What Is a VLAN and Why Would You Want One at Home?
A VLAN (Virtual Local Area Network) lets you logically divide a single physical network into separate, isolated segments. At home, this is incredibly useful for:
- Isolating smart home / IoT devices (which often have poor security) from your main computers
- Creating a secure guest WiFi network that can't access your personal files
- Separating work-from-home traffic from personal devices
This tutorial assumes you have a managed switch and a router that supports VLANs (such as Ubiquiti UniFi, pfSense/OPNsense, or a TP-Link Omada setup). Consumer routers from ISPs typically don't support this.
What You'll Need
- A VLAN-capable router or firewall (pfSense, OPNsense, Ubiquiti, MikroTik)
- A managed or smart switch
- A wireless access point that supports multiple SSIDs (optional, for WiFi VLANs)
Step 1: Plan Your VLANs
Before touching any hardware, decide what VLANs you need. A simple home setup might look like this:
| VLAN ID | Name | Subnet | Purpose |
|---|---|---|---|
| 10 | Trusted | 192.168.10.0/24 | Main computers, phones |
| 20 | IoT | 192.168.20.0/24 | Smart TVs, cameras, smart speakers |
| 30 | Guest | 192.168.30.0/24 | Visitor WiFi |
Step 2: Create VLANs on Your Router
- Log into your router's admin interface.
- Navigate to the Network or Interfaces section.
- Create a new virtual interface (e.g., eth0.10 for VLAN 10).
- Assign it a static IP from the subnet you planned (e.g., 192.168.10.1 as the gateway).
- Enable a DHCP server on each VLAN interface so connected devices get IP addresses automatically.
- Repeat for each VLAN.
Step 3: Configure Your Managed Switch
- Log into your switch's management interface.
- Create the VLANs (VLAN 10, 20, 30) in the VLAN configuration section.
- Set the uplink port (connecting to your router) as a trunk port, which carries tagged traffic for all VLANs.
- Set device-facing ports as access ports, assigned to a specific VLAN. For example, the port your IoT hub connects to should be set to VLAN 20 (untagged).
Step 4: Configure Wireless SSIDs (Optional)
If your access point supports multiple SSIDs:
- Create separate SSIDs (e.g., "HomeNetwork", "IoT-Devices", "Guest-WiFi").
- Tag each SSID with the corresponding VLAN ID.
- Ensure the switch port that connects to your access point is configured as a trunk port carrying all relevant VLANs.
Step 5: Set Firewall Rules
VLANs alone don't block traffic between segments — your firewall does. Add rules to:
- Block IoT VLAN from initiating connections to the Trusted VLAN
- Block Guest VLAN from accessing any internal resources
- Allow all VLANs outbound internet access
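These rules only give the intended result when the blocks are evaluated before the broad allows. The following is an added example, not part of the original tutorial: it models a first-match, stateful, default-deny firewall over the Step 1 subnets and audits a rule order against the Step 5 goals. The rule tuple format, function names and sample host addresses are assumptions made for illustration.

```python
import ipaddress

# Subnets from the Step 1 plan.
VLANS = {name: ipaddress.ip_network(net) for name, net in [
    ("Trusted", "192.168.10.0/24"), ("IoT", "192.168.20.0/24"), ("Guest", "192.168.30.0/24")]}
# Assumption: "internal resources" means all private (RFC 1918) address space.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ordered rules for NEW connections: (source VLAN, destination, action).
# Assumption: the firewall is stateful, so replies to allowed connections pass.
RULES = [
    ("IoT", "Trusted", "block"),
    ("Guest", "internal", "block"),
    ("Trusted", "any", "allow"),
    ("IoT", "any", "allow"),
    ("Guest", "any", "allow"),
]
# Same rules with the allows first: a common mistake on first-match firewalls.
MISORDERED = RULES[2:] + RULES[:2]

# Constructed sample hosts; 198.51.100.10 is a documentation address used as "the internet".
CHECKS = [
    ("192.168.20.50", "192.168.10.5", "block"),   # IoT -> Trusted
    ("192.168.30.7", "192.168.10.5", "block"),    # Guest -> Trusted
    ("192.168.30.7", "192.168.20.50", "block"),   # Guest -> IoT
    ("192.168.10.5", "198.51.100.10", "allow"),   # Trusted -> internet
    ("192.168.20.50", "198.51.100.10", "allow"),  # IoT -> internet
    ("192.168.30.7", "198.51.100.10", "allow"),   # Guest -> internet
]

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)

def dst_matches(spec, ip):
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    nets = INTERNAL if spec == "internal" else [VLANS[spec]]
    return any(addr in net for net in nets)

def decide(src_ip, dst_ip, rules=RULES):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    src = vlan_of(src_ip)
    return next((action for rule_src, dst, action in rules
                 if rule_src == src and dst_matches(dst, dst_ip)), "block")

def audit(rules=RULES):
    """Return the checks whose outcome differs from the Step 5 goals."""
    return [c for c in CHECKS if decide(c[0], c[1], rules) != c[2]]
```

Calling `audit(MISORDERED)` returns the three inter-VLAN checks that the misplaced allow rules let through. Traffic between two devices on the same VLAN is switched and never reaches the firewall, so it is outside this model.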
Testing Your Setup
Connect a device to each VLAN and verify it receives the correct IP range. Then try to ping a device on a different VLAN — if your firewall rules are correct, it should be blocked. Use tools like ping and traceroute to confirm traffic flows as expected.
Setting up VLANs takes some initial effort, but the security and organizational benefits are well worth it — especially as the number of connected devices in homes continues to grow.