Zigbee devices you don't want on your network

Want a stable mesh network? Running ZHA or Zigbee2MQTT as part of your home automation system? Here are some devices you should avoid running on your network.

Stability and performance issues?

  • Philips Hue A19 White and Color Ambiance (LCT001), released in ~2013
  • Philips Hue Table Lamp (LLC012), released in ~2013

The devices above will stop routing traffic and responding to commands, causing issues with your mesh network.

Pairing issues?

LinkTap GW-02, a wireless timer gateway leaves itself in Permanent Join mode and will reject join requests for any Zigbee device on your network. Sometimes, devices do not implement handling of rejected joins properly and will "give up."

Devices (re)-join Zigbee networks all the time to find a better parent route, so this will cause stability issues which are hard to diagnose.


ser2net and Zigbee coordinator USB dongle

Use ser2net on a Raspberry Pi if you would like to have your Zigbee coordinator in a central location, away from your Home Assistant machine. Can be especially useful if you have a PoE switch, and can use a PoE to MicroUSB adapter with Ethernet pass-through.

/etc/ser2net.conf:

5678:raw:0:/dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_$UUID-if00-port0:115200 NONE 1STOPBIT -XONXOFF NOBREAK

Home Assistant would then point at socket://x.x.x.x:5678 if using ZHA (Zigbee Home Automation) integration.

Network ACLs should be established to restrict access to ser2net to prevent abuse of the Zigbee controller.

DNS-based firewall rules on OpenWrt 22.03 using IP sets and fw4

I wanted to be able to use DNS-based firewall rules like on pfsense, opnsense and Sophos UTM for certain use cases. OpenWRT does not have this functionality built in. I came up with the following solution.

This allows you to list DNS names, for example in /etc/ipset-dns/dst_host_search_engines.list:

google.com
www.google.com
yahoo.com
www.yahoo.com
bing.com
www.bing.com

With a corresponding IP set entry in /etc/system/firewall:

config ipset
        option name 'dst_host_search_engines'
        option match 'dst_ip'
        option enabled '1'
        option timeout '0'

And an example firewall rule you could use with OpenWRT in /etc/config/firewall:

config rule
        option name 'Allow-Search-Engines'
        option family 'ipv4'
        list proto 'all'
        option ipset 'dst_host_search_engines'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'lan'

And the entirety of the script, which will query the hosts listed based on their IP address family, and set a timeout based on the TTL of the DNS entries.

/etc/ipset-dns.sh (don't forget to set executable bit):

#!/bin/sh

for filename in /etc/ipset-dns/*.list; do
        ipset=$(basename $filename | cut -d '.' -f1)
        stdout=$(nft list set inet fw4 $ipset 2>&1)
        if [ $? -gt 0 ]; then
                echo $stdout | sed 's/^Error/Warning/'
                continue
        fi

        nft_type=$(echo $stdout | grep -oE 'type \w+' | awk '{ print $2 }')
        type=
        if [[ "$nft_type" == "ipv4_addr" ]]; then
                type=A
        elif [[ "$nft_type" == "ipv6_addr" ]]; then
                type=AAAA
        else
                echo "Warning: invalid type $nft_type for $ipset"
                continue
        fi


        dig $type -f $filename +noall +answer | while read _ ttl _ _ ip; do
                ttl=$(( ttl + 500 ))
                nft add element inet fw4 $ipset { ${ip} timeout ${ttl}s };
        done
done

And the following crontab entry for the root user, in /etc/crontabs/root so that the script runs at boot and every 5 minutes (modify to suit, but make sure to update the 500 second addition on the TTL):

@reboot /etc/ipset-dns.sh
5 * * * * /etc/ipset-dns.sh

UEFI enabled libvirt virtual machines on Ubuntu

Required steps

  • Install the ovmf package
  • Restart libvirt-bin
  • Create /var/lib/libvirt/qemu/nvram to store NVRAM from a UEFI-enabled virtual machine (VM)

libvirt XML definition example for UEFI enabled VM

libvirt edit $VM_NAME and amend the XML definition.

  <os>
    <type arch='x86_64' machine='pc-q35-2.11'>hvm</type>
    <loader readonly='yes' secure='no' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
    <nvram template='/usr/share/OVMF/OVMF_VARS.fd'/>
    <boot dev='hd'/>
  </os>

MOES IR Control Tuya (SRW-001) flashing (ESPHome, etc)

The device MOES IR Control Hub, which uses Tuya ESP8266 is no longer vulnerable to the vulnerability that tuya-convert exploits. You will need to open the device to flash it.

They are currently shipped with an TYWE3S which is an ESP8266 (as of June, 2021). You can see the pin outs for the TYWE3S at the Tasmota site.

Use a thin utility knife to open, I would recommend starting at the USB port area. There are two tabs on either side, and a few spread throughout. Once you have the device open and have connections setup you are ready to flash.

How to flash?

  1. Tie GPI0 to GND to start flash mode (when RST or power on the device, you will know you are in flash mode because the blue status LED does not come on)
  2. RX, TX, GND to your USB TTL (remember RX and TX are reversed for the USB TTL side)
  3. GND on TYWE3S is connected to the same ground plane as the rest of the board (i.e. GND on your USB TTL)
  4. Then power up via MicroUSB
  5. Flash via esptool (rev 1ca08af instead of master due to Issue #635 in esptool)
  6. Unplug everything and power up normally, and configure ESPHome as you normally would.