HTTP component IP filtering will block bruteforce attempts by banning after attempt limits.
Great I thought, I’ll add it into my HA.
But occasionally there is an invalid login message. Looking around, it seems normal. So it's okay. Not okay, however, when somehow my router address got banned. Considering I always use the external address, access on ALL devices has been banned.
So I would like to whitelist my router address, ensuring that when accessing from home Wifi, when I need HA the most and am most likely to generate false invalid login attempts, it never gets banned.
But looking at trusted networks configuration options, I see it will not only whitelist the IP against bans, it will also remove the need to log-in via password! Way too much power is handed to this network.
Unless I’ve missed something: There doesn’t appear to be any middle ground between IP banning and a completely trusted network.
Yes, Home Wifi is a trusted network. But I don’t trust it so much I want to remove any form of authentication, even for guest users.
In other words, IP filtering whitelisting appears to be missing.
Sorry for the bad news, but you are better off getting a dedicated firewall appliance and separating your networks. Manage your routing via the network appliance and control who can see what via physical LAN and VLAN separation.
You don't need an expensive one, just a decent router supported by something like OpenWrt or Tomato firmware.
This is what use_x_forwarded_for does:
it passes the IP through the router so HA can see the source IP address and not just the router.
You must be careful with this, else you provide access by mistake.
You must also set up trusted_proxies.
This is just an IP you know is on your network that devices show as originating from. If you have Docker you must set this.
Ultimately, you should not be banned on all devices because one device was banned.
Again, you must be careful with these settings, else you set some external IP as trusted while your current IPs look OK.
EDIT
Your reverse proxy must also X-Forward something.
So make sure your proxy settings are correct, else all devices still appear to come from the same address.
HA still reports an invalid login from .5.1 even though I tried to log in from .5.20 using the public address.
I think the traffic goes from the LAN to the router, which then gets NAT-loopbacked to the Home Assistant server IP. I'm unsure what happens after that: how does the reverse proxy work here? Why does the router address get reported?
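A worked model of the two points raised above (the `use_x_forwarded_for` / `trusted_proxies` advice, and the follow-up question of why every login still shows up as the router's address). This is an added example, not Home Assistant's own middleware or any code from this thread; the addresses 192.168.5.1 (router), 192.168.5.20 (laptop) and 192.168.5.30 (phone), the threshold of 5, and the rightmost-untrusted-hop rule for walking `X-Forwarded-For` are all assumptions chosen to illustrate the behaviour, and the exact handling in the real integration may differ in details.

```python
"""Model of per-IP ban accounting behind a NAT-loopback / reverse-proxy path.

Added example, not Home Assistant's code. Shows why, when the proxy's address
is not trusted or the proxy does not send X-Forwarded-For, every client is
accounted against the router's address and one ban locks everybody out.
"""
import ipaddress
from collections import Counter

# Constructed addresses for the scenario in the thread (assumptions).
ROUTER = "192.168.5.1"   # peer address HA sees after NAT loopback / proxy
LAPTOP = "192.168.5.20"  # device that actually failed to log in
PHONE = "192.168.5.30"   # innocent device on the same LAN
LOGIN_ATTEMPTS_THRESHOLD = 5  # constructed; HA's option is login_attempts_threshold


def _is_trusted(addr, trusted_proxies):
    """True if addr falls inside any CIDR listed in trusted_proxies."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in trusted_proxies)


def resolve_client_ip(peer_ip, x_forwarded_for, use_x_forwarded_for, trusted_proxies):
    """Return the address a request is attributed to.

    If forwarding is off, no header is present, or the TCP peer is not a
    trusted proxy, the header is ignored and the peer itself is the client.
    Ignoring headers from untrusted peers is what stops a client from simply
    claiming another address. Otherwise walk the header from the right and
    skip trusted proxies; the first untrusted hop is the real client.
    """
    if (not use_x_forwarded_for or not x_forwarded_for
            or not _is_trusted(peer_ip, trusted_proxies)):
        return peer_ip
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted_proxies):
            return hop
    return hops[0]  # every hop was a trusted proxy; fall back to the origin


class BanTracker:
    """Counts failed logins per attributed address and bans at the threshold."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.failures = Counter()
        self.banned = set()

    def failed_login(self, client_ip):
        self.failures[client_ip] += 1
        if self.failures[client_ip] >= self.threshold:
            self.banned.add(client_ip)

    def is_banned(self, client_ip):
        return client_ip in self.banned


def simulate(use_x_forwarded_for, trusted_proxies, proxy_sets_header):
    """Laptop fails to log in `threshold` times via the router, then the phone
    makes one request. Returns (banned addresses, whether the phone is blocked).
    `proxy_sets_header` models whether the reverse proxy adds X-Forwarded-For.
    """
    tracker = BanTracker(LOGIN_ATTEMPTS_THRESHOLD)
    laptop_xff = LAPTOP if proxy_sets_header else None
    for _ in range(LOGIN_ATTEMPTS_THRESHOLD):
        tracker.failed_login(
            resolve_client_ip(ROUTER, laptop_xff, use_x_forwarded_for, trusted_proxies))
    phone_xff = PHONE if proxy_sets_header else None
    phone_seen_as = resolve_client_ip(ROUTER, phone_xff, use_x_forwarded_for, trusted_proxies)
    return sorted(tracker.banned), tracker.is_banned(phone_seen_as)


if __name__ == "__main__":
    # 1. No forwarding at all: the router is banned and the phone is locked out too.
    print(simulate(False, [], True))
    # 2. Forwarding on, router trusted, proxy sends the header: only the laptop is banned.
    print(simulate(True, [ROUTER + "/32"], True))
    # 3. Forwarding on and router trusted, but the proxy never sets the header:
    #    back to everyone sharing the router's address (the EDIT in the thread).
    print(simulate(True, [ROUTER + "/32"], False))
```

The three `simulate` calls map onto the `http:` settings `use_x_forwarded_for` and `trusted_proxies` in configuration.yaml (with `ip_ban_enabled` and `login_attempts_threshold` controlling the ban itself); case 3 is the situation described at the end of the thread, where the setting is on but the hop in front of HA is not forwarding the client address. Keep `trusted_proxies` as narrow as the single proxy address: a trusted entry does more than exempt that address from bans, it tells HA to believe whatever `X-Forwarded-For` that peer sends.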