installation is on Debian 10. You’ll run into issues where HA Core arbitrarily states your installation is “unhealthy” at which point you’ll be prevented from upgrading (as counter-intuitive as that is).

And to my point, I am feeling for him. Why would you want to architect your home automation system like this? Seems very complex and fragile.

So, you have devices inside your private network that have IPV6 enabled? and you allow/trust your firewall to let these devices connect to the internet? Wow, that is pretty scary. You might want to read some of the writing of the folks that understand IPV6 and it implementation, it is really not reassuring for IoT devices and home automation especially.

And just on a practical level, you type IPV6 addresses vs. IPV4 in your everyday life?

If he’s actively managing the access control of that, there’s no reason it’s scary to have IPv6 enabled.
The manufacturers that build their routers to automatically route all IPv6 devices externally, now THATS scary!

Yes I have devices with IPv6 available on my LAN. None of them are accessible via the internet because my router isn’t opening any port on them (except Home Assistant server on a non-standard port). Good luck stumbling over that on the internet. What is it 65000 years to scan for it? Don’t be so alarmist.
On a practical level I don’t type any IP addresses of any kind on my LAN… dns seems to take care of them and I use IPv4 internally anyway.
Why do you think IPv4 with port forwarding is more secure that IPv6 with a port exposed? It’s also behind a reverse proxy…

Maybe just to try it out before buying a device to run HA? maybe… I hope so

That’s like going to a new car dealer and asking them to take the tires off the car before the test drive. In these wonderful times of giving a USD 35 raspberry pi to our kids, why do we suffer complexity so? Your house, where you spend a majority of your happiest times, and may well (hopefully?) die in, spend smart.

As I said, I am far from an expert in the areas of network engineering. So I hope I am wrong. That said, when you write the words ‘router isn’t opening any port’ in the context of IPV6, I worry. And I agree with you should ideally have NO IPV4 port forwarding enabled on your internet firewall device. As I said, please do read some of the experts writing on the state of IPV6, how we got to it and whether where we are with it is a good place. However based on my reading of this and experience, I still recommend disabling all IPV6 access to and from the internet at your firewall device. And if you find a need for IPV6 use only with in your private network, well I am really impressed by that network!

Please stop with the FUD. In Australia, ISP’s are already using CGNAT and IPv6 because there are no more IPv4 addresses available and that situation is not going to improve anywhere in the world.
I don’t know why you worry… do you know of some magical way someone can access my server with no opened port?

You are wrong so stop the FUD.

Since you start fresh, my recommendation is to replace ubuntu with Debian 10 in which will allow you to get support should something broken with supervised version.

Hello,

Thank you all for your replies. I’m new to home assistant, no worries for me to replace my installation with a Debian 10 installation (also using virtual box and bridged mode).
Should I use this tutorial

Installing Home Assistant Supervised on Debian 10 - Community Guides - Home Assistant Community (home-assistant.io) ?

Well thanks for your opinion and comments. I’m not sure what you believe I am wrong about. As I said I am not a network expert, and know less about IPV6 than I do about IPV4 within my wheelhouse. So again, based on input from people I consulted that are more knowledgeable:

Disable IPV6 access for your private LAN on your ISP’s router/gateway/bridge device
If this is not possible, get a different ISP or place a router/gateway device between your ISP’s hardware and your private LAN that does disable IPV6 access from within your private LAN.

Try these tests from machines on your private LAN
# ping google's second dns server
ping6 2001:4860:4860::8844

# open google home page
http://[2607:f8b0:4007:802::1010]

# telnet v6 test
telnet 2a02:898:17:8000::42
# to see via v4
telnet towel.blinkenlights.nl
# <ctrl> ] to exit, cause I know you are telnet expert

https://ipv6-test.com/

If these show IPV6 access, and you should ask why this is necessary.

I know I could not pass this, u?
https://ipv6.he.net/certification/

Some thoughtful writing to read:
https://teknikaldomain.me/post/ipv6-is-a-total-nightmare/
https://www.darkreading.com/researchers-seek-out-ways-to-search-ipv6-space/d/d-id/1334213

That is abundantly clear.

Just more FUD from you.

(Sorry bout the offtopic IP stuff, I shouldn’t have contributed to that in the first place)

That should be a good guide for setting up the Debian VM, so you can do a setup from there and it should work pretty comfortably.

If you do happen to have something like a NUC or a Pi 4 spare, it would be more ideal to work with, since it will give a lot more power to your instance and it will handle better when you are using more devices with it, if you end up with lots. If you don’t have a tonne of devices you plan to connect to it though, a VM will be fine (depending how powerful the host computer is of course).
It is possible to migrate from a VM to a dedicated computer later on, generally, so you can change your mind later if you need to

I’m not sure why you would do this… If you install Debian then you can just install Supervised and get addons etc. If you want to use a VM then why not install Proxmox instead of Debain? I’m confused as to what you actually mean and wonder if what you mean is different to the description you are providing.

I would expect ALL of those to show IPv6 access as they are ALL outgoing connections. A firewall typically blocks INCOMING connections not outgoing. There would be no point using IPv6 at all if it can’t connect to anything.

As a matter of fact I not only passed it, I wrote a blog post in detail showing you how you can pass it.
You shouldn’t criticize a technology you know nothing about. I agree with @DavidFW1960 that you really shouldn’t panic other people, when you yourself cannot explain the reason.

There is nothing wrong with IPv6 and in fact, we’ll all be running it in a few years, because as David pointed out, there are no more IPv4 addresses.

My network passes ALL of those tests, because I consciously set it up to work on IPv6. Just like I consciously set up my network to do IPv4. Further, any decent firewall blocks BOTH incoming and outgoing connections. You’re required to configure NAT, DHCP, and port forwards yourself. Anyone typing IP addresses (either v4 or v6 / internally or externally) shouldn’t be passing along advice on networking.

My router won’t (so far as I know) filter outgoing but definitely stops incoming connections I have not explicitly allowed IPv4 AND IPv6. With my HA server, it allows incoming on 2 ports one of which maps to HA via a reverse proxy, the login of which is protected by 2FA as well. The other port will fall foul of 5 incorrect login attempts via fail2ban. Quite apart from the fact that the domain has no way of being contacted externally over IPv4 and uses high non-standard ports I would rate the ‘risk’ I am taking as far less than someone using Duckdns with IPv4 is taking.

David, what are you using as a firewall? Just curious. I’m running pfSense and it most definitely blocks incoming and outgoing.

As for everything else, agreed. All you have to do is run a Shodan search and you can find hundreds of HA installations open on the Internet. Bad mojo there and having a Nabu Casa or DuckDNS proxy doesn’t help. That’s why I run a automation to explicitly disable my Nabu Casa remote access if I’m at home.

Rob I use the firewall in my Fritz!Box. It lets me just open up a port to HA machine but so far as I know it doesn’t filter anything outgoing. I have never seen my system on Shodan. Also when I have viewed the Caddy logs I have not seen any attempted hacks…