Most home networks are a flat layer-2 mess. Your work laptop, your smart TV, your kids' tablets, that sketchy IoT thermostat, and your NAS all share the same broadcast domain. If any one of those devices is compromised, it has a clear path to everything else.
VLANs fix this. They are not complicated, but the documentation online is usually written for enterprise network engineers. This guide is written for someone who knows what a router is and wants to actually get this done at home without a CCNA.
What You Need
To use VLANs you need hardware that supports them. Most consumer routers do not. Here is what the minimum setup looks like:
- A router that supports VLANs. OpenWrt-capable devices are the best value option. The TP-Link ER605 is a solid affordable choice if you want something purpose-built. pfSense or OPNsense on a mini PC gives you the most control.
- A managed switch. Unmanaged switches cannot tag VLANs. The TP-Link TL-SG108E (about $30) is a good entry point. The Netgear GS308E is another reliable option.
- VLAN-capable access points if you want wireless VLAN separation. Ubiquiti UniFi, TP-Link Omada, and OpenWrt-based APs all support this. Your ISP's combo modem/router almost certainly does not.
Plan Your VLANs First
Before touching any hardware, decide what you want to separate. A sensible home setup:
- VLAN 10: Main. Trusted computers, phones, NAS. Full local and internet access.
- VLAN 20: IoT. Smart TVs, speakers, thermostats, cameras, printers. Internet access only. Cannot reach VLAN 10 at all.
- VLAN 30: Guest. Visitors' devices. Internet access only. Isolated from everything else.
- VLAN 40: Servers/Lab. Optional. Home lab machines, development boxes, anything you want controlled access to.
Write this down. You will refer to it constantly during setup.
Router Configuration
The process varies by router firmware, but the concepts are the same everywhere. Using OPNsense as the example:
Go to Interfaces, then Assignments. Create a new VLAN interface for each VLAN you planned. Assign a VLAN ID (10, 20, 30, etc.) and a parent interface (your LAN port). Give each VLAN interface a static IP and enable the DHCP server for that subnet.
Then go to Firewall and create rules. The critical ones:
- VLAN 20 (IoT): Allow to WAN (internet). Block to all other VLANs. Block to router management IP.
- VLAN 30 (Guest): Allow to WAN. Block to all other VLANs. Block to router management IP.
- VLAN 10 (Main): Allow to WAN. Allow to VLAN 40 if you have a server VLAN. Block any connection initiated from the IoT or Guest VLAN (replies to connections Main opened are handled by the stateful firewall and need no extra rule).
Managed Switch Configuration
Using the TP-Link TL-SG108E web interface as the example. Log in and go to VLAN, then 802.1Q VLAN.
For each port, decide whether it is an access port (an untagged member of a single VLAN, used for end devices) or a trunk port (a tagged member of every VLAN it must carry, used for uplinks to your router, access points, or other switches).
Set the PVID (Port VLAN ID) for each access port to match its untagged VLAN. This tells the switch which VLAN to assign untagged traffic coming in on that port.
Wireless VLAN Separation
If you are using UniFi or Omada access points, create separate SSIDs for each VLAN. Assign each SSID to its corresponding VLAN ID. The AP handles the tagging before traffic hits your switch trunk port.
This means your IoT devices connect to a different Wi-Fi network name and are automatically placed on VLAN 20, completely isolated from your main machines even though they are on the same physical access point.
Verifying It Works
Connect a device to each VLAN and verify:
- It gets an IP address in the correct subnet
- It can reach the internet
- From the IoT or Guest VLAN, it cannot ping any IP on VLAN 10
- From VLAN 10, you can still reach your NAS (if on VLAN 10) but not IoT devices
Use ping and traceroute to verify. If something is routing when it should not be, go back to your firewall rules. Missing a block rule is the most common mistake.
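The checks above can be scripted so you run the same test from a device on each VLAN. This is an added example, not part of the original guide; the subnets, probe hosts and the allowed-VLAN matrix are assumptions derived from the plan above (the guide names VLAN IDs only), so adjust them to your own DHCP scopes.

```python
import ipaddress
import socket
import subprocess

# Segmentation plan from the guide. Subnets and probe hosts are assumed
# (the guide gives VLAN IDs only); change them to match your DHCP scopes.
PLAN = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
    30: ipaddress.ip_network("192.168.30.0/24"),
    40: ipaddress.ip_network("192.168.40.0/24"),
}
# One representative host per VLAN to probe (assumed addresses, e.g. the NAS on VLAN 10).
PROBE_HOSTS = {10: "192.168.10.10", 20: "192.168.20.10", 30: "192.168.30.10", 40: "192.168.40.10"}
# Which VLANs each VLAN may initiate connections into, per the firewall rules in the guide.
ALLOWED = {10: {10, 40}, 20: {20}, 30: {30}, 40: {40}}

def vlan_of(ip):
    """Return the planned VLAN whose subnet contains ip, or None (wrong DHCP scope or PVID)."""
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, net in PLAN.items() if addr in net), None)

def expected_results(vlan):
    """Map each target VLAN to whether a device on `vlan` should be able to reach it."""
    return {vid: vid in ALLOWED[vlan] for vid in PLAN}

def evaluate(vlan, observed):
    """Compare observed reachability {target_vlan: bool} with the plan; return violation strings."""
    state = lambda ok: "reachable" if ok else "blocked"
    return [f"VLAN {vlan} -> VLAN {t}: expected {state(e)}, got {state(observed.get(t))}"
            for t, e in expected_results(vlan).items() if observed.get(t) != e]

def reachable(host, port=445, timeout=1.0):
    """ICMP echo (Linux iputils ping) or a TCP connect: ICMP alone can be blocked while TCP passes."""
    icmp = subprocess.run(["ping", "-c", "1", "-W", str(int(timeout)), host],
                          capture_output=True).returncode == 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            return icmp or s.connect_ex((host, port)) == 0
        except OSError:
            return icmp

def local_ip():
    """Source address of the default route; the UDP connect sends no packet."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect(("192.0.2.1", 9))  # TEST-NET-1, documentation range
        return s.getsockname()[0]

if __name__ == "__main__":
    ip = local_ip()
    vlan = vlan_of(ip)
    if vlan is None:
        raise SystemExit(f"{ip} is in no planned subnet: check the DHCP scope and the port PVID")
    violations = evaluate(vlan, {vid: reachable(h) for vid, h in PROBE_HOSTS.items()})
    print("\n".join(violations) or f"VLAN {vlan}: segmentation matches the plan")
    raise SystemExit(1 if violations else 0)
```

Run it once from a device on each VLAN; every line it prints is a firewall rule (or a switch PVID) that does not match the plan you wrote down.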
Want the Full Network Security Guide?
This article covers VLANs. Our Home Network Security Setup Guide covers the full picture: router hardening, DNS filtering with Pi-hole or NextDNS, device monitoring, WireGuard VPN setup, and a complete firewall rule template for OPNsense and pfSense. $19, instant download.