Networking

Homelab Network Segmentation Guide: VLANs, IoT Isolation, and Firewall Rules That Actually Work

Design a segmented homelab network with VLANs, IoT isolation, local DNS, and firewall rules that protect servers without breaking your apps.

AU

Author

Marcus Chen

This article contains affiliate links. If you purchase through these links, we may earn a commission at no additional cost to you.

After I flattened my entire network with one bad firewall rule, I stopped treating segmentation like a nice future project and started treating it like plumbing. You only ignore plumbing until something leaks into the walls. In a homelab, that leak is usually an IoT device, a badly behaved container, or your own overconfidence at 11:47 PM.

The good news is that homelab network segmentation is not complicated. The bad news is that it becomes complicated very quickly if you start with twelve VLANs, three half-documented switches, and a belief that "I will remember why I allowed that rule later." You will not. None of us do.

Key Takeaways

  • Most homelabs only need 4 to 5 security zones, not a glorious pile of VLANs that turns your switch into a regret machine.
  • Put management, trusted clients, servers, IoT, and guests in separate networks with default-deny inter-VLAN rules.
  • Local DNS matters more than people admit. If you do not plan DNS early, segmentation breaks services in ways that feel personal.
  • Keep Proxmox, NAS, reverse proxies, and backup targets on predictable server networks instead of sprinkling them around because it felt tidy at the time.
  • Log blocked traffic for the first week. That log becomes your map of what the lab actually does, not what you imagined it does.

If you need a broader starting point first, read my Homelab Network Architecture Guide and then come back here for the stricter version.

What network segmentation is solving in a homelab

A flat network is comfortable right up until it is not. Your laptop, Home Assistant box, NAS, Proxmox host, test containers, cameras, printer, and whichever mystery device came with a cloud account you never asked for all share the same trust boundary.

That is convenient. It is also lazy.

Segmentation fixes three real problems:

1. Containment - if one device gets popped, it should not have line-of-sight to everything else.

2. Operational clarity - when traffic crosses a boundary, you can decide whether that should happen.

3. Troubleshooting - weird traffic is easier to understand when each network has a job.

I am not trying to make a homelab look like a Fortune 500 network diagram drawn by someone paid by the rectangle. I want a design that survives normal life:

  • Docker services pulling updates
  • Proxmox hosts moving backups
  • Home Assistant talking to IoT junk
  • reverse proxies reaching apps
  • guest devices staying out of everything that matters

That means building small, obvious trust zones.

The segmentation model I actually recommend

Start with five zones.

VLAN Example Subnet What lives here Rule of thumb
Management 10.10.10.0/24 Router, switch, AP, IPMI, hypervisor management Only admin devices should reach it
Trusted 10.10.20.0/24 Laptops, desktops, phones you trust Can initiate to most internal services
Servers 10.10.30.0/24 NAS, Docker hosts, reverse proxy, backup server, monitoring Accepts connections from Trusted, limited outbound
IoT 10.10.40.0/24 Cameras, smart plugs, TVs, random Wi-Fi nonsense Internet plus tightly scoped local exceptions
Guest 10.10.50.0/24 Visitors, temporary devices Internet only

That is enough for most people.

If you run a more serious lab, add a sixth Lab network for experimental VMs and container stacks. I often do. But I add it because I know what I want to isolate, not because VLAN 60 looked lonely.

The mistake I made

I used to put servers and management on the same network because it felt efficient. It was efficient in the same way storing power tools in the kitchen is efficient. Everything was close by. Everything was also in the wrong room.

When a container stack misbehaved, it could see management interfaces. When I was testing firewall changes, I risked locking myself out of both services and the devices needed to fix them. Separating management from servers was the single cleanest improvement I made.

The access model before the firewall rules

Do not start by writing rules. Start by answering who should initiate connections.

That usually looks like this:

  • Trusted -> Management: allowed for HTTPS, SSH, and whatever your switches/APs need
  • Trusted -> Servers: allowed for app access, SMB/NFS admin tasks, SSH, dashboards
  • Servers -> Internet: allowed for updates, package repos, DNS, NTP
  • IoT -> Internet: allowed, but keep it narrow where possible
  • IoT -> Servers: blocked by default, with exceptions only if something genuinely needs local control
  • Guest -> Anything internal: blocked
  • Management -> Everything: usually limited to administration and monitoring, not casual browsing

If you already have a good mental model for firewall policy, my earlier piece on homelab firewall rules complements this article well.

A sane firewall matrix

Here is the boring but useful version.

Source Destination Allow? Typical ports / notes
Trusted Management Yes 443, 22, vendor management ports
Trusted Servers Yes 80, 443, 22, 2049, 445, app-specific ports
Trusted IoT Sometimes Home Assistant control, printer access, cast targets
Servers Internet Yes 80, 443, 53, 123
Servers Management Rarely Monitoring or backup hooks only
IoT Internet Yes Usually 80, 443, NTP, DNS
IoT Servers No by default Add narrow exceptions if required
IoT Trusted No This should stay blocked
Guest Internet Yes NAT out, no internal access
Guest RFC1918 networks No Block 10/8, 172.16/12, 192.168/16

The pattern is simple:

  • allow known flows
  • block sideways movement
  • log denied traffic during rollout

That last part matters. Traffic logs are where you discover that your TV wants to discover a media server across VLANs, your backup job was hardcoded to an IP you forgot about, and one app treats DNS failure like a personal insult.

VLAN design for Proxmox, Docker, and storage

This is where generic home-network articles usually go soft. A homelab is not just laptops plus a guest SSID. You are probably running a hypervisor, containers, maybe storage, maybe monitoring, maybe all of them on a box you promised yourself was temporary in 2024.

My default placement looks like this:

  • Proxmox management UI on Management
  • Proxmox VM and container workloads on Servers or Lab, depending on risk
  • NAS and backup targets on Servers
  • Reverse proxy on Servers
  • Monitoring stack on Servers
  • Home Assistant either on Servers or a dedicated automation VLAN if you are unusually committed to pain

For Proxmox networking details, read Proxmox Networking Explained. The short version is that VLAN-aware bridging keeps life manageable.

Example Proxmox VLAN-aware bridge

auto lo\niface lo inet loopback\n\niface enp1s0 inet manual\n\nauto vmbr0\niface vmbr0 inet manual\n    bridge-ports enp1s0\n    bridge-stp off\n    bridge-fd 0\n    bridge-vlan-aware yes\n    bridge-vids 10 20 30 40 50\n\nauto vmbr0.10\niface vmbr0.10 inet static\n    address 10.10.10.11/24\n    gateway 10.10.10.1

That puts the host management interface on VLAN 10 while allowing tagged VM traffic across the bridge.

Example Linux VLAN interface

If you need a tagged interface on a Linux box:

ip link add link eno1 name eno1.30 type vlan id 30\nip addr add 10.10.30.25/24 dev eno1.30\nip link set eno1.30 up

It is not glamorous. It is also reliable, which is a quality I have become weirdly sentimental about.

Docker changes the conversation

Docker is convenient, but segmentation gets awkward if you pretend every container is a first-class network citizen. Most of them do not need to be.

My rule is simple:

  • keep most app containers behind a reverse proxy on the Servers network
  • do not throw containers directly onto separate VLANs unless you have a clear reason
  • reserve special networking modes for services that truly need layer 2 presence or multicast weirdness

The official Docker docs on macvlan networking are worth reading before you get adventurous. Macvlan looks elegant until you discover host-to-container communication caveats and start inventing side interfaces to compensate.

A normal Compose stack for internal services usually belongs on one server VLAN behind an ingress layer:

services:\n  traefik:\n    image: traefik:v3.0\n    ports:\n      - "80:80"\n      - "443:443"\n    networks:\n      - edge\n\n  grafana:\n    image: grafana/grafana:latest\n    networks:\n      - edge\n      - internal\n\n  prometheus:\n    image: prom/prometheus:latest\n    networks:\n      - internal\n\nnetworks:\n  edge:\n  internal:\n    internal: true

That design keeps east-west app traffic internal while exposing only the proxy entrypoint.

DNS is where segmentation either works or becomes a hobby

Most segmentation writeups treat DNS like a side note. That is adorable.

DNS is the reason people think segmentation broke the network, when what actually broke was name resolution, service discovery, or a bad assumption about how clients find services.

I strongly recommend this pattern:

  • run one local resolver stack on the Servers network
  • allow DNS from Trusted, Servers, and IoT to that resolver
  • use local records for internal services
  • use split-horizon DNS if the same service name must resolve differently inside and outside the lab

For resolver options, I already compared Pi-hole vs AdGuard Home. Either can work. The point is centralizing DNS, not starting a sect.

Why split-horizon DNS matters

Suppose grafana.example.net points to your public reverse proxy externally, but internally you want that name to resolve to 10.10.30.15.

Without split-horizon DNS, you often end up with one of these bad outcomes:

  • internal clients hairpin through the public endpoint
  • TLS and reverse-proxy behavior gets messy
  • services behave differently depending on where the request started

If your firewall or resolver supports host overrides, use them. It is cleaner than the pile of hosts-file hacks people swear are temporary.

IoT isolation without breaking the house

This is the part where good intentions meet Chromecast, printers, cameras, and a smart speaker that becomes emotionally unavailable if multicast traffic changes shape.

IoT isolation works best when you assume deny by default and add only what you can justify.

A typical IoT policy might be:

  • IoT -> Internet: allow 80/443, DNS, NTP
  • IoT -> local resolver: allow port 53 to your DNS server
  • Trusted -> IoT: allow only from devices that manage those endpoints
  • Home Assistant -> IoT: allow required device ports
  • IoT -> Servers: block by default

If you use Home Assistant, document every exception. Do not leave yourself mystery rules named allow-stuff-temp-final-2 and pretend that is a system.

Hardware I would actually buy for this

You do not need enterprise gear pulled from a rack with its own emotional history.

A few sensible pieces go a long way:

If you want a deeper switch comparison, I already did the homework in Best Managed Switch for Homelabs in 2026.

What breaks first after you segment the network

Usually one of these:

1. mDNS and broadcast discovery

AirPlay, Chromecast, some printers, and various smart-home devices depend on multicast discovery that does not naturally cross VLAN boundaries.

You can solve this with an mDNS repeater, an mDNS reflector on your router, or by accepting that some devices should stay on the same segment as their controllers. Not every problem needs a heroic design pattern.

2. Backup traffic

A backup job that worked fine on a flat network may suddenly fail because the NAS is now on Servers, the client is on Trusted, and you forgot to allow NFS or SMB.

Be explicit:

  • NFS - 2049
  • SMB - 445
  • rsync - 873
  • SSH-based backup traffic - 22

3. Reverse proxy reachability

Your proxy may live on Servers while apps sit on Lab, or vice versa. If the proxy cannot initiate to backend services, everything looks dead even though the apps are healthy.

4. Monitoring blind spots

Prometheus, LibreNMS, Zabbix, and friends need access across boundaries. Monitoring is one of the few cases where carefully scoped cross-VLAN access is a feature, not a mistake.

A staged rollout plan that will not ruin your weekend

Do not rebuild the entire network in one night unless you enjoy emergency console sessions.

Phase 1 - Create the VLANs and subnets

  • create Management, Trusted, Servers, IoT, and Guest
  • map SSIDs to the right VLANs
  • move one non-critical device first

Phase 2 - Move infrastructure

  • move switch and AP management to Management
  • move the DNS resolver and reverse proxy to Servers
  • confirm Trusted can still reach core services

Phase 3 - Move IoT and Guest devices

  • put cameras, TVs, plugs, speakers, and similar devices on IoT
  • put visitors on Guest
  • watch logs for unexpected local dependencies

Phase 4 - Add stricter rules

  • default deny between VLANs
  • add only documented exceptions
  • review logs daily for a week

This approach is slower. It is also how you avoid discovering that your spouse's streaming setup depended on a mystery broadcast path you removed in the name of network hygiene.

My default rule philosophy

I like firewall rules that a tired version of me can understand six months later.

That means:

  • group aliases by role, not by random IP memory
  • comment every allow rule with the actual service need
  • prefer destination-specific allows over wide-open network access
  • review rules after major app changes
  • delete old temporary exceptions aggressively

This is not just security advice. It is maintenance advice.

When you should add more VLANs

Add more segmentation only when you can explain the risk or operational benefit.

Good reasons:

  • isolated lab experiments
  • cameras with especially ugly vendor behavior
  • DMZ-style public services
  • separate storage or backup replication traffic

Bad reasons:

  • you saw a neat diagram on Reddit
  • your switch supports 4094 VLANs and you took that personally
  • complexity feels like progress

External docs worth keeping open while you build

Those are the three references I would keep handy while wiring up a segmented lab.

Final recommendation

If you are starting from scratch, build five zones and stop there until the network proves you need more. Put management on its own VLAN. Put servers together. Treat IoT like it is guilty until proven innocent. Give guests internet and nothing else.

Most importantly, solve DNS and logging early. People love talking about VLAN IDs. The parts that actually save you are naming, policy clarity, and the ability to see what got blocked.

That is the difference between a segmented network and a confusing one.

Frequently Asked Questions

How many VLANs should a homelab have?

Most homelabs only need 4 to 5 VLANs: management, trusted, servers, IoT, and guest. Add more only when you can explain the risk reduction or operational benefit in one sentence.

Do I need a managed switch for homelab network segmentation?

Yes. If you want proper wired VLAN segmentation, you need a switch that supports 802.1Q tagging. An unmanaged switch will happily forward traffic while pretending your design choices are somebody else's problem.

What usually breaks first after VLAN segmentation?

Usually mDNS-based discovery, local DNS assumptions, backup jobs, or reverse proxy backend access. That is why logging denied traffic during rollout is more useful than guessing.

Should Proxmox management be on its own VLAN?

Yes. Management interfaces should live on a dedicated management VLAN that only trusted admin devices can reach. It keeps the blast radius smaller and the rule set cleaner.

Can IoT devices stay usable after segmentation?

Yes, but you need to allow specific control paths from trusted devices or platforms like Home Assistant. The goal is not to make IoT unusable. The goal is to stop it from roaming the network like it pays rent.