Brian Strickland

ServiceNow Platform Manager | Product Owner | AI Enthusiast | Developer | CISSP

Segmented Home Network Lab Setup with VLANs

February 22, 2025

After weeks of tinkering, I finalized a segmented home network lab that supports IoT isolation, Home Assistant control, and smart device access to the internet while maintaining traffic boundaries. This post documents my final setup, port configurations, VLAN assignments, and key learnings.


🧠 Network Design Goals

  • Isolate IoT devices (like Alexa, smart lights, etc.) from main devices
  • Provide a secure path for Home Assistant to control IoT devices
  • Allow Alexa and others to access the internet
  • Support multiple subnets via VLANs
  • Enable future scalability and visibility for SOC experiments

🛠️ Equipment Overview

| Device | IP Address | Purpose |
|---|---|---|
| AT&T Router | 192.168.1.254 | Primary internet gateway (VLAN 1) |
| TP-Link 8-Port Switch | 192.168.1.104 | Main switch; carries both VLANs on a tagged uplink |
| TP-Link 5-Port Switch | 192.168.1.105 | IoT/VLAN uplink + WAVLINK bridge |
| WAVLINK Router | 192.168.10.1 | IoT router and NAT gateway for the 192.168.10.0/24 subnet |
| Home Assistant (Beelink) | 192.168.1.113 / 192.168.10.2 | Main automation server (dual VLAN access) |

🧩 VLAN Summary

| VLAN ID | Purpose | Subnet |
|---|---|---|
| 1 | Main Network | 192.168.1.0/24 |
| 10 | IoT Devices | 192.168.10.0/24 |

TP-Link 5-Port Switch (192.168.1.105) port configuration

| Port | Description | VLANs | Tagged | Untagged |
|---|---|---|---|---|
| 1 | Uplink to AT&T Router | 1, 10 | none | 1 (PVID) |
| 3 | To WAVLINK LAN port | 10 | none | 10 (PVID) |
| 4 | To WAVLINK WAN port | 1 | none | 1 (PVID) |
| 5 | Uplink to 8-Port Switch | 1, 10 | 10 | 1 (PVID) |

A port can have only one untagged VLAN (its PVID), so with nothing tagged toward the AT&T router only VLAN 1 actually reaches it. That is the intent: the AT&T router is not VLAN-aware and only needs to see the main network.

TP-Link 8-Port Switch (192.168.1.104) port configuration

| Port | Description | VLANs | Tagged | Untagged |
|---|---|---|---|---|
| 1 | General Devices/PCs | 1 | none | 1 (PVID) |
| 4 | Home Assistant (HA) | 1, 10 | 10 | 1 (PVID) |
| 7 | IoT Devices / Alexa | 10 | none | 10 (PVID) |
| 8 | From 5-Port Switch (uplink) | 1, 10 | 10 | 1 (PVID) |

Port 4 must carry VLAN 10 tagged: Home Assistant picks it up on the enp1s0.10 subinterface, while its untagged traffic lands in VLAN 1 via the PVID. If VLAN 10 is left untagged-only or omitted on this port, HA never sees the IoT subnet.

🔄 Traffic Flow Breakdown

  • VLAN 1 (Main) is the core network. It is the only VLAN the AT&T router sees, and it provides general internet access.
  • VLAN 10 (IoT) has no router between it and VLAN 1. Its only gateway is the WAVLINK (192.168.10.1), which NATs IoT traffic out through its WAN port on VLAN 1, so IoT devices cannot be reached from VLAN 1 except through Home Assistant.
  • The tagged uplink (5-port switch port 5 to 8-port switch port 8) carries both VLANs between the switches with 802.1Q tags. The tag keeps the two broadcast domains apart on the shared cable; it does not route between them.
  • Home Assistant is dual-homed: enp1s0 sits untagged in VLAN 1 (192.168.1.113) and the VLAN subinterface enp1s0.10 sits in VLAN 10 (192.168.10.2), so HA reaches IoT devices by IP without any inter-VLAN routing.
  • Alexa and the other IoT devices reach the internet through VLAN 10, the WAVLINK NAT, and then the AT&T router.

Two things this layout does not do on its own, which the firewall work mentioned at the end needs to cover: the WAVLINK NAT blocks unsolicited inbound connections to the IoT subnet, but nothing stops an IoT device from opening a connection to a 192.168.1.0/24 host unless the WAVLINK is given a rule that drops WAN-side traffic to that range, because VLAN 1 is its upstream; and Home Assistant, with a leg in both VLANs, is the one host whose compromise bridges the segments, so it deserves the tightest patching and host firewall of anything on the network.
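To check the claims in the port tables and the bullets above rather than trust them, here is an added example (my own code, not part of the original post or any TP-Link tooling) that models both switches as simplified 802.1Q bridges: one untagged VLAN per port (the PVID), any number of tagged VLANs, and a frame carrying a tag the port does not accept is dropped on ingress (an assumption about the switch, stated in the code). The port contents are the ones from the tables; the switch labels `five` and `eight` and all function names are this example's own. It floods a frame from a given port across the trunk and reports which devices receive it, and it also shows why the Home Assistant port needs VLAN 10 tagged: without that, HA never sees an IoT frame.

```python
"""Layer-2 reachability model of the two TP-Link switches in the post.

Added example, not the post's own tooling. Simplified 802.1Q bridge:
each port has exactly one untagged VLAN (its PVID) plus any number of
tagged VLANs, and a frame tagged with a VLAN the port does not carry is
dropped on ingress (assumption about the switch). Port contents come
from the post's tables; the labels "five"/"eight" are this example's own.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str                         # device on the port (label only)
    pvid: int                         # the one untagged VLAN; untagged ingress lands here
    tagged: frozenset = frozenset()   # VLANs this port carries with an 802.1Q tag

    def member_of(self, vlan: int) -> bool:
        return vlan == self.pvid or vlan in self.tagged


def ingress_vlan(port: Port, frame_vlan: Optional[int]) -> Optional[int]:
    """Classify a frame on ingress; None means the switch drops it.

    Untagged frames take the PVID. A tagged frame is accepted only if the port
    is a tagged member of that VLAN, which is what stops a device on an access
    port from hopping into another VLAN by sending its own 802.1Q tags.
    """
    if frame_vlan is None:
        return port.pvid
    return frame_vlan if frame_vlan in port.tagged else None


def egress_ports(switch: dict, in_port: int, frame_vlan: Optional[int]) -> dict:
    """Map of out-port -> leaves_tagged for a frame flooded within one switch."""
    vlan = ingress_vlan(switch[in_port], frame_vlan)
    if vlan is None:
        return {}
    return {n: (vlan in p.tagged) for n, p in switch.items()
            if n != in_port and p.member_of(vlan)}


# Port tables from the post. Port 1 of the 5-port switch is listed as "1, 10"
# with nothing tagged; with one untagged VLAN per port, what the AT&T router
# actually sees is VLAN 1 (assumption made explicit here).
FIVE = {
    1: Port("AT&T router", pvid=1),
    3: Port("WAVLINK LAN", pvid=10),
    4: Port("WAVLINK WAN", pvid=1),
    5: Port("uplink to 8-port", pvid=1, tagged=frozenset({10})),
}
EIGHT = {
    1: Port("PCs", pvid=1),
    4: Port("Home Assistant", pvid=1, tagged=frozenset({10})),  # enp1s0.10 needs tagged 10
    7: Port("IoT / Alexa", pvid=10),
    8: Port("uplink from 5-port", pvid=1, tagged=frozenset({10})),
}
SWITCHES = {"five": FIVE, "eight": EIGHT}
LINKS = [(("five", 5), ("eight", 8))]   # the tagged trunk between the two switches


def trunk_consistent(a: Port, b: Port) -> bool:
    """Both ends of a trunk must agree on PVID and tagged set, or frames are
    silently reclassified into the wrong VLAN on the far side."""
    return a.pvid == b.pvid and a.tagged == b.tagged


def flood(start, frame_vlan: Optional[int] = None, switches=SWITCHES, links=LINKS) -> set:
    """Every (switch, port) that receives a frame entering at `start`.

    Trunk ports are followed rather than reported: a frame leaving tagged is
    offered on the far side as tagged; one leaving untagged is classified
    into the far port's PVID, as on a real 802.1Q link.
    """
    peer = {}
    for a, b in links:
        peer[a], peer[b] = b, a
    delivered, visited = set(), set()
    queue = [(start, frame_vlan)]
    while queue:
        (sw, port), fv = queue.pop()
        if sw in visited:          # two switches, no loops, but stay safe
            continue
        visited.add(sw)
        vlan = ingress_vlan(switches[sw][port], fv)
        for out, leaves_tagged in egress_ports(switches[sw], port, fv).items():
            if (sw, out) in peer:
                queue.append((peer[(sw, out)], vlan if leaves_tagged else None))
            else:
                delivered.add((sw, out))
    return delivered


def describe(start, frame_vlan: Optional[int] = None) -> list:
    """Sorted device names a frame entering at `start` is delivered to."""
    return sorted(SWITCHES[sw][p].name for sw, p in flood(start, frame_vlan))


if __name__ == "__main__":
    print("Alexa (untagged) reaches:", describe(("eight", 7)))
    print("PC (untagged) reaches:   ", describe(("eight", 1)))
    print("Alexa forging VLAN 1 tag:", describe(("eight", 7), frame_vlan=1))
    print("Trunk consistent:", trunk_consistent(FIVE[5], EIGHT[8]))
```

Running it shows that an untagged frame from the Alexa port reaches only Home Assistant (tagged) and the WAVLINK LAN port, that a PC's frame reaches the AT&T router, the WAVLINK WAN port and HA but never the IoT port, and that a frame the Alexa port forges with a VLAN 1 tag goes nowhere. The model stops at layer 2: it says nothing about the WAVLINK NAT path, which is exactly where VLAN 10 to VLAN 1 traffic still needs a firewall rule.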

🧪 Lessons Learned

  • Getting VLAN tagging and switch port isolation right took many iterations
  • WAVLINK needs to stay in router mode to provide NAT for IoT
  • Tagged VLAN uplinks are essential for proper segmentation
  • tcpdump is a lifesaver when debugging inter-VLAN ping failures
  • mDNS doesn’t cross VLANs on its own, since it is link-local multicast; direct IP control for devices like Kasa works better

This setup gives me a strong foundation for building secure, scalable smart home automations while isolating potentially insecure devices. Next step? Integrate firewall rules and logging for SOC visibility!


Created: June 2, 2025

