I've had Zyxel VMG8324-B10A and VMG8924-B10A devices since 2013. As well as hacking on their software I also use one as my primary VDSL gateway on the end of an approximately 1.95km copper line from the nearest OpenReach cabinet. The original BT-supplied VDSL modem (HG612 I think) could only sync for incoming (downstream) at around 7Mbps. These Zyxels sync above 10Mbps. At these distances every little helps! However, I digress.
Starting with the first firmware version I was able to configure and operate 2 separate internal VLANs - the default and a management VLAN (id 99). I configured the WAN Ethernet port as a 5th LAN port, added the VLAN id and tag, and configured a separate IP subnet via the LAN Setup page.
I upgraded the firmware pretty regularly as newer releases were published and the VLANs continued to work. Then, in late 2015, after upgrading to version 15 the device lost the separate VLAN ability. Despite extensive investigation I couldn't figure out what had changed but had other priorities and left it.
Until this past week when I upgraded the device to version 18 and was irked by still not having the separate VLAN function. I raised a support ticket with Zyxel (which they have escalated) and set about figuring out a solution.
The original loss of functionality when version 15 was released seems to have coincided with the moving of the LAN VLAN settings page from being a Home Networking tab, to being a separate sub-menu of the Network Setting menu. The user guides (V1.00 dated 2013 and V2.00 dated 2015) document this move but nothing else regarding VLAN settings.
Today I finally figured out why it failed and a (manual intervention) step to have it work once more.
I'm documenting the steps here both for others and as an aide-memoire in case I forget!
Pre-requisites:
- This assumes the VDSL interface is the active outgoing connection. If using ADSL, or Ethernet WAN, then you'll need to modify the steps below to use an unused WAN interface in the Interface Group.
- Enable moving the WAN Ethernet port to an additional LAN port. Network Setting > Home Networking > 5th Ethernet Port
- Ensure Network Setting > Broadband > Broadband has an ADSL interface defined and marked active (this creates an atm0.1 interface). If using ADSL then ensure the VDSL interface is defined and active (creates a ptm0.1 interface).
- Add a new Network Setting > Interface Group that includes the idle but active ADSL atm0.1 interface and add to it the 5th Ethernet port (listed as "eth4" under "Available LAN Interfaces"). Give the new group a name (e.g. "Management")
- Mark the 5th Ethernet port as part of a Network Setting > Vlan Group. Create a group (e.g. "Management"), set its 802.1q tag ID to "99", and mark "LAN5" as included. If necessary mark it for Tx Tagging (packets exiting the interface will have the tag ID added).
- Configure a new sub-net via Network Setting > Home Networking > LAN Setup by selecting the new Interface Group (e.g. "Management") from the drop-down list. Configure the settings for the group as desired. These are entirely separate from the existing default settings.
- At this point the separate VLAN subnet is completely configured. However, it still won't work. The reason is that there is no way via the web configuration to add the new VLAN interface (eth4.99) to the Interface Group's bridge interface (which should be br1). It only added the underlying eth4.
- To fix it you'll need to use a remote terminal via either SSH or Telnet to the device, so ssh supervisor@LAN-IP to connect to the command line interpreter
- Start a pure shell and use it to add the VLAN interface to the bridge and remove the underlying interface:
> sh
brctl show
brctl addif br1 eth4.99
brctl delif br1 eth4
exit
Note: if the device is rebooted you'll need to repeat this step as there's no way I've found so far to save this change so that it is applied at boot-time.
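Since the fix has to be repeated after every reboot, it is worth checking what br1 actually contains before re-applying it. The following is an added example, not part of the original post or of Zyxel's firmware: a POSIX sh helper that reads `brctl show` output and prints only the brctl commands br1 still needs. It assumes awk and grep are available in the device's shell (the post does not confirm this), and the two sample tables are constructed.

```shell
#!/bin/sh
# Added example. BRIDGE, VLAN_IF and RAW_IF are the names used in the post.
BRIDGE=br1
VLAN_IF=eth4.99
RAW_IF=eth4
# Constructed `brctl show` tables (real output uses tabs; awk splits on both).
SAMPLE_AFTER_REBOOT='bridge name     bridge id               STP enabled     interfaces
br0             8000.0011223344aa       no              eth0
                                                        eth1
                                                        eth2
br1             8000.0011223344aa       no              eth4'
SAMPLE_FIXED='bridge name     bridge id               STP enabled     interfaces
br0             8000.0011223344aa       no              eth0
br1             8000.0011223344aa       no              eth4.99'

# bridge_members NAME: read `brctl show` text on stdin and print the
# interfaces attached to bridge NAME, one per line.
bridge_members() {
    awk -v br="$1" '
        NR == 1 && $1 == "bridge" { next }        # column header
        NF == 0 { next }
        { first = substr($0, 1, 1) }
        first != " " && first != "\t" {           # row that starts a bridge
            cur = $1
            if (cur == br && NF >= 4) print $4
            next
        }
        cur == br { print $1 }                    # continuation row
    '
}

# has_member LIST IFACE: exact, fixed-string match so "eth4" != "eth4.99".
has_member() { printf '%s\n' "$1" | grep -Fqx -- "$2"; }

# plan_fix: read `brctl show` on stdin, print the commands still needed.
plan_fix() {
    members=$(bridge_members "$BRIDGE")
    has_member "$members" "$VLAN_IF" || echo "brctl addif $BRIDGE $VLAN_IF"
    if has_member "$members" "$RAW_IF"; then
        echo "brctl delif $BRIDGE $RAW_IF"
    fi
}

# --live inspects the running device; otherwise show the constructed case.
if [ "${1:-}" = "--live" ]; then
    brctl show | plan_fix
else
    printf '%s\n' "$SAMPLE_AFTER_REBOOT" | plan_fix
fi
```

An empty result means br1 already carries eth4.99 and no longer carries the untagged eth4, so nothing needs to be re-applied.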
Now configure another device on the 5th Ethernet port (mine is connected to a 48-port switch) in the VLAN's sub-net, ensure that device can already ping other devices in the VLAN, then try pinging the IP address of the router (e.g. ping 10.254.0.254 in my case).
You can apply this solution to another Ethernet port; it doesn't require using the 5th Ethernet port, but I use it because it is already logically and colour-code separated from the other LAN ports.