IoT VLAN: How to Set Up a Separate Network for Smart Devices

A dedicated IoT VLAN goes further than a guest network by isolating both wired and wireless smart home devices with granular firewall rules — this guide explains when a VLAN is worth it, how it compares to a guest network, and the step-by-step setup process on VLAN-capable routers. Updated 2026-05-08.

Why Separate IoT Devices at the Network Level

A VLAN (Virtual LAN) for IoT devices creates a logical network boundary between your smart home devices and your computers, phones, and NAS. Without this separation, every device on your network can initiate connections to every other device — a compromised smart bulb can attempt to access your computer's file shares, scan for open ports on your NAS, or intercept unencrypted traffic. With IoT on a separate VLAN, a compromised device can reach the internet (for cloud control) but cannot reach anything on the main LAN unless you explicitly create a firewall rule to allow it.

Guest Network vs VLAN: The Key Difference

Most consumer routers offer a guest network feature that provides simple IoT isolation without VLAN configuration. A proper VLAN goes further: it is a tagged network at the switch level, allowing wired IoT devices (like a wired camera or a Zigbee hub connected via Ethernet) to also be isolated. Guest networks typically only apply to Wi-Fi; a VLAN applies to both wired and wireless clients on the same segment.

Feature                          | Guest Network (IoT)                  | Dedicated IoT VLAN
---------------------------------|--------------------------------------|-----------------------------------------------------------
Setup complexity                 | Low — toggle in router UI            | Medium-High — requires VLAN-capable router and switch
Covers Wi-Fi devices             | Yes                                  | Yes
Covers wired devices             | No                                   | Yes (with VLAN-capable switch)
Firewall rules between segments  | Basic (LAN access blocked)           | Granular (allow specific cross-VLAN traffic)
Allows local hub → IoT device    | Not without workarounds              | Yes, with specific firewall rules
Required hardware                | Any modern router                    | Router with VLAN support + managed switch (for wired)

Setting Up an IoT VLAN

The general steps on a VLAN-capable router (pfSense, OPNsense, Ubiquiti UniFi, TP-Link Omada, or similar):

  1. Create a new VLAN with its own ID (e.g., VLAN 20) and assign it a subnet (e.g., 192.168.20.0/24). Enable DHCP on this VLAN interface.
  2. Create a Wi-Fi SSID (e.g., "Home-IoT") and tag it to VLAN 20. This SSID should be 2.4 GHz or dual-band, with WPA2-AES (not WPA3-only) for maximum device compatibility.
  3. Set firewall rules: allow IoT VLAN → internet (WAN); block IoT VLAN → main LAN. Optionally add specific allow rules for services IoT devices need to reach locally (e.g., allow IoT VLAN to reach a Home Assistant server on the main LAN at a specific IP and port).
  4. Tag switch ports for wired IoT devices (cameras, hubs) to VLAN 20 on a managed switch.
  5. Test: connect a phone to the IoT SSID and verify it cannot reach a device on the main network (e.g., a ping to your main router's LAN IP should fail).
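As an added example (not from the original article, which describes the router UIs of pfSense, OPNsense, UniFi and Omada), here are the same steps rendered as the configuration a plain Linux router would use: an 802.1Q sub-interface for VLAN 20 with the router at .1, a dnsmasq DHCP pool bound to that interface, and an nftables forward policy that allows IoT to WAN, blocks IoT to the main LAN, and carries the optional per-service allow rules from step 3 (a Home Assistant server on the main LAN, a Hue bridge on the IoT VLAN). The interface names `eth0`/`eth1`, the main-LAN subnet 192.168.1.0/24 and the service addresses are assumptions. The functions only return text for review; nothing is applied to the system.

```python
"""Render a Linux-router equivalent of the IoT-VLAN setup steps.

Added example, not from the original article. Assumes a Linux router whose
trunk port `eth1` carries the main LAN untagged and the IoT VLAN tagged,
WAN on `eth0`, dnsmasq for DHCP and nftables for filtering (all assumptions).
Nothing is applied: each function returns text you would review and then
load yourself (`nft -f`, restart dnsmasq). NAT on the WAN side and the
router's own input chain (DHCP/DNS service on the IoT interface) are not
part of this example.
"""
import ipaddress

# Assumed interface names and addressing (constructed for the example).
WAN_IF = "eth0"
TRUNK_IF = "eth1"                      # main LAN, untagged
IOT_VLAN_ID = 20
IOT_IF = f"{TRUNK_IF}.{IOT_VLAN_ID}"   # 802.1Q sub-interface -> "eth1.20"
IOT_SUBNET = ipaddress.ip_network("192.168.20.0/24")
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")   # assumption

# Explicit cross-VLAN exceptions (assumed addresses). Everything not listed
# here is dropped in both directions between the two segments.
IOT_TO_LAN_ALLOW = [   # IoT devices pushing state to a local hub
    {"name": "home-assistant", "dst": "192.168.1.10", "proto": "tcp", "port": "8123"},
]
LAN_TO_IOT_ALLOW = [   # phones/PCs on the main LAN querying a hub directly
    {"name": "hue-bridge", "dst": "192.168.20.50", "proto": "tcp", "port": "{ 80, 443 }"},
]


def render_vlan_interface():
    """Step 1: create the tagged sub-interface and give the router the .1 address."""
    gw = IOT_SUBNET.network_address + 1
    return "\n".join([
        f"ip link add link {TRUNK_IF} name {IOT_IF} type vlan id {IOT_VLAN_ID}",
        f"ip addr add {gw}/{IOT_SUBNET.prefixlen} dev {IOT_IF}",
        f"ip link set {IOT_IF} up",
    ])


def render_dhcp():
    """Step 1: dnsmasq DHCP pool (.100-.254) bound to the IoT interface only."""
    hosts = list(IOT_SUBNET.hosts())
    first, last = hosts[99], hosts[-1]
    return "\n".join([
        f"interface={IOT_IF}",
        f"dhcp-range={first},{last},12h",
    ])


def _allow_rule(in_if, out_if, svc):
    """One stateful allow rule for a single service; replies return via ct state."""
    return (f"    iifname \"{in_if}\" oifname \"{out_if}\" "
            f"ip daddr {svc['dst']} {svc['proto']} dport {svc['port']} accept"
            f"  # {svc['name']}")


def render_nftables():
    """Step 3: IoT -> WAN allowed; IoT <-> LAN blocked except listed services."""
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",   # replies to allowed flows
        f"    iifname \"{IOT_IF}\" oifname \"{WAN_IF}\" accept",   # cloud control
    ]
    lines += [_allow_rule(IOT_IF, TRUNK_IF, s) for s in IOT_TO_LAN_ALLOW]
    lines.append(f"    iifname \"{IOT_IF}\" oifname \"{TRUNK_IF}\" drop")
    lines.append(f"    iifname \"{TRUNK_IF}\" oifname \"{WAN_IF}\" accept")
    lines += [_allow_rule(TRUNK_IF, IOT_IF, s) for s in LAN_TO_IOT_ALLOW]
    lines.append(f"    iifname \"{TRUNK_IF}\" oifname \"{IOT_IF}\" drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_vlan_interface(), render_dhcp(), render_nftables(), sep="\n\n")
```

Rule order matters: the per-service accepts must sit above the segment-wide drop, and the `ct state` rule at the top is what lets replies to an allowed connection come back without a mirrored allow rule in the other direction. Step 4 (tagging switch ports) is done on the managed switch and has no equivalent on the router.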

Frequently Asked Questions

Will IoT devices still work if they can't reach the main LAN?

Yes — most cloud-controlled smart home devices only need internet access, not access to your local network. They communicate with vendor cloud servers and do not need to reach your computers or NAS. The exception is locally-controlled systems: a Home Assistant server, a Philips Hue Bridge that your phone queries directly, or a Sonos system that uses local discovery protocols. For these, create specific firewall rules that allow traffic from the main LAN to those specific devices on the IoT VLAN, without opening broad access in either direction.
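An added example, not part of the original article, of the step 5 test extended to the exceptions this answer describes: run from a laptop joined to the IoT SSID, it checks that the internet and the one permitted local service are reachable while the main-LAN gateway and NAS are not, and reports any check whose result differs from the policy. The addresses and ports are assumptions; the `connect` callable is injectable so the expectations can be exercised without a network.

```python
"""Step-5 isolation check, run from a laptop or phone joined to the IoT SSID.

Added example, not from the original article. Addresses and ports are
assumptions: main-LAN gateway 192.168.1.1, NAS 192.168.1.20 (SMB 445),
Home Assistant 192.168.1.10:8123, and a public DNS resolver on TCP 53 as
the "internet reachable" probe.
"""
import socket

# Each check: (label, host, port, should_connect). Constructed expectations
# matching the policy: only WAN and the explicit Home Assistant rule pass.
CHECKS = [
    ("internet (public DNS, TCP 53)", "1.1.1.1", 53, True),
    ("home-assistant allow rule", "192.168.1.10", 8123, True),
    ("main LAN gateway web UI", "192.168.1.1", 80, False),
    ("NAS file share (SMB)", "192.168.1.20", 445, False),
]


def tcp_connect(host, port, timeout=2.0):
    """True if the TCP handshake completes; False on refusal or timeout.

    A `drop` rule shows up as a timeout, a `reject` rule as an immediate
    refusal; both count as "not reachable" for this check.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(checks=CHECKS, connect=tcp_connect):
    """Compare observed reachability with the policy; returns (all_ok, results)."""
    results = []
    for label, host, port, expected in checks:
        observed = connect(host, port)
        results.append({"label": label, "target": f"{host}:{port}",
                        "expected": expected, "observed": observed,
                        "ok": observed == expected})
    return all(r["ok"] for r in results), results


if __name__ == "__main__":
    all_ok, rows = run_checks()
    for r in rows:
        state = "ok  " if r["ok"] else "FAIL"
        print(f"{state} {r['label']:32} {r['target']:20} "
              f"expected={'reachable' if r['expected'] else 'blocked'} "
              f"observed={'reachable' if r['observed'] else 'blocked'}")
    raise SystemExit(0 if all_ok else 1)
```

A check that is expected to be blocked but reports reachable is the finding to act on: it means either the drop rule is missing or an allow rule is broader than the single host and port it was meant for.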

Do I need a managed switch for an IoT VLAN?

Only for wired IoT devices. If all your IoT devices are Wi-Fi only, the VLAN lives entirely in the router and access point — no managed switch is needed. If you have wired devices (a PoE camera, a wired Ethernet hub, a wired NVR) that should be on the IoT VLAN, you need a managed switch that supports 802.1Q VLAN tagging to assign those physical ports to the correct VLAN. Unmanaged switches cannot be segmented by VLAN.

My router only has a guest network option, not VLANs — is that enough?

For most homes, yes. A properly configured guest network with client isolation enabled provides the core benefit: IoT devices can reach the internet but cannot initiate connections to the main LAN. The limitation is that wired IoT devices cannot be included (guest networks are Wi-Fi only on most consumer routers) and you cannot create granular allow rules. If you have only Wi-Fi IoT devices and no need for local IoT-to-server communication, a guest network is a practical and effective solution without requiring advanced networking equipment.
