 
Vsider
just joined
Topic Author
Posts: 9
Joined: Wed Dec 14, 2022 6:34 pm

HomeAssistant, Hairpin NAT and Proxy

Wed Dec 14, 2022 7:17 pm

Greetings,

I have a working setup of Homeassistant running on my Ubuntu server behind a Mikrotik router with a public IP address.
The server with LAN address 192.168.88.186 uses an Apache2 reverse proxy to forward port 443 (https) to 8123 (Homeassistant's native port). SSL encryption is done by the Apache2 server; Homeassistant knows nothing about SSL.
The Mikrotik has Hairpin NAT set up, so that Homeassistant is now available at my public address https://mydomain.com both from inside and outside the LAN:
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1 
 1    chain=dstnat action=dst-nat to-addresses=192.168.88.186 protocol=tcp dst-address=x.x.x.x dst-port=80,443 log=no log-prefix="" 
 2    chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.186 dst-port=80,443 log=no log-prefix="" 
Now I decided to put Homeassistant in a dedicated virtual machine (using KVM running Homeassistant OS as guest). A network bridge has been set up for direct access to that virtual machine, so now I have another address, 192.168.88.23, on my network and the second Homeassistant server is available at 192.168.88.23:8123 from inside of my LAN. So far so good.

The last step is to make this new instance available at https://mydomain.com, which seems easy by changing 192.168.88.186 to 192.168.88.23 in my reverse proxy config in the Apache virtual host directives, but this made the new instance available ONLY from outside of the LAN. From inside of the LAN it says 403 Forbidden.

Since from outside of the LAN everything works fine, the problem seems to be related to the Hairpin NAT settings and the fact that proxying changed from a different port on localhost to a different IP in the LAN, and therefore some lines need to be adjusted.

I've tried several configurations without success, need help.
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 10:07 am

Did you change the dst-address IP of your masquerade rule too?
 
Vsider
just joined
Topic Author
Posts: 9
Joined: Wed Dec 14, 2022 6:34 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 10:19 am

Did you change the dst-address IP of your masquerade rule too?
No.
As far as I understand, dst-address of my masquerade should be the address of the Apache that does the proxying, and it works at the host machine (192.168.88.186), and besides it serves several other domains on the same IP, that also need access from inside of the LAN.
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 10:51 am

Yes, you're right. I missed that you didn't move the proxy too.
I remember I had a similar issue with Nginx PM. It had to do with allowed IPs and domains to add/set in its config file.
Last edited by BartoszP on Thu Dec 15, 2022 10:32 pm, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart.
 
Vsider
just joined
Topic Author
Posts: 9
Joined: Wed Dec 14, 2022 6:34 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 11:17 am

It had to do with allowed IPs and domains to add/set in its config. file.
There is "Allow from all" in the virtual host proxy settings; here is how it looks:
SSLEngine On
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On

<Proxy *>
    Allow from all
</Proxy>

ProxyPass / http://192.168.88.23:8123/
ProxyPassReverse / http://192.168.88.23:8123/

SSLCertificateFile <removed for security reasons>
SSLCertificateKeyFile <removed for security reasons>
Include /etc/letsencrypt/options-ssl-apache.conf
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 3:27 pm


There is ":Allow from all" in virtual host proxy settings, here how it looks:
...
Sorry, but I know nothing about the Apache2 reverse proxy.
 
Vsider
just joined
Topic Author
Posts: 9
Joined: Wed Dec 14, 2022 6:34 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 3:57 pm

It was just for reference.

Since all works fine from outside of the LAN, the problem should be somewhere in Mikrotik Hairpin NAT settings, probably pakets return to client not through proxy, but directly.
I hope, someone can help.
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 4:02 pm

The last step is to make this new instance available at https://mydomain.com, which seems easy by changing 192.168.88.186 to 192.168.88.23 in my reverese proxy config in apache virtual host directives, but this made the new instance available ONLY from outside of LAN. From inside of LAN it says 403 Forbidden.

If I understand things right, the situation is like this:
  1. there's a server running apache as RP at 192.168.88.186
  2. there's the old HomeAssistant running at 192.168.88.X
    or is it running on the same machine as RP, and then RP was configured to ProxyPass to localhost:8123?
  3. there's the new HomeAssistant running at 192.168.88.23
  4. you want to keep accessing the new HomeAssistant through RP

If that's so, then you should leave ROS settings alone; ROS should still perform DST NAT and Hairpin NAT towards RP. The only change you have to make is the configuration of RP - it should pass HTTP requests[*] to the new HomeAssist server IP address. But you have to make sure that clients resolve "mydomain.com" to the WAN IP address, not to some LAN IP address.

One additional check is to try a connection to 192.168.88.23:8123 from the machine running RP, but using some "user friendly tool" (such as curl :wink: ) ... if it doesn't work, then it's the HomeAssist configuration which is messed up. If it works, then look at the RP config again ... and the ROS config as well. If the answer to the question in bullet #2 above is "yes", then it's definitely the configuration of HomeAssistant that needs access from RP (some services come by default configured so that only connections from the same machine are allowed).

[*]Exactly that ... RP passes HTTP requests, it doesn't pass connections (or else it couldn't terminate SSL/TLS by itself).
 
Vsider
just joined
Topic Author
Posts: 9
Joined: Wed Dec 14, 2022 6:34 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 4:16 pm

Almost :)

The old HomeAssistant runs at 192.168.88.186, same IP as RP.
So the RP passed requests from port 443 to port 8123 of the localhost. The whole configuration worked fine and the old Homeassistant was accessible at https://mydomain.com both from outside and inside of my LAN.

As you suggested, I changed only the IP in the RP settings from localhost to 192.168.88.23, and it works fine when accessing https://mydomain.com from outside of my LAN; I can now see my new Homeassistant.
However, from inside it shows 403 Forbidden. :-? That's why I think there is something that needs to be done in the ROS NAT settings.
 
Vsider
just joined
Topic Author
Posts: 9
Joined: Wed Dec 14, 2022 6:34 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 4:20 pm

The new Homeassistant is accessible at 192.168.88.23:8123 in a web browser from inside of the LAN; there seem to be no problems with it.
How do I check it with curl from 192.168.88.186?
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 4:35 pm

Simply by running
curl http://192.168.88.23:8123/

If curl shows valid HTML code, then it's working. If curl gets HTTP response 403, then curl will display the matching (tiny) HTML code.
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 4:43 pm

The thing which puzzles me is this: if RP is in the path every time (both when connecting from WAN and from LAN), then HomeAssistant will always see RP's IP address as the client IP address. So if things behave differently, then it would logically be the result of some configuration on RP. The fragment you showed doesn't explain that.

There's a tiny bit of further information/configuration involved: RPs can include the IP address of the client that placed the request in a request header (usually that's X-Forwarded-For) and the backend server can act on it. Whether RP includes that header or not is up to the configuration of RP (apache2 might have it enabled by default, I don't know it off the top of my head).
 
Vsider
just joined
Topic Author
Posts: 9
Joined: Wed Dec 14, 2022 6:34 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 5:04 pm

Okay, curl shows valid HTML code.

My new Homeassistant has the following setting:
http:
  use_x_forwarded_for: true
  trusted_proxies:
#   - 127.0.0.1
    - 192.168.88.186
Obviously, the old Homeassistant had 127.0.0.1 activated.

In the RP settings there is no difference between WAN and LAN access; here is the full version:
    <VirtualHost *:443>
        ServerName ha.gurke.ru
        DocumentRoot /var/www/html/generic
        <Directory "/var/www/html/generic">
            allow from all
            Options None
            Require all granted
        </Directory>
        SSLEngine On
        SSLProxyEngine On
        ProxyRequests Off
        ProxyPreserveHost On
        <Proxy *>
            Allow from all
        </Proxy>

        Header add Connection "Upgrade"
        RequestHeader set Connection "Upgrade"
        RewriteEngine on
        
#       RewriteCond %{HTTP:Upgrade} =websocket
#       RewriteRule /(.*)     ws://127.0.0.1:8123/$1  [P,L]
#       RewriteCond %{HTTP:Upgrade} !=websocket
#       RewriteRule /(.*)     http://127.0.0.1:8123/$1 [P,L]
#       ProxyPass / http://127.0.0.1:8123/
#       ProxyPassReverse / http://127.0.0.1:8123/

        RewriteCond %{HTTP:Upgrade} =websocket
        RewriteRule /(.*)     ws://192.168.88.23:8123/$1  [P,L]
        RewriteCond %{HTTP:Upgrade} !=websocket
        RewriteRule /(.*)     http://192.168.88.23:8123/$1 [P,L]
        ProxyPass / http://192.168.88.23:8123/
        ProxyPassReverse / http://192.168.88.23:8123/

        SSLCertificateFile <removed>
        SSLCertificateKeyFile <removed>
        Include /etc/letsencrypt/options-ssl-apache.conf

    </VirtualHost>

The commented (#) lines are the ones that were working fine with the old localhost instance of Homeassistant.
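A toy model of the path this thread has been reasoning about (the hairpin masquerade rule from the first post, the X-Forwarded-For behaviour mkx describes, and the trusted_proxies list above), added here as an example and not Home Assistant's or Apache's own code. The router LAN address 192.168.88.1, the two client addresses and the deny filter are assumptions; the model shows how one backend can answer 200 from the WAN and 403 from the LAN with the same proxy in front of it.

```python
"""Toy model: browser -> MikroTik (hairpin NAT from the LAN) -> Apache RP at
192.168.88.186 -> backend at 192.168.88.23.  Added example, not Home Assistant's
or Apache's code; router and client addresses below are assumed/constructed."""
from ipaddress import ip_address, ip_network

RP_IP = "192.168.88.186"        # Apache reverse proxy (from the thread)
ROUTER_LAN_IP = "192.168.88.1"  # assumed: masquerade source for hairpinned LAN clients
WAN_CLIENT = "203.0.113.7"      # constructed remote browser
LAN_CLIENT = "192.168.88.50"    # constructed LAN browser

def forward_through_rp(client_ip, from_lan):
    """Request as the backend receives it.  The srcnat masquerade rule for
    192.168.88.0/24 -> .186 rewrites LAN sources to the router address, so
    the RP (and hence X-Forwarded-For) never sees the real LAN client."""
    seen_by_rp = ROUTER_LAN_IP if from_lan else client_ip
    return {"peer": RP_IP, "headers": {"X-Forwarded-For": seen_by_rp}}

def in_any(ip, networks):
    return any(ip_address(ip) in ip_network(n) for n in networks)

def backend_decision(req, trusted_proxies, client_deny=()):
    """Return (status, client_ip).  X-Forwarded-For is honoured only when the
    TCP peer is in trusted_proxies; client_deny stands in for the IP filter
    the OP found, applied to the resolved client, not to the proxy."""
    xff = req["headers"].get("X-Forwarded-For")
    if xff is None:
        client = req["peer"]                      # direct connection
    elif not in_any(req["peer"], trusted_proxies):
        return 403, None                          # forwarded header from untrusted peer
    else:
        client = xff.split(",")[0].strip()        # first hop = original client
    if in_any(client, client_deny):
        return 403, client
    return 200, client

def thread_scenarios():
    """The situations the thread walks through."""
    trusted = ["192.168.88.186"]   # trusted_proxies in the posted config
    stale = ["127.0.0.1"]          # the list that worked while HA sat beside Apache
    deny = ["192.168.0.0/16"]      # filter passing 127.0.0.1 but not 192.168.*.*
    return {
        "wan, filter on": backend_decision(forward_through_rp(WAN_CLIENT, False), trusted, deny),
        "lan, filter on": backend_decision(forward_through_rp(LAN_CLIENT, True), trusted, deny),
        "lan, filter off": backend_decision(forward_through_rp(LAN_CLIENT, True), trusted),
        "stale trusted_proxies": backend_decision(forward_through_rp(WAN_CLIENT, False), stale),
    }

if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:22} -> {result}")
```

Because of the masquerade, every hairpinned LAN browser reaches the backend as the router's address, so any per-client IP filter or ban logic behind the proxy applies to the whole LAN at once.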
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 6:09 pm

My two cents (again :-))

Couldn't it have something to do with Hairpin NAT with Dynamic WAN IP?

https://www.youtube.com/watch?v=_kw_bQyX-3U

Meanwhile, could you please try to change your src-nat rule this way:

chain=srcnat action=masquerade protocol=tcp src-address=192.168.88.0/24 dst-address=192.168.88.0/24 dst-port=80,443 log=no log-prefix=""
and check what happens?
 
Vsider
just joined
Topic Author
Posts: 9
Joined: Wed Dec 14, 2022 6:34 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 7:05 pm

Couldn't it have something to do with Hairpin NAT with Dynamic WAN IP?
I have a static IP.

Meanwhile, could you please try to change your src-nat rule this way:
Nothing changed.
 
broderick
Member Candidate
Posts: 242
Joined: Mon Nov 30, 2020 7:44 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Thu Dec 15, 2022 7:22 pm

Ok, just to rule out some issues and focus on something else.
Last edited by BartoszP on Thu Dec 15, 2022 10:31 pm, edited 1 time in total.
Reason: removed excessive quoting of preceding post; be wise, quote smart. lines of quote, 1 line of post.
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: HomeAssistant, Hairpin NAT and Proxy  [SOLVED]

Thu Dec 15, 2022 10:18 pm

Check the apache log files to see if RP causes response code 403. But judging by the config, I doubt it.
Then it's down to HomeAssistant ... I've no idea what it is, how it uses "X-Forwarded-For" (referenced in the shown config) etc. It should show the reason for the 403 in the HA logs.

In short: I don't think it's hairpin NAT's doing, and I doubt it's RP's doing.
 
Vsider
just joined
Topic Author
Posts: 9
Joined: Wed Dec 14, 2022 6:34 pm

Re: HomeAssistant, Hairpin NAT and Proxy

Fri Dec 16, 2022 12:44 am

Ok, found it.
There is some IP filtering included in Homeassistant, which passed packets from 127.0.0.1 but not from 192.168.*.*. Switching it off solved the issue, so at least it's not about Hairpin NAT or the proxy, as you said.

Thanks for narrowing down the search.
