I’m getting a warning “[homeassistant.components.hassio.handler] Found incompatible HTTP option ‘server_host’. Watchdog feature disabled”. I see many things suggesting to remove that, but I need some way to limit which interfaces the system is accessible from.
Brief context: I have my home network segmented into a few VLANs to limit what things can see each other. I’ve got a “trusted” VLAN (my computers, servers, etc.), a “LAN-Only” VLAN (IoT, totally isolated and offline, can’t route to anything), and some VPN/guest/etc. ones. I do this because IoT often has little to no security controls or updates. I don’t want to have a router advertising or allowing “normal” devices to access the IoT junk, so there is no routing between the “trusted” and “LAN-Only” VLANs.
I have successfully used the nmcli commands to get 2 network interfaces set up so the HassOS box sits with 1 interface on the “trusted” VLAN for the web UI and device tracker, and then a 2nd network interface on the “LAN-Only” one, so it can talk to esphome sensors and stuff freely.
To ensure some obsolete crap IoT can’t easily attack my servers, I want to ensure the few things that straddle both networks are configured to not allow anything coming in on the LAN-Only network interface (192.168.3.0/24), and then accept anything that comes in from the main network (or is routed from VPN/Internet/whatever) on the main network (192.168.1.0/24).
In another CCTV server running CentOS, I simply configured firewalld to only open up ports for HTTP/SSH/etc on the “trusted” interface and block all inbound traffic on LAN-Only network interface.
On HassOS, the only thing I could find for setting some kind of limit was the option to listen on a specific network interface, which is apparently conflicting with some watchdog (though I think it accomplishes exactly what I want).
http:
  server_host: 192.168.1.221
I’ve seen suggestions to use trusted_networks, but I don’t want to have to figure out how to list every imaginable permutation of networks as allowed – I just want to blacklist ONLY the one network that I know should specifically never ever be valid for logins.
Is there something similar to this, but instead of “allowed” being “untrusted_networks blocked”?
auth_providers:
  - type: trusted_networks
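To make the difference between the two approaches in the post concrete, here is an added example (not from the original post and not Home Assistant’s own code) that models an allow-list with the semantics of trusted_networks (request accepted only from a listed network) next to the hypothetical “untrusted_networks” deny-list the post asks for, and runs both over constructed sample client addresses on the post’s 192.168.1.0/24 and 192.168.3.0/24 networks plus one unlisted VLAN (192.168.5.0/24, an assumed address for a guest VLAN).

```python
"""Allow-list vs deny-list for source networks (added example).

Models the two policies the post compares on constructed sample
addresses. Neither function is Home Assistant code; the allow-list
mirrors the documented behaviour of trusted_networks (accept only if
the source is inside a listed network), the deny-list is hypothetical.
"""
import ipaddress

# Networks from the post: the trusted VLAN and the isolated IoT VLAN.
TRUSTED_NETWORKS = ["192.168.1.0/24"]
UNTRUSTED_NETWORKS = ["192.168.3.0/24"]


def _parse(cidrs):
    """Parse CIDR strings; strict=True rejects host bits set in a prefix."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def allowed_by_allowlist(client_ip, trusted=TRUSTED_NETWORKS):
    """True only if client_ip falls inside a listed trusted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in _parse(trusted))


def allowed_by_denylist(client_ip, untrusted=UNTRUSTED_NETWORKS):
    """True unless client_ip falls inside a listed blocked network."""
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in net for net in _parse(untrusted))


def evaluate(sample_ips):
    """Map each sample IP to (allow-list verdict, deny-list verdict)."""
    return {ip: (allowed_by_allowlist(ip), allowed_by_denylist(ip))
            for ip in sample_ips}


if __name__ == "__main__":
    # Constructed samples: a trusted-VLAN host, an IoT-VLAN host, and a
    # host on a VLAN that appears in neither list (assumed guest VLAN).
    for ip, (allow, deny) in evaluate(
            ["192.168.1.50", "192.168.3.20", "192.168.5.7"]).items():
        print(f"{ip:>14}  allow-list: {allow!s:5}  deny-list: {deny!s:5}")
```

The third row is the point: the deny-list passes any source that is not explicitly named, so a VLAN added later is accepted by default, whereas the allow-list rejects it until it is listed.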