VLAN Network Segmentation for Your Homelab

Networking 2026-03-04 · 6 min read vlans networking security pfsense opnsense managed-switch segmentation
By HomeLab Starter Editorial Team — Home lab enthusiasts covering hardware setup, networking, and self-hosted services for home and small office environments.

VLAN Network Segmentation for Your Homelab

Photo by Mehdi Mirzaie on Unsplash

Most homelabs start flat: everything on the same network, from your NAS to your sketchy smart thermostat. That works until the thermostat gets compromised and starts scanning your local network. VLANs let you carve your network into isolated segments — keeping IoT junk away from your servers, giving guests internet access without LAN access, and isolating experiments from production systems.

This guide covers VLAN fundamentals and practical setup with managed switches and either pfSense or OPNsense.

Why Bother with VLANs?

Security: IoT devices are notoriously insecure. VLAN segmentation contains a compromised device — it can't reach your NAS or workstations even if it's fully owned.

Experiment isolation: Running a new tool that might have side effects on the network? Spin it up in a lab VLAN. It can't break your production services.

Traffic shaping: Apply QoS rules per VLAN. Give video calls higher priority than bulk downloads. Throttle the guest network.

Compliance: If you handle any sensitive data, network segmentation is often a baseline requirement.

How VLANs Work

A VLAN (Virtual LAN) tags Ethernet frames with a VLAN ID (1–4094). Managed switches read these tags and either:

Forward the frame on ports configured for that VLAN
Drop the frame if the port isn't allowed to carry that VLAN

Access ports: Strip VLAN tags — connect end devices (PCs, NAS, cameras). The device doesn't know it's on a VLAN.

Trunk ports: Carry multiple VLANs tagged — connect switches to routers, or switches to other switches. The router sees each VLAN as a separate logical interface.

Hardware Requirements

Router/Firewall: pfSense, OPNsense, or a router that supports VLANs (OpenWrt, Ubiquiti EdgeRouter). Your firewall is where you create VLAN interfaces and write inter-VLAN firewall rules.

Managed switch: Any switch that supports 802.1Q VLAN tagging. Good options:

TP-Link TL-SG108E: ~$30, 8-port, web GUI — great for beginners
Netgear GS308E: ~$35, 8-port
UniFi USW-Lite-8-PoE: ~$109, solid ecosystem integration
Cisco SG350: Enterprise-grade, more complex CLI

Unmanaged switches: Cannot do VLANs. All ports carry all traffic. You need at least one managed switch.

Access points: For wireless VLANs, your AP needs to support multiple SSIDs mapped to different VLANs. UniFi APs do this natively. OpenWrt APs can with configuration.

Like what you're reading? Subscribe to HomeLab Starter — free weekly guides in your inbox.

Planning Your VLANs

Design your VLANs before touching hardware. A typical homelab setup:

VLAN ID	Name	Subnet	Purpose
10	Trusted	192.168.10.0/24	Workstations, laptops
20	Servers	192.168.20.0/24	NAS, Proxmox, self-hosted apps
30	IoT	192.168.30.0/24	Smart home, cameras, sensors
40	Guest	192.168.40.0/24	Visitor WiFi
50	Lab	192.168.50.0/24	Experiments, VMs

VLAN 1 (default) is usually the management VLAN. Keep it separate or change the management VLAN to something non-default.

Inter-VLAN Rules (Firewall Policy)

Before you configure anything, decide what can talk to what:

Trusted → Servers: ALLOW (access your own services)
Trusted → IoT: DENY (don't let workstations probe IoT)
Trusted → Guest: DENY
Servers → IoT: Limited (only specific ports, e.g., MQTT)
IoT → Internet: ALLOW (many IoT devices need cloud)
IoT → Servers: DENY
IoT → Trusted: DENY
Guest → Internet: ALLOW
Guest → Everything else: DENY
Lab → Internet: ALLOW
Lab → Servers: DENY (or limited)

Write these down before you start. Firewall rules are easier to add when you have a policy document to reference.

Step 1: Configure VLANs on pfSense/OPNsense

Create VLAN Interfaces

In pfSense: Interfaces → Assignments → VLANs → Add

For each VLAN:

Parent Interface: The physical NIC connected to your switch trunk port
VLAN Tag: 10, 20, 30, etc.
Description: Trusted, Servers, IoT, etc.

Assign Interfaces

After creating VLANs, assign them as interfaces: Interfaces → Assignments → Add (select each VLAN)

Enable each interface and assign an IP (the gateway for that subnet):

VLAN 10: 192.168.10.1/24
VLAN 20: 192.168.20.1/24
VLAN 30: 192.168.30.1/24
etc.

Enable DHCP per VLAN

Services → DHCP Server → [each interface]

Configure a DHCP pool for each VLAN:

VLAN 10: 192.168.10.100–192.168.10.200
VLAN 20: 192.168.20.100–192.168.20.200
etc.

Write Firewall Rules

Firewall → Rules → [each interface]

Example rules for IoT VLAN (VLAN 30):

Action	Source	Destination	Port	Description
Allow	192.168.30.0/24	any	80,443	Internet access
Allow	192.168.30.0/24	192.168.20.10	1883	MQTT broker
Block	192.168.30.0/24	192.168.0.0/8	*	Block all LAN
Allow	192.168.30.0/24	*	*	Internet fallthrough

The order matters — pfSense processes rules top to bottom. Put specific allows before the broad block.

Block inter-VLAN traffic: Add an alias RFC1918 containing 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Then create a block rule on each VLAN: Block source=VLAN subnet, destination=RFC1918.

Step 2: Configure the Managed Switch

Using a TP-Link TL-SG108E as an example (one of the most common homelab switches).

Access the Switch Web UI

Find the switch IP (check your router's DHCP leases) and navigate to it in a browser.

Default login: admin/admin — change this immediately.

802.1Q VLAN Configuration

Go to VLAN → 802.1Q VLAN:

Enable 802.1Q VLAN. Then configure per-VLAN membership:

VLAN 10 (Trusted):

Port 1 (uplink to router): Tagged
Port 2 (workstation): Untagged
All other ports: Not Member

VLAN 20 (Servers):

Port 1 (uplink): Tagged
Port 3 (NAS): Untagged
Port 4 (Proxmox): Untagged
All other ports: Not Member

VLAN 30 (IoT):

Port 1 (uplink): Tagged
Port 5 (IoT switch/hub): Untagged
All other ports: Not Member

PVID (Port VLAN ID) Configuration

After setting VLAN membership, configure the PVID for each untagged port. The PVID determines which VLAN untagged traffic gets assigned to.

VLAN → 802.1Q PVID Setting:

Port 1 (uplink): PVID 1 (management)
Port 2 (workstation): PVID 10
Port 3 (NAS): PVID 20
Port 4 (Proxmox): PVID 20
Port 5 (IoT): PVID 30

This tells the switch: when untagged traffic arrives on port 2, tag it as VLAN 10.

The Trunk Port

Port 1 (the uplink to your router) is the trunk port. It carries traffic for ALL VLANs tagged. The router detaggs the traffic and routes it to the right VLAN interface.

Configure port 1 as tagged in every VLAN you're using.

Step 3: Wireless VLANs

UniFi Access Points

In UniFi Network Controller:

Settings → WiFi → Create New WiFi for each VLAN
Set the network to the corresponding VLAN

Example:

SSID "HomeNetwork" → VLAN 10 (Trusted)
SSID "HomeServers" → VLAN 20 (Servers) — or skip this, servers usually use wired
SSID "HomeIoT" → VLAN 30 (IoT)
SSID "Guest" → VLAN 40 (Guest)

UniFi APs handle VLAN tagging automatically.

OpenWrt Access Points

Create multiple SSIDs, each mapped to a VLAN-tagged interface:

# In /etc/config/wireless
config wifi-iface
    option device radio0
    option mode ap
    option ssid HomeNetwork
    option network vlan10

config wifi-iface
    option device radio0
    option mode ap
    option ssid HomeIoT
    option network vlan30

In /etc/config/network, define the VLAN interfaces:

config interface vlan10
    option ifname eth0.10
    option proto dhcp

config interface vlan30
    option ifname eth0.30
    option proto dhcp

Verifying Your Setup

After configuration, verify isolation:

# From a Trusted VLAN device, ping the IoT gateway
ping 192.168.30.1    # Should succeed (router is reachable)

# Try to ping an IoT device directly
ping 192.168.30.50   # Should fail (firewall blocks it)

# From an IoT device, try to reach the NAS
ping 192.168.20.10   # Should fail

# Verify DHCP is assigning correct IPs
ip addr show         # Should show 192.168.30.x on IoT device

Use nmap to verify isolation:

# From IoT VLAN, scan the Servers VLAN
nmap -sn 192.168.20.0/24   # Should show no hosts (all blocked)

Common Mistakes

Leaving VLAN 1 as default: VLAN 1 is the default on most switches. Don't use it for any real traffic — it's the native VLAN and can cause security issues. Put management on a dedicated VLAN and explicitly tag everything.

Forgetting PVID: Setting VLAN membership without PVID means untagged traffic gets dumped into VLAN 1 instead of the intended VLAN.

Firewall allows before blocks: In pfSense, inter-VLAN traffic will succeed unless explicitly blocked. "Default deny" is safer — block RFC1918 on each interface, then add specific allows.

One-way rules: Add firewall rules on the initiating side. If Trusted needs to reach Servers, add the allow rule to the Trusted interface's rules.

DNS Across VLANs

You probably want DNS to work from all VLANs. Two options:

Option 1: Allow DNS to router: Add a firewall rule on each VLAN allowing UDP/TCP port 53 to the router (192.168.10.1, etc.). The router's DNS resolver serves all VLANs.

Option 2: Pi-hole or AdGuard per VLAN: Run Pi-hole on the Servers VLAN and allow each VLAN to query it on port 53.

For maximum isolation, give IoT devices a public DNS server (1.1.1.1) so they can't query your internal resolver and enumerate your internal hostnames.

Wrapping Up

VLANs aren't just for enterprises. A basic segmentation setup — trusted, servers, IoT, guest — meaningfully reduces your attack surface and lets you run lab experiments without risking production services. The upfront configuration is an afternoon of work; the security benefit is permanent.

Start small: isolate IoT devices first, since they're the highest risk. Add more VLANs as your homelab grows.