DocumentationBack to app →
All guides

Other

Site router swap runbook (Pi + Shelly on same Wi‑Fi)

Use when replacing the on-site travel router (e.g. TP‑Link) with a new unit (e.g. GL.iNet Mango) while the gate Pi and Shelly relay both join that router over Wi‑Fi.

Tye Gym reference: Pi hostname / Tailscale tyegym-gate-001; config in gitignored access-engine/device.env, pushed with repo-root deploy.sh. Record reserved IPs and router notes in Platform → Organization settings → Gate deployment config (YAML/JSON, platform admin only).

How the stack is wired

PieceConfigurationAfter router swap
Pi → clouddevice.envdeploy.sh writes access-engine/.env on the PiUnaffected if Pi gets internet (Tailscale + HTTPS).
Pi → ShellySHELLY_IP (preferred) or SHELLY_HOST in device.envMust match Shelly’s new LAN IP if DHCP subnet or lease changes.
Shelly → routerManual (Shelly app / AP setup / web UI)Re-join Wi‑Fi if SSID/password or band changes.
Pi → routerOS Wi‑Fi (not in deploy.sh)Re-join Wi‑Fi if SSID/password changes.

The Pi does not discover Shelly automatically — it uses the IP baked into .env. A router swap often changes Shelly’s IP even when both devices “connect fine.”

Design rule (do this on every site)

On the new router, before cutover:

  1. Pick a stable LAN subnet (e.g. 192.168.8.0/24 on Mango — note Mango’s default may differ from TP‑Link’s 192.168.0.x / 192.168.1.x).
  2. Capture both Wi‑Fi MAC addresses (Pi + Shelly) while still on the old router — see Capture MAC addresses below. Without MACs you cannot reliably pre-configure GL.iNet (or any router) DHCP reservations.
  3. Add DHCP reservations (static leases) on the Mango before cutover:
    • pi.wifi_macpi.lan_ip (e.g. 192.168.8.10)
    • shelly.macshelly.lan_ip (e.g. 192.168.8.20)
  4. Save MACs, reserved IPs, and router model in Organization settings → Gate deployment config (YAML) so the next swap does not depend on memory.
  5. Put shelly.lan_ip in access-engine/device.env as SHELLY_IP=… and redeploy before or immediately after cutover.

Optional but reduces on-site work: use the same SSID and WPA password on the Mango as the old TP‑Link so Pi and Shelly reconnect without re-provisioning — still set static leases and verify SHELLY_IP.

Capture MAC addresses (Pi + Shelly)

Why: GL.iNet (and most travel routers) bind a fixed LAN IP to a client MAC. If you only note “Shelly was 192.168.1.100” on the old router, the new router may hand out a different IP after swap and the Pi’s SHELLY_IP will be wrong.

Record MACs in lowercase with colons (e.g. dc:a6:32:ab:cd:ef) — GL.iNet accepts this format in Clients → … → Bind IP or Network → DHCP → Static DHCP.

DeviceWhere to read MACCommand / UI
Pi (Wi‑Fi)wlan0 hardware addressSSH: ip link show wlan0 → line link/ether …
Pi (Ethernet)Only if the gate uses eth0 instead of Wi‑Fiip link show eth0
ShellyWi‑Fi station MAC on the relayShelly app → device → Network / Device info; or old router DHCP client list (hostname often shelly…)
Cross-checkOld TP‑Link adminConnected devices / DHCP leases — match by hostname (tyegym-gate-001, shelly…) or current IP

Pi example (Tailscale SSH):

ssh porta@tyegym-gate-001 'ip link show wlan0 | awk "/link\\/ether/ {print \$2}"'

Paste into org deployment config (platform admin):

pi:
  wifi_mac: dc:a6:32:aa:bb:cc
  lan_ip: 192.168.8.10
shelly:
  mac: c4:5b:be:xx:yy:zz
  lan_ip: 192.168.8.20

Pre-configure GL.iNet Mango (before power-off of old router)

With MACs and target IPs from above:

  1. Admin UI → NetworkLAN — set subnet (e.g. 192.168.8.1/24) and DHCP range.
  2. NetworkDHCP (or Clients → select device → Bind IP / “Static address”):
    • Add lease: Pi wifi_macpi.lan_ip
    • Add lease: Shelly macshelly.lan_ip
  3. Wireless — create/clone 2.4 GHz SSID (Shelly usually needs 2.4 GHz; Pi can use the same SSID).
  4. Firewall / guest Wi‑Fi — disable AP isolation / client isolation on the gate SSID.
  5. Export or screenshot the reservation table and store with the deployment config YAML.

After cutover, both devices should pull the same IPs they were assigned in step 2 without retyping SHELLY_IP (still verify with ping + test_shelly_connection.py).

Phase 0 — Baseline (on old router, from laptop)

Record in the fleet / deployment notes (fleet-checkin-device-registry.md):

FieldWhere to get it
Router model / admin URL / passwordLabel / client
Wi‑Fi SSID, password, band (2.4 vs 5)TP‑Link admin; Shelly is usually 2.4 GHz only
LAN subnet & DHCP rangeRouter LAN settings
Pi Wi‑Fi MAC (required for GL.iNet reservation)ssh porta@tyegym-gate-001ip link show wlan0 (link/ether)
Pi current LAN IPip -4 addr show wlan0
Shelly Wi‑Fi MAC (required for GL.iNet reservation)Shelly app → device → network; or old router DHCP client list
Shelly current LAN IPShelly app or DHCP list
SHELLY_IP in local device.envYour laptop copy (must equal Shelly’s real IP)
SHELLY_API, SHELLY_USER, SHELLY_PASSWORDdevice.env
Tailscale statustailscale status on Pi — confirm node online
Smoke testFrom Pi: cd …/access-engine && ./venv/bin/python test_shelly_connection.py

If test_shelly_connection.py fails before the swap, fix Shelly/network first.

Phase 1 — Prepare Mango (bench or on-site, old router still running)

  1. Flash/update Mango firmware if needed.
  2. LAN: Set subnet and DHCP range; enable DHCP reservation for Pi + Shelly MACs (from Phase 0).
  3. Wi‑Fi: Either:
    • A — Same SSID/password as TP‑Link (fastest reconnect), or
    • B — New SSID/password (plan time to reconfigure Pi Wi‑Fi + Shelly manually).
  4. 2.4 GHz: Ensure a 2.4 GHz AP exists (Shelly Mini / Plus often won’t stay on 5 GHz-only).
  5. WAN: Plug uplink (gym internet / modem). Confirm Mango gets internet (ping 1.1.1.1 from admin UI).
  6. Disable client isolation / “AP isolation” if enabled (Pi must reach Shelly on LAN).
  7. Do not power off the TP‑Link until Phase 3 — keep it as rollback.

Phase 2 — Update device.env (laptop, before cutover if IPs are pre-planned)

# access-engine/device.env (local, gitignored)
SHELLY_IP=192.168.8.20          # reserved Shelly IP on Mango
# SHELLY_API=rpc                # Mini Gen3 / Plus — if already in use, keep unchanged
# SHELLY_USER=admin
# SHELLY_PASSWORD=...

If you are keeping the same Shelly IP on the same subnet and only swapping router hardware with cloned settings, you may skip changing SHELLY_IP — but verify the Shelly lease after swap anyway.

Phase 3 — Cutover (target ~30–45 min)

Order matters: router first, then confirm LAN, then Shelly, then Pi config deploy.

  1. Power off TP‑Link; power on Mango; wait for Wi‑Fi + DHCP stable.
  2. Shelly
    • If same SSID/password: wait 2–5 min; check Shelly app — online?
    • If offline or new SSID: Shelly AP mode → join new Wi‑Fi (manual, same as original install).
    • Confirm Shelly has the reserved IP (app or Mango DHCP list).
  3. Pi
    • If same SSID/password: Pi should reconnect; confirm via Tailscale (ping tyegym-gate-001 or SSH).
    • If new SSID: attach keyboard/monitor or pre-stage wpa_supplicant / raspi-config / DietPi Wi‑Fi — not handled by deploy.sh.
  4. From Pi (SSH via Tailscale): 
    ip -4 addr show wlan0
ping -c 2 <SHELLY_IP>
cd ~/member-access-os/access-engine   # or your deploy path
./venv/bin/python test_shelly_connection.py
  5. From laptop (updates .env on Pi from device.env): 
    PI_USER=porta PI_HOST=tyegym-gate-001 ./deploy.sh access-engine/device.env
  6. Restart & watch: 
    ssh porta@tyegym-gate-001 'sudo systemctl restart member-access && sudo journalctl -u member-access -n 50 --no-pager'
  7. Physical test: authorized tag/wallet tap → strike clicks; denied tap → no strike.
  8. Portal: Gate activity / heartbeat still updating for the facility access point.

Phase 4 — Rollback

If Shelly or Pi cannot join Mango within the visit window:

  1. Power off Mango; power on TP‑Link.
  2. Wait for Pi + Shelly to reconnect to old Wi‑Fi.
  3. If you already deployed new SHELLY_IP, either redeploy old device.env or restore previous SHELLY_IP and run deploy.sh again.

Keep the TP‑Link in the kit until one full business day passes with no gate faults.

Verification checklist

#CheckPass
1Mango has internet on WAN
2Pi online on Tailscale
3Pi wlan0 has expected IP
4Shelly online in Shelly app at reserved IP
5ping Shelly from Pi
6test_shelly_connection.py → HTTP 200
7Live tap grants access + strike
8Live deny does not strike
9device.env SHELLY_IP matches Shelly LAN IP
10Pi + Shelly MACs recorded in org Gate deployment config
11GL.iNet DHCP reservations match those MACs → expected IPs
12Deployment log updated (router model, date, IPs, MACs)

Common failures

SymptomLikely causeFix
Tap grants in logs, door silentWrong SHELLY_IP or SHELLY_APIFix device.env, redeploy; test with test_shelly_connection.py
Pi online, Shelly offlineShelly on wrong SSID / 5 GHz only / wrong passwordManual Shelly Wi‑Fi setup
Nothing on TailscalePi Wi‑Fi not joined or Mango has no WANFix Pi Wi‑Fi or Mango uplink first
Shelly works from app, Pi cannot pingAP/client isolation or different VLANDisable isolation; same LAN for both
Worked on TP‑Link, broke on MangoSubnet changed (192.168.1.x192.168.8.x)Update SHELLY_IP + reservations