Netgate Discussion Forum

help with forwarding for home assistant

  • W
    wgstarks
    last edited by Nov 7, 2020, 9:02 PM

    I'm trying to forward traffic on port 8123 to home assistant. I thought this would be simple but I can't get it to work.

    SafariScreenSnapz213.jpg

    If I try to connect to home assistant via the external IP I get a timeout. Same if I use a port checker to test the port. What did I get wrong?

    Box: SG-4200

    • V
      viragomann
      last edited by Nov 7, 2020, 9:22 PM

      What you're showing here is a firewall rule, not a port forwarding. So we can assume you have it set correctly.

      Does the home assistant accept access from outside its subnet? You may test that by attempting to access from another internal network.

      • W
        wgstarks @viragomann
        last edited by Nov 7, 2020, 9:54 PM

        @viragomann
        I don't have another subnet to try this. Here is the port forward rule-
        SafariScreenSnapz215.jpg

        I tried enabling logging for this rule but I'm not seeing anything related to it in the firewall log. Maybe I'm looking at the wrong log?

        • W
          wgstarks
          last edited by Nov 7, 2020, 10:06 PM

          I think maybe I found the issue. I was trying to connect from the same LAN using the external IP. Don't understand why that doesn't work but if I connect from my iPhone via LTE I'm successful.

          • V
            viragomann @wgstarks
            last edited by Nov 7, 2020, 10:07 PM

            @wgstarks
            If you can't see anything in the log maybe the port is blocked by your ISP.

            You can use Packet Capture from the Diagnostics menu to investigate.
            Take a capture on WAN interface, set the port filter to 8123 and attempt to access it from outside.
            If you get nothing there, the packets don't reach your WAN.

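The capture check described in the post above, as an added example that is not part of the original thread: a small Python triage over tcpdump-style text from a WAN capture filtered on port 8123. The addresses and capture lines are constructed, and the verdict names and the reading of an unanswered SYN or a reset are assumptions of this example.

```python
import re

# tcpdump-style text line, the form a saved WAN capture is usually read in.
LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

def triage(capture_text, port=8123):
    """Classify a WAN capture that was filtered on `port` (hypothetical helper)."""
    syn_in = synack_out = rst_out = 0
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if m is None:
            continue
        flags = m["flags"]
        if int(m["dport"]) == port and flags == "S":
            syn_in += 1        # outside client's SYN arrived on WAN
        elif int(m["sport"]) == port and flags == "S.":
            synack_out += 1    # forwarded host answered with SYN-ACK
        elif int(m["sport"]) == port and "R" in flags:
            rst_out += 1       # refused by the host or by a reject rule
    if syn_in == 0:
        return "nothing-reached-wan"   # packets never arrive, e.g. ISP filtering
    if synack_out:
        return "forward-working"
    if rst_out:
        return "connection-refused"
    return "syn-unanswered"            # check NAT rule, WAN rule, host firewall

# Constructed sample captures (documentation address ranges, not real hosts).
UNANSWERED = """\
12:00:01.000000 IP 198.51.100.7.51514 > 203.0.113.10.8123: Flags [S], seq 1000, win 65535, length 0
12:00:02.010000 IP 198.51.100.7.51514 > 203.0.113.10.8123: Flags [S], seq 1000, win 65535, length 0
"""
WORKING = """\
12:00:01.000000 IP 198.51.100.7.51514 > 203.0.113.10.8123: Flags [S], seq 1000, win 65535, length 0
12:00:01.002000 IP 203.0.113.10.8123 > 198.51.100.7.51514: Flags [S.], seq 2000, ack 1001, win 65160, length 0
"""
REFUSED = """\
12:00:01.000000 IP 198.51.100.7.51514 > 203.0.113.10.8123: Flags [S], seq 1000, win 65535, length 0
12:00:01.001000 IP 203.0.113.10.8123 > 198.51.100.7.51514: Flags [R.], seq 0, ack 1001, win 0, length 0
"""

if __name__ == "__main__":
    for name, text in [("empty", ""), ("unanswered", UNANSWERED),
                       ("working", WORKING), ("refused", REFUSED)]:
        print(name, "->", triage(text))
```
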
            • V
              viragomann @wgstarks
              last edited by Nov 7, 2020, 10:09 PM

              @wgstarks said in help with forwarding for home assistant:

              but if I connect from my iPhone via LTE I'm successful.

              So it's working as expected?

              @wgstarks said in help with forwarding for home assistant:

              I was trying to connect from the same LAN using the external IP.

              No idea how you have done that.

              • W
                wgstarks @viragomann
                last edited by Nov 7, 2020, 10:13 PM

                @viragomann said in help with forwarding for home assistant:

                No idea how you have done that.

                Just a browser window and enter <MyWANIP>:8123
                This works from outside my local network but not internally? Not sure why?
                The port is being forwarded though. Thanks for your help.

                • V
                  viragomann @wgstarks
                  last edited by Nov 7, 2020, 10:23 PM

                  @wgstarks said in help with forwarding for home assistant:

                  Just a browser window and enter <MyWANIP>:8123

                  This only works with NAT reflection.
                  You can activate it in a single NAT rule or globally in system settings. However, it's recommended to better use hostnames and split DNS.

                  • W
                    wgstarks @viragomann
                    last edited by Nov 7, 2020, 10:41 PM

                    @viragomann
                    Like this?
                    SafariScreenSnapz216.jpg

                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by Nov 8, 2020, 1:09 AM

                      Why would you want to expose your home assistant to the public internet? Doesn't seem like a very smart thing to do from a security point of view..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • T
                        tman904
                        last edited by Nov 8, 2020, 3:28 AM

                        Maybe use IPSEC or OPENVPN instead of exposing your server directly to the WAN.

                        • V
                          viragomann @wgstarks
                          last edited by Nov 8, 2020, 10:23 AM

                          @wgstarks said in help with forwarding for home assistant:

                          Like this?

                          Yes, using pfSense for DNS resolution presumed. So you can access the home assistant with the same host name from within your network as well as from outside.
                          However, security concerns are not regarded with this recommendation.

                          • W
                            wgstarks
                            last edited by Nov 8, 2020, 12:58 PM

                            Is there really a security concern? I'm asking this as a legitimate question. I only have a basic layman's knowledge regarding network security but I have a very strong password set for HA and would think that it would be adequate. Maybe that's not true?

                            • W
                              wgstarks @tman904
                              last edited by Nov 8, 2020, 1:00 PM

                              @tman904 said in help with forwarding for home assistant:

                              Maybe use IPSEC or OPENVPN instead of exposing your server directly to the WAN.

                              I have OpenVPN set up on my iPhone but at the time I set it up I couldn't find a way to keep it active. Maybe that has changed now (it's been a few years)?

                              • J
                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz Nov 8, 2020, 1:04 PM Nov 8, 2020, 1:02 PM

                                Why do you think you even need to open the port? There should be zero reason for opening inbound ports to control your home smart things while outside your home.. They phone home (company servers) and you control via that connection.

                                I can turn on/off my lights, change the temp on the hvac, etc. without having any ports open.

                                If you're using some home grown thing - that you need to talk to while remote, then yes vpn would be the secure way to do that.. Not opening it up to the whole internet..

                                • W
                                  wgstarks @johnpoz
                                  last edited by Nov 8, 2020, 1:05 PM

                                  @johnpoz said in help with forwarding for home assistant:

                                  Why do you think you even need to open the port? There should be zero reason for opening inbound ports to control your home smart things while outside your home.. They phone home (company servers) and you control via that connection.

                                  I can turn on/off my lights, change the temp on the hvac, etc. without having any ports open.

                                  My iOS app fails to connect without a connection to my local network.

                                  • J
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by Nov 8, 2020, 1:06 PM

                                    You are using this?
                                    https://www.home-assistant.io/

                                    • W
                                      wgstarks @wgstarks
                                      last edited by Nov 8, 2020, 1:06 PM

                                      @wgstarks said in help with forwarding for home assistant:

                                      @johnpoz said in help with forwarding for home assistant:

                                      Why do you think you even need to open the port? There should be zero reason for opening inbound ports to control your home smart things while outside your home.. They phone home (company servers) and you control via that connection.

                                      I can turn on/off my lights, change the temp on the hvac, etc. without having any ports open.

                                      My iOS app fails to connect without a connection to my local network.

                                      Yes

                                      • J
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by johnpoz Nov 8, 2020, 1:10 PM Nov 8, 2020, 1:07 PM

                                        Yeah you would want vpn then... If the server doesn't make a connection to outside services, like alexa, google, all the other 3rd brand lights and switches, and etc.. That you can use to control your devices. VPN is the way to do it securely.

                                        https://www.home-assistant.io/docs/configuration/remote/
                                        "Just putting a port up is not secure."

                                        They recommend using ssl - but that still leaves it exposed.. From a security point of view you should set up vpn on your phone to your pfsense box.. Then you can access your remote assistant through the vpn.. This does not expose it to the public internet and anyone hitting that port.

                                        • W
                                          wgstarks @johnpoz
                                          last edited by Nov 8, 2020, 1:10 PM

                                          @johnpoz said in help with forwarding for home assistant:

                                          Yeah you would want vpn then... If the server doesn't make a connection to outside services, like alexa, google, all the other 3rd brand lights and switches, and etc.. That you can use to control your devices. VPN is the way to do it securely.

                                          They do have a paid service for this but I would rather connect manually (turn the vpn on/off) and save the money if I can't find any way to keep the vpn active.
