Trying to Access Home Assistant from outside network
-
Hello, I am new here, so please don't mind if the question is too basic. I have been stuck and can't get my head wrapped around this issue.
TL;DR: I want to be able to access my Home Assistant or other services such as Nextcloud or TrueNAS from outside without the need to use a VPN.
I am using a mini PC to run pfSense and it has worked for almost 4 years. I never felt the need to mess around with accessing my network and services, but I recently tried to migrate to Home Assistant, and even using their cloud service I still cannot use certain services because my network blocks traffic.
Interfaces:
WAN
LAN: Bridged switch consisting of LAN, LAN2, LAN3. It's named (MySwitch)
VLAN
My LAN (192.168.10.0/24) is used primarily for my servers and wired network, and VLAN (192.168.50.0/24) is used for all IoT including Home Bridge, Home Assistant, and Adguard.
My Home Assistant is on my VLAN on (192.168.50.11:8123)
I own a domain and have a Cloudflare account. I installed ACME and HAProxy.
Cloudflare: I have added my domain and added a DNS record for the subdomain I want to use for Home Assistant. I am using proxy mode there.
pfSense: I have added a Dynamic DNS account for the subdomain.
ACME: I have created an AccountKey using the Let's Encrypt Staging Server and created and issued certificates for the subdomain. I used the DNS-Cloudflare method here using my Cloudflare API Token.
HAProxy: Created both backend
and front end:
PfSense Firewall Rules:
WAN:
LAN:
MySwitch:
Vlan:
I had some rules that would block VLAN from accessing stuff on my LAN, but I deleted those to see if I could get this to work, but still no luck. Please help, as I don't know what I am missing here.
Thanks,
-
@nfaheem https://www.home-assistant.io/docs/configuration/remote/#port-forwarding
But note if you forward a port from "any" IP the world can try to log in. Hence a VPN, or another option is to set up a dynamic DNS service on the remote computer, and allow that dyndns hostname as the source on the NAT forward.
-
@SteveITS Thanks for the reply. I did set up DDNS using Cloudflare:
Do you suggest using the host, for example hassio.mydomain.app, as the source? And do I specify a port or leave it to any port and set one for each service separately?
-
@nfaheem I’ve never used home assistant.
The source would be the hostname of the remote computer.
Each device or port forwarded needs a unique port.
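
An added example, not part of the original thread: a read-only audit of port forwards that flags the two points raised in the replies above, forwards whose source is "any" and one external port sent to more than one internal target. The XML fragment is constructed, its element names are assumed to follow a pfSense config.xml export, and `remote_laptop` is a hypothetical alias for the remote computer's dynamic DNS hostname.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, not the poster's configuration. Element names are assumed
# to follow a pfSense config.xml export; "remote_laptop" is a hypothetical alias.
SAMPLE_CONFIG = """
<pfsense>
  <nat>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol><source><any/></source>
      <destination><network>wanip</network><port>8123</port></destination>
      <target>192.168.50.11</target><local-port>8123</local-port>
    </rule>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol><source><address>remote_laptop</address></source>
      <destination><network>wanip</network><port>443</port></destination>
      <target>192.168.10.20</target><local-port>443</local-port>
    </rule>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol><source><address>remote_laptop</address></source>
      <destination><network>wanip</network><port>443</port></destination>
      <target>192.168.10.30</target><local-port>443</local-port>
    </rule>
  </nat>
</pfsense>
"""

def audit_port_forwards(config_xml):
    """Return (open_to_any, port_clashes) for the NAT rules in config_xml."""
    root = ET.fromstring(config_xml)
    open_to_any = []
    by_port = defaultdict(set)
    for rule in root.findall("./nat/rule"):
        iface = rule.findtext("interface", "")
        proto = rule.findtext("protocol", "")
        ext_port = rule.findtext("destination/port", "")
        target = f"{rule.findtext('target', '')}:{rule.findtext('local-port', '')}"
        # A forward whose source is <any/> is reachable from every address.
        if rule.find("source/any") is not None:
            open_to_any.append((ext_port, target))
        by_port[(iface, proto, ext_port)].add(target)
    # One external port can only be forwarded to a single internal target.
    clashes = {k: sorted(v) for k, v in by_port.items() if len(v) > 1}
    return open_to_any, clashes

if __name__ == "__main__":
    exposed, clashes = audit_port_forwards(SAMPLE_CONFIG)
    print("open to any source:", exposed, "| external port reused:", clashes)
```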
-
@SteveITS Got it. I have the same problem with every service. For example, TrueNAS, which defaults to 80/443, has the same issue.
-
Just want to chime in here and say you really SHOULD consider using a VPN instead, it's far more secure and just a better way to do this sort of thing. General rule of thumb is that you should only publicly expose things that are actually for the public, like a Plex server that you want a ton of people you know to use, etc... For something like TrueNAS, Home Assistant, etc... you should build a VPN, especially for the management interfaces of those devices like TrueNAS.
VPNs have gotten really easy to set up now, especially with WireGuard (IPsec is still a clunky thing), so it might be worth going down that route. Is there a reason you aren't wanting to do that? It's super risky to expose things when you don't need to, and if it's just you accessing it then VPNs are pretty easy. Nextcloud is the only one in this list I would publicly expose, but there is still always a risk; the general rule is to NEVER expose management interfaces like TrueNAS's over the WAN though.
Speaking of, do you mean you want to access TrueNAS storage or the webGUI outside of your home network? If you're talking storage, a VPN is also going to be your best friend here, SMB isn't something you should really ever run over the WAN without a VPN on top, same with NFS. Not saying there aren't ways to build this but just not a good idea.
I know none of this helps your problem directly, and I apologize for that, it's just that this is a mistake I see a lot of people do (wanting to make things easily accessible remotely) and they regret it later.
-
I use homebridge with an AppleTV, that works fine without having to punch holes in the firewall.
Do you have many HA accessories?
For accessing other services, as people have mentioned, set up a VPN.
-
@nfaheem said in Trying to Access Home Assistant from outside network:
but I recently tried to migrate to Home Assistant, and even using their cloud service I still cannot use certain services because my network blocks traffic.
If Home Assistant has a cloud service then I wouldn't expect any of this to be necessary. Everything would be accessed via the cloud. I could be misreading that though.