
Homelab VLANs Explained: Network Segmentation & Inter-VLAN Routing

Learn how VLANs work in a homelab, how network segmentation improves security, and how inter-VLAN routing connects separated networks.

This is part 2 of a multi-part homelab networking series. If you missed it or need a refresher, please go back to part 1 here. We'll start with VLANs. I've been using VLANs at home for 10+ years now, and although they are more complex to set up, they are well worth the short-term pain.

In Part 1, we learned how IP addresses, subnets, and routing work. Now we’re going to separate networks on purpose.

This is where your homelab starts becoming powerful.

If you're new to networking, this guide is part of a structured homelab networking roadmap. Start from Part 1 and work forward.


Why Flat Networks Are a Problem

Most home networks look like this:

  • Everything on 192.168.1.0/24
  • All devices can see each other
  • No segmentation / No isolation

That means:

  • IoT devices can reach your NAS
  • Guest devices can scan your servers
  • Malware can move laterally

Convenient? Yes.

Secure? No!

What Is a VLAN? (In Plain English)

A VLAN (Virtual Local Area Network) is a way to logically separate devices on the same physical switch. Even though everything is plugged into the same switch, VLANs make devices behave as if they’re on completely different networks.

Important connection: Each VLAN = its own subnet.

Example:

  • VLAN 10 → 192.168.10.0/24
  • VLAN 20 → 192.168.20.0/24
  • VLAN 30 → 192.168.30.0/24

Now devices in VLAN 10 cannot talk directly to VLAN 20. They need a router.

This is where Part 1 knowledge clicks into place.

Think of a VLAN Like…

Without VLANs, your network is one big open-plan room: every broadcast can be heard by every device. VLANs build walls inside that room, so you end up with a structured home rather than a warehouse.


VLANs vs Subnets: How They Work Together

This is the key concept. VLANs and subnets are joined at the hip, and that is by design.

  • VLAN = Layer 2 separation (switch level)
  • Subnet = Layer 3 IP range (IP addressing level)
  • Router = Connects different subnets
  • Firewall = Controls traffic between them

In a properly designed homelab, each VLAN has:

  • Its own subnet
  • Its own DHCP scope
  • Its own firewall policy

Example:

  • VLAN 10 → 192.168.10.0/24
  • VLAN 20 → 192.168.20.0/24
  • VLAN 30 → 192.168.30.0/24

Devices in VLAN 10 cannot directly talk to devices in VLAN 20 unless the router allows it.

That’s intentional.

Relationship to Switch Configuration

Your switch will also be configured with VLANs. You’ll assign ports on the switch to specific VLANs. This determines which VLAN a device connected to that port will belong to.

Concept Summary Table

Concept        Description
VLAN           Logical network segment
Subnet         IP address range for a VLAN
Switch Port    Assigns a device to a specific VLAN

How Inter-VLAN Routing Works

Let’s say:

  • Your laptop is in VLAN 30 (192.168.30.50)
  • Your server is in VLAN 20 (192.168.20.10)

When your laptop tries to reach the server:

  1. Traffic is sent to the default gateway.
  2. The router receives the packet.
  3. The router checks firewall rules.
  4. If allowed, the packet is forwarded to VLAN 20.

All communication between VLANs flows through the router. This gives you full control.

You can allow:

  • User devices → Servers
  • Management → Everything
  • IoT → Internet only

And block everything else. That’s real segmentation!
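The allow list above, as an added example that is not code from the original post: a small Python model of the router's inter-VLAN decision. It assumes the VLAN 10-50 plan used later in this article, a constructed policy (Management to everything, Users to Servers, everyone to the internet, nothing else), and models only the first packet of a flow; reply traffic is the firewall state table's job.

```python
import ipaddress

# Constructed VLAN plan using the VLAN 10-50 layout this article proposes.
VLANS = {
    10: ipaddress.ip_network("192.168.10.0/24"),   # Management
    20: ipaddress.ip_network("192.168.20.0/24"),   # Servers
    30: ipaddress.ip_network("192.168.30.0/24"),   # User devices
    40: ipaddress.ip_network("192.168.40.0/24"),   # IoT
    50: ipaddress.ip_network("192.168.50.0/24"),   # Guest
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Allow list for traffic *initiated* by a VLAN. "internet" means any public
# destination. Anything not listed is dropped: the "block everything else" default.
ALLOW = {
    10: {20, 30, 40, 50, "internet"},   # Management -> everything
    30: {20, "internet"},               # User devices -> Servers (+ internet)
    20: {"internet"},                   # Servers -> internet only (assumed policy)
    40: {"internet"},                   # IoT -> internet only
    50: {"internet"},                   # Guest -> internet only
}

def zone_of(ip):
    """Map an address to its VLAN ID, 'internet', or None (unknown private range)."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None if any(addr in n for n in RFC1918) else "internet"

def route_decision(src_ip, dst_ip):
    """Router verdict for the first packet of a flow: 'local', 'allow' or 'drop'.
    'local' means same VLAN: the switch delivers it and the router never sees it.
    Reply packets are handled by the firewall's state table, not modelled here."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src not in VLANS or dst is None:
        return "drop"                    # source is not one of our VLANs / unknown dst
    if src == dst:
        return "local"
    return "allow" if dst in ALLOW.get(src, set()) else "drop"
```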

flowchart TD
    %% Router
    subgraph Router["🛡️ OPNsense Router"]
        O["🛡️ OPNsense"]
    end

    %% VLANs
    subgraph VL1["🔧 Management VLAN (VL1)"]
        M["💻 Management Devices"]
        O --> M
    end

    subgraph VL2["🏠 Home VLAN (VL2)"]
        H["🖥️ Home Devices"]
        O --> H
        M --> H
    end

    subgraph VL3["📡 IoT VLAN (VL3)"]
        I["📱 IoT Devices"]
        O --> I
    end

    subgraph VL4["👥 Guest VLAN (VL4)"]
        G["🧑‍💻 Guest Devices"]
        O --> G
    end

    subgraph VL5["📷 Camera VLAN (VL5)"]
        C["📷 IP Cameras"]
        O --> C
        M --> C
    end

    %% Node Styling
    style O fill:#f88,stroke:#333,stroke-width:2px,color:#111
    style M fill:#d8b4fe,stroke:#333,stroke-width:2px,color:#111
    style H fill:#93c5fd,stroke:#333,stroke-width:1px,color:#111
    style I fill:#5eead4,stroke:#333,stroke-width:1px,color:#111
    style G fill:#cbd5e1,stroke:#333,stroke-width:1px,color:#111
    style C fill:#fcd34d,stroke:#333,stroke-width:1px,color:#111

    %% Subgraph Styling
    style Router fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray: 4 4
    style VL1 fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray: 4 4
    style VL2 fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray: 4 4
    style VL3 fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray: 4 4
    style VL4 fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray: 4 4
    style VL5 fill:transparent,stroke:#888,stroke-width:1px,stroke-dasharray: 4 4

Real-World Homelab VLAN Design

Here’s a clean and scalable layout you can start with:

  • VLAN 10 – Management
    Switches, hypervisors, firewall UI
  • VLAN 20 – Servers
    Proxmox, Docker hosts, NAS
  • VLAN 30 – User Devices
    Laptops, desktops, phones
  • VLAN 40 – IoT
    Smart plugs, TVs, cameras
  • VLAN 50 – Guest Network
    Internet access only

Each VLAN:

  • Uses its own subnet
  • Has its own DHCP scope
  • Has firewall rules controlling access

This structure allows your network to grow without becoming chaotic. This is how you scale safely: you 'grow' by adding devices and connections to each of these VLANs or 'zones', and you control what each one can touch or access.


Access Ports vs Trunk Ports

To make VLANs work correctly, you need to understand port types.

Access Port

  • Assigned to one VLAN
  • Used for end devices (PCs, TVs, printers)
  • Untagged traffic

Trunk Port

  • Carries multiple VLANs
  • Used between switches or between switch and router
  • Tagged traffic

In a homelab:

  • Device ports → Access mode
  • Switch-to-router or switch-to-switch links → Trunk mode

Misconfiguring this is one of the most common beginner mistakes.

💡 Trunk Ports vs Access Ports
  1. Access port → carries one VLAN (end devices)
  2. Trunk port → carries multiple VLANs (between switches or to router)

Common VLAN Mistakes

Here’s where people get stuck:

  • Forgetting to create a DHCP scope for each VLAN
  • Blocking DNS between VLANs and breaking name resolution
  • Misconfiguration of trunk ports
  • Using overlapping subnets
  • Not documenting VLAN IDs

Take your time. Plan before configuring. VLAN design is architecture, not just clicking settings.

What Comes Next

VLANs create separation. Routing connects them. Firewalls enforce policy.

How to Set Up OPNsense: The Ultimate Homelab Firewall Guide (2026)
Build the ultimate homelab fortress. A step-by-step guide to OPNsense installation, VLAN segmentation, and automated security blocklists. Start here.

In Part 3, we’ll look at NAT and how your homelab safely communicates with the internet — including how to expose services without exposing your entire network.


FAQ: VLANs & Inter-VLAN Routing

  • Do VLANs improve security on their own? Not exactly. VLANs provide segmentation (logical separation), but security comes from the firewall rules you place between them. Think of a VLAN as the wall and a Firewall Rule as the locked door.
  • Can devices in different VLANs communicate? Only through a router. This is called "Inter-VLAN Routing." Without a router or a Layer 3 switch to route between them, devices in separate VLANs are effectively on different physical networks.
  • Does each VLAN need its own subnet? Yes. For a network to function correctly, there should be a 1:1 relationship between a VLAN and a Subnet (e.g., VLAN 10 = 192.168.10.0/24). This allows your router to know exactly where to send traffic.
  • Do I need a managed switch for VLANs? Yes. An unmanaged switch is "VLAN-blind"; it will either drop tagged traffic or strip the tags, breaking your segmentation. You need a switch that supports the 802.1Q standard.
  • Why can't my IoT devices see my Phone across VLANs? This is usually due to mDNS (Multicast DNS). Devices like Chromecasts and AirPlay speakers use "discovery" packets that don't cross VLAN boundaries by default. You will need to enable an "mDNS Repeater" or "Avahi" on your router to fix this.
  • What happens if I plug a device into a Trunk Port? Usually, nothing. Most end devices (like a laptop) don't know how to handle "tagged" traffic. They will only see traffic on the "Native VLAN" (usually VLAN 1) and ignore everything else.
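For the Access Ports vs Trunk Ports section and the last FAQ entry, an added example that is not code from the original post: a Python model of 802.1Q tagging. parse_frame reads the tag a trunk carries, tag_frame and access_port_egress model what trunk and access ports do on egress, and visible_to_plain_host shows why a laptop on a trunk only sees untagged native-VLAN frames. The sample ARP frame is constructed.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, EtherType, optional 802.1Q tag, payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, payload_off = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        # TCI = 3-bit priority (PCP), 1-bit drop-eligible (DEI), 12-bit VLAN ID
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        payload_off = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype,
            "vlan": vlan, "payload": frame[payload_off:]}

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Trunk-port egress: insert a tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]

def access_port_egress(frame: bytes, port_vlan: int):
    """Access-port egress: only its own VLAN leaves the port, and it leaves untagged."""
    tag = parse_frame(frame)["vlan"]
    if tag is None or tag["vid"] != port_vlan:
        return None
    return frame[:12] + frame[16:]   # strip the 4-byte tag

def visible_to_plain_host(frame: bytes) -> bool:
    """FAQ case: a host that is not VLAN-aware sees only untagged (native VLAN) frames."""
    return parse_frame(frame)["vlan"] is None

# Constructed sample: untagged ARP frame (broadcast dst, EtherType 0x0806, filler payload).
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28
TAGGED_30 = tag_frame(UNTAGGED, 30)   # the same frame as a trunk carries it for VLAN 30
```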