Everything in my homelab lived on one flat /24 for years. One subnet, one broadcast domain, the NAS and the smart plugs and the work laptop and the dodgy IoT camera all sharing the same gossip. I knew this was wrong. I'd known it was wrong for a long time. The thing that finally moved me wasn't a breach or a scare, it was buying a camera I didn't fully trust and realising that, as things stood, it could see and talk to every other device in the house. That's the homelab equivalent of leaving the back door open because the front door has a good lock.
So I spent a weekend cutting the flat network into VLANs, and it was more painful than I'd told myself it would be. Not because VLANs are hard, but because a flat network is a thousand small assumptions you've never written down, and segmenting it makes every one of them surface at once.
why I'd put it off
The honest reason is that flat networks just work. There's nothing to configure. Everything can reach everything, so nothing is ever blocked, so you never debug a connectivity problem that's actually a firewall problem. The cost is entirely invisible right up until it isn't, and "invisible cost" is the hardest kind to spend a weekend fixing.
The trigger was the trust boundary. I wanted three rough zones to start: trusted (my machines and the NAS), IoT (the cameras, plugs, the smart telly that phones home more than I'd like), and a guest zone. The principle is simple. IoT devices should reach the internet and nothing else on my network. Guests should reach the internet and not me. Trusted devices can reach everything. Stated that plainly it sounds like an afternoon. It was not an afternoon.
the plan, and the order that mattered
The single most important decision was the order of operations, because the thing doing the routing and firewalling was the same thing I was reconfiguring, over the network, from a laptop that was about to be on the wrong side of a new firewall rule. Lock yourself out of your own router and the weekend gets a lot longer and involves a crash cart.
So the order was deliberate:
- Build the VLANs and their subnets on the router first, with DHCP scopes, but leave them empty and wide open.
- Move exactly one non-critical device onto a new VLAN and confirm it gets an address and reaches the internet.
- Only once a VLAN was proven did I move anything I cared about onto it.
- Firewall rules went in last, default-allow first so nothing broke, then tightened one rule at a time.
- The machine I was working from stayed on the trusted VLAN with full access until the very end.
The VLANs themselves were the easy bit. Tagged on the trunk to the switch, an interface and subnet per VLAN on the router.
# router, roughly
vlan 10 trusted 10.10.10.0/24
vlan 20 iot 10.10.20.0/24
vlan 30 guest 10.10.30.0/24
where the pain actually was
The VLANs worked first time. The pain was everywhere the flat network had been quietly doing me a favour. mDNS and discovery were the worst of it. On a flat network, the telly finds the Chromecast and the printer announces itself and AirPlay just works, because broadcast and multicast reach everything. Segment the network and all of that stops, because that traffic doesn't cross VLANs by default. Suddenly half the "smart" things in the house couldn't see each other, and the people I live with noticed before I'd finished my coffee.
The fix was an mDNS reflector, a little daemon that listens for those discovery announcements on one VLAN and rebroadcasts them onto another, so a phone on the trusted VLAN can still find a speaker on the IoT VLAN without the two networks being fully open to each other. It's a deliberate, narrow hole rather than a flat plain.
# avahi reflector, the short version (avahi-daemon.conf)
[server]
# listen only on the VLANs that should discover each other, never the guest one; interface names are an example
allow-interfaces=vlan10,vlan20
[reflector]
enable-reflector=yes
Then the firewall, tightened one rule at a time. The rule I cared most about was the IoT zone: allow established and related traffic back, allow out to the internet, drop anything from IoT to the trusted subnet. The moment that rule went in and the camera could still stream to the internet but could no longer ping my laptop, the whole weekend justified itself.
# pf-ish pseudocode
# pf lets the last matching rule win, so without "quick" the broader pass
# below would override this block and IoT could still reach trusted
block in quick on iot from iot:network to trusted:network
# replies to IoT's outbound connections come back via the state this creates
pass in on iot from iot:network to any
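pf evaluates rules last-match-wins unless a matching rule is marked quick, so a plain block followed by a broader pass quietly lets IoT reach the trusted subnet. The snippet below is an added example, not anything from the post, that models that evaluation over the post's three subnets; the "iot" interface name and the sample addresses are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Zone subnets taken from the post; everything else here is constructed.
NETS = {
    "trusted": ipaddress.ip_network("10.10.10.0/24"),
    "iot": ipaddress.ip_network("10.10.20.0/24"),
    "guest": ipaddress.ip_network("10.10.30.0/24"),
}

@dataclass
class Rule:
    action: str          # "pass" or "block"
    iface: str           # interface the packet arrives on (all rules here are "in")
    src: str             # zone name or "any"
    dst: str             # zone name or "any"
    quick: bool = False  # pf: stop evaluating further rules once this one matches

def in_zone(addr, zone):
    return zone == "any" or ipaddress.ip_address(addr) in NETS[zone]

def evaluate(rules, iface, src, dst):
    """Model pf evaluation: the LAST matching rule wins unless a matching rule
    is 'quick', which stops evaluation. No match means pass (default-allow)."""
    decision = "pass"
    for r in rules:
        if r.iface == iface and in_zone(src, r.src) and in_zone(dst, r.dst):
            decision = r.action
            if r.quick:
                break
    return decision

# Block-then-pass with no 'quick': the broader pass matches last and wins.
WITHOUT_QUICK = [
    Rule("block", "iot", "iot", "trusted"),
    Rule("pass", "iot", "iot", "any"),
]
# Same rules with the block marked quick: IoT->trusted now stays blocked.
WITH_QUICK = [
    Rule("block", "iot", "iot", "trusted", quick=True),
    Rule("pass", "iot", "iot", "any"),
]

def check(rules):
    """Verdicts for a constructed IoT camera 10.10.20.50 reaching a trusted host and a documentation-range internet address."""
    return {
        "iot->trusted": evaluate(rules, "iot", "10.10.20.50", "10.10.10.5"),
        "iot->internet": evaluate(rules, "iot", "10.10.20.50", "203.0.113.10"),
    }
```

Running check on both rule sets shows the same camera reaching the internet either way, but only the quick version actually keeps it off the trusted subnet.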
was it worth it
Yes, and I should have done it years earlier. The IoT devices now live in a box where, if any of them is compromised, the blast radius is the internet and the other IoT devices, not my files and my workstation. Guests get internet and nothing else. And the exercise forced me to write down what should be able to talk to what, which I'd never actually done in all those flat years.
If you're sitting on a flat network and putting this off, the advice that would have helped me is just this: go slowly, prove each VLAN empty before you trust it, leave your own machine fully connected until the very last step, and expect mDNS to be the thing that bites you, not the routing. The VLANs are easy. It's all the convenient magic of a flat network, the stuff you forgot was magic, that makes you pay.