Set Up VLANs at Home
VLANs (Virtual Local Area Networks) divide one physical network into multiple isolated segments. At home, this lets you put smart home devices and IoT gadgets on a completely separate network from your laptops and phones — so a compromised smart bulb cannot reach your NAS or work computer.
Why Segment Your Home Network
The typical home network puts every device — laptops, phones, smart TVs, security cameras, thermostats, and baby monitors — on the same flat network. Any device can reach any other device. This matters because IoT devices are frequently unpatched, ship with weak default credentials, and become entry points for attackers who want to move laterally to more valuable targets.
A VLAN-segmented network creates hard boundaries. Even if an IoT device is compromised, it cannot initiate connections to the trusted segment where your computers and NAS live. The device can still reach the internet — it just cannot reach your other devices.
The Three-VLAN Model
Most home setups benefit from three segments:
- Trusted VLAN — laptops, phones, tablets, desktop computers. Full local network access. This is your primary network.
- IoT VLAN — smart TVs, smart speakers, thermostats, cameras, lights, doorbells. Internet access only. No access to trusted VLAN. No access to NAS or printers except where explicitly permitted by firewall rules.
- Guest VLAN — visitors' devices. Internet access only. Completely isolated from both trusted and IoT segments.
Each VLAN gets its own subnet and SSID. You connect each device to the appropriate Wi-Fi network by its purpose. Smart home devices go to the IoT SSID; your laptop goes to the trusted SSID.
Hardware Requirements
Not every router supports custom VLANs. You need one of:
- Ubiquiti UniFi — the most capable consumer-grade VLAN management. Create VLANs, assign SSIDs, build firewall rules between segments, configure mDNS across VLANs. Best option if you want full control.
- TP-Link Omada — similar enterprise-level features at a lower price point. Omada Controller manages VLANs, multiple SSIDs, and inter-VLAN firewall rules.
- ASUS with Merlin firmware — adds VLAN and advanced firewall capabilities to many ASUS routers without replacing the OS entirely.
- OpenWrt — open-source firmware for hundreds of supported routers. Full VLAN support with 802.1Q tagging, bridge filtering, and custom firewall rules via LuCI or CLI.
- pfSense / OPNsense — dedicated firewall OS running on a mini PC. The most flexible option but requires separate hardware and more setup time.
For wired devices on different VLANs, you also need a managed switch that supports 802.1Q VLAN tagging. An unmanaged switch forwards all traffic to all ports — it cannot separate VLANs. TP-Link TL-SG108E (8-port) and Netgear GS308E are inexpensive managed switches suitable for home use.
Creating VLANs on UniFi
UniFi is the most common platform for home VLAN setups. The steps in the UniFi Network application:
- Settings → Networks → Create New Network → select VLAN-only or Corporate (with its own subnet and DHCP)
- Assign a VLAN ID (e.g., 10 for IoT, 20 for guest) and configure the subnet (e.g., 192.168.10.0/24)
- Settings → WiFi → Create New WiFi → assign the network to the new VLAN. The SSID will tag traffic with the VLAN ID automatically
- Settings → Firewall → create rules blocking traffic from IoT VLAN to trusted VLAN (direction: IoT → LAN, action: drop)
UniFi's client isolation option on the guest network blocks device-to-device communication within the same VLAN — useful for guest networks where you do not want visitors seeing each other.
The mDNS Problem with Casting
The biggest practical annoyance with VLAN segmentation is casting. Chromecast, Apple TV, AirPlay speakers, and similar devices use mDNS (multicast DNS) for discovery — a protocol that announces device presence on the local subnet. mDNS does not cross VLAN boundaries, so a phone on the trusted VLAN cannot discover a Chromecast on the IoT VLAN.
The solution is an mDNS repeater, which bridges mDNS announcements between VLANs without opening the full network path:
- UniFi: Settings → Networks → enable mDNS for the IoT network. UniFi handles the cross-VLAN mDNS relay automatically.
- OPNsense / pfSense: install the Avahi package, configure it to repeat mDNS between your trusted and IoT interfaces.
- OpenWrt: install the avahi-daemon package and enable interface bridging in its config.
With mDNS repeating enabled, your phone discovers the Chromecast and initiates the cast — but the Chromecast still cannot initiate connections back to your laptop or NAS.
Firewall Rules Between VLANs
The default behavior when you create a VLAN depends on the platform. Some platforms allow inter-VLAN traffic by default; others block it. You need explicit rules. The key rules for a home IoT setup:
- Block IoT VLAN → Trusted VLAN (prevents IoT devices from reaching your computers)
- Block Guest VLAN → Trusted VLAN (prevents guests from reaching your computers)
- Block Guest VLAN → IoT VLAN (prevents guest devices from controlling IoT devices)
- Allow Trusted VLAN → IoT VLAN (optional, if you want to manage IoT devices from your laptop)
- Allow all VLANs → internet (each VLAN routes to the WAN independently)
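What the three-VLAN model, the OpenWrt mDNS reflector and the firewall rules above look like on one OpenWrt router, as an added example that is not configuration from the original page or from the OpenWrt or Avahi projects. It assumes a DSA-based OpenWrt 21.02 or later whose LAN bridge br-lan has switch ports lan1 to lan4, with lan4 used as the 802.1Q trunk to a managed switch; the trusted LAN stays on VLAN 1 as 192.168.1.0/24, IoT uses VLAN 10 and 192.168.10.0/24 from the page, and guest uses VLAN 20 and 192.168.20.0/24, which is my choice. Port and interface names differ between devices.

```conf
# /etc/config/network: VLAN filtering on the LAN bridge (constructed
# example, not the page's config). Assumes DSA-based OpenWrt 21.02+ with
# ports lan1-lan4; lan4 is the 802.1Q trunk to the managed switch. Once
# bridge VLANs exist, the existing 'lan' interface must move to br-lan.1.
config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'
    list ports 'lan4:t'

config bridge-vlan
    option device 'br-lan'
    option vlan '10'
    list ports 'lan4:t'

config bridge-vlan
    option device 'br-lan'
    option vlan '20'
    list ports 'lan4:t'

config interface 'lan'
    option device 'br-lan.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'iot'
    option device 'br-lan.10'
    option proto 'static'
    option ipaddr '192.168.10.1'
    option netmask '255.255.255.0'

config interface 'guest'
    option device 'br-lan.20'
    option proto 'static'
    option ipaddr '192.168.20.1'
    option netmask '255.255.255.0'

# /etc/config/firewall: new zones default to REJECT, so only the listed
# forwardings are opened. The firewall is stateful: replies to flows the
# trusted side opened come back, but IoT cannot initiate toward 'lan'.
config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'guest'
    list network 'guest'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

# Internet for both segments (lan -> wan already exists in the defaults)
config forwarding
    option src 'iot'
    option dest 'wan'

config forwarding
    option src 'guest'
    option dest 'wan'

# Trusted -> IoT: management from a laptop, and the phone-to-Chromecast
# connection that follows mDNS discovery
config forwarding
    option src 'lan'
    option dest 'iot'

# Router-hosted services: DHCP (67), DNS (53) and, for IoT only, mDNS
# (5353) so the Avahi reflector can hear announcements from that segment
config rule
    option name 'iot-router-services'
    option src 'iot'
    list proto 'tcp'
    list proto 'udp'
    option dest_port '53 67 5353'
    option target 'ACCEPT'

config rule
    option name 'guest-router-services'
    option src 'guest'
    list proto 'tcp'
    list proto 'udp'
    option dest_port '53 67'
    option target 'ACCEPT'

# /etc/avahi/avahi-daemon.conf: reflect mDNS between trusted and IoT only;
# the guest VLAN is deliberately left out of the reflector
[server]
allow-interfaces=br-lan.1,br-lan.10

[reflector]
enable-reflector=yes
```

Two things still have to be added for the segments to carry clients: a `config dhcp` section in /etc/config/dhcp for each of the `iot` and `guest` interfaces, and a `config wifi-iface` in /etc/config/wireless per SSID with `option network 'iot'` or `'guest'` so the access point tags that SSID's traffic into the right VLAN. Note that the page lists trusted-to-IoT forwarding as optional, but casting depends on it: the reflector only makes the Chromecast discoverable, and the phone then opens the connection itself, which the `lan` to `iot` forwarding permits while the IoT side still cannot open anything toward the trusted segment.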
Platform Comparison
| Platform | VLAN Support | mDNS Proxy | Managed Switch Needed | Difficulty |
|---|---|---|---|---|
| Ubiquiti UniFi | Full 802.1Q | Built-in | For wired only | Moderate |
| TP-Link Omada | Full 802.1Q | Built-in | For wired only | Moderate |
| OpenWrt | Full 802.1Q | Via Avahi package | For wired only | High |
| OPNsense / pfSense | Full 802.1Q | Via Avahi package | For wired only | High |
| ASUS (Merlin) | Limited | Manual config | For wired only | Moderate |
| Consumer routers (stock) | Guest Wi-Fi only | None | N/A | Easy (limited) |