PfSense DNS Resolver - No local access

I am unable to figure out how to access HA on my LAN. I have complete access remotely and had this working with my EdgeRouter but recently upgraded that to a pfSense machine. I have spent some time searching and although there seems to be a solution I appear to be implementing it wrong… Any fellow HA users with pfSense machines, and DuckDNS/Let's Encrypt setups?


You should be able to enter https://:8123 and access your instance.

Your browser may throw a warning about security but you can ignore it.

If you want to use your Duck DNS address it should work. I think my pfSense instance did it automatically or I had to tweak some NAT settings.

I had the same issue. Resolved it by:

In pfSense, go to DNS Resolver / General Settings / Host Overrides:
Add the hostname, the parent domain of the host, and the IP to return for the host.


This may only work if you’re using pfSense as your caching resolver. A problem may be that you have HTTPS turned on for the pfSense UI, and you’ve got some conflicts. I took the easy way out, and just use a port other than 443 to avoid that issue.

My situation may be a bit different, as I have nginx running behind a NAT port forwarding rule that does Host: or TLS SNI name-based proxying to various things, including Home Assistant and Grafana. It also does TCP stream forwarding for MQTT over TLS, too (though, of course, on a different port.) So all the certificate management and stuff is handled in nginx, and nginx just proxies requests over plain HTTP to Home Assistant.

really? urls without hostnames are a thing now?

No, the text got auto-formatted. Should have been https:// < yourip >:8123.

I forgot to leave a space around the text.

Would you mind sharing your setup and config? Are you using the nginx addon or the caddy addon?

I’m not using hassio here; just running nginx on Ubuntu 18.04. It’s a hand-built configuration… I don’t have Home Assistant doing TLS/HTTPS; I do that in nginx which proxies external traffic based on the host name to home assistant, grafana and one or two other applications.

I have stuff that looks like this in the nginx configuration:

server {
    # Update this line to be your domain

    listen *:443 ssl http2;
    listen [::]:443 ssl http2;

    # Ensure these lines point to your SSL certificate and key
    ssl_certificate         /etc/letsencrypt/live/domain/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/domain/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/domain/fullchain.pem;

    include snippets/ssl.conf;

    proxy_buffering off;

    # HTML5 push callback: reject requests that carry no Authorization header
    location /api/notify.html5/callback {
        if ($http_authorization = "") { return 403; }
        allow all;
        proxy_pass http://localhost:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
    }

    location / {
        # access_log off;
        access_log /var/log/nginx-access.log;
        error_log  /var/log/nginx-error.log;
        # Forward to Home Assistant over plain HTTP on the same host
        proxy_pass http://localhost:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket upgrade; $connection_upgrade must be defined by a map in the http block
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

This is just a snippet from a larger, more complex configuration. In particular, there’s some stuff related to how I use Let’s Encrypt that’s probably not what you’re using. But you can see how I have this server instance listening on port 433 with HTTPS (and HTTP/2 for that matter), and how it proxies those requests, via plain HTTP to home assistant on port 8123 running on the same host.

I fear this will probably sow more confusion as it’s incomplete and doesn’t have much of the surrounding context… Maybe it’s helpful. Maybe not…

On pfSense under System/Advanced/Firewall & NAT, try setting “Enable automatic outbound NAT for Reflection” to true and “NAT Reflection mode for port forwards” to “NAT + proxy”. I'm not sure if you need the second one.

I’m using hassio on Ubuntu 18.04. With this setup I also needed to add {"dns": ["", ""]} to /etc/docker/daemon.json. This will allow HA to resolve local DNS hosts.
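
To tell which of the fixes suggested in this thread is actually in effect on a LAN client (DNS Resolver host override versus NAT reflection), the following added example, which is not code from any poster, classifies what the local resolver returns and checks that the certificate validates for the name rather than the bare IP. The hostname, addresses, subnet and port in the `__main__` section are constructed placeholders.

```python
import ipaddress
import socket
import ssl

def resolve_ipv4(hostname):
    """IPv4 addresses the system resolver returns for hostname (empty on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify(addresses, ha_lan_ip, lan_cidr):
    """Say which path a LAN client will take, given what DNS returned."""
    lan = ipaddress.ip_network(lan_cidr)
    target = ipaddress.ip_address(ha_lan_ip)
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if not addrs:
        return "no-answer"        # the resolver returned nothing
    if all(a == target for a in addrs):
        return "host-override"    # split DNS works, traffic stays on the LAN
    if any(a in lan and a != target for a in addrs):
        return "wrong-lan-host"   # override points at another LAN address
    if target in addrs:
        return "mixed"            # LAN and outside answers at the same time
    return "outside-lan"          # normally the WAN address: needs NAT reflection

def tls_name_ok(hostname, port, timeout=5.0):
    """True if the server presents a certificate that validates for hostname."""
    ctx = ssl.create_default_context()  # verifies both the chain and the name
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return True
    except OSError:                     # includes ssl.SSLError and timeouts
        return False

if __name__ == "__main__":
    HOST = "example.duckdns.org"  # placeholder hostname
    HA_IP = "192.168.1.20"        # constructed LAN address of Home Assistant
    LAN = "192.168.1.0/24"        # constructed LAN subnet
    PORT = 8123                   # use 443 if nginx terminates TLS
    ips = resolve_ipv4(HOST)
    print(HOST, "->", ips, "=>", classify(ips, HA_IP, LAN))
    print("certificate valid for name:", tls_name_ok(HOST, PORT))
```

Run it on the host and again inside the Home Assistant container: a different result there means the container is using a different DNS server than the host.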