Shelly IoT - Device is Offline / Pending Connection

Hello,

I have a bunch of Shelly IoT switches, and while they work with my stock ISP routers without touching any settings, they don't seem to work on OpenWrt.

The devices can be reconfigured using their App and they're able to connect to the network as the router shows:

However on the App they'll always show up as "Device Offline" or "Pending Connection":

After some research I believe those devices use multicast / IGMP, so I installed IGMPProxy as described here, but it still doesn't work.

The only logs I get about IGMPProxy are:

user.warn igmpproxy[148681]: select() failure; Errno(4): Interrupted system call
(...)
user.warn igmpproxy[4553]: MRT_DEL_MFC; Errno(2): No such file or directory

Also, I'm not sure whether IGMPProxy will also pass the multicast traffic to the WiFi interface. If not, how can this be done?

Does anyone have experience with those devices?

We can start by looking to see if there are any misconfigurations...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hey @psherman here is the information:

ubus call system board
{
 "kernel": "5.15.137",
 "hostname": "xxxxxxx",
 "system": "ARMv8 Processor rev 4",
 "model": "Bananapi BPI-R3",
 "board_name": "bananapi,bpi-r3",
 "rootfs_type": "squashfs",
 "release": {
  "distribution": "OpenWrt",
  "version": "23.05.2",
  "revision": "r23630-842932a63d",
  "target": "mediatek/filogic",
  "description": "OpenWrt 23.05.2 r23630-842932a63d"
 }
}
cat /etc/config/network

config interface 'loopback'
 option device 'lo'
 option proto 'static'
 option ipaddr '127.0.0.1'
 option netmask '255.0.0.0'

config globals 'globals'
 option ula_prefix 'fd14:xxxx:xxxx::/48'

config device
 option name 'br-lan'
 option type 'bridge'
 list ports 'lan1'
 list ports 'lan2'
 list ports 'lan3'
 list ports 'lan4'
 list ports 'sfp2'

config interface 'lan'
 option device 'br-lan'
 option proto 'static'
 option ip6assign '60'
 list ipaddr '10.10.10.1/24'
 option igmp_snooping 1

config device
 option name 'br-wan'
 option type 'bridge'
 list ports 'eth1'
 list ports 'wan'

config device
 option name 'eth1'
 option macaddr '22:XXXXXXXXXX'

config device
 option name 'wan'
 option macaddr '22:XXXXXXXXXX'

config interface 'wan'
 option device 'br-wan'
 option proto 'dhcp'

config interface 'wan6'
 option device 'br-wan'
 option proto 'dhcpv6'

config interface 'Wireguard'
(... from this point on nothing other than the WG config)
cat /etc/config/wireless

config wifi-device 'radio0'
 option type 'mac80211'
 option path 'platform/soc/18000000.wifi'
 option channel 'auto'
 option band '2g'
 option htmode 'HE20'
 option country 'XX'
 option cell_density '0'

config wifi-iface 'default_radio0'
 option device 'radio0'
 option network 'lan'
 option mode 'ap'
 option ssid 'XXXXXXXXXXXXXX'
 option encryption 'sae-mixed'
 option key 'XXXXXXXXXXXXXXX'

config wifi-device 'radio1'
 option type 'mac80211'
 option path 'platform/soc/18000000.wifi+1'
 option channel 'auto'
 option band '5g'
 option htmode 'HE160'
 option country 'XX'
 option cell_density '0'

config wifi-iface 'default_radio1'
 option device 'radio1'
 option network 'lan'
 option mode 'ap'
 option ssid 'XXXXXXXXXXXXXX'
 option encryption 'sae-mixed'
 option key 'XXXXXXXXXXXXXXX'
cat /etc/config/dhcp

config dnsmasq
 option domainneeded '1'
 option localise_queries '1'
 option rebind_protection '1'
 option rebind_localhost '1'
 option local '/lan/'
 option domain 'lan'
 option expandhosts '1'
 option cachesize '1000'
 option authoritative '1'
 option readethers '1'
 option leasefile '/tmp/dhcp.leases'
 option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
 option localservice '1'
 option ednspacket_max '1232'
 option port '0'

config dhcp 'lan'
 option interface 'lan'
 option start '100'
 option limit '150'
 option leasetime '12h'
 option dhcpv4 'server'
 option dhcpv6 'server'
 option ra 'server'
 list ra_flags 'managed-config'
 list ra_flags 'other-config'
 list dhcp_option '6,10.10.10.1/24'

config dhcp 'wan'
 option interface 'wan'
 option ignore '1'

config odhcpd 'odhcpd'
 option maindhcp '0'
 option leasefile '/tmp/hosts/odhcpd'
 option leasetrigger '/usr/sbin/odhcpd-update'
 option loglevel '4'

config dhcp 'Wireguard'
 option interface 'Wireguard'
 option ignore '1'

config host
 option name 'homeassistant'
 option mac 'B8:XXXXXXXXXXXXX'
 option ip '10.10.10.25'
cat /etc/config/firewall

config defaults
 option input 'REJECT'
 option output 'ACCEPT'
 option forward 'REJECT'
 option synflood_protect '1'

config zone
 option name 'lan'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option forward 'ACCEPT'
 list network 'Wireguard'
 list network 'lan'

config zone
 option name 'wan'
 list network 'wan'
 list network 'wan6'
 option input 'REJECT'
 option output 'ACCEPT'
 option forward 'REJECT'
 option masq '1'
 option mtu_fix '1'

config forwarding
 option src 'lan'
 option dest 'wan'

config rule
 option name 'Allow-DHCP-Renew'
 option src 'wan'
 option proto 'udp'
 option dest_port '68'
 option target 'ACCEPT'
 option family 'ipv4'

config rule
 option name 'Allow-Ping'
 option src 'wan'
 option proto 'icmp'
 option icmp_type 'echo-request'
 option family 'ipv4'
 option target 'ACCEPT'

config rule
 option name 'Allow-IGMP'
 option src 'wan'
 option proto 'igmp'
 option family 'ipv4'
 option target 'ACCEPT'

config rule
 option name 'Allow-DHCPv6'
 option src 'wan'
 option proto 'udp'
 option dest_port '546'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-MLD'
 option src 'wan'
 option proto 'icmp'
 option src_ip 'fe80::/10'
 list icmp_type '130/0'
 list icmp_type '131/0'
 list icmp_type '132/0'
 list icmp_type '143/0'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-ICMPv6-Input'
 option src 'wan'
 option proto 'icmp'
 list icmp_type 'echo-request'
 list icmp_type 'echo-reply'
 list icmp_type 'destination-unreachable'
 list icmp_type 'packet-too-big'
 list icmp_type 'time-exceeded'
 list icmp_type 'bad-header'
 list icmp_type 'unknown-header-type'
 list icmp_type 'router-solicitation'
 list icmp_type 'neighbour-solicitation'
 list icmp_type 'router-advertisement'
 list icmp_type 'neighbour-advertisement'
 option limit '1000/sec'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-ICMPv6-Forward'
 option src 'wan'
 option dest '*'
 option proto 'icmp'
 list icmp_type 'echo-request'
 list icmp_type 'echo-reply'
 list icmp_type 'destination-unreachable'
 list icmp_type 'packet-too-big'
 list icmp_type 'time-exceeded'
 list icmp_type 'bad-header'
 list icmp_type 'unknown-header-type'
 option limit '1000/sec'
 option family 'ipv6'
 option target 'ACCEPT'

config rule
 option name 'Allow-IPSec-ESP'
 option src 'wan'
 option dest 'lan'
 option proto 'esp'
 option target 'ACCEPT'

config rule
 option name 'Allow-ISAKMP'
 option src 'wan'
 option dest 'lan'
 option dest_port '500'
 option proto 'udp'
 option target 'ACCEPT'

Also the config of the igmpproxy:

cat /etc/config/igmpproxy
config igmpproxy
 option quickleave 1
# option verbose [0-3](none, minimal[default], more, maximum)

config phyint
 option network wan
 option zone wan
 option direction upstream
 list altnet 0.0.0.0/0

config phyint
 option network lan
 option zone lan
 option direction downstream

Thank you.

I may be wrong but shouldn't the igmp_snooping option in

config interface 'lan'
 option device 'br-lan'
 option proto 'static'
 option ip6assign '60'
 list ipaddr '10.10.10.1/24'
 option igmp_snooping 1

belong to the device/bridge section?

config device
 option name 'br-lan'
 option type 'bridge'
 option igmp_snooping '1'
 ...

Well you might be right but it still doesn't work. Thank you for spotting that.

sae-mixed (WPA2-PSK / WPA3-SAE mixed mode) is not liked by quite a few clients; it makes more sense to use wpa2psk/ccmp only, or a dedicated wpa2psk/ccmp BSSID and a dedicated SAE (WPA3) BSSID.


But the devices show up as connected and HA can interact with them. It's only the Shelly App that seems to fail.

How does the Shelly App connect to the devices? Does it use explicit local IPs, mDNS discovery, or a cloud service / cloud reflector?

What happens if you stop your WireGuard interface?

The only information they seem to provide is this and it doesn't make much sense.

The Shelly App allows remote control of the devices, even if you aren't home. From other information I found on reddit it appears to require multicast to work.

Still doesn't work. The WireGuard interface isn't my gateway to the internet, I just use it to access a few things on my network when I'm not at home.

Found the issue:

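For some reason, most likely a copy-paste mistake, the router's DHCP was advertising 10.10.10.1/24 as the network DNS server. This is the `list dhcp_option '6,10.10.10.1/24'` line in the /etc/config/dhcp output above; DHCP option 6 expects plain IP addresses, without a prefix length.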

Removing the /24, obviously, fixed the problem :smiley:

Anyways I found out the following about Shelly devices:

  • They'll connect to iot.shelly.cloud and time.google.com;
  • You can open the device by IP on a browser to get to a debug UI that will tell you if the device is connected to their cloud / has time and allows you to enable logging as well;
  • They aren't as smart as a Windows/macOS client as they won't simply ignore a mistake like this;
  • If there's an issue with DNS they don't seem to fall back to anything else;
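  • Multicast / IGMPProxy is not required, so igmpproxy (installed above only for troubleshooting, with `altnet 0.0.0.0/0` on the WAN side) does not need to stay installed;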
  • UPnP is not required.

Thank you guys!
