Network Segmentation With VLANs at Home
The Problem With Flat Networks
Most home networks are flat. Every device - your laptop, phone, smart TV, IP cameras, baby monitor, thermostat, printer, and game console - sits on the same network segment. They can all communicate freely with each other. Your laptop can reach the IP camera. The baby monitor can reach the NAS. The smart thermostat can reach your desktop.
This is a problem because IoT devices are notoriously insecure. They run outdated firmware, use weak or default credentials, and receive infrequent (or no) security updates. When one of these devices is compromised - and with the volume of IoT vulnerabilities discovered every month, it is a matter of when, not if - the attacker has direct access to every other device on your network.
A compromised smart bulb becomes a pivot point to attack your NAS, exfiltrate files from your desktop, or sniff credentials from network traffic. The flat network architecture gives the attacker this lateral movement for free.
What VLANs Are
A VLAN (Virtual Local Area Network) creates logical network segments on a single physical switch. Devices on VLAN 10 cannot communicate with devices on VLAN 20, even though they are plugged into the same switch. The switch tags each Ethernet frame with a VLAN ID (using the 802.1Q standard) and only delivers frames to ports assigned to the same VLAN.
Traffic between VLANs must pass through a router or firewall. This is called inter-VLAN routing. The router applies firewall rules to this traffic, letting you control exactly what communication is allowed between segments. IoT devices on VLAN 20 can reach the internet (through the router) but cannot reach devices on VLAN 10 because the firewall blocks that traffic.
The physical infrastructure does not change. You do not need separate switches or separate cables. VLANs are a configuration change on equipment you likely already own (or can buy cheaply). The separation is enforced in hardware at the switch level.
```mermaid
graph TD
    subgraph "Flat Network - No VLANs"
        ALL_DEV[All Devices on 192.168.1.0/24]
        LAPTOP1[Laptop] <-->|Free Communication| CAMERA1[IP Camera]
        CAMERA1 <-->|Free Communication| NAS1[NAS]
        NAS1 <-->|Free Communication| IOT1[Smart Bulb]
        IOT1 <-->|Free Communication| LAPTOP1
    end
    subgraph "Segmented Network - VLANs"
        subgraph "VLAN 10 - Trusted"
            LAPTOP2[Laptop]
            NAS2[NAS]
        end
        subgraph "VLAN 20 - IoT"
            CAMERA2[IP Camera]
            IOT2[Smart Bulb]
        end
        subgraph "VLAN 30 - Guest"
            GUEST[Guest Phone]
        end
        FW[Firewall Rules]
        LAPTOP2 --> FW
        CAMERA2 --> FW
        GUEST --> FW
        FW -->|Blocked| CAMERA2
        FW -->|Allowed| INTERNET[Internet]
    end
```
Flat network vs VLAN-segmented network - VLANs prevent IoT devices from reaching your trusted devices
Hardware You Need
VLAN segmentation requires two things: a managed switch that supports 802.1Q VLANs, and a router/firewall that supports VLAN interfaces and inter-VLAN routing.
Managed switches that support VLANs are available at consumer-prosumer prices. The TP-Link TL-SG108E (around $30) handles VLANs for a small network. UniFi switches integrate with the UniFi controller for easier management. Netgear ProSafe switches offer a web-based VLAN configuration interface. Any switch marketed as "managed" or "smart managed" supports VLANs.
Router/firewall options include pfSense (discussed in a previous article), OPNsense, or a UniFi Security Gateway/Dream Machine. Consumer routers generally do not support VLANs at all - this is one of the main reasons to upgrade to a proper firewall. The firewall creates virtual interfaces for each VLAN, assigns each a different subnet, and applies firewall rules to traffic crossing between them.
If you use UniFi for your access points and switch, the UniFi controller manages VLANs, WiFi SSID-to-VLAN mapping, and firewall rules through a single interface. If you use pfSense with a separate managed switch, you configure VLANs on both devices (they must agree on VLAN IDs) and firewall rules on pfSense.
A Three-VLAN Home Setup
A practical home VLAN setup uses three segments.
VLAN 10 - Trusted (192.168.10.0/24). Computers, phones, tablets - devices you control, update, and trust. These devices can reach everything: the internet, IoT devices (if needed for management), and other trusted devices.
VLAN 20 - IoT (192.168.20.0/24). Cameras, smart speakers, thermostats, smart bulbs, robot vacuums, anything with "smart" in the name. These devices can reach the internet (they need cloud connectivity to function) but cannot initiate connections to the Trusted VLAN. If you need to access a camera's web interface from your laptop, the stateful firewall passes the return traffic of that connection (established/related state) from IoT back to Trusted; it still blocks new connections initiated from the IoT side.
VLAN 30 - Guest (192.168.30.0/24). Visitor devices. Internet access only. No access to Trusted, no access to IoT, no access to other guest devices (client isolation). Give guests the Guest WiFi password and nothing on your network is exposed to whatever is on their devices.
Configuring VLANs on Your Switch
Switch VLAN configuration involves two concepts: tagged (trunk) ports and untagged (access) ports.
Untagged/access ports connect to end devices (computers, cameras, printers). The switch assigns all traffic on that port to a specific VLAN. The end device does not know VLANs exist - it sends and receives normal Ethernet frames.
Tagged/trunk ports carry traffic for multiple VLANs simultaneously. Each frame is tagged with its VLAN ID so the other end knows which VLAN it belongs to. Trunk ports connect your switch to your router/firewall and to access points that serve multiple SSIDs on different VLANs.
Example: ports 1-4 are untagged on VLAN 10 (trusted devices), ports 5-7 are untagged on VLAN 20 (IoT devices), and port 8 is tagged for VLANs 10, 20, and 30 (trunk to the firewall). The firewall creates sub-interfaces for each VLAN on the trunk port.
Firewall Rules Between VLANs
The firewall rules make or break your segmentation. Without rules, inter-VLAN routing allows all VLANs to communicate freely - defeating the purpose.
IoT VLAN rules: Allow traffic to the internet (destination: not RFC 1918 addresses). Block traffic to VLAN 10 (Trusted). Block traffic to VLAN 30 (Guest). Allow DNS to your local DNS server (Pi-hole or the firewall itself). Allow DHCP. Block everything else.
Guest VLAN rules: Allow traffic to the internet. Block traffic to VLAN 10. Block traffic to VLAN 20. Block traffic to other Guest clients (if your switch supports per-port client isolation, enable it). Allow DNS and DHCP. Block everything else.
Trusted VLAN rules: Allow everything. Your trusted devices need full access to manage other VLANs, access the firewall interface, and reach the internet.
```mermaid
graph LR
    subgraph "VLAN 10 - Trusted"
        T[Trusted Devices]
    end
    subgraph "VLAN 20 - IoT"
        I[IoT Devices]
    end
    subgraph "VLAN 30 - Guest"
        G[Guest Devices]
    end
    subgraph "Firewall"
        FW[Inter-VLAN Rules]
    end
    INET[Internet]
    T -->|Full Access| FW
    FW -->|Allowed| INET
    FW -->|Allowed to IoT| I
    I -->|Internet Only| FW
    FW -->|Allowed| INET
    FW -->|BLOCKED to Trusted| T
    G -->|Internet Only| FW
    FW -->|Allowed| INET
    FW -->|BLOCKED to Trusted| T
    FW -->|BLOCKED to IoT| I
```
Firewall rules between VLANs - Trusted can reach everything, IoT reaches internet only, Guest reaches internet only
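The rule sets above as an executable model, added here as an illustration and not code from the article or from pfSense/OPNsense. It evaluates rules top to bottom the way a firewall does, models the state table (established replies pass before any rule), and includes a `sloppy` switch that reproduces the classic mistake of an "allow to any" internet rule placed above the inter-VLAN blocks. The subnets are the article's; the Pi-hole address 192.168.10.53 is an assumed placeholder.

```python
import ipaddress

# Constructed values: the three subnets from the article plus an assumed
# Pi-hole address on the Trusted VLAN (hypothetical, change to match yours).
VLANS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
    "guest": ipaddress.ip_network("192.168.30.0/24"),
}
DNS_SERVER = ipaddress.ip_address("192.168.10.53")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vlan_of(addr):
    """Name of the VLAN an address belongs to, or 'internet' if none."""
    addr = ipaddress.ip_address(addr)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"


def decide(src, dst, dport=None, proto="tcp", established=False, sloppy=False):
    """Return 'allow' or 'block' for one packet, checking rules top to bottom.
    established=True models the firewall's state table: replies to a flow it
    already accepted pass before any rule (this is what lets a Trusted laptop
    browse a camera on IoT). sloppy=True reproduces a common misconfiguration:
    an 'allow to any' internet rule placed above the inter-VLAN block rules."""
    dst = ipaddress.ip_address(dst)
    if established:
        return "allow"
    s = vlan_of(src)
    if s == "trusted":
        return "allow"                      # Trusted VLAN: allow everything
    if s in ("iot", "guest"):
        if sloppy:
            return "allow"                  # 'pass to any' shadows every block
        if dst == DNS_SERVER and dport == 53:
            return "allow"                  # local DNS (Pi-hole / firewall)
        if proto == "udp" and dport == 67:
            return "allow"                  # DHCP to the VLAN gateway
        if any(dst in net for net in RFC1918):
            return "block"                  # other local segments, Guest->Guest too
        return "allow"                      # everything else is the internet
    return "block"                          # default deny
```

The order of the RFC 1918 block and the internet allow is the whole point: with `sloppy=True` an IoT host reaches the Trusted NAS even though "block to VLAN 10" exists further down.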
WiFi SSIDs Per VLAN
To place wireless devices on the correct VLAN, create separate WiFi SSIDs mapped to each VLAN. Most modern access points (UniFi, TP-Link Omada, and many others) support multiple SSIDs, each tagged to a different VLAN.
"HomeNet" on VLAN 10 for your phones and laptops. "HomeIoT" on VLAN 20 for smart devices. "HomeGuest" on VLAN 30 for visitors. Each SSID uses its own password (except Guest, which you might leave open or use a simple password you are comfortable sharing).
When setting up IoT devices, connect them to the HomeIoT SSID during initial setup. Some IoT devices need to talk to your phone directly during configuration, and if the phone and the device are on different VLANs the setup may fail. A workaround: temporarily connect your phone to the IoT SSID for setup, then switch back to the Trusted SSID afterward.
Testing Isolation
After configuring VLANs and firewall rules, verify that isolation actually works. Do not assume your configuration is correct.
Connect a device to the IoT VLAN and try to ping a device on the Trusted VLAN. It should fail. Try to access the firewall's web interface from the IoT VLAN. It should be blocked (or allowed, depending on your management policy). Connect to the Guest VLAN and try to reach anything on the local network. Everything should fail except DNS and internet access.
The BLEShark Nano adds another dimension to testing. Connect it to each VLAN's WiFi SSID and run a scan. From the IoT SSID, the Nano should see IoT devices but not Trusted devices (at the IP layer - WiFi broadcasts may still be visible). From the Guest SSID, it should see only itself. This verifies that your VLAN-to-SSID mapping is correct and that isolation is enforced.
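A small isolation checker for the tests described above, added as an example and not part of the original article. Run from a machine on the IoT VLAN, it probes an expectation matrix with TCP connects and reports every result that contradicts the policy; the target addresses are assumed sample hosts, and the `probe` parameter exists so the logic can be exercised against a simulated firewall without a network.

```python
import socket

# Constructed expectation matrix for the three-VLAN layout in the article,
# written for a test box plugged into the IoT VLAN. Target addresses are
# assumed sample hosts (hypothetical); edit them to match your network.
# Entries: (description, target_ip, tcp_port, should_connect)
IOT_EXPECTATIONS = [
    ("Trusted NAS SMB from IoT", "192.168.10.20", 445, False),
    ("Firewall web UI from IoT", "192.168.10.1", 443, False),
    ("Guest client from IoT", "192.168.30.7", 22, False),
    ("Local DNS (TCP) from IoT", "192.168.10.53", 53, True),
    ("Internet HTTPS from IoT", "1.1.1.1", 443, True),
]


def tcp_probe(host, port, timeout=2.0):
    """True if a TCP handshake completes. A 'block' rule shows up as a
    timeout (drop) or connection refused (reject); both count as blocked.
    TCP is used because ICMP ping needs raw sockets and UDP gives no answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_isolation(expectations, probe=tcp_probe):
    """Probe every entry and return the ones whose result contradicts the
    policy. An empty list means the firewall behaves as documented; any
    'reachable' entry that should be False is a hole in the segmentation."""
    failures = []
    for desc, host, port, expected in expectations:
        reachable = probe(host, port)
        if reachable != expected:
            failures.append((desc, host, port,
                             "reachable" if reachable else "unreachable"))
    return failures


if __name__ == "__main__":
    for failure in check_isolation(IOT_EXPECTATIONS):
        print("MISMATCH:", *failure)
```

Build a second matrix for the Guest VLAN (everything local should be unreachable) and run the script from there as well; a clean run from both segments is the evidence that the rules do what the previous section says.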
Common Mistakes
Several mistakes commonly derail home VLAN deployments.
VLAN ID mismatch. The VLAN IDs on your switch, firewall, and access points must match exactly. If your switch tags IoT traffic as VLAN 20 but your firewall expects VLAN 200, that traffic goes nowhere. Double-check IDs on every device.
Forgetting to allow DNS. IoT devices on a separate VLAN need DNS access to function. If your DNS server (Pi-hole or the firewall) is on a different VLAN, you need a firewall rule explicitly allowing DNS queries from the IoT VLAN to the DNS server's IP. Without it, IoT devices cannot resolve domain names and appear to have no internet.
No inter-VLAN routing on the firewall. Creating VLANs on the switch but not configuring corresponding interfaces on the firewall means VLAN traffic has nowhere to go. Each VLAN needs a gateway address on the firewall, a DHCP scope, and firewall rules.
Overcomplicating the setup. Three VLANs (Trusted, IoT, Guest) handle 95% of home use cases. Adding VLANs for printers, media servers, gaming, and home automation individually creates a management burden that most home users will not maintain. Start simple.