Kitz ADSL Broadband Information

Topic: Zyxel VMG8924 / VMG8324 - How To configure Isolated local VLANs

Iam_TJ


I've had Zyxel VMG8324-B10A and VMG8924-B10A devices since 2013. As well as hacking on their software I also use one as my primary VDSL gateway on the end of an approximately 1.95km copper line from the nearest OpenReach cabinet. The original BT-supplied VDSL modem (HG612 I think) could only sync for incoming (downstream) at around 7Mbps. These Zyxels sync above 10Mbps. At these distances every little helps! However, I digress.

Starting with the first firmware version I was able to configure and operate 2 separate internal VLANs - the default and a management VLAN (id 99). I configured the WAN Ethernet port as a 5th LAN port, added the VLAN id and tag, and configured a separate IP subnet via the LAN Setup page.

I upgraded the firmware pretty regularly as newer releases were published and the VLANs continued to work. Then, in late 2015, after upgrading to version 15 the device lost the separate VLAN ability. Despite extensive investigation I couldn't figure out what had changed but had other priorities and left it.

Until this past week when I upgraded the device to version 18 and was irked by still not having the separate VLAN function. I raised a support ticket with Zyxel (which they have escalated) and set about figuring out a solution.

The original loss of functionality when version 15 was released seems to have coincided with the moving of the LAN VLAN settings page from being a Home Networking tab, to being a separate sub-menu of the Network Setting menu. The user guides (V1.00 dated 2013 and V2.00 dated 2015) document this move but nothing else regarding VLAN settings.

Today I finally figured out why it failed and a (manual intervention) step to have it work once more  :fingers:

I'm documenting the steps here both for others and as an aide-memoire in case I forget!

Pre-requisites:

0. This assumes the VDSL interface is the active outgoing connection. If using ADSL, or Ethernet WAN, then you'll need to modify the steps below to use an unused WAN interface in the Interface Group.

  1. Enable moving the WAN Ethernet port to an additional LAN port. Network Setting > Home Networking > 5th Ethernet Port
  2. Ensure Network Setting > Broadband > Broadband has an ADSL interface defined and marked active (this creates an atm0.1 interface). If using ADSL then ensure the VDSL interface is defined and active (creates a ptm0.1 interface).
  3. Add a new Network Setting > Interface Group that includes the idle but active ADSL atm0.1 interface and add to it the 5th Ethernet port (listed as "eth4" under "Available LAN Interfaces"). Give the new group a name (e.g. "Management")
  4. Mark the 5th Ethernet port as part of a Network Setting > Vlan Group. Create a group (e.g. "Management"), set its 802.1q tag ID to "99", and mark "LAN5" as included. If necessary mark it for Tx Tagging (packets exiting the interface will have the tag ID added).
  5. Configure a new sub-net via Network Setting > Home Networking > LAN Setup by selecting the new Interface Group (e.g. "Management") from the drop-down list. Configure the settings for the group as desired. These are entirely separate from the existing default settings.
  6. At this point the separate VLAN subnet is completely configured. However, it still won't work. The reason is that there is no way via the web configuration to add the new VLAN interface (eth4.99) to the Interface Group's bridge interface (which should be br1). It only added the underlying eth4.
  7. To fix it you'll need to use a remote terminal via either SSH or Telnet to the device, so ssh supervisor@LAN-IP to connect to the command line interpreter
  8. Start a pure shell and use it to add the VLAN interface to the bridge and remove the underlying interface:
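Code:
> sh
# list the bridges and their current member interfaces
brctl show
# add the tagged VLAN interface to the new group's bridge
brctl addif br1 eth4.99
# remove the untagged underlying interface from that bridge
brctl delif br1 eth4
exit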
Note: if the device is rebooted you'll need to repeat this step as there's no way I've found so far to save this change so that it is applied at boot-time.

Now configure another device on the 5th Ethernet port (mine is connected to a 48-port switch) in the VLAN's sub-net, ensure that device can already ping other devices in the VLAN, then try pinging the IP address of the router (e.g. ping 10.254.0.254 in my case).

You can apply this solution to use another Ethernet port; it doesn't require using the 5th Ethernet port, but I use it because it is already logically and colour-code separated from the other LAN ports.
« Last Edit: August 04, 2017, 10:32:31 PM by Iam_TJ »

burakkucat

Re: Zyxel VMG8924 / VMG8324 - How To configure Isolated local VLANs
« Reply #1 on: August 03, 2017, 04:01:17 PM »

Thank you for documenting those details.  :)

Iam_TJ

Re: Zyxel VMG8924 / VMG8324 - How To configure Isolated local VLANs
« Reply #2 on: September 08, 2017, 10:51:40 AM »

I've finally had a response from Zyxel on this and it turns out there is a way to configure a VLAN using the web interface that will be saved in the configuration. It's obscure and not entirely obvious it will be the result of the steps but it is simple to do.
  1. Enable moving the WAN Ethernet port to an additional LAN port. Network Setting > Home Networking > 5th Ethernet Port.

  2. Ensure Network Setting > Broadband > Broadband has an ADSL interface defined and marked active (this creates an atm0.1 interface). If using ADSL then ensure the VDSL interface is defined and active (creates a ptm0.1 interface).

  3. Mark the 5th Ethernet port as part of a Network Setting > Vlan Group. Create a group (e.g. "Management"), set its 802.1q tag ID to "99", and mark "LAN5" as included. If necessary mark it for Tx Tagging (packets exiting the interface will have the tag ID added).

  4. Add a new Network Setting > Interface Group

    • Give the new group a name (e.g. "Management").
    • Include the idle but active ADSL atm0.1 interface.
    • Under the Automatically Add Clients With the following DHCP Vendor IDs section press the Add button.
    • In the dialog choose the radio-button item VLAN Group.
    • In the associated drop-down selection box choose the appropriate VLAN name defined in step 3 above. Press the Apply button.
    • Press the Apply button on the Interface Group page.
      I find with firmware v18 the web interface spins and never returns at this point but refreshing the page recovers.

  5. Configure a new sub-net via Network Setting > Home Networking > LAN Setup by selecting the new Interface Group (e.g. "Management") from the drop-down list. Configure the settings for the group as desired. These are entirely separate from the existing default settings.

  6. At this point the separate VLAN subnet is completely configured. The result is that the default VLAN (0) (on bridge br0) has interface eth4.0 and the new VLAN on bridge br1 has interface eth4.99.
Code:
~ # brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.28285d077608       no              eth0.0
                                                        eth1.0
                                                        eth2.0
                                                        eth3.0
                                                        wl0
                                                        wl1
                                                        eth4.0
br1             8000.28285d077608       no              eth4.99
« Last Edit: September 08, 2017, 07:21:13 PM by Iam_TJ »
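
An added example, not part of the posts above: because the manual brctl change in the first post is lost on reboot, this script checks saved `brctl show` output for the membership both posts aim for (eth4.99 in br1, untagged eth4 not in br1). The function names and the SAMPLE_BROKEN listing are constructed for illustration, and it is assumed to run on an admin workstation with a POSIX sh and awk rather than on the router.

```shell
#!/bin/sh
# Added example (not from the thread): verify bridge membership after a reboot
# or firmware upgrade by parsing `brctl show` output read from stdin.

# Constructed sample of the faulty state from the first post: the web UI put
# the untagged eth4 into br1 instead of eth4.99.
SAMPLE_BROKEN='bridge name     bridge id               STP enabled     interfaces
br0             8000.28285d077608       no              eth0.0
                                                        eth1.0
br1             8000.28285d077608       no              eth4'

# Working state, abridged from the brctl output in reply #2.
SAMPLE_FIXED='bridge name     bridge id               STP enabled     interfaces
br0             8000.28285d077608       no              eth0.0
                                                        wl0
                                                        eth4.0
br1             8000.28285d077608       no              eth4.99'

# Emit one "bridge interface" pair per line, following continuation lines.
bridge_members() {
    awk '
        NF >= 3 && $2 ~ /^[0-9a-f]+\.[0-9a-f]+$/ {   # row that starts a bridge
            br = $1
            if (NF >= 4) print br, $4
            next
        }
        NF == 1 && br != "" { print br, $1 }          # continuation row
    '
}

# check_vlan_bridge BRIDGE VLAN_IF (VLAN_IF in name.ID form): succeed only if
# VLAN_IF is in BRIDGE, is in no other bridge, and its untagged parent
# (eth4 for eth4.99) is not in BRIDGE.
check_vlan_bridge() {
    bridge_members | awk -v br="$1" -v vif="$2" '
        BEGIN { parent = vif; sub(/\.[0-9]+$/, "", parent) }
        $2 == vif && $1 == br { found = 1 }
        $2 == vif && $1 != br { print "FAIL: " vif " is also in " $1; bad = 1 }
        $2 == parent && $1 == br { print "FAIL: untagged " parent " is in " br; bad = 1 }
        END {
            if (!found) { print "FAIL: " vif " is not in " br; bad = 1 }
            if (!bad) print "OK: " br " carries " vif " and not " parent
            exit bad + 0
        }'
}

printf '%s\n' "$SAMPLE_BROKEN" | check_vlan_bridge br1 eth4.99 || true  # reports failures
printf '%s\n' "$SAMPLE_FIXED"  | check_vlan_bridge br1 eth4.99          # reports OK
```

A non-zero exit status from check_vlan_bridge means the management VLAN is not bridged as intended and the steps above need repeating.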