
Home Lab VLAN Setup and Network Segmentation Guide

Complete guide to setting up VLANs and network segmentation in a home lab using pfSense, OPNsense, or Ubiquiti UniFi — with firewall rules and switch config.


Network segmentation transforms a flat home network — where every device trusts every other device — into a properly isolated architecture where your IoT thermostat cannot communicate with your NAS, and your guest Wi-Fi cannot reach your Proxmox server. This guide walks through VLAN design, switch configuration, and firewall rules using pfSense/OPNsense and Ubiquiti UniFi hardware.

Why Segment Your Home Lab Network?

A flat /24 network where everything shares the same subnet is a security liability. Consider what can happen without segmentation:

  • A compromised smart TV can scan and attack your NAS
  • A guest on your Wi-Fi can access your Proxmox management interface
  • A vulnerable IoT device becomes a pivot point into your entire network
  • Malware on a gaming PC can spread laterally to work laptops

With VLANs, you define exactly which devices can talk to which — network traffic is isolated at the switch and router level, not just at the OS firewall.

Here’s a practical VLAN structure for a home lab:

VLAN ID   Name         Subnet          Purpose
10        Management   10.0.10.0/24    Switches, APs, router, Proxmox, IPMI
20        Trusted      10.0.20.0/24    Laptops, desktops, phones
30        Servers      10.0.30.0/24    NAS, Jellyfin, Home Assistant, Docker
40        IoT          10.0.40.0/24    Smart plugs, cameras, TVs, thermostats
50        Guest        10.0.50.0/24    Guest Wi-Fi — internet only
60        Lab          10.0.60.0/24    VMs, containers under test

The key rules:

  • Management VLAN is locked down — no inbound access from any other VLAN
  • IoT VLAN gets internet access only — no communication with Trusted or Servers
  • Guest VLAN gets internet access only — completely isolated
  • Trusted VLAN can initiate connections to Servers VLAN (not vice versa)
  • Lab VLAN is isolated by default — explicitly allow only what you need

Hardware Requirements

Router/Firewall

  • pfSense (free, on Netgate hardware or your own mini PC)
  • OPNsense (free, more frequent updates, excellent plugin ecosystem)
  • Ubiquiti UniFi Dream Machine Pro — all-in-one with managed switch and controller
  • Mini PC option: Protectli VP2420 (4-port, Intel Atom x6414RE) — runs pfSense/OPNsense well

Managed Switch (Required for VLANs)

  • TP-Link TL-SG108E (~$35) — 8-port managed, excellent budget choice
  • TP-Link TL-SG2210P (~$90) — PoE for APs, VLAN-aware
  • Ubiquiti UniFi USW-24-PoE (~$400) — Best integration with UniFi ecosystem
  • Netgear GS308E (~$40) — Browser-managed, easy VLAN setup

Wireless Access Points (VLAN-capable)

  • Ubiquiti UniFi U6 Lite (~$99) — Best value, multiple SSIDs mapped to VLANs
  • TP-Link EAP670 — Omada ecosystem, budget-friendly VLAN support

Unmanaged switches cannot do VLANs. Your basic 5-port TP-Link or Netgear unmanaged switch does not support 802.1Q tagging and cannot be used for VLAN segmentation.

OPNsense VLAN Configuration

Step 1: Create VLAN Interfaces

In OPNsense web UI: Interfaces → Other Types → VLAN (Interfaces → Devices → VLAN on current releases)

Click "+ Add"
Parent Interface: igb0 (or your LAN NIC)
VLAN Tag: 20
VLAN Priority: 0
Description: Trusted

Repeat for each VLAN (10, 20, 30, 40, 50, 60). Keep your existing untagged LAN on igb0 as a fallback while you do this: move the router's own management into VLAN 10 only after you have confirmed, from a port on VLAN 10, that you can still reach the web UI. Locking yourself out of the firewall is the classic first-day VLAN mistake.

Step 2: Assign and Enable Interfaces

Interfaces → Assignments

Assign each VLAN interface (e.g., vlan0.20) and enable it. Give each a static IP as the gateway for that subnet:

OPT1 (VLAN 20 - Trusted): 10.0.20.1/24
OPT2 (VLAN 30 - Servers): 10.0.30.1/24
OPT3 (VLAN 40 - IoT): 10.0.40.1/24

Step 3: Configure DHCP

Services → DHCPv4 → [Each Interface]

VLAN 20 (Trusted):
  Range: 10.0.20.100 – 10.0.20.200
  DNS: 10.0.20.1 (OPNsense itself, or your Pi-hole/AdGuard)

VLAN 40 (IoT):
  Range: 10.0.40.100 – 10.0.40.200
  DNS: 10.0.40.1

VLAN 50 (Guest):
  Range: 10.0.50.100 – 10.0.50.200
  DNS: 8.8.8.8 (give guests external DNS, not your internal resolver)

Firewall Rules

Firewall rules in pfSense/OPNsense are attached to an interface and evaluated against traffic entering the firewall on that interface, so each VLAN's ruleset governs what devices on that VLAN may initiate and says nothing about traffic headed toward it. Rules are evaluated top-down and the first match wins; an interface with no matching rule blocks by default. Rules are also stateful: once a connection is passed, its reply packets are allowed automatically, which is why "Trusted can reach Servers, not vice versa" needs only a pass rule on the Trusted interface and no rule at all on the Servers interface. To keep the rules below short, create an alias (Firewall → Aliases) named RFC1918 containing 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; 10.0.0.0/8 on its own is not all of RFC 1918 space.

IoT VLAN Rules (VLAN 40)

# Allow IoT to resolve names via the firewall, then internet only
Rule 1: Allow - Source: IoT net - Dest: IoT address - Port: 53 (TCP/UDP) - Action: PASS
Rule 2: Block - Source: IoT net - Dest: RFC1918 (alias) - Action: BLOCK
Rule 3: Allow - Source: IoT net - Dest: any - Action: PASS

# Effect: IoT devices can reach the internet and the DNS resolver handed out by DHCP (10.0.40.1), but no internal subnet
# Rule 1 must sit above Rule 2: 10.0.40.1 is inside 10.0.0.0/8, so without it the block also drops DNS
# DHCP needs no rule; OPNsense adds the DHCP pass rules automatically when the server is enabled on an interface

Guest VLAN Rules (VLAN 50)

Rule 1: Block - Source: Guest net - Dest: RFC1918 (alias) - Action: BLOCK
Rule 2: Allow - Source: Guest net - Dest: any - Action: PASS

# Guests get external DNS (8.8.8.8) from DHCP, so no pass rule to the firewall is needed here
# Without the alias this is three block rules, one each for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16

Trusted VLAN Rules (VLAN 20)

Rule 1: Block - Source: Trusted net - Dest: Management net - Action: BLOCK
Rule 2: Allow - Source: Trusted net - Dest: Servers net - Port: 80,443,22,32400 - Action: PASS
Rule 3: Allow - Source: Trusted net - Dest: any - Action: PASS
# Trusted devices can access the internet and the Servers VLAN, but not Management
# Rule 1 must come before the catch-all: "Dest: any" in Rule 3 includes the Management subnet
# As written, Rule 3 also passes every other port to Servers, so Rule 2 documents intent rather than restricting;
# to limit Trusted to the listed server ports (add 445 if you mount SMB shares), insert "Block - Dest: Servers net" between Rules 2 and 3

Management VLAN Rules (VLAN 10)

Rule 1: Allow - Source: Management net - Dest: any - Action: PASS
# Management devices can reach everywhere for admin purposes
# A rule on this interface only sees traffic entering the firewall FROM Management devices, so a
# "Block - Source: any - Dest: Management net" rule here would never match anything coming from other VLANs.
# Keep the other VLANs out in their own rulesets (IoT and Guest already are, via the RFC1918 block;
# Trusted has its Rule 1 and Lab needs the same), or with one floating rule (Firewall → Rules → Floating):
# Block - Direction: in - Interfaces: every VLAN except Management - Dest: Management net
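To see how per-interface, first-match rules combine into a policy, here is an added example written for this guide (it is not OPNsense code) that models the evaluation in Python and checks the intended isolation matrix. VLAN and interface names are the guide's; the host addresses (10.0.40.50, 10.0.30.100 and so on) are constructed. The rulesets it models include a DNS pass ahead of the IoT block and a Management block on Trusted, and it also shows why a "block any to Management net" rule placed on the Management interface itself leaves Management reachable from Trusted.

```python
"""Model of pfSense/OPNsense interface rule evaluation: rules live on the ingress
interface, are read top-down, first match wins, default deny, replies are implied
by state. Added example for this guide; not code from OPNsense or the original post."""
import ipaddress

VLANS = {  # from the guide's VLAN table
    "Management": ipaddress.ip_network("10.0.10.0/24"),
    "Trusted":    ipaddress.ip_network("10.0.20.0/24"),
    "Servers":    ipaddress.ip_network("10.0.30.0/24"),
    "IoT":        ipaddress.ip_network("10.0.40.0/24"),
    "Guest":      ipaddress.ip_network("10.0.50.0/24"),
    "Lab":        ipaddress.ip_network("10.0.60.0/24"),
}
ANY = [ipaddress.ip_network("0.0.0.0/0")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def net(name):   # "<VLAN> net" in the OPNsense rule editor
    return [VLANS[name]]


def addr(name):  # "<VLAN> address": the firewall's own .1 on that VLAN
    return [ipaddress.ip_network(f"{VLANS[name][1]}/32")]


# A rule is (action, destination networks, destination ports or None for any).
# Source is implicitly "<interface> net", as in every rule in the guide.
RULESETS = {
    "IoT": [
        ("pass",  addr("IoT"), {53}),          # DNS to the firewall, placed above the block
        ("block", RFC1918, None),
        ("pass",  ANY, None),
    ],
    "Guest": [
        ("block", RFC1918, None),
        ("pass",  ANY, None),
    ],
    "Trusted": [
        ("block", net("Management"), None),    # must precede the catch-all
        ("pass",  net("Servers"), {80, 443, 22, 32400}),
        ("pass",  ANY, None),
    ],
    "Management": [("pass", ANY, None)],
    "Servers": [],   # no rules at all: default deny; replies to Trusted are allowed by state
    "Lab": [],
}


def ingress_interface(src_ip):
    ip = ipaddress.ip_address(src_ip)
    for name, network in VLANS.items():
        if ip in network:
            return name
    raise ValueError(f"{src_ip} is not on any VLAN")


def evaluate(rulesets, src_ip, dst_ip, dport):
    """Verdict for a NEW connection: first matching rule on the ingress interface wins."""
    iface = ingress_interface(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, dst_nets, ports in rulesets.get(iface, []):
        if any(dst in n for n in dst_nets) and (ports is None or dport in ports):
            return action
    return "block"   # implicit default deny


# (source host, destination, port, expected verdict): the guide's key rules as a matrix.
# Hosts are constructed for the example.
CASES = [
    ("10.0.40.50",  "10.0.30.100", 443,   "block"),  # IoT -> NAS
    ("10.0.40.50",  "10.0.40.1",   53,    "pass"),   # IoT -> its own gateway's DNS
    ("10.0.40.50",  "10.0.20.1",   53,    "block"),  # IoT -> Trusted gateway
    ("10.0.40.50",  "8.8.8.8",     443,   "pass"),   # IoT -> internet
    ("10.0.50.20",  "10.0.30.100", 80,    "block"),  # Guest -> NAS
    ("10.0.50.20",  "192.168.1.1", 80,    "block"),  # Guest -> other RFC1918 space
    ("10.0.50.20",  "1.1.1.1",     53,    "pass"),   # Guest -> internet
    ("10.0.20.10",  "10.0.30.100", 32400, "pass"),   # Trusted -> Plex on Servers
    ("10.0.20.10",  "10.0.30.100", 445,   "pass"),   # catch-all passes SMB too (add a Servers block to restrict)
    ("10.0.20.10",  "10.0.10.5",   443,   "block"),  # Trusted -> switch web UI on Management
    ("10.0.30.100", "10.0.20.10",  22,    "block"),  # Servers may not initiate toward Trusted
    ("10.0.10.5",   "10.0.30.100", 22,    "pass"),   # Management reaches everything
]


def check_matrix(rulesets, cases=CASES):
    """Return the cases whose verdict differs from the expectation; empty means the policy matches."""
    mismatches = []
    for src, dst, port, want in cases:
        got = evaluate(rulesets, src, dst, port)
        if got != want:
            mismatches.append((src, dst, port, want, got))
    return mismatches


# Common mistake: a "block any -> Management net" rule on the Management interface. That interface
# only sees traffic entering FROM Management devices, so Trusted -> Management is decided by the
# Trusted ruleset alone, and its catch-all passes it.
NAIVE = dict(RULESETS)
NAIVE["Trusted"] = [("pass", ANY, None)]
NAIVE["Management"] = [("block", net("Management"), None), ("pass", ANY, None)]

if __name__ == "__main__":
    print("corrected policy mismatches:", check_matrix(RULESETS))
    print("naive policy, Trusted -> Management:", evaluate(NAIVE, "10.0.20.10", "10.0.10.5", 443))
```

Run it after editing the rulesets to match what you actually configured; a non-empty mismatch list is the rule you forgot, and the order of entries within each list is the order of the rules in the OPNsense UI.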

Managed Switch Configuration (802.1Q)

Managed switches carry VLAN traffic using 802.1Q tagging. Each port is configured as:

  • Access port: untagged on one VLAN (for end devices — they don’t speak 802.1Q)
  • Trunk port: tagged on multiple VLANs (connects to router and other switches/APs)

In the TP-Link web UI:

802.1Q VLAN Configuration:

VLAN 20 (Trusted):
  Port 1 (router uplink): Tagged
  Port 2 (desktop): Untagged
  Port 3 (laptop dock): Untagged

VLAN 40 (IoT):
  Port 1 (router uplink): Tagged
  Port 6 (smart TV): Untagged
  Port 7 (smart hub): Untagged

PVID (Port VLAN ID) Settings:
  Port 2: PVID 20
  Port 3: PVID 20
  Port 6: PVID 40
  Port 7: PVID 40

The PVID determines which VLAN untagged traffic arriving on a port joins, so always set the PVID of an end-device port to its access VLAN; a port that is untagged in VLAN 40 but still has PVID 1 puts the device's traffic on the default VLAN. Port 1, the uplink to OPNsense, is tagged in every VLAN from 10 to 60 and untagged in none; it is the only trunk. Two hardening steps most guides skip: remove end-device ports from VLAN 1 (the factory default, which every port starts in) so default-VLAN traffic cannot leak onto them, and where the switch lets you choose its management VLAN, set it to 10 so the switch's web UI is only reachable from the Management network.
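As an added example (not from the guide or from TP-Link), the following Python models the 802.1Q tag format and the access/trunk/PVID behaviour described above, using the port layout of the TP-Link example: the smart TV on Port 6 sends untagged frames, the switch classifies them by PVID, forwards them tagged VID 40 up the trunk on Port 1, and refuses to deliver them to the desktop on Port 2. It also drops a tagged frame a device on an access port might send to hop VLANs. MAC addresses and payloads are constructed, and the forwarding model only checks VLAN membership (a real switch also learns MACs within each VLAN).

```python
"""802.1Q tagging and a membership-only model of a managed switch's ports.
Added example for this guide; not vendor code."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Ethernet II frame; with vid set, a 4-byte 802.1Q tag (TPID + TCI) follows the MACs."""
    header = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
        tci = (pcp << 13) | (dei << 12) | vid      # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return dst, src, None, etype, frame[14:]
    tci, inner = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner, frame[18:]


# Port table from the TP-Link example: VLANs carried tagged / untagged, and the PVID.
PORTS = {
    1: {"tagged": {10, 20, 30, 40, 50, 60}, "untagged": set(), "pvid": None},  # router uplink (trunk)
    2: {"tagged": set(), "untagged": {20}, "pvid": 20},   # desktop
    3: {"tagged": set(), "untagged": {20}, "pvid": 20},   # laptop dock
    6: {"tagged": set(), "untagged": {40}, "pvid": 40},   # smart TV
    7: {"tagged": set(), "untagged": {40}, "pvid": 40},   # smart hub
}


def ingress(port, frame):
    """Classify an arriving frame into a VLAN; None means the port drops it."""
    p = PORTS[port]
    vid = parse_frame(frame)[2]
    if vid is None:
        return p["pvid"]                 # untagged traffic joins the PVID VLAN (None on a pure trunk: dropped)
    return vid if vid in p["tagged"] else None   # tagged frames accepted only on member trunk ports


def egress(port, vid, frame):
    """Re-tag or strip for the outgoing port; None if the port is not a member of that VLAN."""
    p = PORTS[port]
    dst, src, _, etype, payload = parse_frame(frame)
    if vid in p["tagged"]:
        return build_frame(dst, src, etype, payload, vid=vid)
    if vid in p["untagged"]:
        return build_frame(dst, src, etype, payload)   # access port: tag removed for the end device
    return None


def forward(in_port, out_port, frame):
    vid = ingress(in_port, frame)
    return None if vid is None else egress(out_port, vid, frame)


# Constructed sample traffic: locally-administered MACs, throwaway payload.
BCAST = b"\xff" * 6
TV_MAC = bytes.fromhex("020000000006")
TV_FRAME = build_frame(BCAST, TV_MAC, ETHERTYPE_IPV4, b"constructed payload")          # untagged, as devices send
HOP_FRAME = build_frame(BCAST, TV_MAC, ETHERTYPE_IPV4, b"hop attempt", vid=20)          # TV trying to tag itself into Trusted


def demo():
    """(VID the TV's frame carries on the uplink, whether it can reach the desktop port)."""
    to_router = forward(6, 1, TV_FRAME)
    return parse_frame(to_router)[2], forward(6, 2, TV_FRAME) is not None


if __name__ == "__main__":
    print("uplink VID / reaches desktop:", demo())            # (40, False)
    print("hub on same VLAN gets untagged copy:", parse_frame(forward(6, 7, TV_FRAME))[2] is None)
    print("tagged frame from access port dropped:", forward(6, 2, HOP_FRAME) is None)
```

Whether a real access port silently drops a tagged frame for a VLAN it is not a member of varies by switch and firmware; the model drops it, which is the behaviour you want, and is one more reason not to leave end-device ports in VLAN 1.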

UniFi Wi-Fi SSID to VLAN Mapping

In UniFi Network Controller:

  1. Settings → Networks → Create New Network

    • Name: IoT
    • Network type: VLAN Only (labelled as a third-party gateway network on newer controllers), so the controller only tags traffic and leaves routing to OPNsense
    • VLAN ID: 40
    • DHCP: Disabled (OPNsense handles it)
  2. Settings → WiFi → Create New WiFi

    • SSID: HomeNet-IoT
    • Network: IoT (VLAN 40)
    • Security: WPA2 (use WPA3 or WPA2/WPA3 mixed on the Trusted SSID; many IoT devices only speak WPA2)

Repeat for each SSID. The AP tags each SSID's wireless traffic with its VLAN ID on its Ethernet uplink, so the switch port the AP plugs into must be a trunk tagged for every SSID VLAN (and untagged, with matching PVID, in the VLAN the AP itself is managed from, since the AP's own traffic is untagged by default); the managed switch then delivers the traffic to OPNsense on the correct VLAN interface.

Testing Your VLAN Segmentation

Verify isolation with ping tests

From a device on VLAN 40 (IoT):

# Should FAIL (blocked by firewall rule; a Block rule drops silently, so expect a timeout rather than an error)
ping 10.0.20.1    # Trusted gateway
ping 10.0.30.100  # Your NAS

# Should SUCCEED
ping 8.8.8.8      # Internet
curl https://google.com

From a device on VLAN 50 (Guest):

# Should FAIL
ping 10.0.20.1    # Any internal IP

# Should SUCCEED
curl https://example.com

Check OPNsense firewall logs

Firewall → Log Files → Live View — watch blocks and passes as you test. This is invaluable for debugging why a rule isn’t working as expected.
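The ping tests above tell you that no reply came back, but not why. As an added example (not from the guide), this Python probe uses TCP connect() instead and distinguishes three outcomes: filtered (timeout: the firewall dropped it), refused (a RST came back, so the packet crossed the VLAN boundary and isolation is broken even though nothing was listening), and open. Run it from a device on the IoT VLAN; the targets are the guide's example hosts, and SSH on the NAS at 10.0.30.100 is an assumption.

```python
"""TCP reachability matrix for testing VLAN isolation. Added example for this guide."""
import errno
import socket


def probe(host, port, timeout=2.0):
    """Return 'open', 'refused', 'filtered' or 'unreachable' for a TCP connect attempt."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"          # silently dropped: what an OPNsense Block rule produces
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused"       # the host answered with RST: traffic crossed the boundary
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"   # no route / ICMP unreachable
        raise
    finally:
        s.close()


# (host, port, expectation) for a device on VLAN 40. "blocked" accepts only filtered/unreachable;
# "reachable" accepts open or refused, since either proves the host was reached.
IOT_EXPECTATIONS = [
    ("10.0.20.1",   443, "blocked"),    # Trusted gateway
    ("10.0.30.100", 22,  "blocked"),    # NAS (assumed to run SSH)
    ("10.0.40.1",   53,  "reachable"),  # own gateway's DNS, passed ahead of the RFC1918 block
    ("8.8.8.8",     53,  "reachable"),  # internet
]


def verdict(result, expectation):
    acceptable = {
        "blocked":   {"filtered", "unreachable"},
        "reachable": {"open", "refused"},
    }[expectation]
    return result in acceptable


def run_matrix(expectations, probe_fn=probe):
    """Return rows of (host, port, expectation, result, passed); probe_fn is injectable for testing."""
    rows = []
    for host, port, expectation in expectations:
        result = probe_fn(host, port)
        rows.append((host, port, expectation, result, verdict(result, expectation)))
    return rows


def all_passed(rows):
    return all(row[-1] for row in rows)


if __name__ == "__main__":
    for host, port, expectation, result, ok in run_matrix(IOT_EXPECTATIONS):
        print(f"{'PASS' if ok else 'FAIL'}  {host}:{port:<5} expected {expectation:<9} got {result}")
```

A "refused" against a host that should be blocked is the result to worry about: the firewall let the SYN through and only the target's closed port saved you. The check assumes your isolation rules use Block (silent drop); Reject rules answer with a RST or ICMP unreachable, which this script reads as the host having been reached.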

DNS Filtering Per VLAN

Combine VLAN segmentation with per-VLAN DNS policies using AdGuard Home on your server VLAN:

# AdGuard Home (AdGuardHome.yaml): per-client filtering keyed on the VLAN's CIDR,
# so every device in 10.0.40.0/24 is treated as the "IoT" client.
# Key names follow the persistent-client format; they have shifted between releases
# (newer versions nest the list under blocked_services: ids:), so it is safer to add
# the client in the UI (Settings → Client settings) and let AdGuard Home write this file.
clients:
  persistent:
    - name: IoT
      ids:
        - 10.0.40.0/24
      use_global_settings: false
      filtering_enabled: true
      use_global_blocked_services: false
      blocked_services:
        - twitch   # Block unnecessary services on IoT VLAN

Point each VLAN's DHCP DNS setting at your AdGuard Home instance (10.0.30.x) for network-wide ad blocking while maintaining VLAN isolation. Two things must hold for that to work: clients have to query AdGuard Home directly (if OPNsense's Unbound forwards to it instead, every query arrives from the firewall's own address and the per-CIDR client settings never match), and the IoT and Guest rulesets need a pass rule for TCP/UDP 53 to the AdGuard host placed above their RFC1918 block, otherwise the rule that isolates those VLANs also drops their DNS.

Proper VLAN segmentation is the single most impactful security improvement you can make to a home lab. It takes a few hours to configure but provides lasting protection against lateral movement, device compromise, and unauthorized access to your most sensitive systems.

#OPNsense #pfSense #network segmentation #home lab #VLAN