Most home networks are flat: every device — your laptop, your phone, your smart fridge, your IP camera — lives on the same subnet. If any one of them is compromised, the attacker can pivot to everything else. This post documents how I redesigned mine from scratch.
Why segment at all?
A flat /24 gives you 254 usable addresses and zero trust boundaries. The moment an IoT device with a backdoor hits your network, it can talk freely to your NAS, your workstation, your Raspberry Pis. VLANs fix this at layer 2: each VLAN is its own broadcast domain, so a device in one cannot even ARP for a device in another. The only path between zones is through the router at layer 3, and that is where pfSense's firewall rules decide what crosses. Nothing crosses unless you explicitly allow it.
Hardware I used
- pfSense (running on a Protectli VP2420 mini-PC) as the router/firewall
- TP-Link TL-SG108E managed switch — 8-port, supports 802.1Q VLANs, costs ~$30
- Ubiquiti UAP-AC-Lite access point (broadcasts multiple SSIDs, each tagged into its own VLAN)
VLAN layout
| VLAN | Name | Subnet | Purpose |
|---|---|---|---|
| 10 | TRUSTED | 10.0.10.0/24 | Laptops, phones |
| 20 | LAB | 10.0.20.0/24 | Servers, Raspberry Pis |
| 30 | IOT | 10.0.30.0/24 | Smart plugs, cameras |
| 99 | MGMT | 10.0.99.0/24 | Switch, AP management |
pfSense firewall rules
The key rule set: IOT can never initiate connections to TRUSTED, LAB or MGMT. The only IOT traffic that reaches those zones is the reply half of a connection one of them opened: the stateful firewall records a state for the outbound flow and matches the replies against it, so no explicit rule is needed for them. LAB can reach the internet but not TRUSTED. Two details of how pfSense evaluates rules decide whether this works. First, rules are applied on the interface where traffic enters, so the IoT restrictions are inbound rules on the VLAN30 interface. Second, every rule is first-match (pfSense adds pf's quick to each GUI rule), so the specific blocks must sit above the catch-all pass; a blanket pass placed first wins and the blocks below it never fire. A freshly created OPT interface has no rules at all, which means deny-all until you add the pass. DHCP to the IOT gateway is covered by pfSense's automatic rules when its DHCP server is enabled on the interface; DNS is not, so it gets an explicit pass. The catch-all pass also lets IoT devices reach pfSense's own IOT-side address on every port, including the web GUI and SSH, so either block those ports above it or pass only what the devices need. In pf syntax, the equivalent rule set:
# IOT (VLAN30): first-match on the inbound interface, so the blocks come before the pass
pass in quick on VLAN30 proto { tcp udp } from <iot_net> to (VLAN30) port 53   # DNS only to the IOT gateway
block in quick on VLAN30 from <iot_net> to <trusted_net>
block in quick on VLAN30 from <iot_net> to <lab_net>
block in quick on VLAN30 from <iot_net> to <mgmt_net>
pass in quick on VLAN30 from <iot_net> to any                                  # whatever is left: the internet
block in quick on VLAN20 from <lab_net> to <trusted_net>                       # LAB: internet yes, TRUSTED no
pass in quick on VLAN20 from <lab_net> to any
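To make the ordering and the stateful-return behaviour concrete, here is an added example that is not part of the original post and not pfSense code: a small model of first-match, per-interface, stateful rule evaluation, run against two orderings of the IoT rules. The subnets come from the VLAN table above; the interface names VLAN10/20/30/99, the host addresses and the example internet address are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field

# Subnets from the post's VLAN table, named like the pf tables <trusted_net> etc.
NETS = {
    "trusted_net": ipaddress.ip_network("10.0.10.0/24"),
    "lab_net": ipaddress.ip_network("10.0.20.0/24"),
    "iot_net": ipaddress.ip_network("10.0.30.0/24"),
    "mgmt_net": ipaddress.ip_network("10.0.99.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")
# pfSense interface each subnet sits behind (interface names are assumed)
IFACE_OF = {"trusted_net": "VLAN10", "lab_net": "VLAN20",
            "iot_net": "VLAN30", "mgmt_net": "VLAN99"}


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    iface: str   # interface the packet enters on; pfSense evaluates rules there
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def rule(action, iface, src="any", dst="any"):
    """Build a Rule from table names or 'any', mirroring pf's <table> syntax."""
    def net(name):
        return ANY if name == "any" else NETS[name]
    return Rule(action, iface, net(src), net(dst))


@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)  # (src, dst) of flows already passed

    def ingress_iface(self, ip):
        for name, net in NETS.items():
            if ip in net:
                return IFACE_OF[name]
        return "WAN"

    def evaluate(self, src, dst):
        """Verdict for one packet src -> dst: 'pass', 'pass:state' or 'block'."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Stateful part: a reply to a flow we already passed is allowed without
        # consulting the rule list (this is what lets TRUSTED -> IOT work).
        if (dst, src) in self.states:
            return "pass:state"
        iface = self.ingress_iface(src)
        # First-match: pfSense adds 'quick' to every GUI rule, so the first
        # matching rule decides and anything below it is never consulted.
        for r in self.rules:
            if r.iface == iface and src in r.src and dst in r.dst:
                if r.action == "pass":
                    self.states.add((src, dst))
                return r.action
        return "block"  # pfSense default when no rule on the interface matches


# The classic mistake: a blanket pass placed above the blocks.
naive = Firewall([
    rule("pass", "VLAN30", "iot_net", "any"),
    rule("block", "VLAN30", "iot_net", "trusted_net"),
    rule("block", "VLAN30", "iot_net", "lab_net"),
])
# Specific blocks first, catch-all pass last, plus the LAB and TRUSTED rules.
fixed = Firewall([
    rule("block", "VLAN30", "iot_net", "trusted_net"),
    rule("block", "VLAN30", "iot_net", "lab_net"),
    rule("block", "VLAN30", "iot_net", "mgmt_net"),
    rule("pass", "VLAN30", "iot_net", "any"),
    rule("block", "VLAN20", "lab_net", "trusted_net"),
    rule("pass", "VLAN20", "lab_net", "any"),
    rule("pass", "VLAN10", "trusted_net", "any"),
])


def policy_report(fw):
    """Run the post's intended policy through fw; host addresses are made up."""
    cam, laptop, pi, switch = "10.0.30.5", "10.0.10.7", "10.0.20.9", "10.0.99.2"
    internet = "93.184.216.34"
    report = {
        "iot->trusted": fw.evaluate(cam, laptop),
        "iot->lab": fw.evaluate(cam, pi),
        "iot->mgmt": fw.evaluate(cam, switch),
        "iot->internet": fw.evaluate(cam, internet),
        "lab->trusted": fw.evaluate(pi, laptop),
        "lab->internet": fw.evaluate(pi, internet),
        "trusted->iot": fw.evaluate(laptop, cam),  # laptop opens the camera stream
    }
    report["iot->trusted (reply)"] = fw.evaluate(cam, laptop)  # allowed by state only
    return report


if __name__ == "__main__":
    for name, fw in ("pass first", naive), ("blocks first", fixed):
        print(name, policy_report(Firewall(fw.rules)))
```

With the pass on top, the camera reaches the laptop and the NAS and the two block rules are dead; with the blocks on top, the camera gets nothing but the internet, while the laptop can still open a stream to the camera and the camera's replies come back through the state entry rather than through any rule.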
Switch configuration
On the TL-SG108E every port is either an access port or a trunk port. An access port belongs to one VLAN untagged, and its PVID (set on the switch's separate 802.1Q PVID page) must be that same VLAN so that the untagged frames arriving from the device are assigned to it. A trunk port carries several VLANs tagged, toward the pfSense uplink and the AP. The AP's own management traffic needs a path as well: a UniFi AP talks to its controller untagged unless a management VLAN is configured on it, so the AP port carries VLAN 99 untagged with PVID 99 alongside the tagged SSID VLANs.
Port 1 → pfSense (tagged: VLAN10, 20, 30, 99)
Port 2 → AP (tagged: VLAN10, 30; untagged: VLAN99, PVID 99)
Port 3 → NAS (untagged: VLAN20, PVID 20)
Port 4-6 → Lab servers (untagged: VLAN20, PVID 20)
After saving, check two things: that VLAN 1 has been removed from every port you reassigned (the switch keeps every port as an untagged member of VLAN 1 by default), and that the switch's own management address answers only from VLAN 99.
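What "tagged" and "untagged" mean on the wire, and why the AP port never sees LAB traffic, is easier to see with frames than with a port table. The following is an added example, not part of the original post and not the switch's own logic: it builds 802.1Q frames, parses them, and models the ingress/egress decisions of an 802.1Q switch using a port table that mirrors the layout above. Assumptions: port 2 carries VLAN 99 untagged for the AP's management, the pfSense trunk has PVID 1 (so a stray untagged frame is parked in a VLAN no other port carries), only four ports are modelled, the switch floods to every member port (no MAC learning), and the sample frames are constructed with placeholder payloads.

```python
import struct

TPID_8021Q = 0x8100  # EtherType announcing that an 802.1Q tag follows

# Port table modelled on the post's switch layout. PVID is the VLAN an
# untagged ingress frame is assigned to. Port 2 carrying VLAN99 untagged for
# the AP's management traffic is an assumption; PVID 1 on the pfSense trunk
# parks any untagged frame in a VLAN that no other port carries.
PORTS = {
    1: {"pvid": 1,  "tagged": {10, 20, 30, 99}, "untagged": set()},  # pfSense
    2: {"pvid": 99, "tagged": {10, 30},         "untagged": {99}},   # AP
    3: {"pvid": 20, "tagged": set(),            "untagged": {20}},   # NAS
    4: {"pvid": 20, "tagged": set(),            "untagged": {20}},   # lab server
}


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Ethernet II frame, with an 802.1Q tag after the MACs if vid is given."""
    hdr = mac(dst) + mac(src)
    if vid is not None:
        tci = (pcp & 0x7) << 13 | (vid & 0xFFF)  # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into its fields; vid is None for an untagged frame."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, body = None, frame[14:]
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, body = tci & 0xFFF, frame[18:]
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": body}


def strip_tag(frame):
    return frame[:12] + frame[16:]


def add_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def switch_forward(frame, in_port):
    """Where an 802.1Q switch sends `frame` arriving on `in_port`, and in what form.

    Floods to every member port of the VLAN (broadcast / unknown-destination
    case; MAC learning is left out). Returns {port: frame_as_sent}.
    """
    cfg = PORTS[in_port]
    vid = parse_frame(frame)["vid"]
    if vid is None:
        vid, bare = cfg["pvid"], frame       # untagged ingress lands in the PVID
    elif vid in cfg["tagged"] | cfg["untagged"]:
        bare = strip_tag(frame)              # tagged ingress on a member port
    else:
        return {}                            # ingress filtering: not a member, drop
    out = {}
    for port, pc in PORTS.items():
        if port == in_port:
            continue
        if vid in pc["tagged"]:
            out[port] = add_tag(bare, vid)   # trunk: re-tag on egress
        elif vid in pc["untagged"]:
            out[port] = bare                 # access: deliver untagged
    return out


BCAST = "ff:ff:ff:ff:ff:ff"
ARP = 0x0806
# Constructed sample frames; the payload is a placeholder, not a real ARP body.
nas_arp = build_frame(BCAST, "02:00:00:00:00:03", ARP, b"\x00" * 28)
cam_arp = build_frame(BCAST, "02:00:00:00:00:30", ARP, b"\x00" * 28, vid=30)
lab_from_ap = build_frame(BCAST, "02:00:00:00:00:30", ARP, b"\x00" * 28, vid=20)

if __name__ == "__main__":
    for label, frame, port in (("NAS broadcast on port 3", nas_arp, 3),
                               ("camera via AP, tagged 30", cam_arp, 2),
                               ("AP sending tagged 20", lab_from_ap, 2),
                               ("untagged on pfSense trunk", nas_arp, 1)):
        sent = switch_forward(frame, port)
        print(label, {p: parse_frame(f)["vid"] for p, f in sent.items()})
```

The NAS's untagged broadcast picks up VLAN 20 from the PVID, leaves port 1 with a tag and port 4 without one, and never appears on the AP port; a frame tagged 20 arriving from the AP is dropped at ingress because port 2 is not a member of that VLAN; and an untagged frame on the pfSense trunk goes nowhere, which is the point of leaving VLAN 1 unused.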
What I learned
- Start with the firewall rules before plugging anything in. It is much easier to open holes selectively than to close them retroactively.
- VLAN 1 is the default VLAN on most switches, and every port starts out as an untagged member of it. Never put production traffic on it: remove it from the trunk ports and leave it only as the PVID of unused ports, which you disable.
- DNS matters. Either run a separate Pi-hole per VLAN, or use pfSense's DNS Resolver (Unbound) with a per-client view (Unbound's access-control-view, added through the resolver's custom options) that does not carry your internal records, so IoT devices cannot look up or enumerate your internal hostnames. In both cases add a rule on VLAN30 that passes port 53 only to the IOT gateway: plenty of devices ship with a public resolver hard-coded and will otherwise sidestep whatever you configured.
The result: a network where my IP cameras literally cannot reach my laptop, even if I try.