How to smoothly migrate to driver-level VLANs?

After purchasing some managed switches to be able to better segregate my LAN into several segments, I thought about how I could smoothly transition from 1 LAN (on eth0) to a trunked driver-level VLAN solution, where all internal segments are still coming in through eth0, but are tagged, and the managed switch attached to eth0 then takes care of what port is assigned to which VLAN.

I thought I could create new interfaces for the additional (new) segments, using eth0.x1..xn as interfaces for them.

For migrating the existing LAN on eth0 I thought I could just put eth0 into bridging mode together with eth0.1 (where x1..xn are >1 !), i.e. I have not created a new separate interface on eth0.1
I thought after introducing all firewall rules I could then just remove the bridge on eth0 / eth0.1 and only use eth0.1, leaving eth0 out.

Note that my platform has only separate Ethernet interfaces and they are not switched, so driver-level VLANs will be used.

So I did this:

And the network came to a screeching halt.
I had to remove "eth0.1" from the LAN interface using the console and reboot to be back in business.

Obviously I did not fully understand what I was doing.
Would someone care to give me a hint why this did not work?

And what would be your proposed smooth migration path?
Current setup: openwrt eth0 attached to cascade of cheap unmanaged switches, carries only LAN
Desired setup: openwrt eth0 attached to cascade of decent managed switches, carries VLANS for LAN, VOIP, IOT, GUEST, WHATNOT in a trunked fashion

I assume there are decent guide articles on this already, I am just not aware of them. Everything I found talks about setting up VLANs on switched interfaces on the router platform, and not about driver-level VLANs.

What device are you using, and what version of OpenWrt?

Generally this is pretty easy to do on most hardware.

18.06.4 on an APU

Should be possible and easy. Can you provide a copy of your /etc/config/network file -- this will help me craft an example.

This is just about eth0 and I am determined to do this using Luci, only.
Here you go:

config interface 'lan'
	option proto 'static'
	option netmask ''
	option ipaddr ''
	option ip6assign '64'
	option ifname 'eth0'

Basically what I did through Luci was replacing "eth0" with "eth0 eth0.1"


What you have now would present an untagged (PVID) network on eth0. If you want to create a tagged network (you may have zero, one or many tagged networks), just do the eth0.x notation and create a new subnet. Don't forget to also set up the DHCP server, assuming you want that running on this network.

My example below is VLAN100 (tagged) with an address of

config interface 'guest'
	option proto 'static'
	option netmask ''
	option ipaddr ''
	option ip6assign '64'
	option ifname 'eth0.100'

You must make sure that your switch is configured appropriately. In this case, VLAN100 tagged on that port (VID).

Then make VLAN100 untagged (PVID) on at least one other port of your switch. (switches all have slightly different ways of assigning port membership and PVID/VID, so make sure this is done correctly for your hardware). When you plug in a computer via ethernet to that untagged port, it should work on the new VLAN.

This is what I figured (see my posting).
This does however not answer my questions.
Let me remind:

What is wrong with my migration idea for LAN from eth0 to eth0.1?
Why can I not have eth0 and eth0.1 bridged so that the untagged traffic still works the same as any tagged traffic for VLAN1?
If you look at my config above I can tell you what actually happens:
eth0 will not have an IP any more, but eth0.1 will be
I guess this is why the untagged traffic cannot reach the router any more, is that correct?
Is it that we cannot have an interface and one of its tagged subinterfaces with the same IP?

Would that mean that I have to create a new additional LAN-1 interface on top of eth0.1 and keep LAN on top of eth0 for the migration phase, so that the old LAN setup still works in parallel to the VLAN setup until all machines have been migrated from LAN to LAN-1 .. LAN-N?

it should make a bridge br-lan over eth0 and eth0.1 and the bridge should get the IP address.

I don't know why the LAN comes to a halt when you bridge these two, but it may have something to do with misconfiguration on the switch.

Currently eth0 is attached to an unmanaged switch and there is no tagged traffic yet, I want to extend my setup so that I can slowly piece by piece migrate each machine from LAN over to one of the VLANs before I later tear down LAN for the untagged traffic. I will replace the unmanaged switch by a managed switch in the next few days.

What is a smooth migration path from LAN to the new VLANs using Openwrt?

good question... I think by smooth you mean that you don't apply some settings and then lose access to the router. Your bridge idea is sound in principle. I wonder if you aren't somehow creating a loop in the network...

Basically a packet comes in to the router on say eth0... the router then bridges this packet to eth0.1, the unmanaged switch floods this packet to all ports, which means the router sees it coming back on eth0.1, which makes it bridge it to eth0 and eth0.1.... and suddenly one packet is just going all over the place on the switch....

I think you need a managed switch, and you should create a "management" vlan, and then connect via this management vlan and alter the LAN vlan settings from there.

A few quick things:

  1. I wouldn't recommend bridging the VLANs directly. Instead, route them. This is easily accomplished by creating a firewall zone for each VLAN and then setting up forwarding between the zones. You can allow complete/open forwarding, selective forwarding (including only allowing one network to initiate a connection to the other and not vice versa), or complete isolation.

  2. Do not attempt to do VLANs with an unmanaged switch. The behavior of unmanaged switches is not defined for VLANs -- some may kind of work, some may cause issues. Best to wait until you have a smart switch before you do anything with VLANs. The smooth migration starts with having the correct downstream equipment (smart switches are usually equivalent to unmanaged switches for all practical considerations in their default state, but they have well defined behavior for tagged traffic ingress).


@psherman: (1) the bridge was meant as a transitory solution during migration.
@dlakelan: I guess this could be a reason that the router sends everything that goes to LAN to eth0 and eth0.1, effectively having a tagged duplicate packet for each packet, and the unmanaged switch might not like that.

So instead of bridging the old untagged LAN on eth0 and the tagged VLAN eth0.1, I would set the new tagged VLAN on eth0.1 up as a separate interface LAN-1 and allow free routing in between LAN and LAN-1 during the migration phase?

Something like that, instead of LAN-1 call it MGMT put it on say VLAN 10, and have it be your VLAN exclusively for managing the device... then from there, when you have everything set up on the switch, log in on MGMT and change LAN to use eth0.1

Tagged and untagged on the same cable is always a tricky situation. You should switch over to only tagged. If you have an extra port on the managed switch (which as @psherman said, you have to have a managed switch for VLANs to make any sense), set it up tagged in the same VLAN that you're now using untagged. Then change the router and move the cable over to the tagged port. You can then expand by adding more VLANs at both ends.
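
An added example, not taken from any post in this thread: the routed approach suggested above (one firewall zone per VLAN instead of a bridge, plus a management VLAN 10 on eth0.10), written as UCI sections. The 192.168.10.1/24 address, the DHCP range and the rule names are constructed; 'lan' and 'guest' are the interfaces shown earlier in the thread.

```uci
# /etc/config/network: management VLAN 10, tagged on eth0 (address is a constructed sample)
config interface 'mgmt'
	option proto 'static'
	option ifname 'eth0.10'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp: leases for the new segment (range is a constructed sample)
config dhcp 'mgmt'
	option interface 'mgmt'
	option start '100'
	option limit '50'

# /etc/config/firewall: one zone per VLAN, routed rather than bridged
config zone
	option name 'mgmt'
	list network 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# 'guest' is the eth0.100 interface shown earlier in the thread
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# guests may only obtain a lease and resolve names on the router itself
config rule
	option name 'Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# one-way: mgmt may open connections into lan; no reverse section exists
config forwarding
	option src 'mgmt'
	option dest 'lan'
```

Because each VLAN is its own routed subnet, the untagged LAN on eth0 keeps working unchanged while hosts are moved, and a segment with no forwarding section stays isolated from the others.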