June 21, 20251 yr EDITThe source of the issue has been found: the Asus media bridge between my switch upstairs and my ISP box downstairs causes the commissioning to fail.Commissionning works with this:NAS ---> Mikrotik CRS305-1G-4S+ switch --> Netgear GS108v4 switch ---> ISP boxCommissionning doesn't work with this:NAS ---> Mikrotik CRS305-1G-4S+ switch --> Netgear GS108v4 switch ---> Asus RT-BE58U -----via Wi-Fi-----> ISP boxThe new question is: how can I solve this? Thank you!END OF EDITHello,I'm asking for your help here because I've been trying to fix this issue for 2 weeks with no success.I will try to give as many details as possible.I have a two-storey house. My Fiber ISP internet box is at the ground floor, and I have both IPv4 CGNAT and IPv6 connectivity. SLAAC is enabled, but I have the option to enable DHCPv6 as well.WAN info on my ISP box:IPv4 ----- IP address: 10.153.29.150 Default gateway: 10.153.29.151 Primary DNS: 109.0.66.10 Secondary DNS: 109.0.66.20 IPv6 ----- IPv6 address: 2a02:8428:aa24:2601:da78:7fff:fe41:683f IPv6 prefix: 2a02:8428:aa24:2600::/56 Default gateway: fe80::5555 Primary DNS: 2a02:8400::6001 Secondary DNS: 2a02:8400::6000My computer lab is upstairs. I have an Asus RT-BE58U configured as a "Media Bridge", connected to the wifi downstairs.On this Asus device, a Netgear GS108v4 switch is connected.On this Netgear switch, I have a printer, a Raspberry Pi and a Mikrotik CRS305-1G-4S+ running SwOS v2.17.On this Mikrotik device, my desktop computer and my Unraid NAS (v7.1.4) are connected with each a Mellanox MCX311A-XCAT ConnectX-3 card and a Cisco-Molex 74752-3701 SFP+ cable.My computer and the NAS do have IPv6 connectivity.Output of ifconfig en0 on my desktop computer:en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500 options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM> ether d2:31:9d:b5:ca:a9 inet6 fe80::1cf5:e3cc:b692:3597%en0 prefixlen 64 secured scopeid 0xe inet6 2a02:8428:aa24:2601:1499:6045:20ea:51c5 prefixlen 64 autoconf secured inet6 2a02:8428:aa24:2601:10eb:fde8:b956:54f4 prefixlen 64 autoconf temporary inet6 fdbb:29c5:1f4d:770b:1499:2b49:8d89:28f5 prefixlen 64 autoconf secured inet 192.168.1.235 netmask 0xffffff00 broadcast 192.168.1.255 nd6 options=201<PERFORMNUD,DAD> media: autoselect status: activeOutput of ifconfig br0 on my Unraid NAS:br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.1.20 netmask 255.255.255.0 broadcast 0.0.0.0 inet6 fe80::f652:14ff:fe89:4250 prefixlen 64 scopeid 0x20<link> inet6 fdbb:29c5:1f4d:770b:f652:14ff:fe89:4250 prefixlen 64 scopeid 0x0<global> inet6 2a02:8428:aa24:2601:f652:14ff:fe89:4250 prefixlen 64 scopeid 0x0<global> ether f4:52:14:89:42:50 txqueuelen 1000 (Ethernet) RX packets 16654 bytes 2290570 (2.1 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7089 bytes 11395535 (10.8 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0I can ping, traceroute, and access websites via IPv6 on both these devices.On my Unraid NAS, I created an Home Assistant OS VM, and I configured USB passthrough for the Home Assistant Connect ZBT-1.The configuration of the VM is :<?xml version='1.0' encoding='UTF-8'?> <domain type='kvm' id='1'> <name>HomeAssistant OS</name> <uuid>01cbc3e3-bfed-6023-551b-c45e53971159</uuid> <metadata> <vmtemplate xmlns="http://unraid" name="Linux" iconold="linux.png" icon="linux.png" os="linux" webui="" storage="default"/> </metadata> <memory unit='KiB'>1048576</memory> <currentMemory unit='KiB'>1048576</currentMemory> <memoryBacking> <nosharepages/> </memoryBacking> <vcpu placement='static'>2</vcpu> <cputune> <vcpupin vcpu='0' cpuset='0'/> <vcpupin vcpu='1' cpuset='2'/> </cputune> <resource> <partition>/machine</partition> </resource> <os> <type arch='x86_64' machine='pc-q35-9.2'>hvm</type> <loader readonly='yes' type='pflash' format='raw'>/usr/share/qemu/ovmf-x64/OVMF_CODE-pure-efi.fd</loader> <nvram format='raw'>/etc/libvirt/qemu/nvram/01cbc3e3-bfed-6023-551b-c45e53971159_VARS-pure-efi.fd</nvram> </os> <features> <acpi/> <apic/> </features> <cpu mode='host-passthrough' check='none' migratable='on'> <topology sockets='1' dies='1' clusters='1' cores='1' threads='2'/> <cache mode='passthrough'/> </cpu> <clock offset='utc'> <timer name='hpet' present='no'/> <timer name='hypervclock' present='no'/> <timer name='pit' tickpolicy='delay'/> <timer name='rtc' tickpolicy='catchup'/> </clock> <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> <on_crash>restart</on_crash> <devices> <emulator>/usr/local/sbin/qemu</emulator> <disk type='file' device='disk'> <driver name='qemu' type='qcow2' cache='writeback' discard='unmap'/> <source file='/mnt/cache/domains/haos_ova-15.2.qcow2' index='1'/> <backingStore/> <target dev='hdc' bus='sata'/> <serial>vdisk1</serial> <boot order='1'/> <alias name='sata0-0-2'/> <address type='drive' controller='0' bus='0' target='0' unit='2'/> </disk> <controller type='usb' index='0' model='ich9-ehci1'> <alias name='usb'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x7'/> </controller> <controller type='usb' index='0' model='ich9-uhci1'> <alias name='usb'/> <master startport='0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0' multifunction='on'/> </controller> <controller type='usb' index='0' model='ich9-uhci2'> <alias name='usb'/> <master startport='2'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x1'/> </controller> <controller type='usb' index='0' model='ich9-uhci3'> <alias name='usb'/> <master startport='4'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x2'/> </controller> <controller type='sata' index='0'> <alias name='ide'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/> </controller> <controller type='pci' index='0' model='pcie-root'> <alias name='pcie.0'/> </controller> <controller type='pci' index='1' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='1' port='0x8'/> <alias name='pci.1'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/> </controller> <controller type='pci' index='2' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='2' port='0x9'/> <alias name='pci.2'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/> </controller> <controller type='pci' index='3' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='3' port='0xa'/> <alias name='pci.3'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> </controller> <controller type='pci' index='4' model='pcie-root-port'> <model name='pcie-root-port'/> <target chassis='4' port='0xb'/> <alias name='pci.4'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/> </controller> <controller type='virtio-serial' index='0'> <alias name='virtio-serial0'/> <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/> </controller> <interface type='bridge'> <mac address='52:54:00:ca:c3:f3'/> <source bridge='br0'/> <target dev='vnet0'/> <model type='virtio-net'/> <alias name='net0'/> <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> </interface> <serial type='pty'> <source path='/dev/pts/1'/> <target type='isa-serial' port='0'> <model name='isa-serial'/> </target> <alias name='serial0'/> </serial> <console type='pty' tty='/dev/pts/1'> <source path='/dev/pts/1'/> <target type='serial' port='0'/> <alias name='serial0'/> </console> <channel type='unix'> <source mode='bind' path='/run/libvirt/qemu/channel/1-HomeAssistant OS/org.qemu.guest_agent.0'/> <target type='virtio' name='org.qemu.guest_agent.0' state='connected'/> <alias name='channel0'/> <address type='virtio-serial' controller='0' bus='0' port='1'/> </channel> <input type='tablet' bus='usb'> <alias name='input0'/> <address type='usb' bus='0' port='2'/> </input> <input type='mouse' bus='ps2'> <alias name='input1'/> </input> <input type='keyboard' bus='ps2'> <alias name='input2'/> </input> <graphics type='vnc' port='5900' autoport='yes' websocket='5700' listen='0.0.0.0' sharePolicy='ignore'> <listen type='address' address='0.0.0.0'/> </graphics> <audio id='1' type='none'/> <video> <model type='qxl' ram='65536' vram='16384' vgamem='16384' heads='1' primary='yes'/> <alias name='video0'/> <address type='pci' domain='0x0000' bus='0x00' slot='0x1e' function='0x0'/> </video> <hostdev mode='subsystem' type='usb' managed='no'> <source> <vendor id='0x10c4'/> <product id='0xea60'/> <address bus='1' device='2'/> </source> <alias name='hostdev0'/> <address type='usb' bus='0' port='1'/> </hostdev> <watchdog model='itco' action='reset'> <alias name='watchdog0'/> </watchdog> <memballoon model='virtio'> <alias name='balloon0'/> <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/> </memballoon> </devices> <seclabel type='dynamic' model='dac' relabel='yes'> <label>+0:+100</label> <imagelabel>+0:+100</imagelabel> </seclabel> </domain> Version of Home Assistant:Installation method: Home Assistant OS Core: 2025.6.1 Supervisor: 2025.05.5 Operating System: 15.2 Frontend: 20250531.3The Home Assistant VM does have IPv6 connectivity. Output of ha network info in the CLI:I configured the Home Assistant Connect ZBT-1 on HomeAssistant, and I now have the "Matter Server" (v8.0.0) and the "OpenThread Border Router" (v2.13.0) add-ons installed.The OpenThread RCP v2.4.4.0 firmware has been flashed on the ZBT-1.Now here is the problem... I am trying to commission an Eve Eenergy (Matter over Thread) plug with the Home Assistant Android app on my Samsung A55 5G phone. This phone is connected to the WiFi network broadcasted by the ISP box and does have IPv6 connectivity too.The commissioning procedure fails at the last step "Checking network connectivity to [...]".This is what I tried so far :I had the Tailscale plugin installed and configured on the HomeAssistant VM, I uninstalled it, deleted the configuration and rebooted Unraid.I had the Tailscale plugin installed on Unraid, I uninstalled it and rebooted Unraid.I connected the Mikrotik CRS305-1G-4S+ directly to the Asus RT-BE58U, bypassing the Netgear GS108v4 switch.I disabled any custom DNS configuration (like NextDNS) on Unraid, my phone, my router.I verified that IP forwarding are enabled in Unraid for both IPv4 and IPv6, they are (net.ipv4.ip_forward = 1 and net.ipv6.conf.all.forwarding = 1).On my phone, I deleted all data for the "Google Play Services" and, on the HA mobile app, I went to "Companion app > Troubleshooting > Sync Thread credentials". After 10 seconds, it said "Added network from Home Assistant to this device.". If I try again, it says "Home Assistant and this device use the same network.".How can I debug this? Do you have any idea what the issue could be?Thanks a lot in advance 😁 Edited June 25, 20251 yr by wblondel fix title
June 21, 20251 yr Community Expert ^Read the entire post^unraid neds an adataionl script to systemctl enbale ipv4 and ipv6 forwardinghttps://forums.unraid.net/topic/166559-unraid-with-matter-thread-and-unifi-ipv6-connectivity-issues/page/2/#findComment-1440114Matter is ipv6 only for devices... Unraid doent' do ipv6 well. unraid prefers ipv4...
June 21, 20251 yr Author @bmartino1 hey, thanks for replying.I went through again this post (I've already read it before).It seems OP has part of HA in a VM, and another part in Docker in Unraid. My HA is entirely in a VM.He does say "I am using HA (Docker) and I am currently using a VM with HAOS in it but only the Matter server. However, I want to use the Matter server in Docker to get rid of the VM.".Then the rest of the thread is about Docker, so it seems it's not applicable to me.However, you mentioned that IPv4 and IPv6 forwarding needs to be enabled.That's something I already did (see 5th point of "What I tried so far").root@NAS:~# sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1 root@NAS:~# sysctl net.ipv6.conf.all.forwarding net.ipv6.conf.all.forwarding = 1This is right after Unraid booted.Should I try to set net.ipv6.conf.eth0.accept_ra=2 ? Edited June 21, 20251 yr by wblondel
June 21, 20251 yr Community Expert 1 minute ago, wblondel said:@bmartino1 hey, thanks for replying.I went through again this post (I've already read it before).It seems OP has part of HA in a VM, and another part in Docker in Unraid. My HA is entirely in a VM.He does say "I am using HA (Docker) and I am currently using a VM with HAOS in it but only the Matter server. However, I want to use the Matter server in Docker to get rid of the VM.".Then the rest of the thread is about Docker, so it seems it's not applicable to me.However, you mentioned that IPv4 and IPv6 forwarding needs to be enabled.That's something I already did (see 5th point of "What I tried so far").root@NAS:~# sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 1 root@NAS:~# sysctl net.ipv6.conf.all.forwarding net.ipv6.conf.all.forwarding = 1This is right after Unraid booted.not quite corret..#!/bin/bash# Delay before startingsleep 10# Apply sysctl settingsapply_sysctl_settings() {echo "Applying sysctl settings..."sysctl -w net.ipv6.conf.all.forwarding=1sysctl -w net.ipv6.conf.br0.accept_ra=2sysctl -w net.ipv6.conf.br0.accept_ra_rt_info_max_plen=64sysctl -w vm.overcommit_memory=1echo "Verifying sysctl settings..."sysctl net.ipv6.conf.all.forwardingsysctl net.ipv6.conf.br0.accept_rasysctl net.ipv6.conf.br0.accept_ra_rt_info_max_plensysctl vm.overcommit_memory}apply_sysctl_settingsyou need to adataional ipv6 forwarding commands...sysctl -w net.ipv6.conf.br0.accept_ra=2sysctl -w net.ipv6.conf.br0.accept_ra_rt_info_max_plen=64whats the output of systemctl -p
June 21, 20251 yr Author @bmartino1 alright, I'll try with these settings. I wasn't sure if they were applicable to my situation.
June 21, 20251 yr Author @bmartino1 Unfortunately, the issue remains.Output of sysctl -p on Unraid:kernel.pid_max = 4194304fs.inotify.max_user_watches = 524288net.core.rmem_max = 16777216net.core.wmem_max = 16777216net.ipv4.tcp_rmem = 4096 87380 16777216net.ipv4.tcp_wmem = 4096 65536 16777216net.netfilter.nf_conntrack_max = 131072net.ipv6.conf.all.forwarding = 1net.ipv6.conf.br0.accept_ra = 2net.ipv6.conf.br0.accept_ra_rt_info_max_plen = 64vm.overcommit_memory = 1Below, the debug log from the OpenThread Border Router during the commissionning steps:core_openthread_border_router_2025-06-21T18-51-44.609Z.log Edited June 21, 20251 yr by wblondel
June 21, 20251 yr Community Expert hm... let take a deepr look then...Thanks for the thorough breakdown—your setup is well thought-out and you're already troubleshooting in the right places. Given that the failure occurs during “Checking network connectivity to [...]” when commissioning a Matter-over-Thread device, let’s narrow this down to likely culprits based on how Matter and Thread interact.Double check:From my re look these see correct / good:Confirmed Good:IPv6 is working across your devices (this is essential for Thread-over-Border-Router functionality).The ZBT-1 is flashed with a known-good RCP firmware and Home Assistant sees it.The OpenThread Border Router (OTBR) is running.Google Play Services synced the Thread credentials with your phone.Your HA instance has IP forwarding enabled, and you removed Tailscale and other possible routing complications.You may be having mdsn avahi issues..Go back and check / review:1. Border Router Discovery (mDNS + SRP)For Matter-over-Thread commissioning, your phone must discover the Border Router via mDNS over IPv6.Check if your phone can see the OTBR mDNS record:Use an Android mDNS browser (like “Discovery” or “Bonjour Browser”) and look for _meshcop._udp or _matter._udp services.Alternatively, log into your Unraid NAS and run:avahi-browse -a -rYou should see entries related to OTBR and Matter services.Ensure Avahi (or mDNSResponder) is running on the VM, and it bridges the .local domain across the interfaces.2. Is Your OTBR Advertising the Mesh Prefix?Check that the OpenThread Border Router is actually advertising the mesh prefix and acting as a Backbone Router.Go to the OTBR Web UI (typically on port 8081 or 8000) and verify:A valid mesh-local prefix (typically fdxx::/64) is present.Border routing is “Enabled.”Backbone Router state is "Primary".Also verify that Thread: Enabled and the dataset is active with a network name, channel, and extended PAN ID.3. Phone’s IPv6 Reachability to OTBRThe “Checking network connectivity…” step usually fails because the phone can’t route to the Thread network (typically fd... addresses) via the OTBR.On Unraid, run:tcpdump -i br0 ip6 Then start commissioning. Do you see ICMPv6 or UDP traffic coming from your phone?Ensure the OTBR has a wpan0 interface (or similar) visible in ip a or ifconfig, and that interface has an address in the Thread mesh prefix.On your phone (developer settings), enable Wi-Fi verbose logging and check if it assigns itself any ULA addresses in the fd... range.Troubleshoot... Commissioning Flow ConflictsTemporarily disable IPv4 on your phone (or put it in IPv6-only mode if possible) to force the HA app and Android stack to only use IPv6 for commissioning.4. Firewall / NPT / RA IssuesEven if forwarding is enabled, check:iptables -L -v -n (or nft list ruleset) on UnraidMake sure no IPv6 traffic is being blocked between interfaces, especially ULA fdxx::/64 ranges.You might also need to manually ensure:sysctl -w net.ipv6.conf.all.accept_ra=2sysctl -w net.ipv6.conf.default.accept_ra=2--Which is done now...other iptables cros trafic talk issues... Matter uses ipv6 and mutiicast...Double check:OpenThread CLI DebugIf you SSH into Home Assistant or access the OTBR container/VM, try:ot-ctl stateot-ctl router tableot-ctl netdata showYou want to confirm that:The node is “leader” or “router”The network data shows correct prefixesThe router table includes other nodes when a Thread device is partially joinedAs alot is guessing as there are mutiple points of failure...Final ThoughtsThe most common root causes in your scenario:OTBR not advertising its route properlymDNS or SRP not discoverable from AndroidIPv6 routing/NAT/NPT problems blocking ULA communicationCould be at router level...Once you verify that the Android phone sees the OTBR via mDNS and can reach the fdxx:: prefix, the Matter commissioning should go through.some other HA debug comands:Home asist has docker and may have soemthign with in the VM causing isseus toodocker exec -it addon_core_otbr bashot-ctl stateot-ctl netdata showot-ctl prefixPlease paste the output from each command. Here's what we’re looking for:state should return leader, router, or childnetdata show should include a fd.../64 mesh-local prefix and the "s" (stable) and "r" (preferred route) flagsprefix should list that same fd.../64 prefixSTEP 2: Confirm the OTBR is acting as a Backbone Routerin teh same shell run ot-ctl backbonerouterYou should see something like:BBR Primary: yesBBR Sequence Number: 57BBR Registration Jitter: 20BBR Registration Delay: 120If it says BBR Primary: no or gives an error, the Border Router isn't working correctly.STEP 3: Check if your Android phone can discover the OTBR via mDNSOn a Linux machine (like your Unraid NAS), run:avahi-browse -a -r | grep -Ei 'matter|thread|meshcop'This should list _meshcop._udp or _matter._udp services coming from your Home Assistant.Alternatively, from the Android phone:Install an app like Bonjour Browser, Discovery, or Service BrowserCheck for:_meshcop._udp._matter._udp.any HA/Thread-related mDNS entriesotherwise we need wireshark / packet capture to see what failing where...tcpdump -i br0 ip6 -n -vvStart this, then attempt commissioning again via the Home Assistant mobile app.Look for lines like:ICMPv6 Echo RequestsUDP port 5353 (mDNS)Any packets to/from fd...::/64Hit Ctrl+C to stop after 20–30 seconds, and share a few lines of what you see.Once you’ve run these 4 steps and shared the output, we’ll move to the next layer of debugging based on what we find. otherwise this may be a limitation of unraid. Some have reported upgradign to 7.4 the lattest uriad relase that fixed quite a bit of networking issues. thers some side unraid netowrk configuration I may want double checked...
June 22, 20251 yr Author @bmartino1Border Router DiscoveryI am able to see the _meshcop UDP service using the mDNS Discovery app on my phone, and avahi-browse on Unraid.However, I don’t see anything for _matter UDP.After trying to commission a device, I see 2 devices for _matter TCP: one for IPv4 and one for IPv6.OTBRI first had to enable the Web UI in the add-on configuration.This is what I see on the Status page:IPv6:LinkLocalAddress fe80:0:0:0:d088:33ae:4207:8978 IPv6:LocalAddress fd4c:f03e:4bbd:1:a7f8:42a8:2a62:e3c8 IPv6:MeshLocalAddress fdcc:2c3b:173c:81bb:7644:8069:9eeb:bced IPv6:MeshLocalPrefix fdcc:2c3b:173c:81bb: Network:Name ha-thread-f150 Network:PANID 0xf150 Network:PartitionID 265239192 Network:XPANID bb29c51f4d16770b OpenThread:Version OPENTHREAD/thread-reference-20230706-1129-g7bd3abd67-dirty; POSIX; Jan 14 2025 21:04:25 OpenThread:Version API 470 RCP:Channel 15 RCP:EUI64 04e3e5fffe6b996a RCP:State leader RCP:TxPower 5 dBm RCP:Version SL-OPENTHREAD/2.4.4.0_GitHub-7074a43e4; EFR32; Apr 5 2025 16:25:05 WPAN service associatedPhone’s IPv6 Reachability to OTBRTcpdump: command not found on Unraid.But I confirm I can see traffic coming to the OTBR when I commission a device, as shown on the logs I uploaded on my previous message.It’s not possible to disable IPv4 on Android.Firewall / NPT / RA issuesOutput of iptables -L -v -nChain INPUT (policy ACCEPT 225K packets, 30M bytes) pkts bytes target prot opt in out source destination 223K 30M LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 76M 87G LIBVIRT_FWX all -- * * 0.0.0.0/0 0.0.0.0/0 76M 87G LIBVIRT_FWI all -- * * 0.0.0.0/0 0.0.0.0/0 76M 87G LIBVIRT_FWO all -- * * 0.0.0.0/0 0.0.0.0/0 76M 87G DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0 76M 87G DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0 56M 75G ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 425 25712 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0 20M 12G ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0 212 53889 ACCEPT all -- * br-ad0cdd8ab999 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 7 448 DOCKER all -- * br-ad0cdd8ab999 0.0.0.0/0 0.0.0.0/0 189 870K ACCEPT all -- br-ad0cdd8ab999 !br-ad0cdd8ab999 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br-ad0cdd8ab999 br-ad0cdd8ab999 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * br-7829c5bf10a9 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 DOCKER all -- * br-7829c5bf10a9 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br-7829c5bf10a9 !br-7829c5bf10a9 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- br-7829c5bf10a9 br-7829c5bf10a9 0.0.0.0/0 0.0.0.0/0 0 0 WIREGUARD all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 184K packets, 47M bytes) pkts bytes target prot opt in out source destination 183K 46M LIBVIRT_OUT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER (3 references) pkts bytes target prot opt in out source destination 7 448 ACCEPT tcp -- !br-ad0cdd8ab999 br-ad0cdd8ab999 0.0.0.0/0 172.18.0.4 tcp dpt:2283 22 1408 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:8112 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:8118 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:9118 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:58846 0 0 ACCEPT tcp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 tcp dpt:58946 0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.17.0.2 udp dpt:58946 Chain DOCKER-ISOLATION-STAGE-1 (1 references) pkts bytes target prot opt in out source destination 20M 12G DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 189 870K DOCKER-ISOLATION-STAGE-2 all -- br-ad0cdd8ab999 !br-ad0cdd8ab999 0.0.0.0/0 0.0.0.0/0 0 0 DOCKER-ISOLATION-STAGE-2 all -- br-7829c5bf10a9 !br-7829c5bf10a9 0.0.0.0/0 0.0.0.0/0 76M 87G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-ISOLATION-STAGE-2 (3 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * br-ad0cdd8ab999 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * br-7829c5bf10a9 0.0.0.0/0 0.0.0.0/0 20M 12G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-USER (1 references) pkts bytes target prot opt in out source destination 76M 87G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 Chain LIBVIRT_FWI (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED 0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain LIBVIRT_FWO (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0 0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain LIBVIRT_FWX (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0 Chain LIBVIRT_INP (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67 Chain LIBVIRT_OUT (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:53 0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68 0 0 ACCEPT tcp -- * virbr0 0.0.0.0/0 0.0.0.0/0 tcp dpt:68 Chain WIREGUARD (1 references) pkts bytes target prot opt in out source destinationOutput of docker exec addon_core_openthread_border_router ot-ctl stateleader DoneOutput of docker exec addon_core_openthread_border_router ot-ctl router table, before trying to commission a device:Output of the same command, after trying to commission a device (it failed):Output of docker exec addon_core_openthread_border_router ot-ctl netdata showOutput of docker exec addon_core_openthread_border_router ot-ctl prefixOutput of docker exec addon_core_openthread_border_router ot-ctl backbonerouterError 35: InvalidCommandI am already on the latest version of Unraid: v7.1.4.Configuration of my Mikrotik CRS305I figured it would be useful for you to know the configuration of the switch my NAS is connected to.I do not use VLANs and IGMP Snooping is disabled.(I temporarily set the IGMP version to v2, it didn't change anything. it's now back to v3.) Edited June 22, 20251 yr by wblondel add CRS305 configuration
June 22, 20251 yr Community Expert Perfect alot of data to run thorugh and check. From a glance. THis doens apear to be the hyper-v network cross issues...in Unraid so this may be the virbr0 issues and other unraid network settings. Thank you I know that is alot to go through for testing.Some side notes as well...as your XML is saying to use the :*While it shouldn't be a problem as the HA is getting a ipv4 and ipv6 and unraid is handling the ipv6 forwarding over br0... <interface type='bridge'> <mac address='52:54:00:ca:c3:f3'/> <source bridge='br0'/> <target dev='vnet0'/> <model type='virtio-net'/> <alias name='net0'/> <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> </interface>yet unraid iptables confirm the unraid hpyer-v virtual network switch for VMs. This may lie our problem...So stop all VMs we may want to xml edit the HA VM network.as example in the first post matter thread:xml code example: <interface type='direct' trustGuestRxFilters='yes'> <mac address='52:54:00:26:97:94'/> <source dev='vhost0' mode='bridge'/> <target dev='macvtap0'/> <model type='virtio'/> <alias name='net0'/> <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> </interface>Chose the correct Source Dev for your system br0 is correctwhile using a macvlan docker, network...*Just throwing that out there as VMs can and may need additional settings for services...The core thing here apears to is in the unraid VM settings and may require adational Docker settings that change and affect unraid networking...With VMs off. Go to settings > VM MangerAdvance toggle*Make sure the Default Network source IS NOT Virbr0 This for some reason causes some vm and unraid networks cross talk issues as seen with your iptables command.Then under docker networking settings Make sure you have host access to custom enabled :and restart unraid to apply the new networking config...Then try again from the android phone device.####FYI yes you can temp disabled ipv4 on android. it requires going into the network and seting manul setting and disabling ipv4 and enabling ipv6https://android.stackexchange.com/questions/136830/disable-ipv4-entirelyThis is not needed.########if it fails here then there somethign being lost between the wifi bridge. where the router is not forwarding the matter udp muticast traffic.
June 22, 20251 yr Author @bmartino1"FYI yes you can temp disabled ipv4 on android. it requires going into the network and seting manul setting and disabling ipv4 and enabling ipv6"No. I don't have this option.Do you see any issue on the log I shared?The default network source on the VM Manager is br0.For Docker, host access to custom networks is disabled but why does it matter in my case? HAOS is in a VM...Anyway, I enabled it and changed the VM interface to this: <interface type='direct' trustGuestRxFilters='yes'> <mac address='52:54:00:ca:c3:f3'/> <source dev='br0' mode='bridge'/> <target dev='macvtap0'/> <model type='virtio'/> <alias name='net0'/> <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/> </interface>The issue was still there so I reverted the changes. Edited June 22, 20251 yr by wblondel
June 22, 20251 yr Community Expert I have read your logs post and other data... but if you going to revert and not keep the changes then I'm done here. as Your editing the previous post and its clear you don't know what your doing..Yes, I've seen the log but it done't have anything of use that I can devise from it... as this is still networking issues... not application issues...Review:https://www.youtube.com/watch?v=HYPL2HqZ_TQhttps://www.youtube.com/watch?v=uPde1aulGYYhttps://www.youtube.com/watch?v=BWUAzAGtzHchttps://www.youtube.com/watch?v=jeujDTEreioas I've even pulled data from my first OG post that went over all of that. as it doent' matter if its the VM, dcoker etc...I run android myself. I'm not going to debate on a option for testing that is possible... Android is not a good testing system anyway. I prefer you had some linux laptop to run other commands to test connect to and run.(Make sure its not the andoid system...) debain / ubuntu mdns-scan and other linux tools for troubleshooting... then work on getting the phone to do it...As I do simlar myself on my devices without root. other linkage there with android was to go over other ipv6 as android done't do ipv6 well...Its also not clear how your connecting to HA from the Android device and what HA a trualy has accesses too. ?app web prower?So All I can do is point you due to some of the limiting factors as it appear You have 3 issues:1. Mis configuration of the OTBRI can't help you with that...2. Mis configuration on unriad with how networks are working and talking with each other.-Attempted all I can say is go back and review the other post mentioned here...3. Potential router wifi bridge network loss, preventing udp muticast and matter devces form traversing...##########as you 've edited previous post and this new forum is broken "I can use the quote system it make everything a quote and harder to point at xyz...Not sure if you rebooted unraid or still have the systemctl per example as your reverting things which makes other steps or next things to check problematic.I would recommend making a new General post asking for assistance. Its works on my machine and I went over each area on unraid to make it work. so if it not working after those settings are implemented, then Its not on unraid the OS host itself.... thus other VM options and settings or outside unraid networking setup...Further, as this is added new:IGMP is more associated with ping. You will not notice or see anything with igmp v2 or v3...and that setting has to do with some packet handling:IGMP version 3 (v3) is an enhancement over version 2 (v2), primarily adding support for source-specific multicasting and membership report aggregation. IGMPv2 introduced the "Leave Group" message, allowing hosts to explicitly signal their departure from a multicast group. IGMPv3, while maintaining backward compatibility, allows hosts to specify which sources they want to receive traffic from within a multicast group (source filtering) and report interest in multiple groups and sources in a single messageSo, If your messing with options you don't understand, this can also cause problematic symptoms...as you were seeing some matter udp on the android but not else where... thus a device connection issues or network issues.Too many point of failure and not able to assist in this manner.Good luck.
June 22, 20251 yr Author I did the VM and Docker changes you asked me to make on the previous message, even though it didn't make sense to me (you even talked about "unraid hpyer-v virtual network", what does Hyper-V have ANTHING TO DO with my issue ??????? Where are we talking about Windows ??). I asked why I had to change Docker configuration and you didn't give me a reason.Since I didn't want to keep configuration changes that 1/ seems unrelated 2/ didn't have any effect, I reverted them.This is the ONLY thing I reverted. I don't know why you're making such a big drama about that.You say "Its also not clear how your connecting to HA from the Android device"The answer is on my very first post. ---> "I am trying to commission an Eve Eenergy (Matter over Thread) plug with the Home Assistant Android app on my Samsung A55 5G phone."You say "as you were seeing some matter udp on the android but not else where"--> I never saw Matter UDP anywhere. Only Matter TCP services after trying to commission a device. And I see them from any device.You say "I prefer you had some linux laptop to run other commands to test connect to and run"--> I have. Go on, what should I do?About your remark on IGMP (my edit was already there when you replied BTW) --> someone else asked me to try to switch to v2 if it made a difference, it didn't.You're not the only person trying to help me (but honestly I feel I'm talking to an AI more than a person).You say "you don't know what your doing" --> not sure why you're saying that. I'm trying to find the point of failure. I've already read all the resources you gave me and all the threads related to that on this forum, all the solutions that were given didn't solve my issue. So I ask for help. But your messages seem to be written by an AI...Tomorrow I will receive a 30-meter ethernet cable. I'll plug my switch directly to the ISP box downstairs, to bypass the Asus configured as a media bridge. If it still doesn't work then the Asus is not the issue.What's strange to me is that there doesn't seem to have any error on Home Assistant's side (OTBR logs etc). Edited June 22, 20251 yr by wblondel
June 22, 20251 yr On 6/21/2025 at 9:28 PM, wblondel said:Now here is the problem... I am trying to commission an Eve Eenergy (Matter over Thread) plug with the Home Assistant Android app on my Samsung A55 5G phone. This phone is connected to the WiFi network broadcasted by the ISP box and does have IPv6 connectivity too.I suspect this may not work, your phone and thread device on different network, although you said both could communicate each other via IPv6.You also have media bridge between upper / lower stair .....My first try on setup matter just use existing WiFi AP, it no need enable IPv6, I also not enable IPv6 on my network, just need enable in Unraid internally. I believe this could simplify thing.Eve energy also provide two step for setup, but I would say it is two method instead of two step. I haven't setup "OpenThread Border Router", because matter server already direct communicate with thread device.https://www.evehome.com/en/hub Edited June 22, 20251 yr by Vr2Io
June 22, 20251 yr Community Expert since your editing past post I'm not going to keep going back and forth with you.. having to reread new data taht want ther the first time I parsed it.the reason for the hyper v switch is due to networking issues that can occur and look like they are occuring... with the unraid home assistant VM and that the HA is running on Unraid.-Futher prvoing my point. THe issues may be on and at the HA VM... whcih means the Unraid Host... THis si a public Forum.. specfic to Unraid. I went thorgh all the networking gothcha that I have seen and assited others With HA on theis forum. My goal ATM is to make sure Unriad is not the problem. but with reedits and reverting that makes this difcult...Then go ask AI... I'm trying to be as detailed and forth with regardign setting why how I came to that concluion and other... When I presented with xyz when you clear need somethign else... ATM there are to many points of failure and I can't assit in this way. So I'm steping back and letting you know that some one else can try and assit you here...
June 22, 20251 yr Author @bmartino1 I am not editing past posts. Edited June 22, 20251 yr by wblondel
June 22, 20251 yr Community Expert Just now, wblondel said:@bmartino1 I am not editing past posts. Forget this idea that is stuck in your mind.the forum doesn't lie sir..Edited 20 hours ago by wblondeladd CRS305 configurationI dont' know where else to help you nor what was added where.. only that info has changed...it would have been better as a second post... Edited June 22, 20251 yr by bmartino1 data - typo
June 22, 20251 yr Author Just now, bmartino1 said:the forum doent' lie sir..Edited 20 hours ago by wblondeladd CRS305 configurationI dont' know where else to help you nor what was added where.. only that info has changed...that was before you replied."but with reedits and reverting that makes this difcult..."You are so over-acting. I edited BEFORE you replied. I reverted ONE thing. Please stop replying. Edited June 22, 20251 yr by wblondel
June 22, 20251 yr Author 4 minutes ago, Vr2Io said:I suspect this may not work, your phone and thread device on different network, although you said both could communicate each other via IPv6.You also have media bridge between upper / lower stair .....My first try on setup matter just use existing WiFi AP, it no need enable IPv6, I also not enable IPv6 on my network, just need enable in Unraid internally. I believe this could simplify thing.Eve energy also provide two step for setup, but I would say it is two method instead of two step. I haven't setup "OpenThread Border Router", because matter server already direct communicate with thread device.https://www.evehome.com/en/hubTo me there is only one network, it's just that there is a wireless bridge between the ground floor and the first floor. There is no double NAT of any kind.There is also only one WiFi AP, it's the one of the ISP box downstairs.Tomorrow I'll receive a 30m Ethernet cable, I'll be able to plug my NAS directly to the ISP box, bypassing the Asus bridge. Let's see if it changes anything! Edited June 22, 20251 yr by wblondel
June 22, 20251 yr 1 minute ago, wblondel said:To me there is only one network, it's just that there is a wireless bridge between the ground floor and the first floor. There is no double NAT of any kind.There is also only one WiFi AP, it's the the one of the ISP box downstairs.But you use ZBT1 to form the Thread WiFi network ? Edited June 22, 20251 yr by Vr2Io
June 22, 20251 yr Author 1 minute ago, Vr2Io said:But you use BT1 to form the Thread WiFi network ?Mmmh, yes. How can HA communicate with Thread devices if I don't set it up? I'm puzzled by your question 😁I'm planning to add multiple Matter over Thread devices in the future. Edited June 22, 20251 yr by wblondel
June 22, 20251 yr Just now, wblondel said:Mmmh, yes. How can HA communicate with Thread devices if I don't set it up? I'm puzzled by your question 😁As mention before, I use existing WiFi AP, that AP no need to setup support IPv6 or Thread. The thread device just connect to it, and actually comunicate to Unraid in Thread (IPv6) with Unraid (Matter server).Just enable Unraid IPv6 and broadcast IPv6, also enable host access in docket setting. Edited June 22, 20251 yr by Vr2Io
June 22, 20251 yr Author Just now, Vr2Io said:As mention before, I use existing WiFi AP, that AP no need to setup support IPv6 or Thread. The thread device just connect to it, and actually comunicate to Unraid in Thread (IPv6) with Unraid (Matter server)How do you do that? My device is NOT Matter over WiFi, but Matter over Thread. Edited June 22, 20251 yr by wblondel
June 22, 20251 yr The AP like a network Switch, you no need to setup a Switch to support IPv4 / IPv6 /Thread ..... both just need understand Ethernet frame for fundamental function.Pls note English is not my nature language, hope you understand what I say.
June 22, 20251 yr Author 27 minutes ago, Vr2Io said:Just enable Unraid IPv6 and broadcast IPv6, also enable host access in docket setting.I did as per previous messages, I set the correct sysctl configs and enabled host access in the Docker settings (I still don't understand why the latter is needed).I rebooted everything (ISP box + Asus + my NAS) in case and tried again to commission. It still failed.19 minutes ago, Vr2Io said:Pls note English is not my nature language, hope you understand what I say.It's ok it's also not my first language :D Edited June 22, 20251 yr by wblondel
June 22, 20251 yr That's why I suspect problem here, your Thread device were connect thr ZBT1's WiFi network and your phone in ISP's WiFi network.During commissioning, Phone and Thread device need in same network, so you may try commissioning (pairing Thread device) by HA instead Phone.Your HA have connect multiple network, one is usual home network and one is ZBT1 network. But me just one, all IPv4 / Thread also in one. I recommend in this way, at least this look more simple and work.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.