Could someone provide the firmware version and config file for a working ZyXEL XGS1250-12?

I installed openWRT on my ZyXEL XGS1250-12 switch and now I can only interact with the switch using Serial connection (earlier post with more info). I initially installed OpenWrt version 23.05.5, and when that did not work I tried installing 22.03.7, which also did not fix the issue I'm encountering. It looks to me like my experience is similar to the one described in this issue.

Since I would like to have the switch working with OpenWrt, I'm hoping someone with a working ZyXEL XGS1250-12 can post their firmware version and /etc/config/network contents.

Thanks for reading!

What firmware is currently installed?

Since you've got a serial connection, let's see the following:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Firmware version 22.03.7.

From ubus call system board:

{
 "kernel": "6.6.74",
 "hostname": "OpenWrt",
 "system": "RTL9302B",
 "model": "Zyxel XGS1250-12 Switch",
 "board_name": "zyxel,xgs1250-12",
 "rootfs_type": "squashfs",
 "release": {
  "distribution": "OpenWrt",
  "version": "SNAPSHOT",
  "revision": "r28724-807074309d",
  "target": "realtek/rtl930x",
  "description": "OpenWrt SNAPSHOT r28724-807074309d",
  "builddate": "1738094344"
 }
}

From cat /etc/config/network:

config interface 'loopback'
 option device 'lo'
 option proto 'static'
 option ipaddr '127.0.0.1'
 option netmask '255.0.0.0'

config globals 'globals'
 option ula_prefix 'fd10:219e0021:be0600be::/48'

config device 'switch'
 option name 'switch'
 option type 'bridge'
 option macaddr REDACTED

config bridge-vlan 'lan_vlan'
 option device 'switch'
 option vlan '1'
 option ports 'lan1 lan2 lan3 lan4 lan5 lan6 lan7 lan8 lan12'

config device
 option name 'switch.1'
 option macaddr REDACTED

config interface 'lan'
 option device 'switch.1'
 option proto 'static'
 option ipaddr '192.168.1.1'
 option netmask '255.255.255.0'
 option ip6assign '60'

The /etc/config/dhcp file does not exist

From cat /etc/config/firewall:

config defaults
 option syn_flood 1
 option input  REJECT
 option output  ACCEPT
 option forward  REJECT

config zone
 option name  lan
 list   network  'lan'
 option input  ACCEPT
 option output  ACCEPT
 option forward  ACCEPT

config zone
 option name  wan
 list   network  'wan'
 list   network  'wan6'
 option input  REJECT
 option output  ACCEPT
 option forward  REJECT
 option masq  1
 option mtu_fix  1

config forwarding
 option src  lan
 option dest  wan

config rule
 option name  Allow-DHCP-Renew
 option src  wan
 option proto  udp
 option dest_port 68
 option target  ACCEPT
 option family  ipv4

config rule
 option name  Allow-Ping
 option src  wan
 option proto  icmp
 option icmp_type echo-request
 option family  ipv4
 option target  ACCEPT

config rule
 option name  Allow-IGMP
 option src  wan
 option proto  igmp
 option family  ipv4
 option target  ACCEPT

config rule
 option name  Allow-DHCPv6
 option src  wan
 option proto  udp
 option dest_port 546
 option family  ipv6
 option target  ACCEPT

config rule
 option name  Allow-MLD
 option src  wan
 option proto  icmp
 option src_ip  fe80::/10
 list icmp_type  '130/0'
 list icmp_type  '131/0'
 list icmp_type  '132/0'
 list icmp_type  '143/0'
 option family  ipv6
 option target  ACCEPT

config rule
 option name  Allow-ICMPv6-Input
 option src  wan
 option proto icmp
 list icmp_type  echo-request
 list icmp_type  echo-reply
 list icmp_type  destination-unreachable
 list icmp_type  packet-too-big
 list icmp_type  time-exceeded
 list icmp_type  bad-header
 list icmp_type  unknown-header-type
 list icmp_type  router-solicitation
 list icmp_type  neighbour-solicitation
 list icmp_type  router-advertisement
 list icmp_type  neighbour-advertisement
 option limit  1000/sec
 option family  ipv6
 option target  ACCEPT

config rule
 option name  Allow-ICMPv6-Forward
 option src  wan
 option dest  *
 option proto  icmp
 list icmp_type  echo-request
 list icmp_type  echo-reply
 list icmp_type  destination-unreachable
 list icmp_type  packet-too-big
 list icmp_type  time-exceeded
 list icmp_type  bad-header
 list icmp_type  unknown-header-type
 option limit  1000/sec
 option family  ipv6
 option target  ACCEPT

config rule
 option name  Allow-IPSec-ESP
 option src  wan
 option dest  lan
 option proto  esp
 option target  ACCEPT

config rule
 option name  Allow-ISAKMP
 option src  wan
 option dest  lan
 option dest_port 500
 option proto  udp
 option target  ACCEPT

Note: I've tried to turn the firewall off by running /etc/init.d/firewall stop
Also, I can't ssh or interact with the web interface. As far as I can tell, none of the Ethernet ports are working.

ok... try making a single connection between the switch and your computer. Make sure there are no other connections at all, including wifi,

Set your computer to a static IP of 192.168.1.3 with subnet mask 255.255.255.0.

Then, see if you can ping 192.168.1.1.

If that doesn't work.... try editing the network config file... specifically:

Delete these two stanzas:

And replace them with these:

config device 'switch'
  option name 'switch'
  option type 'bridge'
  option macaddr REDACTED
  list ports 'lan1'
  list ports 'lan2'
  list ports 'lan3'
  list ports 'lan4'
  list ports 'lan5'
  list ports 'lan6'
  list ports 'lan7'
  list ports 'lan8'
  list ports 'lan12'

config bridge-vlan
  options device 'switch'
  option vlan '1'
  list ports 'lan1:u*'
  list ports 'lan2:u*'
  list ports 'lan3:u*'
  list ports 'lan4:u*'
  list ports 'lan5:u*'
  list ports 'lan6:u*'
  list ports 'lan7:u*'
  list ports 'lan8:u*'
  list ports 'lan12:u*'

Then reboot the switch and try again (same procedure as my previous comment -- static IP on your computer, ping the switch).

If you can ping, ssh should work. I would not expect to see the LuCI web interface, though, because you've got a snapshot installed.

By the way, this is not correct. You have a more recent snapshot instead.

I connected a computer with no other network connections to the switch, and gave that computer and IP of 192.168.1.3.

I found I could not ping the switch, ping 192.168.1.1 gave me this output:

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
From 192.168.1.3 icmp_seq=1 Destination Host Unreachable
From 192.168.1.3 icmp_seq=2 Destination Host Unreachable
From 192.168.1.3 icmp_seq=3 Destination Host Unreachable

I change the network config file contents to:

config interface 'loopback'
 option device 'lo'
 option proto 'static'
 option ipaddr '127.0.0.1'
 option netmask '255.0.0.0'

config globals 'globals'
 option ula_prefix 'fd10:219e0021:be0600be::/48'

config device 'switch'
  option name 'switch'
  option type 'bridge'
  option macaddr REDACTED
  list ports 'lan1'
  list ports 'lan2'
  list ports 'lan3'
  list ports 'lan4'
  list ports 'lan5'
  list ports 'lan6'
  list ports 'lan7'
  list ports 'lan8'
  list ports 'lan12'

config bridge-vlan
  options device 'switch'
  option vlan '1'
  list ports 'lan1:u*'
  list ports 'lan2:u*'
  list ports 'lan3:u*'
  list ports 'lan4:u*'
  list ports 'lan5:u*'
  list ports 'lan6:u*'
  list ports 'lan7:u*'
  list ports 'lan8:u*'
  list ports 'lan12:u*'

config device
 option name 'switch.1'
 option macaddr REDACTED

config interface 'lan'
 option device 'switch.1'
 option proto 'static'
 option ipaddr '192.168.1.1'
 option netmask '255.255.255.0'
 option ip6assign '60'

and then rebooted, but I found I also did not get a response when I tired ping 192.168.1.1

Also, thank you for pointing out that I did not have the firmware version I thought I had. I must have transferred the wrong file when downgrading. Should I try your suggestions again, but with different firmware installed?

Yes. Try either 24.10.0 (just released) or 23.05.5.

Okay, I downloaded 24.10.0 and I'm transferring if to the switch using the Serial connection. I expect the transfer won't be complete until tomorrow.

The 24.10.0 image I installed did not allow me to ping the switch with either configuration network file. On the download page, installed the "Kernel" image, should I be installing the "Snapshot" image instead?

Did you tried sah access with IPv6 Link local addresses?
On a first glimpse the config looks valid so far.

On the switch, I tried ping6 to see if I could ping the connected computer using the computer's IPv6 address, but the computer did not ping back.

I can't tell what the switch's IPv6 address is, and I have not tried to find it or ssh into the switch using its IPv6 address. Can you tell me how to find the switch's IPv6 address?

Out of curiosity, have you tried simply passing traffic through the switch? This doesn't solve anything, but I am curious if the switch operates as a switch should. So if you plug your upstream router into this switch, does your computer get an IP and then access as expected to the internet (not the switch, though).

Obviously, if you run this test, make sure that the switch doesn't have the same IP as your router or anything else on your network... even though it's not responding properly, no need to introduce a potential source of issues.

Ping from your PC/laptop ping ff02::1%interface, like eth0 or eno1 or which ever interface you use.

One response is from you, the other one from the router. You can use this link local address with the interface identifier to connect via ssh.

I do wonder why the wiki entry does not mention the failsafe anymore.

@hobowrt To recover (to stock firmware or another OpenWrt version if you'd like), do this over serial:

# dd if=/dev/zero of=/dev/mtd5 bs=1M count=2

Reboot, and you'll get a web recovery on http://192.168.1.3 allowing you to flash a firmware image.

I have some old image that I think it's working (with some manual patches taken from githubs), I had one fully working, even the SPF+ cages, but spanning tree was not working correctly, I was missing an entry in the driver, then I tried something new and I it didn't work anymore, then I didn't had time to bisect what commit was the culprit and now I just reverted to original firmware, I can share you the image if you want, but I can't vouch it's the fully functional one as I made the dumb mistake to overwrite the one I know as working.

Ping from your PC/laptop ping ff02::1%interface, like eth0 or eno1 or which ever interface you use.
One response is from you, the other one from the router. You can use this link local address with the interface identifier to connect via ssh.

Thanks, I didn't know the syntax you shared. When I tried your command using my computers Ethernet interface, there was only one response. The one response was my computer's IPv6 address.

Following up with @Borromini, I don't know what is on /dev/mtd5, but the idea of overwriting storage with random info seems a little scary. I have a copy of the stock firmware, is there a reason I could not install the stock firmware by transfering the firmware over the serial connection and installing with sysupgrade?

I can share you the image if you want, but I can't vouch it's the fully functional one as I made the dumb mistake to overwrite the one I know as working.

Yeah, @lucize, if you can point me to a firmware version that sort of works, any network connectivity is still an improvement.

Yeah @psherman, I have tried this. I find that if I connect the switch to my WAN connection or to the rest of the network, no computer connected to the switch can connect to the internet or to other computers on my network.

To test for internet connectivity I pinged a DNS server with ping 4.2.2.1, and to test for connectivity within my network, I tried ping but with another computers IP.

@hobowrt Highlighting doesn't work if you leave a space between the @ sign and the nickname.

Mtd5 is your kernel or rootfs. If the bootloader does not find a bootable kernel, it starts the web recovery.

please see abut this https://drive.google.com/file/d/1-1h1Q-LhbSqghNYAKDVj1t1y-01Vt4YR/view?usp=sharing