Network Segmentation with VLANs

Most home networks are flat: every device — your laptop, your kid's tablet, your smart fridge, your security cameras — shares the same Layer 2 broadcast domain. A compromised IoT device can ARP-spoof your workstation, scan internal services, or pivot to anything else on the network.

VLANs (Virtual LANs) create separate broadcast domains on a single physical network, and inter-VLAN traffic must pass through a router/firewall where you control it.

VLAN Architecture

┌─────────────────────────────────────────────────────┐
│                   HOME NETWORK                       │
│                                                     │
│  VLAN 10: Trusted (192.168.10.0/24)                │
│  ├── Your workstation                               │
│  ├── Your phone                                     │
│  ├── NAS (restricted access)                        │
│  └── Access: Full internet + all VLANs (outbound)  │
│                                                     │
│  VLAN 20: IoT (192.168.20.0/24)                    │
│  ├── Smart thermostat, lights, speakers            │
│  ├── Smart TV, streaming devices                    │
│  └── Access: Internet only, NO access to other VLANs│
│                                                     │
│  VLAN 30: Guest (192.168.30.0/24)                  │
│  ├── Guest WiFi devices                             │
│  └── Access: Internet only, isolated from all VLANs│
│                                                     │
│  VLAN 40: Cameras/Security (192.168.40.0/24)       │
│  ├── Security cameras, door locks                   │
│  └── Access: NVR only, NO internet (optional)      │
│                                                     │
│  VLAN 50: Lab (192.168.50.0/24)                    │
│  ├── Development servers, VMs, home lab             │
│  └── Access: Internet + limited trusted VLAN access│
└─────────────────────────────────────────────────────┘

Hardware Requirements

You need:

1. A managed switch that supports 802.1Q VLAN tagging (TP-Link TL-SG108E ~$30, or UniFi Switch Lite 8 PoE ~$100)
2. A router/firewall that supports VLANs (OPNsense/pfSense on any x86 box, or OpenWrt on a supported router)
3. A WiFi access point that supports multiple SSIDs mapped to VLANs (UniFi AP, or OpenWrt-compatible AP)

OPNsense VLAN Configuration

# OPNsense: Create VLANs
# Interfaces → Other Types → VLAN
# Create VLAN 10 on parent interface igb1 (LAN)
# Create VLAN 20 on parent interface igb1
# etc.

# Assign interfaces
# Interfaces → Assignments → Add each VLAN
# VLAN10 → OPT1 (rename to "Trusted")
# VLAN20 → OPT2 (rename to "IoT")
# VLAN30 → OPT3 (rename to "Guest")

# Enable DHCP on each interface
# Services → DHCPv4 → [each VLAN interface]
# VLAN10: 192.168.10.100 - 192.168.10.250
# VLAN20: 192.168.20.100 - 192.168.20.250
# VLAN30: 192.168.30.100 - 192.168.30.250

Switch Configuration (TP-Link Managed)

# 802.1Q VLAN Configuration
# Port 1 (uplink to router): Tagged on VLANs 10, 20, 30, 40, 50
# Port 2-4 (trusted devices): Untagged VLAN 10
# Port 5-6 (IoT devices): Untagged VLAN 20
# Port 7 (camera NVR): Untagged VLAN 40
# Port 8 (lab server): Untagged VLAN 50

# WiFi: Create SSIDs per VLAN
# SSID "HomeNet" → VLAN 10 (WPA3)
# SSID "IoT" → VLAN 20 (WPA2 for compatibility)
# SSID "Guest" → VLAN 30 (WPA2, client isolation ON)

Why This Matters

Without VLANs, a compromised smart lightbulb can:

• ARP spoof to intercept traffic from your workstation
• Port scan to find your NAS, home lab, or SSH services
• Serve as a pivot point for lateral movement
• Exfiltrate data from any device on the LAN

With VLANs + firewall rules, the lightbulb can only talk to the internet and sees nothing else. The compromise is contained to VLAN 20, and your firewall logs the boundary crossing attempt.

VLAN segmentation is the single highest-impact network security improvement for a home network.