Your Smart Fridge Is Talking to Your NAS. That Should Bother You.
Picture this: you’ve got a shiny new NAS sitting on your home network. It’s got years of family photos, your entire movie collection, and maybe some work documents you’d rather not share with the internet. A few feet away on the same flat network sits a $12 smart lightbulb you bought at a gas station because the packaging promised “smart home integration.” The lightbulb’s firmware hasn’t been updated since 2019. Its vendor may or may not still exist.
These two devices are peers. Network peers. They can reach each other freely.
Sleep well.
VLANs — Virtual Local Area Networks — are the solution to this particular flavor of home lab anxiety. They let you segment your physical network into multiple logical networks, all running over the same cables and switches, without buying additional hardware. This guide walks you through the concepts and the actual setup, because understanding VLANs is one of those skills that makes you feel genuinely competent and slightly superior at dinner parties.
What a VLAN Actually Is (No Hand-Waving)
A VLAN is a broadcast domain — a group of devices that can talk to each other at Layer 2 (Ethernet) — defined in software rather than physical wiring. Without VLANs, every device on your switch can hear every broadcast packet from every other device. It’s a shouting match, and your IoT devices are invited.
With VLANs, you assign each port (or wireless SSID) to a numbered VLAN. Devices in VLAN 10 can’t directly reach devices in VLAN 20. Traffic between VLANs must route through a Layer 3 device — your router or firewall — where you can apply rules.
802.1Q: The Tag That Makes It Work
The magic is 802.1Q tagging. When a switch forwards a frame between VLAN-aware devices (like switch-to-router or switch-to-switch), it inserts a 4-byte tag into the Ethernet frame header, right after the source MAC address. That tag contains the VLAN ID (a number from 1 to 4094). The receiving device reads the tag and knows which VLAN the traffic belongs to.
End devices (your laptop, phone, lightbulb) typically don’t know about VLANs. They send and receive untagged frames. The switch handles the tagging transparently.
Trunk Ports vs. Access Ports: The Two Modes You Need to Know
Every port on a managed switch operates in one of two modes:
Access Ports
An access port belongs to exactly one VLAN. Traffic coming in is untagged (normal device traffic), and traffic going out is also untagged. The device plugged in has no idea VLANs exist. Use this for:
- End devices: computers, phones, smart TVs
- IoT gadgets
- Anything that isn’t network infrastructure
Trunk Ports
A trunk port carries traffic for multiple VLANs simultaneously, using 802.1Q tags to identify which VLAN each frame belongs to. Use this for:
- The uplink between your switch and your router/firewall
- Links between switches
- Your access point, if it needs to broadcast multiple SSIDs on different VLANs
[Device] --- access port (untagged, VLAN 20) --- [Switch] --- trunk port (tagged, VLANs 10/20/30) --- [Router]
The router sees the tags, routes between VLANs based on your firewall rules, and sends traffic back down the trunk.
Why You Want VLANs in Your Home Lab
Let’s be concrete about what you’re protecting and why:
IoT Isolation: Your smart devices are a security nightmare. Many have hardcoded credentials, unpatched firmware, and phone home to vendors in ways that are frankly suspicious. Put them on their own VLAN with internet access but zero ability to reach your actual computers. If one gets compromised, it’s contained.
Guest Network: Friends visiting? Give them internet, not access to your file server. A guest VLAN with client isolation means your brother-in-law’s malware-laden laptop can’t browse your SMB shares.
NAS/Storage Traffic: Separate your bulk file transfer traffic. This also lets you apply QoS (quality of service) rules on your router to prioritize or throttle storage traffic so a backup job doesn’t saturate your entire network at 2am.
Management VLAN: Your switches, access points, and router management interfaces live here. Only you have access. This is how you prevent someone on the guest network from hitting your router’s admin panel.
DMZ: Internet-facing services live here. Your home server running a public website or game server sits in a VLAN with inbound rules from the internet and strict limits on reaching anything internal.
| VLAN | Name | Reaches Internet | Reaches Other VLANs |
|---|---|---|---|
| 10 | Trusted (PCs, laptops) | Yes | Management only |
| 20 | IoT | Yes (limited) | None |
| 30 | Guest | Yes | None |
| 40 | NAS/Storage | No | Trusted only |
| 50 | DMZ | Yes | None |
| 99 | Management | No | All (admin access) |
Setting Up VLANs on a Managed Switch
You need a managed switch. Unmanaged switches (the cheap ones) don’t support VLANs — they forward frames by MAC address and have no concept of segmentation. TP-Link’s TL-SG108E (about $30) and the Netgear GS308E are popular budget options for home labs.
TP-Link TL-SG108E Configuration
The easy-smart switches use a web interface at their default IP (check the label, usually 192.168.0.1).
- Log in (default credentials: admin/admin — change these immediately)
- Navigate to VLAN > 802.1Q VLAN
- Enable 802.1Q VLAN
Creating your VLANs:
| VLAN ID | Ports (Tagged) | Ports (Untagged) | Description |
|---|---|---|---|
| 10 | Port 8 (uplink) | Ports 1-3 | Trusted devices |
| 20 | Port 8 (uplink) | Port 4 | IoT |
| 30 | Port 8 (uplink) | Port 5 | Guest |
| 99 | Port 8 (uplink) | — | Management |
Port 8 (your router connection) is tagged for all VLANs — it’s your trunk port. The device ports are untagged for their assigned VLAN.
- Navigate to VLAN > 802.1Q PVID and set each port’s PVID to match its untagged VLAN assignment. This tells the switch which VLAN to assign to incoming untagged traffic.
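To make the tagging and the port table concrete, here is an added example (not code from the original post) that builds and parses the 4-byte 802.1Q tag described earlier and then applies the TL-SG108E membership table above as a switch would: untagged ingress takes the port’s PVID, the trunk (port 8) tags everything, access ports strip the tag. The port table, sample frame and the drop-on-non-member rule are assumptions for illustration.

```python
import struct

TPID = 0x8100  # an 802.1Q tag starts with this TPID, followed by the 16-bit TCI

# Constructed port table following the TL-SG108E layout above:
# port -> (PVID for untagged ingress, VLANs carried tagged, VLANs carried untagged)
PORTS = {
    1: (10, set(), {10}), 2: (10, set(), {10}), 3: (10, set(), {10}),
    4: (20, set(), {20}),
    5: (30, set(), {30}),
    8: (None, {10, 20, 30, 99}, set()),  # trunk to the router: every VLAN tagged
}

# Constructed untagged frame: dst MAC, src MAC, EtherType 0x0800, dummy IPv4 header
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0011223344aa" "0800") + b"\x45" + b"\x00" * 19

def insert_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag after the 12-byte destination/source MAC header."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1-4094")
    tci = (pcp << 13) | vid  # PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]

def read_tag(frame: bytes):
    """Return (vid, frame_without_tag), or (None, frame) if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

def switch_forward(in_port: int, frame: bytes) -> dict:
    """Flood a frame and return {egress_port: frame as that port sends it}.

    Ingress: untagged frames take the port's PVID; tagged frames are accepted
    only on ports that are members of that VLAN. Egress: tagged on trunk
    members, untagged on access members, never back out the ingress port."""
    vid, payload = read_tag(frame)
    pvid, tagged, untagged = PORTS[in_port]
    if vid is None:
        vid = pvid
    if vid is None or (vid not in tagged and vid not in untagged):
        return {}  # no PVID, or a tag this port does not carry: dropped
    out = {}
    for port, (_, t, u) in PORTS.items():
        if port == in_port:
            continue
        if vid in t:
            out[port] = insert_tag(payload, vid)
        elif vid in u:
            out[port] = payload
    return out
```

Note that VLAN 99 has no untagged member port in this table, so a management frame arriving on the trunk goes nowhere: exactly the point of keeping management off the device ports.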
Netgear GS308E Configuration
Netgear uses a similar interface via their Insight app or the local web GUI.
- Navigate to Switching > VLAN > VLAN Configuration
- Add VLANs (10, 20, 30, 99)
- Under VLAN Membership, for each VLAN:
- Set uplink port to T (Tagged)
- Set device ports to U (Untagged) for the appropriate VLAN
- Under Port PVID, set each access port’s PVID
pfSense / OPNsense VLAN Setup
Your router/firewall is where VLANs become useful — this is where inter-VLAN routing and firewall rules live.
Creating VLAN Interfaces in pfSense
- Interfaces > Assignments > VLANs tab
- Click Add:
- Parent Interface: your LAN interface (e.g., igb1)
- VLAN Tag: 10
- Description: TRUSTED
- Repeat for each VLAN (20, 30, 40, 50, 99)
Assigning and Configuring Interfaces
- Interfaces > Assignments
- Under “Available network ports,” you’ll see your new VLAN interfaces (e.g., igb1.10, igb1.20)
- Click Add for each, then navigate to each interface to configure:
- Enable the interface
- Set IPv4 Configuration Type: Static IPv4
- Assign the gateway IP for that VLAN subnet
VLAN 10 (Trusted): 192.168.10.1/24
VLAN 20 (IoT): 192.168.20.1/24
VLAN 30 (Guest): 192.168.30.1/24
VLAN 40 (NAS): 192.168.40.1/24
VLAN 99 (Mgmt): 192.168.99.1/24
DHCP for Each VLAN
Services > DHCP Server — you’ll see a tab for each interface you’ve configured. Enable DHCP and set a range for each VLAN.
Firewall Rules
This is the actual security. Navigate to Firewall > Rules and add rules for each interface.
IoT VLAN rules (example):
# Allow IoT to internet (WAN)
Action: Pass
Interface: IOT
Source: IOT net
Destination: !RFC1918 (not private IP ranges)
Protocol: Any
# Block IoT from reaching anything internal
Action: Block
Interface: IOT
Source: IOT net
Destination: Any
Trusted VLAN rules:
# Allow trusted to reach NAS
Action: Pass
Interface: TRUSTED
Source: TRUSTED net
Destination: NAS net
Protocol: TCP/UDP
# Allow trusted to internet
Action: Pass
Interface: TRUSTED
Source: TRUSTED net
Destination: Any
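The rule sets above only do what you expect because pfSense and OPNsense evaluate interface rules top to bottom and stop at the first match. Here is an added example (not from the original post) that models that first-match evaluation over the IoT and Trusted rules exactly as listed, using the subnets assigned earlier; the flows it checks are constructed, and protocol and port are ignored since none of the rules key on them.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Interface subnets as assigned above (these are the "<NAME> net" objects in the rules).
NETS = {
    "IOT": ipaddress.ip_network("192.168.20.0/24"),
    "TRUSTED": ipaddress.ip_network("192.168.10.0/24"),
    "NAS": ipaddress.ip_network("192.168.40.0/24"),
}

# The rule sets from the text, top to bottom: (action, source net, destination).
# Destination is a net name, "any", or "!RFC1918" (inverted match on the private ranges).
RULES = {
    "IOT": [("pass", "IOT", "!RFC1918"), ("block", "IOT", "any")],
    "TRUSTED": [("pass", "TRUSTED", "NAS"), ("pass", "TRUSTED", "any")],
}

def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)

def dest_matches(dest: str, ip: ipaddress.IPv4Address) -> bool:
    if dest == "any":
        return True
    if dest == "!RFC1918":
        return not is_rfc1918(ip)
    return ip in NETS[dest]

def evaluate(interface: str, src: str, dst: str, rules=RULES) -> str:
    """Return "pass" or "block" for a flow entering `interface`.

    Rules are checked top to bottom and the first match wins, as on
    pfSense/OPNsense; with no match the implicit default deny applies."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dest in rules[interface]:
        if src_ip in NETS[src_net] and dest_matches(dest, dst_ip):
            return action
    return "block"

def check_iot_isolation() -> dict:
    """Constructed flows mirroring the 'test before you rely on it' advice."""
    iot = "192.168.20.50"
    return {
        "iot_to_internet": evaluate("IOT", iot, "1.1.1.1"),
        "iot_to_nas": evaluate("IOT", iot, "192.168.40.10"),
        "iot_to_trusted_pc": evaluate("IOT", iot, "192.168.10.5"),
        "iot_to_own_gateway": evaluate("IOT", iot, "192.168.20.1"),
        "trusted_to_nas": evaluate("TRUSTED", "192.168.10.5", "192.168.40.10"),
        # Same two IoT rules with the block on top: the pass is never reached.
        "iot_rules_reversed": evaluate("IOT", iot, "1.1.1.1", {"IOT": RULES["IOT"][::-1]}),
    }
```

The own-gateway result shows that the block rule also covers the firewall’s own IoT address, so if IoT devices use pfSense as their DNS resolver, a pass rule to that address on port 53 has to sit above the block.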
Wireless VLANs: Your Access Point Needs to Play Along
Not all access points support multiple SSIDs on different VLANs. Budget consumer gear typically doesn’t. Home lab favorites that do:
- UniFi (UniFi Network Application handles this elegantly)
- OpenWrt-flashed routers (almost any consumer router can be flashed)
- TP-Link EAP series (with Omada controller)
In UniFi: create a network with your VLAN ID, create a wireless network tied to that VLAN network, and the AP handles the tagging. Your IoT WiFi SSID puts devices in VLAN 20 automatically.
Practical Segmentation Strategy for Home Labs
Here’s a sane starting point:
Start small. Don’t try to implement six VLANs on day one. Begin with two: trusted and IoT. Get that working. Add guest. Add management later when you care about it.
Label everything. Stick labels on your switch ports. You will forget which port is which. This is guaranteed.
Test before you rely on it. From an IoT device, try to ping your NAS. You should get nothing. From a trusted device, it should work. Verify your firewall rules are actually blocking what you think they’re blocking.
Keep a console connection. When you inevitably lock yourself out of your switch or router by misconfiguring something, you’ll want a physical console cable. Ask me how I know.
Where to Go From Here
Once your VLANs are working, the next logical steps are:
- Inter-VLAN routing policies: Rate-limit the IoT VLAN. Block certain categories of traffic. Use pfSense’s traffic shaper.
- DNS per VLAN: Run separate DNS resolvers for each VLAN. Your IoT devices don’t need to resolve your internal hostnames.
- 802.1X authentication: Port-based authentication where devices prove their identity before getting VLAN access. Enterprise stuff, but doable in home labs with FreeRADIUS.
Your network is now a series of moats rather than one big swimming pool. The smart lightbulb is isolated, your NAS is safe, and you’ve spent an afternoon doing something that’s genuinely useful. That’s a good weekend.