NAT loopback with reverse proxy on Synology

Hi,

I have a bit of an issue with NAT loopback for my HA, the specific is that I’m not only running HA but also a reverse proxy out of a Synology and I cannot seem to find the answer anywhere else.

Let me first detail my setup, explain what I can do locally and remotely and finally what the issue is (reaching my HA on the local network by using the external address)

I have the external address:

My local setup is:

  • Router at 001.001.001.001
  • Home Assistant on a Pi (123.123.123.123)
  • Synology NAS (456.456.456.456)
  • HA:
    • runs duckdns linked to xxx.duckdns.org
    • runs DNSMasq with the following config:
      defaults:
        - 8.8.8.8
        - 8.8.4.4
      forwards: []
      hosts:
        - host: xxx.duckdns.org
          ip: 123.123.123.123
        - host: ha.xxx.duckdns.org
          ip: 123.123.123.123
        - host: nas.xxx.duckdns.org
          ip: 456.456.456.456
      services: []
      cnames: []

Outside of my local network I can do the following:

  1. reach my NAS with nas.xxx.duckdns.org (ssl ok)
  2. reach my HA with ha.xxx.duckdns.org (ssl ok)
  3. reach my HA with xxx.duckdns.org:8123 (legacy, to be decommissioned, ssl ok)

Locally I can:

  1. reach my NAS with nas.xxx.duckdns.org (all good, ssl ok, expected behaviour)
  2. reach my HA with xxx.duckdns.org:8123 (legacy, to be decommissioned, ssl ok)
  3. reach my HA with 123.123.123.123:8123 (ssl nok, obviously)
  4. nslookup ha.xxx.duckdns.org which resolves correctly to the local IP address of my HA 123.123.123.123 (same with nslookup xxx.duckdns.org, obviously)
  5. ping ha.xxx.duckdns.org and get a response (from the local HA address 123.123.123.123)

What I cannot do (and cannot figure out why) is actually reaching my HA through the browser by hitting ha.xxx.duckdns.org when I’m on the local network; I get an ERR_CONNECTION_REFUSED error.

Happy to provide more context and run any query you magicians need to help me solve my issues.

Many thanks

PS: I’m not opposed to moving all the DDNS and local DNS resolver to the NAS, or moving the reverse proxy to HA (whatever makes more sense… and is easiest)

Update: I moved the DNS server to the NAS and the situation remained the same.
I also managed to configure my own domain, say my-domain.com and everything continues to work in the same fashion, i.e.,

Outside the network:

Locally:

  • Access to the NAS through nas.my-domain.com is ok
  • nslookup ha.my-domain.com returns 123.123.123.123 correctly
  • Access to HA through xxx.duckdns.org:8123 is ok
  • Access to HA through my-domain.org:8123 is ok (although with a warning on the certificate, somewhat expected and might be a lead but I do not know how to exploit truly)
  • Access to HA through ha.my-domain.com is not ok

Again, many thanks for any help

Ok I solved it… the reason was mainly me being an idiot…

The DNS server (dnsmasq or the one running on the NAS) needs to redirect ha.my-domain.com to the local IP of the reverse proxy (456.456.456.456 in my case) and not home assistant itself…
It’s quite obvious when you think about it: how can my browser know to hit port 8123 if it doesn’t go to the reverse proxy, and how can it go to the reverse proxy locally if I force it to go directly to HA…

So to summarize, my full setup is as follows:

  • Router at 001.001.001.001
  • Home Assistant on a Pi (123.123.123.123)
  • NAS (456.456.456.456)

My subdomains:

Reverse proxy running on the NAS with the following rule

DNS server on the NAS for the local traffic:

Hope it helps somebody in the future :wink:
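
The fix described in the thread, written as a check (an added example, not part of the original posts): it parses the dnsmasq add-on host list from the question and flags any hostname served by the reverse proxy whose local override points somewhere other than the proxy. The proxy rule and all function names are assumptions, since the thread does not show the rule itself; the addresses are the post's placeholders.

```python
import re

# Constructed sample: the add-on "hosts" list from the question (placeholder IPs).
DNSMASQ_HOSTS = """\
hosts:
  - host: xxx.duckdns.org
    ip: 123.123.123.123
  - host: ha.xxx.duckdns.org
    ip: 123.123.123.123
  - host: nas.xxx.duckdns.org
    ip: 456.456.456.456
"""
PROXY_IP = "456.456.456.456"   # the NAS, which runs the reverse proxy
# Assumed proxy rule (not shown in the thread): hostname -> backend (ip, port)
PROXY_RULES = {"ha.xxx.duckdns.org": ("123.123.123.123", 8123)}

def parse_hosts(text):
    """Return {hostname: ip} from the add-on's '- host: X' / 'ip: Y' pairs."""
    hosts, current = {}, None
    for key, value in re.findall(r"^\s*(?:-\s*)?(host|ip):\s*(\S+)", text, re.M):
        if key == "host":
            current = value.lower()
        elif current is not None:
            hosts[current] = value
            current = None
    return hosts

def misrouted(hosts, rules, proxy_ip):
    """Proxied hostnames whose local override skips the reverse proxy."""
    findings = {}
    for name, (backend_ip, backend_port) in rules.items():
        local_ip = hosts.get(name)   # None means no local override exists
        if local_ip is not None and local_ip != proxy_ip:
            findings[name] = (
                f"resolves locally to {local_ip}, bypassing the proxy at "
                f"{proxy_ip}; {backend_ip} only serves it on port {backend_port}")
    return findings

def corrected(hosts, rules, proxy_ip):
    """Copy of hosts with every proxied hostname pointed at the proxy."""
    return {n: (proxy_ip if n in rules else ip) for n, ip in hosts.items()}

if __name__ == "__main__":
    hosts = parse_hosts(DNSMASQ_HOSTS)
    for name, why in misrouted(hosts, PROXY_RULES, PROXY_IP).items():
        print(f"{name}: {why}")
```

Hostnames without a proxy rule, such as the legacy xxx.duckdns.org reached on port 8123, are left pointing at their own machine.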