Netgate Discussion Forum
    Trying to Access Home Assistant from outside network

    General pfSense Questions
    Tags: remote access, webserver, home assistant, vlan, haproxy
    8 Posts 5 Posters 1.8k Views
    nfaheem

      Hello, I am new here, so please don't mind if the question is too basic. I have been stuck and can't get my head wrapped around this issue.

      TL;DR: I want to be able to access my Home Assistant or other services such as Nextcloud or TrueNAS from outside without the need to use a VPN.

      I am using a mini PC to run pfSense and have used it for almost 4 years. I never felt the need to mess around with accessing my network and services, but recently I tried to migrate to Home Assistant and use their cloud service; I still cannot use certain services because my network blocks traffic.
      Interfaces:
      WAN
      LAN: bridged switch consisting of LAN, LAN2, LAN3, named MySwitch
      VLAN
      [screenshot]

      My LAN (192.168.10.0/24) is used primarily for my servers and wired network, and VLAN (192.168.50.0/24) is used for all IoT including Homebridge, Home Assistant, and AdGuard.

      My Home Assistant is on my VLAN on (192.168.50.11:8123)

      I own a domain and have a Cloudflare account. I installed ACME and HAProxy.
      Cloudflare: I have added my domain and added a DNS record for the subdomain I want to use for Home Assistant. I am using proxy mode there.
      [screenshot]
      pfSense: I have added a Dynamic DNS account for the subdomain.
      [screenshot]
      ACME: I have created an account key using the Let's Encrypt staging server and created and issued certificates for the subdomain. I used the DNS-Cloudflare method here using my Cloudflare API token.
      HAProxy: created both the backend:
      [screenshot]
      and the frontend:
      [screenshot]
      [screenshot]
      [screenshot]

      pfSense Firewall Rules:
      WAN: [screenshot]
      LAN: [screenshot]
      MySwitch: [screenshot]
      VLAN: [screenshot]

      I had some rules that would block VLAN from accessing stuff on my LAN, but I deleted those to see if I can get this to work, but still no luck. Please help, as I don't know what I am missing here.

      Thanks,

      SteveITS @nfaheem

        @nfaheem https://www.home-assistant.io/docs/configuration/remote/#port-forwarding

        But note if you forward a port from "any" IP, the world can try to log in. Hence a VPN; another option is to set up a dynamic DNS service on the remote computer and allow that DynDNS hostname as the source on the NAT forward.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          nfaheem @SteveITS

          @SteveITS Thanks for the reply. I did set up DDNS using Cloudflare: [screenshot]
          Do you suggest using the host, for example hassio.mydomain.app, as the source? And do I specify a port or leave it at any port and set one for each service separately?

            SteveITS @nfaheem

            @nfaheem I’ve never used home assistant.

            The source would be the hostname of the remote computer.

            Each device or port forwarded needs a unique port.

              nfaheem @SteveITS
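The two NAT rules SteveITS describes (an open forward versus one restricted to the remote computer's DDNS hostname, with one unique WAN port per forwarded service) are written out below in pf syntax as an added illustration; this is not configuration from the thread or from pfSense itself. The interface name `em0`, the hostname `remote-client.dyndns.example` and the TrueNAS address are assumed placeholders; 192.168.50.11:8123 is the Home Assistant host from the question.

```pf
# Weak: source "any" on the WAN port means every address on the Internet can
# reach the Home Assistant login page.
rdr pass on em0 inet proto tcp from any to (em0) port 8123 -> 192.168.50.11 port 8123

# Restricted: only the remote computer's current DDNS address is translated.
# In the pfSense GUI this corresponds to a Host alias containing the hostname,
# selected in the port forward's Source field; pfSense re-resolves the alias
# periodically. If the remote computer's IP changes before the DDNS record
# and the alias catch up, the connection is dropped until they do, which is
# the expected failure mode of this approach.
table <remote_client> { remote-client.dyndns.example }
rdr pass on em0 inet proto tcp from <remote_client> to (em0) port 8123 -> 192.168.50.11 port 8123

# Each forwarded service needs its own WAN port even if the internal port is
# the same; here TrueNAS (placeholder address) is reached on WAN port 8443.
rdr pass on em0 inet proto tcp from <remote_client> to (em0) port 8443 -> 192.168.10.20 port 443
```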

              @SteveITS Got it. I have the same problem with every service. For example, TrueNAS, which defaults to 80/443, has the same issue.

                planedrop

                Just want to chime in here and say you really SHOULD consider using a VPN instead, it's far more secure and just a better way to do this sort of thing. General rule of thumb is that you should only publicly expose things that are actually for the public, like a Plex server that you want a ton of people you know to use, etc... For something like TrueNAS, Home Assistant, etc... you should build a VPN, especially for the management interfaces of those devices like TrueNAS.

                VPNs have gotten really easy to set up now, especially with WireGuard (IPsec is still a clunky thing), so it might be worth going down that route. Is there a reason you aren't wanting to do that? It's super risky to expose things when you don't need to, and if it's just you accessing it then VPNs are pretty easy. Nextcloud is the only one in this list I would publicly expose, but there is still always a risk; the general rule is to NEVER expose management interfaces like TrueNAS's over the WAN though.

                Speaking of, do you mean you want to access TrueNAS storage or the webGUI outside of your home network? If you're talking storage, a VPN is also going to be your best friend here, SMB isn't something you should really ever run over the WAN without a VPN on top, same with NFS. Not saying there aren't ways to build this but just not a good idea.

                I know none of this helps your problem directly, and I apologize for that, it's just that this is a mistake I see a lot of people do (wanting to make things easily accessible remotely) and they regret it later.

                  NogBadTheBad @planedrop

                  I use homebridge with an AppleTV, that works fine without having to punch holes in the firewall.

                  Do you have many HA accessories?

                  Accessing other services as people have mentioned, set up a VPN.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    stephenw10 (Netgate Administrator) @nfaheem

                    @nfaheem said in Trying to Access Home Assistant from outside network:

                    > but recently tried to migrate to Home Assistant and using their cloud service, I still cannot use certain services because my network blocks traffic.

                    If Home Assistant has a cloud service then I wouldn't expect any of this to be necessary. Everything would be accessed via the cloud. I could be misreading that though.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.