hassio-addons/addon-nginx-proxy-manager

Docker IP banned instead of public IP

i4mr000t opened this issue · 25 comments

Problem/Motivation

Setup Addon to get remote access to my HA. It’s working but I want to ban public ip address for failed logins

Expected behavior

In configuration.yaml

http:
  ip_ban_enabled: true

Should ban public IP instead of docker IP

Actual behavior

Docker IP gets banned when login attempts failed.

Steps to reproduce

http:
  use_x_forwarded_for: true
  ip_ban_enabled: true
  login_attempts_threshold: 5
  trusted_proxys:
    - <IP_of_NPM>

Proposed changes

IP of Remote Host instead of Docker IP

Seems that this may be configured with Access List in NPM image

Yes I know but I want the way with HA. Thank you anyways.

What I read is that you have to set X-Forwarded-For header setting for $remote_addr in NGINX. Maybe this could also be set in NPM?

So, I've tried

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.88.0/24
    - 172.30.232.0/23
    - 172.30.32.0/23
    - 127.0.0.1 # Add the localhost IPv4 address
    - ::1 # Add the localhost IPv6 address

homeassistant domain in NPM does not have any Custom location or Custom Nginx Configuration.

After 5 failed logins my external ip goes to ban:

cat /root/config/ip_bans.yaml 

97.25.131.114:
  banned_at: '2024-01-05T22:51:47.997039+00:00'

Interesting!
My configuration.yaml looks like yours with other IPs but my NPM still gets banned.

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.32.0/23
    - 192.168.178.0/24
    - 127.0.0.1
    - ::1

Banned IP is: 172.30.32.1

I checked Configuration with no errors and restarted Homeassistant. Any Custom Location or Config in NPM.

What IP from your Configuration is 172.30.232.0/23? This IP is missing in my config but I tried it with that with no success.

What IP from your Configuration is 172.30.232.0/23? This IP is missing in my config but I tried it with that with no success.

Bridge network of primary environment

Thanks but tried that too and it didn’t work for me.
Still banning Docker IP instead of public IP.

Weird thing is that 172.30.32.1 is configured as a trusted proxy but still gets banned…

here’s something similar: nginx-proxy/nginx-proxy#133 (comment)

What ip do you use to forward in proxying rule?

you mean the host I want to reach with npm?

192.168.178.5

Yeah, in my case NPM and Home Assistant run on the same host, and I use the homeassistant hostname (which resolves to 172.30.32.1) to proxy all services on it, instead of the LAN IP (192.168.88.0/24). It allows reducing traffic in the network.
It should not solve the issue, but it is the last thing that is different in our setups and may affect it somehow.

Okay I’ll give that a try and resolve Hostname instead of IP.

Nope! Docker IP still gets banned.

Maybe the Problem for me is that I use IPv6 & IPv4 as mentioned in this post https://community.home-assistant.io/t/home-assistant-community-add-on-nginx-proxy-manager/111830/685

I will try to disable IPv6 for testing and see if real IP gets logged if login failed.

Anyways thanks for your help!!!

Thought I'd give this another try with the new updated version, but still my docker IP gets banned. I don’t know why that is happening :(

Can you post the HA Log entry for the ban?

NPM Log:
[16/Jan/2024:17:34:15 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/auth/authorize?response_type=code&client_id=https://home-assistant.io/iOS&redirect_uri=homeassistant://auth-callback" [Client 172.30.32.1] [Length 1192] [Gzip 2.03] [Sent-to homeassistant.local] "Home%20Assistant/2023.508 CFNetwork/1490.0.4 Darwin/23.2.0" "-"
[16/Jan/2024:17:34:15 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/manifest.json" [Client 172.30.32.1] [Length 1663] [Gzip -] [Sent-to homeassistant.local] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[16/Jan/2024:17:34:15 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/auth/providers" [Client 172.30.32.1] [Length 66] [Gzip -] [Sent-to homeassistant.local] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[16/Jan/2024:17:34:16 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow" [Client 172.30.32.1] [Length 194] [Gzip -] [Sent-to homeassistant.local] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[16/Jan/2024:17:34:17 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/c0fb8f2aa7ef5f1e161bf1c7e41dc7ae" [Client 172.30.32.1] [Length 209] [Gzip -] [Sent-to homeassistant.local] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[16/Jan/2024:17:34:19 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/c0fb8f2aa7ef5f1e161bf1c7e41dc7ae" [Client 172.30.32.1] [Length 209] [Gzip -] [Sent-to homeassistant.local] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[16/Jan/2024:17:34:20 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/c0fb8f2aa7ef5f1e161bf1c7e41dc7ae" [Client 172.30.32.1] [Length 209] [Gzip -] [Sent-to homeassistant.local] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[16/Jan/2024:17:34:21 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/c0fb8f2aa7ef5f1e161bf1c7e41dc7ae" [Client 172.30.32.1] [Length 209] [Gzip -] [Sent-to homeassistant.local] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[16/Jan/2024:17:34:22 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/c0fb8f2aa7ef5f1e161bf1c7e41dc7ae" [Client 172.30.32.1] [Length 209] [Gzip -] [Sent-to homeassistant.local] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[16/Jan/2024:17:34:23 +0100] - 403 403 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/c0fb8f2aa7ef5f1e161bf1c7e41dc7ae" [Client 172.30.32.1] [Length 14] [Gzip -] [Sent-to homeassistant.local] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"

Homeassistant Core Log:
Logger: homeassistant.components.http.ban
Source: components/http/ban.py:154
Integration: HTTP (documentation, issues)
First occurred: 17:34:22 (1 occurrences)
Last logged: 17:34:22

Banned IP 172.30.32.1 for too many login attempts

Host Log:
Jan 16 16:32:36 homeassistant systemd-journal-gatewayd[1778994]: microhttpd: MHD_OPTION_EXTERNAL_LOGGER is not the first option specified for the daemon. Some messages may be printed by the standard MHD logger.
Jan 16 16:34:04 homeassistant systemd[1]: run-docker-runtime\x2drunc-moby-1a58bfef768141c51c8a464ed07c535c1fdc7d68f5643a79af38eb544177f9d6-runc.EfKLfB.mount: Deactivated successfully.
Jan 16 16:34:47 homeassistant systemd[1]: run-docker-runtime\x2drunc-moby-23c0bfb6a3d419c411e265f65611841a285a14b5d5149f3ab89357b1109852e0-runc.FRERBc.mount: Deactivated successfully.
Jan 16 16:35:04 homeassistant systemd[1]: run-docker-runtime\x2drunc-moby-1a58bfef768141c51c8a464ed07c535c1fdc7d68f5643a79af38eb544177f9d6-runc.A0EKxT.mount: Deactivated successfully.

Hopefully one of these is the right log you wanted. If not, please point me in the right direction.

So here is the confusing part, 172.30.32.1 I believe is always the HA container itself, not the proxy manager (you can validate this via something like the SSH addon).

How is the proxy configured? I see mention of homeassistant.local in the logs; is that being used to forward? In which case I would recommend just using homeassistant, as per the demo in the docs (as this will route via the docker network).

Yes you’re right. That’s the HA container.

I tried both „homeassistant“ and „homeassistant.local“; both have the same result, where the IP of the HA container is banned.

I’m running homeassistant OS on a PI from the official Image.

Looking at the Nginx log, it sees that as your client address:

[16/Jan/2024:17:34:15 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/auth/authorize?response_type=code&client_id=https://home-assistant.io/iOS&redirect_uri=homeassistant://auth-callback" [Client 172.30.32.1] [Length 1192] [Gzip 2.03] [Sent-to homeassistant.local] "Home%20Assistant/2023.508 CFNetwork/1490.0.

Can you try from a different device? Also, if this is the Companion App, can you try with a browser?

Thanks for your reply!

I tried with a different device and my device in a browser window.
Same result.
Same IP gets banned.

But there is something I don’t understand. If I try to redirect from NPM to http://homeassistant:8123 it’s working when I access from WAN.
If I try to access http://homeassistant:8123 from my LAN it doesn’t resolve.
That’s because my LAN does not resolve Docker hostnames but NPM does?

It would be helpful to see the log entries for the other attempts, from everything you have shared the proxy reports the client address as the one placed in the bans which is the expected behaviour and shows that the X-Forwarded-For entries are being passed.

If I try to redirect from NPM to http://homeassistant:8123/ it’s working when I access from WAN.
If I try to access http://homeassistant:8123/ from my LAN it doesn’t resolve.

I don't really follow what you mean here, the homeassistant name is resolved by the container name resolution, so the NPM container will be able to resolve it, you won't be able to from a client device.

Here are the logs from another device accessing through a browser:

[18/Jan/2024:10:02:26 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/frontend_latest/61588.a56eASxMh7g.js" [Client 172.30.32.1] [Length 7179] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"
[18/Jan/2024:10:02:26 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/frontend_latest/61596._pT9GSiWyV0.js" [Client 172.30.32.1] [Length 807] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"
[18/Jan/2024:10:02:26 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/frontend_latest/61598.wUAjamqP8kw.js" [Client 172.30.32.1] [Length 861] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"
[18/Jan/2024:10:02:26 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/frontend_latest/61648.MEeA7fyQDiY.js" [Client 172.30.32.1] [Length 1308] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"
[18/Jan/2024:10:02:26 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/frontend_latest/61659.RO6ULsDpn0Y.js" [Client 172.30.32.1] [Length 18393] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"
[18/Jan/2024:10:02:26 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/c047249cdd6186b9b2c4bf2eeafbea4b" [Client 172.30.32.1] [Length 210] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"
[18/Jan/2024:10:02:26 +0100] - 403 403 - GET https MY_PUBLIC_HOSTNAME "/frontend_latest/61724._gYEoK7TeCw.js" [Client 172.30.32.1] [Length 14] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"
[18/Jan/2024:10:02:27 +0100] - 403 403 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/c047249cdd6186b9b2c4bf2eeafbea4b" [Client 172.30.32.1] [Length 14] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"

Here is the log from my device, accessing through the app:
[18/Jan/2024:10:19:41 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow" [Client 172.30.32.1] [Length 196] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[18/Jan/2024:10:19:52 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/d24adea3ed07721b363c5036df3a79d4" [Client 172.30.32.1] [Length 210] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[18/Jan/2024:10:19:53 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/d24adea3ed07721b363c5036df3a79d4" [Client 172.30.32.1] [Length 210] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[18/Jan/2024:10:19:54 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/d24adea3ed07721b363c5036df3a79d4" [Client 172.30.32.1] [Length 210] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[18/Jan/2024:10:19:55 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/d24adea3ed07721b363c5036df3a79d4" [Client 172.30.32.1] [Length 210] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[18/Jan/2024:10:19:56 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/d24adea3ed07721b363c5036df3a79d4" [Client 172.30.32.1] [Length 210] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"
[18/Jan/2024:10:19:56 +0100] - 403 403 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/d24adea3ed07721b363c5036df3a79d4" [Client 172.30.32.1] [Length 14] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148" "-"

And here with accessing through browser:
[18/Jan/2024:10:22:58 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/48f136ebb8e91d31e5b8af25f1749bd7" [Client 172.30.32.1] [Length 210] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1" "-"
[18/Jan/2024:10:22:58 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/frontend_latest/60477.lU3LGvt9HeU.js" [Client 172.30.32.1] [Length 4983] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1" "-"
[18/Jan/2024:10:22:58 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/frontend_latest/61038.ZQuj_x-v6oc.js" [Client 172.30.32.1] [Length 6931] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1" "-"
[18/Jan/2024:10:22:58 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/frontend_latest/61046.RcZ_phuwQvY.js" [Client 172.30.32.1] [Length 4693] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1" "-"
[18/Jan/2024:10:22:58 +0100] - 200 200 - GET https MY_PUBLIC_HOSTNAME "/frontend_latest/61049.reS7HL6mdKg.js" [Client 172.30.32.1] [Length 75535] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1" "-"
[18/Jan/2024:10:22:59 +0100] - 200 200 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/48f136ebb8e91d31e5b8af25f1749bd7" [Client 172.30.32.1] [Length 210] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1" "-"
[18/Jan/2024:10:22:59 +0100] - 403 403 - GET https MY_PUBLIC_HOSTNAME "/frontend_latest/61472.qQ2LsYbPEpU.js" [Client 172.30.32.1] [Length 14] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1" "-"
[18/Jan/2024:10:23:01 +0100] - 403 403 - POST https MY_PUBLIC_HOSTNAME "/auth/login_flow/48f136ebb8e91d31e5b8af25f1749bd7" [Client 172.30.32.1] [Length 14] [Gzip -] [Sent-to homeassistant] "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1" "-"

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:129
Integration: HTTP (documentation, issues)
First occurred: 10:22:55 (5 occurrences)
Last logged: 10:22:59

Login attempt or request with invalid authentication from 5c53de3b-esphome.local.hass.io (172.30.32.1). Requested URL: '/auth/login_flow/48f136ebb8e91d31e5b8af25f1749bd7'. (Mozilla/5.0 (iPhone; CPU iPhone OS 17_2_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1)

Why does the log show a login attempt from esphome.local.hass.io?!

Do you need more?

I think you followed me correctly.
I thought that I could resolve http://homeassistant:8123/ from my client device.

In every log the client address being reported by Nginx is the one being banned, which again shows it is functioning correctly.

What is your network setup, and what is the client address? I'm assuming this is a standard home network?

Shouldn't it be the public IP address of my device?

The client addresses are from my mobile ISP (IPv6), and the other client I tried is from my office (IPv4).

Yes, it's a standard home network, but I don't have a public IPv4, just an IPv6, so I use a VPS server to 6tunnel IPv4 traffic to my IPv6 address.

just an IPv6, so I use a VPS server to 6tunnel IPv4 traffic

And this is likely where the address is coming from. Please ensure that it forwards the addresses correctly; alternatively, use IPv6.

I'm not sure I understand you correctly.

My tunnel is only for tunneling IPv4 to IPv6, so NPM should get the IPv6 when IPv4 tunnels to IPv6, in my opinion.
That's what my office device needs because there is only IPv4.

My own devices (iPhone, iPad) are all using IPv6, so they are connecting directly without the tunnel to my Pi at home.

In both cases the same IP is blocked. That could not be true in my opinion.

Could you explain it to me please?

Let’s say I shut down the tunnel; should it work then when I connect with IPv6?!

I disabled the tunnel and connected via IPv6.

Same result.

What is really confusing me is why Home Assistant now shows this message:

Login attempt or request with invalid authentication from 5c53de3b-esphome.local.hass.io (172.30.32.1). See the log for details.

Something really strange is happening I don’t understand…

The logs you have shared show a source address that is being passed on Client 172.30.32.1

This address space is common to any Docker install, be it under HA or anything else.

I'm afraid this isn't an issue with the addon; it is functioning as expected and passing the data it receives in the X-Forwarded-For header. This is set prior to anything within the addons or Home Assistant. To get further help, I would suggest you ask on the Home Assistant Forums or Discord, as this is configuration and not an issue.

I still don’t understand why the docker IP is forwarded.
In my opinion the public IP should be forwarded when I access NPM from outside, like the third comment here showed.

But maybe I misunderstood or misconfigured something.

I will ask in the HA community for further help.

Thanks anyway, and sorry for pointing you in the wrong direction with this issue.

I still don’t understand why the docker IP is forwarded.

It's not the docker IP, it's a docker IP from a container elsewhere in all likelihood.

I'm going to close this out. As shown earlier, the addon functions as expected; it's a configuration issue.
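
Added example, not part of the original thread and not code from Home Assistant or the add-on: a sketch of the usual right-to-left X-Forwarded-For resolution against a trusted-proxy list, showing why an address that is itself listed in trusted_proxies can still be the one that ends up banned. The resolution rule, the function names and the proxy address 172.30.33.5 are assumptions; the networks and the other addresses are the ones posted in the thread.

```python
from ipaddress import ip_address, ip_network

# trusted_proxies as posted in the thread's second configuration.
TRUSTED = [ip_network(n) for n in
           ("172.30.32.0/23", "192.168.178.0/24", "127.0.0.1", "::1")]


def is_trusted(addr, trusted=TRUSTED):
    """True if addr falls inside any trusted proxy network."""
    ip = ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in trusted)


def proxy_append(peer, incoming_xff=""):
    """Header a reverse proxy sends upstream: what it received plus its TCP peer."""
    return f"{incoming_xff}, {peer}" if incoming_xff else peer


def resolve_client(peer, xff, trusted=TRUSTED):
    """Address the backend attributes the request (and any ban) to."""
    try:
        if not xff or not is_trusted(peer, trusted):
            return peer                 # header from an untrusted peer is ignored
        hops = [h.strip() for h in xff.split(",")]
        for hop in reversed(hops):      # walk from the nearest hop outwards
            if not is_trusted(hop, trusted):
                return hop              # first address no trusted proxy vouches for
        return hops[0]                  # every hop trusted: only the left-most remains
    except ValueError:
        return peer                     # malformed header: fall back to the TCP peer


NPM = "172.30.33.5"  # constructed proxy container address inside 172.30.32.0/23


def scenarios():
    return {
        # Proxy saw the real public client (address from the thread's ip_bans.yaml).
        "public_client": resolve_client(NPM, proxy_append("97.25.131.114")),
        # Source address was already rewritten before the proxy saw the connection.
        "rewritten_upstream": resolve_client(NPM, proxy_append("172.30.32.1")),
        # A header value supplied by the client stays on the left and is not selected.
        "client_sent_header": resolve_client(
            NPM, proxy_append("97.25.131.114", "192.168.178.5")),
        # Peer that is not a trusted proxy: its header is not believed at all.
        "untrusted_peer": resolve_client("97.25.131.114", "172.30.32.1"),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:20} -> {ip}")
```

The `rewritten_upstream` case matches the logs in this thread: once the proxy itself records 172.30.32.1 as the client, nothing downstream can recover the original address, and listing that network in trusted_proxies does not change which address is attributed.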