Setting up a proper home network
When my homelab was one machine running a few Docker containers, network configuration did not matter much. Everything was on the same subnet, the router handled DHCP, and it worked. Then I added more devices, exposed services to the internet, and realized I needed proper network segmentation.
Why bother?
If your IoT devices, personal computers, and homelab servers are all on the same network, a compromised smart bulb can theoretically reach your NAS. That is an extreme example, but the principle matters: separate things that do not need to talk to each other.
VLANs (Virtual LANs) let you create isolated network segments on the same physical hardware. Devices on different VLANs cannot communicate unless you explicitly allow it through firewall rules.
My network layout
I split my network into four VLANs:
- VLAN 1 (Default): Personal devices (laptop, phone, tablet)
- VLAN 10 (Homelab): Servers, NAS, Docker hosts
- VLAN 20 (IoT): Smart home devices, cameras
- VLAN 30 (Guest): Guest Wi-Fi, isolated from everything
Each VLAN gets its own subnet:
- Default: 192.168.1.0/24
- Homelab: 192.168.10.0/24
- IoT: 192.168.20.0/24
- Guest: 192.168.30.0/24
graph TD
FW[OPNsense Firewall / Router]
FW --- V1["VLAN 1 — Personal<br/>192.168.1.0/24"]
FW --- V10["VLAN 10 — Homelab<br/>192.168.10.0/24"]
FW --- V20["VLAN 20 — IoT<br/>192.168.20.0/24"]
FW --- V30["VLAN 30 — Guest<br/>192.168.30.0/24"]
V1 -.-|"can access"| V10
V1 -.-|"can access"| INT((Internet))
V10 -.-|"can access"| INT
V20 -.-|"can access"| INT
V30 -.-|"can access"| INT
What you need
A managed switch (one that supports VLANs) and a router/firewall that can handle inter-VLAN routing. I use a small managed switch and a firewall appliance running OPNsense, but you can achieve the same thing with a router running OpenWrt.
Consumer routers from your ISP typically do not support VLANs. That is the one hardware upgrade you might need.
Firewall rules
The firewall controls what traffic flows between VLANs:
- Personal devices can access the homelab (to use self-hosted services) and the internet
- Homelab can access the internet (for updates, external APIs) but cannot initiate connections to personal devices
- IoT can access the internet (for firmware updates, cloud services) but cannot access personal devices or the homelab
- Guest can only access the internet
This means if an IoT device gets compromised, it cannot reach your NAS, your password vault, or your personal files.
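To make the rule table above concrete, here is a small Python model of the inter-VLAN policy as a default-deny allow list, added as an example and not taken from the post or from any OPNsense/OpenWrt export. It assumes a stateful firewall (replies to permitted flows pass automatically, so "homelab cannot initiate connections to personal devices" still lets a laptop browse a homelab service) and treats any address that is not in one of the four subnets and not private as "the internet". The zone names and the `UNKNOWN_LOCAL` bucket are my own labels.

```python
# Added example: a model of the post's inter-VLAN firewall policy, useful for
# checking that a rule table really enforces the intended isolation before it
# is entered into the firewall GUI or config.
import ipaddress

# Subnets exactly as listed in the post.
VLANS = {
    "personal": ipaddress.ip_network("192.168.1.0/24"),
    "homelab": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
    "guest": ipaddress.ip_network("192.168.30.0/24"),
}

# Permitted *new* connections (source zone, destination zone).
# Anything not listed is dropped: default deny is what makes a compromised
# IoT device unable to reach the NAS.
ALLOW = {
    ("personal", "homelab"),   # use self-hosted services
    ("personal", "INTERNET"),
    ("homelab", "INTERNET"),   # updates, external APIs
    ("iot", "INTERNET"),       # firmware updates, cloud services
    ("guest", "INTERNET"),     # guest gets nothing else
}


def zone_of(addr: str) -> str:
    """Map an IP address to one of the four VLAN zones, INTERNET, or
    UNKNOWN_LOCAL (a private address the policy knows nothing about)."""
    ip = ipaddress.ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    # An unmapped private/loopback/link-local address (e.g. a VLAN added
    # later without rules) must not silently count as "the internet".
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "UNKNOWN_LOCAL"
    return "INTERNET"


def allowed(src: str, dst: str) -> bool:
    """True if a new connection from src to dst is permitted by the policy."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True  # same VLAN: traffic never crosses the firewall
    return (s, d) in ALLOW


def lateral_paths() -> set[tuple[str, str]]:
    """Every allowed VLAN-to-VLAN path, i.e. the lateral-movement surface
    left open by the policy. Should be as small as the post describes."""
    return {(s, d) for (s, d) in ALLOW if s in VLANS and d in VLANS}


if __name__ == "__main__":
    # Constructed sample flows: a compromised camera probing the NAS and a
    # laptop reaching a homelab service.
    print("IoT -> NAS:", allowed("192.168.20.7", "192.168.10.5"))      # False
    print("Laptop -> NAS:", allowed("192.168.1.20", "192.168.10.5"))   # True
    print("Open lateral paths:", lateral_paths())                       # {('personal', 'homelab')}
```

The `lateral_paths()` check is the one worth running after every rule change: if it ever returns more than the single personal-to-homelab path, something in the rule table undoes the segmentation.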
DNS per VLAN
Each VLAN uses AdGuard Home as its DNS server, but with different filtering rules. IoT devices get aggressive ad blocking. Personal devices get standard filtering. The guest network gets basic DNS with no special filtering.
AdGuard Home's per-client settings make this straightforward. Each VLAN's subnet gets its own configuration.
Was it worth the effort?
For a basic homelab with a few services, this level of network segmentation is overkill. If you are exposing services to the internet, running IoT devices, or storing sensitive data on your network, it is worth the weekend of setup.
The peace of mind from knowing that my smart plugs cannot talk to my password vault is worth more than the time I spent configuring it.