Stuck with port forwarding for node-red-contrib-google-smarthome

Hi folks,

I have completed my Node-RED development backlog, so now I want to continue with my own home automation. First thing on my list is getting node-red-contrib-google-smarthome up and running. But I'm already stuck with my port forwarding. How embarrasing :roll_eyes:

Until now my port forwarding was fine using this rule (on my pfSense firewall), which send all traffic to my RPI port 1880:

image

However the google-smarthome node listens to port 3001, so I think I need to change this to:

image

However then I can't even access my Node-RED dashboard anymore. BTW on my smartphone I navigate to https://xxxx.duckdns.org/ui, and duckdns forwards me to my pfSense firewall...

In my firewall log I see this arriving, when trying to access my dashboard:

Does anybody see which (stupid) mistake I am making?

Thanks!!
Bart

First question, is Node-RED configured to accept HTTPS traffic?

Before the change it would have accepted access on port 80 (and forwarded to 1880) so wouldn't have needed to be HTTPS enabled.

Hi Ben,
Thanks for helping me!!

I have LetsEncrypt certificates installed and this is configured in my settings.js file:

    https: function() {
        // This function should return the options object, or a Promise
        // that resolves to the options object
        return {
            key: require("fs").readFileSync('/home/pi/.node-red/privkey.pem'),
            cert: require("fs").readFileSync('/home/pi/.node-red/cert.pem')
        }
    },

Or do you mean something else?

Because I have a https connection (with Letsencrypt certificate) running without problems, when I change the source port to * instead of 443 in my firewall rule (like in my first screenshot above).

Yes indeed. Before I started this discussion I had also added this rule:

image

But that doesn't solve anything. Wasn't expected any improvement by this rule (since I specify https in my URL), but you never know ...

I don't really understand the source port numbers, arriving from my smartphone:

When I look at those, I can imagine that only a * filter would allow them.
I think I am misinterpreting here something very incorrectly ...

Ok, when reading through the pfsense docs, I see that I should use * (= "any"):

So I will use *...
But then - with my limited network knowledge - I don't know how I can:

  • Forward https://xxxx.duckdns.org/ui to port 1880
  • Forward https://xxxx.duckdns.org:3001 to port 3001 on the same RPI
https://xxxx.duckdns.org:1880/ui
https://xxxx.duckdns.org:3001` to port 3001 on the same RPI

Hi Bart,
This should work

Thanks @edje11,
If I remember correctly, I had intentionally not specified port 1880 in my url: because I couldn't have a look at my alarm from my pc at work. They only allow access to the standard ports 80 and 443.

So I use a https url without port (which is mapped by my browser to port 443), and I want that pfSense forwards requests at port 443 to port 1880.

Getting a bit closer, but meanwhile I had to create a lot of school books covers for my sons :wink:

I found this diagram:
image

So I first map port 443 to 1880 and port 3001 to 3001 (for any source port *):

And then I change the firewall rules to pass traffic to port 1880 and 3001:

image

Then I can again access my Node-RED dashboard via https://xxxx.duckdns.org/ui (so without using port 1880 in the url).

Not sure if the above setup is a good way of working? And I still can't access https://xxxx.duckdns.org:3001 ...

Hmm perhaps not a port forwarding problem anymore, because it seems I can't access the service from within my LAN either:

image

Will need to digg into that further tonight ...

Getting nowhere with this. Even this first step doesn't work. So depressing ...

  • When I check the service locally, then that seems to work:

    image

  • When I check the service from the web (https://xxx.duckdns.org:3001/check via https://reqbin.com/), then I get only a timeout :frowning_face:

Although it's not helping answer your question...

Why not buy a cheap domain name and route the lot through Cloudflare.
You would not be able to use port 3001 for fulfilment (as it's blocked by Cloudflare), but you could use port 2053 instead.
If you have a dynamically assigned IP, it's easy to update Cloudflare with the address (I have a simple flow which does that automatically).

That's how mine is configured, and works great.

Hi Paul,
That could indeed be another way of working.
But on the google-smarthome node readme page they clearly mention:

image

This node has been downloaded 21932 times in the last year.
So I keep hoping that one of those users joins this discussion, and points me in the right direction :wink:

Yes, and that's why I suggested using port 2053.
If you specify the fulfilment port to be 2053 in Google actions, then just open port 2053 in your firewall, and also state it in the node-red-contrib-google-smarthome management node config.
And yes node-RED server would still be running on port 1880 (or whatever), but the responses from google will then be arriving from port 2053.

Ah now I don't understand it I'm afraid.
I thought that said that Cloudflare blocks port 3001?
Has it any advantages for me using that port, since I don't use Cloudflare?

Yes, see Identifying network ports compatible with Cloudflare's proxy – Cloudflare Help Center

No, you can use any port for fulfilment so long as you have selected it in Google actions, AND added the same port to the node-red-contrib-google-smarthome management node config.
I suggested port 2053 simply because that's what I use with Cloudflare, and it works great.
I know very little about duckdns, but probably a little more about Cloudflare.

1 Like

Ok thanks for the confirmation! Since I have now setup everything to use port 3001, I am going to try to keep it like that for this experiment.

I have enabled packet logging in my firewall rules.
Everytime I try https://xxx.duckdns.org:3001/check, I see in the rule logs that he forwards me to port 1880 via the other rule:

And then it is forwarded to the 1880 port, which will explain the timeout.
No clue why it keeps forwarding me to port 1880 for this url :woozy_face:

P.S. Duckdns is not the cause. Because when I use https://<my_wan_ip>:3001/check then I get also the timeout, while https://<my_wan_ip>/ui shows me correctly my Node-RED dashboard...

Last night - when I was lying in bed for about 1 minute - I suddenly realized that my modem also has a very basic firewall. Many years ago I had added a rule there to allow port 443 to be forwarded (o my own pfSense setup) :woozy_face:
So I assume/hope that it works when I add a rule there to forward port 3001 for the node-red-contrib-google-smarthome service. But cannot test it, because the website of my ISP provider keeps showing a progress bar, without adding my new rule :rage:
To be continued ...

1 Like

I have an Ubee router/modem from a service provider, and when I want to create a port forward, I have to reset the device to activate the rule ... Detected after unsuccessful attempts ...

@markost,
Thanks for the tip. I have added the rule about 15 minutes ago in my modem, but it still doesn't work. Going to restart the modem. But I have to wait 5 minutes, because my son's game half hour (after first school day) is not completed yet :wink: