Configure mixed VLANs on a Zyxel xgs1250-12 managed switch

Hi All,

I recently picked up a Zyxel xgs1250-12 and had hoped to use it via OpenWRT as a managed L2 switch. I did manage to get the firmware installed properly and was able to log onto both the WebUI and SSH to attempt to configure the switch; however, I couldn't seem to figure out how to configure VLANs quite the way I need them.

Unfortunately, I spent more time testing this than I probably should have, and so re-flashed the stock firmware so I could at least deploy the switch as I need it to progress the larger infra upgrade I'm undertaking in my home lab.

I tested configs similar to the one below on the following versions:
openwrt-realtek-rtl930x-zyxel_xgs1250-12-squashfs-sysupgrade : snapshot
openwrt-22.03.3-realtek-rtl930x-zyxel_xgs1250-12-squashfs-sysupgrade : old stable
openwrt-22.03.5-realtek-rtl930x-zyxel_xgs1250-12-squashfs-sysupgrade : old stable
openwrt-23.05.0-rc4-realtek-rtl930x-zyxel_xgs1250-12-squashfs-sysupgrade : release candidate

I did get them working to some degree, though with mixed results.

VLAN1 untagged ports: 1, 2
VLAN1 tagged ports: 8, 9, 10, 11

VLAN2 untagged ports: 3, 4
VLAN2 tagged ports: 8, 9, 10, 11

VLAN3 untagged ports: 5, 6
VLAN3 tagged ports: 8, 9, 10, 11

Symptoms and notes:
1: Only in the older version I tested, 22.03.3, was I able to leverage the WebUI to properly configure the VLANs to pass any traffic between clients.

2: I then leveraged the base config generated via the 22.03.3 WebUI and, after reading the DSA mini tutorial, tried to modify it slightly by hand.

3: When cabled to the tagged ports with static IPs set on clients I was able to ping between clients.

4: Similarly when cabled to the tagged ports with static IPs set on 802.1q tagged interfaces I was able to ping between clients.

5: If I mixed and matched cabling one client to an untagged port and the other to a tagged port I was unable to ping between clients.

6: I found that iperf worked fine on the untagged interfaces, but on the tagged ports it sent only a couple hundred kB very briefly, then nothing more.

I pulled a few backups during my course of testing, so I do have the network, firewall, and other relevant configs; however, unless I get some real down time, or someone is pretty confident they can point out my blunder, I likely won't be able to justify taking down the network to re-flash OpenWRT to test what was going wrong here. I do plan to pick up a second one of these switches at some point in the near future, however, so I would be willing to test on the new one prior to deploying it. As such, I really would appreciate any input, as I would love to have a more trustworthy OS running on my switching infra.

network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED::/48'
	option packet_steering '1'

config device 'switch'
	option name 'switch'
	option type 'bridge'
	option macaddr 'REDACTED'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	list ports 'lan6'
	list ports 'lan7'
	list ports 'lan8'
	list ports 'lan9'
	list ports 'lan10'
	list ports 'lan11'
	list ports 'lan12'
	option mtu '1518'

config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan8:t'
	list ports 'lan9:t'
	list ports 'lan10:t'
	list ports 'lan11:t'

config bridge-vlan
	option device 'switch'
	option vlan '2'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan8:t'
	list ports 'lan9:t'
	list ports 'lan10:t'
	list ports 'lan11:t'

config bridge-vlan
	option device 'switch'
	option vlan '3'
	list ports 'lan5:u*'
	list ports 'lan6:u*'
	list ports 'lan8:t'
	list ports 'lan9:t'
	list ports 'lan10:t'
	list ports 'lan11:t'

config device
	option name 'switch.1'
	option type '8021q'
	option ifname 'switch'
	option vid '1'
	option ipv6 '0'

config device
	option name 'switch.2'
	option type '8021q'
	option ifname 'switch'
	option vid '2'
	option ipv6 '0'

config device
	option name 'switch.3'
	option type '8021q'
	option ifname 'switch'
	option vid '3'
	option ipv6 '0'

config interface 'vlan1'
	option proto 'none'
	option device 'switch.1'
	option force_link '1'

config interface 'vlan2'
	option device 'switch.2'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option force_link '1'

config interface 'vlan3'
	option proto 'none'
	option device 'switch.3'
	option force_link '1'

config device
	option name 'eth0'
	option mtu '1518'

firewall:

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vlan2'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Also, and please bear in mind I'm not trying to be rude in any way here: if my 2 cents is worth anything and any devs are looking at this, a more dumbed-down "simple" VLAN wizard would be fantastic for these switch devices. My guess is that, like me, many people are just after an L2+ switch and only need basics like tagged VLANs, maybe some IGMP snooping, and a bit more debug tooling. If a wizard could handle the simple basics, then deep-diving into documentation to configure specialized setups would be fine.

After reading the forums I know I'm not the first and would bet 5 whole dollars I won't be the last grug brained "sysadmin" to stumble here.
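A practical check for a layout like the one above is to compare what the bridge-vlan config is meant to produce with what the kernel actually reports via `bridge vlan show`. The script below is an added example, not code from the original post or from OpenWrt; the `bridge vlan show` text is a constructed sample mirroring the VLAN 1/2 part of the config, with lan4 deliberately missing its PVID so the mismatch report has something to show.

```shell
# Added example (not from the original post): compare the membership a
# bridge-vlan config should produce with what `bridge vlan show` reports.
# Spec notation follows UCI: "port:flags vid", u* = untagged + PVID, t = tagged.
EXPECTED='lan1:u* 1
lan2:u* 1
lan8:t 1
lan9:t 1
lan3:u* 2
lan4:u* 2
lan8:t 2
lan9:t 2'

# Constructed sample of `bridge vlan show`; lan4 is deliberately wrong: it is
# in VLAN 2 but lost its PVID/untagged flags. On a real switch, feed the live
# output instead: check_vlans "$EXPECTED" "$(bridge vlan show)"
SAMPLE='port              vlan-id
lan1              1 PVID Egress Untagged
lan2              1 PVID Egress Untagged
lan3              2 PVID Egress Untagged
lan4              2
lan8              1
                  2
lan9              1
                  2
switch            1 PVID Egress Untagged'
# stdin: `bridge vlan show` text; stdout: "port vid flags", carrying the port
# name over continuation lines that omit it.
normalize_actual() {
    awk 'NR == 1 { next }
         { if ($0 ~ /^[a-z]/) { port = $1; vid = $2 } else { vid = $1 }
           flags = index($0, "Untagged") ? "u" : "t"
           if (index($0, "PVID")) flags = flags "*"
           print port, vid, flags }'
}

# check_vlans SPEC SHOW_OUTPUT: report mismatches in both directions; exit 0
# only when they agree. The bridge device's own entry ("switch") is ignored.
check_vlans() {
    expected=$(printf '%s\n' "$1" | awk -F'[: ]' '{ print $1, $3, $2 }')
    actual=$(printf '%s\n' "$2" | normalize_actual | grep -v '^switch ')
    report=$(
        printf '%s\n' "$expected" | while read -r port vid flags; do
            printf '%s\n' "$actual" | grep -Fqx "$port $vid $flags" \
                || echo "MISSING    $port vid $vid ($flags)"
        done
        printf '%s\n' "$actual" | while read -r port vid flags; do
            printf '%s\n' "$expected" | grep -Fqx "$port $vid $flags" \
                || echo "UNEXPECTED $port vid $vid ($flags)"
        done
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}
```

Running `check_vlans "$EXPECTED" "$SAMPLE"` prints a MISSING line for lan4's intended `u*` membership and an UNEXPECTED line for the plain tagged membership it actually has, which is exactly the kind of PVID drift that would turn untagged client traffic into a dead end.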

Nothing useful to add except a corroborating report. I observe exactly the same behaviour with untagged/pvid port traffic.

I have the firewall disabled.

With tcpdump:

  • I can see tagged broadcast traffic on the incoming lan port, the bridge and then the outgoing lan port (and then also on the connected device).

  • I can see untagged broadcast traffic on the lan port, the same traffic, now tagged with the port's PVID, on the bridge device and then... nothing.

I'm not an expert, but I've been doing a bunch of reading and this does not seem to be the expected behaviour. I've used exactly the same config on another device and verified the settings on the bridge devices on each using the cli tools.

On the other device it all works as expected; it just seems to be the xgs.

This PR may be worth looking at/keeping an eye on:

Especially since it claims to be fixing VLAN behaviour.
