NetworkingSecurity

Homelab Firewall Rules: How to Isolate VLANs Without Breaking DNS, Backups, or Your Sanity

Build better homelab firewall rules with a default-deny VLAN policy, DNS and backup exceptions, and practical OPNsense or pfSense examples.

AU

Author

Marcus Chen

Disclosure: This article contains affiliate links. If you purchase through these links, we may earn a commission at no additional cost to you.

Key Takeaways

  • Start with a small zone model - management, servers, clients, IoT, and guests - then write rules for traffic between zones instead of making one-off exceptions forever.
  • Default deny is still the right answer for inter-VLAN traffic, but you need explicit allows for DNS, NTP, HTTPS, SSH, backups, and monitoring.
  • Use aliases for subnets, ports, and infrastructure hosts. If your rules read like a crossword puzzle, you will hate yourself in six months.
  • Logging blocked traffic is not optional. It is how you discover that the "broken app" is actually one sad little DNS request hitting a wall.
  • Keep hypervisor, NAS, switch, and firewall management interfaces off the general LAN. Temporary flat networks have a suspicious tendency to become permanent.

After running segmented networks in both production and my homelab, I have made one mistake more than any other: I built VLANs first and only thought seriously about firewall policy after everything started breaking.

That is backwards.

VLANs are just containers for your bad decisions until you write sane rules between them. The good news is you do not need enterprise policy sprawl to fix this. You need a few clean zones, a default-deny stance, and the discipline to allow only what your services actually need.

If you already read my Homelab Network Architecture Guide, think of this as the practical sequel where we stop admiring the blueprint and start tightening the bolts.

The zone model I actually recommend

Most homelabs do not need 14 VLANs and a laminated diagram worthy of a hospital network. They need enough separation to keep management, core services, users, IoT junk, and guests from tripping over each other.

This is the five-zone model I keep coming back to:

Zone Example subnet What lives here Default trust level
Management 10.10.10.0/24 Firewall UI, switches, APs, hypervisor management, IPMI/iDRAC Highest
Servers 10.10.20.0/24 Proxmox guests, Docker hosts, NAS, DNS, reverse proxy, monitoring High
Clients 10.10.30.0/24 Laptops, desktops, tablets, phones you actually trust Medium
IoT 10.10.40.0/24 Cameras, TVs, plugs, assistant speakers, random "smart" nonsense Low
Guests 10.10.50.0/24 Visitor devices Lowest

That is enough for most people.

You can add a lab VLAN, a storage VLAN, or a DMZ later if you have a reason. If you start with 12 networks because you saw a YouTube rack tour, you are probably optimizing for screenshots instead of reliability.

The policy rule that keeps everything sane

My baseline policy is boring, which is exactly why it works:

1. Allow each VLAN to reach the internet as needed.

2. Block inter-VLAN traffic by default.

3. Add explicit allows only for real service flows.

4. Log blocked inter-VLAN traffic.

5. Use aliases everywhere.

That last point matters more than people think.

In Proxmox Networking Explained, I talked about how small naming mistakes turn into operational pain. Firewall policy is even less forgiving. 10.10.20.53 means something today. Six months from now, it means "why is production DNS on line 47 and why did I think I would remember this?"

Create aliases for:

  • subnets like NET_MGMT, NET_SERVERS, NET_CLIENTS, NET_IOT, NET_GUESTS
  • infrastructure hosts like HOST_DNS_1, HOST_PROXMOX_1, HOST_NAS_1
  • service ports like PORT_DNS, PORT_NTP, PORT_HTTPS, PORT_SSH
  • update mirrors or backup targets if you need tight outbound rules later

If you are running OPNsense, the official firewall documentation is worth bookmarking. If you are on pfSense, Netgate's rule methodology guide is the right place to confirm rule behavior and evaluation order.

The starter inter-VLAN policy table

This is the small-policy version I would hand my past self before he spent a Saturday breaking Chromecast, backup jobs, and SSH access in one majestic run.

Source zone Destination zone Allow? Typical ports Why
Management All zones Yes, limited 22, 443, 8006, vendor-specific mgmt ports Admin access to infrastructure
Servers Management Rarely As needed only Usually monitoring pull or backup callbacks
Clients Management Very limited 443, 8006, 22 to specific hosts Admin workstations only
Clients Servers Yes, limited 53, 80, 443, app-specific ports Access to dashboards and self-hosted apps
Servers Clients Rarely Monitoring or backup agent ports only Avoid lateral movement
IoT Servers Minimal 53, 123, maybe MQTT/HTTPS to one host DNS, time sync, narrowly scoped services
Servers IoT Sometimes 8123, 1883, vendor-specific ports Home Assistant, media control, automations
Guests Servers No None Guests should not touch internal services
Guests Management No None Obvious, but apparently not obvious enough
IoT Management No None Your TV does not need to manage your switch

That table is the strategy. The actual rule list depends on the services you run.

Here is the practical translation.

The rules I create first on a new firewall

1) Allow DNS to your chosen resolver

If you run Pi-hole or AdGuard Home, point every zone at those resolvers and allow only that path. Do not allow arbitrary outbound DNS from every client unless you enjoy debugging devices that hardcode external resolvers and ignore your filters.

I covered the resolver tradeoffs already in Pi-hole vs AdGuard Home. Whichever one you use, make it the approved target.

Example policy:

PASS  NET_CLIENTS -> HOST_DNS_1  TCP/UDP 53\nPASS  NET_IOT     -> HOST_DNS_1  TCP/UDP 53\nPASS  NET_GUESTS  -> HOST_DNS_1  TCP/UDP 53\nBLOCK NET_IOT     -> any         TCP/UDP 53 except HOST_DNS_1\nBLOCK NET_GUESTS  -> any         TCP/UDP 53 except HOST_DNS_1

That one rule set fixes a surprising amount of chaos.

2) Allow NTP

Devices with broken clocks break TLS, logs, tokens, and your patience. You can either let VLANs use public NTP directly or centralize time sync through one internal host.

My preference is simple:

PASS NET_CLIENTS -> any         UDP 123\nPASS NET_IOT     -> any         UDP 123\nPASS NET_GUESTS  -> any         UDP 123

If you are security-paranoid or bandwidth-obsessed, point them at an internal NTP source instead. Most people do not need to turn NTP into a religion.

3) Allow clients to reach self-hosted services

Users need to hit dashboards, apps, and reverse proxies in the server network. That means HTTP and HTTPS at a minimum, often via a single reverse proxy host.

PASS NET_CLIENTS -> HOST_REVERSE_PROXY  TCP 80,443\nPASS NET_CLIENTS -> NET_SERVERS         TCP 443  (only if direct app access is needed)

If your apps are behind a reverse proxy, keep the rule pointed there. Do not casually allow NET_CLIENTS -> NET_SERVERS any. That is how rule sets go from tight to decorative.

For proxy design, my current recommendation still leans on Caddy vs Traefik vs Nginx Proxy Manager. The firewall angle is simple: fewer published entry points means fewer rules and fewer regrets.

4) Allow admin access from trusted devices only

This is where people get sloppy.

Do not allow your whole client VLAN to hit Proxmox, your NAS admin panel, switch management, and firewall UI just because it is convenient. Create an alias for trusted admin workstations or a dedicated admin jump host.

Alias: HOST_ADMIN_CLIENTS = 10.10.30.10, 10.10.30.11\n\nPASS HOST_ADMIN_CLIENTS -> NET_MGMT    TCP 443,22\nPASS HOST_ADMIN_CLIENTS -> NET_SERVERS TCP 8006,22,443\nBLOCK NET_CLIENTS       -> NET_MGMT    any

If you are running Proxmox, the official firewall and network docs are useful for understanding the difference between what belongs on the hypervisor and what belongs on the perimeter firewall. I strongly prefer keeping the main allow/deny policy on the central firewall and using host firewalls as a second layer, not the primary map.

5) Allow backup traffic one way, on purpose

Backup flows should be explicit.

If your NAS pulls backups from clients, allow the NAS to poll or mount exactly what it needs. If Proxmox Backup Server receives data from hypervisors, allow that path and nothing broader.

PASS HOST_PROXMOX_CLUSTER -> HOST_PBS TCP 8007\nPASS HOST_NAS_1           -> NET_SERVERS TCP 22,873,445,2049

I would rather spend ten minutes documenting backup flows than discover during a restore that I never actually allowed the path I assumed was working. The article on Proxmox Backup Strategies gets into the disaster-recovery side of that story.

6) Allow monitoring and logging

Monitoring traffic often gets forgotten because it is invisible right up until you need it.

If Zabbix, LibreNMS, or Uptime Kuma needs to probe services across VLANs, write those rules intentionally:

PASS HOST_MONITORING -> NET_SERVERS TCP 80,443,9100,10050,161\nPASS HOST_MONITORING -> NET_MGMT    TCP/UDP vendor-specific monitoring ports\nPASS HOST_MONITORING -> NET_IOT     ICMP, TCP 80,443 (only if you truly monitor IoT)

My bias is to keep monitoring centralized in the server VLAN and let it reach outward on a short leash. That model is easier to reason about and easier to audit later.

If you are still choosing a stack, Zabbix vs LibreNMS vs Uptime Kuma covers the tradeoffs.

Example OPNsense or pfSense alias layout

This is not glamorous, but it is the part that keeps future-you from swearing at a web UI at 11:40 PM.

NET_MGMT        = 10.10.10.0/24\nNET_SERVERS     = 10.10.20.0/24\nNET_CLIENTS     = 10.10.30.0/24\nNET_IOT         = 10.10.40.0/24\nNET_GUESTS      = 10.10.50.0/24\n\nHOST_DNS_1      = 10.10.20.53\nHOST_PBS        = 10.10.20.70\nHOST_MONITORING = 10.10.20.80\nHOST_NAS_1      = 10.10.20.90\nHOST_PROXY      = 10.10.20.20\n\nPORT_DNS        = 53\nPORT_NTP        = 123\nPORT_WEB        = 80,443\nPORT_ADMIN      = 22,443,8006

Once you have this structure, your rules become readable:

PASS NET_IOT -> HOST_DNS_1 PORT_DNS\nPASS HOST_ADMIN_CLIENTS -> NET_MGMT PORT_ADMIN\nBLOCK NET_GUESTS -> NET_SERVERS any

Readable rules are safer rules.

Complicated-looking rules that nobody understands are basically ambient technical debt wearing a security costume.

The annoying traffic everyone forgets

This is the section where many clean firewall designs meet reality.

mDNS, AirPlay, Chromecast, and service discovery

Segmentation breaks discovery protocols because they often assume local broadcast or multicast behavior. That is not your firewall being mean. That is the protocol behaving exactly as designed.

You have three options:

1. keep those devices on the same VLAN as the clients that use them

2. use an mDNS repeater or gateway feature on your firewall or router

3. accept that not every smart speaker deserves cross-VLAN convenience

I usually choose option 3 more often than my family would prefer.

Package updates

Some IoT devices and appliances need outbound HTTPS to vendor clouds. Fine. Allow outbound internet access from the IoT VLAN if you must, but still block access to internal networks.

A basic pattern looks like this:

PASS  NET_IOT -> any          TCP 80,443\nBLOCK NET_IOT -> NET_SERVERS  any\nBLOCK NET_IOT -> NET_MGMT     any\nBLOCK NET_IOT -> NET_CLIENTS  any

That is not perfect zero trust. It is still much better than letting your camera talk to your NAS because nobody wrote a rule.

Remote access

For remote admin, I still prefer VPN over exposed ports for most homelabs. If you need public access to a web app, a tunnel or reverse proxy can make sense, but keep the management plane private.

I already compared the tradeoffs in Cloudflare Tunnel vs VPN vs Port Forwarding. The firewall summary is easy: remote access rules should terminate into the smallest possible surface area, not your entire server subnet.

Recommended gear if you are building this from scratch

You do not need a datacenter budget to write sane firewall rules, but a few hardware choices make segmentation much less miserable.

I am not claiming hardware will solve a bad rule set. It will not. But a managed switch, a dedicated firewall, and a UPS remove three completely unnecessary ways to ruin your weekend.

The mistake I made

The worst firewall mistake I made in my own lab was pretending that temporary broad allows were harmless.

I told myself I would lock them down later.

Later turned into months.

During that time, my client network could talk to far more infrastructure than it needed, my IoT network had more outbound access than I was comfortable with, and my backup flows were so poorly documented that I had to rediscover them through firewall logs like some sort of digital archaeologist.

If you take one thing from this article, make it this: broad temporary rules harden into permanent architecture faster than you think.

A dead-simple validation checklist

After creating or tightening rules, test from each zone.

From a client VLAN:

# DNS should work\nnslookup proxmox.lab.example 10.10.20.53\n\n# Reverse proxy or app access should work\ncurl -I https://app.lab.example\n\n# Firewall admin should fail unless you are on an approved admin client\ncurl -k https://10.10.10.1

From an IoT or restricted host:

# DNS should work only to your approved resolver\nnslookup jellyfin.lab.example 10.10.20.53\n\n# Direct access to management or random servers should fail\nnc -zv 10.10.10.1 443\nnc -zv 10.10.20.11 22

From your monitoring server:

# Service checks should succeed where explicitly allowed\ncurl -I https://10.10.20.20\nping -c 2 10.10.20.90

Then check the firewall logs.

The logs tell you whether the problem is policy, routing, DNS, or an application binding to the wrong interface. Guessing is slower, and less entertaining, than people imagine.

Frequently Asked Questions

Should I block all inter-VLAN traffic by default?

Yes. Start with default deny between VLANs, then add narrow allow rules for DNS, NTP, HTTPS, SSH, backups, and monitoring as needed. That gives you a policy you can reason about instead of a messy web of implicit trust.

How many VLANs does a normal homelab actually need?

Most homelabs are well served by five zones: management, servers, clients, IoT, and guests. Add more only when you have a clear operational reason, not because your switch dropdown makes it look easy.

What traffic should IoT devices be allowed to reach?

Usually DNS, NTP, and limited outbound HTTPS are enough. If you run Home Assistant, MQTT, or a media-control workflow, allow only those specific destinations and ports instead of opening broad access into the server VLAN.

Should Proxmox management live on the same network as user devices?

No. Keep Proxmox, firewall, switch, AP, and NAS management interfaces on a dedicated management VLAN and allow access only from approved admin devices or a jump host.

Final recommendation

If you are staring at a flat LAN right now, do not try to boil the ocean.

Create the five zones. Move management first. Point every network at one approved DNS resolver. Block inter-VLAN traffic by default. Then add only the service flows you can explain in one sentence.

That is enough to take a homelab from "surprisingly functional accident" to "small infrastructure with actual boundaries." Which, in my experience, is the point where it becomes a lot more useful and a lot less chaotic.