Unable to Remotely Access HA with UniFi Controller

Hello!
I recently switched my home automations to HA from SmartThings. At this point I’m committed to HA and have been enjoying it quite a bit so thanks for all the support and the great product!
I had remote access functioning perfectly with my Netgear router using DuckDNS and LetsEncrypt.
I recently upgraded network gear to a UniFi Cloud Gateway Max (UCG-Max) and I have been “fighting” with it to give me access to HA via DuckDNS… It seems like it should be a very simple port forward but I have not been able to get this functionality back with my new gear. On my local network when I go to https://xxxxxxxx.duckdns.org it will route me to the UniFi web interface, not HA. It seems like it’s an issue with port 443, but I’m not sure and I only know enough to be dangerous.
I assume it’s an issue with how I’ve configured my controller since it worked flawlessly with my Netgear router, but I’m open to any other suggestions.
Below are the port forwarding rules that I have created in UniFi

image

Any assistance is much appreciated, thank you.

Rather than port forward why don’t you just set up your Unifi as a VPN server and connect to your local network that way. If you install WiFiman you can also use “Teleport” to be inside your network even easier. Then it’s like you’re at home and you are not exposing your HA to the world.

I like the suggestion and at some point I do want to set up a VPN. The reason why I haven’t done that yet is I’m pretty sure my work will block the VPN on any of their devices. If that’s the case I will not be able to access HA while I’m at work. Personal devices are not allowed at my place of employment, so I have to use one of their devices to still access HA remotely if I’m at work :tired_face:

See if your work devices will allow installing OpenVPN or WiFiman. If they do then you’re all set. They cannot block VPN as a service, they can only block apps from being installed on their devices.

Since you have duckdns, I assume you now also have SSL configured, don’t you?
Is your HA accessible locally on port 443? If yes, you will need your port forward from 443 to 443 from WAN.
Using duckdns internally may be tricky since it resolves to an IP that is either sitting on your WAN or at your ISP. Some routers just can’t handle that.
Depending on your SSL config, you may use http locally, or set up a custom DNS entry that resolves to the internal IP instead.
Another option could be using things like Cloudflare Tunnel (you need to purchase a domain for that).

That depends on what ports they use… blocking port 80/443 wouldn’t make sense, but all others can be blocked :wink:

Thank you @stomko :facepunch:
To reiterate… I know enough to be dangerous :melting_face:
I believe that I have SSL configured and I have checked HA to see if the certs are there, and yes they are. I have uninstalled the add-ons, removing my data, to “force” downloading new certs since I thought “old certs” could be the issue. In the duckdns log file it states that it downloaded certs, and I have verified that they are in the correct location.
WRT port 443, I have forwarded this port in my setup as well, 1) because I needed to do that with my old equipment, but did not know why… 2) to see if it would work. I did not include that forward for this topic since I did not understand why I needed to do that. You are correct however, for me to access HA locally I DO need 443 forwarded to 443.
I have tried 443 → 443 and 443 → 8123; with either forward I cannot access HA remotely, UGH.
Thank you for your assistance.

So, is your local access working with https or http, which IP, and which port?
Which of the following work locally for you?
http://192.168.3.16:8123
https://192.168.3.16
https://192.168.3.16:8123

Also tell us: when it works, is it presented with an SSL certificate?

Also, show us your http config from configuration.yaml

That would indicate an issue with your DNS configuration.

On your network, where does

ping -4 xxxxxxxx.duckdns.org

lead you?

This is one of the reasons HA has an ‘internal’ and an ‘external’ address; it should look something like this:

This would probably end up in a certificate error on the local side, as the certificate is not for 192.168.3.16 but for xxxxxxxx.duckdns.org.
And that can be solved by configuring hairpin NAT or by using an NGinx proxy.

Which of the following work locally for you?

With my current configuration, the last link is the one that works locally: https://192.168.3.16:8123

tell us if - when working, is it presented with ssl certificate?

I’m not sure. I do get an error about not being secure, so I’m not sure if it’s because the cert is looking for the duckdns name but the access is local:
image

show us your http config from configuration.yaml

image

Thank you again for your assistance.

When I ping xxxxxxxxxxx.dns.org it returns with my ISP IP address.

With regards to my internal and external addresses within HA, I’ve had them set up like you have in your screenshot, and, again, they were working with my old equipment.

Here’s a screenshot of my NGinx proxy configuration:

Thank you for your assistance

Sounds like you need to set up a hairpin NAT on your router (if possible).
Another option would be to run a custom DNS server :wink:

I’ve opened a ticket with UniFi as this should be simple to do. It’s just blowing my mind how much time I’ve wasted on this already…
About a custom DNS server… I’m now wondering if that is part of my problem :thinking::man_shrugging: I do run my own DNS server via Unbound. Do you think there is something funky going on there/something I should try and do with my Unbound settings?

In that case, on your DNS server, you should (re-)name your local domain to “duckdns.org” and assign the correct IP to xxxxxxx.
If correctly configured, xxxxxxx.duckdns.org should resolve to your local IP address :wink:
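The two mechanisms this thread circles around (hairpin NAT on the gateway versus a split-horizon override on the local Unbound resolver) are easy to confuse, so here is a small model of them. This is an added example written for this thread; it is not code from the thread, from UniFi, Home Assistant or Unbound. It assumes what the thread observed: a gateway without hairpin NAT answers port 443 on its own WAN address with its web UI, while HA itself only listens on 8123 (with TLS, once the DuckDNS add-on has installed certificates) unless a reverse proxy such as NGINX is put in front of it. The hostname, LAN range, WAN address and service map are constructed placeholders, and the `local-data` line it emits is a per-name alternative to renaming the whole local domain as suggested in the post above.

```python
"""Split-horizon DNS vs. hairpin NAT for a LAN client browsing https://<name>.duckdns.org.

Added example, not code from the thread, UniFi, Home Assistant or Unbound.
All addresses, the hostname and the service map below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

LAN = ipaddress.ip_network("192.168.3.0/24")          # constructed, like the thread's 192.168.3.x
HA_IP = ipaddress.ip_address("192.168.3.16")           # constructed HA host
NAME = "example-ha.duckdns.org"                        # constructed placeholder hostname
PUBLIC_ANSWER = ipaddress.ip_address("203.0.113.10")   # constructed WAN address (TEST-NET-3)

# What actually listens on the LAN. HA serves TLS on 8123; nothing answers on
# 192.168.3.16:443 unless a reverse proxy is added in front of it.
SERVICES_NO_PROXY = {(HA_IP, 8123): "home-assistant"}
SERVICES_WITH_PROXY = {**SERVICES_NO_PROXY, (HA_IP, 443): "nginx->home-assistant"}


@dataclass
class Gateway:
    """Gateway model (assumed behaviour, not UniFi's implementation)."""
    wan_ip: ipaddress.IPv4Address
    forwards: dict                              # {wan_port: (lan_ip, lan_port)}
    hairpin_nat: bool = False
    mgmt_ports: frozenset = frozenset({443})    # gateway's own HTTPS UI


def resolve(name, overrides, public_answer=PUBLIC_ANSWER):
    """Address a LAN client gets for `name`; `overrides` stands in for Unbound local-data."""
    return overrides.get(name, public_answer)


def reach(gw, services, dst_ip, dst_port):
    """Which service a LAN client ends up talking to for dst_ip:dst_port."""
    if dst_ip in LAN:                                    # plain LAN delivery, no NAT involved
        return services.get((dst_ip, dst_port), "connection refused")
    if dst_ip == gw.wan_ip:                              # LAN client aiming at its own WAN address
        if gw.hairpin_nat and dst_port in gw.forwards:   # hairpin NAT re-applies the port forward
            return services.get(gw.forwards[dst_port], "connection refused")
        if dst_port in gw.mgmt_ports:                    # no hairpin: the gateway answers itself
            return "gateway web UI"
        return "no response"
    return "internet"


def browse(url, gw, services, overrides=None):
    """Simulate a LAN browser opening `url` and report what it reaches."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        dst = ipaddress.ip_address(parts.hostname)       # literal IP in the URL, no DNS involved
    except ValueError:
        dst = resolve(parts.hostname, overrides or {})
    return reach(gw, services, dst, port)


def unbound_local_data(name, ip):
    """Unbound line (under `server:`) that makes `name` resolve to a LAN address for LAN clients.

    Unbound creates an implicit transparent local-zone for a name that only has local-data,
    so other duckdns.org names are still resolved normally.
    """
    return f'local-data: "{name}. IN A {ip}"'


if __name__ == "__main__":
    gw = Gateway(PUBLIC_ANSWER, forwards={443: (HA_IP, 8123)})
    print("no hairpin, no override:", browse(f"https://{NAME}", gw, SERVICES_NO_PROXY))
    print("with DNS override      :", browse(f"https://{NAME}:8123", gw, SERVICES_NO_PROXY, {NAME: HA_IP}))
    print(unbound_local_data(NAME, HA_IP))
```

Running it shows the thread's symptom (the gateway UI on port 443) for a LAN client with neither hairpin NAT nor a DNS override, and also why the override alone is not enough for a bare https://name URL: with the name pointing at 192.168.3.16, port 443 is refused until HA is reached on :8123 or a proxy listens on 443.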

I/UniFi found my problem. I created a rule to disable my kiddos’ Chromebooks every night. When I did this it asked for an end date and I picked something past 2037, IDK why I picked it so far out but I did… Apparently, this caused all my issues. I’ve changed/removed the end date and now it works just as I would have expected, UGH! Too much time wasted doing this :man_facepalming:
Thank you everyone for your help!

Makes me wonder how that rule (with a date) could affect your NAT rulez :thinking:

Ya, me too… but the rule I created shows up under “Traffic & Firewall Rules”, so I guess they lump them together, and since my “traffic” rule was causing an issue it then affected my firewall rule. That’s all I can guess, either way kinda odd.