LetsEncrypt/Port Forwarding - Trouble accessing internally

I’m running HA installed via the AIO installer in a virtual environment on a Raspberry pi 2 model B.

I’ve just set up port forwarding and encryption on my HA setup, and my wife and I can access it from our cell phones when using cellular data.

However, when I’m at home and on my wireless network, I cannot access my.pi’s.ip.address:8123. I’m told the site cannot be reached. I also cannot hit https://my-domain-prefix.duckdns.com nor can I hit my-domain-prefix.duckdns.com. I CAN go to https://my.pi’s.ip.address:8123 from inside my network and I get a warning that the connection is not secure, but I can finally proceed to the HA front-end.

I’ve looked everywhere I can, but the only clue I have is that it might have something to do with my router’s NAT settings. Can anyone help me out?

Check to see if your router supports loopback. That’s likely the issue.

You might be able to build yourself a workaround via your computers HOSTS file. Hit Google and search for HOSTS + your OS name if you’re unfamiliar with it.

Well, some googling and I’ve learned my particular router doesn’t support loopback.

Does this mean that (as long as I’m using this router) I can’t have a setup that’s accessible both inside and outside my network?

If your router supports making a static DNS entry, you can make one the same name but pointing to your internal IP.

Since you are using a secure connection, you need to point your browser to the external address because that is what your SSL certificate is configured with. As rpress pointed out, if you create a DNS or host entry that resolves the external FQDN to your internal IP address, that might cut out a network hop.

If your router supports making a static DNS entry, you can make one the same name but pointing to your internal IP.

I’ve a section titled Static Routes with fields for Destination Address, IP Subnet Mask, Gateway IP Address, and Metric. Am I in the right place?

I’ve assigned a static internal IP to my raspberry pi.

If it helps my router is a Netgear WNR1000v2.

This is so odd! I have the same issue, but the only thing is that I never had this issue before! I just got it tonight for no particular reason. I am on the latest HA update and haven’t updated my router software either. I’m not sure what gives?

Edit: I use merlin for my Asus router software and was using merlin’s NAT Loopback and that seemed to be the issue. I changed from Merlin to Asus and the issue is resolved now.

I don’t think you can do it with that router, unless you install some kind of new firmware like Tomato.

You can also try changing the hostname on your Pi to your full duckdns name. Your router might take that from DHCP and make a local DNS A record.

I don’t think you can do it with that router, unless you install some kind of new firmware like Tomato.

Well dang. After googling around to see which open firmware I could explore between the big three of dd-wrt, open wrt, and tomato, it looks like the only one to officially support my router is open wrt. I only express disappointment because, while I’m familiar and comfortable with Linux CLI, I’d prefer having a web interface for administration.

Looks like I might be SOL on this.

DD-WRT has a web configuration interface.

Also - you can do the HOSTS thing I mentioned. It’s like setting a static DNS entry, but device by device. I’m not sure you can do it with a phone, but you can do it with a computer.

Yeah. Unfortunately my router has been listed as a WIP on the website for a while.

For my use case, we’ll be interacting with Home Assistant via our cell phones 99% of the time .

Thanks for the help and answers guys. Looks like I’ll be putting a new router on my Christmas list!

Did you try changing the Pi hostname like I mentioned? Maybe it will work.

I’m a big fan of the Mikrotik hAP ac. It has very powerful software.

Thanks for the recommendation. That’s an incredibly reasonably priced router. Is there dd-wrt support?

It runs a Mikrotik specific OS called RouterOS, which is based on Linux. You can check out the demo at the site below.

I’ve not yet had a chance to sit down and try this. I’ll give it a shot and report back.

I had the same issue.
You can check if your router supports NAT loopback if you use tracert on Windows or traceroute on *nix systems. If they resolve your internal IP when tracing from an internal address, the loopback is available.
What remains is a redirection between ports. I couldn’t find a way to do this, but it turned out, that I had to setup an nginx proxy for it… https://home-assistant.io/docs/ecosystem/nginx/ to work on port 443 which was already forwarded.

So I should run traceroute <my_pi_ip_address> and see if it resolves? It appears to. Since my first post, I’ve obtained a new router that’s running OpenWRT but I’m just lost when it comes to networking. There are options in the Firewall section for Traffic Rules, but again I’m not sure how to configure it to allow what I need.

You have to do a hairpin NAT (Loopback NAT) I believe.

Try to google it, maybe its in luci?
Otherwise ping me.

So my brother gifted me a router running Advanced Tomato and I’ve enabled Loopback and everything is working perfectly now: HTML5 notifications, I can access it internally, and I hope to add Google Home support soon for voice commands! Thanks for helping me understand the issue and solution.

sorry for necroposting, but i hope, you can help me.
I’m using mikrotik router and set letsEncrypt/port forwarding and can access to Home assistant from wan, but can’t from lan.
Try your advice “If your router supports making a static DNS entry you can make one the same name but pointing to your internal IP” - doesn’t help(
When I ping my example.duckdns.org i see my rPi ip, but when i try to onep it in browser get “This site can’t be reached”.
I tried to setup hairpin NAT (Loopback NAT) by mikrotik wiki instructions - doesn’t help.
If you have working home assistant external/internal configuration for mikrotik, can you share with my.
Thanks.