Are you saying you have “block all” out-bound traffic ?
Yes, allowing all HTTPS (443)
what’s your purpose with blocking all other outbound traffic ?
Just better control traffic.
No SMTP or any other protocol can communicate!
right, do you have any smtp-server, or other devices which “comminicate” uses the SMTP protocol ?
Not that i think it’s relevant to your HA instance, unless you have an integration with that purpose, using that protocol
I have ones tried to Block all ( with an IPSec-firewall), at a facility i worked, gave them 2 weeks to deliver a note with the various programs/services they needed to have access to, in their work.
Beside the amount of work it gave me ( kind of in reverse order ) , opening ports for days and weeks, i figured it was probably best to live with the Complains from people who felt that the network was slow ( doo to all the youtube/chats/streaming etc. services they used during their work hours,( it’s more than 10 years ago! ) … i just presented my findings (anonymous) to the management, and blocked the sites/urls/ips i recommended them.
Bottom line is, find out what and why you want to block outgoing traffic, and block it, … i.e kids/wifes devices ? block them, … SMTP ? serious ?
This is working well for me, its just HA.
HA is requiring some other protocol or service when attempting to do updates.
The question is, what. Should it not do a simple DNS resolution to the required hosts and then complete its update using HTTPS, weather thats from GIT or wherever.
All DNS traffic is going through UDP on port 53 by default (not TCP on port 443).
If you really have blocked all outbound traffic except TCP on port 443 DoH will certainly work (since DoH is using TCP on port 443) but not the “classic” DNS service.
Try by opening UDP on port 53 for outbound traffic (besides of TCP on port 443).
Yea but I have my DNS local servers in HA point to my piHole, which then has external resolvers that have firewall entries added to allow dns to.
HA resolves DNS through a Pi-hole here too (Pi-hole is installed on a different device). Works without issues.
At what point (on which device inside your LAN) are you blocking all egress traffic except of tcp 443? At the gateway (modem, router) only?
Im only blocking at the firewall, pfSense on the LAN side, hardware firewall not software.
Its weird because obviously HA CAN resolve DNS, as it is able to establish a cloudflare connection on reboot, also I can open a terminal session and ping hostnames etc from within HA, it just will not allow me to install updates as it says no host internet connection.
How about opening egress udp 53 at the pfSense temporarily, try to do those updates with HA and block that protocol/port thereafter? If that makes the updating work without issues at least you know where to start digging to eliminate the issue once and for all.
I’ve actually done this, I’ve allowed dns to any host from HA. This still does not allow updating.
The only thing that allows updating is enabling my allow all rule which basically allows all outbound and then only after a reboot, ha is able to install updates.
I feel like there is something else happening behind the scenes here.
If I tail my pihole log, I can see active dns queries coming in from HA to GitHub, homeassistant.io etc.
Further leads me to think it’s not DNS related
But your installation is marked as “Healthy” and “Supported”, is it?