Network Segmentation for Homelab Security Using VLANs

CompactHost · March 26, 2026

I used to run everything on the same network—my Jellyfin server, smart home devices, work machines, and guest laptops all sharing the same broadcast domain. Then one of my IoT devices got compromised, and I realized how dangerous that was. Within an hour, someone had lateral access to sensitive services. That's when I committed to proper network segmentation using VLANs, and I'm never going back. In this guide, I'll show you exactly how I did it.

Why Network Segmentation Matters in a Homelab

Your homelab isn't just a hobby—it's likely running services that store your files, photos, and possibly business data. Without segmentation, a single compromised device (a smart bulb, an IoT sensor, a guest's infected laptop) becomes a bridgehead into your entire infrastructure.

VLANs (Virtual Local Area Networks) let you slice a physical network into isolated logical networks. Traffic between VLANs is blocked by default unless explicitly routed. I've organized my homelab into four VLANs:

Management VLAN (10): Only trusted admin devices and the router itself
Services VLAN (20): Self-hosted apps (Nextcloud, Jellyfin, Gitea, Vaultwarden)
IoT VLAN (30): Smart home devices, printers, anything that doesn't need direct access to services
Guest VLAN (40): Visitor devices—zero trust access

This architecture means a compromised smart bulb can't directly touch my file server. A guest's laptop can't see my backup storage. And if something goes wrong on the services VLAN, it doesn't cascade across the entire network.

Hardware Prerequisites

To implement VLANs properly, you need networking gear that supports them. I use a UniFi dream machine, but you don't need enterprise equipment:

Managed Switch with VLAN support: TP-Link SG108PE, Netgear ProSafe, or UniFi Switch (I prefer UniFi for its UI and tight router integration)
Router with VLAN support: Ubiquiti UniFi, OpenWrt/DD-WRT, or Mikrotik—consumer routers like stock Asus/TP-Link often won't cut it
Optional but recommended: A second managed switch for redundancy, and VLAN-aware NAS/server NICs if you want them on multiple VLANs

If you're on a tight budget, an older Cisco SG300 series switch from eBay (£40–60) combined with an OpenWrt router works perfectly. I started there before upgrading to UniFi.

Watch out: Not all switches support VLANs—especially the cheap unmanaged ones. Always verify VLAN capability before buying. Check the product spec sheet for "802.1Q" or "VLAN" support. Some switches claim VLAN support but have crippled implementations that won't work for real segmentation.

Setting Up VLANs on a UniFi Dream Machine

I'll walk you through my exact setup using UniFi, since it's the most beginner-friendly ecosystem I've found. The principle translates to other platforms.

Step 1: Create the VLANs in UniFi

Log into your UniFi dashboard and navigate to Settings > Networks. Create four new networks:


# UniFi Network Configuration (done via GUI, but here's the structure)
# Network Name: Management
# VLAN ID: 10
# IP Address: 192.168.10.0/24
# DHCP: Enabled (192.168.10.100–192.168.10.200)

# Network Name: Services
# VLAN ID: 20
# IP Address: 192.168.20.0/24
# DHCP: Enabled (192.168.20.100–192.168.20.200)

# Network Name: IoT
# VLAN ID: 30
# IP Address: 192.168.30.0/24
# DHCP: Enabled (192.168.30.100–192.168.30.200)

# Network Name: Guest
# VLAN ID: 40
# IP Address: 192.168.40.0/24
# DHCP: Enabled (192.168.40.100–192.168.40.200)

The VLAN ID is the critical part—it's the tag that switches use to identify and isolate traffic. Make sure each VLAN gets its own IP subnet (10.x, 20.x, 30.x, 40.x in my setup).

Step 2: Configure Firewall Rules

Creating VLANs is step one; controlling traffic between them is step two. In UniFi, go to Settings > Firewall & Security > Firewall Rules. I set up these baseline rules:


# Rule 1: Block Guest VLAN from everything except DNS and DHCP
Source: VLAN 40 (Guest)
Destination: Any
Port: Any
Action: Drop

# Rule 2: Allow Guest DNS only (port 53)
Source: VLAN 40 (Guest)
Destination: WAN + Local
Port: 53
Action: Allow

# Rule 3: Allow IoT to Services only for specific ports
Source: VLAN 30 (IoT)
Destination: VLAN 20 (Services)
Port: 8123 (Home Assistant), 5000 (Jellyfin API)
Action: Allow

# Rule 4: Block IoT from Management
Source: VLAN 30 (IoT)
Destination: VLAN 10 (Management)
Port: Any
Action: Drop

# Rule 5: Allow Services to Management (for backups/admin)
Source: VLAN 20 (Services)
Destination: VLAN 10 (Management)
Port: 22, 443
Action: Allow

# Rule 6: Allow Management everywhere (admin override)
Source: VLAN 10 (Management)
Destination: Any
Port: Any
Action: Allow

These rules follow the principle of "least privilege"—every VLAN gets exactly the access it needs, nothing more. The order matters; UniFi processes rules top-to-bottom.

Tip: Start with strict rules and add exceptions as needed. It's much easier to debug missing access than to spot an unintended security hole. I keep a spreadsheet of every device and the access it legitimately needs.

Tagging Ports on Your Switch

Once VLANs exist on the router, you need to tell your managed switch which ports belong to which VLANs. This is called "VLAN tagging." Using a TP-Link SG108PE as an example:

Log into the switch's web interface (usually 192.168.0.1 or the IP shown on the label). Navigate to VLAN > 802.1Q VLAN > VLAN Configuration.

Create four VLAN entries with IDs 10, 20, 30, 40. Then go to VLAN > 802.1Q VLAN > Port Configuration and assign ports:

Port 1 (to router): Tagged for all VLANs (10T, 20T, 30T, 40T) — the "T" means tagged
Port 2 (Management devices): Untagged for VLAN 10
Port 3 (Service servers): Untagged for VLAN 20
Port 4 (IoT devices): Untagged for VLAN 30
Port 5 (Guest WiFi AP): Tagged for VLAN 40 — guests need to tag the AP, not individual ports
Ports 6–8: Leave untagged on VLAN 1 for flexibility or assign as needed

"Untagged" means the switch automatically strips the VLAN tag on that port—the connected device sees regular Ethernet traffic with no VLAN awareness. "Tagged" means the VLAN tag stays in the frame—useful for uplinks and multi-VLAN devices.

Configuring WiFi SSIDs for VLANs

In UniFi (or your preferred WiFi controller), you can bind each SSID to a specific VLAN. I created these:

CompactLAN: VLAN 10 (Management) — WPA3, strong password, only my devices
CompactServices: VLAN 20 (Services) — WPA3, for systems needing service access
CompactGuest: VLAN 40 (Guest) — Open or WPA2, expiring passwords, captive portal option
CompactIoT: VLAN 30 (IoT) — WPA2, pre-shared key, minimal visibility

When a device joins "CompactGuest," the AP automatically tags its traffic as VLAN 40. The switch and router know to enforce VLAN 40 firewall rules. It's transparent to the user but rock-solid in the background.

Testing Your Segmentation

After setup, verify that isolation is working. Join a device to the Guest VLAN and try pinging a service VLAN host:


# From a guest device (VLAN 40, say 192.168.40.105)
ping 192.168.20.10  # Should timeout — no route between VLANs

# From a management device (VLAN 10, say 192.168.10.50)
ping 192.168.20.10  # Should work — Management can reach Services

# From IoT device (VLAN 30, say 192.168.30.20)
ping 192.168.10.1   # Should timeout — IoT blocked from Management
ssh 192.168.20.10   # May work if you allow SSH in firewall rules

# Check VLAN membership on the switch
ssh [email protected]  # If using OpenWrt or advanced firmware
cat /etc/config/network | grep vlan

Use SSH, ping, and HTTP requests from each VLAN to verify isolation. If a device can't reach something it should, check three things: (1) VLAN assignment in the switch, (2) Firewall rules in the router, (3) VLAN ID matching between router and switch.

Common Pitfalls and Fixes

Devices can't get DHCP on their VLAN: Check that DHCP is enabled on that network in UniFi, and the VLAN ID matches between router and switch. DHCP relies on broadcast; if the VLAN isn't properly tagged, the DHCP offer never reaches the client.

Devices on the same physical switch can still talk to each other: You didn't set up port VLAN assignments correctly. Each port must be tagged or untagged to exactly one VLAN (unless it's a trunk port). Re-check the switch's VLAN port configuration.

One VLAN can reach another even though you set a drop rule: Firewall rules might be in the wrong order, or you created the rule in the wrong direction. UniFi processes rules top-to-bottom; an Allow rule above a Drop rule will let traffic through. Also, check if you're mixing "Any" with specific destinations—"Any" is often ambiguous.

Performance is sluggish after enabling VLANs: Some cheap switches don't handle inter-VLAN routing well. If your router is doing all the heavy lifting, it becomes a bottleneck. If you see consistently high CPU on the router when VLANs are active, consider a more powerful switch or router (Mikrotik hEX S or UniFi Dream Machine handle this easily).

Next Steps: Advanced Segmentation

Once your basic VLANs are running, consider these refinements:

Intrusion Detection: UniFi has IDS/IPS built-in. Enable it in Settings > Security > IPS. It won't stop everything, but it flags suspicious traffic patterns.
Per-Device Rules: Pin management devices to static IPs and create firewall rules specific to their MAC addresses. Adds complexity but prevents DHCP spoofing within a VLAN.
Isolated Services VLAN: If you run untrusted services (like community Jellyfin or open APIs), put them in a separate VLAN (VLAN 50) that can reach the internet but nothing else.
VPN-only Access: Use Tailscale or Wireguard (installed on your management VLAN) to access services remotely. External traffic never touches your internal network.

Real-World Example: My Homelab After Segmentation

Here's how my devices map now:

VLAN 10 (Management): Main PC, Macbook, phone (on Management WiFi), admin account on NAS
VLAN 20 (Services): NAS (Synology with 2× NICs), Docker host (Proxmox), backup server, Tailscale gateway
VLAN 30 (IoT): Shelly relays, Tasmota bulbs, Home