VLANs and connecting two GS108Ev3 Switches

---

Jake_D wrote:

After reading your post for a couple of times, I decided to create a quick sketch (attached on the left) of what I am trying to accomplish because I think the details might be important and I guess I explained it wrong in my post above.

Thabt's about what I understood - OK. Please add on each link the VLAN numbers plus if the VLAN is tagged or not. eg. switch<->Internet Router VLAN 1 U, PVID 1 (only)  ... and put the updated sektch for a review.

---

Jake_D wrote:

Basically, the ESXi virtualized machines should only be able to talk to eachother and reach the internet. They have their own subnet, pfSense take care of that. As long as I don't use any VLAN settings on the switches, this part works. One part that I didnt mention before is, that both switches are connected using 2 Powerline adapters and the ESXi is also connected using a Powerline adapter. Since these work on Layer 2, that shouldn't be a problem and is quite fast (I can't use ethernet cables unfortunately).

Well, you have the "normal" LAN as an intermediate transfer network between the VM VLAN and the Internet router. Fully block this on the pfSense might be a challenge.

Can't help on that PLC side - earlier days these devices struggled on the additional tag information. But that should be easy to figure out.

---

Jake_D wrote:

So this means, i have switch A, a trunk connection goes into the powerline, on another outlet, a trunk connection goes into a NIC in the ESXi (physical machine) and another trunk connection goes into switch B. By trunk I mean that I have seleced "T" on the swiches. Is that correct?

You don't have to strictly isolate it switch by switch - you can configure access-type ports for the workstations for both the normal VLAN (VLAN 1, PIVD1) as well as for the VM VLAN (VLAN10,PVID10) on each switch as with the effective trunk between the two switches (I suggest VLAN 1, PVID1, [U]natgaged and VLAN 10, [T]agged for the connection between the two switches making up the trunk.

Note: A trunk (by port, or by LAG) can carry many VLANs, where either all are [T]agged, or one does run [U]ntagged, the other VLANs [T]aged. The [T] indicates that all frames leaving the switch carry a tag with a VLAN ID, and frames coming into the switch with a tag are associated to the VLAN ID.

Tagging the frames on a link does not imply it's a trunk, but often used as one - but there can be many VLANs.

---

Jake_D wrote:

What I would like to achieve is that I have a VLAN (x) for the trusted devices on switch A, another one (VLAN y) for the trusted devices on switch B and another one (VLAN x) for all VMs on the ESXi. VLAN x should be able to reach only the internet, VLAN y should be able to reach the internet and 2 ports on switch A, VLAN x should be only able to reach the internet. All VLANs should be able to talk to hosts within the same VLAN.

I've used 1 for (x) and 10 for (y) above - less confusion.

A strict diferentiation could only be done if your Internet router would support multiple LANs, either by port, or by VLAN tag. Typical consumer routers don't. That's why you can't bring the VLAN 10 direct to the router (where another set of NAT rules would be required, a DHCP server for the additional network, ... you get the point if you master pfSense.

For a test if the PLC devices can deal with the VLAN tags, you can temporely link the VLAN 10, PVID 10 [U] to the router, configure an access port on the Switch B with VLAN 10, PVID 10, [U] - a computer on that port must be able to get an IP address from the ISP router and acess the Internet. 

Next challenge would be configuring the software switch on the VM platform.