I’ve been using HAOS for quite a while with the trusted_networks option to allow local logins without needing to enter a password. I’ve got 3 users and each of those have 2-factor authentication enabled, but with the trusted_networks enabled there has never been a need to use 2FA unless you aren’t on the local network - just select your User name and click on Log In. I also have IPv6 enabled on my router as well as in HA, but recently realized that I didn’t have IPv6 enabled on my Windows laptop. As soon as I enable IPv6 on the laptop trusted_networks no longer works. I get presented with a prompt to provide a username and password, followed by a prompt for my 2-factor 6 digit code. If I disable IPv6 on the laptop everything works like it always has - no password or 2FA code needed.
I found in the documentation (https://www.home-assistant.io/docs/authentication/providers/) the following note: “The multi-factor authentication module will not participate in the login process if you are using this auth provider.” Not sure what that means as I’ve been using 2FA with trusted networks for a few years.
Is there any reason I can’t use trusted networks with IPv6 enabled on my laptop?
I’ve been trying to add my IPv6 subnet to the list of trusted networks, but I’m not sure of the correct syntax. The examples show things like - fd00::/8 or - ::1. My laptop IP starts with 2601:840:4201. I tried adding - 2601::/24 but that caused HA to boot into safe mode.
I was using a browser shortcut that pointed to http://homeassistant:8123, and I found that when I ping homeassistant with IPv6 disabled it replied with the v4 IP address, but with IPv6 enabled it responded with the v6 address. So once IPv6 was enabled on the laptop it defaulted to the v6 address, and without having the correct entry in my trusted_networks it wouldn’t recognize that the laptop was indeed local.
I’m running HAOS as a Proxmox vm, and when I went into the pve shell and ran the command “ip -a” it showed that the IPv6 address was fe80::2088:xxxx:xxxx:xxxx/64. I could have got the fe80 part by using the command ping -6 homeassistant. I also discovered that my ISP uses the /64 prefix delegation size by Googling it.
fe80 denotes link local. (think. 192.168.x.x or 10.x.x.x) The second grouping however is a unique network. Therefore that traffic should stay on the local segment. It’s like 192.168.100.0/24 v. 192.168.200.0/24 (read:they’re not valid to be routable across the internet and should be fine)
Your correct but, he’s allowing all fe80::/64. Ultimately it doesnt matter but I didnt think his goal was to allow any device on the network access.
he should change to fe80:2088::/32 in that case correct?
Asking because I spent that last month trying to wrap my head around ipv6 and some of the details are still a mystery.
Yea, never fully understood IPv4 subnetting, but IPV6 is a completely different beast!
With my IPv4 network I have 3 network ranges; one for laptops, HA, etc…, one for IOT devices and one for Guest. I use the 172.16.0.0/24 for trusted networks because the IOT and Guest devices are on different networks (192.168.20.x and 192.168.30.x) and I don’t want those to have access to HA or the entire 172.16.0.x network.
If I ping my HA IPv6 I get fe80::2088:xxxx.
If I ping my laptop IPv6 I get fe80::c924:xxxx.
So it seems that I should be using something like fe80::/32 because everything on my local network could have a different value beyond the fe80::. Is that part called the Interface ID?
My goal would be to only allow the network used by HA and my laptops (both IPv4 and IPv6) to be considered as a trusted_network.
Do any IOT devices use IPv6 addressing? If so, how would you determine their IP? I’m using a Unifi UDM and it seems to only show a devices IPv4 IP, even for my laptop.
I realize that this is becoming a class on IPv6 and may be beyond the scope of just Homeassistant, but if we’re all supposed to get on the v6 bandwagon it would be nice if someone could put together a simple primer for the non-technical for how to identify these segments on your network and how to properly configure HA to work with it. Thanks for helping!
fe80 is self assigned by device and used on local network. I think devices uses its make to create this. As was previously said it is not routeable but every device on the network using ipv6 will have fe80 address, even IOT devices
fe80 is not dhcp address or whatever ipv6 calls or uses. For this reason I personally would not grant unchecked access to any devices using fe80 address. Ultimately, I don’t think it matters that much because “if they’re on your local network” and all. I have no real concern about local IOT device accessing HA but as a practice I try to limit access.
IPv6 is enabled but is your router handing out IPv6 IPs or just passing traffic?
I just started using IPv6 because of matter devices. I have vlan network that is both ipv4 and IPv6 but while ipv4 has internet IPv6 is blocked(I think… again still learning and firewall rules are hard)
I have matter devices using something like 2006:3232:2000::
My servers are using something like 2006:3232:1000::
I would feel comfortable putting 2006:3232:1000:: IPs in allow list
I would not feel comfortable with 2006:3232:2000:: , 2006:3232:: or fe80:: in allow list even if they are all local. I hope that example makes more sense.
They are NOT ROUTABLE at all, not even on the local networks.
fe80 will exist on every IPv6 enabled interface on a device, but it will not be the same network.
This is where IPv4 and IPv6 differs a lot. In IPv4 you would not be able to have 192.168.1.0/24 on multiple interfaces, unless that was actually the same network.
I’m OK with allowing anything on the same network as my laptop and HA to be allowed to log into HA with trusted_networks. I can disable IPv6 for my Guest and IOT networks which would eliminate any devices there that would be using IPv6. I’m currently trying to scan my network using NMAP to see if there are any other devices that have picked up a IPv6 IP.
I’m still not clear on what to use for trusted_networks for IPv6 given that both HA and the laptop (and other laptops/computers/phones) are all on the same IPv4 network (172.16).
My laptop is fe80::c294, my HA is fe80::2088, my phone shows 2601:. Why no link local for the phone? How do I know if my router is handing out IPv6 to clients or just passing traffic? I would have thought that a client receiving an fe80:: IP means that it was assigned by the router. Client Address Assignment shows it’s using SLAAC.
I would argue it’s a minor difference, mainly that fe80::/64 link local addresses (LLA) are mandatory. They are analogous to IPv4 address range 169.254.0.0/16 which is auto configured when a dhcp server can’t be found. Just like IPv4 they can’t be routed, but unlike IPv4 they are on every interface in addition to other (optional) addresses.
IPv4 private subnets like 192.168.0.0/16 are comparable to IPv6 unique local addresses (ULA), which start with fdxx (you pick the xx). Just like IPv4, these are routable within your LAN but not outside of it.
No, fe80 addresses are autogenerated by the device OS for every interface. IPv6 routers don’t hand out addresses, they announce subnets and let the devices pick their own address. So if you want to route IPv6, meaning pass traffic between subnets (that’s what routing means) your router needs either a ULA (fdxx) subnet defined, or a GUA subnet (from your ISP) defined. Without either of these, you can still use IPv6 with LLA (fe80) addresses on your LAN but you can’t route between subnets / vlans.
The Temporary IP is the one that shows when I visit a “what’s My IP” web page.
So using fe80::/32 would treat any IPv6 device on any of my 3 local networks (primary, IOT and Guest) to be treated as trusted_network?
If fe80:: is assigned locally by every IPv6v device, does that mean that someone who joins my Guest WiFi network and get’s an IPv4 IP would also be treated as being on a trusted network because they also have a default fe80:: assigned to them?
I’m assuming that using anything like 2601:: for trusted_networks would NOT be a good idea? I thought that the more I dug into this the clearer it would become, but the confusion seems to be growing!
Yes they get an fe80 address because everybody does.
But can they get to your HA server? That depends on your network topology. If your guest wifi is a separate broadcast domain (vlan) from your HA server, then by definition traffic needs to pass through a router to get from one vlan to another. Even though fe80 addresses are on both vlans, a router will not pass that traffic because fe80 addresses are unroutable. You should be able to verify this with your laptop.
But if this makes you nervous, you might be able to also configure your router to define a ULA subnet for your HA/trusted vlan only. Your router will announce to devices on that subnet they can assign themselves another address, this one starting with fdxx (you pick the xx) and then you can make that your trusted subnet for HA authentication. Unfortunately every router is different and I can’t guarantee yours supports this option.
Marking this as the solution. I’m going with - fe80::/64 and can confirm that I can’t get to HA from one of the other vlan’s, although I didn’t disable any firewall rules to confirm if that’s what is preventing it. My Unifi UDM doesn’t appear to support ULA subnets yet.
Next up on the IPv6 deep-dive: Configuring my router, and AdGuard Home running in a Proxmox lxc to make sure that IPv6 DNS requests are being filtered.