PI-NET 2.0 - Configure Reset or Unconfigured Zyxel GS1900 Switch
This guide explains how to access and configure a reset or unconfigured Zyxel GS1900-48 switch when it is deployed behind a MikroTik router in a PI-NET 2.0 setup.
This is useful when the physical cabling is correct, but the switch is not yet configured for the expected VLAN, LACP, or management setup.
Example site used in this guide:
Site ID: FRSTQ Router: FRSTQ-NETGW01 Switch: FRSTQ-NETSW01 Switch model: Zyxel GS1900-48 Temporary access: MikroTik ether5 emergency VLAN14
Important SAVE note
On Zyxel switches, Apply and SAVE are not the same thing.
Apply = makes the change active now SAVE = writes the change to startup configuration
If SAVE is not clicked, settings may be lost after reboot or power outage.
After every switch configuration change:
Click Apply Then click SAVE
Step 1 - Enable MikroTik ether5 emergency access
Upload the emergency access script from the pi-net-gateway repository to the MikroTik router.
Script file: ether5_emergency_access_vlan14_enable.rsc
In Winbox:
Files > Upload
Upload the script file.
Then open MikroTik Terminal and run:
import ether5_emergency_access_vlan14_enable.rsc
The script may show an error even if ether5 becomes usable.
Example error:
Script Error: invalid internal item number (/interface/bridge/vlan/get; line 27)
Do not assume the whole change failed. Verify that ether5 is active as VLAN14 access before making more changes.
Step 2 - Find the switch DHCP address in MikroTik
In Winbox, find the switch lease here:
IP > DHCP Server > Leases
Look for a Zyxel switch. It will most likely be named:
GS1900
Example:
Name: GS1900 Interface: ether5 IP address: 192.168.14.254
Open the switch in a browser:
http://192.168.14.254
Use the actual DHCP address shown in Winbox.
Step 3 - Log in to the switch
Log in using the default Zyxel credentials.
If the switch requires a new password before continuing, use a temporary randomized password.
Password format:
4-5 randomized ASCII words No spaces No special characters
Reason:
Zyxel GS1900 password handling can be sensitive with spaces and special characters.
Step 4 - Prepare the Bitwarden item
Create or prepare the Bitwarden item for the site switch.
Example:
Bitwarden item name: FRSTQ-NETSW01 Username: frstq-netadmin Password: randomized 4-5 ASCII words, no spaces, no special characters
The site-specific password will be used later when creating the final site admin user.
Step 5 - Restore the PI-NET 2.0 switch template
In the Zyxel GUI, go to:
Maintenance > Configuration > Restore
Use:
Method: HTTP File: TMPID-NETSW01_vlan14_LACP_12_34_45_47
Then click:
Apply
The switch will reboot.
Wait a few minutes before trying to reconnect.
Step 6 - Log in after template restore
After template restore, the switch uses the PI-NET switch template credential.
Use this Bitwarden item:
Bitwarden item: PI-NET-SW00 default Username: tmpid-netsw00 Password: stored in Bitwarden
If the switch IP changed after reboot, find it again in MikroTik:
IP > DHCP Server > Leases
Look for:
GS1900
or the restored switch hostname if it has updated.
Step 7 - Create the site admin user
In the Zyxel GUI, go to:
Configuration > Management > Users
Create the site admin user.
Example for FRSTQ:
User: frstq-netadmin Encryption: Encrypted Password: password from Bitwarden item FRSTQ-NETSW01 Password Confirm: same password Privilege Level: Admin
Then:
Click Apply Click SAVE
Important:
Do not remove the tmpid-netsw00 user yet.
First confirm that the new site admin user works.
Step 8 - Test the site admin user
Log out from the switch.
Log in again using the new site admin user.
Example:
Username: frstq-netadmin Password: password from Bitwarden item FRSTQ-NETSW01
Confirm that login works and that the user has admin access.
Step 9 - Remove the temporary template user
Only after the new site admin login has been tested successfully, remove the temporary template user.
Remove this user:
tmpid-netsw00
Then:
Click Apply Click SAVE
Important:
Do not remove tmpid-netsw00 before confirming that the site admin user works.
Otherwise, you may lock yourself out of the switch.
Step 10 - Set switch hostname and location
In the Zyxel GUI, go to:
Configuration > System > Information
Set:
System Name: <SITEID>-NETSW01 System Location: <SITEID>
Example:
System Name: FRSTQ-NETSW01 System Location: FRSTQ
Then:
Click Apply Click SAVE
Step 11 - Verify expected link status
On a new site without cells connected, the switch should normally show link on:
Port 01 = Dell server ETH1 Port 02 = Dell server ETH2 Port 45 = MikroTik ether3 Port 47 = MikroTik ether4 Port 48 = MikroTik ether5, only if emergency access is enabled and connected
Cells and score viewers should later be connected only to:
Switch ports 05-44
Infrastructure ports are reserved:
Switch ports 01-04 Switch ports 45-48
Step 12 - Check LAG status
In the Zyxel GUI, go to:
Configuration > Link Aggregation > LAG Management
Expected LAG overview:
LAG1 = MikroTik ether3 + ether4 Expected ports: 45 and 47 LAG3 = Dell server ETH1 + ETH2 Expected ports: 1 and 2 LAG2 = uplink to second switch Expected ports: 3 and 4 May be down if no second switch is connected
Step 13 - Check for one-port cabling mistakes
Do not assume the cabling is correct just because the switch is reachable.
LACP redundancy can hide cabling mistakes.
Example mistake:
Wrong: C05 connected to switch port 43 C06 connected to switch port 45 Correct: C05 connected to switch port 45 C06 connected to switch port 47
The switch may still work because one LACP member is active, but the cabling is still wrong and should be corrected.
Use this menu to confirm:
Configuration > Link Aggregation > LAG Management
Check whether one of the active cables is outside the expected ports.
Step 14 - Return to normal PI-NET 2.0 operation
After the switch template is restored, the site admin user is created, hostname/location are set, and cabling is confirmed, return the MikroTik and switch path to normal PI-NET 2.0 operation.
Normal state:
MikroTik ether3 + ether4 = normal switch uplink/bond MikroTik ether5 = emergency access only, disabled or not used
If access to the switch is lost after restoring the template, return to the normal ether3+ether4 uplink path.
This is expected because the final PI-NET 2.0 switch configuration is designed to work through ether3+ether4, not through emergency ether5.
Final checklist
* [ ] Ether5 emergency access enabled temporarily
* [ ] Switch found in MikroTik DHCP leases
* [ ] Switch accessed through browser
* [ ] PI-NET 2.0 switch template restored
* [ ] Switch rebooted
* [ ] Logged in with PI-NET-SW00 default credential
* [ ] Site admin user created
* [ ] Clicked SAVE after creating site admin user
* [ ] Logged out and confirmed site admin login works
* [ ] Removed tmpid-netsw00 user
* [ ] Clicked SAVE after removing tmpid-netsw00
* [ ] Set System Name to <SITEID>-NETSW01
* [ ] Set System Location to <SITEID>
* [ ] Clicked SAVE after hostname/location change
* [ ] Verified expected switch links
* [ ] Checked LAG Management
* [ ] Corrected any misplaced cables
* [ ] Returned MikroTik/switch path to normal ether3+ether4 operation