Why VLANs Matter in a Home Lab
A flat home network — everything on 192.168.1.0/24 — means a compromised smart bulb has unrestricted access to every other device: your NAS, your Proxmox server, your workstation. VLANs fix this. Each segment gets its own subnet, and inter-VLAN traffic must traverse your router/firewall, which enforces rules about what can talk to what.
A common homelab VLAN design: VLAN 10 for trusted workstations and laptops; VLAN 20 for servers and VMs; VLAN 30 for IoT devices (smart home, printers); VLAN 40 for guest WiFi. The firewall allows specific flows (workstations can reach servers, IoT cannot initiate connections to anything except the internet) and blocks everything else by default.
What Equipment You Need
You need three components: a managed switch that supports 802.1Q VLAN tagging (an entry-level model such as the TP-Link TL-SG108E or Netgear GS308E at $30–50 works); a VLAN-aware router running pfSense, OPNsense, or OpenWrt; and optionally a VLAN-capable wireless access point if you want a separate SSID per VLAN. Most consumer APs support multiple SSIDs mapped to different VLANs — Ubiquiti UniFi, TP-Link EAP series, and OpenWrt-based APs all handle this.
If your router is a VM on Proxmox, the Proxmox bridge acts as your trunk interface. You create VLAN sub-interfaces inside pfSense/OPNsense and configure the Proxmox bridge as VLAN-aware so tagged traffic passes through to the VM unchanged.
Planning Your VLAN Numbering
VLAN IDs range from 1 to 4094. VLAN 1 is the default untagged VLAN on most managed switches — avoid using it for production traffic because many switches treat it specially. Common homelab conventions: VLAN ID matches the third octet of the subnet (VLAN 10 → 10.0.10.0/24 or 192.168.10.0/24), making troubleshooting intuitive. Reserve a management VLAN (often VLAN 99 or VLAN 1) for accessing switch and AP management interfaces from a trusted workstation only.
Switch Configuration: Access and Trunk Ports
Managed switch ports operate in two modes for VLAN purposes. An access port carries traffic for a single VLAN — the switch strips the VLAN tag before delivering frames to the connected device. Plug in an IoT device on an access port in VLAN 30 and it has no idea it is on a VLAN; it just sees a regular Ethernet connection. A trunk port carries multiple VLANs simultaneously using 802.1Q tags. Your uplink from the switch to the router must be a trunk port carrying all VLANs. If you have an AP with multiple SSIDs, its uplink is also a trunk port.
Router/Firewall VLAN Configuration
In OPNsense or pfSense, create VLAN sub-interfaces on the LAN physical interface (or bridge, if using a VM). Each VLAN gets its own interface with its own subnet and DHCP server. Then write firewall rules. A basic rule set: allow inter-VLAN traffic from trusted workstations (VLAN 10) to servers (VLAN 20); block all traffic from IoT (VLAN 30) to any other VLAN; allow IoT to reach the internet; block guest WiFi (VLAN 40) from reaching all internal subnets.
Common Homelab VLAN Design
| VLAN ID | Name | Subnet | Devices | Can Reach |
|---|---|---|---|---|
| 10 | Trusted Clients | 192.168.10.0/24 | Laptops, desktops, phones | Servers, IoT (initiating), Internet |
| 20 | Servers | 192.168.20.0/24 | Proxmox, NAS, Docker hosts | Internet (outbound only), Clients on request |
| 30 | IoT | 192.168.30.0/24 | Smart home, printers, cameras | Internet only; blocked from all VLANs |
| 40 | Guest WiFi | 192.168.40.0/24 | Visitor devices | Internet only; isolated from all VLANs |
| 99 | Management | 192.168.99.0/24 | Switch/AP management IPs | Trusted clients only; blocked from internet |
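The rule set described under Router/Firewall VLAN Configuration and the "Can Reach" column of the table are easier to reason about once the stateful part is spelled out: "IoT cannot initiate" is not the same as "IoT cannot send". The following is an added example, not code from the article or from pfSense/OPNsense. It classifies addresses into the table's VLANs by subnet, applies a default-deny policy, and keeps a connection table so that replies to a permitted flow pass while the other side cannot open a connection of its own. The subnets come from the table; the ALLOW_NEW set is my reading of the "Can Reach" column; the addresses and ports used at the bottom are constructed samples.

```python
"""
Added example, not from the original article or any firewall product: a
minimal model of the stateful inter-VLAN policy in the design table. The
subnets come from the table; the ALLOW_NEW set is an assumption read from the
'Can Reach' column; addresses used at the bottom are constructed samples.
"""
import ipaddress
from typing import Tuple

INTERNET = "internet"   # zone for any address outside the local VLANs

# VLAN ID -> subnet, as in the design table
VLANS = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
    30: ipaddress.ip_network("192.168.30.0/24"),
    40: ipaddress.ip_network("192.168.40.0/24"),
    99: ipaddress.ip_network("192.168.99.0/24"),
}

# (source zone, destination zone) pairs permitted to open NEW connections.
# Anything not listed is dropped: this is the default-deny posture.
ALLOW_NEW = {
    (10, 20), (10, 30), (10, 99), (10, INTERNET),   # trusted clients
    (20, INTERNET),                                  # servers: outbound only
    (30, INTERNET),                                  # IoT: internet only
    (40, INTERNET),                                  # guest: internet only
    # VLAN 99 (management) initiates nothing, not even to the internet
}

Flow = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)


def zone_of(ip: str):
    """Map an address to its VLAN ID, or to INTERNET if it is in no local subnet."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return INTERNET


class StatefulFirewall:
    """Default-deny router/firewall with a connection table, so that replies to an
    allowed flow are accepted while the other side cannot open its own connection."""

    def __init__(self) -> None:
        self.established = set()   # flows that were accepted as NEW

    def evaluate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                 proto: str = "tcp") -> str:
        forward: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        reverse: Flow = (proto, dst_ip, dst_port, src_ip, src_port)
        # Packets of an already-accepted connection pass in either direction.
        if forward in self.established or reverse in self.established:
            return "ACCEPT (established)"
        src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
        # Same-VLAN traffic is switched locally and never reaches the router.
        if src_zone == dst_zone:
            return "ACCEPT (same VLAN, switched locally)"
        if (src_zone, dst_zone) in ALLOW_NEW:
            self.established.add(forward)
            return "ACCEPT (new)"
        return "DROP"


if __name__ == "__main__":
    fw = StatefulFirewall()
    # Constructed sample flows; 203.0.113.10 is a documentation-range address
    print("client -> server   :", fw.evaluate("192.168.10.5", 51000, "192.168.20.10", 443))
    print("server reply       :", fw.evaluate("192.168.20.10", 443, "192.168.10.5", 51000))
    print("IoT -> server      :", fw.evaluate("192.168.30.7", 40000, "192.168.20.10", 445))
    print("IoT -> internet    :", fw.evaluate("192.168.30.7", 40001, "203.0.113.10", 443))
    print("guest -> server    :", fw.evaluate("192.168.40.2", 40002, "192.168.20.10", 80))
    print("mgmt -> internet   :", fw.evaluate("192.168.99.1", 40003, "203.0.113.10", 123, "udp"))
```

Real firewalls implement the connection table with state tracking (pf's state table in pfSense/OPNsense, `ct state established,related` in nftables on OpenWrt); the model above leaves out state timeouts and the pseudo-state used for UDP, but the policy outcome for each row of the table is the same.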
Frequently Asked Questions
Do I need a managed switch for VLANs?
Yes, for any meaningful VLAN setup. An unmanaged switch forwards all frames to all ports — it has no concept of VLANs. A managed switch ($30–60 for an 8-port model) lets you assign VLAN IDs to individual ports and configure trunk ports for uplinks. Some consumer routers have a built-in managed switch chip that supports VLANs natively.
Can I do VLANs on a single Proxmox host without a physical managed switch?
Yes. If everything is virtual (all VMs on one Proxmox host), you create multiple Linux bridges or use Proxmox's VLAN-aware bridge. VMs attach to different bridges and route through your firewall VM. No physical managed switch is needed for an all-virtual setup.
What is a trunk port vs an access port?
An access port carries untagged traffic for a single VLAN. The connected device does not need to understand VLANs. A trunk port carries multiple VLANs simultaneously, with each frame tagged with its VLAN ID using 802.1Q headers. Uplinks between switches, between switches and routers, and between switches and multi-SSID APs are trunk ports.
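To make the access/trunk distinction from the switch configuration section and this answer concrete, here is an added Python example that is not from the article. It builds a raw Ethernet frame, inserts and parses the 4-byte 802.1Q tag, and models an access port stripping the tag before delivery versus a trunk port adding it, and only for VLANs allowed on that trunk. The MAC addresses and payload are constructed sample bytes, and the port models are deliberately simplified (no MAC learning, no native VLAN handling).

```python
"""
Added example, not from the original article: constructs raw Ethernet frames,
inserts and parses 802.1Q tags, and models what a trunk port and an access
port each do with them. MAC addresses and payload below are constructed
sample values.
"""
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100      # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (locally administered MACs, not real devices)
SAMPLE_DST = bytes.fromhex("020000000002")
SAMPLE_SRC = bytes.fromhex("020000000001")
SAMPLE_PAYLOAD = bytes.fromhex("45") + bytes(19)   # stand-in for an IPv4 header


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) | src(6) | EtherType(2) | payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and the EtherType.
    TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes) -> Optional[Tuple[int, int, int, int]]:
    """Return (vid, pcp, dei, inner_ethertype), or None for an untagged frame."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None
    tci, inner = struct.unpack("!HH", frame[14:18])
    return (tci & 0x0FFF, tci >> 13, (tci >> 12) & 0x1, inner)


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag; untagged frames are returned unchanged."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def access_port_egress(frame: bytes, port_vlan: int) -> Optional[bytes]:
    """Simplified access-port behaviour: deliver only frames belonging to the
    port's VLAN, with the tag stripped so the device sees plain Ethernet."""
    tag = parse_tag(frame)
    if tag is None or tag[0] != port_vlan:
        return None
    return strip_tag(frame)


def trunk_port_egress(frame: bytes, vid: int, allowed_vlans: set) -> Optional[bytes]:
    """Simplified trunk-port behaviour: tag the frame with its VLAN, but only if
    that VLAN is permitted on the trunk (the switch's allowed-VLAN list)."""
    if vid not in allowed_vlans:
        return None
    return add_tag(strip_tag(frame), vid)


if __name__ == "__main__":
    untagged = build_frame(SAMPLE_DST, SAMPLE_SRC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
    on_trunk = trunk_port_egress(untagged, 30, {10, 20, 30, 40, 99})
    print("tag seen on trunk:", parse_tag(on_trunk))
    print("delivered on VLAN 30 access port:", access_port_egress(on_trunk, 30) == untagged)
    print("delivered on VLAN 10 access port:", access_port_egress(on_trunk, 10))
```

The tag sits between the source MAC and the EtherType, which is why a packet capture on a trunk shows EtherType 0x8100 followed by the real EtherType, and why a capture on an access port shows neither: the switch has already removed those four bytes.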
How do I assign a specific VLAN to a WiFi SSID?
On VLAN-capable APs (UniFi, TP-Link EAP, or OpenWrt), you create an SSID and set its VLAN ID in the wireless configuration. The AP sends frames from that SSID tagged with the matching VLAN ID on its trunk uplink to the switch. The managed switch must have that VLAN allowed on the trunk port connecting the AP.