I have a fairly recent install of HA-OS installed following directions for virt-install on top of Ubuntu. HA works well. I am trying to get the Mosquitto broker up and running, and am having trouble getting the ports (TCP/1883) to be reachable from the LAN interface of the host. Testing publish/receive from the MQTT client within HA works, but there is no communication established from outside of the host. I decided to try another add-on to see if there were similiar issues and there are. Uptime Kuma runs a web server on TCP/3001 that is also inaccessible. Running a portscan on the host’s IP address shows port 8123 up, but the ports for Uptime Kuma and Mosquitto broker are not showing up in portscan.
What do I need to do to get ports running in add-ons to be accessible from outside of the host that is running the HAOS VM? HAOS is running in ‘network’ mode in virsh - I didn’t do anything special to get HAOS up and running.
Found my solution - adding here for reference.
Since I have HAOS installed in virsh (QEMU) on Ubuntu, the problem was with IPTABLES on the host. At install time of HAOS, IPTABLES was updated to allow for accessing port 8123, but does not get updated for any HAOS add-ons. Here are the steps I took - all of these are done on the host, not the HAOS guest. I am far from a linux admin - these took a lot of hunting and pecking, but they worked for me. YMMV.
#list current rules
sudo iptables -L --line-numbers
#you should see the following line, among others - this is added when HAOS guest was installed
#1 ACCEPT tcp -- anywhere 192.168.122.86 tcp dpt:8123
#add additional rules as needed. These ports are for Mosquitto broker and Uptime Kuma. The IP address is the main IP of the HAOS guest, and can be found with the HAOS cli or on rule displayed above.
sudo iptables -I FORWARD -p tcp -d 192.168.122.86 --dport 1883:1884 -j ACCEPT
sudo iptables -I FORWARD -p tcp -d 192.168.122.86 --dport 8883:8884 -j ACCEPT
sudo iptables -I FORWARD -p tcp -d 192.168.122.86 --dport 3001 -j ACCEPT
#display NAT table
sudo iptables -t nat -L -n -v
#insert DNAT rules
sudo iptables -t nat -A PREROUTING -p tcp --dport 1883:1884 -j DNAT --to-destination 192.168.122.86:1883-1884
sudo iptables -t nat -A PREROUTING -p tcp --dport 8883:8884 -j DNAT --to-destination 192.168.122.86:8883-8884
sudo iptables -t nat -A PREROUTING -p tcp --dport 3001 -j DNAT --to-destination 192.168.122.86:3001
#without a way to make these rules persistent, they will be lost at reboot
sudo apt-get install iptables-persistent
#save a backup of iptables rules:
sudo iptables-save >> ~/iptables-backup.txt