Firewall - Port Forwards: Modem - Router - NAS for Home Assistant

Hi, I have the following problem, I have the following Port Forwards configuration problem. My configuration is as follows:

FTTH --> ISP Router --> WRT3200ACM Router (OpenWRT) --> NAS

The chain is configured as follows:

1) ISP Router (a Vodafone Station), with everything disabled so that it functions as a simple modem that sends incoming traffic via DMZ to the WAN port of the OpenWRT router:
ISP IP: 192.168.1.1 -- DMZ --> WAN OpenWRT IP: 192.168.1.100

2) OpenWRT router, two interfaces:

WAN
  • Protocol: Static address
  • IP4: 192.168.1.100 (DHCP active)
  • IP4 netmask: 255.255.255.0
  • IP4 gateway: 192.168.1.1
  • DNS on docker Pihole (resident on NAS with static IP)

LAN
  • Protocol: Static address
  • IP4: 192.168.10.1 (DHCP active)
  • IP4 netmask: 255.255.255.0
  • IP4 gateway: 192.168.1.100
  • DNS on docker Pihole (resident on NAS with static IP)

3) NAS (static IP 192.168.10.222)
VM for Home Assistant (static IP 192.168.0.235) with the following installed and configured:
  • DuckDNS
  • NGINX

In order to be able to access Home Assistant from outside the network, it is necessary to open ports 443 and 8123 which I have set up in OpenWRT in the Port Forwards section as follows:

External Port: 443
Protocol: TCP
Source zone: WAN
Destination zone: LAN
Internal IP: 192.168.0.235 (Home Assistant)
Internal Port: 443

External Port: 8123
Protocol: TCP
Source zone: WAN
Destination zone: LAN
Internal IP: 192.168.0.235 (Home Assistant)
Internal Port: 8123

With https://canyouseeme.org I verified that ports 443 and 8123 were OPEN, but when I try to access from outside via https://xxx.duckdns.org:443 I cannot access Home Assistant (the page remains blank).

Am I doing something wrong?

I don't fully understand how the OpenWrt router should be able to access Home Assistant in a different subnet, i.e. 192.168.0.235, while the LAN subnet is 192.168.10.1 (I assume /24?).

Can you access HA at 192.168.0.235 in your local network?

Note: I can't, but my HA is dockerized. I have to use the host's IP address.

Hi,
my error, the LAN and NAS (so also VM Home Assistant) are on the same subnet:

LAN: 192.168.10.1 (DHCP active) --> NAS: 192.168.10.222 --> (VM HA: 192.168.10.235)

The configuration I have indicated allows me to browse the network internally without any problems.
As I said, when I set the Port Forwards to access Home Assistant from the outside, despite having made the various configurations and checked that ports 443 and 8123 are open, I can't get to the HA start-up homepage.

My two cents:

  • Do not expose port 8123, because that is insecure.
  • Is your HA instance listening on port 443 already?
  • Use the NGINX as a reverse proxy and do the HTTPS work (with letsencrypt certificates).

You cannot redirect traffic to IPs in the range 192.168.0.0, as those are internal to your NAS, and unknown to the OpenWrt router. You must use the NAS address, and make sure to redirect that traffic to the proper VM.

Hi,
I will definitely follow the advice to change port 8123, thank you. While with respect to the other observations:
NGINX (installed as a plug-in in HA) listens on port 443 and then sends back to HA on port 8123. I followed the various guides to configure everything including the certificates; the DuckDNS and NGINX plug-ins do not give me any errors.
Perhaps I have not been clear: the OpenWRT router in the LAN zone assigns the IPs to the NAS via DHCP, and the VM with HA is configured in bridge mode and has an IP in the same subnet. If I go to the table of IPs assigned by OpenWRT via its LAN, I also see the one of the VM HA (which I have also assigned as static for safety).
From what I can see it seems to me that on the OpenWRT router side the various resources and their IPs are seen correctly.
I'll add another detail, if I deliberately change the Port Forwards rules so that they are incorrect, when I check via https://canyouseeme.org/ it tells me that ports 443 and 8123 are closed.

The NAS (and the HA instance) will be receiving connections from outside your network; are their respective firewalls configured to accept those connections?

The NAS firewall is disabled. Should I check/set something else?

I guess it's time for the big guns... tcpdump + wireshark will allow you to "see" the packets, and where they are being blocked.

Hi,
I only know this software and its functions from hearsay. Could you please give me some more info on how to use it, or is there already a guide on how to analyse my network?

Thanks

I haven't used this myself for ages, but the idea is to use tcpdump on the router, and pipe the output to a wireshark on the PC:

ssh root@router "tcpdump -n -i pppoe-wan -w - port 443" | wireshark -k -i -

Adapt this to your setup, then run it on the WAN and LAN interfaces on the router, to see whether the packets are getting to and from the router.
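As an added example (not from the thread or from any of its posters), the script below builds on the tcpdump suggestion: it captures on both router interfaces at once and then classifies, from the plain-text tcpdump output, at which hop the TCP handshake for port 443 stops. It assumes the addresses from the thread (WAN 192.168.1.100, HA VM 192.168.10.235), ssh access to the router, interface names passed as arguments, and the sample capture lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify where the 443 port forward breaks
# by reading tcpdump -n text output captured on the router's WAN and LAN sides.
# Addresses follow the thread; interface names are assumptions (see capture_both).
WAN_IP=192.168.1.100     # OpenWrt WAN address, target of the ISP router's DMZ
HA_IP=192.168.10.235     # Home Assistant VM on the LAN
PORT=443

# capture_both ROUTER WAN_IF LAN_IF: run tcpdump on both router interfaces at
# once and save the text output locally (needs ssh to the router; not run here).
capture_both() {
    ssh "root@$1" "tcpdump -n -l -i $2 tcp port $PORT" > wan.txt &
    ssh "root@$1" "tcpdump -n -l -i $3 tcp port $PORT" > lan.txt &
    wait
}

# diagnose WAN_FILE LAN_FILE: print one verdict based on which handshake
# packets are present on each side of the router.
diagnose() {
    # 1. does an inbound SYN reach the router's WAN address at all?
    if ! grep -q -F "> $WAN_IP.$PORT: Flags [S]" "$1"; then
        echo "no SYN on WAN: ISP router DMZ is not delivering traffic"
    # 2. is the same SYN visible after DNAT, now addressed to the VM on the LAN?
    elif ! grep -q -F "> $HA_IP.$PORT: Flags [S]" "$2"; then
        echo "SYN on WAN only: redirect not applied or dropped by the OpenWrt firewall"
    # 3. does a SYN-ACK come back from the VM?
    elif ! grep -F "IP $HA_IP.$PORT > " "$2" | grep -q -F 'Flags [S.]'; then
        echo "SYN reached VM, no SYN-ACK: nothing listening on $PORT or a host firewall"
    else
        echo "TCP handshake OK: the problem is at the application layer (NGINX/TLS/HA)"
    fi
}

# Constructed sample captures (not real traffic) showing a working handshake.
tmp=$(mktemp -d)
printf '%s\n' \
  '12:00:00.000001 IP 203.0.113.5.51234 > 192.168.1.100.443: Flags [S], seq 1, win 64240, length 0' \
  > "$tmp/wan.txt"
printf '%s\n' \
  '12:00:00.000002 IP 203.0.113.5.51234 > 192.168.10.235.443: Flags [S], seq 1, win 64240, length 0' \
  '12:00:00.000003 IP 192.168.10.235.443 > 203.0.113.5.51234: Flags [S.], seq 9, ack 2, win 65160, length 0' \
  > "$tmp/lan.txt"
diagnose "$tmp/wan.txt" "$tmp/lan.txt"
rm -r "$tmp"
```

A "TCP handshake OK" verdict matches the symptom in this thread (canyouseeme reports the port open but the page stays blank), which points away from the port forward and toward the NGINX/TLS/HA configuration on the VM.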

Hi,
before trying my hand at wireshark, I did another test.
I installed HA in a dedicated mini-pc that I connected directly to the router via LAN.
I set the port forwards to the IP of the mini-pc but the problem persists.