It was challenging for me to manage different wired and wireless devices on my home network. I had a tough time identifying a rogue device or bandwidth-guzzling culprit. Since I was still cutting my teeth on VLANs, I decided to start small and only separate the devices without over-segmenting them. Also, I learned the hard way that well-structured firewall rules are crucial when using VLANs. To keep things simple for my home network, I have only segmented them into wired and wireless categories. Here are some reasons why I prefer keeping wired devices on a VLAN separate from wireless ones.
Simplicity of the home network
Managing all kinds of devices comfortably
I prefer using a LAN cable to connect the computing devices directly to the router for a wired backhaul in my room, at least. Hard-wiring is still my go-to method for computers, smart TVs, game consoles, mini PCs, SBCs, and NAS devices. Setting up dedicated VLANs for wired and wireless devices allows me to keep things simple and manage the relevant devices without complicating the segmentation. It can help limit rogue devices from infecting others on the network.
It’s a good idea to segment wireless smart devices into an IoT-specific VLAN, but I only use a score of such devices. If you have hundreds of smart devices, create an IoT-specific VLAN. I frequently host friends and guests, so I created a separate guest network and guest VLAN to prevent temporary devices from disrupting or infecting the other devices on my home network. With two to three VLANs, I avoid further segmenting by role or device type.
Prioritizing traffic and avoiding wireless congestion
Distribute bandwidth for stability and low-latency
Separating wired devices from wireless allows me to set traffic priorities. For starters, I ensure that all wired devices receive relatively more bandwidth than wireless devices, even if that includes my MacBook. The QoS rules based on the VLAN setup help all wired devices enjoy stable and low-latency connectivity. Meanwhile, wireless devices get performance that depends on their signal quality, and bandwidth limits apply to them to prevent overconsumption.
That’s how gaming on consoles or streaming directly from a NAS delivers low latency and rarely suffers from buffering hiccups. Even with QoS rules for wireless devices, I have noticed that their connection quality varies and their performance is inconsistent, alternating between fast and slow periods. So I put them on a separate VLAN to ensure they don’t affect the performance of the wired devices.
Configuring firewalls and setting up rules
Increasing security between VLANs with relevant policies
My wired devices, such as my Windows 11 desktop, PlayStation 5, Raspberry Pi 4, mini PC, and NAS, enjoy better bandwidth quality. I have set more permissive firewall rules for wired devices in an OPNsense instance, mostly because I rarely move the wired devices and they stay in secure areas. Meanwhile, I can use wireless devices from anywhere in my house, as long as I get a proper signal. Therefore, I don’t allow internal wireless and wired devices to communicate with each other freely across VLANs. For the guest network, I allow all devices out through NAT but apply stricter web browsing rules to prevent them from falling prey to malware or attacks.
Additionally, the VLAN can easily isolate traffic from wired devices, allowing for more consistent application of firewall rules. Setting Internet-only access rules for wireless devices prevents access to any local traffic. In addition, I’ve blocked VLAN-to-VLAN access by default. However, allowing access for only select wireless devices, such as my computers or mini PC, ensures that I share only the necessary resources.
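To make the rule ordering concrete, here is an added example of my own, not the author's OPNsense configuration: a small first-match policy evaluator in Python that encodes the policy described above. The subnets (10.10.10.0/24 wired, 10.10.20.0/24 wireless, 10.10.30.0/24 guest), the NAS address, the two trusted Wi-Fi hosts and the SMB port are all assumed for illustration. It goes slightly beyond the text in one respect: guest clients may only send DNS to the firewall's own resolver, which is the usual way to make a filtering upstream such as Quad9 actually apply.

```python
"""First-match firewall policy evaluator for a wired / wireless / guest VLAN layout.

Subnets, host addresses and ports below are constructed for illustration: they are
assumptions for this example, not the author's real subnets or OPNsense rules.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Assumed VLAN subnets, one OPNsense interface per VLAN tag.
VLANS = {
    "WIRED":    ip_network("10.10.10.0/24"),
    "WIRELESS": ip_network("10.10.20.0/24"),
    "GUEST":    ip_network("10.10.30.0/24"),
}
NAS = ip_address("10.10.10.50")        # wired NAS (assumed address)
GUEST_GW = ip_address("10.10.30.1")    # firewall's guest-side address; its resolver forwards to Quad9
TRUSTED_WIFI = frozenset({ip_address("10.10.20.11"),    # laptop (assumed)
                          ip_address("10.10.20.12")})   # iPad (assumed)


def is_local(ip: IPv4Address) -> bool:
    """True if the address belongs to one of the home VLANs rather than the Internet."""
    return any(ip in net for net in VLANS.values())


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    src: IPv4Network                     # source VLAN
    dst: str                             # "local", "internet", "any", or one host address
    proto: str = "any"
    dports: frozenset = frozenset()      # empty = any destination port
    src_hosts: frozenset = frozenset()   # empty = the whole source VLAN
    label: str = ""

    def matches(self, f: Flow) -> bool:
        if f.src not in self.src:
            return False
        if self.src_hosts and f.src not in self.src_hosts:
            return False
        if self.dst == "local" and not is_local(f.dst):
            return False
        if self.dst == "internet" and is_local(f.dst):
            return False
        if self.dst not in ("local", "internet", "any") and f.dst != ip_address(self.dst):
            return False
        if self.proto != "any" and f.proto != self.proto:
            return False
        if self.dports and f.dport not in self.dports:
            return False
        return True


# Order matters: like OPNsense's default "quick" rules, the first match wins and
# anything that matches nothing is dropped by the implicit default deny.
POLICY = [
    Rule("pass",  VLANS["WIRED"],    "any", label="wired: permissive"),
    Rule("pass",  VLANS["WIRELESS"], str(NAS), "tcp", frozenset({445}), TRUSTED_WIFI,
         label="wifi: laptop and iPad may reach the NAS over SMB"),
    Rule("block", VLANS["WIRELESS"], "local", label="wifi: no other inter-VLAN traffic"),
    Rule("pass",  VLANS["WIRELESS"], "internet", label="wifi: Internet only"),
    Rule("pass",  VLANS["GUEST"],    str(GUEST_GW), "any", frozenset({53}),
         label="guest: DNS only via the firewall's filtering resolver"),
    Rule("block", VLANS["GUEST"],    "any", "any", frozenset({53}),
         label="guest: no direct outside DNS (would bypass filtering)"),
    Rule("block", VLANS["GUEST"],    "local", label="guest: no inter-VLAN traffic"),
    Rule("pass",  VLANS["GUEST"],    "internet", label="guest: NAT'd Internet access"),
]


def evaluate(flow: Flow, policy=POLICY):
    """Return (action, label) of the first matching rule, or the default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.label
    return "block", "default deny"


def decide(src: str, dst: str, proto: str, dport: int = 0) -> str:
    """'pass' or 'block' for a flow given as plain strings."""
    return evaluate(Flow(ip_address(src), ip_address(dst), proto, dport))[0]


def explain(src: str, dst: str, proto: str, dport: int = 0) -> str:
    """Label of the rule that decided the flow; useful when tracing a 'why is this blocked' case."""
    return evaluate(Flow(ip_address(src), ip_address(dst), proto, dport))[1]


if __name__ == "__main__":
    # Constructed sample flows, including the iPad-to-NAS case that a missing port would break.
    for flow in [("10.10.10.20", "10.10.10.50", "tcp", 445),
                 ("10.10.20.12", "10.10.10.50", "tcp", 445),
                 ("10.10.20.12", "10.10.10.50", "tcp", 5000),
                 ("10.10.30.40", "198.51.100.53", "udp", 53)]:
        print(f"{flow[0]:>12} -> {flow[1]:<14} {flow[2]}/{flow[3]:<5} {decide(*flow):5} ({explain(*flow)})")
```

The iPad case with port 5000 is the kind of thing the log hunt in the next section turns up: the NAS allow rule only lists SMB, so any other service the iPad needs falls through to the wireless "no inter-VLAN" block. Moving that block above the allow rule would silently break the laptop and iPad as well, which is why checking the order with sample flows before applying it is worthwhile.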
Simplified monitoring and troubleshooting
Easier to trace issues with connection and congestion
Separate VLANs for wired and wireless devices have made it easy for me to monitor the usage and identify the culprit devices whenever there’s network congestion. Bandwidth monitoring enables me to adjust the QoS rules, and using Quad9 public DNS allows for filtering, primarily for wireless devices. It has also helped me set proper firewall rules and restrictions on the guest network, preventing anyone from taking advantage of my Wi-Fi. Apart from limiting guest usage, I can also identify the devices that are causing congestion on the Wi-Fi.
Network traffic visibility also lets me tweak the access control lists for tracing and isolating devices, or exposing them between LANs. That’s how I learned that an incorrect firewall rule was preventing my iPad from accessing my NAS. Of course, that discovery came only after I dived into the logs and paid attention to the notifications from OPNsense.
Better IP tracking and reducing DHCP churn
Assigning subnet sizes as necessary
Despite having a relatively small number of devices, I had a tough time tracking their IP addresses. While my router’s DHCP service handles all the wired and wireless devices easily, I have assigned a separate subnet for the guest network. I overcame my problem of assigning static IP addresses by letting the DHCP server handle the task for non-critical devices, such as my game console. Because I have a limited number of wired devices, I used OPNsense to create multiple interfaces with their VLAN tags and a separate DHCP server for each.
That also saves me from maintaining a spreadsheet of devices with specific IP addresses. VLAN segmentation makes it easy to track device groups by their subnets. For instance, I assigned a smaller DHCP range for wired devices than for wireless devices.
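A per-VLAN addressing plan is easy to get subtly wrong (a pool that swallows the gateway, a static NAS address sitting inside the pool, two VLAN subnets that overlap), so here is an added example of my own, not the author's configuration, that checks such a plan before it goes into the DHCP servers. The subnets, pool boundaries and reservations are constructed values; the wired pool is deliberately the smallest, matching the sizing described above.

```python
"""Consistency checker for a per-VLAN DHCP plan.

The subnets, pool boundaries and reservations are constructed for illustration
(assumed values, not the author's real addressing plan).
"""
from ipaddress import ip_address, ip_network

# VLAN name -> (subnet, first pool address, last pool address, static reservations)
PLAN = {
    "WIRED":    ("10.10.10.0/24", "10.10.10.100", "10.10.10.119",
                 {"10.10.10.50": "nas", "10.10.10.51": "raspberry-pi"}),
    "WIRELESS": ("10.10.20.0/24", "10.10.20.100", "10.10.20.199", {}),
    "GUEST":    ("10.10.30.0/24", "10.10.30.100", "10.10.30.199", {}),
}


def pool_size(first: str, last: str) -> int:
    """Number of leases a pool can hand out (inclusive range)."""
    return int(ip_address(last)) - int(ip_address(first)) + 1


def check_plan(plan: dict) -> list:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    nets = {}
    for name, (subnet, first, last, reservations) in plan.items():
        net = ip_network(subnet)
        nets[name] = net
        gateway = net.network_address + 1   # assume the firewall takes the first host address
        lo, hi = ip_address(first), ip_address(last)
        if lo not in net or hi not in net:
            problems.append(f"{name}: pool {first}-{last} is outside {subnet}")
            continue
        if hi < lo:
            problems.append(f"{name}: pool end {last} precedes pool start {first}")
            continue
        if lo <= gateway <= hi:
            problems.append(f"{name}: gateway {gateway} falls inside the DHCP pool")
        for addr, host in reservations.items():
            ip = ip_address(addr)
            if ip not in net:
                problems.append(f"{name}: reservation {addr} ({host}) is outside {subnet}")
            elif lo <= ip <= hi:
                problems.append(f"{name}: reservation {addr} ({host}) collides with the DHCP pool")
    # Overlapping VLAN subnets would make routing and firewall rules ambiguous.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap: {nets[a]} vs {nets[b]}")
    return problems


if __name__ == "__main__":
    for name, (subnet, first, last, _) in PLAN.items():
        print(f"{name:9} {subnet:16} pool {first}-{last} ({pool_size(first, last)} leases)")
    print("problems:", check_plan(PLAN) or "none")
```

Static reservations are kept outside the pool on purpose: a device with a reservation inside the pool works until the day another client happens to be leased the same address.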
Separating wired and wireless devices with VLANs makes sense
Initially, I presumed that VLANs had a steep learning curve, but they turned out to be quite easy, thanks to OPNsense. I wanted to manage traffic on my home network efficiently. With separate VLANs for wired and wireless devices, my home network feels more organized and gives me control over how different devices talk to each other. I made a bunch of mistakes while configuring VLANs, but I realized that well-structured firewall rules are equally important to make segmentation work.
