Can someone please also explain the correct choice (I watched multiple videos and read the wiki and forums but I am still really struggling with this).
Second question: after this change, should I change the device on my Interface LAN?
Currently it is using device br-lan and has IP + DHCP server (default setting).
Will this work after I add VLANs or should I change Interface Device to new device (VLAN)?
Everything on your Pi's interface should be tagged, and your managed switch will handle the switching of each VLAN through to the switch ports as desired.
However, the Pi doesn't require bridge VLAN filtering -- it can simply use the standard dotted notation (eth0.x where x is the VLAN ID, and that will emerge tagged).
But how will the switch know which VLAN is the correct one (vlan5)?
Wouldn't option e) be better: vlan5 untagged, vlan6-9 tagged?
And on the switch I will just add PVID5 on the port connected to the router (the connected port would have the same configuration as the R4S (vlan5 untagged, vlan6-9 tagged); the only difference would be pvid5)?
I will use vlan5 only as a management vlan for this switch.
c) all tagged
And I choose gw on switch from one of vlans -> Switch management IP will be automatically in this VLAN (and only accessible from this VLAN and/or fw rules defined in R4S)?
EDIT: I think I understand now... I bought STUPID switch (labeled SMART)
Management IP is accessible from all vlans and there is no way to change this behavior?
Good thing I just bought this switch - I will return it and order NETGEAR GS308T (I hope this one will be better).
Can someone help me with second question for R4S:
After I create VLANs and set them to tagged, should I change the device on my Interface LAN?
Currently it is using device br-lan and has static IP + DHCP server (default setting).
Will this work after I add VLANs or should I change Interface Device to new device (VLAN)?
You don't really need a br-lan since you're only connecting the lan network to one physical device, a VLAN on one Ethernet port, i.e. eth0.X. It doesn't have wifi or a bunch of Ethernet ports that you'd want to bridge.
If I understand correctly, I need to do 3 steps:
a) delete br-lan
b) make new interfaces --> vlan (802.1q) -> eth1.x (repeat for all vlans)
c) make new interfaces --> static address (repeat for all vlans)
Question:
When I plug a device (switch) into eth1, will the switch receive all VLANs tagged (and no untagged traffic)?
If I do a, b, c, I will not be able to connect a PC to eth1 and see the router/network (without a VLAN tag)?
2.1) Can I still connect a PC (192.168.1.100, mask /24) to the WAN port (eth0) to configure the router?
Just create network interfaces and enter eth1.X as their device, with X different for each one. It is not necessary to explicitly create "802.1q" devices.
Then on the switch you need a set of VLANs with the same numbers, which are tagged on the port that connects to the Nanopi router, and untagged on ports that you will connect to ordinary members of the VLAN such as desktop computers or IP cameras.
Thank you for help. I want to try this, but I am afraid of "locking myself out".
I hope someone can confirm steps (a,b,c) or provide better steps.
It will also help me a lot if someone can answer this:
When I plug a device (switch) into eth1, will the switch receive all VLANs tagged (and no untagged traffic)?
If I do a, b, c, I will not be able to connect a PC to eth1 and see the router/network (without a VLAN tag)?
2.1) Can I still connect a PC (192.168.1.100, mask /24) to the WAN port (eth0) to configure the router?
You could create an admin network using eth0 as its device, and connect your PC there, since you don't need to be connected to the Internet while setting this up. Then anything you do with eth1 won't lock you out.
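The layout described in the replies above, written out as an `/etc/config/network` fragment. This is an added example, not part of any post in the thread: the interface names and all IP addresses are assumptions, while the device names (eth0, eth1.X) and VLAN IDs 5-9 come from the thread.

```uci
# /etc/config/network (fragment) -- constructed example, addresses are assumptions.
# Assumes the default 'lan' (br-lan) and 'wan' interfaces have been removed or
# moved first, so 192.168.1.1 and eth0 are free for the admin network.

# Untagged admin network on eth0: a PC at 192.168.1.100/24 plugged in here
# keeps access to the router no matter what is changed on eth1.
config interface 'admin'
	option device 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

# VLAN 5: switch management. eth1.5 leaves eth1 tagged with VLAN ID 5;
# no separate 802.1q device section is needed for the dotted notation.
config interface 'mgmt'
	option device 'eth1.5'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'

config interface 'vlan6'
	option device 'eth1.6'
	option proto 'static'
	option ipaddr '192.168.6.1'
	option netmask '255.255.255.0'

config interface 'vlan7'
	option device 'eth1.7'
	option proto 'static'
	option ipaddr '192.168.7.1'
	option netmask '255.255.255.0'

config interface 'vlan8'
	option device 'eth1.8'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'

config interface 'vlan9'
	option device 'eth1.9'
	option proto 'static'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'
```

Each new interface still has to be assigned to a firewall zone; the admin interface needs a zone that accepts input, or LuCI and SSH will not answer on eth0. With no interface bound to plain eth1, the router neither sends nor accepts untagged traffic on that port, so the switch port facing it must carry VLANs 5-9 tagged.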