I am running Home Assistant OS. I would like to allow other add-ons and homeassistant to talk to the Mosquitto add-on using port 1883 without exposing that port on the host itself. I don’t want to allow insecure connections from the outside world but I don’t have a problem doing that inside the docker network.
Currently this is impossible though because if you don’t expose that port on the host then the add-on doesn’t set up that port at all. Nothing can talk to it inside or outside the docker network.
I would like that port to be set up for internal usage only even if port 1883 is not exposed on the host. Or a setting that allows me to set up that port for internal usage only without exposing it on the host.
And how would your other devices (let’s say an MQTT based light) talk to the MQTT broker if it’s only available in your docker network?
The only ways I know of are linking the docker containers or creating separate docker networks, but both are probably not possible with Home Assistant OS without some non-persistent workarounds.
They wouldn’t be able to. People that need that would have to expose a port on the host. Which I’m not saying should be prevented at all, anyone that needs that should still be able to do that.
I’m just saying I would like an option that allows people like me, who only have other add-ons and HA talking to the broker, to keep it fully internal and not require exposing a port on the host.
I’m curious, what add-ons are you using and don’t these have other means to talk to HA than MQTT?
The primary one is Zigbee2MQTT and no that one does not have any other way to talk to HA. I could use a different add-on for zigbee but that one works well for me so I don’t really see a reason to switch.
Everything else is related to that. HA needs to talk to MQTT in order to get messages from Z2M. And I have Node RED talking to MQTT basically just so my automations can send messages back to Z2M (like for triggering OTA update requests, there’s no service call for that).
I see, so you don’t have any devices that talk to the MQTT broker directly, only indirectly through the respective add-on.
But why don’t you want to expose the port to the local network? It’s not like this port will be exposed to the public, when it’s exposed on the host.
Totally fair point. You’re right, it is only internal and so it probably isn’t a big deal. I wouldn’t call this a major issue at all.
I guess the security disclosure a few weeks ago just made me more conscious of the risks I run with so much data in HA, and so I’m trying to proactively lock down anything I can. You’re right, nothing currently has given me the impression that exposing this port on my network is unsafe. But at the same time, if I don’t need to expose the port (and I don’t, since only things on the docker network talk to it), I would prefer not to.
Also, a few times now when I’ve shared my add-on configs in the discord chat on add-ons to try and debug an issue, Frenck has pointed out that I don’t need to expose ports on the host if only HA is talking to the add-on and recommended I don’t unless I have to. Since this is a situation where I can’t follow that advice, I thought it would be good to raise a feature request so people can follow that guidance in the future, given it is a best practice.
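A quick way to check which side of this boundary a port is actually on is to look at what the host is listening on, rather than at the add-on's port setting. The script below is an added example for this thread, not code from Home Assistant, the Mosquitto add-on or any poster: it filters `ss -Hlnt` output for listeners on a given port that are bound to a non-loopback address (so reachable from the LAN). The sample `ss` lines it runs against are constructed for the example, not captured from a real installation, and the function name `host_exposed_listeners` is my own.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of any Home Assistant add-on.
# Audits `ss -Hlnt` style output for TCP listeners on a given port that are
# bound to a non-loopback address, i.e. reachable from outside the host.
# A broker that only serves containers on the internal Docker network should
# produce no output here at all.

# host_exposed_listeners PORT
#   Reads `ss -Hlnt` lines on stdin, prints the local address:port of every
#   LISTEN socket on PORT whose bind address is not 127.x.x.x or ::1.
#   Exit status 0 = nothing exposed, 1 = at least one exposed listener.
host_exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            local = $4                          # column 4 is Local Address:Port
            if (!match(local, /:[0-9]+$/)) next # split at the last colon
            addr = substr(local, 1, RSTART - 1)
            p = substr(local, RSTART + 1)
            if (p != port) next
            gsub(/\[|\]/, "", addr)             # strip IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") next
            print local
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample in `ss -Hlnt` format (hypothetical, not from a real host):
# a broker bound to all interfaces on 1883 (v4 and v6) and a frontend on
# loopback only.
SAMPLE_SS='LISTEN 0      128          0.0.0.0:1883       0.0.0.0:*
LISTEN 0      128             [::]:1883          [::]:*
LISTEN 0      4096       127.0.0.1:8123       0.0.0.0:*
LISTEN 0      4096           [::1]:8123          [::]:*'

if printf '%s\n' "$SAMPLE_SS" | host_exposed_listeners 1883 >/dev/null; then
    echo "port 1883: not reachable from outside the host"
else
    echo "port 1883: exposed on the host via:"
    printf '%s\n' "$SAMPLE_SS" | host_exposed_listeners 1883
fi
```

On a real host you would pipe live output in instead of the sample: `ss -Hlnt | host_exposed_listeners 1883`. Empty output (exit 0) means no process on the host itself is accepting 1883 from the network; anything printed is a bind address a device on the LAN could connect to, which is exactly the mapping the feature request wants to be able to leave out.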
You have my vote
I don’t have any use for it, but sounds like a feasible request to me.