Configure Zyxel Router


Carol Gudes

Aug 3, 2024, 2:53:21 PM
to juncblooderyl

My switch is currently working with a basic VLAN 1 or default setup - as if the switches involved are 'dumb'. I want to add a few VLANs on a LAGG between my GS1920-24v2 and my router, which runs pfsense.

Unfortunately I cannot find any tutorials that explain setting up this switch that aren't either years out of date or relate to different Zyxel products using a different GUI or to switches from other manufacturers. The GS1920-24v2 manual refers to specific sections in detail, but does a poor job of explaining how different sections work together and in what order to make changes to the configuration.

I especially don't understand how to retain what is currently working and add to it without messing it all up! I have had to factory reset everything multiple times and wasted countless hours - hence this plea for help!

Existing LAN network and access to management GUIs on router and switches is the typical 192.168.1.0/24. Ideally I would like to change this, but that can come later - right now with the router, two switches and the AP to manage via web GUIs on this subnet I daren't make any changes. How to go about making that change might be a future question!

Port 16 connects to a 5-port TP-Link PoE switch and from there to a Unifi U6 Access Point (VLAN aware) - I think this should be Tagged as it will carry VLANs 1, 33 (GUEST) and 44 (CAMS) ? VLAN trunking box ticked?

(I will also have to figure out the TP-Link PoE switch's configuration. It has a non-PoE port no. 5 that does data only and which should therefore be Tagged as a trunk port. But I'm not really asking for help on a TP-Link device in a Zyxel forum!)

As I said with everything currently working on the default VLAN 1 on the GS1920-24 connecting to pfsense, and also to my AP via the TP-Link PoE switch - essentially everything is currently working as if the switches involved were 'dumb'. However there is no Guest Wifi and no security cameras or audio devices connected to any ports on any switch.

Your understanding is correct. However, in the default VLAN setting of the switch, the PVID is 1, so it assigns VID 1 to incoming untagged packets and forwards them with VID 1. Therefore, both tagging and untagging Port 16 (connected to TP-Link) on the GS1920-24v2 to VLAN1 are acceptable.

Regarding Port 13 connected to the pfsense router, upon reviewing the pfsense router settings, there's no option to configure the VLAN ID for the LAN interface. Therefore, you will need to set your GS1920-24v2 Port 13 with VLAN 1, untag, and the packets will be forwarded as LAN1.

As for the Port 16 connects to a 5-port TP-Link PoE switch that I think needs to be able to do VLAN too or if you can connect all CAMS to one switch you can make that untag to port 16 and tag to port 13 VLAN 44 then port 17 with to Access Point switch untag to port 17 and tag to port 13 VLAN 33

"As for the Port 16 connects to a 5-port TP-Link PoE switch that I think
needs to be able to do VLAN too or if you can connect all CAMS to one
switch you can make that untag to port 16 and tag to port 13 VLAN 44
then port 17 with to Access Point switch untag to port 17 and tag to
port 13 VLAN 33"

Thank you both once again for your replies. I'm still trying to wrap my head around it all. Then I have to find a fairly big chunk of free time to get it all set up and troubleshoot. Given ongoing health problems I don't know when that will be but I'm a lot clearer on the basic plan thanks to your support.

The issue I am facing:
Pi-hole seems to be blocking ads as connected via ethernet to my Zyxel VMG4825-B10A router and Windows PC as evidenced by blank ad spaces on news websites and such. But the admin panel does not show anything being blocked, and just a total of 6 queries despite much internet usage. Other devices running off the router are not having ads blocked. Zyxel interface is confusing to me as to where to enter the DNS settings.

What I have changed since installing Pi-hole:
Just trying to find proper place(s) to enter DNS settings in the router configuration. See three screenshots for the three places that seemed to be where I needed to enter the DNS information. As another post on here mentioned in screenshot 1 under DNS values Zyxel routers require you to enter both DNS server 1 and 2 fields. In screenshot 3 I put the hostname as raspberrypi.local because it required me to enter a hostname.domainname which I was unsure of. Any guidance would be appreciated, thanks for the help

In addition, I noticed you configured for a hostname raspberry.local.
.local is the domain name reserved for the mDNS protocol and shouldn't be used with DNS.
Avoid setting it as your local domain aka search domain aka search suffix.

Try entering Pi-hole's IPv4 twice.
If that doesn't work, try 0.0.0.0 as second.
If that is rejected as well, put in an unused(!) IP from your router's reserve, i.e. outside of your router's DHCP pool range.

I think I used the wrong test here, but maybe I also have the wrong expectations too (I am new to the mesh world). I believed that the mesh would work in combination with the devices on the same radio (5G), but not reducing in half the available bandwidth (unless a client really uses that bandwidth on the bridged 5G channel).

It has a MediaTek MT7621, so yes, hardware offloading is supported.
See here for VPN performance on that chip: _vpn_performance
I can see between 100/200Mbps with WireGuard. About 20Mbps with OpenVPN.

I disabled mesh on the main router and wi-fi doesn't really seem to go more than 300Mbps/sec (common Internet speed test).
I unboxed the last router I have with the original Zyxel firmware, put it in bridge mode and attached to the wired uplink. I can reach briefly 400Mbps/sec but it seems to be able to sustain 370Mbps/sec.

I can see a link of over 1000Mbps/sec on my phone (Google pixel 7 pro), so I believe it is a 2x2 mimo ax.
My tests are mainly Internet speed tests. I definitely saw more than 600Mbps over the 5G network when connecting to devices wired to the AP with OpenWrt and running iperf (upstream node).
Which makes even stranger why I don't see better speeds now that I enabled the hardware acceleration.
But I can live with that!

I was quite puzzled by that sentence (that I saw in post from @ghen as well), and I can confirm, after a test with another unit.
These are my updated notes for the process (since I had some trouble the first time with :

I installed today without logging in as well. However, I connected WAN straight from the beginning and refreshed the upgrade page a few times. Whole process done in less than 5 minutes. I edited the installation instructions in the Wiki to make it even clearer that no ZyXEL account is required.

For the first one, I started by using a Windows 11 machine but gave up after uploading and installing openwrt-23.05.0-ramips-mt7621-zyxel_wsm20-initramfs-kernel.bin via the web interface. From that moment, I have been using a laptop running Raspbian for x86.

Thanks for your post and welcome! Indeed, this is the case also for others and has been documented already on - but not for very long yet, which may be why you missed it. It is nice to have confirmation, though, so again: thanks for posting.

It should be, as we have 3 machines with the same setup, one of them is here local to me and I can ssh in to openmediavault just fine, and yes I also have Tailscale running because my ISP is using CG-NAT so I can't get a direct connection.

I was just using my Nighthawk D7000 and a Netgear extender, until I needed more upload speed for home security cameras. CenturyLink double bounded is not compatible with the Netgear Nighthawk D7000, so I was forced to get their Zyxel C3000Z modem. The technician put the Zyxel in the basement and connected my Nighthawk via ethernet in my office, as he stated it is a better product and I can continue using it. I now have 2G, 5G, 2G_EXT, 5G_EXT (from Netgear) and 2.G and 5G from CenturyLink showing. How can I clean this up so I do not have 6 options please? I would like to go back to 4 using the higher speed that I am paying for.

Did the D7000 get configured as a wireless access point, or do you
now have two NAT routers cascaded? What's an IP address of a
computer/device which is connected to the D7000[vX]? And when connected
to the C3000Z?

There is an outlet in the office that is wired to the basement - connected that to the Zyxel then plugged from the outlet to the back of the Nighthawk. Ethernet LAN ports. Four Gigabit Ethernet RJ-45 LAN ports to connect the modem router to LAN devices. These ports are colored yellow.

That "No" seemed pretty clear (to me). But that applies to its DSL
modem section, not to its router section. And you don't need to use its
DSL modem section. Look for "Set Up the Modem Router for Cable or Fiber
Service" in the D7000 User Manual.

I had CenturyLink internet using my Netgear Nighthawk D7000 modem/router that could only be plugged in, in the very front of the house, or the very back, based on the only 2 phone jacks visible in the house. I think there is one in the kitchen but the previous homeowners tiled over it.
