VLANs can be confusing, but they are a powerful concept for improving isolation and security and for creating network topologies that are not limited by physical constraints.
VLAN stands for Virtual LAN and as the term implies, we create virtual LANs or broadcast domains.
If there is one thing to keep in mind as you explore VLANs, it is this: VLANs are a Layer 2 (Data Link, typically Ethernet) concept. We will eventually map each VLAN to a different IP subnet, but staying grounded in the fact that a VLAN is fundamentally a Layer 2 construct makes it much easier to troubleshoot a setup.
In a home network, one reason to use VLANs is the proliferation of smart home devices: they are typically WiFi enabled, but they are not known for good security practices. You may therefore want to isolate them and restrict their access, while keeping more permissive policies for the other devices on your network.
A brief and practical introduction to VLANs
- VLANs are a Layer 2 concept. You will need a router to route between VLANs, but if you are wondering whether device1 on IP subnet 1 can reach device2 on IP subnet 2, forget the IP subnets at first. Make sure there is a Layer 2 path for a frame from device1 to reach device2. Only if there is should you think about whether there is a Layer 3 path that allows routing between the two subnets.
- VLANs have a few concepts that are important to understand:
  - Tagging – This only applies to packets going out of a switch port. A switch port can be configured either to tag or to strip the tag on packets sent out through that port for a given VLAN.
    - When a port is tagged for a VLAN, all packets for that VLAN leaving that port carry the VLAN tag.
  - Primary VLAN ID or Default VLAN ID (PVID) – This only applies to packets coming into a switch port. Packets entering a switch port may or may not carry a VLAN tag. The PVID determines the VLAN that is assigned to untagged packets arriving at a switch port.
    - When a switch port receives an untagged packet, it applies the PVID to the packet and processes it as if it had arrived with that VLAN tag.
  - VLAN Membership – Every switch port is either a member of a given VLAN or not.
    - If a switch port is a member of a VLAN, when it receives a packet with that VLAN tag it forwards the packet to the relevant port(s) of the same VLAN on the switch.
    - If a switch port is not a member of a VLAN, when it receives a packet with that VLAN tag it drops the packet.
  - WiFi and VLAN – you can assign a VLAN tag to a WiFi SSID.
    - All devices on that SSID can be considered part of the same VLAN.
    - The WiFi access points are responsible for tagging packets from a given SSID with the appropriate VLAN ID and sending them through the wired network for routing.
Implementation Specific Quirks
Be careful to watch out for implementation-specific quirks:
- Most implementations treat VLAN ID 1 as the default VLAN/PVID, so it is simplest to use VLAN ID 1 as the default VLAN in your own network setup.
- I have a TP-Link Omada Switch and a Netgear Ethernet Plus switch. The Omada switch seems to be a proper managed switch with VLAN support. The Netgear on the other hand has a few different VLAN modes but behaves randomly in several of them. Only the Advanced VLAN mode seems to do what is expected. In addition, I don’t know if that switch actually isolates the broadcast domains for VLANs or not given how quirky the implementation is.
- UniFi devices really don’t like it if the PVID for the Access Point is tagged – they have an elaborate article explaining this. What’s even more important is that their UX does not like it if the LAN port gets tagged for the PVID either. The only lesson I learned from misadventures here is not to tag the PVID on any connections to UniFi devices.
Configuring VLANs in an existing Home Network
This is the likely path of least resistance for a working VLAN configuration in many home networks:
- Plan on using your default VLAN as the IoT VLAN – put your current WiFi network into this default VLAN. This avoids a lot of problems, including having to reconfigure all your IoT devices for a new WiFi network, which is a major hassle for most IoT devices. It also has the benefit that your default VLAN is your most untrusted one, which is how it should be. You can also make this an IPv4-only network with only WPA2 support, and possibly 2.4 GHz only if needed, to make it maximally compatible with IoT devices.
- Create a separate VLAN (Trusted VLAN) for your devices that are more trusted or more valuable – I created a VLAN for all my tablets, phones, laptops and PCs. This is my more trusted network and also the more restricted one in that it only has a limited number of devices. This network can be set up to support IPv6, a WPA3/WPA2 combination, and both 2.4 and 5 GHz (or 6 GHz if your APs support that).
- Because of the above setup, the tagging and VLAN membership configuration on the switches is pretty simple:
  - Make the Trusted VLAN tagged on every switch port where it should be accessible, and remove it from all other switch ports.
  - Make the default VLAN untagged everywhere – the only exceptions will be host ports for shared services that you want to expose to both VLANs. All ports to your routers and APs can be untagged for the default VLAN, and must be untagged if you are using UniFi devices.
- Set up your firewall policies to:
  - Allow all traffic from the Trusted VLAN to the Default VLAN – this gives your trusted devices full access to the IoT network and devices.
  - Block new and unrelated traffic from the Default VLAN to the Trusted VLAN – this ensures that only established and related traffic can flow back from the Default VLAN to the Trusted VLAN.
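To make the three switch rules from the introduction (tagging on egress, PVID on ingress, membership) and the trusted/default port layout above concrete, here is a small constructed model of a switch, added as an example and not code from this post or from any vendor; the VLAN IDs 1 and 20, the port names and the shared "nas" host being tagged for both VLANs are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    """Per-port VLAN settings, mirroring the three concepts in the introduction."""
    pvid: int                                    # VLAN given to untagged ingress frames
    tagged: set = field(default_factory=set)     # egress: send frames with an 802.1Q tag
    untagged: set = field(default_factory=set)   # egress: strip the tag before sending

    def member_of(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


class Switch:
    def __init__(self, ports: dict):
        self.ports = ports  # port name -> Port

    def forward(self, ingress: str, vid=None) -> dict:
        """A frame enters `ingress` carrying tag `vid` (None = untagged).

        Returns {egress_port: vid_on_wire_or_None}; an empty dict means dropped.
        """
        port = self.ports[ingress]
        if vid is None:              # ingress rule: untagged frames take the PVID
            vid = port.pvid
        if not port.member_of(vid):  # membership rule: a non-member drops the frame
            return {}
        out = {}
        for name, p in self.ports.items():
            if name != ingress and p.member_of(vid):
                # egress rule: tag or strip according to this port's per-VLAN setting
                out[name] = vid if vid in p.tagged else None
        return out


DEFAULT, TRUSTED = 1, 20   # assumed IDs: default/IoT VLAN and Trusted VLAN


def build_home_switch() -> Switch:
    """Layout from the configuration section: default untagged everywhere,
    Trusted tagged only where it must be reachable, shared host tagged for both."""
    return Switch({
        "router":   Port(pvid=DEFAULT, untagged={DEFAULT}, tagged={TRUSTED}),
        "ap":       Port(pvid=DEFAULT, untagged={DEFAULT}, tagged={TRUSTED}),
        "iot_plug": Port(pvid=DEFAULT, untagged={DEFAULT}),        # IoT-only port
        "nas":      Port(pvid=DEFAULT, tagged={DEFAULT, TRUSTED}),  # shared service host
    })


if __name__ == "__main__":
    sw = build_home_switch()
    print(sw.forward("iot_plug"))           # untagged IoT frame -> {'router': None, 'ap': None, 'nas': 1}
    print(sw.forward("ap", TRUSTED))        # trusted WiFi client -> {'router': 20, 'nas': 20}
    print(sw.forward("iot_plug", TRUSTED))  # tag 20 on an IoT-only port -> {} (dropped)
```

The last call is the isolation check worth keeping in mind: a frame tagged for the Trusted VLAN arriving on a port that is not a member of it never leaves the switch.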
In Part 2, we look at how we can expose our Linux based services on multiple VLANs even if the machines only have a single interface.