For years the homelab was one flat /24. Everything on it: the servers, the laptops, the NAS, two smart plugs, a thermostat, a telly that phones home more than I'd like, and whatever a guest's phone happened to be. It worked, in the sense that a single shared room with no walls works, right up until you think about who's actually in there with you. The telly and the thermostat sitting on the same broadcast domain as the box that runs my backups had finally started to bother me enough to do something about it.
The goal was four segments: management for the infrastructure, trusted for my own machines, IoT for the things I don't trust, and guest for visitors. The hard part isn't designing that. It's getting there from a flat network while the household keeps using it, because "the internet's down" is a support ticket that arrives in person and does not wait for a maintenance window.
the order matters more than the config
The mistake I nearly made was cutting everything over at once. New VLANs, new subnets, new DHCP scopes, new firewall rules, all in one evening. That way lies a dark house and a long night. Instead I did it one layer at a time, and crucially, kept the old flat network alive as one of the new VLANs rather than killing it.
The plan that worked:
- Define the VLANs on the router and create the subnets, but leave every switch port on the original untagged VLAN. Nothing changes for any device yet.
- Set up DHCP, DNS and firewall rules for the new VLANs and test them with a single laptop on a single tagged port. Prove the plumbing before moving anything real.
- Move devices a category at a time, starting with the ones nobody will notice, then ending with the ones everyone will.
The IoT migration went first, because if I broke a smart plug for an hour the only casualty was my pride. The trunk to the switch carries the tags, the access ports stay untagged into each device. The one detail that matters on the trunk is the native VLAN: while the migration is in flight it has to be the old flat network, or every port nobody has touched yet goes dark; once the last device has moved, point it at an unused VLAN so nothing untagged can ever land in trusted by default.
# VLAN database, the same four on router and switch
vlan 10
 name mgmt
vlan 20
 name trusted
vlan 30
 name iot
vlan 40
 name guest
# router, the trunk towards the switch: all four tagged, with the old flat
# network (which becomes trusted) carried untagged as the native VLAN, so
# every port nobody has touched yet keeps working as before
interface eth1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40
 switchport trunk native vlan 20
# switch port for the telly: untagged into VLAN 30
interface gi1/0/12
 switchport mode access
 switchport access vlan 30
Then the firewall, which is the whole point of the exercise. IoT gets internet and nothing else, apart from DHCP and DNS from the router on its own segment, which it cannot live without. It cannot reach management, it cannot reach trusted, it cannot start a conversation with anything inside. Trusted can reach IoT (so I can still cast to the telly), but not the other way round. The rules are stateful and first match wins, so order matters: the LAN drop has to sit above the internet allow, otherwise a "wan" destination that is really "anywhere" quietly lets IoT through.
# stateful, first match wins: replies to an allowed flow come back on their own,
# anything no rule names is dropped
iot -> router : allow dhcp, dns   # the gateway still hands out addresses and names
iot -> any-lan : drop
iot -> wan : allow                # below the LAN drop, so "wan" can't mean "anywhere"
trusted -> iot : allow
trusted -> mgmt : allow
trusted -> wan : allow
guest -> router : allow dhcp, dns
guest -> any-lan : drop
guest -> wan : allow
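Because first-match rules are easy to get subtly wrong, it is worth checking the policy against a handful of flows before trusting it. The following Python is an added example, not the post's own config or any real firewall's syntax: it evaluates a rule list the way a stateful, first-match, default-deny firewall would, over flows built from the post's four segments. The subnets, the gateway addresses and the rule vocabulary (`any-lan`, `wan`, `gateway`, `any`) are assumptions; the post never states its addressing. It carries two rule lists, the intended one above and a sloppy rewrite where "iot -> wan" was spelled as "anywhere" and put first, so you can see the LAN drop turn into dead code and guest lose DHCP.

```python
"""First-match evaluator for the post's inter-VLAN policy (added example, not
the post's config). Subnets, gateways and the rule vocabulary are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing: the post never states its subnets.
SEGMENTS = {
    "mgmt": ipaddress.ip_network("10.0.10.0/24"),
    "trusted": ipaddress.ip_network("10.0.20.0/24"),
    "iot": ipaddress.ip_network("10.0.30.0/24"),
    "guest": ipaddress.ip_network("10.0.40.0/24"),
}
# Assumed: the router answers on the first host address of every segment.
GATEWAYS = {name: next(net.hosts()) for name, net in SEGMENTS.items()}
DHCP, DNS, SMB = 67, 53, 445


def segment_of(ip: str) -> str:
    """Name the segment an address sits in; anything outside all four is 'wan'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "wan"


@dataclass(frozen=True)
class Rule:
    src: str                            # a segment name
    dst: str                            # segment, "any-lan", "wan", "gateway" or "any"
    action: str                         # "allow" or "drop"
    ports: Optional[frozenset] = None   # None matches every destination port


def matches(rule: Rule, src_ip: str, dst_ip: str, dport: int) -> bool:
    src_seg = segment_of(src_ip)
    if rule.src != src_seg or (rule.ports is not None and dport not in rule.ports):
        return False
    if rule.dst == "any":
        return True
    if rule.dst == "gateway":   # the router's own address on the source segment
        return src_seg in GATEWAYS and ipaddress.ip_address(dst_ip) == GATEWAYS[src_seg]
    dst_seg = segment_of(dst_ip)
    if rule.dst == "any-lan":
        return dst_seg != "wan"
    return rule.dst == dst_seg


def decide(rules, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; an unmatched new flow is dropped (default deny).
    Only the initiating direction is evaluated: replies ride on connection state."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, dport):
            return rule.action
    return "drop"


# The post's intent, plus the gateway exception its rule list leaves implicit:
# IoT and guest still need DHCP and DNS from the router on their own segment.
INTENDED = [
    Rule("iot", "gateway", "allow", frozenset({DHCP, DNS})),
    Rule("iot", "any-lan", "drop"),
    Rule("iot", "wan", "allow"),
    Rule("trusted", "iot", "allow"),
    Rule("trusted", "mgmt", "allow"),
    Rule("trusted", "wan", "allow"),
    Rule("guest", "gateway", "allow", frozenset({DHCP, DNS})),
    Rule("guest", "any-lan", "drop"),
    Rule("guest", "wan", "allow"),
]

# The tempting version: "iot -> wan" spelled as "anywhere" and listed first, which
# makes the LAN drop dead code, and guest with no gateway exception at all.
SLOPPY = [
    Rule("iot", "any", "allow"),
    Rule("iot", "any-lan", "drop"),
    Rule("trusted", "iot", "allow"),
    Rule("trusted", "mgmt", "allow"),
    Rule("trusted", "wan", "allow"),
    Rule("guest", "wan", "allow"),
    Rule("guest", "any-lan", "drop"),
]

# Constructed flows to check a policy against: (label, src, dst, dport).
CASES = [
    ("telly gets an address", "10.0.30.12", "10.0.30.1", DHCP),
    ("telly phones home", "10.0.30.12", "203.0.113.9", 443),
    ("telly pokes the NAS", "10.0.30.12", "10.0.10.5", SMB),
    ("telly pokes a laptop", "10.0.30.12", "10.0.20.7", 22),
    ("laptop casts to telly", "10.0.20.7", "10.0.30.12", 8009),
    ("laptop mounts NAS share", "10.0.20.7", "10.0.10.5", SMB),
    ("guest gets an address", "10.0.40.3", "10.0.40.1", DHCP),
    ("guest reaches the NAS", "10.0.40.3", "10.0.10.5", SMB),
    ("guest browses the web", "10.0.40.3", "203.0.113.9", 443),
]


def verdicts(rules) -> dict:
    """Evaluate every constructed flow against a rule list, label -> verdict."""
    return {label: decide(rules, s, d, p) for label, s, d, p in CASES}
```

Run `verdicts(INTENDED)` and `verdicts(SLOPPY)` side by side: the intended list drops "telly pokes the NAS" and allows "guest gets an address", the sloppy one does the opposite on both. The evaluator only models new flows; it relies on the firewall being stateful for replies, which is the same assumption the pseudo-rules above make.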
the bits that bit
Two things went wrong, both predictable in hindsight. The first: I moved the NAS to the management VLAN and immediately couldn't reach its shares from my laptop on trusted, because I'd written the inter-VLAN allow rule but forgotten that mDNS and SMB discovery don't cross subnets on their own: mDNS is link-local multicast and Windows-style browsing (NetBIOS, WS-Discovery) rides on broadcast or multicast, and a router forwards neither. The shares were reachable by IP the whole time; it was discovery that broke. An mDNS reflector sorted it, and the lesson stuck: segmenting a network breaks every protocol that assumed one broadcast domain, and most of the annoying ones are discovery protocols. One caveat on the fix: a reflector deliberately punches a hole back through the segmentation, so reflect only between the VLANs that actually need to see each other, and remember that discovery only finds a service; whether you can then talk to it is still the firewall's decision.
The second: a couple of IoT gadgets refused to renew DHCP after the move and sat there with stale addresses from the old scope, sulking. A reboot of each fixed it, but it's a reminder that cheap devices cache aggressively and forgive nothing.
It took an evening and a bit of the next, done in slices, with the old flat network surviving as the trusted VLAN so there was never a moment where everything was down at once. The house stayed online, the telly is now in its box where it belongs, and I can finally stop thinking about what shares the same wire as my backups. Worth it. Do it incrementally, default-deny between segments, and expect discovery protocols to be the thing that ruins your evening.