
Homelab Network Segmentation with VLANs: A Practical Guide

Networking · 2026-02-15 · 10 min read
Tags: vlan, networking, security, segmentation, firewall, homelab, managed-switch
By HomeLab Starter Editorial Team. Home lab enthusiasts covering hardware setup, networking, and self-hosted services for home and small office environments.

A flat network is a security liability. When every device in your home -- your kid's tablet, your smart thermostat, your NAS full of family photos, your Proxmox host running a dozen containers -- sits on the same Layer 2 network, any compromised device can reach everything else. A hacked smart bulb can scan your NAS. A guest on your Wi-Fi can discover your management interfaces. An experimental container with an open port is accessible from every device in the house.


VLANs (Virtual Local Area Networks) solve this by splitting one physical network into multiple isolated segments. Devices on VLAN 10 cannot see devices on VLAN 20 unless you explicitly create a firewall rule allowing specific traffic. It is the same technology that enterprises use to separate departments, and it works just as well at home. This guide walks you through planning, configuring, and maintaining VLANs in a homelab environment.

What VLANs Actually Do

Without VLANs, every device plugged into your switch (or connected to your Wi-Fi) shares the same broadcast domain. ARP requests, DHCP discovers, and mDNS announcements from one device reach all others. This is convenient for discovery but terrible for security and performance.

A VLAN creates a virtual boundary inside your switch. Ports assigned to VLAN 10 behave as if they are on a completely separate physical switch from ports on VLAN 20. Broadcast traffic stays within its VLAN. Devices cannot communicate across VLANs without a router (your firewall) making explicit forwarding decisions.

The key concept is VLAN tagging (802.1Q). When a frame travels between switches or between a switch and a router, a 4-byte tag is inserted into the Ethernet frame header that identifies which VLAN it belongs to. Ports come in two types:
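The tag layout described above, shown as an added illustration that is not part of the original article: this Python builds a constructed ARP broadcast frame, inserts an 802.1Q tag the way a trunk port would, parses it back, and strips it the way an access port does on egress. The MAC addresses and frame contents are made up for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces a VLAN tag follows


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


# Constructed sample: an untagged ARP request (EtherType 0x0806) from a made-up MAC.
UNTAGGED = (mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes("02:00:00:00:00:01")
            + struct.pack("!H", 0x0806) + b"\x00" * 28)


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094; 0 and 4095 are reserved")
    # Tag Control Information: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return addressing, VLAN id (None when untagged) and the payload EtherType."""
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    if ethertype == TPID_8021Q:          # tagged: TCI follows, then the real EtherType
        (tci,) = struct.unpack("!H", frame[14:16])
        pcp, vid = tci >> 13, tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp, "ethertype": ethertype}


def strip_tag(frame: bytes) -> bytes:
    """What an untagged (access) port does on egress: drop the tag if one is present."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    tagged = tag_frame(UNTAGGED, 30, pcp=5)
    print(parse_frame(tagged))
```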

Planning Your VLAN Architecture

Before touching any configuration, plan your VLANs on paper. The most common homelab VLAN layout looks like this:

VLAN ID | Name         | Subnet          | Purpose
1       | Default      | 192.168.1.0/24  | Management (switch, firewall, AP management interfaces)
10      | Trusted      | 10.0.10.0/24    | Your personal devices (laptops, phones, desktops)
20      | Lab/Services | 10.0.20.0/24    | Homelab servers and services
30      | IoT          | 10.0.30.0/24    | Smart home devices, cameras, sensors
40      | Guest        | 10.0.40.0/24    | Guest Wi-Fi, untrusted devices
50      | Management   | 10.0.50.0/24    | IPMI/iLO/iDRAC, switch management

Some notes on this design:

Hardware Requirements

You need three things to run VLANs:

1. A Managed Switch

Unmanaged switches do not understand VLANs. You need a managed (or "smart managed") switch that supports 802.1Q VLAN tagging. Good budget options for homelabs:

If you already have a switch, check whether it supports 802.1Q VLANs in its management interface. If it only has a "Port-Based VLAN" option without tagging, it will not work for proper VLAN segmentation.

2. A VLAN-Aware Firewall/Router

Your firewall needs to route traffic between VLANs and enforce rules about what is allowed. Popular choices:

The firewall connects to the switch via a trunk port carrying all VLANs. It assigns an IP on each VLAN interface and acts as the default gateway for every subnet.

3. VLAN-Capable Access Points (for Wi-Fi)

If you want VLANs on your wireless network (which you should for IoT and guest isolation), your access points need to support VLAN tagging per SSID. Most enterprise and prosumer APs support this:

Consumer routers in "AP mode" generally do not support VLAN tagging.


Step-by-Step: Configuring VLANs

This walkthrough uses OPNsense as the firewall and a TP-Link managed switch. The concepts apply to any VLAN-capable equipment.

Step 1: Configure the Trunk Port on Your Switch

Log into your managed switch's web UI and configure the port connected to your firewall as a trunk port carrying all VLANs:

Port 1 (to firewall): Tagged on VLANs 10, 20, 30, 40, 50
                       PVID = 1 (untagged traffic goes to VLAN 1)

On a TP-Link switch, this is under "VLAN" > "802.1Q VLAN". Create each VLAN, then set Port 1 as "Tagged" for all of them.

Step 2: Assign Access Ports

Assign each remaining switch port to the appropriate VLAN as an untagged (access) port:

Port 2: Untagged VLAN 20 (Proxmox host -- or tagged if host needs multiple VLANs)
Port 3: Untagged VLAN 20 (NAS)
Port 4: Untagged VLAN 10 (Desktop)
Port 5: Untagged VLAN 30 (IoT hub)
Port 6: Untagged VLAN 20 (Docker host)
Port 7: Tagged VLANs 10, 30, 40 (Access Point trunk)
Port 8: Untagged VLAN 50 (IPMI/management)

Note that the access point also gets a trunk port -- it needs to put each SSID on a different VLAN.

Step 3: Create VLAN Interfaces on OPNsense

In OPNsense, navigate to Interfaces > Other Types > VLAN and create a VLAN interface for each network:

Parent interface: igc0 (your LAN port connected to the switch)
VLAN tag: 10     Description: Trusted
VLAN tag: 20     Description: Lab
VLAN tag: 30     Description: IoT
VLAN tag: 40     Description: Guest
VLAN tag: 50     Description: Management

Then go to Interfaces > Assignments and assign each VLAN interface. Enable each one and configure its IP:

VLAN 10 (Trusted):    Static IP 10.0.10.1/24
VLAN 20 (Lab):        Static IP 10.0.20.1/24
VLAN 30 (IoT):        Static IP 10.0.30.1/24
VLAN 40 (Guest):      Static IP 10.0.40.1/24
VLAN 50 (Management): Static IP 10.0.50.1/24

Step 4: Configure DHCP per VLAN

Set up a DHCP server on each VLAN interface in Services > DHCPv4:

VLAN 10 (Trusted):    Range 10.0.10.100 - 10.0.10.254, DNS = 10.0.10.1
VLAN 20 (Lab):        Range 10.0.20.100 - 10.0.20.254, DNS = 10.0.20.1
VLAN 30 (IoT):        Range 10.0.30.100 - 10.0.30.254, DNS = 10.0.30.1
VLAN 40 (Guest):      Range 10.0.40.100 - 10.0.40.254, DNS = 10.0.40.1
VLAN 50 (Management): Range 10.0.50.100 - 10.0.50.254, DNS = 10.0.50.1

You can point DNS to Pi-hole or AdGuard Home on specific VLANs while using a standard DNS on others.

Step 5: Create Firewall Rules

This is the most important step. Without firewall rules, all VLANs can reach each other by default (the router forwards everything). You need to explicitly define what is and is not allowed.

In OPNsense, go to Firewall > Rules and configure rules per VLAN interface. The general principle is to deny inter-VLAN traffic by default, then allow specific exceptions.

IoT VLAN (VLAN 30) -- restrictive:

# Allow DNS to firewall (so DHCP-assigned DNS works)
Pass | Source: IoT net | Dest: IoT address | Port: 53 | Proto: TCP/UDP

# Allow IoT devices to reach the internet
Pass | Source: IoT net | Dest: !RFC1918 | Port: any | Proto: any

# Block everything else (implicit, but explicit is clearer)
Block | Source: IoT net | Dest: any

Guest VLAN (VLAN 40) -- internet only:

# Allow DNS
Pass | Source: Guest net | Dest: Guest address | Port: 53

# Allow internet, block all private subnets
Pass | Source: Guest net | Dest: !RFC1918 | Port: any

# Block everything else
Block | Source: Guest net | Dest: any

Trusted VLAN (VLAN 10) -- can access Lab services:

# Allow access to Lab VLAN (for accessing services)
Pass | Source: Trusted net | Dest: Lab net | Port: any

# Allow internet
Pass | Source: Trusted net | Dest: any | Port: any

Lab VLAN (VLAN 20) -- can reach internet, limited inter-VLAN:

# Allow internet
Pass | Source: Lab net | Dest: !RFC1918 | Port: any

# Allow lab devices to reach each other
Pass | Source: Lab net | Dest: Lab net | Port: any

# Block access to other VLANs
Block | Source: Lab net | Dest: RFC1918

The !RFC1918 alias is a shortcut for "not private IP addresses" -- effectively meaning internet-only. Create an alias in OPNsense containing 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 and use its negation.

Handling Proxmox and Docker Across VLANs

If your Proxmox host needs to run VMs on different VLANs, configure its switch port as a trunk and create VLAN-aware bridges in Proxmox:

# /etc/network/interfaces on Proxmox
auto vmbr0
iface vmbr0 inet static
    address 10.0.20.10/24
    gateway 10.0.20.1
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 10 20 30 50

Then, when creating a VM or container, assign it to a specific VLAN by setting the VLAN tag on its network interface in the network settings.

For Docker, the simplest approach is to run Docker on a host that sits on the Lab VLAN. If you need Docker containers to be accessible from other VLANs, expose them via your reverse proxy (which can have interfaces on multiple VLANs) rather than giving containers direct VLAN access.

Common VLAN Architectures

Basic Home + Lab (3 VLANs)

For a minimal setup, use three VLANs:

This gives you the core security benefit (IoT isolation) without excessive complexity.

Full Segmentation (5-6 VLANs)

This is the layout from the planning section above; it adds the Guest and Management VLANs. This is where most mature homelabs end up.

Multi-Site with VPN (Advanced)

If you have a homelab at two locations (home and office, or home and a friend's house), you can extend VLANs across a WireGuard tunnel:

# Site A: WireGuard interface on OPNsense with VLAN routing
# Site B: Same VLAN IDs, same subnets routed over the tunnel
# Use different DHCP ranges per site to avoid conflicts:
#   Site A: 10.0.20.100-10.0.20.199
#   Site B: 10.0.20.200-10.0.20.254

Troubleshooting VLANs

Device Cannot Get an IP Address

The most common VLAN problem. Check these in order:

  1. Is the switch port correctly configured? Verify the port is set to the right VLAN as untagged/access.
  2. Is DHCP running on that VLAN interface? Check your firewall's DHCP service.
  3. Is the VLAN interface enabled? In OPNsense, assigned interfaces must be explicitly enabled.
  4. Can you ping the gateway? Assign a static IP in the right subnet on the device and try pinging the firewall's VLAN IP.

# On the device, manually set an IP (eth0 is an example interface name) and test
sudo ip addr add 10.0.20.50/24 dev eth0
ping -c 4 10.0.20.1

Devices on the Same VLAN Cannot See Each Other

Check whether your switch has "port isolation" or "private VLAN" enabled. Some switches enable this by default, which blocks intra-VLAN traffic.

Cannot Access a Service on Another VLAN

Verify that your firewall rules allow the specific traffic. Use the firewall's live log to see which rules are matching:

# In OPNsense: Firewall > Log Files > Live View
# Filter by source and destination to see if traffic is being blocked

mDNS/Bonjour Not Working Across VLANs

mDNS (used by Chromecast, AirPlay, Home Assistant discovery) is broadcast-based and does not cross VLAN boundaries. You need an mDNS reflector:

# Install Avahi on your firewall or a dedicated host; the host needs an
# interface on every VLAN it should reflect between
sudo apt install avahi-daemon

# Edit /etc/avahi/avahi-daemon.conf
[reflector]
enable-reflector=yes

# Restart the daemon so the setting takes effect
sudo systemctl restart avahi-daemon

Alternatively, OPNsense has an mDNS repeater plugin that handles this natively.

Maintaining Your VLAN Setup

Once your VLANs are configured, document everything:

# Document your VLAN assignments
echo "VLAN Map - Updated $(date)" > ~/vlan-map.txt
echo "VLAN 10 - Trusted  - 10.0.10.0/24 - Personal devices" >> ~/vlan-map.txt
echo "VLAN 20 - Lab      - 10.0.20.0/24 - Servers and services" >> ~/vlan-map.txt
echo "VLAN 30 - IoT      - 10.0.30.0/24 - Smart home devices" >> ~/vlan-map.txt
echo "VLAN 40 - Guest    - 10.0.40.0/24 - Guest Wi-Fi" >> ~/vlan-map.txt
echo "VLAN 50 - Mgmt     - 10.0.50.0/24 - IPMI/management" >> ~/vlan-map.txt

Review your firewall rules quarterly. As you add services, you will need to punch holes for specific traffic flows. Each new rule should be as narrow as possible -- allow only the specific ports and protocols needed, not blanket access.

VLANs add a small amount of operational overhead to your homelab, but the security and organizational benefits are substantial. Once you have the initial setup working, day-to-day management is minimal, and you will wonder how you ever ran everything on a flat network.
