
VLAN Setup In My Home Network

By Victor Da Luz
Tags: VLAN, 802.1Q, MikroTik, UniFi, segmentation, homelab

VLANs let one physical network act like several smaller ones. The goal is simple: keep devices in sensible groups so security rules, noise, and troubleshooting get easier without adding hardware.

What A VLAN Is

Think of a VLAN as a label on each Ethernet frame. Switches and APs read the label; a client on an access port never sees it.

  • 802.1Q tagging marks each frame with a VLAN id (1 to 4094) on trunks
  • Access ports deliver one network untagged; the PVID is the VLAN that untagged frames entering the port are assigned to
  • Trunks carry multiple tagged VLANs between switch, APs, and router

Why I Use VLANs At Home

I group devices by role so one group cannot surprise another and policies are cleaner.

  • Separate lanes for management, user devices, servers, IoT, and guests
  • Limit blast radius and keep chatty devices out of the way
  • Apply different firewall rules per group instead of per device

My VLANs

These are the actual segments and roles in my network.

  • Management (VLAN 99)
    • Purpose: router, switch, APs, and admin access
    • DNS: internal
    • Access: outbound admin to all, inbound limited
  • Trusted Clients (VLAN 10)
    • Purpose: laptops, desktops, Apple TV
    • DNS: internal
    • Access: full internet, full to Servers, limited control to IoT
  • Trusted Servers (VLAN 20)
    • Purpose: NAS, DNS, Home Assistant, monitoring
    • DNS: internal
    • Access: provides services to all, full internet
  • IoT (VLAN 30)
    • Purpose: cameras, speakers, lights, appliances
    • DNS: internal only
    • Access: no internet, cannot initiate to internal; discovery bridged on purpose
  • Guest (VLAN 40)
    • Purpose: visitors and transient devices
    • DNS: public
    • Access: internet only, no internal access
  • Work Devices (VLAN 50)
    • Purpose: isolated work laptop and peripherals
    • DNS: public
    • Access: internet only, no access to internal VLANs

Wireless mirrors this. Separate SSIDs map to user, IoT, and guest. UniFi tags per SSID and hands the switch the right VLAN.

Switch And Router Basics

  • Access ports: one untagged VLAN, PVID set to match
  • Trunk ports: carry the tagged VLANs between switch and router
  • Router: one interface (or sub interface) per VLAN for routing and firewall
  • In my setup the router uplink to the switch is the SFP+ port as a trunk, and a dedicated management port is untagged on VLAN 99
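The port roles above, written out as RouterOS bridge VLAN filtering on the MikroTik router. This is an added example, not the author's exported config; the interface names (sfp-sfpplus1 as the trunk, ether2 as the management access port, bridge1), the 10.0.<vlan>.0/24 subnets and the VLAN interface names are assumptions to adjust for your hardware.

```routeros
# Added example (not the author's config): RouterOS bridge with VLAN filtering.
# Assumed names: sfp-sfpplus1 = trunk to the switch, ether2 = management access port,
# bridge1 = the bridge, subnets 10.0.<vlan>.0/24 with the router at .1 in each.
# Run from a console in Safe Mode (Ctrl-X) so a mistake reverts instead of locking you out.

/interface bridge
add name=bridge1 vlan-filtering=no comment="turn filtering on last"

/interface bridge port
# trunk: accept tagged frames only, reject VLANs not in the table
add bridge=bridge1 interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# management access port: untagged, PVID 99 so untagged ingress lands in VLAN 99
add bridge=bridge1 interface=ether2 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# bridge1 itself must be a tagged member of every VLAN the router routes
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 vlan-ids=10,20,30,40,50
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether2 vlan-ids=99

/interface vlan
# one L3 sub-interface per VLAN on top of the bridge, for routing and firewall
add interface=bridge1 vlan-id=10 name=vlan10-clients
add interface=bridge1 vlan-id=20 name=vlan20-servers
add interface=bridge1 vlan-id=30 name=vlan30-iot
add interface=bridge1 vlan-id=40 name=vlan40-guest
add interface=bridge1 vlan-id=50 name=vlan50-work
add interface=bridge1 vlan-id=99 name=vlan99-mgmt

/ip address
add address=10.0.10.1/24 interface=vlan10-clients
add address=10.0.20.1/24 interface=vlan20-servers
add address=10.0.30.1/24 interface=vlan30-iot
add address=10.0.40.1/24 interface=vlan40-guest
add address=10.0.50.1/24 interface=vlan50-work
add address=10.0.99.1/24 interface=vlan99-mgmt

# enable filtering only after VLAN 99 is in the table and ether2 is its untagged member;
# doing this first is the classic way to cut off your own management session
/interface bridge
set [ find name=bridge1 ] vlan-filtering=yes
```

The order matters: with `vlan-filtering=yes` the bridge drops any VLAN that is not in `/interface bridge vlan`, including the one your admin session arrives on, so the management entry goes in before the switch is flipped.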

DHCP, DNS, And Discovery

Each VLAN gets its own DHCP scope and DNS that match its role.

  • Clients, Servers, and Management use internal DNS
  • Guest and Work use public DNS
  • IoT resolves only through internal DNS

If you need cross-segment discovery for media or printing, add mDNS helpers on purpose; do not rely on accidents.
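Per-VLAN DHCP scopes that hand out the DNS server matching each role, as an added RouterOS example rather than the author's config. It assumes the VLAN interfaces and 10.0.<vlan>.0/24 subnets from the setup above, an internal resolver at 10.0.20.10 in the Servers VLAN, the public resolver 9.9.9.9 for Guest and Work, and that Servers and Management use static addresses; the placeholder MAC in the static lease is obviously not a real device.

```routeros
# Added example: one DHCP scope per VLAN, DNS chosen by role.
# Assumptions: internal resolver 10.0.20.10 (Servers VLAN), public resolver 9.9.9.9,
# Servers and Management statically addressed so they get no scope here.

/ip pool
add name=pool-clients ranges=10.0.10.100-10.0.10.250
add name=pool-iot ranges=10.0.30.100-10.0.30.250
add name=pool-guest ranges=10.0.40.100-10.0.40.250
add name=pool-work ranges=10.0.50.100-10.0.50.250

/ip dhcp-server
add name=dhcp-clients interface=vlan10-clients address-pool=pool-clients lease-time=1d
add name=dhcp-iot interface=vlan30-iot address-pool=pool-iot lease-time=1d
add name=dhcp-guest interface=vlan40-guest address-pool=pool-guest lease-time=4h
add name=dhcp-work interface=vlan50-work address-pool=pool-work lease-time=1d

/ip dhcp-server network
# trusted clients and IoT get the internal resolver (home.arpa is the RFC 8375 home-network domain)
add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=10.0.20.10 domain=home.arpa
add address=10.0.30.0/24 gateway=10.0.30.1 dns-server=10.0.20.10 domain=home.arpa
# Guest and Work get a public resolver and never learn internal names
add address=10.0.40.0/24 gateway=10.0.40.1 dns-server=9.9.9.9
add address=10.0.50.0/24 gateway=10.0.50.1 dns-server=9.9.9.9

# IoT devices that later get a firewall exception need a fixed address;
# pin them with a static lease (placeholder MAC, replace with the real one)
/ip dhcp-server lease
add server=dhcp-iot address=10.0.30.21 mac-address=00:11:22:33:44:55 comment="Garmin device 1"

# deliberate cross-segment discovery: reflect mDNS only between Clients and IoT.
# Assumption: RouterOS 7.16 or newer; on older versions run an external reflector
# such as avahi in the Servers VLAN instead.
/ip dns
set mdns-repeat-ifaces=vlan10-clients,vlan30-iot
```

A DHCP-advertised resolver is a hint, not a control: a device can ignore it and query any address it likes. "IoT resolves only through internal DNS" is only true once the firewall allows IoT to reach port 53 on 10.0.20.10 and nothing else, which the filter rules below take care of.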

IoT Isolation And Exceptions

Most IoT devices talk to the internet constantly. Many ship with weak defaults, slow updates, and phone-home behavior you do not control. Treat them as untrusted and keep them isolated.

What I run

  • IoT has no direct internet access
  • IoT cannot initiate to any internal VLANs
  • Discovery is explicit and limited

Curated exceptions from my setup

  • Home Assistant access into IoT: I allow Home Assistant in the Servers VLAN to initiate connections to IoT devices and cameras. The allow rule sits above the IoT isolation drop so automations work while IoT stays contained
  • Specific devices that need cloud sync: Two Garmin health devices are in an address list that is allowed to the WAN only. Everything else in IoT remains blocked from the internet

Firewall Posture

Default deny between user, server, IoT, work, and guest. Then allow only what you actually need.

  • Clients and Servers can talk to each other for normal services
  • Management can reach everything for admin
  • IoT cannot initiate to internal and has no internet
  • Guest and Work have internet only with no internal access

Real Firewall Examples From My Setup

  • Allow Home Assistant into IoT: added a specific allow from the Home Assistant server to the IoT address list, placed before the IoT isolation rule
  • Permit only two IoT devices to the internet: created a Garmin address list and allowed it out to the WAN while keeping the rest of IoT blocked
  • Work VLAN internet-only: Work devices get full internet but are blocked from all internal VLANs to keep work separate
  • Base policy on the router: accept established/related, drop invalid, then specific allows, and a final drop. Isolation rules for IoT, Guest, and Work enforce the boundaries

MikroTik Allow/Deny Gotcha

If you come from Cisco style ACLs, MikroTik can feel inverted at first.

  • MikroTik filter chains are default accept: a packet that matches no rule in a chain is passed. Plan on a deliberate final drop rule in both the input and forward chains
  • Rules are first-match. Put specific allows above broad isolation drops or you will block yourself, and check the rule counters to confirm which rule is actually matching
  • Chains matter. Use the forward chain for inter-VLAN and internet traffic, input for traffic to the router itself (admin, DHCP, ping to the gateway), and output for traffic the router originates. Mixing them up is a common source of confusion
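The IoT exceptions, the firewall posture, the real examples, and the ordering gotcha above all describe one rule set, so here it is once, as an added RouterOS example in the order MikroTik evaluates it. It is not the author's exported rules; the interface names (WAN on ether1, vlan10-clients through vlan99-mgmt), the addresses (internal DNS 10.0.20.10, Home Assistant 10.0.20.20, two Garmin devices at 10.0.30.21 and .22) and the list names are assumptions.

```routeros
# Added example (not the author's rule set): the posture above as RouterOS filter rules.
# Assumptions: WAN = ether1; VLAN interfaces vlan10-clients, vlan20-servers, vlan30-iot,
# vlan40-guest, vlan50-work, vlan99-mgmt; internal DNS 10.0.20.10; Home Assistant 10.0.20.20;
# Garmin devices 10.0.30.21 and 10.0.30.22 (pinned with static DHCP leases).
# Apply from a console in Safe Mode (Ctrl-X): the final drops lock you out if an allow is wrong.

/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface list member
add list=WAN interface=ether1
add list=VLAN interface=vlan10-clients
add list=VLAN interface=vlan20-servers
add list=VLAN interface=vlan30-iot
add list=VLAN interface=vlan40-guest
add list=VLAN interface=vlan50-work
add list=VLAN interface=vlan99-mgmt
add list=MGMT interface=vlan99-mgmt

/ip firewall address-list
add list=home-assistant address=10.0.20.20 comment="Home Assistant (Servers VLAN)"
add list=iot-net address=10.0.30.0/24 comment="IoT address list"
add list=garmin-cloud address=10.0.30.21 comment="Garmin device 1"
add list=garmin-cloud address=10.0.30.22 comment="Garmin device 2"

/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=MGMT comment="admin only from Management"
add chain=input action=accept protocol=icmp in-interface-list=VLAN comment="gateway ping for troubleshooting"
add chain=input action=accept protocol=udp dst-port=67 in-interface-list=VLAN comment="DHCP to the router"
add chain=input action=drop comment="final input drop; without it a non-matching packet is accepted"

# --- forward chain: traffic between VLANs and to the internet ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# specific allows FIRST: first match wins, so these must sit above the isolation drops
add chain=forward action=accept src-address-list=home-assistant dst-address-list=iot-net comment="Home Assistant into IoT"
add chain=forward action=accept src-address-list=garmin-cloud out-interface-list=WAN comment="only these IoT devices reach the cloud"
add chain=forward action=accept in-interface=vlan30-iot dst-address=10.0.20.10 protocol=udp dst-port=53 comment="IoT internal DNS only"
add chain=forward action=accept in-interface=vlan30-iot dst-address=10.0.20.10 protocol=tcp dst-port=53 comment="IoT internal DNS only"
# isolation drops
add chain=forward action=drop in-interface=vlan30-iot out-interface-list=WAN comment="IoT: no internet"
add chain=forward action=drop in-interface=vlan30-iot out-interface-list=VLAN comment="IoT: cannot initiate to internal"
add chain=forward action=drop in-interface=vlan40-guest out-interface-list=VLAN comment="Guest: no internal"
add chain=forward action=drop in-interface=vlan50-work out-interface-list=VLAN comment="Work: no internal"
# broad allows for the trusted segments
add chain=forward action=accept in-interface-list=MGMT comment="Management reaches everything"
add chain=forward action=accept in-interface=vlan10-clients out-interface=vlan20-servers comment="Clients to Servers"
add chain=forward action=accept in-interface=vlan10-clients out-interface=vlan30-iot comment="Clients control IoT; narrow to the ports you use"
add chain=forward action=accept in-interface-list=VLAN out-interface-list=WAN comment="internet for whatever was not dropped above"
add chain=forward action=drop comment="final forward drop"
```

Two things to try once it is loaded, because they show the gotcha directly: move the Home Assistant rule below the "IoT: cannot initiate to internal" drop and the automations keep failing silently even though the allow is still there, since the reply traffic never gets a first packet; delete the final forward drop and every flow that matches nothing, such as Servers into Work, is quietly accepted. `/ip firewall filter print stats` shows per-rule packet counters, which is the fastest way to see which rule a flow is actually hitting.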

Verification Checks

A quick path that catches most mistakes:

  1. From a client, ping the local VLAN gateway
  2. If it fails, check ARP for the gateway MAC
  3. Mirror the client access port to confirm unicast leaves the device
  4. Mirror the trunk to confirm tagged frames reach the router
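The same four checks from the router side, as an added example using RouterOS show commands rather than a port mirror; it assumes the bridge1 and sfp-sfpplus1 names from the setup above, the vlan10-clients interface, and a client at 10.0.10.50.

```routeros
# Added example: router-side equivalents of the four client-side checks.
# Assumptions: bridge1, trunk sfp-sfpplus1, VLAN interface vlan10-clients, client 10.0.10.50.

# step 1 fails -> check the VLAN table first: VLAN 10 must show bridge1 and the trunk
# under CURRENT-TAGGED, or the router never sees the client's frames
/interface bridge vlan print where bridge=bridge1

# an access port in the wrong VLAN is almost always a wrong PVID on the switch or here
/interface bridge port print

# step 3 equivalent: the client's MAC must be learned on the trunk with VID 10;
# no entry means its frames are not arriving tagged 10
/interface bridge host print where vid=10

# step 2 from the gateway side: the client's ARP entry should sit on vlan10-clients
/ip arp print where interface=vlan10-clients

# step 4 equivalent of mirroring the trunk: watch the client's frames arrive on the
# uplink; each should carry VLAN id 10. Stop with Ctrl-C.
/tool sniffer quick interface=sfp-sfpplus1 ip-address=10.0.10.50
```

If the host table shows the MAC under a different VID than expected, the switch side (UniFi port profile or SSID VLAN) is tagging it wrong and no amount of router configuration will fix it.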

Why This Is Worth It

You get cleaner security boundaries, less broadcast noise, and simple, repeatable troubleshooting. The network feels calmer without adding more hardware or chasing one off rules.
