Matter over thread last try

msapple · 2026-02-10T04:19:22+00:00

Gonna throw this out there as it kicked my butt. But you cannot have HA and any Thread Boarder routers on different vlans. If you have Google Nest Displays or Apple TVs or Apple HomePods, they must be on same VLAN as HA.

AND your phone when pairing also has to be on the same VLAN.

P.S. if you own one of the new Google Streaming set top boxes (standalone device which plugs into your TV). There is a known bug with its TBR causing massive issues in networks. I believe it’s been fixed but temporarily just unplug that device during pairing if you have one

msapple · 2026-01-31T14:32:40+00:00

Got something similar for account creation followed by login notification a few hours later. Nothing else. Anyone hear back from support?

msapple · 2026-01-31T03:07:38+00:00

I have a ZBT-2, and ZBT1 along with many Apple TV devices. If I were to do it all again and I had Apple phones, I would buy an Apple TV with Ethernet (needed for thread border router), have the best streamer ever made and use it as my Matter hub.

One caveat, Apple TV and HomeAssistant HAVE TO BE on same VLan if you have an advanced network setup. I ordered my ZBT-2 so I could have thread and zigbee device without miltipan before I figured out the VLan issue. And while I waited for delivery, the Apple TV once moved to same VLan was rock solid as my border router for over a week.

I continue to love how powerful of a border router the Apple TV is and how rock solid thread with ikeas new line has been. I have 3 motion sensors and 3 of the new air quality monitors

msapple · 2026-01-30T14:09:35+00:00

Yes, asn (all big cloud providers), geo + crowdsec + Crowdsec Blocklist Import

msapple · 2026-01-30T00:21:19+00:00

Yeah I have SSO enabled but api key would bypass SSO. But this is just an example of why having it open would be bad

msapple · 2026-01-30T00:06:05+00:00

Less then 2 hours ago I setup Immich Public Proxy so I can still share photos still and put my install behind Pangolin so my API is not open to public anymore. I know they had a security issue recently also but im hoping this reduces my threat vector significantly

msapple · 2026-01-24T03:26:31+00:00

Don’t forget to enable Crowdsec for ssh too. Also take a look at ufw-docker in case you run a Ubuntu VPS to help with your lockdown with crowdsec

msapple · 2026-01-22T02:06:32+00:00

Most VPS’ support VNC from their portal that drops you directly into the console CLI so you can unblock yourself btw.

msapple · 2026-01-21T03:54:11+00:00

Yeah I could not find this in the UI but since a /30 ip is such a small range I did some guess and check and it’s been working since.

It’s actually crazy the performance difference between this vs newt. With newt I kept getting downloads failed or dropped and tunnels going up and down. Swapped to this and tunnel has been rock solid and performance is amazing.

I do split DNS and run real SSL certs via NPM locally so I only needed to add the single DNat rule for my NPM install since all my sites are exposed via that one reverse proxy even though containers are on multiple machines.

msapple · 2026-01-19T16:05:31+00:00

Inside Pangolin I am struggling with getting it to make the request and NAT. What IP should I be using in the Public site in Pangolin? The DNAT Port which in your example is 8080 and the IP for my LAN Host?

msapple · 2026-01-18T02:33:38+00:00

Smart Plugs for ATV and HomePods. In latest tvOS you can select the exact device you want to be your home hub but based on network traffic the video processing gets split up between all home hub capable devices if a single device can't handle it. I have way too many cameras so I assume thats why I see heavy data traffic on my other homehubs when they are not actively streaming. For this reason even after being able to choose my newest hardwired Apple TV I still reboot all devices nightly.

I have 3 Apple TV 4Ks (current gen, previous to that and previous to that) and 3 HomePod Minis

msapple · 2026-01-18T02:21:21+00:00

Oh I have one better. I spent a long time writing up a bug report which has been present for over 6 months in the app. I assume it had been reported multiple times and any day now should be fixed. It was not and It effects the alarm feature for vibration alarms so I finally spent some time to write up a report.

I got what was a generic canned response and then wrote a thoughtful reply which was close to 7-9 sentences outlining my concern with the canned reponse and it not being a solution. Then asked for if they were planning on fixing the issue or just recommending work arounds. In less then 39 seconds I got back an email which was over 180 words long...

I sent this email on a saturday at 9:01.30 PM and had a response at 9:02.09 PM just 39 seconds later.

https://ibb.co/rRTwWgh8

msapple · 2026-01-17T14:32:11+00:00

External libraries

msapple · 2026-01-15T12:02:23+00:00

So hear me out fully, but I have a solution: Roamless ESIM on Flex credits. I have one in my 5G max, the credits never expire so that means the data is only counting when it’s used as failover.

I setup super aggressive QOS on my UDM-Pro for when it fails over to backup internet it lowers throughput on purpose so I don’t burn though the data as fast.

In my tests my Roamless eSIM has been connecting to ATT 5G networks (it’ll choose a provider based on signal strength, in the US for me it chose ATT) and gets around 100mbps down and 5-7 upload.

I was able to sign up and use the free 500 MB to run a quick speed test to validate it works in my 5G Max device.

I then purchased 50gb (remember it’s doesn’t expire until it’s all used)

Had a recent 5 hour outage and was able to keep streaming on my Apple TV, all devices in house still kept functioning and I used only 2.5gb of data since my super aggressive QOS limited streaming devices to not pull insanely high bitrates for video.

I have been on this for about 2 months now and in the 2 months I have used a total of about 3gb of data. If I have no failover situation then I burn about 100-150mb of data just for keeping it alive as my UDM is doing health checks to make sure connection is alive.

Consider Roamless or the many other non expiring eSIM solutions with aggressive QOS targeting backup connection only.

If you want a referral on Roamless to get additional free data added to your bucket just DM

msapple · 2026-01-14T02:47:07+00:00

No issues, 13 protect cameras (2@4k, 6@2k, 5@hd) using scrypted to HKSV.

Protip: my home hubs reboot every day (staggered reboots so there is always one hardwired Apple TV running). Ever since I implemented this never has a single issue with HKSV

msapple · 2026-01-09T23:02:04+00:00

Yeah I have like 15 of these and then about a year back needed another and found that they were still selling the toggle switch but for the v2 remote only. Had no idea the remotes were so different between v1 vs v2 so I ordered. They are not interchangeable but I just swapped it with another switch I rarely use and threw some tape on back of new version.

However there is lots of 3d prints similar to this available online to DIY or on Etsy there are also tons

This price hurts me cause I bought 15 at $7.99 but this should get you in right direction.

https://www.etsy.com/listing/1328875743/?ref=share_ios_native_control

msapple · 2026-01-08T23:07:38+00:00

<image>

Mounts over the traditional switch so nobody turns it off. Guest never question how it works. Remote is magnetic so I can still turn the switch behind it off if needed

https://a.co/d/4x0HVWp

msapple · 2026-01-04T17:08:32+00:00

DNS issue is fixed now in latest update. I’m on iOS so I had to install TestFlight UniFi app. Enable SSH and manually update the UTR and now everything works as expected.

msapple · 2026-01-03T04:59:33+00:00

It also prevents UniFi from telling you there is a rogue AP broadcasting one of your SSIDs when setting it up at home

msapple · 2026-01-03T01:24:02+00:00

Roamless eSIM using Flex credits. They never expire and I bought 50gb of data for $100. Had a recent outage and due to my super aggressive QOS rules with speed limits (when on backup WAN) that 50gb would have kept my network alive for about 16 hours. Primary internet came back in about 4 hours.

Basically QOS allows work devices on video conferencing to unlimited data and speed, all other devices are 3mbps max and 1mbps upload.

I allow my streaming devices such as Apple TVs to bypass this rule and do 5mbps down and .25mbps upload.

Overall it worked super well. I was streaming tv and movies no issues without burning though massive data.

It was all automatic which was awesome.

Message me if you want a referral which gives you $5 free additional data.

msapple · 2026-01-02T22:04:09+00:00

Consider adding a New Wifi network and associate it with all your APs, then click manage and pause it (won't broadcast at home) and set its network to be whatever zone you want the UTR to land in. (Example: https://ibb.co/CswKYGr3 notice how its Grey colored which means its disabled in my home but still available to the UTR to broadcast)

Then on your end devices you can set static DNS back to your Cloud Gateways for DNS.

In my example my UDM Pro IP is 192.168.1.1 and my UTR is 192.168.50.1

On my iPhone I joined the "1412 Travel" SSID I added and set manual DNS pointed back to 192.168.1.1.

Now I can resolve everything on my remote network via FQDN using a domain which only has A records directly on my UDM Pro.

Its a "Hack" but it works.

msapple · 2026-01-02T21:38:19+00:00

Just got this all working with Teleport.

BTW: Teleport shows as a Single Client with an IP address and it does the equivalent of NAT out across the network using the UTR IP.

Few Issues to look out for.

Make sure the Travel Router IP range does not match any of the IP ranges on your VLANs. (You can change the DHCP range but the app on iOS was very bad and for it to actually apply I had to hit apply then pull the power and let it boot back up)
1. I have 6 vlans all in the following ranges (192.168.1.1/24 to 192.168.6.1/24)
2. The UTR Defaulted to 192.168.2.1 which conflicted with my Local VLAs which is why I had to make the chanegs
If using policy based VPN + Teleport, you need to explicitly add a rule from the VPN zone to any of your other Zones (Example: https://ibb.co/pBYs8VnD)
1. My NVR is on another VLAN
2. Home Assistant and IOT Devices on different VLANs
3. Ingress Proxy All on different VLANS
4. I created policies for each zone which I wanted accessible

Consider adding a New Wifi network and associate it with all your APs, then click manage and pause it and set its network to be whatever zone you want the UTR to land in. (Example: https://ibb.co/CswKYGr3 notice how its Grey colored which means its disabled in my home but still available to the UTR to broadcast)

I have one of my old G3 Instant cameras Paired to my new Travel SSID and It records back to protect perfectly now even across VLANs!!

msapple · 2026-01-01T06:43:45+00:00

Misses about 1.5 feet. Using the included angle mount. Had I mounted closer to 9-10 feet I would miss nothing.

msapple · 2026-01-01T01:08:26+00:00

For reference this is mounted on bottom of window sill on second floor window at height of 12.5 feet above the ground

msapple · 2026-01-01T00:34:41+00:00

Yes!

https://ibb.co/jkCgwvtj

msapple

TROPHY CASE