IP filtering whitelisting?

I’m slightly confused on how to achieve this:

HTTP component IP filtering will block brute-force attempts by banning after attempt limits.

Great I thought, I’ll add it into my HA.
But occasionally there is an invalid login message. Looking around, it seems normal. So it’s okay. Not okay, however, when somehow my router address got banned. Considering I always use the external address, access on ALL devices has been banned.

So I would like to whitelist my router address, ensuring that when accessing from home Wifi, when I need HA the most and am most likely to generate false invalid login attempts, it never gets banned.

But looking at the trusted networks configuration options, I see it will not only whitelist the IP against bans, it will also remove the need to log in via password! Way too much power is handed to this network.

Unless I’ve missed something: There doesn’t appear to be any middle ground between IP banning and a completely trusted network.

Yes, Home Wifi is a trusted network. But I don’t trust it so much I want to remove any form of authentication, even for guest users.

In other words, IP filtering whitelisting appears to be missing.

Sorry for the bad news, but you are better off getting a dedicated firewall appliance and separating your networks. Manage your routing via the network appliance and control who can see what via physical LAN and VLAN separations.

You don’t need anything expensive, just a decent router supported by something like the openwrt or tomato firmwares.

I already do most of that on Asuswrt-merlin router.

But even with security on the router, marking router address as trusted will never be a good solution.

The IP filtering function itself needs some sort of whitelisting feature.

This is what use_x_forwarded_for does:
it passes the IP through the router so HA can see the source IP address and not just the router.
You must be careful with this, else you provide access by mistake.

You must also set up trusted_proxies.
This is just an IP you know is on your network that devices appear to originate from. If you have docker you must set this.

This is my bit of config:

http:
  base_url: !secret http_base_url
  use_x_forwarded_for: true
  trusted_proxies: 172.30.0.0/16
  ip_ban_enabled: true
  login_attempts_threshold: 5

(The 172.30.0.0/16 entry is for the nginx reverse proxy addon.)

If I recall correctly, I did try this without success. I’ll give it another try tonight.

  trusted_proxies: 
    - 172.30.0.0/16
    - 192.168.5.1

Is there something I’m missing?

How does the traffic flow if I use external address and have reverse proxy enabled?
LAN -> Router -> Reverse proxy -> HA ?

WAN not LAN but I think you get it

Ultimately, you should not be banned on all devices because one device got banned.
Again, you must be careful with these settings, else you set some external IP as trusted, but your current IPs look OK.

EDIT
Your reverse proxy must also x_forward something.
So make sure your proxy settings are correct, else all devices still appear to come from the same address.

Just tried with

# HTTP setup
http:
  base_url: !secret http_base_url
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.0.0/16
    - 192.168.5.1  # the router address

HA still reports invalid login from .5.1 even though I tried to log in from .5.20 using public address.

I think the traffic goes from LAN to Router, which then gets NAT loopback to the Home Assistant server IP. I’m unsure what happens after that: How does the reverse proxy work here? Why does the router address get reported?
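To make the use_x_forwarded_for / trusted_proxies behaviour discussed above concrete, here is an added, simplified model of how a server keys its ban counter when a trusted proxy forwards the client address. It is example code, not Home Assistant's own implementation, and the addon address 172.30.33.2, the phone address 192.168.5.20 and the WAN address 203.0.113.9 are constructed values; the router and proxy ranges are the ones posted in the thread.

```python
import ipaddress
from typing import Optional, Sequence

def _is_trusted(ip, trusted) -> bool:
    return any(ip in net for net in trusted)

def client_ip_for_ban(peer_ip: str, xff_header: Optional[str],
                      trusted_proxies: Sequence[str], use_x_forwarded_for: bool) -> str:
    """Address that login-attempt counting and IP bans are keyed on (simplified model)."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = ipaddress.ip_address(peer_ip)
    # The header is honoured only when the option is on AND the TCP peer is a
    # trusted proxy; otherwise any client could spoof X-Forwarded-For.
    if not use_x_forwarded_for or not xff_header or not _is_trusted(peer, trusted):
        return peer_ip
    try:
        chain = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    except ValueError:
        return peer_ip  # malformed header: fall back to the peer address
    # Walk from the right (the hop nearest us) past trusted proxies; the first
    # untrusted hop is the client. Leftmost entries are attacker-controlled.
    for hop in reversed(chain):
        if not _is_trusted(hop, trusted):
            return str(hop)
    # Every hop is a trusted proxy: nothing better than the leftmost address.
    return str(chain[0])

# Constructed scenarios mirroring the thread's config (addresses are examples).
TRUSTED = ["172.30.0.0/16", "192.168.5.1"]
NGINX_ADDON = "172.30.33.2"   # assumed address of the proxy addon
ROUTER = "192.168.5.1"
PHONE_ON_LAN = "192.168.5.20"

def scenarios() -> dict:
    return {
        # The proxy forwards the router address: if NAT loopback already rewrote
        # the phone's address (as the poster suspects), the router is all the
        # proxy ever saw, and listing it in trusted_proxies changes nothing.
        "nat_loopback": client_ip_for_ban(NGINX_ADDON, ROUTER, TRUSTED, True),
        # The proxy forwards the real LAN client: the ban is keyed on the phone.
        "real_client": client_ip_for_ban(NGINX_ADDON, PHONE_ON_LAN, TRUSTED, True),
        # Header sent by an untrusted WAN peer: ignored, peer address is used.
        "spoofed": client_ip_for_ban("203.0.113.9", PHONE_ON_LAN, TRUSTED, True),
        # Option off: every request appears to come from the proxy itself.
        "option_off": client_ip_for_ban(NGINX_ADDON, PHONE_ON_LAN, TRUSTED, False),
    }
```

The "nat_loopback" case reproduces the symptom in the last post: a proxy can only forward the address it was handed, so once the router has replaced the LAN source the reported address is the router's whether or not it is listed as a trusted proxy.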