How to Use VLAN Tagging in Your Homelab
Learn how to configure and use VLANs in your homelab for network segmentation. From basic concepts to real configs, take your homelab network security from zero to production-grade.
1. What Is a VLAN?
A VLAN (Virtual LAN) is a logical network segmentation that lets you divide a single physical switch into multiple isolated networks. Devices on different VLANs cannot communicate with each other directly — they must pass through a router (or layer-3 switch), where you control exactly what traffic is allowed.
Think of it as having multiple separate switches, but all running on the same physical hardware. This is incredibly powerful for homelabs: it lets you isolate your IoT devices from your main workstations, your homelab servers from your family's devices, and your DMZ from everything else — all with one $50 managed switch.
2. Why Use VLANs in a Homelab?
The single biggest security improvement you can make to a home network:
🛡️ IoT Isolation
Smart cameras, plugs, and sensors are notoriously insecure. Put them on their own VLAN with no access to your main devices or homelab servers.
🖥️ Homelab Isolation
Your homelab servers, Docker hosts, and Proxmox VMs should be reachable only from your admin machine — not from any random device on the network.
📱 Guest Network
Give guests internet access but block them from your NAS, homelab services, and personal devices.
👨‍💻 Work-from-Home Security
Isolate work devices from personal devices on the same physical network.
📊 Traffic Management
Apply different QoS rules, bandwidth limits, or firewall policies to different device groups.
3. Plan Your VLAN Structure
Before touching any hardware, plan your VLANs. Here's a practical homelab VLAN scheme:
| VLAN ID | Name | Purpose | Internet Access | Access From |
|---|---|---|---|---|
| 10 | Management | Switches, IPMI, Proxmox nodes | No | Admin VLAN only |
| 20 | Main LAN | Laptops, phones, personal devices | Yes | Any |
| 30 | Homelab | Servers, NAS, Docker hosts | Via proxy only | Management VLAN + VPN |
| 40 | IoT / Smart Home | Cameras, sensors, smart devices | Yes (filtered) | Main LAN |
| 50 | Guests | Visitor devices | Yes | None (internet only) |
| 60 | DMZ | Public-facing services, VPN server | Yes | Internet + Management |
4. Configure a Managed Switch
You need a managed switch that supports VLANs. Good budget options include TP-Link JetStream (e.g., TL-SG108E), Netgear Smart Managed Plus, or MikroTik CRS305. Here's how to configure it:
Access the switch management interface
Find the switch's default IP (usually on a sticker or in the manual). Connect to it via browser or SSH.
Create VLANs
Navigate to VLAN → VLAN Membership. Create each VLAN by ID and name.
# Example via SSH (MikroTik RouterOS, bridge VLAN filtering)
# Assumes an existing bridge1 containing ether1-ether8, with each access port given the matching pvid
# (e.g. pvid=30 on ether1-ether4); ether8 is the trunk to the router, so it is tagged on every VLAN
/interface bridge vlan add bridge=bridge1 vlan-ids=30 tagged=ether8 untagged=ether1,ether2,ether3,ether4
/interface bridge vlan add bridge=bridge1 vlan-ids=40 tagged=ether8 untagged=ether5,ether6
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=ether8 untagged=ether7
/interface bridge set bridge1 vlan-filtering=yes
Set port membership (tagged vs untagged)
Untagged: the device connected to this port will be on this VLAN. Tagged: the port accepts VLAN-tagged traffic (for trunk links between switches or to a router).
Connect a trunk port to your router
One port on the switch should be a trunk — it carries all VLANs to your router. Tag this port on all VLANs.
# Trunk port configuration
# Port 8: connects to router, carries ALL VLANs (tagged on all)
Test connectivity
Connect a device to an untagged port. It should get an IP in that VLAN's subnet. Verify it cannot ping devices in other VLANs without going through the router.
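To make the tagged/untagged distinction concrete, here is an added example (not from the article or any switch vendor) that builds and parses 802.1Q tags and models how the access and trunk ports from the steps above classify frames; the port table, MAC addresses and helper names (tag_frame, parse_tag, ingress_vlan, forward) are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q-tagged frame

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag (TPID + TCI) after the 12-byte dst/src MAC header."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return (vid, frame_without_tag); vid is None when the frame carries no 802.1Q tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

# Constructed switch port table mirroring the article: access ports carry one untagged
# VLAN (the PVID); port 8 is the trunk to the router and accepts only tagged frames.
PORTS = {
    1: {"pvid": 30, "tagged": set()},            # homelab server
    5: {"pvid": 40, "tagged": set()},            # IoT camera
    8: {"pvid": None, "tagged": {20, 30, 40}},   # trunk to router
}

def ingress_vlan(port: int, frame: bytes):
    """VLAN a frame joins on arrival, or None if the port drops it."""
    cfg = PORTS[port]
    vid, _ = parse_tag(frame)
    if vid is None:
        return cfg["pvid"]                 # untagged: PVID (None on a tag-only trunk = drop)
    # Simplified model: tagged frames are only accepted on ports that carry that VLAN tagged,
    # so a host on an access port cannot pick its VLAN by tagging its own frames.
    return vid if vid in cfg["tagged"] else None

def forward(in_port: int, frame: bytes, out_port: int):
    """Frame as it leaves out_port (tagged on a trunk, untagged on an access port), or None."""
    vid = ingress_vlan(in_port, frame)
    if vid is None:
        return None
    _, payload = parse_tag(frame)
    out = PORTS[out_port]
    if vid in out["tagged"]:
        return tag_frame(payload, vid)
    return payload if vid == out["pvid"] else None

# Constructed sample frame: broadcast dst, locally administered src, EtherType IPv4, dummy payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "02000000aa01" "0800") + b"\x45" + b"\x00" * 19
```

Real switches differ on whether an access port accepts a frame tagged with its own PVID; the model above drops every tagged frame on an access port, which is the conservative behaviour to verify for in the connectivity test.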
5. Inter-VLAN Routing
By default, VLANs cannot talk to each other. To allow selective communication (e.g., your laptop on VLAN 20 accessing your homelab server on VLAN 30), you need inter-VLAN routing.
The simplest approach for a homelab: use your router's firewall rules to control which VLANs can talk to which.
Create sub-interfaces (router-on-a-stick)
If your router has only one Ethernet port, create VLAN sub-interfaces (802.1Q tagged). Each sub-interface gets an IP in its VLAN subnet — this becomes the default gateway for that VLAN.
# Example: OpenWrt (21.02+, DSA) router VLAN sub-interfaces br-lan.10 (Management), br-lan.20 (Main LAN), br-lan.30 (Homelab)
# Assumes bridge-vlan entries for VLANs 10/20/30 already exist on br-lan with the trunk port tagged
uci set network.mgmt=interface
uci set network.mgmt.device='br-lan.10'
uci set network.mgmt.proto='static'
uci set network.mgmt.ipaddr='192.168.10.1'
uci set network.mgmt.netmask='255.255.255.0'
# Repeat for br-lan.20 (192.168.20.1/24) and br-lan.30 (192.168.30.1/24), then: uci commit network && /etc/init.d/network restart
Configure firewall rules
By default, OpenWrt/pfSense/OPNsense blocks inter-VLAN traffic. Add rules to allow specific traffic flows you want.
# OpenWrt: Allow Main LAN → Homelab (only to one specific service)
# Assumes firewall zones "lan" (VLAN 20) and "homelab" (VLAN 30) already exist; run as root on the router (no sudo needed)
uci add firewall rule
uci set firewall.@rule[-1].name="lan-to-homelab-https"
uci set firewall.@rule[-1].src="lan"
uci set firewall.@rule[-1].dest="homelab"
uci set firewall.@rule[-1].dest_ip="192.168.30.10"
uci set firewall.@rule[-1].dest_port="443"
uci set firewall.@rule[-1].proto="tcp"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall && /etc/init.d/firewall restart
Block by default, allow explicitly
The safest approach: default deny all inter-VLAN traffic, then add specific allow rules for each service you need. This means your IoT devices can reach the internet but can never reach your NAS or homelab servers.
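As an added illustration of the default-deny policy (example code, not OpenWrt's or the article's), this models the zone and rule matching behind the single allow rule above; the zone names, the 192.168.<VLAN>.0/24 subnets and the Rule/evaluate helpers are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Firewall zones keyed to the article's VLAN subnets (192.168.<VLAN>.0/24), constructed here.
ZONES = {
    "lan":     ipaddress.ip_network("192.168.20.0/24"),   # VLAN 20 Main LAN
    "homelab": ipaddress.ip_network("192.168.30.0/24"),   # VLAN 30 Homelab
    "iot":     ipaddress.ip_network("192.168.40.0/24"),   # VLAN 40 IoT
    "guest":   ipaddress.ip_network("192.168.50.0/24"),   # VLAN 50 Guests
}

@dataclass(frozen=True)
class Rule:
    src: str                        # source zone
    dest: str                       # destination zone
    proto: str = "any"
    dest_ip: Optional[str] = None   # restrict to one host, as the uci rule above does
    dest_port: Optional[int] = None
    target: str = "ACCEPT"

# Explicit allow list; anything not matched below is rejected.
RULES = [
    Rule("lan", "homelab", proto="tcp", dest_ip="192.168.30.10", dest_port=443),
    Rule("lan", "iot"),   # Main LAN may reach IoT devices; the reverse is never allowed
]

def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Decide a new flow under default-deny inter-VLAN policy (replies are handled by conntrack, not here)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "REJECT"              # unknown subnet: never guess a zone
    if src == dst:
        return "ACCEPT"              # same VLAN is switched locally and never reaches the router
    for r in RULES:
        if (r.src, r.dest) != (src, dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dest_ip is not None and r.dest_ip != dst_ip:
            continue
        if r.dest_port is not None and r.dest_port != dport:
            continue
        return r.target
    return "REJECT"                  # default deny for every inter-VLAN flow
```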
Frequently Asked Questions
What is the difference between a managed switch and an unmanaged switch?
An unmanaged switch simply forwards all traffic between all ports — every device can talk to every other device. A managed switch lets you control which ports belong to which VLANs, create trunk ports, and configure QoS. For VLANs, you need a managed switch.
Do all my devices need to support VLANs?
No. Regular devices (laptops, phones) connect to "untagged" ports — they see only one VLAN and work normally, completely unaware of VLANs. Only your switch and router need to be VLAN-aware.
Can I use VLANs without a managed switch?
Not with pure VLANs. You can use a consumer router's "guest network" feature to create a second isolated network segment, but this is limited. For true VLAN segmentation, a managed switch is required.
How do I access my homelab from outside using VLANs?
You don't — VLANs are for internal network segmentation. For remote access, set up WireGuard VPN or Tailscale. Your VPN server sits in the DMZ (VLAN 60) and is accessible from the internet. Once connected to VPN, you can access all VLANs based on your VPN user's permissions.
What happens if I plug a device into the wrong VLAN port?
It gets an IP in that VLAN's subnet and can only communicate with other devices on that VLAN. If it's your homelab server port and you accidentally plug a guest laptop in, the guest laptop is now on your homelab VLAN — this is why management VLAN access is restricted to admin devices only.