Why Your Smart Home Needs VLANs (And How to Set Them Up)


That $12 smart plug from Amazon? It’s on the same network as your laptop, your banking sessions, and your family photos. Most IoT devices have terrible security — outdated firmware, unencrypted traffic, sometimes outright phoning home to servers in other countries.

VLANs fix this by putting your IoT devices on an isolated network segment. They can still talk to Home Assistant, but they can’t see your computers, NAS, or anything else they shouldn’t.

What’s a VLAN?

A VLAN (Virtual Local Area Network) creates separate logical networks on the same physical infrastructure. Instead of buying separate switches and routers for each network, you configure your existing equipment to keep traffic separated.

Think of it like apartments in a building — same structure, separate living spaces, locked doors between them.

A Practical VLAN Layout

Here’s what I run:

VLAN ID | Name       | Subnet       | What’s On It
--------|------------|--------------|------------------------------
1       | Management | 10.0.1.0/24  | Router, switches, APs
10      | Trusted    | 10.0.10.0/24 | Computers, phones, NAS
20      | IoT        | 10.0.20.0/24 | Smart plugs, bulbs, sensors
30      | Servers    | 10.0.30.0/24 | Home Assistant, media server
40      | Guest      | 10.0.40.0/24 | Guest Wi-Fi

The Firewall Rules That Matter

The magic is in the firewall rules between VLANs:

IoT VLAN Rules

  • ALLOW IoT → Home Assistant (port 8123 for Home Assistant itself, port 1883 for MQTT)
  • ALLOW IoT → DNS server (port 53)
  • BLOCK IoT → all other local networks
  • ALLOW IoT → internet (some devices need cloud, unfortunately)

Trusted VLAN Rules

  • ALLOW Trusted → everything (it’s your main network)
  • ALLOW Trusted → IoT (so you can configure devices)

Guest VLAN Rules

  • ALLOW Guest → internet
  • BLOCK Guest → everything local

Server VLAN Rules

  • ALLOW Servers → IoT (Home Assistant needs to reach devices)
  • ALLOW Servers → internet (for updates, integrations)
  • BLOCK Servers → Trusted (servers shouldn’t initiate connections to your laptop)
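To see how these rules compose, here is an added Python model of the policy above. It is example code written for this article's layout, not an OPNsense or UniFi export. It assumes first-match-wins evaluation with an implicit default deny (no matching rule means block), places Home Assistant and the MQTT broker at the assumed address 10.0.30.10 on the Servers VLAN and the DNS resolver at the assumed router address 10.0.1.1 on the Management VLAN, and evaluates constructed sample connections against the rule list. It models connection initiation only, which is what a stateful firewall's rules decide; replies to an allowed connection flow back regardless.

```python
"""Model of the article's inter-VLAN policy: first matching rule wins, no match means block."""
import ipaddress
from dataclasses import dataclass

# VLAN plan from the article's table (subnets as written there).
VLANS = {
    "Management": ipaddress.ip_network("10.0.1.0/24"),
    "Trusted": ipaddress.ip_network("10.0.10.0/24"),
    "IoT": ipaddress.ip_network("10.0.20.0/24"),
    "Servers": ipaddress.ip_network("10.0.30.0/24"),
    "Guest": ipaddress.ip_network("10.0.40.0/24"),
}

# Assumed host addresses (constructed for this example, not from the article).
HOME_ASSISTANT = "10.0.30.10"  # Home Assistant and the MQTT broker on the Servers VLAN
DNS_SERVER = "10.0.1.1"        # the router answering DNS on the Management VLAN

# One constructed sample host per VLAN, used to probe reachability below.
SAMPLE_HOSTS = {
    "Management": DNS_SERVER,
    "Trusted": "10.0.10.5",
    "IoT": "10.0.20.15",
    "Servers": HOME_ASSISTANT,
    "Guest": "10.0.40.7",
}


def vlan_of(ip):
    """Name of the VLAN whose subnet contains ip, or None for non-local addresses."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    src: str                        # source VLAN name
    dst: str                        # VLAN name, host IP, "local", "internet" or "any"
    ports: frozenset = frozenset()  # empty means any destination port

    def matches(self, src_ip, dst_ip, port):
        if vlan_of(src_ip) != self.src:
            return False
        if self.ports and port not in self.ports:
            return False
        if self.dst == "any":
            return True
        if self.dst == "local":
            return vlan_of(dst_ip) is not None
        if self.dst == "internet":
            return vlan_of(dst_ip) is None and ipaddress.ip_address(dst_ip).is_global
        if self.dst in VLANS:
            return vlan_of(dst_ip) == self.dst
        return ipaddress.ip_address(dst_ip) == ipaddress.ip_address(self.dst)


# The article's rule sets, in evaluation order (first match wins).
RULES = [
    Rule("allow", "IoT", HOME_ASSISTANT, frozenset({8123, 1883})),
    Rule("allow", "IoT", DNS_SERVER, frozenset({53})),
    Rule("block", "IoT", "local"),
    Rule("allow", "IoT", "internet"),
    Rule("allow", "Trusted", "any"),
    Rule("allow", "Guest", "internet"),
    Rule("block", "Guest", "local"),
    Rule("allow", "Servers", "IoT"),
    Rule("allow", "Servers", "internet"),
    Rule("block", "Servers", "Trusted"),
]


def evaluate(src_ip, dst_ip, port):
    """Decision for a new connection from src_ip to dst_ip:port; unmatched traffic is blocked."""
    for rule in RULES:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "block"


def reachable_vlans(src_ip, ports=(22, 53, 80, 443, 445, 1883, 8123)):
    """VLANs into which src_ip can open a connection on any sample port.

    The source's own VLAN is skipped: intra-VLAN traffic is switched, never routed,
    so the firewall between VLANs never sees it.
    """
    own = vlan_of(src_ip)
    return {
        name for name, probe in SAMPLE_HOSTS.items()
        if name != own and any(evaluate(src_ip, probe, p) == "allow" for p in ports)
    }


if __name__ == "__main__":
    plug = SAMPLE_HOSTS["IoT"]
    print("plug -> Home Assistant 8123:", evaluate(plug, HOME_ASSISTANT, 8123))
    print("plug -> NAS on Trusted 445:", evaluate(plug, SAMPLE_HOSTS["Trusted"], 445))
    for name, host in SAMPLE_HOSTS.items():
        print(f"{name:<10} can initiate into: {sorted(reachable_vlans(host))}")
```

Running it shows the point of the layout directly: a smart plug can reach Home Assistant on 8123 and the resolver on 53 and nothing else local, Guest reaches no VLAN at all, and the Servers VLAN can only initiate into IoT. Once you have the rules in your router, the same sample flows are worth checking by hand from a device in each VLAN, since a GUI rule that is ordered wrongly fails silently.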

Setting This Up

What You Need

  • A managed switch that supports 802.1Q VLANs (UniFi, TP-Link, Netgear managed — not the $20 unmanaged ones)
  • A router/firewall that supports VLANs (OPNsense, pfSense, UniFi Dream Machine, even some consumer routers like Asus with Merlin firmware)
  • Wi-Fi access points that support multiple SSIDs with VLAN tagging

OPNsense Example

  1. Create VLAN interfaces: Interfaces → Other Types → VLAN — add each VLAN with its ID and parent interface
  2. Assign interfaces: Interfaces → Assignments — assign each VLAN as a new interface
  3. Configure DHCP: Services → DHCPv4 — set up a DHCP server for each VLAN subnet
  4. Create firewall rules: Firewall → Rules — add rules for each VLAN interface following the pattern above

UniFi Example

If you’re in the UniFi ecosystem:

  1. Settings → Networks — create each VLAN with its ID and subnet
  2. Settings → WiFi — create SSIDs and assign each to a VLAN
  3. Settings → Firewall & Security — create rules between network groups

UniFi makes this easier than OPNsense but gives you less granular control.

Common Pitfalls

mDNS / Device Discovery

Many smart home protocols (HomeKit, Chromecast, Sonos) use mDNS for discovery, which doesn’t cross VLAN boundaries by default. You need an mDNS reflector/repeater.

  • OPNsense: Install the mdns-repeater plugin
  • UniFi: Enable “Multicast DNS” in network settings
  • Avahi: Run avahi-daemon with reflector mode on a Linux box
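Why the discovery traffic stops at the VLAN edge is easier to see on the wire. The following is an added Python example, not code from the article or from any of the repeaters listed above: it builds and decodes the kind of mDNS PTR query a HomeKit (`_hap._tcp.local`) or Chromecast (`_googlecast._tcp.local`) controller sends, and checks the destination group against the link-local multicast block. mDNS uses ordinary DNS wire format (RFC 6762) sent to 224.0.0.251 port 5353; that group sits in 224.0.0.0/24, which routers never forward, so the query is dropped at the IoT VLAN boundary until a reflector re-sends it into the Servers VLAN. The sample queries are constructed here.

```python
"""Decode the mDNS discovery queries that a VLAN boundary silently drops (constructed example)."""
import ipaddress
import struct

MDNS_GROUP = ipaddress.ip_address("224.0.0.251")
MDNS_PORT = 5353
LINK_LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # local network control block
QTYPE_PTR = 12
QCLASS_IN = 1
QU_BIT = 0x8000  # mDNS "unicast response requested" flag carried in QCLASS


def encode_name(name):
    """DNS label encoding: a length byte before each label, then a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_mdns_query(service, unicast_response=False):
    """Build a one-question PTR query for a service type such as _hap._tcp.local."""
    # mDNS queries use ID 0 and zero flags; only QDCOUNT is non-zero here.
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = QCLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(service) + struct.pack("!HH", QTYPE_PTR, qclass)


def decode_name(data, offset):
    """Read an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_mdns_questions(packet):
    """Return the question section of an mDNS packet as a list of dicts."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    _ident, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append({
            "name": name,
            "qtype": qtype,
            "qclass": qclass & 0x7FFF,
            "unicast_response": bool(qclass & QU_BIT),
        })
    return questions


def is_forwarded_by_router(dst_ip):
    """Routers drop 224.0.0.0/24 regardless of IP TTL; that is why mDNS stays inside one VLAN."""
    return ipaddress.ip_address(dst_ip) not in LINK_LOCAL_MCAST


if __name__ == "__main__":
    for service in ("_hap._tcp.local", "_googlecast._tcp.local"):
        pkt = build_mdns_query(service)
        print(f"{service}: {len(pkt)} bytes ->", parse_mdns_questions(pkt))
    print("224.0.0.251 forwarded between VLANs?", is_forwarded_by_router(str(MDNS_GROUP)))
```

A reflector does exactly what this code makes visible: it receives these packets on one VLAN interface and re-sends them, unchanged, to 224.0.0.251:5353 on the others, so the firewall rule table above is never involved in discovery itself, only in the unicast connection that follows it.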

IoT Devices That Need Internet

Some devices (cloud-only bulbs, robot vacuums that need map downloads) won’t work without internet access. Allow internet from the IoT VLAN but block local network access. This way, a compromised device can call home but can’t pivot to your LAN.

MQTT Across VLANs

If you run MQTT (Mosquitto) for Zigbee2MQTT or other integrations, make sure the IoT VLAN can reach your MQTT broker’s IP and port (usually 1883). Add a specific firewall allow rule for this.

Is This Overkill?

For a few smart bulbs? Probably. For a house with 50+ IoT devices, cameras, locks, and a NAS full of family data? Not even close.

The effort is a one-time setup cost of a few hours. After that, new devices just get assigned to the right VLAN and everything works.

If you’re running Home Assistant, you’re already the kind of person who cares about how their home works. VLANs are the security foundation that makes everything else safer.

Minimum Viable Setup

Don’t have managed networking gear yet? Start here:

  1. TP-Link TL-SG108E managed switch (~$30) — supports VLANs, dirt cheap
  2. A router that supports VLANs (OPNsense on any old PC, or a $60 Protectli box)
  3. An AP that supports multiple SSIDs (TP-Link EAP series, UniFi)

Total cost to add VLANs to an existing network: roughly $50-100 if you need a managed switch. If you already have UniFi gear, it’s free — just configuration.

Once your network is segmented, you’ll want devices that work locally without needing cloud access through your firewall. Check out my 15 smart home devices that work without internet and my best Zigbee devices guide for hardware that’s built for local-first operation.