Set up a virtual LAN (VLAN), they said. It would be fun, they said. Actually, configuring VLANs is incredibly fun and worthwhile as it can segment your network and secure various devices. Think about all those random guest phones that gain access to your wireless network. There's no telling what those visiting your home may do on their devices. All it takes is one innocent visit to a dodgy streaming website with malware ready to ship out to the next unsuspecting victim. Once that code is on your network, it can spread to other devices, which is what VLANs can help protect against.
Then there's the fact that you may not want all devices communicating with one another. I certainly didn't, and this is why I needed to split up smart home products and my sensitive Proxmox-powered home lab. That's the power of virtual LANs and why they're so often recommended by enthusiasts. More and more routers are supporting this feature, providing less tech-savvy home owners with the means to achieve some advanced setups. This is both brilliant and terrible, depending on how easy the implementation is to use. When configured incorrectly, VLANs can ruin your network.
Why using VLANs is the right way
It's better to be safe than sorry
Regardless of how easy or not VLANs are to configure on your network, it's important to consider using them, especially if you have countless clients connected through your router. Just about everything has internet capabilities, including appliances like washing machines and even toothbrushes. Ask yourself: do you want all these clients connected to the same network as your desktop PC? Do you trust everything on the LAN to operate safely with regard to safeguarding the wider network against outside threats? I don't, and neither should you. That new smart plug may want to call home.
That's where VLANs can make a world of difference. Instead of having everything connected on the same network, VLANs split up the physical network into virtual segments. No extra hardware purchases required. Simply configure VLANs on your router, switches, access points, and other hardware, and you're good to go. And though it is technically that simple, things can get out of hand. For my setup, I split everything into five VLANs:
- Primary VLAN for trusted devices (phones, laptops, etc.).
- IoT VLAN for all things relating to the smart home.
- Security VLAN for cameras and sensors.
- Homelab VLAN for servers and network infrastructure.
- Finally, one more VLAN for guests.
It didn't seem too convoluted at first, and it looked like I had all bases covered on paper. The problem is that home networks aren't really designed with strict segmentation in mind, at least not with basic consumer-grade devices. Consumer devices are built to sit on a single flat network, expecting unrestricted access to the internet as well as to anything else on the LAN. VLANs go against this by restricting what specific clients can reach, and those restrictions are enforced by the firewall rules between segments. Without properly configuring those rules, I managed to break a few things.
What can go wrong with VLANs
Properly configure the network first
Getting firewall rules right doesn't require a computer science degree. It's not actually that difficult, but I somehow managed to mess it up after more than two decades working with networks and computers. I have a serious problem where I find myself unable to tap into the vast wealth of knowledge I've accumulated over the years when it comes to my own home network or home lab. The saying "practice what you preach" couldn't be truer. You would have gasped at my backup strategy just a few years ago, before I finally got around to properly sorting it all out.
The same went for my network. I've configured VLANs elsewhere yet never made the plunge at home, largely because I didn't have the free time that coincided with everyone else being offline or away. That changed recently when I decided enough was enough, and I needed to properly isolate parts of the network. I no longer wanted my servers to be accessed by IoT devices, nor did I want cheap smart plugs calling home to some random server. After applying a few firewall rules and setting all the VLANs up throughout the network, I tested everything, and it all worked well.
But then devices would go offline without warning. They'd return before I got around to figuring out why, and I put it down to some weird bug or glitch in the Matrix. Clients weren't being flat-out denied access to specific parts of the network; they were being let through only some of the time. After troubleshooting various devices to see if the issue was local, I ended up checking my firewall rules, and that's when it all made sense. I had blocked access to a server on the network but allowed part of that same device through when testing something. I then configured other clients to use this server, and things went awry.
Allowing port 80 through meant that, should I switch to HTTPS for a particular device or service, that traffic would be blocked by the deny-all rule. Apps using the server would time out, yet other things worked, and loading something that ran on port 80 gave the false impression that everything was fine. The fix was incredibly simple, but it shows just how easy it can be to completely ruin your network with incorrectly set firewall rules. Either you're going to have trouble moving data between VLANs, or something is going to fail to connect to the outside world.
VLANs don't solve everything
Effectiveness depends on proper traffic policies
It's easy to treat VLANs as a saving grace for the network, but they're only effective at protecting clients on your LAN when paired with a well-thought-out traffic policy. If nothing is put in place, clients that aren't supposed to communicate with one another will talk all day long. The opposite can also occur, where things are locked down to the point that everything stops working. As we self-host more at home and look to consolidate data, this can prove damning for a budding home lab. It's also easy to take things too far and design the home network as though it were an enterprise one.
Manufacturers of hardware deemed less secure often expect flat networks and universal discovery with zero configuration. Implementing firewall rules and VLANs goes against this, which can prove challenging when vendors fail to document precisely how things should be configured locally to ensure services remain live. It's a little ironic that smart home equipment largely expects a dumb network since most of it is all cloud-based these days. So long as the cloud API can pass through your home LAN, the smart home device is nothing but a basic product with remote management.
Making the LAN smarter
Depending on how you have your smart home configured to operate, Home Assistant and other platforms must have access to all your smart home sensors and devices. The same goes for IP cameras that need to send live feeds to something like Frigate. I've had the case where I needed to rethink my approach to ensure the network video recorder (NVR) will continue functioning as expected. Instead of outright blocking everything, I decided to deny by default and intentionally allow all required data flow. Allowing smart home devices to connect to the Home Assistant Proxmox node was vital.
The same goes for those cameras and Frigate. Blocking IoT devices, with their weak security policies, from reaching trusted clients on the main LAN was a worthy addition to the setup. Remembering mDNS and multicast discovery was important too, especially when using technologies like HomeKit and Chromecast. The goal should be to create a better flat network, not one that barely works and takes an age to diagnose. Start small and work from there, configuring one new VLAN at a time.
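To make the port 80 mistake and the deny-by-default approach concrete, here is a small inter-VLAN policy evaluator, added as an example and not taken from the author's router. The subnets, the Home Assistant address and the rule format are all constructed for illustration; real routers evaluate rules first-match with an implicit deny at the end, which is what the evaluator mimics.

```python
"""Added illustration of inter-VLAN firewall policy: first-match rule
evaluation with an implicit deny-all at the end, as most routers do."""
from dataclasses import dataclass
from ipaddress import ip_network, ip_address

# Hypothetical VLAN subnets, constructed for this example.
VLANS = {
    "trusted": ip_network("192.168.10.0/24"),
    "iot": ip_network("192.168.20.0/24"),
    "homelab": ip_network("192.168.40.0/24"),
}
HOME_ASSISTANT = "192.168.40.10"  # hypothetical Proxmox VM address

@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    src_vlan: str     # source VLAN name, or "*" for any
    dst: str          # destination host/CIDR, a VLAN name, or "*"
    ports: frozenset  # destination ports; empty set means any port

def _dst_matches(rule, dst_ip):
    if rule.dst == "*":
        return True
    if rule.dst in VLANS:
        return ip_address(dst_ip) in VLANS[rule.dst]
    return ip_address(dst_ip) in ip_network(rule.dst)

def evaluate(rules, src_ip, dst_ip, port):
    """Return the action of the first matching rule, else 'deny'."""
    src_vlan = next((n for n, net in VLANS.items() if ip_address(src_ip) in net), None)
    for r in rules:
        if r.src_vlan not in ("*", src_vlan):
            continue
        if not _dst_matches(r, dst_ip):
            continue
        if r.ports and port not in r.ports:
            continue
        return r.action
    return "deny"  # implicit deny-all: anything not allowed above is dropped

# The ruleset behind the intermittent outages described above: port 80 to the
# server was allowed while testing, so switching a service to HTTPS broke it.
BROKEN = [
    Rule("allow", "iot", HOME_ASSISTANT, frozenset({8123})),
    Rule("allow", "iot", HOME_ASSISTANT, frozenset({80})),
    Rule("deny", "iot", "trusted", frozenset()),
]
# The fix: intentionally allow the HTTPS port for the same destination.
FIXED = BROKEN[:2] + [Rule("allow", "iot", HOME_ASSISTANT, frozenset({443}))] + BROKEN[2:]
```

Running `evaluate` over the two rulesets shows HTTP to the server passing under both, HTTPS only under `FIXED`, and IoT-to-trusted traffic denied either way.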
