Home Assistant Duckdns/LetsEncrypt NAT settings behind double NAT.

  • Brief overview of topology:

    I've been trying to get Home Assistant (https://home-assistant.io/) accessible locally by my DuckDNS host name.

    The server is running on port 8123 and I have nginx configured to forward port 80 and 443 traffic to localhost:8123.

    I've forwarded the ports on the Comcast router and pfSense.

    I was able to get this partially working via the DNS forwarder (forwarding all traffic to my DDNS domain to the local IP), but this did not solve my Home Assistant server being able to reach itself via the DDNS hostname.

    Specifically, when trying to curl -v https://my-domain.duckdns.org from the Home Assistant server (ubuntu-server in the diagram), I would get a connection refused.

    Various people have mentioned NAT Reflection / NAT loopback but I have some questions.


    When should I use NAT reflection over Split DNS?
    Is what I want to do achievable given my current topology?

    Desired behavior:
    Access my Home Assistant server by DDNS name locally and externally while enforcing SSL via Let's Encrypt.

    Observed behavior:

    Using split DNS to forward my DDNS domain to the local IP, I can access it via the DDNS hostname from machines other than the machine running the Home Assistant server. But I cannot access the server via hostname from the server itself.

    E.g. when ssh'd into the Home Assistant server, curl -v https://my-ddns-domain gives connection refused.

    Other thoughts:

    I'm willing to go a different route; I could possibly move pfSense to the DMZ to avoid double NAT. If this is something I can accomplish with double NAT, that would be preferred.

    Thanks in advance.

  • @sterfry1988 Have you found a solution? I have something very similar and I don't know how to fix it. Let's Encrypt can't do the challenge. I try to DNS forward my subdomain.domain.com to my Let's Encrypt server but it does not work.

  • @sterfry1988 said in Home Assistant Duckdns/LetsEncrypt NAT settings behind double NAT.:


    I have a very similar issue and don't want to open another ticket. Basically ISP Router > PVE > pfSense. Stuck behind double NAT and unable to reach HA. Trying to figure this one out also.

  • @franky29 I finally succeeded in setting up my double NAT configuration. The problem was my pfSense UI port. I changed mine to 444. Now: ISP forwards 80/443 through the DMZ IP to pfSense. I was using Docker with Let's Encrypt and I wasn't able to change the port, so I changed the pfSense UI port. Let's Encrypt is now able to accomplish its verification!

  • Were you getting the "Potential DNS Rebind attack" page? 'Cause that's what I'm getting. I have my pfSense in the router's DMZ and got a port forward rule in pfSense to forward 443 WAN to 8123 LAN, but I'm getting that error.

  • @franky29 I never had a "Potential DNS Rebind attack" page. I just know that my problem was due to port forwarding. Sorry.

  • @g146m026 no worries. I'm getting a bit further now. I got packet capture from the WAN side and I can see some 443 traffic trying to hit 8123 but getting dropped. 2020-03-18_2318.png
