The average home now has dozens of networked devices, from computers to smart home gadgets and streaming boxes. Each class of device uses the network differently, and that becomes a problem when they all sit on one flat network. Smart home devices in particular should be kept away from the rest of your network. Streaming devices emit a constant stream of broadcast and multicast discovery chatter, and that’s before getting into IP security cameras and whatever else you may have set up. There’s a simple solution: virtual LANs, aka VLANs.
Setting up VLANs on your home network might sound like a lot of work, but it’s really very simple. The hard part is ensuring they’re designed in an orderly manner, which makes setup, maintenance, and troubleshooting much easier. I’ve learned over the years that some basics make the complicated parts much easier, and these are the things I consider whenever setting up a new network with VLAN segments.
Avoid the native VLAN (VLAN 1)
Use this for management or unused ports only
Every managed switch ships with a default VLAN that every port belongs to out of the box, and on trunk ports a native VLAN where untagged frames land. On virtually every platform both are VLAN 1 (VLAN 0 is reserved by 802.1Q for priority tagging and can’t be used as a VLAN). That default is handy in one way, because everything connects with zero configuration, but it isn’t best practice, and once you start defining VLANs the default one shouldn’t carry general traffic. Vendors differ in how, and whether, they let you change the default and native VLAN, so check the manual for your particular switch.
We want to be intentional with our Layer-2 configuration, so set the native VLAN on every trunk to an ID you don’t use for any network segment, and don’t place any access ports in it. Untagged frames arriving on a trunk then land in a VLAN that contains none of your devices instead of quietly joining the main network. It also blunts the classic double-tagging VLAN-hopping trick, which relies on the attacker’s access port sharing the trunk’s native VLAN. This keeps you safer, even if adding new devices requires a little more setup. The other reason is consistency: vendors handle their default VLAN slightly differently, so by setting it explicitly you don’t run into oddities when adding new hardware.
For example, on Cisco IOS you’d define the parking VLAN and make it the native VLAN on a trunk that carries VLANs 10, 20 and 30 (note the keywords are “trunk allowed vlan” and “trunk native vlan”):
!
vlan 888
 name PARKING
!
interface GigabitEthernet1/1/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 888
!
Then, once you’ve done that, make every unused port on your switches an access port in VLAN 888 and shut it down. Someone plugging a laptop into a spare port then lands in a VLAN with nothing in it, or, with the port disabled, gets no link at all. It’s perhaps overkill for home use, but it’s the same practice you’d find in an enterprise environment, and it’s worth learning how it works.
Space VLAN IDs apart
And match the VLAN IDs to IP subnet third octets
While you could number your segments VLAN 2, VLAN 3, VLAN 4 and so on, I’d caution against it. Adjacent IDs are easy to mistype when tagging ports (one finger on the wrong key puts a port in the neighbouring VLAN), they’re harder to read back later, and they leave no room to slot related VLANs in next to the originals when you expand.
The other part is that when assigning subnets to those VLANs, you can match the third octet to the VLAN ID. This gives you an instant way to recognize which VLAN a device is on and simplifies troubleshooting. IP ranges must not overlap between VLANs, and a /24 (254 usable addresses) is plenty for any home segment; if an IoT or guest VLAN ever outgrows that you can widen it, but that’s about the only exception.
For example:
- VLAN10 – 192.168.10.0/24
- VLAN20 – 192.168.20.0/24
This also gives you virtual parking space between your VLANs for future needs. Think of these initial VLAN segments as folders on your computer. They’re set up to cover a broad class of devices, but you might add so many IoT devices that you want to split them further, or set up per-room VLANs for some other need. Spacing the initial VLAN IDs 10 apart leaves room to put new segments right next to the original, which keeps everything easy to follow.
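To make the spacing and third-octet conventions checkable rather than something you eyeball, here is an added example in Python (not from the article or any vendor). It derives 192.168.<ID>.0/24 from each VLAN ID, then flags IDs that collide with the default or parking VLAN, IDs that aren’t multiples of 10, hand-typed subnets whose third octet doesn’t match the tag, and any overlapping ranges. The parking VLAN 888 and the 192.168.0.0/16 block are assumptions carried over from the trunk example above; both sample plans are constructed.

```python
"""VLAN plan helper: derive each VLAN's subnet from its ID and sanity-check the plan.

Added example for this article, not vendor code. Assumptions: VLAN 888 is the
unused native/parking VLAN, the home network lives in 192.168.0.0/16, and
VLAN IDs are kept 10 apart.
"""
import ipaddress

NATIVE_VLAN = 888   # parking VLAN from the trunk example (assumed)
SITE = "192.168"    # RFC 1918 block used for the home network (assumed)
SPACING = 10        # VLAN IDs are kept this far apart


def subnet_for(vlan_id, prefixlen=24):
    """Derive 192.168.<vlan_id>.0/prefixlen so the third octet mirrors the VLAN ID."""
    if not 1 <= vlan_id <= 254:
        raise ValueError(f"VLAN {vlan_id} cannot be encoded in an IPv4 third octet")
    return ipaddress.ip_network(f"{SITE}.{vlan_id}.0/{prefixlen}")


def build_plan(entries):
    """entries: iterable of (vlan_id, name, cidr_or_None).
    A None cidr is derived from the VLAN ID; an explicit cidr is kept exactly as
    typed so the checker can catch hand-entered mistakes."""
    plan = []
    for vid, name, cidr in entries:
        net = ipaddress.ip_network(cidr) if cidr else subnet_for(vid)
        plan.append((vid, name, net))
    return plan


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is clean."""
    problems = []
    seen = []
    for vid, name, net in plan:
        if vid in (1, NATIVE_VLAN):
            problems.append(f"VLAN {vid} ({name}): default/native VLAN must not carry user traffic")
        if vid % SPACING:
            problems.append(f"VLAN {vid} ({name}): not a multiple of {SPACING}, no room for related segments")
        third_octet = int(str(net.network_address).split(".")[2])
        if third_octet != vid:
            problems.append(f"VLAN {vid} ({name}): subnet {net} third octet is {third_octet}, expected {vid}")
        for other_vid, other_name, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"VLAN {vid} ({name}): subnet {net} overlaps VLAN {other_vid} ({other_name}) {other_net}")
        seen.append((vid, name, net))
    return problems


# Constructed sample plans: the article's six segments, then a sloppy version.
GOOD_PLAN = build_plan([
    (10, "MAIN-DEVICES", None), (20, "STREAMING-DEVICES", None), (30, "CAMERAS", None),
    (40, "GUEST-NETWORK", None), (50, "IOT-DEVICES", None), (60, "SERVERS-NAS", None),
])
BAD_PLAN = build_plan([
    (1, "MAIN-DEVICES", None),                     # user traffic left on the default VLAN
    (20, "STREAMING-DEVICES", "192.168.21.0/24"),  # third octet does not match the tag
    (30, "CAMERAS", "192.168.20.0/23"),            # mistyped /23 that also swallows VLAN 20's range
    (41, "GUEST-NETWORK", None),                   # off-by-one tag, not a multiple of 10
])

if __name__ == "__main__":
    for vid, name, net in GOOD_PLAN:
        print(f"VLAN{vid:<4} {name:<18} {net}")
    for problem in check_plan(BAD_PLAN):
        print("PROBLEM:", problem)
```

Run it and the good plan prints cleanly while the sloppy one produces six findings, including the overlap between the mistyped /23 and its neighbour, which is exactly the kind of error that is painful to find later from a routing table.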
Create VLANs according to the devices that will use them
It cuts broadcast noise for every device, and it makes troubleshooting easier
You’ve probably seen that IoT devices should be on their own VLAN. Yes, this is because of security, but why should that be the only reason? When you take inventory of your network devices, group them according to function. Then, create VLANs for each of those groups.
For example:
- VLAN10 – main devices like laptops and PCs
- VLAN20 – media/streaming devices
- VLAN30 – security cameras
- VLAN40 – guest network
- VLAN50 – IoT devices
- VLAN60 – servers/NAS devices
This organized way of creating VLANs makes firewall rules easier to write, because you set them per network segment rather than per device. It makes troubleshooting easier. And it makes each segment work better, because noisy devices (streaming boxes and IoT gear with their discovery chatter, cameras pushing video) are kept apart from devices like your laptop that need a low-latency, responsive connection.
Use descriptive VLAN names
Don’t rely on memory or spreadsheets to remind you of what’s on each tag
While you might know which VLAN segment your devices are going on when you set them up, will you always remember that? Sure, you could make a chart or document showing which VLAN tag holds which devices, and you probably should, but there’s another way. Most switches let you attach a descriptive name to a VLAN when you create it, which makes the configuration much easier to read.
From the VLAN tags in the previous segment, we’d get:
- VLAN10 – MAIN-DEVICES
- VLAN20 – STREAMING-DEVICES
- VLAN30 – CAMERAS
- VLAN40 – GUEST-NETWORK
- VLAN50 – IOT-DEVICES
- VLAN60 – SERVERS-NAS
See how much easier that is to read at a glance? A naming convention isn’t just for the numeric tags the switches read; the human-readable names deserve one too.
Set up firewall rules to control inter-VLAN communications
Including keeping IoT devices away from any other network segment
Now that you’ve got every networked device on its corresponding VLAN, it’s time to consider which ones need to be able to talk to each other. Setting up firewall rules for IPv4 (and IPv6 if you’re using it) gives you control, while making every device safer. And because you’ve grouped similar devices with each other, you can set up inter-VLAN rules, instead of having to set up individual rules for everything.
For example, the rules around the IoT VLAN could look like this (default deny between VLANs, on a stateful firewall so replies to permitted connections are allowed automatically):
# Example rule structure:
Main devices -> IoT: allow new connections, so you can control the devices; replies come back through connection tracking
IoT -> main devices, servers, cameras: block; IoT should never be able to open a connection inward
IoT -> internet: allow, and restrict to specific destinations per device if your firewall lets you
Then your main devices probably need access to the server VLAN and the IoT VLAN for control. Security cameras should only be able to touch the server that they’re being recorded on, guest devices might need access to the internet but nothing else (unless you want to let them print documents), and so on.
The defaults differ between firewall and router vendors. Many firewalls block traffic between VLANs until you write an allow rule, but Ubiquiti’s UniFi gear allows inter-VLAN traffic by default, so check the behaviour of your platform rather than assuming. Either way, verify it: from a device on the IoT VLAN, try to reach something on your main VLAN and confirm that it fails.
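The rules above are easiest to get right if you write the policy down as data first and derive the firewall configuration from it. Here is an added example in Python (not from the article, and not any vendor’s rule format) that does that for the six segments in this article: a default-deny allow list keyed by source and destination VLAN, a function that decides whether a new connection is permitted, and a renderer that emits the same policy as an nftables forward chain for a Linux router. The service ports, the push/pull direction for the cameras, the 192.168.0.0/16 “local” block and the Linux router itself are assumptions marked in the code; the sample flows are constructed.

```python
"""Inter-VLAN firewall policy as data: default deny, explicit allows per segment pair.
Added example for this article, not any vendor's rule format. Subnets follow the
article's plan (third octet == VLAN ID); ports and camera direction are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VLANS = {  # name -> subnet, per the article's plan
    "MAIN": "192.168.10.0/24", "STREAMING": "192.168.20.0/24",
    "CAMERAS": "192.168.30.0/24", "GUEST": "192.168.40.0/24",
    "IOT": "192.168.50.0/24", "SERVERS": "192.168.60.0/24",
}
LOCAL_BLOCK = "192.168.0.0/16"  # anything outside this counts as "internet" (assumed layout)
INTERNET = "INTERNET"


@dataclass(frozen=True)
class Rule:
    src: str                     # VLAN name
    dst: str                     # VLAN name or INTERNET
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None == any port; requires an explicit proto
    comment: str = ""

    def __post_init__(self):
        if self.dport is not None and self.proto == "any":
            raise ValueError("a destination port needs an explicit protocol")


# Allow list for NEW connections; anything unmatched is dropped. Replies ride on
# connection tracking, so no reverse rules exist: IoT can answer MAIN but can
# never open a connection towards it.
POLICY = [
    Rule("MAIN", "SERVERS", comment="laptops and PCs reach the NAS"),
    Rule("MAIN", "IOT", comment="trusted devices control the IoT gear"),
    Rule("MAIN", "STREAMING", comment="cast to and control media players"),
    Rule("MAIN", INTERNET),
    Rule("STREAMING", INTERNET),
    Rule("SERVERS", INTERNET),
    Rule("SERVERS", "CAMERAS", "tcp", 554, "NVR pulls RTSP from cameras (assumed port/direction)"),
    Rule("CAMERAS", "SERVERS", "tcp", 443, "cameras push events to the NVR (assumed port)"),
    Rule("GUEST", INTERNET, comment="guests get the internet and nothing else"),
    Rule("IOT", INTERNET, comment="cloud-tethered gadgets; pin to vendor IPs if you can"),
]


def vlan_of(ip):
    """Map an IP to its VLAN name, or INTERNET if it is outside every local segment."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in VLANS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return INTERNET


def is_allowed(src_ip, dst_ip, proto="tcp", dport=None):
    """Decide a NEW connection: first matching allow wins, default deny.
    Traffic inside one VLAN never crosses the router, so it is always allowed here."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src == dst and src != INTERNET:
        return True
    for r in POLICY:
        if (r.src, r.dst) != (src, dst):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return True
    return False


def to_nftables(policy=POLICY):
    """Render the policy as an nftables forward chain for a Linux router (assumed).
    NAT and the router's own input chain are out of scope here."""
    lines = ["table inet filter {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        match = f"ip saddr {VLANS[r.src]}"
        match += f" ip daddr {VLANS[r.dst]}" if r.dst != INTERNET else f" ip daddr != {LOCAL_BLOCK}"
        if r.dport is not None:
            match += f" {r.proto} dport {r.dport}"
        elif r.proto != "any":
            match += f" meta l4proto {r.proto}"
        suffix = f' comment "{r.comment}"' if r.comment else ""
        lines.append(f"    {match} accept{suffix}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows; host addresses are made up within each subnet.
    for flow in [("192.168.10.5", "192.168.50.23", "tcp", 80),    # laptop -> smart plug
                 ("192.168.50.23", "192.168.10.5", "tcp", 22),    # smart plug -> laptop
                 ("192.168.30.7", "203.0.113.9", "udp", 53),      # camera phoning home
                 ("192.168.40.9", "192.168.60.10", "tcp", 445)]:  # guest -> NAS
        print(flow, "ALLOW" if is_allowed(*flow) else "DENY")
    print(to_nftables())
```

Only the first sample flow is allowed; the IoT device cannot reach inward, the camera cannot reach the internet at all, and the guest cannot see the NAS. The rendered chain puts “policy drop” and the established/related accept line first, which is the stateful default-deny structure the rules above assume; porting the same table to UniFi, pfSense or another firewall is a matter of entering the same allow list, not of re-deriving it.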
Using these VLAN rules makes all your devices happier
These rules don’t just make your home network easier to set up; they also take load off every device on it. Why? Instead of dozens of devices receiving every other device’s broadcast and multicast traffic, each one now only sees the chatter from the handful of devices in its own segment. Gaming consoles aren’t slowed by IoT discovery traffic, work laptops aren’t contending with security camera streams, and so on. It’s a good reminder that download speed and latency, Wi-Fi coverage and NIC speed aren’t the only things to consider when building your home network.