Home Network Setup for Homelabs: VLANs Without the Headache
Why VLANs matter for homelab security, the difference between managed and unmanaged switches, and how to set up basic network segmentation.
Most homelab guides skip the network setup. They assume you’ll plug everything into the same switch your router came with and call it a day. For a basic setup, that works fine. But as soon as you start adding IoT devices, untrusted services, or anything you’re experimenting with, sharing a flat network with the rest of your house becomes a problem worth solving.
VLANs fix this. They’re not complicated once you understand what they’re actually doing, but the terminology and marketing around managed switches makes the whole thing seem harder than it is.
This is the networking setup I run, explained from the beginning.
What a VLAN Actually Is
A VLAN (Virtual LAN) is a way to divide a single physical network into multiple isolated logical networks. Devices on different VLANs cannot communicate with each other by default, even if they’re plugged into the same physical switch.
Without VLANs, your network is flat: every device can reach every other device. Your phone, your laptop, your smart TV, your homelab server, that one cheap IoT plug you bought — all on the same network, all able to attempt connections to each other.
With VLANs, you can separate traffic:
- VLAN 10: Trusted — laptops, phones, the stuff you actually use
- VLAN 20: Homelab — your server, containers, NAS
- VLAN 30: IoT — smart bulbs, cameras, anything with firmware you don’t fully trust
- VLAN 40: Guests — internet access only, can’t reach anything else
Traffic between VLANs can only flow through your router (or firewall), which means you control exactly what can talk to what.
Why This Matters for Homelabs
Two reasons.
IoT devices are a security problem. Cheap IoT hardware often has poor firmware security, ships with known vulnerabilities, and gets infrequent updates (or no updates). If a smart camera or thermostat on your network gets compromised, on a flat network it has a clear path to everything else — your NAS, your server, your laptops. On a VLAN-segregated network, a compromised IoT device can reach the internet but can’t reach your homelab.
Homelab experiments shouldn’t touch production. When you’re learning, you’re running things you don’t fully understand yet. A misconfigured service, an exposed port, a container with an old image — isolating your homelab traffic means an experiment gone wrong can’t directly affect your household’s devices.
Neither of these concerns requires complex enterprise networking to address. Basic segmentation with a $30 managed switch handles both.
Managed vs. Unmanaged Switches
This is the fork in the road. An unmanaged switch is what most home routers ship with built-in, or what you buy at a big-box store for $15: plug in devices, they’re all on the same network, no configuration possible. Fine for a simple home network, useless for VLANs.
A managed switch supports VLANs. You can configure which ports belong to which VLANs, and whether each port is an access port (the device gets one VLAN and doesn’t know about the others) or a trunk port (carries multiple VLANs, used for uplinks between switches or to a router). Managed switches are slightly more expensive but not significantly so.
The $30 option that actually works: TP-Link TL-SG108E
The TL-SG108E is an 8-port managed switch that costs about $30. It supports 802.1Q VLANs, has a web management interface, and works reliably. It’s the most commonly recommended managed switch for homelab use because it’s cheap, available everywhere, and does exactly what you need without complexity.
For larger setups, the TP-Link TL-SG116E (16 ports, ~$60) is the same deal with more ports.
What about a managed switch in your router?
If you have an OpenWRT-capable router (common mid-range options include the GL.iNet MT6000 or the Asus RT-AX88U with custom firmware), you may be able to configure VLANs directly on the router without a managed switch. This works well for simpler setups where all your devices connect through the router directly.
For homelab use, a dedicated managed switch is cleaner. You run one uplink from your router to the switch (a trunk port carrying all your VLANs), and each device plugs into an access port assigned to the right VLAN.
VLAN Setup: The Basic Approach
This isn’t a step-by-step for a specific router — configurations vary too much by vendor. But here’s the logical flow that applies regardless of what hardware you’re using:
1. Plan your VLANs before configuring anything.
Pick VLAN IDs and assign them to use cases. Common convention:
| VLAN ID | Name | Purpose |
|---|---|---|
| 1 | Default | Avoid using this one for anything important |
| 10 | Trusted | Daily driver devices |
| 20 | Homelab | Servers and services |
| 30 | IoT | Smart devices |
| 40 | Guest | Internet-only access for visitors |
Write this down. You’ll reference it constantly while configuring.
2. Create the VLANs on your router.
In your router’s interface, create the VLANs as separate network interfaces — each with its own IP range. For example:
- VLAN 10: 192.168.10.0/24
- VLAN 20: 192.168.20.0/24
- VLAN 30: 192.168.30.0/24
Enable DHCP on each VLAN interface so devices get addresses automatically.
3. Set firewall rules between VLANs.
This is where the security lives. By default, configure your router to:
- Allow all VLANs to reach the internet (WAN)
- Block inter-VLAN traffic by default
- Add specific exceptions where needed
Example exceptions that make sense:
- Allow Trusted (VLAN 10) to reach Homelab (VLAN 20) — so your laptop can access your services
- Block IoT (VLAN 30) from reaching everything except WAN — it just needs internet
- Block Guest (VLAN 40) from reaching everything except WAN
4. Configure trunk and access ports on the switch.
The uplink from your router to the switch should be a trunk port — it carries traffic tagged with VLAN IDs for all your VLANs simultaneously.
Each device port is an access port assigned to a single VLAN. The device plugged into that port doesn’t know about VLANs — it just gets an IP from whichever VLAN that port belongs to.
On the TP-Link TL-SG108E via the web interface:
- Go to 802.1Q VLAN and define your VLANs with the appropriate member ports
- Set the uplink port as tagged on all VLANs
- Set each device port as untagged on whichever VLAN it belongs to
- Configure the PVID (Port VLAN ID) for each access port to match its VLAN
That’s the core of it. Each vendor’s UI is different, but the concepts are the same.
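The tagged/untagged/PVID rules from step 4 can be checked on paper before touching the switch. The following is an added example, not part of the original guide or any vendor tool: the port layout is constructed, and using port 1 as the uplink is an assumption.

```python
# Added example: audit a planned 802.1Q port table against the step 4 rules.
# VLAN IDs follow the plan above; the port layout itself is constructed.
VLANS = {10, 20, 30, 40}
UPLINK = 1  # assumption: port 1 is the trunk to the router

# port -> PVID, VLANs the port is a tagged member of, VLANs it is untagged in
PORTS = {
    1: {"pvid": 1,  "tagged": {10, 20, 30, 40}, "untagged": {1}},
    2: {"pvid": 10, "tagged": set(), "untagged": {10}},
    3: {"pvid": 20, "tagged": set(), "untagged": {20}},
    4: {"pvid": 1,  "tagged": set(), "untagged": {30}},     # PVID never changed
    5: {"pvid": 30, "tagged": set(), "untagged": {1, 30}},  # still in VLAN 1 too
}

def audit(ports, vlans, uplink):
    """Return (port, problem) tuples for ports that break the trunk/access rules."""
    findings = []
    for num, p in sorted(ports.items()):
        if num == uplink:
            # The trunk must carry every planned VLAN as tagged traffic.
            missing = vlans - p["tagged"]
            if missing:
                findings.append((num, f"trunk not tagged on VLANs {sorted(missing)}"))
            continue
        if p["tagged"]:
            findings.append((num, f"access port is tagged on {sorted(p['tagged'])}"))
        if len(p["untagged"]) != 1:
            findings.append((num, f"untagged on {sorted(p['untagged'])}, expected one VLAN"))
        elif p["pvid"] not in p["untagged"]:
            # Incoming untagged frames are classified by PVID, outgoing frames
            # by untagged membership, so a mismatch splits the two directions.
            only = next(iter(p["untagged"]))
            findings.append((num, f"PVID {p['pvid']} != untagged VLAN {only}"))
    return findings

if __name__ == "__main__":
    for port, problem in audit(PORTS, VLANS, UPLINK):
        print(f"port {port}: {problem}")
```

Ports 4 and 5 are the two slips this catches: an access port whose PVID was left at the default, and one that is still an untagged member of a second VLAN.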
For Proxmox Users: VLANs on the Server
If your homelab server is running Proxmox, you can extend VLAN logic into your VMs and containers without needing additional physical ports. Proxmox supports VLAN-aware Linux bridges.
In Proxmox, go to your node’s Network configuration and check the VLAN-aware checkbox on your main bridge (usually vmbr0). Then when creating a VM or container, you can assign it to a specific VLAN tag. The Proxmox bridge handles the tagging — the VM thinks it’s on a regular network, but the traffic hits your switch trunk with the correct VLAN tag.
This means you can run:
- Your homelab server connected to one trunk port on the switch
- VMs on VLAN 20 (Homelab)
- A separate VM for untrusted experiments on a different VLAN
- All managed at the Proxmox layer without needing additional physical cables
Common Mistakes
Leaving VLAN 1 (the default) as a production VLAN. VLAN 1 is the default native VLAN on most switches and is treated differently in some configurations. Best practice is to not use it for anything important. Assign your actual traffic to higher VLAN IDs.
Forgetting to move your own devices. After configuring VLANs, you need to physically (or via your router’s wireless settings) move devices to the right VLANs. Your IoT devices don’t move themselves — you have to change which SSID they connect to, or which switch port they plug into.
Creating rules but not testing them. After setup, verify your firewall rules actually work. From a laptop on VLAN 10, try to ping a device on VLAN 30. From a device on VLAN 30, try to reach something on VLAN 20. If the blocking rules aren’t working, you’ll know immediately — and it’s better to know now than to assume segmentation is working when it isn’t.
Over-engineering on day one. Four VLANs is a reasonable starting point. You don’t need fifteen. Start with Trusted, Homelab, and IoT. Add more if you have a specific reason to.
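The "creating rules but not testing them" check above can be made repeatable with a small script run once from a device on each VLAN. This is an added example, not from the original guide: the target addresses and ports are constructed, and it uses TCP connects instead of ping because firewall rules may handle ICMP and TCP differently.

```python
# Added example: compare what this host can actually reach with the intended policy.
import socket

# Policy from step 3: inter-VLAN traffic is denied except Trusted -> Homelab.
ALLOWED = {("trusted", "homelab")}

# Constructed targets: one host per VLAN with a service known to be listening,
# so that a failed connect means "filtered" rather than "nothing on that port".
TARGETS = {
    "trusted": ("192.168.10.50", 22),
    "homelab": ("192.168.20.10", 443),
    "iot":     ("192.168.30.25", 80),
}

def tcp_probe(host, port, timeout=2.0):
    """True if a TCP connection completes; False on timeout, refusal or no route."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def verify(my_vlan, probe=tcp_probe):
    """Probe every other VLAN from this host; return rows where reality != policy."""
    mismatches = []
    for vlan, (host, port) in TARGETS.items():
        if vlan == my_vlan:
            continue
        expected = (my_vlan, vlan) in ALLOWED
        actual = probe(host, port)
        if actual != expected:
            mismatches.append((my_vlan, vlan, expected, actual))
    return mismatches

if __name__ == "__main__":
    import sys
    here = sys.argv[1] if len(sys.argv) > 1 else "iot"
    for src, dst, expected, actual in verify(here):
        print(f"MISMATCH {src} -> {dst}: expected reachable={expected}, got {actual}")
```

Pass the name of the VLAN the machine is plugged into as the first argument; no output means every probe matched the policy.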
The Gear Worth Buying
For a basic segmented homelab network:
- TP-Link TL-SG108E (~$30) — 8-port managed switch for connecting everything to the switch layer
- Any VLAN-capable router — OpenWRT-flashed GL.iNet, Firewalla Gold, or a dedicated pfSense/OPNsense box for more control
If you’re already happy with your router and it doesn’t support VLANs, that’s the bottleneck. The managed switch alone can’t create VLANs without a router that understands them — both sides need to cooperate.
VLANs feel intimidating the first time because of the terminology. Once you’ve set one up and tested it, the underlying concept is simple: devices on different VLANs can’t reach each other unless your router explicitly allows it. That’s the whole idea.