SOLVED: HTTPS broken locally with hairpin NAT

waldo22 · May 3, 2025, 4:14pm

My HTTPS setup stopped working locally with hairpin NAT (aka NAT reflection) sometime in the past 2 or 3 weeks.

~~During that time, there were a few LetsEncrypt updates that I can’t imagine are unrelated. Currently running LE 5.4.9 but it also didn’t work on 5.4.8 and 5.4.7.~~ (this was unrelated)

I can access my HA via https within my home network at https://192.168.1.3:8123 and at https://homeassistant.local:8123 if I ignore the security cert mismatch warnings.

I can also access it externally at https://home.mydomain.com:8123. Both my HA app and Google Assistant have no problem accessing HA from outside the network.

I can no longer access it locally at https://home.mydomain.com:8123, which is a problem because that is the URL that my HA app is using, so I can’t use it from my app when at home unless I disable WiFi on my phone.

I would normally blame this on a router issue with hairpin NAT aka NAT reflection, but my router settings haven’t changed in years. The only difference is HA updates.

Does anyone know what could have changed with HA recently to break TLS locally when using hairpin NAT?

The error I get is a 403: Forbidden response from the HA server, but the browser recognizes the certificate from LE as valid and says “connection is secure”.

~~The only thing I can figure is either a config change in the HA Core webserver or a LetsEncrypt change in the way the cert is configured, but I don’t know enough about it to troubleshoot it.~~

SOLUTION: the local IP of my router was banned in ip_bans.yaml and Ubiquiti routers apparently re-write the source of hairpin/loopback/reflected NAT as the internal IP of the router, which is non-standard. Deleting the ban and restarting HA fixed the problem.

WallyR · May 3, 2025, 6:43pm

LE certificates have not changed and the updates to LE addons n are unrelated.
It is just support for new providers.
This does not look like a certificate issue at all.

tmjpugh · May 3, 2025, 10:22pm

IP ban?

Did you try from another device?

waldo22 · May 4, 2025, 12:10am

Same result from my HA app on Android, my wife’s HA app on iOS, Firefox on my computer and Edge on her computer.

These same devices and browsers all work when using homeassistant.local:8123 or by IP.

The IP ban is interesting. When you do hairpin NAT, does the request look like it’s coming from the internal IP of the router, ie. 192.168.1.1

Is it possible that is banned?

tmjpugh · May 4, 2025, 1:08pm

It should not

The originating IP should show. Exception is when you have reverse proxy and do not correctly configure proxy or set use_x_forwarded_for. In this case I’ve seen reverse proxy get banned. I guess the router is possible but if so am IP woukd show in ip_bans.yaml

waldo22 · May 4, 2025, 5:01pm

I do not have a reverse proxy set up.

…but check out ip_bans.yaml:
192.168.1.1: banned_at: '2025-04-17T22:13:15.339683+00:00'

It appears that Ubiquiti EdgeRouters (and maybe others?) re-write the source address to the internal IP of the router when doing Hairpin NAT / NAT reflection.

Apparently this is not standard behavior.

Deleting the ban from ip_bans.yaml and restarting HA fixed the problem.

Thanks a bunch for the suggestion!

tmjpugh · May 4, 2025, 6:23pm

You can create rule on Ubiquiti to forward traffic for https://home.mydomain.com directly to HA server

Doing that will avoid NAT issues by never leaving router

I’m pretty sure this is available on ubuiqiti or add some local dns resolver

WallyR · May 4, 2025, 8:53pm

There really is no standard for hairpin NAT.
It is a patch for those that do not run splitDNS.