VLAN Segmentation at Home: Keeping Your Smart Toaster Away from Your NAS
Why one flat network is the riskiest thing in your house

Here is an uncomfortable fact about most home networks: every device on them can talk to every other device. Your laptop, your phone, your NAS full of irreplaceable photos, and that £25 smart plug running firmware last updated when it left the factory in Shenzhen — they’re all on the same flat subnet, able to reach each other freely. The smart plug has a hardcoded telnet password and a cloud connection you can’t see into. The NAS has everything you care about. On a flat network, the first is one hop from the second.
VLANs fix this. A VLAN — virtual LAN — lets a single physical switch and router behave as if they were several separate networks that don’t trust each other. You put the toaster, the doorbell and the dodgy IoT gadgets in one segment, your trusted computers in another, guests in a third, and then you write rules about who’s allowed to talk to whom. It’s the single highest-leverage thing you can do for home network security, and it’s more approachable than the acronyms suggest.
1 What a VLAN actually is
Ethernet frames can carry a tag — an 802.1Q tag — that stamps them with a VLAN ID, a number from 1 to 4094. A VLAN-aware switch reads that tag and keeps tagged traffic logically separate even though it’s all flowing down the same copper. A “trunk” port carries multiple tagged VLANs between switches and your router; an “access” port belongs to exactly one VLAN and hands untagged frames to a single device.
The practical upshot: VLAN 10 is your trusted LAN, VLAN 20 is IoT, VLAN 30 is guests. Devices on 20 get an IP from the 20 subnet, devices on 10 from the 10 subnet, and by default they cannot see each other unless your router routes between them and a firewall rule permits it.
2 Drawing the segments
A sensible starting layout for a house:

VLAN 10  Trusted  10.0.10.0/24  laptops, phones, desktops
VLAN 20  IoT      10.0.20.0/24  smart plugs, bulbs, cameras
VLAN 30  Guest    10.0.30.0/24  visitors' devices
VLAN 40  Servers  10.0.40.0/24  NAS, homelab, hypervisors

Each VLAN gets its own SSID if it’s wireless, or its own access ports if it’s wired. The interesting part is what you forbid between them.
3 The firewall rules that earn their keep
Segmentation without firewall rules is just tidy addressing — the security comes from inter-VLAN policy. The rules I’d start with, expressed in plain pf/nftables terms:
# IoT can reach the internet but nothing internal
block in on vlan20 from 10.0.20.0/24 to 10.0.0.0/16
pass in on vlan20 from 10.0.20.0/24 to !10.0.0.0/16
# Guests get internet only, fully isolated
block in on vlan30 from 10.0.30.0/24 to 10.0.0.0/16
# Trusted can reach servers; servers can't initiate back
pass in on vlan10 from 10.0.10.0/24 to 10.0.40.0/24
block in on vlan40 from 10.0.40.0/24 to 10.0.10.0/24

The principle is default-deny between segments, then poke holes only where you actually need them. Your phone needs to reach the NAS, so allow VLAN 10 to VLAN 40. The IoT segment never needs to reach anything internal, so it doesn’t get to. A compromised camera can now phone its cloud, but it cannot scan your NAS, because the router simply drops the packets.
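To make the two halves of this concrete (the 802.1Q tag from section 1 and the inter-VLAN policy just above), here is an added Python example that is not part of the original post: it pulls the VLAN ID and IPv4 addresses out of a tagged frame, then applies the post's segment table and its single allowed hole (Trusted to Servers) as a default-deny policy. The frames are constructed in-line for testing and are not captured traffic.

```python
import ipaddress
import struct

# Segment layout from the post's table.
SEGMENTS = {
    10: ipaddress.ip_network("10.0.10.0/24"),  # Trusted
    20: ipaddress.ip_network("10.0.20.0/24"),  # IoT
    30: ipaddress.ip_network("10.0.30.0/24"),  # Guest
    40: ipaddress.ip_network("10.0.40.0/24"),  # Servers
}
INTERNAL = ipaddress.ip_network("10.0.0.0/16")
# The only hole punched in the default-deny: (source VLAN, destination VLAN).
ALLOW_INTER_VLAN = {(10, 40)}

def parse_tagged_frame(frame: bytes):
    """Return (vlan_id, src_ip, dst_ip) from an 802.1Q-tagged IPv4 frame."""
    if len(frame) < 38:  # 14-byte Ethernet + 4-byte tag + 20-byte IPv4 header
        raise ValueError("frame too short")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != 0x8100:
        raise ValueError("frame is untagged")
    vlan_id = tci & 0x0FFF  # VLAN ID is the low 12 bits; PCP/DEI sit above it
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip_hdr = frame[18:38]
    return vlan_id, ipaddress.ip_address(ip_hdr[12:16]), ipaddress.ip_address(ip_hdr[16:20])

def segment_of(ip):
    """Which VLAN a 10.0.x.0/24 address belongs to, or None if it is not internal."""
    return next((vid for vid, net in SEGMENTS.items() if ip in net), None)

def policy_allows(vlan_id, src, dst) -> bool:
    """Default-deny between segments; permit only the listed holes."""
    if segment_of(src) != vlan_id:
        return False  # address does not match the VLAN it arrived on: spoofed or misconfigured
    if dst not in INTERNAL:
        return True   # every segment may reach the internet
    dst_vlan = segment_of(dst)
    if dst_vlan == vlan_id:
        return True   # same segment: the switch forwards it, the router never sees it
    return (vlan_id, dst_vlan) in ALLOW_INTER_VLAN

def check(frame: bytes) -> bool:
    """Parse a tagged frame and say whether the inter-VLAN policy lets it through."""
    return policy_allows(*parse_tagged_frame(frame))

def build_frame(vlan_id: int, src: str, dst: str) -> bytes:
    """Construct a minimal tagged IPv4 frame (test input only, checksum left zero)."""
    eth = b"\x00" * 12 + struct.pack("!HHH", 0x8100, vlan_id, 0x0800)
    ip = b"\x45\x00\x00\x14" + b"\x00" * 8
    return eth + ip + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
```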
4 The annoying bits, because there are some
This isn’t free of friction. The big one is mDNS and discovery: Chromecasts, AirPlay, smart-home hubs and printers all rely on multicast that doesn’t cross VLANs by default. The moment you put your TV on IoT and your phone on Trusted, casting stops working. The fix is an mDNS reflector (Avahi, or your firewall’s repeater feature) that relays discovery across the two segments you actually want talking — which means you’ve punched a deliberate, narrow hole rather than leaving the whole network open.
You also need hardware that supports it: a managed switch and a router that does VLANs and inter-VLAN firewalling. A flat ISP router won’t cut it. And the first time you misconfigure a trunk you’ll lock yourself out of something and learn a valuable lesson about console access.
5 The verdict
If you have a NAS, a homelab, or any data you’d be upset to lose, and you also own cheap IoT gear — which is to say, if you’re a normal person in 2023 — VLAN segmentation is worth the weekend it takes to set up. It is the difference between a compromised gadget being an annoyance and being a breach. You don’t need to segment everything on day one; even just splitting “my real computers” from “internet-connected junk I don’t trust” buys you most of the protection.
The smart toaster is going to get hacked eventually. The whole point is to make sure that when it does, it finds itself alone in a room with a locked door, staring at your NAS through glass it can’t break.