MQTT Bridge Troubleshooting Guide (Starter, Pro, Business)

This guide covers the most common connection and data issues across all MQTT tiers, plus a few tier-specific checks. If youโ€™re using Mesh-Plug (WordPress) or Meshtastic, the โ€œMesh-Plug and Meshtasticโ€ sections will save you time.

Quick start; what you need to know

Most issues come down to one of these:

  • Wrong port (TLS vs WebSocket)
  • Wrong hostname (broker vs API endpoint)
  • Missing/incorrect username + password
  • Wrong topic root or duplicated root (example: msh/msh/...)
  • Client doesnโ€™t trust the CA certificate (TLS)
  • Youโ€™re connected, but publishing/subscribing to topics your account canโ€™t access (ACL/permissions)

1) Identify your tier and connection type

Connection types (most common)

A) MQTT over TLS (recommended for devices/servers)

  • Port: 8883
  • Used by: ESP32/ESP8266, Mosquitto CLI, Node apps, backend services

B) MQTT over WebSocket (recommended for browsers/WordPress dashboards)

  • Port: 9001 (commonly)
  • Used by: Mesh-Plug and browser-based dashboards

If your app is a web page (JavaScript in the browser), it must use WebSocket; browsers cannot speak raw MQTT/TLS directly.

2) โ€œIs the service up?โ€ checks (all tiers)

A. Basic network sanity

From a machine on the same network as your client:

  • Confirm DNS resolves:
    • ping <broker-hostname> (or nslookup <broker-hostname>)
  • Confirm ports are reachable:
    • If you have nc:
      • nc -vz <broker-hostname> 8883
      • nc -vz <broker-hostname> 9001

If ports are blocked, check:

  • Local firewall
  • Router outbound rules
  • Corporate network restrictions (often blocks 8883)

B. WebSocket reverse proxy sanity (for WordPress / browser)

If you use Nginx in front of MQTT WS:

  • A โ€œconnected but no dataโ€ symptom can be a proxy config issue
  • A 502 Bad Gateway usually means:
    • Nginx canโ€™t reach the upstream WebSocket listener; wrong upstream host/port; service down

3) Credentials and ACL issues (all tiers)

Symptoms

  • Connect fails immediately
  • Or connects, but publishes/subscribes silently fail
  • Logs show โ€œNot authorizedโ€ or โ€œACL deniedโ€

Fix

  • Verify you are using the exact username/password issued for that bridge
  • Confirm you did not include extra spaces when copying credentials
  • Confirm your client is subscribing/publishing to the allowed topic namespace for that bridge

Tip: ACL problems often look like โ€œnothing happensโ€ because some clients donโ€™t surface the rejection clearly.

4) TLS problems (Starter/Pro/Business)

Common TLS symptoms

  • โ€œcertificate verify failedโ€
  • โ€œunknown CAโ€
  • โ€œhandshake failureโ€
  • Works on one machine but not another

Fix checklist

  • Confirm youโ€™re on the TLS port (8883)
  • Use the system CA bundle where possible
  • If your client needs a CA file, use your OS CA store or the CA bundle path provided by your platform

Mosquitto CLI test (TLS):

mosquitto_pub -d \
  -h <broker-hostname> -p 8883 \
  --cafile /etc/ssl/certs/ca-certificates.crt \
  -u "<username>" -P "<password>" \
  -t "<allowed-topic>/hello" \
  -m "auth ok"

If this works, your credentials and TLS path are good; the problem is likely your original client config (topic root, WS vs TLS, or ACL namespace).

5) WebSocket problems (WordPress / Mesh-Plug)

Common WS symptoms

  • Dashboard shows โ€œConnectedโ€ but no nodes/data
  • White map; empty tables; headers visible
  • JavaScript console errors
  • Data appears only sometimes (intermittent)

Fix checklist

  • Confirm youโ€™re using the WebSocket port (often 9001)
  • Confirm the URL is wss://... (secure websocket) when your site is HTTPS
  • Confirm your reverse proxy supports WebSocket upgrade headers
  • Confirm your WordPress site is not blocking the websocket due to mixed content or CSP rules

Browser console check
Open DevTools โ†’ Console:

  • Look for WebSocket connection to ... failed
  • Look for 401/403 style errors (auth/ACL)
  • Look for JSON parse errors (bad payload format)

6) Topic root problems (very common; all tiers)

The classic symptom

You are connected, but you see no messages; or you see messages in one place but not another.

Whatโ€™s happening

Your publisher and subscriber are using different topic roots, or you accidentally duplicated the root.

Example of a duplication:

  • Expected: msh/2/json/...
  • Actual: msh/msh/2/json/...

Fix

  • Decide your single canonical root (example: msh)
  • Make sure:
    • Meshtastic MQTT settings use msh once
    • Mesh-Plug โ€œRoot topicโ€ uses msh once
    • Any bridge prefixes (if you use them) are consistent everywhere

Quick debug
Subscribe broad (temporarily) to see whatโ€™s actually arriving:

mosquitto_sub -d -h <broker-hostname> -p 8883 \
  --cafile /etc/ssl/certs/ca-certificates.crt \
  -u "<username>" -P "<password>" \
  -t "#"

Then refine back down after you confirm the real topic structure.

7) Mesh-Plug and Meshtastic specific troubleshooting

A) โ€œNodes list emptyโ€ but you see traffic elsewhere

  • Confirm Mesh-Plugโ€™s subscription topics include position and/or telemetry types your mesh is actually publishing
  • Confirm your Meshtastic device is configured to send:
    • Position updates
    • Telemetry (if you expect sensor readings)

B) โ€œChat not showingโ€

Chat visibility often depends on:

  • Correct topics for Meshtastic text payloads
  • Correct channel mapping
  • Whether your node is actually forwarding chat to MQTT (some setups forward only certain message types)

C) Map marker jumps/drifts

This is usually not โ€œdriftโ€; itโ€™s one of:

  • Node reporting stale coordinates
  • Position derived from last known fix; poor GPS lock
  • Mixed node identity; youโ€™re seeing a relayed nodeโ€™s last fix
  • Time/clock skew causing the โ€œlatestโ€ position logic to pick the wrong record

Fix checklist

  • Ensure the node has a GPS module and reliable satellite lock
  • Ensure the node is configured to publish position periodically
  • Confirm Mesh-Plug uses message timestamps consistently (device time vs broker receive time)

D) macOS Meshtastic app quirk (important)

In some macOS client setups, the Meshtastic app may not emit NodeInfo packets over MQTT reliably. If Mesh-Plug depends on NodeInfo for names/metadata, you can see โ€œID but no nameโ€ behavior.

Workaround

  • In Mesh-Plug settings, manually set the Gateway Hex (if your setup uses it) so identification and association work even when NodeInfo packets are missing.

8) Tier-specific troubleshooting

Starter tier (typical issues)

Starter plans usually have simpler limits; common pain points:

  • Hitting connection/session limits (too many reconnecting clients)
  • Using a browser dashboard plus a device plus a phone; exceeds expected concurrency
  • Publishing outside allowed namespace

If you suspect limits

  • Disconnect all but one client
  • Test with Mosquitto CLI publish/subscribe
  • Then add clients back one at a time

Pro tier (typical issues)

Pro often adds features like multiple clients, expanded ACL, or more throughput.
Common pain points:

  • Multiple topic namespaces; one client publishes to the wrong namespace
  • Retained messages or โ€œlast willโ€ behavior confusing dashboards

Fix

  • Standardize a single topic convention per deployment
  • Clear retained messages if youโ€™re seeing โ€œghostโ€ data:
    • Publish empty retained payload to the retained topic (implementation varies)

Business tier (typical issues)

Business setups commonly involve:

  • Multiple bridges/environments (staging vs production)
  • Multiple sites consuming the same broker
  • Webhook/automation integrations

Common pain points:

  • Using staging credentials against production broker (or vice versa)
  • Integrations expecting QoS/retained behavior that isnโ€™t configured consistently
  • De-provisioning events on cancel/suspend not reflected immediately in client apps (they keep retrying with old creds)

Fix

  • Label credentials clearly (ENV + Bridge ID)
  • Rotate credentials if thereโ€™s any doubt which set is active
  • After cancellation/suspension, remove creds from devices; reboot device to stop reconnect storms

9) Common error messages and what they mean

  • โ€œConnection refusedโ€
    • Wrong host/port; service down; firewall block
  • โ€œNot authorizedโ€ / โ€œACL deniedโ€
    • Wrong username/password; topic not permitted
  • โ€œcertificate verify failedโ€
    • CA trust issue; incorrect TLS settings; MITM proxy on network
  • Browser shows โ€œWebSocket closedโ€
    • Wrong WS URL; proxy doesnโ€™t support upgrade; auth rejected; mixed content

11) Recomended โ€œgolden pathโ€ test sequence

Use this sequence to isolate issues fast:

Add additional clients one-by-one โ†’ confirms youโ€™re not hitting tier limits

Test TLS publish with Mosquitto CLI โ†’ confirms credentials + TLS + basic ACL

Test TLS subscribe to the exact namespace you expect โ†’ confirms messages exist

Test WS dashboard (Mesh-Plug) โ†’ confirms proxy + browser path works

Verify topic root is not duplicated โ†’ confirms consistent routing