Skip to main content

PI-NET 2.0 - Configure Reset or Unconfigured Zyxel GS1900 Switch Through MikroTik Ether5 Emergency Access

This guide explains how to access and configure a reset or unconfigured Zyxel GS1900-48 switch when it is deployed behind a MikroTik router in a PI-NET 2.0 setup.

PI-NET 2.0 - Configure Reset or Unconfigured Zyxel GS1900 Switch

This guide explains how to access and configure a reset or unconfigured Zyxel GS1900-48 switch when it is deployed behind a MikroTik router in a PI-NET 2.0 setup.

This is useful when the physical cabling is correct, but the switch is not yet configured for the expected VLAN, LACP, or management setup.

Example site used in this guide:

Site ID: FRSTQ Router: FRSTQ-NETGW01 Switch: FRSTQ-NETSW01 Switch model: Zyxel GS1900-48 Temporary access: MikroTik ether5 emergency VLAN14

Important SAVE note

On Zyxel switches, Apply and SAVE are not the same thing.

Apply = makes the change active now SAVE  = writes the change to startup configuration

If SAVE is not clicked, settings may be lost after reboot or power outage.

After every switch configuration change:

Click Apply Then click SAVE

Step 1 - Enable MikroTik ether5 emergency access

Upload the emergency access script from the pi-net-gateway repository to the MikroTik router.

Script file: ether5_emergency_access_vlan14_enable.rsc

In Winbox:

Files > Upload

Upload the script file.

Then open MikroTik Terminal and run:

import ether5_emergency_access_vlan14_enable.rsc

The script may show an error even if ether5 becomes usable.

Example error:

Script Error: invalid internal item number (/interface/bridge/vlan/get; line 27)

Do not assume the whole change failed. Verify that ether5 is active as VLAN14 access before making more changes.

Step 2 - Find the switch DHCP address in MikroTik

In Winbox, find the switch lease here:

IP > DHCP Server > Leases

Look for a Zyxel switch. It will most likely be named:

GS1900

Example:

Name: GS1900 Interface: ether5 IP address: 192.168.14.254

Open the switch in a browser:

http://192.168.14.254

Use the actual DHCP address shown in Winbox.

Step 3 - Log in to the switch

Log in using the default Zyxel credentials.

If the switch requires a new password before continuing, use a temporary randomized password.

Password format:

4-5 randomized ASCII words No spaces No special characters

Reason:

Zyxel GS1900 password handling can be sensitive with spaces and special characters.

Step 4 - Prepare the Bitwarden item

Create or prepare the Bitwarden item for the site switch.

Example:

Bitwarden item name: FRSTQ-NETSW01 Username: frstq-netadmin Password: randomized 4-5 ASCII words, no spaces, no special characters

The site-specific password will be used later when creating the final site admin user.

Step 5 - Restore the PI-NET 2.0 switch template

In the Zyxel GUI, go to:

Maintenance > Configuration > Restore

Use:

Method: HTTP File: TMPID-NETSW01_vlan14_LACP_12_34_45_47

Then click:

Apply

The switch will reboot.

Wait a few minutes before trying to reconnect.

Step 6 - Log in after template restore

After template restore, the switch uses the PI-NET switch template credential.

Use this Bitwarden item:

Bitwarden item: PI-NET-SW00 default Username: tmpid-netsw00 Password: stored in Bitwarden

If the switch IP changed after reboot, find it again in MikroTik:

IP > DHCP Server > Leases

Look for:

GS1900

or the restored switch hostname if it has updated.

Step 7 - Create the site admin user

In the Zyxel GUI, go to:

Configuration > Management > Users

Create the site admin user.

Example for FRSTQ:

User: frstq-netadmin Encryption: Encrypted Password: password from Bitwarden item FRSTQ-NETSW01 Password Confirm: same password Privilege Level: Admin

Then:

Click Apply Click SAVE

Important:

Do not remove the tmpid-netsw00 user yet.

First confirm that the new site admin user works.

Step 8 - Test the site admin user

Log out from the switch.

Log in again using the new site admin user.

Example:

Username: frstq-netadmin Password: password from Bitwarden item FRSTQ-NETSW01

Confirm that login works and that the user has admin access.

Step 9 - Remove the temporary template user

Only after the new site admin login has been tested successfully, remove the temporary template user.

Remove this user:

tmpid-netsw00

Then:

Click Apply Click SAVE

Important:

Do not remove tmpid-netsw00 before confirming that the site admin user works.

Otherwise, you may lock yourself out of the switch.

Step 10 - Set switch hostname and location

In the Zyxel GUI, go to:

Configuration > System > Information

Set:

System Name: <SITEID>-NETSW01 System Location: <SITEID>

Example:

System Name: FRSTQ-NETSW01 System Location: FRSTQ

Then:

Click Apply Click SAVE

Step 11 - Verify expected link status

On a new site without cells connected, the switch should normally show link on:

Port 01 = Dell server ETH1 Port 02 = Dell server ETH2 Port 45 = MikroTik ether3 Port 47 = MikroTik ether4 Port 48 = MikroTik ether5, only if emergency access is enabled and connected

Cells and score viewers should later be connected only to:

Switch ports 05-44

Infrastructure ports are reserved:

Switch ports 01-04 Switch ports 45-48

Step 12 - Check LAG status

In the Zyxel GUI, go to:

Configuration > Link Aggregation > LAG Management

Expected LAG overview:

LAG1 = MikroTik ether3 + ether4 Expected ports: 45 and 47  LAG3 = Dell server ETH1 + ETH2 Expected ports: 1 and 2  LAG2 = uplink to second switch Expected ports: 3 and 4 May be down if no second switch is connected

Step 13 - Check for one-port cabling mistakes

Do not assume the cabling is correct just because the switch is reachable.

LACP redundancy can hide cabling mistakes.

Example mistake:

Wrong: C05 connected to switch port 43 C06 connected to switch port 45  Correct: C05 connected to switch port 45 C06 connected to switch port 47

The switch may still work because one LACP member is active, but the cabling is still wrong and should be corrected.

Use this menu to confirm:

Configuration > Link Aggregation > LAG Management

Check whether one of the active cables is outside the expected ports.

Step 14 - Return to normal PI-NET 2.0 operation

After the switch template is restored, the site admin user is created, hostname/location are set, and cabling is confirmed, return the MikroTik and switch path to normal PI-NET 2.0 operation.

Normal state:

MikroTik ether3 + ether4 = normal switch uplink/bond MikroTik ether5 = emergency access only, disabled or not used

If access to the switch is lost after restoring the template, return to the normal ether3+ether4 uplink path.

This is expected because the final PI-NET 2.0 switch configuration is designed to work through ether3+ether4, not through emergency ether5.

Final checklist

* [ ] Ether5 emergency access enabled temporarily
* [ ] Switch found in MikroTik DHCP leases
* [ ] Switch accessed through browser
* [ ] PI-NET 2.0 switch template restored
* [ ] Switch rebooted
* [ ] Logged in with PI-NET-SW00 default credential
* [ ] Site admin user created
* [ ] Clicked SAVE after creating site admin user
* [ ] Logged out and confirmed site admin login works
* [ ] Removed tmpid-netsw00 user
* [ ] Clicked SAVE after removing tmpid-netsw00
* [ ] Set System Name to <SITEID>-NETSW01
* [ ] Set System Location to <SITEID>
* [ ] Clicked SAVE after hostname/location change
* [ ] Verified expected switch links
* [ ] Checked LAG Management
* [ ] Corrected any misplaced cables
* [ ] Returned MikroTik/switch path to normal ether3+ether4 operation
Did this answer your question?