Posted inHomeLab

VLANs for HomeLabs: Stop Letting Your Smart Fridge Talk to Your Servers

HomeLab tutorial - IT technology blog
HomeLab tutorial - IT technology blog

The Messy Reality of a Flat Home Network

I still remember the afternoon I set up my first Proxmox node. I was excited to host a few web servers and a database, all plugged directly into a standard-issue ISP router. It worked perfectly until I ran a routine security scan. To my horror, I realized my $15 generic smart plug and my production-ready test servers were all sitting in the same 192.168.1.x IP range.

Running that scan felt like a wake-up call. Because everything was on one “flat” network, a single compromised VM could have acted as a gateway to my personal laptop’s shared folders. If a hacker breached a lab experiment, they’d have a straight path to my family’s private photos and banking sessions. In a HomeLab environment, treating your experimental servers and your personal data as equals is a recipe for disaster.

Why Your HomeLab is a Security Risk

This vulnerability exists because of how standard home networking operates. Most consumer routers create one giant broadcast domain. When a device sends out a broadcast packet—like an ARP request—every single device on that wire hears it. There is no Layer 2 isolation.

Technically, this means a malware-infected IoT device can sniff traffic or exploit vulnerabilities on any other machine in your house. Beyond security, a busy lab can ruin your domestic peace. A high-traffic backup job or a series of mDNS discovery packets from smart bulbs can easily saturate your Wi-Fi, causing lag for everyone else. Without boundaries, you have zero control over traffic flow.

Comparing Ways to Isolate Your Network

When I realized I needed to fix this, I looked at three main options. Here is how they actually compare in a real-world setup:

  • Physical Separation: You could buy a second router and a separate set of switches. It works, but it’s a cable nightmare. It also wastes electricity and makes it nearly impossible for your phone to talk to your media server when you actually want it to.
  • Subnetting without VLANs: You can assign different IP ranges (like 192.168.10.x and 192.168.20.x) to the same switch. Don’t fall for this. It’s just “security by obscurity.” A savvy user can simply change their static IP to jump between networks because they are still sharing the same physical wire.
  • VLANs (Virtual Local Area Networks): This is the industry standard. Using the 802.1Q protocol, you “tag” traffic so one physical cable can carry multiple isolated networks. It gives you the security of physical separation with the ease of software management.

The Better Way: Implementing VLANs

Moving from a hobbyist to a pro-level setup requires moving away from flat networks. VLANs allow you to build a “Trusted” zone for your PCs, a “Lab” zone for servers, and an “IoT” quarantine for those untrustworthy smart bulbs. It’s the most efficient way to manage a growing lab.

Step 1: Planning Your Subnets

Before moving any cables, grab a notebook. You need to assign a VLAN ID (a number from 2 to 4094) and a matching IP range. Here is the template I use for my own rack:

  • VLAN 10 (Management): 192.168.10.0/24 — Reserved for switches, Proxmox hosts, and TrueNAS.
  • VLAN 20 (Home): 192.168.20.0/24 — For your trusted laptops, iPads, and phones.
  • VLAN 30 (Lab): 192.168.30.0/24 — For experimental VMs and Docker containers.
  • VLAN 40 (IoT): 192.168.40.0/24 — For smart devices that don’t need to talk to anything else.

Step 2: Configuring the Router (The Gateway)

Your router must be “VLAN-aware.” If you’re using pfSense, OPNsense, or a Ubiquiti Dream Machine, this is simple. You create “Virtual Interfaces” on top of your physical LAN port. On a Linux-based router, the configuration logic looks like this:

# Create a VLAN interface for the Lab on eth1
ip link add link eth1 name eth1.30 type vlan id 30

# Assign the gateway IP for the Lab network
ip addr add 192.168.30.1/24 dev eth1.30

# Activate the interface
ip link set dev eth1.30 up

In a GUI like pfSense, head to Interfaces > Assignments > VLANs. Add a new tag on your LAN parent interface and enable it. It takes about 30 seconds.

Step 3: Setting Up the Managed Switch

Managed switches are the backbone of this setup. You can’t do this with a $15 unmanaged “dumb” switch from a big-box store. You need something like a TP-Link Omada or a used Cisco enterprise switch. You will deal with two port types:

  1. Trunk Ports (Tagged): This is the “pipe” between your router and switch. It carries all VLANs at once. Each packet gets a tiny digital sticker (a tag) so the switch knows where it belongs.
  2. Access Ports (Untagged): Use these for your PC or Raspberry Pi. The device has no idea VLANs exist. The switch simply strips the tag off and forces that port into a specific network.

On a Cisco CLI, configuring an access port for your Lab would look like this:

interface GigabitEthernet0/1
 description Lab_Server_Port
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast

Step 4: Writing Firewall Rules (The Real Security)

Creating VLANs only separates traffic at Layer 2. By default, your router will still try to route traffic between them at Layer 3. To actually secure the lab, you need firewall rules. I use a “Default Deny” strategy for my Lab network:

  • Rule 1: Allow Lab -> DNS (so servers can resolve names).
  • Rule 2: Allow Lab -> WAN (so you can run apt update).
  • Rule 3: Block Lab -> Home Network (the most important rule).
  • Rule 4: Block Lab -> Router WebGUI (keeps compromised VMs away from your network settings).

Testing Your Isolation

Once the config is live, always perform a ping test. Plug your laptop into a port assigned to VLAN 20 and try to ping your gateway at 192.168.20.1. It should work. Now, try to ping a server on the Lab network at 192.168.30.10. If your firewall rules are solid, that request should time out.

If the ping goes through, check your rule order. Most firewalls read from the top down. If you have an “Allow All” rule at the top, your “Block” rules further down will be ignored. Move your blocks to the top.

Final Thoughts

Building a segmented network takes a bit of planning, but it provides a professional foundation for your lab. You can break things, test malware, or host public-facing services without worrying about your family losing internet access.

Plus, understanding VLAN tagging and trunking is a massive advantage if you ever plan to work with enterprise networking or cloud environments like AWS VPCs. Map it out on paper first, take it one step at a time, and your network will be significantly more resilient.

Share:
Tags: