VLANs for the Homelab: Network Segmentation Guide
By LK Wood IV · 2026-06-13 · ~13 min read · St. Louis County, MO
A flat network — every device on the same /24 subnet — is fine until you have IoT devices you don’t fully trust, a guest network you want isolated, or a homelab server you want to reach without exposing it to your smart TV’s firmware. VLANs solve all of this with a managed switch and a router that supports inter-VLAN routing.
This guide covers the why, the concepts, and the concrete configuration steps for OPNsense + MikroTik switch + Proxmox — the most common homelab VLAN stack.
Why segment your network
IoT isolation. Smart TVs, cameras, speakers, and other consumer IoT devices often run weak or abandoned firmware. Putting them on their own VLAN, with firewall rules that stop them from reaching your main network, limits the blast radius if one is compromised. Keeping them from reaching each other is a separate control: traffic between two hosts on the same VLAN never crosses the firewall, so that takes client isolation on the access point or port isolation on the switch.
Guest network. Visitors get internet access without access to your NAS, Proxmox management, or local services.
Homelab management VLAN. Your Proxmox hosts, switches, and UPS management interfaces live on a restricted VLAN that only admin devices can reach.
Separation of services. Production VMs and development VMs on different VLANs. Outbound firewall rules per VLAN (production services can only make outbound connections to specific destinations; dev VMs can go anywhere).
VLAN planning
Before configuring anything, plan your VLANs on paper:
| VLAN ID | Name | Subnet | Purpose |
|---|---|---|---|
| 1 | Default | 192.168.1.0/24 | Main trusted devices |
| 10 | Homelab | 192.168.10.0/24 | Proxmox nodes, NAS, homelab infra |
| 20 | IoT | 192.168.20.0/24 | Smart devices, cameras, Zigbee gateways |
| 30 | Guest | 192.168.30.0/24 | Visitor devices |
| 99 | Management | 192.168.99.0/24 | Switch management IPs, OPNsense admin |
VLAN IDs are arbitrary but conventional: 10/20/30/40 for user VLANs, 99 for management, and 1 as the default, which most switches treat as the untagged native VLAN. That is why VLAN 1 is a poor home for anything important: a port you forget to configure lands on it, and untagged frames arriving on a trunk land on it too. This plan leaves the main LAN on VLAN 1 because that is what an existing flat network already is; the stricter variant is to move trusted devices to their own tagged VLAN (40, say) and leave nothing on VLAN 1.
OPNsense configuration
Create VLAN interfaces
Navigate to Interfaces → Other Types → VLAN:
For each VLAN you’re creating:
- Parent interface: your LAN NIC (e.g., `igc1`)
- VLAN Tag: the VLAN ID (e.g., 10)
- Description: Homelab, IoT, Guest, etc.
After creating the VLAN subinterfaces, assign them:
Interfaces → Assignments:
- Add each VLAN interface (`igc1.10`, `igc1.20`, `igc1.30`, `igc1.99`) as a new interface
- Rename them to meaningful names: `HOMELAB`, `IOT`, `GUEST`, `MGMT`
Configure IP addresses on each VLAN interface
For each new interface (e.g., Interfaces → HOMELAB):
- Enable: checked
- IPv4 Config Type: Static
- IPv4 Address: 192.168.10.1/24
Repeat for each VLAN.
Enable DHCP on each VLAN
Services → DHCPv4 → [HOMELAB]:
- Enable DHCP
- Set range: 192.168.10.100 to 192.168.10.199
Repeat for IoT (192.168.20.100–200), Guest (192.168.30.100–200).
Add firewall rules
Firewall → Rules → [interface tab]. Rules are attached to the interface the traffic arrives on, so the IoT rules go on the IOT tab, the Guest rules on GUEST, and so on. They are evaluated top-down and the first match wins (rules are "quick" by default); an interface with no matching rule falls through to the default block, so a freshly assigned VLAN interface starts out fully isolated and everything below is what you open up. Use the built-in aliases: "IoT net" is the interface's subnet and "IoT address" is OPNsense's own IP on that VLAN. Create an alias (Firewall → Aliases) named RFC1918 containing 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
IoT VLAN (192.168.20.0/24):
Pass: Source=IoT net, Destination=IoT address, Protocol=TCP/UDP, Port=53 → lets devices resolve names through OPNsense (DHCP is permitted automatically once the DHCP server is enabled on the interface)
Block: Source=IoT net, Destination=RFC1918 → prevents IoT reaching any other subnet, including OPNsense's addresses on the other VLANs
Pass: Source=IoT net, Destination=any → allows internet access
Order matters: the DNS pass sits above the RFC1918 block, and the block sits above the pass-any. OPNsense evaluates rules top-down and stops at the first match.
Guest VLAN:
Pass: Source=Guest net, Destination=Guest address, Protocol=TCP/UDP, Port=53 → DNS
Block: Source=Guest net, Destination=RFC1918 → blocks access to all local subnets (192.168.0.0/16 is the private range that covers every subnet in this plan; 192.168.0.0/8 is not a private range)
Pass: Source=Guest net, Destination=any → allows internet
Homelab VLAN:
Block: Source=Homelab net, Destination=MGMT net → keeps infrastructure hosts off the management plane
Pass: Source=Homelab net, Destination=any → otherwise full access (trusted infrastructure)
Management VLAN, strict:
Pass: Source=MGMT net, Destination=any → management devices can reach everything
Nothing from the other VLANs should reach 192.168.99.0/24, but a rule on the MGMT interface cannot enforce that: it only sees traffic entering from the MGMT VLAN. The protection comes from the other interfaces' rulesets: IoT and Guest are stopped by their RFC1918 blocks, Homelab by its explicit block, and on the main LAN you add the same Block (Source=LAN net, Destination=MGMT net) above the default "allow LAN to any" rule if you don't want every trusted laptop to reach switch logins.
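As an added example (not code from the guide and not part of OPNsense), the following Python models the first-match evaluation described above, so a ruleset's ordering can be checked before it is clicked into the GUI. It transcribes the IoT, Guest and Homelab rulesets from this section, plus the misordered IoT ruleset from the "Common mistakes" section, against constructed sample flows. The RFC1918 alias contents, the sample host addresses and the probe ports are assumptions made here.

```python
"""First-match simulation of per-interface OPNsense rulesets (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


def nets(*cidrs):
    return [ip_network(c) for c in cidrs]


ANY = nets("0.0.0.0/0")
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # the alias
HOMELAB_NET, IOT_NET = nets("192.168.10.0/24"), nets("192.168.20.0/24")
GUEST_NET, MGMT_NET = nets("192.168.30.0/24"), nets("192.168.99.0/24")


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: List
    dst: List
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None = any destination port


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """Action taken for one new flow entering the interface these rules
    belong to: first matching rule wins, no match means block."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if not any(s in n for n in r.src) or not any(d in n for n in r.dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"  # implicit default deny for the interface


# IoT interface: DNS to OPNsense's own address on this VLAN first, then
# block every private destination, then allow the rest (the internet).
IOT_RULES = [
    Rule("pass", IOT_NET, nets("192.168.20.1/32"), "udp", 53),
    Rule("pass", IOT_NET, nets("192.168.20.1/32"), "tcp", 53),
    Rule("block", IOT_NET, RFC1918),
    Rule("pass", IOT_NET, ANY),
]
# The ordering mistake from "Common mistakes": pass-any above the block.
IOT_RULES_MISORDERED = [Rule("pass", IOT_NET, ANY), Rule("block", IOT_NET, RFC1918)]

GUEST_RULES = [
    Rule("pass", GUEST_NET, nets("192.168.30.1/32"), "udp", 53),
    Rule("block", GUEST_NET, RFC1918),
    Rule("pass", GUEST_NET, ANY),
]

# Homelab is trusted, but pass-any alone would also reach the management
# VLAN; the explicit block has to sit above it.
HOMELAB_RULES = [Rule("block", HOMELAB_NET, MGMT_NET), Rule("pass", HOMELAB_NET, ANY)]
HOMELAB_RULES_NAIVE = [Rule("pass", HOMELAB_NET, ANY)]


def leaks(rules, src_ip, protected=RFC1918, port=445):
    """Protected networks whose first host src_ip can still reach on `port`.
    An empty list means the ruleset isolates src_ip as intended."""
    return [str(n) for n in protected
            if evaluate(rules, src_ip, str(n.network_address + 1), "tcp", port) == "pass"]


def can_reach_mgmt(rules, src_ip):
    """True if src_ip can open the OPNsense web UI on its MGMT address."""
    return evaluate(rules, src_ip, "192.168.99.1", "tcp", 443) == "pass"


if __name__ == "__main__":
    iot = "192.168.20.50"  # constructed sample host on the IoT VLAN
    print("IoT -> 1.1.1.1:443      ", evaluate(IOT_RULES, iot, "1.1.1.1", "tcp", 443))
    print("IoT -> 192.168.1.1:445  ", evaluate(IOT_RULES, iot, "192.168.1.1", "tcp", 445))
    print("IoT -> DNS on gateway   ", evaluate(IOT_RULES, iot, "192.168.20.1", "udp", 53))
    print("misordered IoT leaks    ", leaks(IOT_RULES_MISORDERED, iot))
    print("homelab -> mgmt (naive) ", can_reach_mgmt(HOMELAB_RULES_NAIVE, "192.168.10.10"))
```

The model deliberately ignores state tracking and reply traffic: OPNsense is stateful, so the only question that matters for isolation is which rule the first packet of a flow hits, and that is what `evaluate` answers.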
MikroTik switch configuration
For a MikroTik CRS305 or similar, connect via WinBox or the web UI.
Put the ports in one bridge:
On RouterOS a switch's VLANs live in the bridge VLAN table, not in per-port /interface vlan entries; the only /interface vlan the switch needs is the one for its own management address (below). The CRS305 default configuration already has every Ethernet port in bridge1; if yours does not, create the bridge and add the ports:
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
Leave vlan-filtering off on the bridge until the management VLAN interface is in place; enabling it before that is the classic way to lock yourself out of the switch.
Configure the uplink trunk port (to OPNsense):
The port connected to OPNsense's LAN NIC carries VLANs 10, 20, 30 and 99 tagged and the main LAN (VLAN 1) untagged, which is why its PVID stays at 1:
/interface bridge port
set [find interface=ether1] pvid=1
Configure the bridge VLAN table:
RouterOS keeps one entry per VLAN ID on a bridge, listing the ports that carry that VLAN tagged (the trunk) and the ports that carry it untagged (access ports). VLAN 99 also needs bridge1 itself as a tagged member, otherwise the switch CPU never receives management traffic:
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
add bridge=bridge1 tagged=ether1 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99
Configure access ports (for end devices):
The PVID is the VLAN an untagged frame entering the port is assigned to, so it must match the VLAN the port is untagged in above. Port ether2 for a NAS on VLAN 10 (a Proxmox host with a VLAN-aware bridge needs a trunk port configured like ether1 instead; see the Proxmox section), port ether3 for an IoT hub on VLAN 20:
/interface bridge port
set [find interface=ether2] pvid=10
set [find interface=ether3] pvid=20
On CRS models running RouterOS (CSS models run SwOS, whose VLAN setup is a different, menu-driven one and does not use these commands), also tell each access port to accept only untagged frames and to drop frames tagged for VLANs the port is not a member of. Without this, a device plugged into the IoT port can send frames already tagged with VLAN 10 and the switch will forward them there:
/interface bridge port
set [find interface=ether2] pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=ether3] pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
MikroTik VLAN management IP
Give the switch an L3 VLAN interface on the bridge for the Management VLAN and address it there. The VLAN 99 bridge entry above includes bridge1 as a tagged member, which is what lets this interface receive traffic once filtering is on:
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
/ip address
add address=192.168.99.2/24 interface=vlan99
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1
Only now enable VLAN filtering on the bridge. Until this is set the VLAN table is not enforced and every port still behaves like a flat switch:
/interface bridge
set bridge1 vlan-filtering=yes
Do this with Safe Mode active in WinBox or the terminal (it rolls the changes back if the session drops) or from a serial console, because any mistake in the table locks you out the moment filtering turns on.
Then remove the default untagged management address that MikroTik's default configuration puts on bridge1 (192.168.88.1/24), so the switch is reachable only through vlan99:
/ip address
remove [find interface=bridge1]
The trunk port still carries VLAN 99 tagged; that is how management reaches the switch, so what you restrict is the management plane, not the port. With no address on bridge1 the switch cannot be addressed from VLANs 1, 10, 20 or 30 at all, OPNsense's rules keep those VLANs out of 192.168.99.0/24, and you can additionally limit the management services under /ip service to the 192.168.99.0/24 subnet and disable the ones you don't use (telnet, ftp, api).
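A checker for the switch side, added here as an example (it is not a MikroTik tool and not part of the guide): it parses the text of a RouterOS `/export` and reports the switch-side mistakes this guide's troubleshooting list warns about, namely an access port whose PVID disagrees with the VLAN it is untagged in, a trunk that does not carry every planned VLAN, a management VLAN interface whose bridge is not a tagged member of that VLAN, and vlan-filtering left off. The plan, trunk and bridge names are the ones used in this guide; the two export snippets are constructed for the example (one correct, one with all four mistakes) rather than taken from a real switch.

```python
"""Offline consistency check of a RouterOS bridge-VLAN export (added example)."""
import re
from collections import defaultdict

PLAN = {10: "Homelab", 20: "IoT", 30: "Guest", 99: "Management"}
TRUNK, BRIDGE = "ether1", "bridge1"
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value tokens of an add/set line


def parse_export(text):
    """Group the add/set lines of `/export` output under their `/path` section."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
        elif current and line.split()[0] in ("add", "set"):
            sections[current].append({k: v.strip('"') for k, v in KV.findall(line)})
    return sections


def vlan_set(spec):
    """Expand a vlan-ids value such as '10,20,30-32' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def members(entry, key):
    return {p for p in entry.get(key, "").split(",") if p}


def audit(export_text, plan=PLAN, trunk=TRUNK, bridge=BRIDGE):
    """Return sorted findings; an empty list means the table matches the plan."""
    s, findings = parse_export(export_text), []
    bridge_cfg = next((b for b in s["/interface bridge"] if b.get("name") == bridge), {})
    if bridge_cfg.get("vlan-filtering") != "yes":
        findings.append(f"{bridge}: vlan-filtering is not yes, so the VLAN table is not enforced")
    pvid = {p["interface"]: int(p.get("pvid", 1))  # RouterOS default pvid is 1
            for p in s["/interface bridge port"] if p.get("bridge") == bridge}
    tagged, untagged = defaultdict(set), defaultdict(set)
    for e in s["/interface bridge vlan"]:
        if e.get("bridge") == bridge:
            for v in vlan_set(e["vlan-ids"]):
                tagged[v] |= members(e, "tagged")
                untagged[v] |= members(e, "untagged")
    for v, ports in untagged.items():          # access port vs. PVID agreement
        for port in sorted(ports):
            if pvid.get(port) != v:
                findings.append(f"{port}: untagged member of VLAN {v} but pvid={pvid.get(port)}")
    for v, name in plan.items():               # trunk carries every planned VLAN
        if trunk not in tagged[v]:
            findings.append(f"{trunk}: trunk does not carry VLAN {v} ({name}) tagged")
    for vi in s["/interface vlan"]:            # management interface is reachable
        if vi.get("interface") == bridge and bridge not in tagged[int(vi["vlan-id"])]:
            findings.append(f"{vi['name']}: {bridge} is not a tagged member of VLAN "
                            f"{vi['vlan-id']}, so the switch CPU never sees management traffic")
    return sorted(findings)


GOOD_EXPORT = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=1
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
add bridge=bridge1 tagged=ether1 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
"""

BAD_EXPORT = """\
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=1
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=30
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
add bridge=bridge1 untagged=ether3 vlan-ids=20
add bridge=bridge1 tagged=ether1 vlan-ids=30,99
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
"""

if __name__ == "__main__":
    print("good:", audit(GOOD_EXPORT) or "no findings")
    print("bad: ", *audit(BAD_EXPORT), sep="\n  ")
```

Run it against the output of `/export` copied from the switch; on a real device the export also contains sections the checker ignores, which is fine. It checks the static table only, so a port whose VLAN membership exists solely as a dynamic entry created from its PVID will be reported as inconsistent with the plan until you add it explicitly.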
Proxmox VLAN-aware bridge
In Proxmox, a single VLAN-aware bridge can carry all your VLANs over a single trunk uplink to the switch.
Datacenter → pve01 → System → Network:
- Select your bridge (vmbr0)
- Enable VLAN aware
- Save and apply
The bridge's physical NIC (e.g., eno1) connects to a trunk port on your switch. The checkbox writes bridge-vlan-aware yes and bridge-vids 2-4094 into the vmbr0 stanza of /etc/network/interfaces, and the bridge then forwards tagged frames for all of those VLANs. The host's own address on vmbr0 stays untagged, which on this trunk means VLAN 1, so enabling VLAN awareness does not by itself move Proxmox management anywhere.
Assigning VMs/LXCs to VLANs:
When creating or editing a VM/LXC, in the network tab:
- Bridge: vmbr0
- VLAN Tag: 10 (for Homelab VLAN)
The VM gets an untagged interface that Proxmox places on VLAN 10. The VM itself doesn’t need to know about VLANs.
For a VM that needs to be multi-homed (reachable from several VLANs), add one network interface per VLAN with the matching tag. Home Assistant, for example, might need one interface with the VLAN Tag left empty (untagged, which the trunk's PVID places on VLAN 1, the main LAN) for user access, and a second interface with VLAN Tag 20 so it can discover and control IoT devices with the broadcast and mDNS protocols that never cross the router.
Testing your VLAN setup
After configuration, verify each VLAN is isolated:
Test 1: IoT can reach internet, not LAN:
# From an IoT device (or a VM on VLAN 20)
ping 1.1.1.1 # should work
ping 192.168.1.1 # should fail: the block rule drops silently, so expect timeouts rather than "unreachable"
ping 192.168.10.1 # should fail
Test 2: Main LAN can reach Homelab VLAN:
# From a laptop on the main VLAN
ping 192.168.10.10 # should work (Proxmox node)
Test 3: IoT can’t reach Homelab:
# From IoT VLAN
ping 192.168.10.10 # should fail
If a test fails unexpectedly, check:
- OPNsense firewall rules: verify the order (DNS pass, then block, then pass-any) on the tab of the interface the traffic enters
- OPNsense DHCP: the device must hold a lease from the pool of the VLAN its port is on; a 192.168.1.x address on a supposedly IoT port means that port is still on VLAN 1
- Switch VLAN table: each access port's PVID must match the VLAN it is untagged in, and the trunk must carry every VLAN tagged
- Switch VLAN filtering: on RouterOS the table does nothing until vlan-filtering=yes is set on the bridge
Common mistakes
IoT VLAN with “any” allow rule: If you add a pass-any rule before your block-private-networks rule, IoT devices can still reach your main LAN. OPNsense processes rules top-to-bottom, first match wins.
Forgetting to assign the VLAN interface: After creating a VLAN subinterface in OPNsense, you must also assign it under Interfaces → Assignments. Until assigned, it has no IP and can’t route traffic.
Switch trunk port not tagged for all VLANs: If VLAN 20 traffic isn’t reaching OPNsense, verify the trunk port is explicitly allowed to carry VLAN 20 in the switch’s VLAN table.
Proxmox management on a VLAN: If you put Proxmox’s management interface on a VLAN and something goes wrong with the VLAN configuration, you can lock yourself out of the Proxmox web UI. Always keep console access (via iKVM or direct keyboard/monitor) as a fallback.
VLANs need a capable router to enforce inter-VLAN firewall rules. The OPNsense setup guide covers the firewall side. For physical networking gear, the 10GbE home networking guide covers switch selection.