Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Cannot commission Matter over Thread devices using phone connected to Home Assistant VM

Featured Replies

EDIT

The source of the issue has been found: the Asus media bridge between my switch upstairs and my ISP box downstairs causes the commissioning to fail.

Commissionning works with this:

NAS ---> Mikrotik CRS305-1G-4S+ switch --> Netgear GS108v4 switch ---> ISP box

Commissionning doesn't work with this:

NAS ---> Mikrotik CRS305-1G-4S+ switch --> Netgear GS108v4 switch ---> Asus RT-BE58U -----via Wi-Fi-----> ISP box

The new question is: how can I solve this? Thank you!

END OF EDIT

Hello,

I'm asking for your help here because I've been trying to fix this issue for 2 weeks with no success.

I will try to give as many details as possible.

I have a two-storey house. My Fiber ISP internet box is at the ground floor, and I have both IPv4 CGNAT and IPv6 connectivity. SLAAC is enabled, but I have the option to enable DHCPv6 as well.

WAN info on my ISP box:

IPv4
-----
IP address: 10.153.29.150
Default gateway: 10.153.29.151
Primary DNS: 109.0.66.10
Secondary DNS: 109.0.66.20

IPv6
-----
IPv6 address: 2a02:8428:aa24:2601:da78:7fff:fe41:683f
IPv6 prefix: 2a02:8428:aa24:2600::/56
Default gateway: fe80::5555
Primary DNS: 2a02:8400::6001
Secondary DNS: 2a02:8400::6000

My computer lab is upstairs. I have an Asus RT-BE58U configured as a "Media Bridge", connected to the wifi downstairs.

image.pngimage.png

On this Asus device, a Netgear GS108v4 switch is connected.

On this Netgear switch, I have a printer, a Raspberry Pi and a Mikrotik CRS305-1G-4S+ running SwOS v2.17.

On this Mikrotik device, my desktop computer and my Unraid NAS (v7.1.4) are connected with each a Mellanox MCX311A-XCAT ConnectX-3 card and a Cisco-Molex 74752-3701 SFP+ cable.

My computer and the NAS do have IPv6 connectivity.

Output of ifconfig en0 on my desktop computer:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=6460<TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
	ether d2:31:9d:b5:ca:a9
	inet6 fe80::1cf5:e3cc:b692:3597%en0 prefixlen 64 secured scopeid 0xe 
	inet6 2a02:8428:aa24:2601:1499:6045:20ea:51c5 prefixlen 64 autoconf secured 
	inet6 2a02:8428:aa24:2601:10eb:fde8:b956:54f4 prefixlen 64 autoconf temporary 
	inet6 fdbb:29c5:1f4d:770b:1499:2b49:8d89:28f5 prefixlen 64 autoconf secured 
	inet 192.168.1.235 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active

Output of ifconfig br0 on my Unraid NAS:

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::f652:14ff:fe89:4250  prefixlen 64  scopeid 0x20<link>
        inet6 fdbb:29c5:1f4d:770b:f652:14ff:fe89:4250  prefixlen 64  scopeid 0x0<global>
        inet6 2a02:8428:aa24:2601:f652:14ff:fe89:4250  prefixlen 64  scopeid 0x0<global>
        ether f4:52:14:89:42:50  txqueuelen 1000  (Ethernet)
        RX packets 16654  bytes 2290570 (2.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7089  bytes 11395535 (10.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I can ping, traceroute, and access websites via IPv6 on both these devices.

On my Unraid NAS, I created an Home Assistant OS VM, and I configured USB passthrough for the Home Assistant Connect ZBT-1.

The configuration of the VM is :

<?xml version='1.0' encoding='UTF-8'?>
<domain type='kvm' id='1'>
  <name>HomeAssistant OS</name>
  <uuid>01cbc3e3-bfed-6023-551b-c45e53971159</uuid>
  <metadata>
    <vmtemplate xmlns="http://unraid" name="Linux" iconold="linux.png" icon="linux.png" os="linux" webui="" storage="default"/>
  </metadata>
  <memory unit='KiB'>1048576</memory>
  <currentMemory unit='KiB'>1048576</currentMemory>
  <memoryBacking>
    <nosharepages/>
  </memoryBacking>
  <vcpu placement='static'>2</vcpu>
  <cputune>
    <vcpupin vcpu='0' cpuset='0'/>
    <vcpupin vcpu='1' cpuset='2'/>
  </cputune>
  <resource>
    <partition>/machine</partition>
  </resource>
  <os>
    <type arch='x86_64' machine='pc-q35-9.2'>hvm</type>
    <loader readonly='yes' type='pflash' format='raw'>/usr/share/qemu/ovmf-x64/OVMF_CODE-pure-efi.fd</loader>
    <nvram format='raw'>/etc/libvirt/qemu/nvram/01cbc3e3-bfed-6023-551b-c45e53971159_VARS-pure-efi.fd</nvram>
  </os>
  <features>
    <acpi/>
    <apic/>
  </features>
  <cpu mode='host-passthrough' check='none' migratable='on'>
    <topology sockets='1' dies='1' clusters='1' cores='1' threads='2'/>
    <cache mode='passthrough'/>
  </cpu>
  <clock offset='utc'>
    <timer name='hpet' present='no'/>
    <timer name='hypervclock' present='no'/>
    <timer name='pit' tickpolicy='delay'/>
    <timer name='rtc' tickpolicy='catchup'/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/local/sbin/qemu</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='writeback' discard='unmap'/>
      <source file='/mnt/cache/domains/haos_ova-15.2.qcow2' index='1'/>
      <backingStore/>
      <target dev='hdc' bus='sata'/>
      <serial>vdisk1</serial>
      <boot order='1'/>
      <alias name='sata0-0-2'/>
      <address type='drive' controller='0' bus='0' target='0' unit='2'/>
    </disk>
    <controller type='usb' index='0' model='ich9-ehci1'>
      <alias name='usb'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x7'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci1'>
      <alias name='usb'/>
      <master startport='0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0' multifunction='on'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci2'>
      <alias name='usb'/>
      <master startport='2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x1'/>
    </controller>
    <controller type='usb' index='0' model='ich9-uhci3'>
      <alias name='usb'/>
      <master startport='4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x2'/>
    </controller>
    <controller type='sata' index='0'>
      <alias name='ide'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pcie-root'>
      <alias name='pcie.0'/>
    </controller>
    <controller type='pci' index='1' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='1' port='0x8'/>
      <alias name='pci.1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0' multifunction='on'/>
    </controller>
    <controller type='pci' index='2' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='2' port='0x9'/>
      <alias name='pci.2'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='pci' index='3' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='3' port='0xa'/>
      <alias name='pci.3'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='pci' index='4' model='pcie-root-port'>
      <model name='pcie-root-port'/>
      <target chassis='4' port='0xb'/>
      <alias name='pci.4'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x3'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <alias name='virtio-serial0'/>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:ca:c3:f3'/>
      <source bridge='br0'/>
      <target dev='vnet0'/>
      <model type='virtio-net'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/1'/>
      <target type='isa-serial' port='0'>
        <model name='isa-serial'/>
      </target>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/1'>
      <source path='/dev/pts/1'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <channel type='unix'>
      <source mode='bind' path='/run/libvirt/qemu/channel/1-HomeAssistant OS/org.qemu.guest_agent.0'/>
      <target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
      <alias name='channel0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
      <address type='usb' bus='0' port='2'/>
    </input>
    <input type='mouse' bus='ps2'>
      <alias name='input1'/>
    </input>
    <input type='keyboard' bus='ps2'>
      <alias name='input2'/>
    </input>
    <graphics type='vnc' port='5900' autoport='yes' websocket='5700' listen='0.0.0.0' sharePolicy='ignore'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
    <audio id='1' type='none'/>
    <video>
      <model type='qxl' ram='65536' vram='16384' vgamem='16384' heads='1' primary='yes'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1e' function='0x0'/>
    </video>
    <hostdev mode='subsystem' type='usb' managed='no'>
      <source>
        <vendor id='0x10c4'/>
        <product id='0xea60'/>
        <address bus='1' device='2'/>
      </source>
      <alias name='hostdev0'/>
      <address type='usb' bus='0' port='1'/>
    </hostdev>
    <watchdog model='itco' action='reset'>
      <alias name='watchdog0'/>
    </watchdog>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
    </memballoon>
  </devices>
  <seclabel type='dynamic' model='dac' relabel='yes'>
    <label>+0:+100</label>
    <imagelabel>+0:+100</imagelabel>
  </seclabel>
</domain>

Version of Home Assistant:

Installation method: Home Assistant OS
Core: 2025.6.1
Supervisor: 2025.05.5
Operating System: 15.2
Frontend: 20250531.3

The Home Assistant VM does have IPv6 connectivity. Output of ha network info in the CLI:

image.png

I configured the Home Assistant Connect ZBT-1 on HomeAssistant, and I now have the "Matter Server" (v8.0.0) and the "OpenThread Border Router" (v2.13.0) add-ons installed.

The OpenThread RCP v2.4.4.0 firmware has been flashed on the ZBT-1.

Now here is the problem... I am trying to commission an Eve Eenergy (Matter over Thread) plug with the Home Assistant Android app on my Samsung A55 5G phone. This phone is connected to the WiFi network broadcasted by the ISP box and does have IPv6 connectivity too.

The commissioning procedure fails at the last step "Checking network connectivity to [...]".

This is what I tried so far :

  • I had the Tailscale plugin installed and configured on the HomeAssistant VM, I uninstalled it, deleted the configuration and rebooted Unraid.

  • I had the Tailscale plugin installed on Unraid, I uninstalled it and rebooted Unraid.

  • I connected the Mikrotik CRS305-1G-4S+ directly to the Asus RT-BE58U, bypassing the Netgear GS108v4 switch.

  • I disabled any custom DNS configuration (like NextDNS) on Unraid, my phone, my router.

  • I verified that IP forwarding are enabled in Unraid for both IPv4 and IPv6, they are (net.ipv4.ip_forward = 1 and net.ipv6.conf.all.forwarding = 1).

  • On my phone, I deleted all data for the "Google Play Services" and, on the HA mobile app, I went to "Companion app > Troubleshooting > Sync Thread credentials". After 10 seconds, it said "Added network from Home Assistant to this device.". If I try again, it says "Home Assistant and this device use the same network.".

How can I debug this? Do you have any idea what the issue could be?

Thanks a lot in advance 😁

Edited by wblondel
fix title

Solved by wblondel

  • wblondel changed the title to Cannot commission Matter over Thread devices using phone connected to Home Assistant VM
  • Author

@bmartino1 hey, thanks for replying.

I went through again this post (I've already read it before).

It seems OP has part of HA in a VM, and another part in Docker in Unraid. My HA is entirely in a VM.

He does say "I am using HA (Docker) and I am currently using a VM with HAOS in it but only the Matter server. However, I want to use the Matter server in Docker to get rid of the VM.".

Then the rest of the thread is about Docker, so it seems it's not applicable to me.

However, you mentioned that IPv4 and IPv6 forwarding needs to be enabled.

That's something I already did (see 5th point of "What I tried so far").

root@NAS:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
root@NAS:~# sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1

This is right after Unraid booted.

Should I try to set net.ipv6.conf.eth0.accept_ra=2 ?

Edited by wblondel

  • Community Expert
1 minute ago, wblondel said:

@bmartino1 hey, thanks for replying.

I went through again this post (I've already read it before).

It seems OP has part of HA in a VM, and another part in Docker in Unraid. My HA is entirely in a VM.

He does say "I am using HA (Docker) and I am currently using a VM with HAOS in it but only the Matter server. However, I want to use the Matter server in Docker to get rid of the VM.".

Then the rest of the thread is about Docker, so it seems it's not applicable to me.

However, you mentioned that IPv4 and IPv6 forwarding needs to be enabled.

That's something I already did (see 5th point of "What I tried so far").

root@NAS:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
root@NAS:~# sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1

This is right after Unraid booted.

not quite corret..

#!/bin/bash

# Delay before starting

sleep 10

# Apply sysctl settings

apply_sysctl_settings() {

echo "Applying sysctl settings..."

sysctl -w net.ipv6.conf.all.forwarding=1

sysctl -w net.ipv6.conf.br0.accept_ra=2

sysctl -w net.ipv6.conf.br0.accept_ra_rt_info_max_plen=64

sysctl -w vm.overcommit_memory=1

echo "Verifying sysctl settings..."

sysctl net.ipv6.conf.all.forwarding

sysctl net.ipv6.conf.br0.accept_ra

sysctl net.ipv6.conf.br0.accept_ra_rt_info_max_plen

sysctl vm.overcommit_memory

}

apply_sysctl_settings



you need to adataional ipv6 forwarding commands...

sysctl -w net.ipv6.conf.br0.accept_ra=2

sysctl -w net.ipv6.conf.br0.accept_ra_rt_info_max_plen=64


whats the output of systemctl -p

  • Author

@bmartino1 alright, I'll try with these settings. I wasn't sure if they were applicable to my situation.

  • Author

@bmartino1 Unfortunately, the issue remains.

Output of sysctl -p on Unraid:

kernel.pid_max = 4194304

fs.inotify.max_user_watches = 524288

net.core.rmem_max = 16777216

net.core.wmem_max = 16777216

net.ipv4.tcp_rmem = 4096 87380 16777216

net.ipv4.tcp_wmem = 4096 65536 16777216

net.netfilter.nf_conntrack_max = 131072

net.ipv6.conf.all.forwarding = 1

net.ipv6.conf.br0.accept_ra = 2

net.ipv6.conf.br0.accept_ra_rt_info_max_plen = 64

vm.overcommit_memory = 1

Below, the debug log from the OpenThread Border Router during the commissionning steps:

core_openthread_border_router_2025-06-21T18-51-44.609Z.log

Edited by wblondel

  • Community Expert

hm... let take a deepr look then...

Thanks for the thorough breakdown—your setup is well thought-out and you're already troubleshooting in the right places. Given that the failure occurs during “Checking network connectivity to [...]” when commissioning a Matter-over-Thread device, let’s narrow this down to likely culprits based on how Matter and Thread interact.

Double check:

From my re look these see correct / good:

Confirmed Good:

  • IPv6 is working across your devices (this is essential for Thread-over-Border-Router functionality).

  • The ZBT-1 is flashed with a known-good RCP firmware and Home Assistant sees it.

  • The OpenThread Border Router (OTBR) is running.

  • Google Play Services synced the Thread credentials with your phone.

  • Your HA instance has IP forwarding enabled, and you removed Tailscale and other possible routing complications.

You may be having mdsn avahi issues..


Go back and check / review:


1. Border Router Discovery (mDNS + SRP)

For Matter-over-Thread commissioning, your phone must discover the Border Router via mDNS over IPv6.

  • Check if your phone can see the OTBR mDNS record:

    • Use an Android mDNS browser (like “Discovery” or “Bonjour Browser”) and look for _meshcop._udp or _matter._udp services.

    • Alternatively, log into your Unraid NAS and run:

      • avahi-browse -a -r

    • You should see entries related to OTBR and Matter services.

  • Ensure Avahi (or mDNSResponder) is running on the VM, and it bridges the .local domain across the interfaces.

2. Is Your OTBR Advertising the Mesh Prefix?

Check that the OpenThread Border Router is actually advertising the mesh prefix and acting as a Backbone Router.

  • Go to the OTBR Web UI (typically on port 8081 or 8000) and verify:

    • A valid mesh-local prefix (typically fdxx::/64) is present.

    • Border routing is “Enabled.”

    • Backbone Router state is "Primary".

Also verify that Thread: Enabled and the dataset is active with a network name, channel, and extended PAN ID.

3. Phone’s IPv6 Reachability to OTBR

The “Checking network connectivity…” step usually fails because the phone can’t route to the Thread network (typically fd... addresses) via the OTBR.

  • On Unraid, run:

    tcpdump -i br0 ip6

    Then start commissioning. Do you see ICMPv6 or UDP traffic coming from your phone?

  • Ensure the OTBR has a wpan0 interface (or similar) visible in ip a or ifconfig, and that interface has an address in the Thread mesh prefix.

  • On your phone (developer settings), enable Wi-Fi verbose logging and check if it assigns itself any ULA addresses in the fd... range.

Troubleshoot... Commissioning Flow Conflicts

  • Temporarily disable IPv4 on your phone (or put it in IPv6-only mode if possible) to force the HA app and Android stack to only use IPv6 for commissioning.

4. Firewall / NPT / RA Issues

  • Even if forwarding is enabled, check:

    • iptables -L -v -n (or nft list ruleset) on Unraid

    • Make sure no IPv6 traffic is being blocked between interfaces, especially ULA fdxx::/64 ranges.

  • You might also need to manually ensure:

    • sysctl -w net.ipv6.conf.all.accept_ra=2

      sysctl -w net.ipv6.conf.default.accept_ra=2

      --Which is done now...

  • other iptables cros trafic talk issues... Matter uses ipv6 and mutiicast...

Double check:

OpenThread CLI Debug

If you SSH into Home Assistant or access the OTBR container/VM, try:

ot-ctl state

ot-ctl router table

ot-ctl netdata show

You want to confirm that:

  • The node is “leader” or “router”

  • The network data shows correct prefixes

  • The router table includes other nodes when a Thread device is partially joined

As alot is guessing as there are mutiple points of failure...

Final Thoughts

The most common root causes in your scenario:

  • OTBR not advertising its route properly

  • mDNS or SRP not discoverable from Android

  • IPv6 routing/NAT/NPT problems blocking ULA communication

    • Could be at router level...

Once you verify that the Android phone sees the OTBR via mDNS and can reach the fdxx:: prefix, the Matter commissioning should go through.

some other HA debug comands:

Home asist has docker and may have soemthign with in the VM causing isseus too

docker exec -it addon_core_otbr bash

ot-ctl state

ot-ctl netdata show

ot-ctl prefix

Please paste the output from each command. Here's what we’re looking for:

  • state should return leader, router, or child

  • netdata show should include a fd.../64 mesh-local prefix and the "s" (stable) and "r" (preferred route) flags

  • prefix should list that same fd.../64 prefix

STEP 2: Confirm the OTBR is acting as a Backbone Router

in teh same shell run ot-ctl backbonerouter

You should see something like:

BBR Primary: yes

BBR Sequence Number: 57

BBR Registration Jitter: 20

BBR Registration Delay: 120

If it says BBR Primary: no or gives an error, the Border Router isn't working correctly.

STEP 3: Check if your Android phone can discover the OTBR via mDNS

On a Linux machine (like your Unraid NAS), run:

avahi-browse -a -r | grep -Ei 'matter|thread|meshcop'

This should list _meshcop._udp or _matter._udp services coming from your Home Assistant.

Alternatively, from the Android phone:

  • Install an app like Bonjour Browser, Discovery, or Service Browser

  • Check for:

    • _meshcop._udp.

    • _matter._udp.

    • any HA/Thread-related mDNS entries

otherwise we need wireshark / packet capture to see what failing where...
tcpdump -i br0 ip6 -n -vv


Start this, then attempt commissioning again via the Home Assistant mobile app.

Look for lines like:

  • ICMPv6 Echo Requests

  • UDP port 5353 (mDNS)

  • Any packets to/from fd...::/64

Hit Ctrl+C to stop after 20–30 seconds, and share a few lines of what you see.

Once you’ve run these 4 steps and shared the output, we’ll move to the next layer of debugging based on what we find. otherwise this may be a limitation of unraid. Some have reported upgradign to 7.4 the lattest uriad relase that fixed quite a bit of networking issues. thers some side unraid netowrk configuration I may want double checked...

  • Author

@bmartino1

Border Router Discovery

I am able to see the _meshcop UDP service using the mDNS Discovery app on my phone, and avahi-browse on Unraid.

However, I don’t see anything for _matter UDP.

After trying to commission a device, I see 2 devices for _matter TCP: one for IPv4 and one for IPv6.

2025-06-22 02.29.52.jpg2025-06-22 02.29.43.jpg2025-06-22 02.29.37.jpg

OTBR

I first had to enable the Web UI in the add-on configuration.

This is what I see on the Status page:

IPv6:LinkLocalAddress
fe80:0:0:0:d088:33ae:4207:8978

IPv6:LocalAddress
fd4c:f03e:4bbd:1:a7f8:42a8:2a62:e3c8

IPv6:MeshLocalAddress
fdcc:2c3b:173c:81bb:7644:8069:9eeb:bced

IPv6:MeshLocalPrefix
fdcc:2c3b:173c:81bb:

Network:Name
ha-thread-f150

Network:PANID
0xf150

Network:PartitionID
265239192

Network:XPANID
bb29c51f4d16770b

OpenThread:Version
OPENTHREAD/thread-reference-20230706-1129-g7bd3abd67-dirty; POSIX; Jan 14 2025 21:04:25

OpenThread:Version API
470

RCP:Channel
15

RCP:EUI64
04e3e5fffe6b996a

RCP:State
leader

RCP:TxPower
5 dBm

RCP:Version
SL-OPENTHREAD/2.4.4.0_GitHub-7074a43e4; EFR32; Apr 5 2025 16:25:05

WPAN service
associated

Phone’s IPv6 Reachability to OTBR

Tcpdump: command not found on Unraid.

But I confirm I can see traffic coming to the OTBR when I commission a device, as shown on the logs I uploaded on my previous message.

It’s not possible to disable IPv4 on Android.

Firewall / NPT / RA issues

Output of iptables -L -v -n

Chain INPUT (policy ACCEPT 225K packets, 30M bytes)
 pkts bytes target     prot opt in     out     source               destination
 223K   30M LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  76M   87G LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  76M   87G LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  76M   87G LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  76M   87G DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  76M   87G DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  56M   75G ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  425 25712 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
  20M   12G ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
  212 53889 ACCEPT     all  --  *      br-ad0cdd8ab999  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    7   448 DOCKER     all  --  *      br-ad0cdd8ab999  0.0.0.0/0            0.0.0.0/0
  189  870K ACCEPT     all  --  br-ad0cdd8ab999 !br-ad0cdd8ab999  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-ad0cdd8ab999 br-ad0cdd8ab999  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      br-7829c5bf10a9  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-7829c5bf10a9  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-7829c5bf10a9 !br-7829c5bf10a9  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br-7829c5bf10a9 br-7829c5bf10a9  0.0.0.0/0            0.0.0.0/0
    0     0 WIREGUARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 184K packets, 47M bytes)
 pkts bytes target     prot opt in     out     source               destination
 183K   46M LIBVIRT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER (3 references)
 pkts bytes target     prot opt in     out     source               destination
    7   448 ACCEPT     tcp  --  !br-ad0cdd8ab999 br-ad0cdd8ab999  0.0.0.0/0            172.18.0.4           tcp dpt:2283
   22  1408 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8112
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8118
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9118
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:58846
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:58946
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           udp dpt:58946

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  20M   12G DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
  189  870K DOCKER-ISOLATION-STAGE-2  all  --  br-ad0cdd8ab999 !br-ad0cdd8ab999  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-7829c5bf10a9 !br-7829c5bf10a9  0.0.0.0/0            0.0.0.0/0
  76M   87G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-ad0cdd8ab999  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-7829c5bf10a9  0.0.0.0/0            0.0.0.0/0
  20M   12G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  76M   87G RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_INP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68

Chain WIREGUARD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Output of docker exec addon_core_openthread_border_router ot-ctl state

leader
Done

Output of docker exec addon_core_openthread_border_router ot-ctl router table, before trying to commission a device:

Pasted Graphic.jpg

Output of the same command, after trying to commission a device (it failed):

Pasted Graphic 3.jpg

Output of docker exec addon_core_openthread_border_router ot-ctl netdata show

Prefixes.jpg

Output of docker exec addon_core_openthread_border_router ot-ctl prefix

Pasted Graphic 2.jpg

Output of docker exec addon_core_openthread_border_router ot-ctl backbonerouter

Error 35: InvalidCommand

I am already on the latest version of Unraid: v7.1.4.

Configuration of my Mikrotik CRS305

I figured it would be useful for you to know the configuration of the switch my NAS is connected to.

I do not use VLANs and IGMP Snooping is disabled.

image.png

(I temporarily set the IGMP version to v2, it didn't change anything. it's now back to v3.)

Edited by wblondel
add CRS305 configuration

  • Community Expert

Perfect alot of data to run thorugh and check. From a glance. THis doens apear to be the hyper-v network cross issues...


in Unraid so this may be the virbr0 issues and other unraid network settings. Thank you I know that is alot to go through for testing.

Some side notes as well...
as your XML is saying to use the :

*While it shouldn't be a problem as the HA is getting a ipv4 and ipv6 and unraid is handling the ipv6 forwarding over br0...

    <interface type='bridge'>
      <mac address='52:54:00:ca:c3:f3'/>
      <source bridge='br0'/>
      <target dev='vnet0'/>
      <model type='virtio-net'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>

yet unraid iptables confirm the unraid hpyer-v virtual network switch for VMs. This may lie our problem...

So stop all VMs we may want to xml edit the HA VM network.
as example in the first post matter thread:
xml code example:
 

    <interface type='direct' trustGuestRxFilters='yes'>
      <mac address='52:54:00:26:97:94'/>
      <source dev='vhost0' mode='bridge'/>
      <target dev='macvtap0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>

Chose the correct Source Dev for your system br0 is correct
while using a macvlan docker, network...
*Just throwing that out there as VMs can and may need additional settings for services...


The core thing here apears to is in the unraid VM settings and may require adational Docker settings that change and affect unraid networking...
With VMs off. Go to settings > VM Manger

Advance toggle
image.png

*Make sure the Default Network source IS NOT Virbr0 This for some reason causes some vm and unraid networks cross talk issues as seen with your iptables command.

Then under docker networking settings Make sure you have host access to custom enabled :

image.png

and restart unraid to apply the new networking config...

Then try again from the android phone device.

####

FYI yes you can temp disabled ipv4 on android. it requires going into the network and seting manul setting and disabling ipv4 and enabling ipv6
https://android.stackexchange.com/questions/136830/disable-ipv4-entirely

This is not needed.

########

if it fails here then there somethign being lost between the wifi bridge. where the router is not forwarding the matter udp muticast traffic.



  • Author

@bmartino1

"FYI yes you can temp disabled ipv4 on android. it requires going into the network and seting manul setting and disabling ipv4 and enabling ipv6"

No. I don't have this option.

Do you see any issue on the log I shared?

The default network source on the VM Manager is br0.

For Docker, host access to custom networks is disabled but why does it matter in my case? HAOS is in a VM...

Anyway, I enabled it and changed the VM interface to this:

    <interface type='direct' trustGuestRxFilters='yes'>
      <mac address='52:54:00:ca:c3:f3'/>
      <source dev='br0' mode='bridge'/>
      <target dev='macvtap0'/>
      <model type='virtio'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
    </interface>

The issue was still there so I reverted the changes.

Edited by wblondel

  • Community Expert

I have read your logs post and other data... but if you going to revert and not keep the changes then I'm done here. as Your editing the previous post and its clear you don't know what your doing..
Yes, I've seen the log but it done't have anything of use that I can devise from it... as this is still networking issues... not application issues...

Review:
https://www.youtube.com/watch?v=HYPL2HqZ_TQ
https://www.youtube.com/watch?v=uPde1aulGYY
https://www.youtube.com/watch?v=BWUAzAGtzHc
https://www.youtube.com/watch?v=jeujDTEreio

as I've even pulled data from my first OG post that went over all of that. as it doent' matter if its the VM, dcoker etc...

I run android myself. I'm not going to debate on a option for testing that is possible... Android is not a good testing system anyway. I prefer you had some linux laptop to run other commands to test connect to and run.(Make sure its not the andoid system...) debain / ubuntu mdns-scan and other linux tools for troubleshooting... then work on getting the phone to do it...

As I do simlar myself on my devices without root. other linkage there with android was to go over other ipv6 as android done't do ipv6 well...
Its also not clear how your connecting to HA from the Android device and what HA a trualy has accesses too. ?app web prower?

So All I can do is point you due to some of the limiting factors as it appear You have 3 issues:

1. Mis configuration of the OTBR
I can't help you with that...

2. Mis configuration on unriad with how networks are working and talking with each other.
-Attempted all I can say is go back and review the other post mentioned here...

3. Potential router wifi bridge network loss, preventing udp muticast and matter devces form traversing...

##########

as you 've edited previous post and this new forum is broken "I can use the quote system it make everything a quote and harder to point at xyz...
Not sure if you rebooted unraid or still have the systemctl per example as your reverting things which makes other steps or next things to check problematic.

I would recommend making a new General post asking for assistance. Its works on my machine and I went over each area on unraid to make it work. so if it not working after those settings are implemented, then Its not on unraid the OS host itself.... thus other VM options and settings or outside unraid networking setup...

Further, as this is added new:
IGMP is more associated with ping. You will not notice or see anything with igmp v2 or v3...
and that setting has to do with some packet handling:

IGMP version 3 (v3) is an enhancement over version 2 (v2), primarily adding support for source-specific multicasting and membership report aggregation. IGMPv2 introduced the "Leave Group" message, allowing hosts to explicitly signal their departure from a multicast group. IGMPv3, while maintaining backward compatibility, allows hosts to specify which sources they want to receive traffic from within a multicast group (source filtering) and report interest in multiple groups and sources in a single message

So, If your messing with options you don't understand, this can also cause problematic symptoms...

as you were seeing some matter udp on the android but not else where... thus a device connection issues or network issues.

Too many point of failure and not able to assist in this manner.

Good luck.

  • Author

I did the VM and Docker changes you asked me to make on the previous message, even though it didn't make sense to me (you even talked about "unraid hpyer-v virtual network", what does Hyper-V have ANTHING TO DO with my issue ??????? Where are we talking about Windows ??). I asked why I had to change Docker configuration and you didn't give me a reason.

Since I didn't want to keep configuration changes that 1/ seems unrelated 2/ didn't have any effect, I reverted them.

This is the ONLY thing I reverted. I don't know why you're making such a big drama about that.

You say "Its also not clear how your connecting to HA from the Android device"

The answer is on my very first post. ---> "I am trying to commission an Eve Eenergy (Matter over Thread) plug with the Home Assistant Android app on my Samsung A55 5G phone."

You say "as you were seeing some matter udp on the android but not else where"

--> I never saw Matter UDP anywhere. Only Matter TCP services after trying to commission a device. And I see them from any device.

You say "I prefer you had some linux laptop to run other commands to test connect to and run"

--> I have. Go on, what should I do?

About your remark on IGMP (my edit was already there when you replied BTW) --> someone else asked me to try to switch to v2 if it made a difference, it didn't.

You're not the only person trying to help me (but honestly I feel I'm talking to an AI more than a person).

You say "you don't know what your doing" --> not sure why you're saying that. I'm trying to find the point of failure. I've already read all the resources you gave me and all the threads related to that on this forum, all the solutions that were given didn't solve my issue. So I ask for help. But your messages seem to be written by an AI...

Tomorrow I will receive a 30-meter ethernet cable. I'll plug my switch directly to the ISP box downstairs, to bypass the Asus configured as a media bridge. If it still doesn't work then the Asus is not the issue.

What's strange to me is that there doesn't seem to have any error on Home Assistant's side (OTBR logs etc).

Edited by wblondel

On 6/21/2025 at 9:28 PM, wblondel said:

Now here is the problem... I am trying to commission an Eve Eenergy (Matter over Thread) plug with the Home Assistant Android app on my Samsung A55 5G phone. This phone is connected to the WiFi network broadcasted by the ISP box and does have IPv6 connectivity too.

I suspect this may not work, your phone and thread device on different network, although you said both could communicate each other via IPv6.

You also have media bridge between upper / lower stair .....

My first try on setup matter just use existing WiFi AP, it no need enable IPv6, I also not enable IPv6 on my network, just need enable in Unraid internally. I believe this could simplify thing.

Eve energy also provide two step for setup, but I would say it is two method instead of two step. I haven't setup "OpenThread Border Router", because matter server already direct communicate with thread device.

https://www.evehome.com/en/hub

Edited by Vr2Io

  • Community Expert

since your editing past post I'm not going to keep going back and forth with you.. having to reread new data taht want ther the first time I parsed it.

the reason for the hyper v switch is due to networking issues that can occur and look like they are occuring... with the unraid home assistant VM and that the HA is running on Unraid.
-Futher prvoing my point. THe issues may be on and at the HA VM... whcih means the Unraid Host... THis si a public Forum.. specfic to Unraid. I went thorgh all the networking gothcha that I have seen and assited others With HA on theis forum. My goal ATM is to make sure Unriad is not the problem. but with reedits and reverting that makes this difcult...

Then go ask AI... I'm trying to be as detailed and forth with regardign setting why how I came to that concluion and other... When I presented with xyz when you clear need somethign else...

ATM there are to many points of failure and I can't assit in this way.

So I'm steping back and letting you know that some one else can try and assit you here...

  • Author

@bmartino1 I am not editing past posts.

Edited by wblondel

  • Community Expert
Just now, wblondel said:

@bmartino1 I am not editing past posts. Forget this idea that is stuck in your mind.

the forum doesn't lie sir..

Edited 20 hours ago by wblondel
add CRS305 configuration

I dont' know where else to help you nor what was added where.. only that info has changed...

it would have been better as a second post...

Edited by bmartino1
data - typo

  • Author
Just now, bmartino1 said:

the forum doent' lie sir..

Edited 20 hours ago by wblondel
add CRS305 configuration

I dont' know where else to help you nor what was added where.. only that info has changed...

that was before you replied.

"but with reedits and reverting that makes this difcult..."

You are so over-acting. I edited BEFORE you replied. I reverted ONE thing. Please stop replying.

Edited by wblondel

  • Author
4 minutes ago, Vr2Io said:

I suspect this may not work, your phone and thread device on different network, although you said both could communicate each other via IPv6.

You also have media bridge between upper / lower stair .....

My first try on setup matter just use existing WiFi AP, it no need enable IPv6, I also not enable IPv6 on my network, just need enable in Unraid internally. I believe this could simplify thing.

Eve energy also provide two step for setup, but I would say it is two method instead of two step. I haven't setup "OpenThread Border Router", because matter server already direct communicate with thread device.

https://www.evehome.com/en/hub

To me there is only one network, it's just that there is a wireless bridge between the ground floor and the first floor. There is no double NAT of any kind.

There is also only one WiFi AP, it's the one of the ISP box downstairs.

Tomorrow I'll receive a 30m Ethernet cable, I'll be able to plug my NAS directly to the ISP box, bypassing the Asus bridge. Let's see if it changes anything!

Edited by wblondel

1 minute ago, wblondel said:

To me there is only one network, it's just that there is a wireless bridge between the ground floor and the first floor. There is no double NAT of any kind.

There is also only one WiFi AP, it's the the one of the ISP box downstairs.

But you use ZBT1 to form the Thread WiFi network ?

Edited by Vr2Io

  • Author
1 minute ago, Vr2Io said:

But you use BT1 to form the Thread WiFi network ?

Mmmh, yes. How can HA communicate with Thread devices if I don't set it up? I'm puzzled by your question 😁

I'm planning to add multiple Matter over Thread devices in the future.

Edited by wblondel

Just now, wblondel said:

Mmmh, yes. How can HA communicate with Thread devices if I don't set it up? I'm puzzled by your question 😁

As mention before, I use existing WiFi AP, that AP no need to setup support IPv6 or Thread. The thread device just connect to it, and actually comunicate to Unraid in Thread (IPv6) with Unraid (Matter server).

Just enable Unraid IPv6 and broadcast IPv6, also enable host access in docket setting.

Edited by Vr2Io

  • Author
Just now, Vr2Io said:

As mention before, I use existing WiFi AP, that AP no need to setup support IPv6 or Thread. The thread device just connect to it, and actually comunicate to Unraid in Thread (IPv6) with Unraid (Matter server)

How do you do that? My device is NOT Matter over WiFi, but Matter over Thread.

Edited by wblondel

The AP like a network Switch, you no need to setup a Switch to support IPv4 / IPv6 /Thread ..... both just need understand Ethernet frame for fundamental function.

Pls note English is not my nature language, hope you understand what I say.

  • Author
27 minutes ago, Vr2Io said:

Just enable Unraid IPv6 and broadcast IPv6, also enable host access in docket setting.

I did as per previous messages, I set the correct sysctl configs and enabled host access in the Docker settings (I still don't understand why the latter is needed).

I rebooted everything (ISP box + Asus + my NAS) in case and tried again to commission. It still failed.

19 minutes ago, Vr2Io said:

Pls note English is not my nature language, hope you understand what I say.

It's ok it's also not my first language :D

Edited by wblondel

That's why I suspect problem here, your Thread device were connect thr ZBT1's WiFi network and your phone in ISP's WiFi network.

During commissioning, Phone and Thread device need in same network, so you may try commissioning (pairing Thread device) by HA instead Phone.

Your HA have connect multiple network, one is usual home network and one is ZBT1 network. But me just one, all IPv4 / Thread also in one. I recommend in this way, at least this look more simple and work.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.