How to Set Up Home Network VLANs for Work, Smart Home & Guest WiFi Using a Consumer Router
As remote work expands and smart home ecosystems grow, a flat home network where every device shares the same broadcast domain becomes a serious security and performance risk. Virtual LANs (VLANs) let you segment traffic so a compromised smart bulb can never reach your work laptop, and guests can browse the web without touching your private files. This guide walks you through creating three separate VLANs on a consumer-grade router.
What You Need Before You Start
- A VLAN-capable router — Consumer routers from brands like ASUS (with Merlin firmware), TP-Link (Omada series), Ubiquiti EdgeRouter, or any router running OpenWrt or DD-WRT firmware.
- A managed or smart switch (optional but recommended) — Needed if you want to carry VLANs to different physical ports. Models like the TP-Link TL-SG108E or Netgear GS308E work well.
- A wireless access point that supports multiple SSIDs mapped to VLANs — Many modern APs support this natively; alternatively, your VLAN-capable router’s built-in WiFi may suffice.
- An Ethernet cable and a computer for initial configuration.
Understanding the VLAN Layout
| VLAN ID | Name | Subnet | Purpose | Internet Access | Cross-VLAN Access |
|---|---|---|---|---|---|
| 10 | Work | 192.168.10.0/24 | Laptops, desktops, NAS for work | Yes | No |
| 20 | Smart Home | 192.168.20.0/24 | IoT cameras, bulbs, sensors, speakers | Yes (restricted) | No |
| 30 | Guest | 192.168.30.0/24 | Visitor devices | Yes | No |
Step 1: Flash or Enable Advanced Firmware
If your router does not natively support VLANs, install open-source firmware. OpenWrt is the most widely supported option.
- Visit openwrt.org and search for your router model in the hardware table.
- Download the appropriate firmware image (sysupgrade or factory, depending on whether you already run OpenWrt).
- Log into your stock router admin panel, navigate to Firmware Upgrade, and upload the OpenWrt image.
- Wait for the router to reboot, then access the new interface at 192.168.1.1.
Step 2: Create the VLANs on the Router
- Log into the router’s admin interface (LuCI for OpenWrt).
- Navigate to Network → Switch (or Network → Interfaces in newer OpenWrt versions).
- Create three new VLAN entries: VLAN 10, VLAN 20, and VLAN 30.
- Assign the WAN port as untagged on VLAN 1 (default) and off for the other VLANs.
- Set the LAN ports you want for each network. For example, Port 1 as untagged VLAN 10 (work desk), Port 2 as untagged VLAN 20 (IoT hub).
- Tag the port connected to your managed switch or AP so it carries all VLANs as tagged traffic (trunk port).
Step 3: Create Network Interfaces for Each VLAN
- Go to Network → Interfaces and click Add New Interface.
- Name the first one WORK, set protocol to Static address, and attach it to the VLAN 10 device (e.g., eth0.10).
- Assign IP 192.168.10.1 with netmask 255.255.255.0.
- Under the DHCP Server tab, enable DHCP and set the range (e.g., 192.168.10.100–192.168.10.250).
- Repeat for SMARTHOME (192.168.20.1, attached to eth0.20) and GUEST (192.168.30.1, attached to eth0.30).
Step 4: Configure Firewall Zones
This is the most critical step — firewall rules enforce the actual isolation between VLANs.
- Navigate to Network → Firewall.
- Create three new zones: work, smarthome, and guest.
- For each zone, set Input to Accept, Output to Accept, and Forward to Reject.
- Under Inter-zone forwarding, allow each zone to forward to the WAN zone only. Do not allow forwarding between work, smarthome, or guest zones.
- For the smarthome zone, consider adding additional rules to block access to the router’s management interface (port 80/443/22) so compromised IoT devices cannot tamper with your settings.
- For the guest zone, enable the option to isolate clients so guest devices cannot see each other.
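The Step 4 rules can be checked against the saved firewall configuration. The following is an added example, not part of the original guide or of OpenWrt: a small audit over a constructed excerpt of `/etc/config/firewall`, where `parse_uci` and `audit` are hypothetical helper names and the zone names are the ones used above.

```python
import shlex

# Constructed excerpt of /etc/config/firewall for the Step 4 layout: only the
# forwarding and rule sections; zone names are the ones this guide uses.
SAMPLE = """
config forwarding
    option src 'work'
    option dest 'wan'
config forwarding
    option src 'smarthome'
    option dest 'wan'
config forwarding
    option src 'guest'
    option dest 'wan'
config rule
    option name 'Block-IoT-Mgmt'
    option src 'smarthome'
    option proto 'tcp'
    option dest_port '22 80 443'
    option target 'REJECT'
"""


def parse_uci(text):
    """Collect each 'config <type>' section with its 'option <key> <value>' lines."""
    sections = []
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["config"]:
            sections.append({"type": tok[1]})
        elif tok[:1] == ["option"] and sections:
            sections[-1][tok[1]] = tok[2]
    return sections


def audit(text, internal=("work", "smarthome", "guest")):
    """Return findings where the config departs from the Step 4 isolation rules."""
    findings, blocked = [], set()
    for s in parse_uci(text):
        if s["type"] == "forwarding" and s.get("src") in internal and s.get("dest") != "wan":
            findings.append(f"forwarding {s['src']} -> {s.get('dest')} crosses VLANs")
        # A rule with src but no dest filters traffic to the router itself (input).
        is_input = s["type"] == "rule" and s.get("src") == "smarthome" and "dest" not in s
        if is_input and s.get("target") in ("REJECT", "DROP"):
            blocked |= set(s.get("dest_port", "").split())
    if not {"22", "80", "443"} <= blocked:
        findings.append("smarthome can reach router management ports 22/80/443")
    return findings
```

An empty list from `audit` means every internal zone forwards only to wan and the smarthome zone is blocked from the management ports.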
Step 5: Set Up Wireless SSIDs per VLAN
- Go to Network → Wireless.
- Edit your existing WiFi network or create a new one. Name the SSID Home-Work and assign it to the WORK network interface. Use WPA3 or WPA2 with a strong passphrase.
- Add a second SSID called Home-IoT mapped to the SMARTHOME interface.
- Add a third SSID called Home-Guest mapped to the GUEST interface. Consider enabling client isolation here as well.
- Save and apply all changes.
Step 6: Configure the Managed Switch (If Used)
- Log into your managed switch’s admin panel.
- Create VLANs 10, 20, and 30 on the switch.
- Set the uplink port (connected to the router) as a tagged trunk carrying VLANs 10, 20, and 30.
- Set individual access ports as untagged members of the appropriate VLAN based on what device is plugged into them.
Step 7: Test and Verify Isolation
- Connect a device to each VLAN (via WiFi SSID or physical port).
- Confirm each device receives an IP address in the correct subnet (192.168.10.x, 20.x, or 30.x).
- From the guest network, try to ping 192.168.10.1 — it should fail, confirming cross-VLAN isolation.
- Verify all three VLANs can reach the internet.
- From the smart home network, try to access the router admin page — it should be blocked if you added the rule in Step 4.
Pro Tips for Ongoing Maintenance
- Label your ports — Physically label switch ports with their VLAN assignment to avoid confusion later.
- Use DNS filtering — Apply stricter DNS rules (like Pi-hole or NextDNS) to the IoT VLAN to block telemetry from smart devices.
- Update firmware regularly — Keep your router firmware, switch firmware, and IoT devices updated to patch vulnerabilities.
- Monitor traffic — Use the router’s built-in traffic graphs or tools like ntopng to watch for unusual activity on the IoT VLAN.
- Rotate the guest password — Change the guest WiFi password monthly or use a captive portal for temporary access codes.
Frequently Asked Questions
Can I set up VLANs without flashing custom firmware?
Yes, but your options are limited. Some consumer routers like the ASUS RT-AX86U with stock firmware support a basic guest network that is isolated from the main LAN. The TP-Link Omada series and Ubiquiti UniFi Dream Machine also support VLANs out of the box without custom firmware. However, for full three-way VLAN segmentation on a budget router, OpenWrt or DD-WRT typically provides the most flexibility and control over firewall rules.
Will VLANs slow down my network speed?
No. VLAN tagging adds only 4 bytes to each Ethernet frame, which has a negligible impact on throughput. The routing between VLANs (inter-VLAN routing) is handled by the router’s CPU, but since the goal is to block inter-VLAN traffic rather than route it, the firewall simply drops those packets with virtually zero performance cost. Your internet speed and local file transfer speeds within the same VLAN will remain unaffected.
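To show where those 4 bytes sit, here is an added example (not from the original guide) that inserts and reads an 802.1Q tag on a constructed Ethernet frame. The function names `add_tag` and `read_tag` and the sample MAC addresses are assumptions made for illustration; the VLAN IDs are the ones from the layout table.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag
VLAN_NAMES = {10: "Work", 20: "Smart Home", 30: "Guest"}  # IDs from this guide's table


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag after the two 6-byte MAC addresses, as a trunk port does."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vid  # 3-bit priority, 1-bit DEI (0), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame: bytes):
    """Return (vlan_id, inner_ethertype), or (None, ethertype) for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner


# Constructed untagged frame: broadcast dst, made-up src MAC, EtherType IPv4, 46-byte payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)

if __name__ == "__main__":
    tagged = add_tag(UNTAGGED, 20)
    vid, inner = read_tag(tagged)
    print(len(tagged) - len(UNTAGGED), "bytes added;", VLAN_NAMES[vid], hex(inner))
```

An untagged access port delivers the frame in its `UNTAGGED` form, while the trunk port to the switch or AP carries the tagged form so the far end can tell VLAN 10, 20, and 30 apart.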
How do I allow specific cross-VLAN communication, such as casting to a smart TV from my work laptop?
You can create targeted firewall rules that permit only specific traffic between VLANs. For example, to allow casting, you would add a rule permitting mDNS/Bonjour traffic (UDP port 5353) from the work VLAN to the smart home VLAN and allow established/related connections back. In OpenWrt, you can install the avahi-daemon or umdns package to act as an mDNS reflector across VLANs, which is the cleanest solution. Always keep these exceptions as narrow as possible — allow only the specific ports and protocols needed rather than opening full access between VLANs.