Network Segmentation for Smart Homes

Every smart device on your network is a potential entry point. VLANs create walls between your IoT devices and your personal data. Here is how to set them up properly without breaking anything.

Part of our Home Network Guide

~14 min read Updated March 2026

Why You Should Segment IoT Devices

Your smart bulb, your laptop with your bank login, and your NAS with family photos all share the same network by default. That is a problem.

The Risk

  • IoT devices rarely get firmware updates, and many stop getting them entirely within a few years
  • Many ship with known, unpatched vulnerabilities
  • Some send telemetry to cloud servers you have no visibility into
  • A compromised camera sits on the same LAN as everything else and can scan and attack every host on it
  • One bad device becomes a foothold for attacking everything else

The Fix

  • Put IoT on a separate VLAN (virtual network)
  • Block IoT from accessing personal devices
  • Allow IoT to talk only to Home Assistant
  • Optionally block IoT internet access entirely
  • A compromised device is contained to its VLAN

Think of VLANs as walls inside your house. Without them, every room has an open door to every other room. With VLANs, your IoT devices are in a room with a locked door. They can talk to the hallway (internet, if you allow it) and Home Assistant (through a specific opening), but they cannot wander into your office and access your files.

VLAN Basics Explained Simply

A VLAN (Virtual Local Area Network) creates separate, isolated networks on the same physical hardware. Instead of buying separate routers and switches for each network, you create virtual boundaries inside one device.

Each VLAN Gets Its Own:

  • IP range (e.g., 192.168.10.x vs 192.168.40.x)
  • WiFi network name (SSID), if desired
  • DHCP server (assigns IPs automatically)
  • Firewall rules (what can talk to what)

VLAN IDs Are Just Tags

A VLAN ID is a number (1-4094) carried in an 802.1Q tag on each Ethernet frame, so switches and access points keep traffic from different VLANs apart. Devices on VLAN 10 can only talk to other devices on VLAN 10 by default. To communicate across VLANs, traffic must be routed through the gateway, where firewall rules decide whether it is permitted. A common convention, and the one used in this guide: VLAN 1 = management, VLAN 10 = trusted, VLAN 40 = IoT, VLAN 50 = guest.

Practical Setup: UniFi Example

This walkthrough uses UniFi because it is the most common platform we install in Oklahoma homes. The concepts apply to any VLAN-capable router. For full UniFi hardware recommendations, see our UniFi Home Network guide.

1

Create the IoT Network

In the UniFi Network app, go to Settings, then Networks, then Create New Network. Name it "IoT", set the VLAN ID to 40, and choose a subnet like 192.168.40.1/24. Enable DHCP and set the range to 192.168.40.100-192.168.40.254.

2

Create the IoT WiFi SSID

Go to Settings, then WiFi, then Create New WiFi Network. Name it "Home-IoT" (or whatever you prefer), assign it to the IoT network you just created, and set a strong password. This SSID will be on VLAN 40 automatically.

3

Set Up Firewall Rules

Go to Settings, then Firewall & Security, then Firewall Rules. Create rules that: (a) Allow the IoT network to reach your Home Assistant IP, ideally only on the ports HA actually uses (TCP 8123, plus 1883 if you run an MQTT broker on the same host), (b) Block the IoT network from all other LAN subnets, (c) Optionally block the IoT network from internet access. Order matters: allow rules must come before block rules, because the first rule that matches a packet decides what happens to it.

4

Enable mDNS Reflection

If you have Chromecast, AirPlay, Sonos, or similar discovery-based devices, enable mDNS under Settings, then Network. This allows device discovery across VLANs without opening broad firewall holes.

5

Reconnect IoT Devices

Connect each IoT device to the new "Home-IoT" WiFi network. This moves them to VLAN 40. Verify they get a 192.168.40.x IP address. Update any static IPs in Home Assistant if needed.

Essential Firewall Rules

These are the minimum firewall rules for a properly segmented smart home. Apply them in order (top rules take priority; the first matching rule decides).

#  Action  Source                     Destination     Purpose
1  Allow   IoT VLAN                   HA server IP    IoT devices can talk to HA
2  Allow   IoT VLAN                   DNS server IP   Name resolution (AdGuard/Pi-hole), TCP and UDP 53
3  Allow   Any (established/related)  Any             Return traffic for connections already allowed
4  Block   IoT VLAN                   All RFC1918     Block IoT from all private networks
5  Block   Guest VLAN                 All RFC1918     Guest can only reach internet

RFC1918 explained: RFC1918 addresses are all private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Blocking IoT from "All RFC1918" means it cannot reach any device on any private network in your home, except for the explicit exceptions in rules above it.

Two things to notice. Rule 1 as written allows every port on the HA host; tighten it to the ports HA actually listens on (TCP 8123, plus 1883 if an MQTT broker runs there) so a compromised device cannot probe the rest of that machine. Rule 3 must sit above the block rules: your laptop or HA opening a camera stream on the IoT VLAN is allowed (nothing in this table blocks Trusted as a source), but the camera's replies have IoT as their source and would hit rule 4 without it.
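The rule table is easier to reason about when you can feed sample flows through it. The following is an added example, not code from the original guide or from UniFi: a first-match model of the table above that evaluates flows top-down the way a gateway does, and also shows what happens in the "wrong rule order" pitfall when the broad IoT block is moved above the HA allow. Subnets follow the guide's numbering (VLAN 10 = 192.168.10.0/24 trusted, VLAN 40 = 192.168.40.0/24 IoT, VLAN 50 = 192.168.50.0/24 guest) and the HA address (192.168.10.100) is the one the guide uses; the DNS server address (192.168.10.53), the sample client addresses, and the "allow when nothing matches" default are assumptions. Protocol is not modelled, so the DNS rule matches on port only.

```python
"""Added example, not code from the original guide: a first-match model of the
'Essential Firewall Rules' table. Subnets follow the guide's numbering; the DNS
address, sample clients and the allow-by-default policy are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network

RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]
IOT = [Net("192.168.40.0/24")]
GUEST = [Net("192.168.50.0/24")]
HA = [Net("192.168.10.100/32")]      # Home Assistant (address from the guide)
DNS = [Net("192.168.10.53/32")]      # AdGuard/Pi-hole (assumed address)


@dataclass
class Rule:
    action: str                      # "allow" or "block"
    src: List[Net]
    dst: List[Net]
    ports: Optional[Set[int]] = None  # None = any destination port
    established: bool = False        # True = state match only (rule 3)
    note: str = ""


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    reply: bool = False              # True for return traffic of an allowed connection


def in_any(ip: str, nets: List[Net]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.established:             # state rule: no address test at all
        return flow.reply
    if not in_any(flow.src, rule.src) or not in_any(flow.dst, rule.dst):
        return False
    return rule.ports is None or flow.port in rule.ports


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching rule wins.
    Returns (action, 1-based rule number). No match = gateway default,
    assumed here to be allow (the usual inter-VLAN default on a home gateway)."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, flow):
            return rule.action, number
    return "allow", None


# The guide's table, with rule 1 narrowed to the ports HA actually listens on.
RULES = [
    Rule("allow", IOT, HA, {8123, 1883}, note="IoT -> Home Assistant"),
    Rule("allow", IOT, DNS, {53}, note="IoT -> DNS (port only; protocol not modelled)"),
    Rule("allow", [], [], established=True, note="return traffic"),
    Rule("block", IOT, RFC1918, note="IoT -> any private network"),
    Rule("block", GUEST, RFC1918, note="Guest -> any private network"),
]

# Constructed sample flows (client addresses are assumptions).
SAMPLE_FLOWS = {
    "iot_to_ha_web": Flow("192.168.40.120", "192.168.10.100", 8123),
    "iot_to_ha_ssh": Flow("192.168.40.120", "192.168.10.100", 22),
    "iot_to_dns": Flow("192.168.40.120", "192.168.10.53", 53),
    "iot_to_nas": Flow("192.168.40.120", "192.168.10.20", 445),
    "iot_to_internet": Flow("192.168.40.120", "8.8.8.8", 443),
    "trusted_to_iot_cam": Flow("192.168.10.50", "192.168.40.30", 554),
    "iot_reply_to_trusted": Flow("192.168.40.30", "192.168.10.50", 554, reply=True),
    "guest_to_ha": Flow("192.168.50.10", "192.168.10.100", 8123),
    "guest_to_internet": Flow("192.168.50.10", "1.1.1.1", 443),
}


def run_checks(rules: List[Rule]) -> Dict[str, str]:
    """Decision for every sample flow under the given ordered rule list."""
    return {name: evaluate(rules, flow)[0] for name, flow in SAMPLE_FLOWS.items()}


def misordered(rules: List[Rule]) -> List[Rule]:
    """The 'wrong rule order' pitfall: the broad IoT block moved to the top."""
    reordered = list(rules)
    reordered.insert(0, reordered.pop(3))
    return reordered


if __name__ == "__main__":
    for name, action in run_checks(RULES).items():
        print(f"{name:22s} {action}")
    print("misordered iot_to_ha_web:", evaluate(misordered(RULES), SAMPLE_FLOWS["iot_to_ha_web"]))
```

Run it and compare the two outputs: with the table as written, IoT reaches HA on 8123 but not on 22, IoT cannot reach the NAS, Trusted can open a camera stream and the camera's reply is allowed by the state rule, and Guest gets internet only. With the block moved to the top, the very same IoT-to-HA flow is blocked by rule 1 and the allow is never consulted.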

What Goes on Each VLAN

Not every device is equal. Here is where each type should live.

Trusted VLAN (Personal)

  • Phones, laptops, tablets
  • Desktop computers
  • NAS / file servers
  • Home Assistant server
  • Printers

IoT VLAN

  • Smart bulbs, plugs, switches
  • Cameras (Reolink, Amcrest)
  • Smart speakers (Alexa, Google)
  • Smart thermostats
  • Robot vacuums
  • Smart locks, sensors

Guest VLAN

  • Visitor devices
  • Kids' devices (optional)
  • Internet-only access
  • No access to any local device

Edge Cases

  • TVs / streaming devices: IoT VLAN (they need internet, not your files)
  • Gaming consoles: Trusted (they behave like personal devices and need to reach your phones and PCs for local features)
  • Sonos / AirPlay: IoT (with mDNS reflection)
  • Zigbee/Z-Wave devices: no VLAN needed; they talk to the coordinator radio, not IP. The coordinator (USB stick or hub) lives wherever Home Assistant does

Testing Your Segmentation

After setup, run these three tests to verify everything works correctly.

Test 1: IoT Cannot Reach Trusted

From a device on the IoT WiFi (a laptop temporarily joined to "Home-IoT" is easiest), try to ping your laptop's IP and open your NAS web interface. Both should fail: the ping times out and the browser hangs until it gives up. If either succeeds, your inter-VLAN block rule is not matching. If the NAS answers with "connection refused" instead of hanging, the packet reached the NAS, which means the block rule did not apply to it either.

Test 2: IoT Can Reach Home Assistant

From a device on the IoT WiFi, try to access your Home Assistant dashboard (e.g., http://192.168.10.100:8123). This should load successfully. If it fails, your allow rule for HA is incorrect or not ordered before the block rule.

Test 3: Guest Cannot Reach Anything Local

Connect to the Guest WiFi and try to ping any local IP (on any VLAN). All of them should time out. Internet browsing should still work. If local access succeeds, your guest isolation rules need adjustment.
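The three tests above are quick to do by hand once, but you will want to repeat them every time you touch the rules. The following is an added example, not code from the original guide: a small TCP reachability checker to run from a laptop temporarily joined to the IoT SSID (default plan) or the Guest SSID (pass the word guest). It uses TCP connects rather than ping, because a rule that drops ICMP can still let TCP through, and it separates a packet that was dropped (timeout) from one that reached the host and was turned away by the host itself (connection refused). The Home Assistant address and port (192.168.10.100:8123) are the guide's; the laptop, NAS and camera addresses are assumptions to edit for your network.

```python
"""Added example, not code from the original guide: TCP reachability checks for
Tests 1-3. HA is at the guide's 192.168.10.100:8123; all other targets are
assumed addresses and should be edited to match your network."""
import socket
from typing import List, Tuple


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """One TCP connect attempt.
    'open'        the service answered
    'refused'     the host replied with RST, so the packet got through the firewall
    'timeout'     no reply at all, which is what a firewall drop looks like
    'unreachable' no route, network down, or the OS refused to open a socket"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def verdict(expected: str, observed: str) -> str:
    """expected is 'open' (rule should allow) or 'blocked' (rule should drop).
    'refused' against a 'blocked' target is flagged CHECK: the packet reached
    the host, so the block rule did not apply unless your firewall is
    configured to reject rather than drop."""
    if expected == "open":
        return "PASS" if observed == "open" else "FAIL"
    if observed == "open":
        return "FAIL"
    if observed == "refused":
        return "CHECK"
    return "PASS"


# (label, host, port, expectation). Targets other than HA are assumed addresses.
CHECKS_FROM_IOT = [
    ("Test 1: laptop SMB", "192.168.10.50", 445, "blocked"),
    ("Test 1: NAS web UI", "192.168.10.20", 5000, "blocked"),
    ("Test 2: Home Assistant", "192.168.10.100", 8123, "open"),
]
CHECKS_FROM_GUEST = [
    ("Test 3: Home Assistant", "192.168.10.100", 8123, "blocked"),
    ("Test 3: IoT camera RTSP", "192.168.40.30", 554, "blocked"),
    ("Test 3: internet", "1.1.1.1", 443, "open"),
]


def run_checks(checks: List[Tuple[str, str, int, str]], timeout: float = 2.0):
    """Probe every target in the plan; returns rows of
    (label, host, port, expected, observed, verdict)."""
    results = []
    for label, host, port, expected in checks:
        observed = probe(host, port, timeout)
        results.append((label, host, port, expected, observed, verdict(expected, observed)))
    return results


if __name__ == "__main__":
    import sys
    plan = CHECKS_FROM_GUEST if "guest" in sys.argv[1:] else CHECKS_FROM_IOT
    for label, host, port, expected, observed, result in run_checks(plan):
        print(f"{result:5s} {label:26s} {host}:{port} expected={expected} observed={observed}")
```

A CHECK result is worth chasing: "connection refused" from a host on the Trusted VLAN means your block rule was never consulted for that packet, most often because the rule is in the wrong direction, attached to the wrong network, or sits below an allow that is wider than you intended.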

Common Pitfalls

These are the mistakes we see most often when homeowners set up VLANs for the first time.

Forgetting mDNS Reflection

Without mDNS reflection, Chromecast stops appearing on your phone, AirPlay disappears, and Sonos cannot find its speakers. This is the number one "VLANs broke everything" complaint, and it is a one-toggle fix.

Wrong Firewall Rule Order

Firewall rules are processed top-down. If your "block all" rule is above your "allow HA" rule, the block fires first and HA communication never reaches the allow rule. Always put specific allow rules before broad block rules.

Locking Yourself Out

If you accidentally put your management computer on the wrong VLAN and block it, you can lose access to your router's admin interface. Always keep a wired connection to the default VLAN as a backup, or configure a "break glass" rule that allows your MAC address from any VLAN.

Blocking DNS for IoT

If you block all traffic from IoT to your LAN but forget to allow DNS, IoT devices cannot resolve hostnames and many will not function. Always have an explicit allow rule for DNS traffic (TCP and UDP port 53 to your DNS server), placed above the block rule. If the gateway itself is your DNS server, UniFi evaluates traffic addressed to the gateway under its LAN Local rule set rather than LAN In, so a LAN In block does not affect it, but a DNS server on the Trusted VLAN (AdGuard, Pi-hole) does need the allow.

Frequently Asked Questions

Common questions about IoT network segmentation.

Do I really need VLANs for my smart home?

If you have more than a handful of smart home devices, yes. IoT devices are the weakest link on your network. They often run outdated firmware, have known vulnerabilities, and some actively send data to unknown cloud servers. Without VLANs, a compromised smart bulb has the same network access as your laptop with your bank accounts, tax documents, and personal photos. VLANs contain the blast radius of a compromised device to just the IoT segment.

Can I set up VLANs without a UniFi router?

Yes, but you need a VLAN-capable router. Besides UniFi, TP-Link Omada, pfSense, OPNsense, and MikroTik all support VLANs. Most consumer routers (Netgear Nighthawk, Asus, Linksys) do not support VLANs out of the box. Some can be flashed with DD-WRT or OpenWrt for VLAN support, but this is advanced and we do not recommend it for most homeowners.

Will VLANs break my Chromecast or AirPlay?

They can if not configured correctly. Chromecast, AirPlay, Sonos, and similar devices use mDNS (multicast DNS) to discover each other on the network. Multicast does not cross VLAN boundaries, so the discovery packets never reach the other side. The fix is enabling mDNS reflection on your router, a repeater that forwards mDNS queries and answers between VLANs. On UniFi, this is a single toggle under Network Settings. Once enabled, your phone on the Trusted VLAN can discover a Chromecast on the IoT VLAN; the actual stream is then a normal connection from your phone to the Chromecast, which the rule set in this guide allows because Trusted is never blocked as a source.

How do I know if my segmentation is working?

Run three tests. First, from a device on your IoT VLAN, try to ping a device on your Trusted VLAN. It should fail (timeout). Second, from a device on your IoT VLAN, try to reach your Home Assistant server. This should succeed (you need to allow this in firewall rules). Third, from a device on your Trusted VLAN, try to access a device on the IoT VLAN, for example a camera's web page. With the rule set in this guide that succeeds, because only IoT and Guest are blocked as sources and the camera's reply is covered by the established/related rule; it should fail only if you added an explicit Trusted-to-IoT block. Use the ping command or a network scanner app to verify.

What happens if I make a mistake with firewall rules?

If you accidentally block something you need, devices will stop communicating but nothing will be damaged. You can always log into your router and adjust or delete rules. The worst case is temporarily losing control of a smart device until you fix the rule. Start with a "deny all between VLANs" rule and then add explicit allow rules for the traffic you need (like IoT to Home Assistant). This deny-first approach is safer than trying to block specific threats.

Want Professional Network Segmentation?

We configure VLAN segmentation for smart homes across Oklahoma. Proper isolation, firewall rules, mDNS reflection, and Home Assistant integration. Set up right the first time.

Or call us at (405) 785-7705