Strange Ports for Webinterface

Hello everybody,

I found a strange behavior with my setup. Hassio is running in a docker on my server, the Duckdns and Nginx add-ons are running and the http section in hassio’s config is empty, as required by Nginx. My ISP only grants me an IPv6 address, I have an AAAA DNS entry pointing to my IPv6 address.

The funny thing is that I have to open all incoming ports in my router and point them to port 443 to get access to hassio from outside my network, connections via IP:8123 are still working. If I open only 80 -> 80 and 443 -> 443, or 80 -> 443 and 443 -> 443, or 80-443 -> 443 I get no connection. The app shows “Website not available” and “net::ERR_FAILED” and the browser shows a big home assistant badge with “retry” below it. It took me hours to figure out it is the damn router which is making the trouble.

I would appreciate any ideas where to look or a hint why this is working that way; maybe it’s supposed to work like that and I am missing something.

Thanks in advance.

What kind of router is it? I know some of the cheap ISP router/modems have crappy firewalls in them, but I’ve never encountered one that doesn’t respect basic port rules.

Some things I would suggest looking at is if those rules are maybe doing both UDP/TCP or maybe just UDP? That’s one of the only reasons I can think of that it would not respect a 443->443 rule. Plus, if your router has port forwarding, try doing a port forward from WAN 443 -> [ha_ip]:443 OR 80 -> 443. Also, make sure that your ISP isn’t actively blocking WAN -> LAN common ports (many of them do). You can use https://www.canyouseeme.org/ to make sure that those ports aren’t being blocked by your ISP and/or router. If 80 and/or 443 are being blocked, try using a non-standard port or something like 8443 or 8080.

My last suggestion is that if all that fails, use Nabu Casa. Yes, it is a $5 monthly fee, but it makes exposing your local instance really easy (and helps support the devs, which I’m a big advocate for doing). I went with NC last year and haven’t had a single issue with it. :wink:

So, IPv6 works a bit differently than IPv4 when it comes to port forwarding. Port forwarding (router WAN IP:PORT to device LAN IP:PORT) doesn’t exist with IPv6. Any device that supports IPv6 has its own global (public) IPv6 address as long as the router and ISP both support IPv6 and have it enabled. Depending on your router, manual configuration might be required to enable devices on your LAN to grab global IPv6 addresses.

Find your home assistant host’s global IPv6 address and set your AAAA record to that. If NGINX is running on port 443 on your home assistant host, you need to set up a firewall rule allowing traffic on port 443 to your home assistant host’s global IPv6 address. Some routers like Google WiFi call this “port opening,” but how you accomplish this will ultimately depend on what router you have. I’ve also discovered some routers unfortunately don’t have the ability to change such firewall rules.

1 Like
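Added example, not part of the original posts: one way to run the check described above (find the host's global IPv6 address and compare it with the AAAA record) in Python. It goes slightly further by flagging temporary (privacy) addresses, which rotate and would leave both the record and the router's firewall exception stale. It assumes Linux `ip -6 addr show` output; the sample output, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # excludes fe80::/10 and fc00::/7 (ULA)
INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/\d+\s+scope\s+\S+(.*)$")

# Constructed sample of `ip -6 addr show dev eth0` output (2001:db8::/32 is the documentation prefix).
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:12:3400:5c1e:9a77:2b10:44ce/64 scope global temporary dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 2001:db8:12:3400:a1b2:c3ff:fed4:e5f6/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fd00:1234:5678:0:a1b2:c3ff:fed4:e5f6/64 scope global dynamic mngtmpaddr
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fe80::a1b2:c3ff:fed4:e5f6/64 scope link
       valid_lft forever preferred_lft forever
"""

def parse_inet6(ip_output):
    """Return [(IPv6Address, set_of_flags)] for every inet6 line."""
    found = []
    for line in ip_output.splitlines():
        m = INET6_RE.match(line)
        if m:
            found.append((ipaddress.IPv6Address(m.group(1)), set(m.group(2).split())))
    return found

def classify(addr, flags):
    if addr not in GLOBAL_UNICAST:
        return "not-routable"      # link-local or ULA: unreachable from the internet
    if "temporary" in flags or "deprecated" in flags:
        return "rotating"          # privacy/expiring address: AAAA and firewall rule go stale
    return "stable"

def candidates(ip_output):
    """Addresses suitable for the AAAA record and the router's firewall exception."""
    return [str(a) for a, f in parse_inet6(ip_output) if classify(a, f) == "stable"]

def check_aaaa(ip_output, aaaa_value):
    """Classify the address the AAAA record currently points at."""
    target = ipaddress.IPv6Address(aaaa_value)
    for addr, flags in parse_inet6(ip_output):
        if addr == target:
            return classify(addr, flags)
    return "not-on-host"           # record points at some other device or an old address

if __name__ == "__main__":
    print("publish one of:", candidates(SAMPLE))
    print(check_aaaa(SAMPLE, "2001:db8:12:3400:5c1e:9a77:2b10:44ce"))
```

Feed it the real output of `ip -6 addr show` from the Home Assistant host and the value the AAAA record currently resolves to; anything other than `stable` means the firewall exception and the DNS record may not refer to the same address.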

I completely glossed over IPv6.

Thank you for your quick reply!

@code-in-progress
It is indeed a cheap router from my ISP. It can not be a problem with UDP since I get a connection with TCP protocol and opening all ports. Like @Tediore said, with IPv6 one does not need port forwarding since every device gets a public IP which is accessible via internet, but every router has a firewall which in turn prevents all access to the local network, so you have to define exceptions for the IPs you want to access from the internet. This is what I did. I can not use https://www.canyouseeme.org/ because it only sees the IPv4 address which I got from my ISP, but it is ds-lite so the IPv4 address is shared with many others. That is why I have to use IPv6.

I did think about Nabu Casa last night, when I was unable to get any connection, but then thought it to be a bit expensive for a simple “port forwarding”. But supporting the devs is a way I didn’t think about. It certainly is worth considering.

@Tediore
My server has a global IP and the AAAA record is up and running. But the behavior I find strange is that I have to open all ports in the router’s firewall for my IPv6 to get access. If I open port 80 and 443 no connection is possible.

I wonder if Home Assistant or the Nginx addon are using another port which I have to open. Or what is preventing the connection.

Yeah, I completely glanced over the fact that you are using IPv6. My reply was pre-coffee. Sorry about that!

To be fair, voice assistant integrations seem to be a lot smoother with NC (ymmv) and you always have an obfuscated public facing DNS address. But, like you, supporting the devs is really the main reason I use it at all.

Sorry I couldn’t be more help!

No worries mate :wink: Thanks for trying!

Maybe someone else has an idea why I have to open all ports, just out of curiosity.

1 Like