Is my VLAN 1 a security risk?
Solution 1:
Per section 8.2 of the manual if a port is set to a static VLAN, packets received on that port will be sent to the configured VLAN whether they're tagged or not.
Solution 2:
I just recently bought a second-hand GS-1548 which runs the same firmware as the GS-1524 and exhibits the same issue.
In short, the web-based management UI does not allow removing ports from VLAN 1 (the fixed management VLAN). All the ports are always part of VLAN 1, either in tagged or untagged mode. You can freely remove ports from other VLANs but the “not a member” mode is not togglable in VLAN 1.
A quick Google search revealed this restriction is only implemented client-side — in the JavaScript code that runs in your browser. A Blogger user going by the name berry120 has published instructions on how to circumvent this check manually using the web developer tools built into your browser.
I took this one step further and wrote a userscript that transparently bypasses the check and lets you manage VLAN 1 the exact same way as the other VLANs. You can find it here.
(The same issue — and fix — also applies to the other models in the ZyXEL Switch 1500 Series: the ES-1528 and the ES-1552.)