How to Set Up Home Network VLAN Segmentation with pfSense and a Managed Switch
VLAN segmentation is one of the most effective ways to secure your home network. By isolating IoT devices, work computers, and guest Wi-Fi into separate virtual LANs, you reduce attack surfaces and gain granular control over traffic flow. This guide walks you through a complete setup using pfSense as your firewall/router and a managed switch to handle VLAN tagging.
Why VLAN Segmentation Matters at Home
Modern homes contain dozens of connected devices — smart thermostats, security cameras, voice assistants, and more. These IoT devices are notoriously insecure and rarely receive firmware updates. Without network segmentation, a compromised smart bulb could potentially reach your work laptop or NAS containing sensitive files. VLAN segmentation solves this by creating logically separate networks that share the same physical infrastructure. Each VLAN operates as if it were its own isolated network, and traffic between VLANs must pass through your pfSense firewall where you define the rules.
What You Need
- pfSense firewall/router — a dedicated box or virtual machine running pfSense CE or pfSense Plus
- Managed switch — any switch that supports 802.1Q VLAN tagging (e.g., Netgear GS308E, TP-Link TL-SG108E, or Ubiquiti USW-Lite-8-PoE)
- Wireless access point — capable of multiple SSIDs with VLAN tagging (e.g., TP-Link EAP series, Ubiquiti UniFi AP)
- Ethernet cables — Cat5e or Cat6 for trunk links between pfSense, switch, and AP
VLAN Planning
Before touching any hardware, plan your VLAN layout. Here is a recommended structure:
| VLAN ID | Name | Subnet | Purpose |
|---|---|---|---|
| 1 | Management | 192.168.1.0/24 | Switch management, pfSense admin |
| 10 | Trusted / Work | 10.0.10.0/24 | Work computers, NAS, printers |
| 20 | IoT | 10.0.20.0/24 | Smart home devices, cameras |
| 30 | Guest Wi-Fi | 10.0.30.0/24 | Visitors and untrusted devices |
Step 1: Configure VLANs in pfSense
- Log in to your pfSense web interface (typically at 192.168.1.1).
- Navigate to Interfaces > Assignments > VLANs.
- Click Add to create a new VLAN. Select the parent interface (your LAN port connected to the managed switch), set the VLAN Tag to 10, and enter a description like Trusted_Work.
- Repeat to create VLAN 20 (IoT) and VLAN 30 (Guest).
- Go to Interfaces > Assignments, assign each new VLAN as an interface, and click Save.
Step 2: Configure VLAN Interfaces
- Click on each newly assigned interface (e.g., OPT1 for VLAN 10).
- Enable the interface and rename it to something descriptive like WORK.
- Set the IPv4 Configuration Type to Static IPv4 and enter the interface address that will serve as the VLAN's gateway: 10.0.10.1/24.
- Repeat for VLAN 20 with 10.0.20.1/24 and VLAN 30 with 10.0.30.1/24.
- Click Apply Changes.
Step 3: Set Up DHCP for Each VLAN
- Navigate to Services > DHCP Server.
- Select the WORK tab. Enable DHCP and set the address pool range, for example 10.0.10.100 to 10.0.10.200.
- Repeat for the IoT VLAN (10.0.20.100 – 10.0.20.200) and Guest VLAN (10.0.30.100 – 10.0.30.200).
- Optionally set DNS servers (e.g., 1.1.1.1 or your local DNS resolver) for each VLAN.
Step 4: Create Firewall Rules
This is the most critical step. Navigate to Firewall > Rules and configure rules for each VLAN interface:
- WORK (VLAN 10): Allow all traffic to the internet. Allow access to specific resources on other VLANs if needed (e.g., printing from an IoT printer). Block all other inter-VLAN traffic.
- IoT (VLAN 20): Allow traffic to the internet (required for cloud-based IoT services). Block all traffic to VLAN 10 and VLAN 1 (management). Block access to the pfSense admin interface using a rule that denies traffic to This Firewall on ports 80/443.
- Guest (VLAN 30): Allow DNS (port 53) and internet access (HTTP/HTTPS). Block all RFC1918 private address ranges to prevent guests from accessing any internal resources. Block access to the pfSense admin interface.
Tip: Create an alias in pfSense called RFC1918 containing 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 to simplify guest isolation rules.
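pfSense applies the rules on an interface top to bottom with first match winning, so the order of the rules above decides what each VLAN can actually reach. The following Python model is an added example (not pfSense's own code or configuration) that encodes the Step 4 tables with the RFC1918 alias and the This Firewall address, so you can check the policy before touching hardware; the printer address 10.0.20.50 and the exact ordering are assumptions.

```python
from ipaddress import ip_address, ip_network as net

# Constructed model of the Step 4 rule set (example code, not pfSense's own).
# pfSense evaluates an interface's rules top to bottom: the first match wins
# and anything that matches nothing is dropped by the implicit default deny.
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]
ANY = "any"

class Rule:
    def __init__(self, action, dst, ports=()):
        self.action = action  # "pass" or "block"
        self.dst = dst        # ANY, one network, or a list of networks (an alias)
        self.ports = ports    # () = any destination port (so it also matches ICMP)

    def matches(self, dst_ip, port):
        if self.ports and port not in self.ports:
            return False
        if self.dst == ANY:
            return True
        nets = self.dst if isinstance(self.dst, list) else [self.dst]
        return any(dst_ip in n for n in nets)

def evaluate(rules, dst, port=None):
    """Action taken for traffic entering the VLAN interface toward dst[:port]."""
    dst_ip = ip_address(dst)
    for rule in rules:
        if rule.matches(dst_ip, port):
            return rule.action
    return "block"  # implicit default deny

# One table per VLAN interface, in evaluation order. The source is implicitly
# the VLAN itself because each table is attached to that VLAN's interface.
RULES = {
    "WORK": [
        Rule("pass", net("10.0.20.50/32"), (9100,)),  # constructed printer IP on IoT VLAN
        Rule("block", [net("10.0.20.0/24"), net("10.0.30.0/24")]),  # other VLANs
        Rule("pass", ANY),                            # internet
    ],
    "IOT": [
        Rule("block", net("10.0.20.1/32"), (80, 443)),  # "This Firewall": pfSense GUI
        Rule("block", [net("10.0.10.0/24"), net("192.168.1.0/24")]),  # work + management
        Rule("pass", ANY),                              # cloud services, after the blocks
    ],
    "GUEST": [
        Rule("block", net("10.0.30.1/32"), (80, 443)),  # pfSense GUI
        Rule("pass", net("10.0.30.1/32"), (53,)),       # firewall's resolver, before RFC1918
        Rule("block", RFC1918),                         # the alias from the Tip
        Rule("pass", ANY, (53, 80, 443)),               # DNS and web only
    ],
}
```

Swapping the guest DNS pass and the RFC1918 block shows the ordering trap: guests that use the pfSense resolver would lose name resolution while still appearing to have internet access.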
Step 5: Configure the Managed Switch
- Log in to your managed switch's web interface.
- Navigate to the VLAN configuration section (often under 802.1Q VLAN).
- Create VLANs 10, 20, and 30.
- Set the port connected to pfSense as a trunk port (tagged for VLANs 10, 20, 30 and untagged for VLAN 1).
- Set the port connected to your wireless access point as a trunk port (tagged for VLANs 10, 20, 30).
- Set ports connected to work computers as access ports on VLAN 10 (untagged).
- Set ports connected to wired IoT devices as access ports on VLAN 20 (untagged).
Step 6: Configure the Wireless Access Point
- Create three SSIDs on your access point: one for your trusted/work network, one for IoT devices, and one for guests.
- Assign each SSID to its respective VLAN tag: Work SSID → VLAN 10, IoT SSID → VLAN 20, Guest SSID → VLAN 30.
- Use WPA3 or WPA2 with a strong password for the Work and IoT SSIDs.
- For the Guest SSID, consider enabling client isolation so guests cannot see each other's devices.
Step 7: Test and Verify
- Connect a device to each VLAN and verify it receives an IP address from the correct DHCP pool.
- From a guest device, try to ping 10.0.10.1 — it should be blocked.
- From a work device, confirm full internet access and access to local resources.
- From an IoT device, confirm internet connectivity but no access to work or management subnets.
- Check pfSense logs under Status > System Logs > Firewall to verify rules are being applied correctly.
Additional Recommendations
- Enable pfBlockerNG on pfSense to add DNS-based ad blocking and threat intelligence feeds per VLAN.
- Use static DHCP mappings for critical devices like your NAS, printers, and security cameras.
- Monitor bandwidth with pfSense packages like ntopng or Darkstat to detect unusual IoT traffic patterns.
- Update firmware regularly on your pfSense box, managed switch, and access points.
Frequently Asked Questions
Can I allow specific IoT devices to communicate with my work VLAN?
Yes. Create a targeted firewall rule on the IoT VLAN interface that allows traffic from a specific IP address (using a static DHCP mapping) to a specific destination and port on VLAN 10. For example, you might allow your network printer on VLAN 20 to accept print jobs from VLAN 10 devices. Always use the most restrictive rule possible — specify source IP, destination IP, and port rather than opening broad access between VLANs.
Do I need an expensive managed switch for VLAN segmentation?
No. Budget-friendly managed switches like the Netgear GS308E or TP-Link TL-SG108E cost between $30 and $50 and fully support 802.1Q VLAN tagging. These are more than sufficient for a home network. The key requirement is 802.1Q support — avoid unmanaged switches as they cannot handle VLAN tags. If you need Power over Ethernet for access points, look at models like the Netgear GS305EP.
What happens if a device on the IoT VLAN gets compromised?
With proper VLAN segmentation and firewall rules, a compromised IoT device is contained within VLAN 20. It cannot reach your work computers on VLAN 10 or your management network on VLAN 1. The attacker would only have access to other devices within the same IoT VLAN. To further limit blast radius, you can create additional firewall rules within the IoT VLAN to restrict device-to-device communication, or enable private VLAN (port isolation) features on your managed switch if supported.