HTTPS works from outside the LAN but not from inside

In my search I found some threads that sounded like this issue, but they were trying to connect to the api. Still maybe related, but the topic moved and they are old, so I started this one.

I can connect from outside to HA (https://xxxx.duckdns.org:8123) but the same URL in a browser on the local LAN does not.
When I was trying to get SSL working there was a post that mentioned ports 8123 and 108123 and why. I wonder if that has something to do with my issue, but I can’t find it now.
It may be hard to make out the columns for the port forwarding, 443 is linked to 443 and 8123 is linked to 8123.
Not sure if it is related. I am on hass.io, and used the add-on installer to install duckdns and letsencrypt. As part of getting HTTPS up, I read if you have duckdns on hass.io do not install letsencrypt, so I shut down its service. Did I mess something up doing that?

My configurations

http:
  api_password: !secret http_password
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Server Name	External Port Start	External Port End	Protocol	Internal Port Start	Internal Port End	Server IP Address	WAN Interface
Home Automation SSL	443	443	TCP	443	443	192.168.1.160	veip0.1
Home Automation SSL	8123	8123	TCP	8123	8123	192.168.1.160	veip0.1

It sounds to me like your router is not redirecting to the external address. I have seen this issue, please try to connect to: https://local ip address:8123. You may get a cert error since the cert is not registered to the ip address, but you should be able to add an exception to your browser and it will work. The other option is a static route to the outside world in your router.

You are probably looking for Hairpin NAT. Enable hairpin NAT (also known as “NAT loopback” or “NAT reflection”).

Enable this on your router.

I had the same problem, restarting the router solved the issue (don’t ask me why ^^)

@doubleUS thanks for the term, that sounds like it. I have an Adtran 424rg, I need to ask them. I don’t remember seeing anything like that.
I will report back when I have something.

I had the same issue and my crappy ISP-provided router barely lets me login let alone make a lot of changes. I just put an entry in my host file to access internally.
That pointed homeassistant.local back to the IP directly works no problem for me.

My work provided laptop blocks anything going to duckdns anyway so this also gets me around that when I am at home.

This is almost certainly the reason.
Not all routers support it though.

Worked for me too. :clap::clap::clap:
To be clear for future, any device connecting from the local LAN needs to hack the hosts conf file and add the IP and the DNS name.

Thanks again to all who responded.
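
Added example (not part of any post in this thread): a small check, run from a machine on the LAN, that shows which of the paths discussed above a client is actually taking and why a hosts/DNS override keeps the certificate valid while connecting by bare IP does not. The hostname is the placeholder from the first post and the LAN IP is taken from its port-forward table; both are assumptions to replace with your own values.

```python
import ipaddress
import socket
import ssl

# Assumed values for illustration: placeholder hostname and the LAN IP from the
# port-forward table in the first post. Replace both before running.
HOSTNAME = "xxxx.duckdns.org"
LAN_IP = "192.168.1.160"

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(resolved_ip: str) -> str:
    """Which path does a LAN client take for the address its resolver returned?"""
    ip = ipaddress.ip_address(resolved_ip)
    if any(ip in net for net in RFC1918):
        return "split-dns"       # hosts file or internal DNS answered with the LAN IP
    return "needs-hairpin"       # WAN IP: only works if the router does NAT loopback

def resolve(hostname: str) -> str:
    """First IPv4 answer from the local resolver (the hosts file is consulted too)."""
    return socket.getaddrinfo(hostname, None, socket.AF_INET)[0][4][0]

def tls_check(hostname: str, connect_ip: str, port: int = 8123,
              timeout: float = 5.0) -> str:
    """Connect to connect_ip, but validate the certificate against hostname."""
    ctx = ssl.create_default_context()   # full chain and hostname verification
    try:
        with socket.create_connection((connect_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return f"cert-error: {exc.verify_message}"
    except OSError as exc:               # refused or timed out
        return f"connect-error: {exc}"

if __name__ == "__main__":
    answer = resolve(HOSTNAME)
    print("resolver answer:", answer, "->", classify(answer))
    print("via resolver answer:", tls_check(HOSTNAME, answer))
    # Same effect as a hosts/dnsmasq entry: LAN IP on the wire, real name in the cert check
    print("via LAN IP, real name:", tls_check(HOSTNAME, LAN_IP))
    # What https://<ip>:8123 does: the name check fails, hence the browser exception
    print("via LAN IP, IP as name:", tls_check(LAN_IP, LAN_IP))
```

If the second line reports a connect error while the third reports ok, the router lacks NAT loopback and a local name override is the fix that keeps certificate validation on.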

I got to check when I get home but I think my android phone on wifi works internally as a side note. I use the same icon for internal and ext. Glad you're working, I fought with that for a bit before saying screw it and doing a host file.

Now that you say that, I don’t think mine did work last night. I will have to retry it.
Time to google to see if Android has a host conf that un-rooted can get to. I doubt it very seriously.
We are currently porting some Win CE apps to an Android at work. It has been a transition to how sandboxed Android OS is.

I just checked, my router actually does have NAT loopback, that is why my Android phone can use my duckdns address. Now thinking back I had to host file it to get around my work's restrictions on Duckdns :). But glad it worked for you as well.

Tested phone and it does not work. If I turn off WIFI, let it switch to cell, then it does. Looking at my router, it does not support NAT Loopback.
I got confused for a second, I was getting a log on page. I started wondering if the page was cached, so after some searching I found the only way to clear is use an incognito tab. Then I got a connect refused message. Short of a rooted phone, there is no fix. This worries me when I try to mess with tablets since they are Android.

What about an internal dns server? that you can create a manual entry in. Doesn’t HA have a dns addon that you can turn into your internal dns. I think it does but never used it. Might inject a bit of slowness resolving external though. But might get around the lack of loopback nat and would eliminate host files.

maybe???

Think I found an answer. It could come in handy in the long run for other things.
The hass.io addon at https://github.com/bestlibre/hassio-addons has two addons …

Nginx Proxy
Nginx proxy with multiple vhosts and optional ssl
Certbot
Ssl certificate creation/renewal with let’s encrypt

Using these instead of the built in version lets you specify a list of hosts. So my.ddns.net 443 and 80 get proxied to 8123. That leaves 8123 open for local access. The Certbot builds certs from a list of domains and puts one in each directory that you specify in the Nginx configurations.
I think you can actually let it authenticate with a name and password. Just starting to play with that.

Also, if I read it right, you can proxy to a different IP.

I hope that as long as I see the lock I am good.

Ok I am not familiar with hass.io, because I am running HA on an Ubuntu machine, but there is no need to set up different ways of access from internal and external networks.
In my understanding nginx proxying is used for “hiding” 8123 port (or whatever port your HA instance is using), this gives a little extra security, against hacking your HA instance, because at first look you can not determine what is running on port 443, but if you open up port 8123 to the whole world, then it is obvious that you are running HA.
Also with geoip rules you can configure nginx to allow certain countries only.
But first of all and most importantly you should read up on DNS name resolution and/or bind9 …

cheers
tom

I’ve tried dnsmasq and pointed a few mobile devices to it. Lookups work with 8.8.8.8, but the hosts entry with my hass.io ip doesn’t work.

{
  "defaults": [
    "8.8.8.8",
    "8.8.4.4"
  ],
  "forwards": [],
  "hosts": [
    {
      "host": "mydomain.duckdns.org",
      "ip": "192.168.1.100"
    }
  ]
}

Sorry for making this a zombie thread, but I am having the exact same issue. Did you ever figure out how to get homeassistant.local to resolve to your home assistant’s local IP after setting up the dnsmasq add-on?