VLAN Segmentation: Isolating Your Home Lab Network
When your home lab lives on the same flat network as your family's phones, laptops, and smart TVs, everything can talk to everything. Your kid's tablet can reach your NAS. A compromised IoT device can reach your password manager. A misconfigured Docker container can broadcast to every device on the subnet.
VLANs (Virtual Local Area Networks) fix this by carving one physical network into multiple isolated logical networks. Devices on different VLANs can't see each other unless you explicitly create a firewall rule allowing it. It's the same technology enterprises use to separate departments — and it works beautifully in a home lab.
This guide covers why VLANs matter, what hardware you need, and how to set them up with a managed switch and pfSense or OPNsense.
Why Bother with VLANs?
Security Isolation
The biggest reason. Without VLANs, a compromised device on your network has Layer 2 access to everything else. With VLANs:
- Your IoT devices (smart bulbs, cameras, robot vacuums) are isolated from your main network. These devices are notorious for poor security, slow patches, and phoning home to questionable servers. Isolate them.
- Your home lab servers are separated from family devices. An experimental service with an open port doesn't expose your family's traffic.
- Your guest network is truly isolated — visitors get internet access without seeing your NAS, printers, or lab equipment.
Traffic Management
VLANs let you apply different firewall rules, bandwidth limits, and DNS settings per network segment. Your IoT devices can be blocked from accessing the internet except for their required cloud services. Your lab network can use Pi-hole while your family uses a regular DNS.
Organization
A clean VLAN setup makes your network easier to understand and troubleshoot. Instead of 50 devices on one /24 subnet, you have logical groups: Trusted (VLAN 10), Lab (VLAN 20), IoT (VLAN 30), Guest (VLAN 40), each with its own subnet, DHCP range, and firewall rules.
What You Need
A Managed Switch
This is the key piece of hardware. Unmanaged switches (the cheap ones most people have) don't support VLANs. You need a "managed" or "smart managed" switch with 802.1Q VLAN tagging.
Good options for home labs:
| Switch | Ports | Approximate Price | Notes |
|---|---|---|---|
| TP-Link TL-SG108E | 8x 1GbE | $30 | Budget "easy smart" switch. Basic VLAN support. |
| Netgear GS308T | 8x 1GbE | $50 | Full managed. Web UI and CLI. |
| TP-Link TL-SG3210XHP-M2 | 8x 2.5GbE + 2x SFP+ | $200 | PoE, 2.5G, great for a larger lab. |
| MikroTik CSS326 | 24x 1GbE + 2x SFP+ | $120 | 24 ports with SFP+ uplinks. |
| Used HP/Aruba 2530 | 24-48x 1GbE | $30-60 | Enterprise quality, fanless models available. |
| Used Cisco SG300 | 24-52x 1GbE | $30-50 | Well-documented, widely supported. |
For a small lab, the TP-Link TL-SG108E ($30) or a used HP 2530 ($40) is plenty. You don't need anything fancy — just 802.1Q VLAN support and a web management interface.
A Router/Firewall with VLAN Support
Your router needs to be the gateway for all VLANs, routing traffic between them (when allowed) and providing DHCP for each VLAN subnet. Consumer routers typically don't support VLANs. You need:
- pfSense or OPNsense: The most common choice. Runs on any x86 hardware. Full VLAN support.
- MikroTik RouterOS: Built into MikroTik routers. Capable but steeper learning curve.
- Ubiquiti UniFi: If you're in the UniFi ecosystem, their gateways handle VLANs natively.
- OpenWrt: If you want to VLAN-enable a consumer router. Hit or miss depending on hardware support.
This guide uses pfSense/OPNsense for the examples since they're the most common in home labs.
Planning Your VLANs
Before touching any hardware, plan your VLAN layout. Here's a common home lab scheme:
| VLAN ID | Name | Subnet | Purpose |
|---|---|---|---|
| 1 | Management | 192.168.1.0/24 | Switch management, iDRAC/iLO, router admin |
| 10 | Trusted | 192.168.10.0/24 | Personal devices — laptops, phones, desktops |
| 20 | Lab | 192.168.20.0/24 | Home lab servers, VMs, containers |
| 30 | IoT | 192.168.30.0/24 | Smart home devices, cameras, sensors |
| 40 | Guest | 192.168.40.0/24 | Guest WiFi, visitors |
VLAN 1 is the default/native VLAN on most switches. Some people avoid using VLAN 1 for security reasons (certain attacks target the native VLAN), but for a home lab, it's fine for management.
Key firewall rules you'll want:
- Trusted can reach everything
- Lab can reach the internet but not Trusted
- IoT can reach the internet (limited) but not Trusted or Lab
- Guest can reach only the internet
- All VLANs can reach the router for DNS and DHCP
Setting Up VLANs
Step 1: Configure the Switch
The exact steps depend on your switch model, but the concept is the same everywhere.
Terminology:
- Tagged port (trunk): Carries traffic for multiple VLANs. Frames include a VLAN tag header. Used for connections between switches, and between the switch and the router.
- Untagged port (access): Assigned to a single VLAN. Frames have no VLAN tag. Used for end devices (computers, servers, IoT devices).
Example for a TP-Link TL-SG108E:
- Log into the switch web UI (default: 192.168.0.1)
- Go to VLAN > 802.1Q VLAN
- Enable 802.1Q VLAN
- Create VLANs:
- VLAN 10: Ports 2-3 untagged (trusted devices), Port 1 tagged (trunk to router)
- VLAN 20: Ports 4-5 untagged (lab servers), Port 1 tagged
- VLAN 30: Ports 6-7 untagged (IoT devices), Port 1 tagged
- VLAN 40: Port 8 untagged (guest AP), Port 1 tagged
- Set PVID (Port VLAN ID) for each untagged port to match its VLAN
Port 1 is the trunk port — it connects to your firewall and carries all VLANs tagged. Every other port is an access port — assigned to one VLAN, no tagging.
Step 2: Configure VLANs on pfSense/OPNsense
Create VLAN Interfaces
In pfSense:
- Go to Interfaces > Assignments > VLANs
- Click Add for each VLAN:
- Parent Interface: your LAN interface (e.g., igb1)
- VLAN Tag: 10 (or 20, 30, 40)
- Description: "Trusted" (or "Lab", "IoT", "Guest")
- Repeat for each VLAN
In OPNsense:
- Go to Interfaces > Other Types > VLAN
- Click + to add each VLAN with the parent interface, tag, and description
Assign Interfaces
- Go to Interfaces > Assignments
- Add each new VLAN interface
- Click on each new interface to configure it:
- Enable the interface
- Set IPv4 Configuration Type to "Static IPv4"
- Set the IP address for this VLAN's gateway:
VLAN 10 (Trusted): 192.168.10.1/24
VLAN 20 (Lab): 192.168.20.1/24
VLAN 30 (IoT): 192.168.30.1/24
VLAN 40 (Guest): 192.168.40.1/24
Set Up DHCP
For each VLAN interface, enable DHCP:
- Go to Services > DHCP Server
- Select the VLAN interface tab
- Enable DHCP
- Set the range:
VLAN 10: 192.168.10.100 - 192.168.10.250
VLAN 20: 192.168.20.100 - 192.168.20.250
VLAN 30: 192.168.30.100 - 192.168.30.250
VLAN 40: 192.168.40.100 - 192.168.40.250
Set DNS servers per VLAN. For example, the Lab VLAN might point to Pi-hole (192.168.20.5) while the Guest VLAN points to Cloudflare (1.1.1.1).
Step 3: Create Firewall Rules
This is where the actual isolation happens. Without firewall rules, VLANs can still communicate through the router. You need explicit rules on each VLAN interface.
On the Trusted VLAN (10) — Allow everything:
Action: Pass
Source: VLAN10 net
Destination: any
Description: Allow Trusted to access everything
On the Lab VLAN (20) — Internet yes, Trusted no:
Rule 1:
Action: Block
Source: VLAN20 net
Destination: VLAN10 net
Description: Block Lab from reaching Trusted
Rule 2:
Action: Pass
Source: VLAN20 net
Destination: any
Description: Allow Lab to access internet and other VLANs
On the IoT VLAN (30) — Internet only, nothing local:
Rule 1:
Action: Pass
Source: VLAN30 net
Destination: VLAN30 address (gateway only)
Destination Port: 53
Description: Allow IoT to use router DNS
Rule 2:
Action: Block
Source: VLAN30 net
Destination: RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
Description: Block IoT from all private networks
Rule 3:
Action: Pass
Source: VLAN30 net
Destination: any
Description: Allow IoT to reach the internet
The RFC1918 block rule is the key trick for IoT isolation. It blocks access to all private IP ranges (your internal networks) while still allowing internet access. Create an alias called "RFC1918" containing 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 and reference it in the rule.
On the Guest VLAN (40) — Same as IoT, internet only:
Rule 1:
Action: Pass
Source: VLAN40 net
Destination: VLAN40 address
Destination Port: 53
Description: Allow Guest DNS
Rule 2:
Action: Block
Source: VLAN40 net
Destination: RFC1918
Description: Block Guest from all private networks
Rule 3:
Action: Pass
Source: VLAN40 net
Destination: any
Description: Allow Guest internet access
Step 4: Test the Configuration
Verification is crucial. Connect a device to each VLAN and test:
# From a device on the Lab VLAN (20):
# Should work — internet access
ping 8.8.8.8
curl https://example.com
# Should work — reach other Lab devices
ping 192.168.20.5
# Should FAIL — can't reach Trusted VLAN
ping 192.168.10.100
# Should work — reach the gateway for DNS
ping 192.168.20.1
nslookup example.com
# From a device on the IoT VLAN (30):
# Should work — internet
ping 8.8.8.8
# Should FAIL — can't reach any other VLAN
ping 192.168.10.100 # Trusted — blocked
ping 192.168.20.100 # Lab — blocked
ping 192.168.40.100 # Guest — blocked
If traffic is getting through when it shouldn't be, check your firewall rules. Remember that pfSense/OPNsense rules are processed top to bottom — the first matching rule wins. Block rules should come before pass rules.
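To see how the Step 3 rule sets and the top-to-bottom ordering rule interact, here is an added example (written for this page, not code from the guide or from pfSense/OPNsense) that models first-match evaluation of those rules with Python's ipaddress module. It assumes the gateway addresses from Step 2 (192.168.x.1) stand in for "VLANxx address", and that a packet matching no rule falls through to a default deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

def nets(*cidrs: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c) for c in cidrs]

# Aliases from the guide: the RFC1918 alias used by the IoT/Guest block rules, and "any".
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = nets("0.0.0.0/0")

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int] = None       # None matches any destination port
    desc: str = ""

# Step 3 rule sets, per VLAN interface, in the order they are evaluated (top to bottom).
# Gateway addresses (192.168.x.1) are the ones assigned in Step 2.
RULES = {
    "VLAN20": [
        Rule("block", nets("192.168.20.0/24"), nets("192.168.10.0/24"), desc="Block Lab from reaching Trusted"),
        Rule("pass", nets("192.168.20.0/24"), ANY, desc="Allow Lab to access internet and other VLANs"),
    ],
    "VLAN30": [
        Rule("pass", nets("192.168.30.0/24"), nets("192.168.30.1/32"), 53, "Allow IoT to use router DNS"),
        Rule("block", nets("192.168.30.0/24"), RFC1918, desc="Block IoT from all private networks"),
        Rule("pass", nets("192.168.30.0/24"), ANY, desc="Allow IoT to reach the internet"),
    ],
    "VLAN40": [
        Rule("pass", nets("192.168.40.0/24"), nets("192.168.40.1/32"), 53, "Allow Guest DNS"),
        Rule("block", nets("192.168.40.0/24"), RFC1918, desc="Block Guest from all private networks"),
        Rule("pass", nets("192.168.40.0/24"), ANY, desc="Allow Guest internet access"),
    ],
}

def evaluate(rules: List[Rule], src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return "pass" or "block" for a packet entering the interface from src.
    First matching rule wins; a packet matching nothing hits the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if any(s in n for n in r.src) and any(d in n for n in r.dst) \
                and (r.dport is None or r.dport == dport):
            return r.action
    return "block"

if __name__ == "__main__":
    print("IoT -> Lab:", evaluate(RULES["VLAN30"], "192.168.30.100", "192.168.20.100"))
    # Misordered: pass-any placed above the RFC1918 block, so the block never matches.
    print("IoT -> Lab (misordered):", evaluate(RULES["VLAN30"][::-1], "192.168.30.100", "192.168.20.100"))
```

Reversing the IoT rule list reproduces the ordering mistake described above: with the pass-any rule on top, the RFC1918 block is never reached and IoT devices can reach the Lab subnet.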
Adding WiFi VLANs
Most WiFi access points support multiple SSIDs, each mapped to a VLAN. This lets you have separate WiFi networks (Home, IoT, Guest) that map to your VLANs.
- Ubiquiti UniFi APs: Create separate networks in the UniFi controller, each with a VLAN tag. Create one SSID per network.
- TP-Link Omada APs: Similar to UniFi — create VLAN profiles and assign to SSIDs.
- OpenWrt APs: Create multiple wireless interfaces, each bridged to a VLAN interface.
The AP connects to the switch on a trunk port (tagged for all WiFi VLANs). When a device connects to the "IoT" SSID, its traffic is tagged with VLAN 30 and isolated from everything else.
Common Mistakes
Locking yourself out: If you misconfigure the management VLAN, you can lose access to the switch. Before making changes, make sure you have a way back in — like a console cable or a port that stays on the management VLAN.
Forgetting PVID settings: If a port's PVID doesn't match its untagged VLAN assignment, untagged traffic goes to the wrong VLAN. Always set PVID when configuring access ports.
Missing DNS rules: If IoT/Guest VLANs can't reach DNS, nothing works even though the internet is technically accessible. Make sure DNS (port 53) to the gateway is allowed.
Not testing both directions: Just because VLAN 30 can't reach VLAN 10 doesn't mean the reverse is true. Firewall rules are per-interface. If you want bidirectional blocking, add rules on both interfaces (though usually you want Trusted to reach everything).
VLAN segmentation transforms a home network from a flat, trust-everything topology into a properly structured network where you control exactly what can talk to what. The initial setup takes an afternoon, but once it's done, it runs maintenance-free. Your IoT toaster can't touch your password vault, your guests get internet without seeing your lab, and your home network finally behaves like a network should.