How to correctly redirect traffic in IPv6 installation?

Hi,

I normally use certbot-implementation's dns-challenge to get my certificates installed/renewed on my servers interactively, as unfortunately my registrar (strato.de) doesn't offer a DNS API.
This doesn't work for my homeassistant installation (installed in a virtual machine with IPv4 and IPv6), therefore I tried to use http-challenge. For this to work I need to redirect port 80 from wan to the vm.
I set up the following firewall redirect (tested both the IPv4 and IPv6 version with the same results below):

config redirect
	option name 'WAN-access for HA letsencrypt'
	option target 'DNAT'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip 'IPv4'
#	option dest_ip 'IPv6'
	option dest_port '80'
	list proto 'tcp'
#	option family 'ipv6'
	option enabled '1'

And I added a DDNS job that updates my native IPv6 (I only have NATed IPv4) for my domain <my.tld>

But unfortunately this doesn't work - I always get the following error log in homeassistant when trying to issue a certificate:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: <my.tld>
Type: connection
Detail: <correct external IPv6>: Fetching http://<my.tld>/.well-known/acme-challenge/7tqKEqwIm49FUyw1jylooMAscB6Kuxj59pJ9fifj8kU: Connection refused

I think this is some IPv4/IPv6 problem but I cannot figure out what exactly to look for.
What I until now tested:

  • I can ping my router IPv6 and the IPv6 of homeassistant vm from outside without issues.
  • I can ping my <my.tld> without issues (and get the <correct external IPv6> displayed)
  • I can access the homeassistant webserver by IPv4 and IPv6 from the lan network
  • when changing the above redirect from port 80 to port 8123 I can access the homeassistant installation neither via http://[correct external IPv6]:8123 nor http://<my.tld>:8123
  • when adding a really simple rule like
config rule
	option target 'ACCEPT'
	option name 'luci WAN-Test'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'

I cannot access my luci/reforis from outside. This worked without issues with my former provider, that offered both public IPv4 and IPv6.

Any idea?

BR,
ssdnvv

If you use turris minipot, you need to turn it off before updating.

That is not correct. Minipots turn off automatically if there is a port forwarding rule set

The first example is what you are looking for

1 Like

I don’t use Minipots.

Thanks, but that doesn’t solve the situation.

Maybe the problem lies somehow within <correct external IPv6> vs. <homeassistant's IPv6>?

The AAAA record for your homeassistant.yourdomain.tld should point to the IPv6 of home assistant, not the router, unless you use something like haproxy on the router.

Do you have a special subdomain for HASS.io or do you just want to use the top-level domain?

1 Like

I finally got it working, thank you! I have a subdomain homeassistant.mydomain.de.
Even though this is not a perfect solution - I do not have any guarantee that my ISP will not change my /56 prefix at some point in the future. So setting the AAAA to the vm's IPv6 is sort of "I know it will break in the future, and it will break exactly at the point in time when I do not have physical access to the machine" :man_shrugging:
The problem with HA OS is that it is (which makes perfect sense security-wise) so locked down that you cannot install custom software. When looking for a DDNS plugin, you have the choice between DuckDNS, NOIP and cloudflare (which do not happen to be my registrars, and I will for sure not switch registrars) - so I cannot update my external IP and thus don't get a future-proof installation.
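Two things in this thread deserve a worked illustration, and the following script is an added example, not code from the thread or from Turris/OpenWrt. First, the original DNAT `redirect` is an IPv4 construct: IPv6 on OpenWrt is routed, not NATed, so forwarding port 80 to the VM's global IPv6 needs a `config rule` (src wan, dest lan, dest_ip = the VM's address, target ACCEPT), and the IPv4 copy of the redirect could never be reached from outside because the IPv4 side is behind carrier NAT. Second, the worry about the /56 prefix changing: with SLAAC/EUI-64 or a static address token the low 64 bits (interface identifier) of the VM's address stay the same, so the new AAAA value is just the new prefix plus the old identifier, and the firewall rule can match on the host part alone. The script derives both. All values are constructed: the documentation prefix 2001:db8::/32, a QEMU-style MAC 52:54:00:12:34:56 whose EUI-64 is 5054:ff:fe12:3456, and subnet id 1 inside the /56. The `::iid/-64` host-part match is the negative-prefix-length syntax documented for OpenWrt's firewall (fw3/fw4); treat its availability on your Turris OS release as an assumption to check, and fall back to the full address if it is rejected.

```python
"""Added example (not from the thread): renumber a Home Assistant VM's IPv6
address after an ISP prefix change and emit the routed IPv6 forwarding rule.

Assumptions (hypothetical, not from the post):
  - the VM keeps a stable 64-bit interface identifier (EUI-64 or static token,
    no RFC 4941 temporary address), so only the prefix changes on renumbering;
  - the router firewall accepts the '::iid/-64' host-part match (documented for
    OpenWrt fw3/fw4; confirm on the Turris OS release in use).
"""
import ipaddress

IID_MASK = (1 << 64) - 1


def interface_id(addr: str) -> int:
    """Low 64 bits of a global IPv6 address: the part that survives renumbering."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def lan_address(delegated_prefix: str, subnet_id: int, iid: int) -> ipaddress.IPv6Address:
    """Compose prefix (e.g. the ISP's /56) + chosen /64 subnet id + interface id."""
    net = ipaddress.IPv6Network(delegated_prefix, strict=False)
    subnet_bits = 64 - net.prefixlen
    if subnet_bits < 0:
        raise ValueError("delegated prefix longer than /64 leaves no room for a 64-bit IID")
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError(f"subnet id must fit in {subnet_bits} bits")
    if not 0 <= iid <= IID_MASK:
        raise ValueError("interface identifier must fit in 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | (subnet_id << 64) | iid)


def renumber(old_addr: str, new_delegated_prefix: str, subnet_id: int) -> ipaddress.IPv6Address:
    """New AAAA value after a prefix change: same interface id, new prefix."""
    return lan_address(new_delegated_prefix, subnet_id, interface_id(old_addr))


def suffix_match(iid: int) -> str:
    """Firewall address match on the host part only, independent of the prefix.
    ASSUMPTION: negative prefix length ('/-64') is accepted by the router's fw3/fw4."""
    return f"{ipaddress.IPv6Address(iid).compressed}/-64"


def firewall_rule(name: str, iid: int, port: int = 80) -> str:
    """UCI text for a routed IPv6 forward wan -> lan to one host and one port.
    No NAT is involved, so this is a 'config rule' with target ACCEPT, not a
    'config redirect' with target DNAT (that only applies to IPv4)."""
    lines = [
        "config rule",
        f"\toption name '{name}'",
        "\toption family 'ipv6'",
        "\toption src 'wan'",
        "\toption dest 'lan'",
        f"\toption dest_ip '{suffix_match(iid)}'",
        f"\toption dest_port '{port}'",
        "\toption proto 'tcp'",
        "\toption target 'ACCEPT'",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values (documentation prefix, EUI-64 of MAC 52:54:00:12:34:56).
    OLD_VM_ADDR = "2001:db8:1200:1:5054:ff:fe12:3456"
    NEW_DELEGATED_PREFIX = "2001:db8:3400::/56"
    iid = interface_id(OLD_VM_ADDR)
    print("AAAA after renumbering:", renumber(OLD_VM_ADDR, NEW_DELEGATED_PREFIX, subnet_id=1))
    print(firewall_rule("HA letsencrypt http-01 (IPv6)", iid))
```

The rule still leaves the gap the last post names: something has to push the new AAAA value to the registrar, and this script only computes what that value is. Two practical caveats: Let's Encrypt prefers the AAAA record when one exists, so a stale AAAA fails validation even if IPv4 would have worked; and port 80 only needs to be open while validation runs, so toggling the rule's `enabled` option around renewals keeps the exposure short.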
