Building a Secure Homelab Network with VLANs and Smart Architecture
The Journey Begins: Why My Homelab Needed a Security Overhaul
When I first set up my homelab, like most enthusiasts, I plugged everything into the same network switch and called it a day. My Kubernetes cluster, smart home devices, media servers, and security cameras all lived on the same subnet—a ticking time bomb of security vulnerabilities. One compromised IoT device could have meant instant access to my entire network. That’s when I realized I needed to architect something better.
This is the story of how I transformed my chaotic home network into a segmented, secure infrastructure using VLANs (Virtual Local Area Networks) and thoughtful architecture—all while learning what it really means to design for security at home.
Part 1: Understanding the Problem - Why Network Segmentation Matters
The Flat Network Nightmare
Imagine your entire house is one big hallway. The front door security system, your personal computer, the kitchen smart fridge, and your server with all your photos and documents are all standing in the same hallway with no walls between them.
If someone (or something) compromises any device on your network, they have a clear path to everything else. This is exactly what happens with a flat, unsegmented network.
The real risks:
- Compromised IoT devices (a hacked smart bulb, say) can scan and exploit every other device on the same subnet
- Man-in-the-Middle (MITM) attacks: on one shared Layer 2 segment a single rogue device can poison ARP caches and intercept traffic between any two hosts
- Lateral movement: an attacker gains access to one device, then pivots to sensitive systems
- Data exfiltration: sensitive files are stolen by malware or attackers without your knowledge
The VLAN Solution
VLANs are like building walls in that hallway. They create separate networks that appear as distinct subnets, even though they share the same physical network infrastructure. Think of it like this:
- VLAN 10 (Management): Your switch, firewall and AP management interfaces plus admin tools - highly restricted
- VLAN 20 (Servers): Production services like Kubernetes, databases, file storage
- VLAN 30 (IoT/Smart Home): Smart bulbs, thermostats, and cameras - untrusted by default
- VLAN 40 (Guests): Visitors’ devices - completely isolated
- VLAN 50 (Work/Personal): Your PCs, laptops, and trusted devices
With VLANs, even if someone compromises your IoT network, they can’t directly access your server infrastructure. Traffic between VLANs has to be routed through pfSense, so instead of an open Layer 2 path they hit a firewall rule.
Part 2: My Network Architecture - A Story of Thoughtful Design
The Hardware Foundation
Internet
↓
[pfSense Firewall/Router]
↓
[Managed Switch with VLAN Support]
↓
├─ VLAN 10 (Management) → Network monitoring, SSH access points
├─ VLAN 20 (Servers) → Kubernetes, databases, services
├─ VLAN 30 (IoT) → Smart home devices, restricted access
├─ VLAN 40 (Guests) → Isolated visitor network
└─ VLAN 50 (Trusted) → Personal computers, laptops
Key Component: The Managed Switch
The switch is your segmentation point. It understands VLANs and can tag traffic appropriately. I’m using a switch that supports:
- VLAN tagging (802.1Q)
- Access and trunk ports
- Basic QoS for traffic prioritization
- Managed configuration (not just plug-and-play)
Why pfSense as the Firewall:
I chose pfSense because:
1. VLAN-aware - It understands 802.1Q tags and routes between all the VLANs over a single trunk (“router on a stick”)
2. Firewall rules by VLAN - I can create granular rules like “IoT can only reach DNS and specific servers”
3. Open source - Full transparency into security rules
4. Community-driven - Regularly updated with security patches
Part 3: Setting Up VLANs - The Implementation
Step 1: Configure the Switch
On your managed switch, you need to:
Create the VLANs:
- VLAN 10 - Management (10.0.10.0/24)
- VLAN 20 - Servers (10.0.20.0/24)
- VLAN 30 - IoT (10.0.30.0/24)
- VLAN 40 - Guests (10.0.40.0/24)
- VLAN 50 - Trusted (10.0.50.0/24)
Configure ports as access or trunk:
- Access ports (connect to regular devices; untagged member of exactly one VLAN, the device never sees a tag):
  - Port 1 → VLAN 30 (IoT device)
  - Port 2 → VLAN 50 (Your laptop)
  - Port 3 → VLAN 40 (Guest WiFi AP; an AP that serves several SSIDs needs a trunk instead)
- Trunk ports (connect to other switches/firewall; every VLAN tagged):
  - Port 24 → Connects to pfSense (carries VLANs 10-50, all tagged)
Native VLAN: untagged traffic on a trunk lands in the native VLAN, which is VLAN 1 out of the box. Don’t leave it there. Set the native VLAN on every trunk to an otherwise unused ID that no access port belongs to, or configure the trunk to tag the native VLAN too. This is the setting that defeats the double-tagging trick covered in Part 5.
Step 2: Configure pfSense for VLAN Routing
In pfSense, create a tagged subinterface for each VLAN on the NIC that faces the trunk port (Interfaces → Assignments → VLANs, parent em0, tag = VLAN ID), then assign each one as its own interface:
Interfaces → Assignments
- VLAN 10 (em0.10) → OPT1 (Management)
- VLAN 20 (em0.20) → OPT2 (Servers)
- VLAN 30 (em0.30) → OPT3 (IoT)
- VLAN 40 (em0.40) → OPT4 (Guests)
- VLAN 50 (em0.50) → OPT5 (Trusted)
Enable each interface and give it a static IPv4 address (then turn on the DHCP server on each one so clients land in the right range):
Management: 10.0.10.1/24
Servers: 10.0.20.1/24
IoT: 10.0.30.1/24
Guests: 10.0.40.1/24
Trusted: 10.0.50.1/24
Step 3: Create Firewall Rules
Now for the magic: the rules that actually enforce security. Two pfSense facts shape how they are written. Rules are attached to the interface where traffic enters, so “IoT → Servers” lives on the IoT tab, not the Servers tab, and they are evaluated top to bottom, first match wins, with an implicit deny for anything that matches nothing on an OPT interface. The firewall is stateful, so replies to a permitted connection flow back without extra rules. One trap: the anti-lockout rule only exists on LAN, so the web GUI on each VLAN’s gateway address is reachable only if a rule on that VLAN allows it, which is exactly what you want for IoT and Guests.
IoT VLAN Rules (most restrictive):
- Allow: IoT → This Firewall, DNS (TCP/UDP 53)
- Allow: IoT → This Firewall, NTP (UDP 123)
- Allow: IoT → the Home Assistant host on the Servers VLAN, only on its service port
- Deny: IoT → any other network (the implicit default; an explicit block to an RFC1918 alias makes the intent visible in the logs)
- Deny: IoT → Internet (no direct outbound by default; add narrow per-device allows by destination for gear that genuinely needs its cloud service, and expect devices with hard-coded public DNS to fail until you allow them)
Server VLAN Rules:
- Servers ↔ Servers: traffic inside one VLAN is switched directly and never reaches pfSense, so no rule is needed (and no firewall rule can restrict it; that is a job for host firewalls or Kubernetes network policies)
- Allow: Servers → Internet (managed outbound: updates, image pulls)
- Allow: Home Assistant → IoT, if it has to poll devices rather than only receive from them
- Trusted → Servers is granted on the Trusted tab; IoT → Servers is already denied on the IoT tab, which is where the isolation is actually enforced
Trusted VLAN Rules:
- Allow: Trusted → All VLANs (user devices need flexibility)
- Allow: Trusted → Internet
- Deny: Untrusted → Trusted (nothing on the IoT or Guest tabs permits it, so the implicit deny does this for you)
Guest VLAN Rules:
- Allow: Guests → This Firewall, DNS (TCP/UDP 53)
- Allow: Guests → specific published services by IP and port (e.g., Plex on the Servers VLAN), only if you choose to expose any
- Block: Guests → any RFC1918 network
- Allow: Guests → any (the Internet rule, placed last so the block above wins for internal destinations)
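Before typing rules into the GUI it helps to write the intended policy down and check it against a model of how pf evaluates them. The block below is an added example for this post, not pfSense code: it models the per-interface rule sets above (ingress interface, first match wins, implicit deny) and evaluates a list of flows we expect to pass or be blocked. The subnets follow the post; the Home Assistant host (10.0.20.50, port 8123) and Plex host (10.0.20.60, port 32400) are assumptions.

```python
"""Added example for this post, not pfSense code: a small model of how pf
evaluates the per-interface rule sets above (ingress interface, first match
wins, implicit deny), used to check the intended VLAN policy before touching
the real firewall. Subnets follow the post; the Home Assistant and Plex host
addresses and ports are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VLANS = {
    "mgmt":    ipaddress.ip_network("10.0.10.0/24"),
    "servers": ipaddress.ip_network("10.0.20.0/24"),
    "iot":     ipaddress.ip_network("10.0.30.0/24"),
    "guests":  ipaddress.ip_network("10.0.40.0/24"),
    "trusted": ipaddress.ip_network("10.0.50.0/24"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
HOME_ASSISTANT = [ipaddress.ip_network("10.0.20.50/32")]  # assumed host
PLEX = [ipaddress.ip_network("10.0.20.60/32")]            # assumed host

def this_firewall(vlan):
    """pfSense's 'This Firewall' for one VLAN: the .1 gateway address."""
    return [ipaddress.ip_network(f"{VLANS[vlan][1]}/32")]

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    dst: list                    # destination networks
    proto: Optional[str] = None  # "tcp", "udp" or None for either
    dports: tuple = ()           # destination ports, () means any
    src: Optional[list] = None   # source networks, None means the whole VLAN

# Rules live on the interface the traffic enters, evaluated top to bottom.
RULES = {
    "iot": [
        Rule("pass", this_firewall("iot"), "udp", (53,)),
        Rule("pass", this_firewall("iot"), "tcp", (53,)),
        Rule("pass", this_firewall("iot"), "udp", (123,)),
        Rule("pass", HOME_ASSISTANT, "tcp", (8123,)),
        # no Internet rule: everything else hits the implicit deny
    ],
    "guests": [
        Rule("pass", this_firewall("guests"), "udp", (53,)),
        Rule("pass", PLEX, "tcp", (32400,)),
        Rule("block", RFC1918),   # must sit above the Internet rule
        Rule("pass", ANY),
    ],
    "servers": [
        Rule("pass", [VLANS["iot"]], src=HOME_ASSISTANT),  # HA may poll devices
        Rule("block", RFC1918),   # servers do not initiate to other VLANs
        Rule("pass", ANY),        # outbound for updates and image pulls
    ],
    "trusted": [Rule("pass", ANY)],
    "mgmt": [Rule("pass", ANY)],
}

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "internet")

def matches(rule, src, dst, proto, dport):
    if rule.src is not None and not any(src in n for n in rule.src):
        return False
    if not any(dst in n for n in rule.dst):
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    return not rule.dports or dport in rule.dports

def verdict(src_ip, dst_ip, proto, dport):
    """First matching rule on the ingress interface decides; no match blocks."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ingress = vlan_of(src_ip)
    if ingress == "internet":
        return "block"  # WAN has no inbound pass rules in this design
    for rule in RULES[ingress]:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "block"

# Intended policy as (src, dst, proto, dport, expected); run before deploying.
POLICY = [
    ("10.0.30.20", "10.0.30.1", "udp", 53, "pass"),        # IoT -> DNS on its gateway
    ("10.0.30.20", "10.0.30.1", "tcp", 443, "block"),      # IoT -> firewall web GUI
    ("10.0.30.20", "10.0.20.50", "tcp", 8123, "pass"),     # IoT -> Home Assistant
    ("10.0.30.20", "10.0.20.50", "tcp", 22, "block"),      # same host, wrong port
    ("10.0.30.20", "10.0.20.10", "tcp", 6443, "block"),    # IoT -> Kubernetes API
    ("10.0.30.20", "93.184.216.34", "tcp", 443, "block"),  # IoT -> Internet
    ("10.0.40.7", "93.184.216.34", "tcp", 443, "pass"),    # Guest -> Internet
    ("10.0.40.7", "10.0.20.60", "tcp", 32400, "pass"),     # Guest -> Plex
    ("10.0.40.7", "10.0.50.5", "tcp", 445, "block"),       # Guest -> a trusted laptop
    ("10.0.50.5", "10.0.20.10", "tcp", 6443, "pass"),      # Trusted -> Kubernetes API
    ("10.0.20.50", "10.0.30.20", "tcp", 80, "pass"),       # HA polls a device
    ("10.0.20.10", "10.0.50.5", "tcp", 22, "block"),       # other server -> Trusted
]

def policy_violations():
    """Return the POLICY entries whose verdict differs from what we intended."""
    return [c for c in POLICY if verdict(*c[:4]) != c[4]]

if __name__ == "__main__":
    for c in POLICY:
        print(f"{c[0]:>12} -> {c[1]:>15}:{c[3]}/{c[2]}  {verdict(*c[:4])}")
    print("policy violations:", policy_violations())
```

An empty violation list means the rule order does what you intended. Try moving the Guest RFC1918 block below the Internet rule, or dropping the Home Assistant source restriction on the Servers tab, and watch the violations appear: that is the kind of ordering mistake that is invisible in the GUI until something leaks.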
Part 4: The Security Benefits I’ve Realized
Real-World Protection
After implementing this architecture, here’s what changed:
Attack Surface Reduction: Even if my security camera gets compromised, it’s trapped in VLAN 30. It can’t reach my server data, my work laptop, or my personal files.
Compliance-Ready: If I ever need to pass security audits, I have documented network segmentation.
Service Isolation: My Kubernetes cluster failures don’t affect IoT devices. A misconfigured app in VLAN 20 doesn’t break smart home automation in VLAN 30.
Visibility: pfSense logs show me exactly who’s talking to whom. A suspicious IoT device trying to reach internal networks gets logged immediately.
Guest Confidence: I can give guests WiFi (VLAN 40) without worrying they’ll stumble across my server data.
Part 5: Advanced Techniques and Lessons Learned
VLAN Hopping - A Real Threat I Defended Against
When I first set up VLANs, I thought the firewall rules alone would protect me. Wrong. The firewall only sees traffic the switch hands it; if an attacker can get a frame into another VLAN at Layer 2, pfSense never gets a vote. The two classic ways to “hop”:
- 802.1Q double-tagging: the attacker sits on an access port whose VLAN is also the trunk’s native VLAN and sends a frame with two tags, the native VLAN outside and the target VLAN inside. The first switch strips the outer (native) tag when it forwards the frame over the trunk, the next switch reads the inner tag and delivers the frame into the target VLAN. It is one-way (replies never come back), which is still enough for a blind exploit or a DoS. A native VLAN that no access port uses, or tagging the native VLAN, breaks it.
- Switch spoofing: a port left in trunk auto-negotiation (DTP on Cisco gear) lets a rogue device negotiate itself into a trunk and see every VLAN. Hard-setting every port to access or trunk breaks it.
My defense:
1. Kept all switch firmware updated
2. Disabled unused ports (set to access mode on a dead VLAN)
3. Protected management access with strong credentials
4. Implemented DHCP snooping and ARP inspection
5. Regular security audits of VLAN configurations
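To see why the native VLAN setting matters, it helps to build the double-tagged frame byte for byte and run it through a model of the trunk. The block below is an added example for this post, not a tool from it: it constructs 802.1Q frames and simplifies a switch to the two behaviours that matter here (a trunk sends its native VLAN untagged, and a receiving trunk files an untagged frame under its native VLAN). The access-port behaviour of accepting a tagged frame whose outer VID matches its own VLAN is an assumption that holds on many switches but not all.

```python
"""Added example for this post: a byte-level model of an 802.1Q
double-tagging hop and of the native-VLAN fix. The switch behaviour is a
simplified model, not any vendor's implementation."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def build_frame(vids, payload=b"", dst=b"\xff" * 6, src=b"\x02\x00\x00\x00\x00\x01"):
    """Ethernet frame with one 802.1Q tag per VID, outermost first.
    Each tag is TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VID."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_tags(frame):
    """Return (list of VIDs outermost first, offset of the real EtherType)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, off

def strip_outer_tag(frame):
    """Drop the four tag bytes that follow the two MAC addresses."""
    return frame[:12] + frame[16:]

def trunk_egress(frame, native_vid):
    """A trunk sends its native VLAN untagged: if the outer tag is the native
    VLAN the switch strips it; any other VLAN keeps its tag."""
    vids, _ = parse_tags(frame)
    if vids and vids[0] == native_vid:
        return strip_outer_tag(frame)
    return frame

def trunk_ingress_vlan(frame, native_vid):
    """The receiving switch files the frame under its outer tag, or under the
    native VLAN when no tag is present."""
    vids, _ = parse_tags(frame)
    return vids[0] if vids else native_vid

def double_tag_hop(attacker_access_vid, trunk_native_vid, target_vid=20):
    """Attacker on an access port in attacker_access_vid sends a frame tagged
    [attacker_access_vid, target_vid]. Returns the VLAN the frame lands in on
    the far side of the trunk."""
    frame = build_frame([attacker_access_vid, target_vid], b"payload")
    # Assumption: the access port accepts a tagged frame whose outer VID
    # matches its own VLAN and treats the inner tag as payload.
    on_wire = trunk_egress(frame, trunk_native_vid)
    return trunk_ingress_vlan(on_wire, trunk_native_vid)

if __name__ == "__main__":
    print("attacker in VLAN 1, native VLAN 1   ->", double_tag_hop(1, 1))    # 20: hop succeeds
    print("attacker in VLAN 1, native VLAN 999 ->", double_tag_hop(1, 999))  # 1: stays put
    print("attacker in VLAN 30, native VLAN 1  ->", double_tag_hop(30, 1))   # 30: stays put
```

The first call reproduces the hop: the outer tag (VLAN 1) is the native VLAN, so it is stripped on the trunk and the frame arrives wearing only the VLAN 20 tag. With the native VLAN moved to an ID no access port uses, the outer tag survives the trunk and the frame stays in the attacker’s own VLAN. The same holds when the attacker sits in any VLAN other than the native one, which is why the Part 3 advice is to leave VLAN 1 empty and pick an unused native VLAN for every trunk.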
WiFi Integration - Bridging Physical and Wireless
My WiFi APs are in VLAN 40 (Guests), VLAN 50 (Personal), and VLAN 30 (IoT). Each SSID is configured to tag traffic appropriately:
SSID "HomeNetwork" → Tagged VLAN 50 (WPA3, strong password)
SSID "IoT-Devices" → Tagged VLAN 30 (WPA2, unique password)
SSID "Guests" → Tagged VLAN 40 (WPA2, shared password)
The AP doesn’t need to route anything; it just tags each client’s frames with the VLAN of the SSID they joined. That means the switch port the AP hangs off must be a trunk carrying VLANs 30, 40 and 50 (plus whichever VLAN you manage the AP from), not an access port. Turn on client isolation on the guest SSID as well, so guests can’t see each other any more than they can see you.
Monitoring and Logging
I set up pfSense state table monitoring:
# Monitor active connections
pfctl -s states
# View firewall logs (newer pfSense releases write plain text; older ones used clog, where clog -f does the same)
tail -f /var/log/filter.log
# Watch what the IoT VLAN sends toward the management subnet, captured on the IoT interface where tags are already stripped
tcpdump -ni em0.30 dst net 10.0.10.0/24
Suspicious patterns I watch for:
- IoT devices initiating connections to servers (should only respond to requests)
- Large data transfers from trusted networks
- Connections to unusual ports
- Any traffic from guests to internal networks
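Tailing the log is fine for a live look, but the patterns above are easier to catch by parsing the log and classifying each entry by source and destination VLAN. The block below is an added example for this post, not a pfSense tool. It assumes the pfSense 2.2+ filterlog CSV layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then for IPv4: tos, ecn, ttl, id, offset, flags, protocol id, protocol, length, source, destination, source port, destination port, ...); check that ordering against a line from your own log before trusting the field indexes. The log lines in SAMPLE_LOG are constructed for the example, not captured, and port 8123 for Home Assistant is an assumption.

```python
"""Added example for this post, not a pfSense tool: parse filterlog lines
and flag the suspicious patterns listed above. The CSV field order is the
pfSense 2.2+ layout as assumed in the text; the sample lines are constructed."""
import ipaddress
import re
from collections import defaultdict

VLANS = {name: ipaddress.ip_network(net) for name, net in {
    "mgmt": "10.0.10.0/24", "servers": "10.0.20.0/24", "iot": "10.0.30.0/24",
    "guests": "10.0.40.0/24", "trusted": "10.0.50.0/24"}.items()}
IOT_ALLOWED_PORTS = {53, 123, 8123}  # what the IoT rules permit (8123 assumed for Home Assistant)

# Matches "filterlog:" and "filterlog[pid]:" syslog prefixes
LINE_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>.+)$")

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in VLANS.items() if addr in net), "internet")

def parse_line(line):
    """Return the fields this model uses, or None for lines it skips
    (non-IPv4, non-TCP/UDP, or anything that is not a filterlog entry)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16],
            "src": f[18], "dst": f[19], "sport": int(f[20]), "dport": int(f[21])}

def analyse(lines, scan_threshold=3):
    """Return (tag, detail) findings for the patterns listed above."""
    findings, blocked_targets = [], defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is None or e["dir"] != "in":
            continue
        s, d = vlan_of(e["src"]), vlan_of(e["dst"])
        flow = f'{e["src"]} -> {e["dst"]}:{e["dport"]}/{e["proto"]} ({e["action"]})'
        # IoT initiating toward another internal VLAN: a blocked attempt is a
        # probe, a passed one on an unexpected port is a rule mistake
        if s == "iot" and d in VLANS and d != "iot" and (
                e["action"] == "block" or e["dport"] not in IOT_ALLOWED_PORTS):
            findings.append(("iot_initiated_internal", flow))
        if s == "guests" and d in VLANS:
            findings.append(("guest_to_internal", flow))
        if e["action"] == "block":
            blocked_targets[e["src"]].add((e["dst"], e["dport"]))
    # Many distinct blocked destination/port pairs from one host looks like a scan
    for src, targets in blocked_targets.items():
        if len(targets) >= scan_threshold:
            findings.append(("possible_scan", f"{src} hit {len(targets)} blocked destination/port pairs"))
    return findings

# Constructed sample lines: an IoT device probing servers and a laptop, a
# legitimate DNS lookup, a legitimate Home Assistant connection, a guest
# poking at a server share, and a guest browsing the Internet.
SAMPLE_LOG = """\
Mar  4 10:15:22 pfSense filterlog[41012]: 5,,,1000000105,em0.30,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.30.20,10.0.20.10,51514,22,0,S,1,,65535,,mss
Mar  4 10:15:22 pfSense filterlog[41012]: 5,,,1000000105,em0.30,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.30.20,10.0.20.10,51515,6443,0,S,1,,65535,,mss
Mar  4 10:15:23 pfSense filterlog[41012]: 5,,,1000000105,em0.30,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.30.20,10.0.50.5,51516,445,0,S,1,,65535,,mss
Mar  4 10:15:30 pfSense filterlog[41012]: 9,,,1000000109,em0.30,match,pass,in,4,0x0,,64,0,0,DF,17,udp,76,10.0.30.21,10.0.30.1,40001,53,56
Mar  4 10:16:01 pfSense filterlog[41012]: 12,,,1000000112,em0.30,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.30.21,10.0.20.50,40002,8123,0,S,1,,65535,,mss
Mar  4 10:17:45 pfSense filterlog[41012]: 21,,,1000000121,em0.40,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.40.7,10.0.20.60,55000,445,0,S,1,,65535,,mss
Mar  4 10:18:02 pfSense filterlog[41012]: 22,,,1000000122,em0.40,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,10.0.40.7,93.184.216.34,55001,443,0,S,1,,65535,,mss
"""

if __name__ == "__main__":
    for tag, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"{tag:24} {detail}")
```

Run against the sample it reports three IoT probes, one guest attempt at an internal host, and a possible scan from the IoT device that touched three different blocked destinations; the DNS lookup and the Home Assistant connection stay quiet because they match what the IoT rules allow. Note that blocked entries only appear if logging is enabled on the block rules (pfSense logs the default block by default, explicit rules only when you tick the box), and that the “large transfer” pattern needs state or flow data rather than the per-packet filter log.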
Part 6: Cost and Practical Considerations
Hardware Requirements
What you’ll need:
- Managed switch with VLAN support: $200-600 USD depending on port count
- pfSense-capable hardware: $150-400 (or repurpose an old PC)
- WiFi APs with VLAN tagging: $100-300 per AP (UniFi, TP-Link Omada)
Optional but recommended:
- Network monitoring tool (Zabbix, Prometheus)
- Dedicated logging server
- Intrusion detection system (Suricata)
Complexity vs. Security Trade-off
VLANs add some complexity, but it’s manageable:
- Initial setup takes 4-8 hours
- Monthly management: 30 minutes
- Troubleshooting: VLANs are sometimes blamed for issues that are actually elsewhere (I’ve been there)
Part 7: Lessons I Wish I’d Known Earlier
Document everything - Keep a diagram of VLAN IDs, IP ranges, and firewall rules. Future you will thank you.
Start simple, expand gradually - Don’t create 20 VLANs on day one. Start with 3-4 and add as needed.
Test rules before enforcing - Set up logging first, then gradually move from “Allow all” to “Deny all except…”
VLAN 1 is special - It is the default VLAN of every port and the default native VLAN of every trunk, so keep it empty: management lives on VLAN 10, and the trunk native VLAN should be an unused ID. Don’t put production devices there.
Management VLAN access is critical - If you lock yourself out of your management VLAN, you’ll need physical access to recover. Learned this the hard way.
Not all devices play well across VLANs - End devices never need to understand tagging (the access port or SSID assigns the VLAN for them), but many smart-home gadgets rely on mDNS/broadcast discovery that stops at the VLAN boundary. An mDNS repeater (the Avahi package on pfSense) bridges discovery between IoT and Trusted without opening the firewall; failing that, keep a fallback unsegmented network for the stubborn legacy devices.
Conclusion: From Chaos to Architecture
What started as a flat network with everything connected to one switch transformed into a thoughtfully segmented infrastructure. Every device now lives in its own neighborhood with clear rules about who can visit whom.
The security improvement is significant. The operational complexity? Actually minimal once you understand the concepts.
If you’re building a homelab today, I highly recommend starting with VLAN segmentation from day one. It’s like building with walls from the start instead of trying to add them later.
This architecture isn’t just about security—it’s about having confidence in your network. When you understand the traffic flow and have explicit rules for each segment, you can relax knowing that a compromised IoT device isn’t a threat to your entire infrastructure.
Quick Reference: My Final Configuration
┌─────────────────────────────────────────────────────────┐
│ HOMELAB NETWORK DESIGN │
├─────────────────────────────────────────────────────────┤
│ VLAN 10: Management (10.0.10.0/24) - CRITICAL │
│ VLAN 20: Servers (10.0.20.0/24) - CORE SERVICES │
│ VLAN 30: IoT/Smart (10.0.30.0/24) - UNTRUSTED │
│ VLAN 40: Guests (10.0.40.0/24) - ISOLATED │
│ VLAN 50: Trusted/Work (10.0.50.0/24) - PERSONAL │
└─────────────────────────────────────────────────────────┘
Traffic Rules (Default: DENY)
├─ Trusted ↔ All (flexible access)
├─ Servers ↔ Servers + controlled access
├─ Management → All (admin access)
├─ IoT → DNS, NTP, specific services only
└─ Guests → Internet only
Build smart. Segment intentionally. Sleep well knowing your network is secure.