Suggestion needed on subnet/VLAN granularity

So I have a broken foot and have two months to spend at my desk. Lots of time to improve my home network.

Here is a picture of the actual situation.

I have only one subnet as the smart switch (16 ports) was aquired this week.

  • The grayed boxes show equipment that is physically in the same room.
  • There is only 1 CAT6 from the ground floor to the locker downstairs (damn).
  • There is 2 CAT6 from the locker room to the garage.
  • The garage is 20m from the locker room.

My main concern is to protect the Server, running:
Emby (video server) in a jail
Asset (music server) in a debian VM

The main threat seems to be the WAP on the same unmanage switch than the server.

Here are some questions on how this should be subdivided

  1. I guess I should put another smart switch in the locker in order to put the server and the WAP on two different subnets?
  2. Is the Kid’s PC more at risk than adult’s PC, hence requiring a subnet for the kid?
  3. What are the risks of the VoIP AT
  4. What are the risk of the Lutron (smart light switch).

Any insights on how to subdivide this would be greatly appreciated.


  1. I would recommend putting a smart switch where there is a unmanaged switch

  2. If you don’t want your kids reaching the admin portals of your servers then I would separate them out but, I would put the adult and kids pc in the same VLAN and create block rules specifically for the kids.

  3. I would put the voip in its own VLAN and lock it down. Even though it’s probably a small network it’s always good from a security standpoint that the right devices are able to access only what they need.

  4. I put all IoT devices on its own VLAN for security reasons and have granular control over what devices connect to what. Also don’t want them going rogue and phoning home.

On a side note I personally I like to put all server and management devices on it’s on VLAN. And please put the guest network on it’s own VLAN if it isn’t already lol. Also this configuration might be overkill to some but, I I’m all about security especially when it comes to my own network :slightly_smiling_face:

1 Like

It sounds like you believe vlans can do more than it can! It will just segment your network, not make it more secure, but it can help make it more secure.

Agree with @xMAXIMUSx mostly. Though I would put in place a children’s vlan for more control not security.

I’d have the cams on a vlan with access to the Internet blocked, won’t be long before they are unsupported. Do not forward those cam ports or you’ll be found on shodan.

802.1x will ensure that username / password / certificate are needed for WiFi access instead of the same password. Handy if your AP supports multiple ssids.

The printer I’d put on a vlan which can be accessed by all other vlans, so guests, children and adults can print but still be isolated.

The vlans are easy to setup once you know how, but if you want more security you need to harden pfsense… Set up openvpn to access cams etc…

As you say you have time… Your network can easily suck all that up.

1 Like

Oh the other thing is you need to set up rules accordingly between vlans depending on how you want traffic to flow, or you’ll end up with basically the same setup but with vlans now.

Personally I blocked all ports then added them as I needed them to an alias. Took a while but eventually got there.

I have the odd instance where a Web page won’t work because so many things are locked down. In that case I’ll jump on the guest vlan which is completely open.

If it helps my vlans consist of:

1 - MGMT for switches, AP, routers
2 - ISP for traffic leaving via my ISP
3 - VPN for traffic leaving via my VPN
4 - CAM for for IP cams
5 - GUEST for guests
6 - IoT for tablets and phones that go out via my VPN
7 - PRINT for my printer


I am not sure I understand what your say here…

I understand than VLANs are not safe as is.

But once iptables exists in an unmanaged switch on a single network, nothing prevents a compromised device to access any other host on the same network. Higher security arise when firewall rules block traffic between subnets.


In my actual setup, I already have as much control over the kid as I think is possible within a single network.

  • All the kid’s devices are on static IPs
  • Schedules to manage WAN access
  • DNS at

I understand that since even me can click a compromised attachment though email, my desktop PC is to be considered at same risk level as the kid’s PC so no need to to segregate me and kid in different subnets.

Also, cameras are already blocked from WAN access except through my openVPN.

The thing is, like for VPN marketing picturing it as absolutely necessary, subnetting a home network by router physical NIC (if any) or VLANs does not have consensus.

Some say that with solid firewall rules, chances of beeing hacked are dim. But ransomware do exist and I can appreciate how subnets can increase protection.

But honestly, like for VPN again, I am not convinced this is necessary. But since I have much time to spend for 2 months, I am willing to fiddle with pfSense and smart swiches.

That said, if any of you want to list pros and cons of going all that way, I am all ears.

And thanks for your input.

@neogrid @xMAXIMUSx

What I mean is that while vlans will segment traffic, you will still have a need to have cross vlan traffic, it depends on the rules.

If somehow access is gained on your vlan, then access to your router is possible then vlans won’t matter. Putting in rules on your IoT / Childs vlan to prevent access to the pfsense GUI is an easy solution for example.

IMHO it’s more efficient to apply rules to a network than an IP address. Just add the new machine to the vlan, nothing else to do.

You’re probably much more secure running pfsense rather than something else, it took me at least, a while to come up with a small suite of rules that worked but I could also easily follow. If you have too many rules, it can be difficult to troubleshoot.

As for ransomware, the best thing is not to allow it access to the internet and vice versa, if possible.

Best to take constant snapshots while you are tweaking pfsense, it will come in handy later.

Here is an update network scheme of what I understand you are proposing. That would be 9 VLANs.

What do you think of that?
Is it not a bit overkill? Be honest; I have already ordered an additional 5 port smart switch and have plenty of time.

How do you think the QoS wizard in pfSense will deal with that ?

Thanks again

Looks fine.

Though I would have a management vlan and place switches / APs on that.

I would match the vlan numbering with subnets, I’ved used 10’s as it’s easier to remember.

Vlan 1 tends to be a default, I wouldn’t use it, instead start from 10 onwards.

LOL 5 port switch, to few ! If you can run more cable I would put 2 in an LACP lagg when connecting 2 switches.

I think you will have fun with the rules :slight_smile:

1 Like

Seems weird with the extent of the network but it’s in the locker room downstairs. For now, I dont see it would need more.

Unless I had gotten an 8 POE managed…, not the same price.

  • Uplink
  • Locker cam
  • Server
  • AP in the garage
  • Switch in the garage

Not sure as I haven’t used it. Instead I’ve used Limiters to address buffer bloat. There are many options for traffic shaping, some really pressing the skull, I’m only familiar with Limiters.

1 Like

If I replace the number for VLAN1 to VLAN5, would it not be the management VLAN with only pfSense and the 2 smart switches ?

What PC would be safe enough to be on this VLAN ?

IMHO ordinarily PC’s wouldn’t need access to the GUI of switches, AP’s etc.

However, in my home network I allow my ISP vlan access to the MGMT vlan, mainly because I can’t be bothered to switch cables.

Personally I prefer to keep the vlans and modify rules.

You SSH them?

Mines are just low cost smart switches, not full managed. No SSH or console port. The only way to configure the vlan’s ports are through the GUI.

I just access them via the GUI. I have a rule that allows my ISP-VLAN to access the MGMT-VLAN, from a networking point of view I can see why you wouldn’t in an organisation.

So either put everything on the same network or have rules dictating what you allow across vlans. Six of one half a dozen of the other, so to speak.

1 Like

@neogrid @xMAXIMUSx

The physical server T610 has 3 physical LAN.

  • iDRAC
  • LAN0
  • LAN1

As of now, only the iDRAC and LAN0 are used but in a single subnet.

The T610 is running TrueNAS which itself has:
A few data repository

  • camera recording
    • connected to my PC through iSCSI (maybe I should try to run the NVR in a VM on TrueNAS ?)
  • Media
    • accessed from either Emby server or my PC through SMB
  • Docs
    • accessed from my PC through SMB

A few jails and a VM

  • Emby server, accessed from the Android TV box (Kodi)
  • Seafile server, accessed from my PC only (for now)
  • Asset server, accessed from my music streamer AND cellphone as a control point

Q1 - As I am segmenting through VLAN subnets, should I make any use of the LAN1 on the T610

Q2 - Should the TrueNAS file hosting be in different vlans than the VM and jails that are servers and mainly accessed from IOT?

Q3 - Should I start another thread named TrueNAS VMs and subnets ? :grin:

I don’t think it’s that complicated.

Some devices will need access to services on a different network. So those services could be hosted on a machine capable of accessing multiple vlans or one vlan. So either you create rules to allow access for say your phone or you move your phone to that network.

If you want to put your phone in an IOT vlan isloated from the rest of the network, you have to decide if you then want to use that device to access your secure network.

It’s easier to create rules for the networks and then move devices between them, say like your phone.

Either way, after a few iterations you will find what works for you and then just stick with it.

As I’m using vlans, I just have the LAN configured directly on pfSense in case I need to access pfsense directly for some reason.

1 Like

One thing I am implementing during my time off work in November is to move all traffic to a VLAN this allows the default VLAN to be isolated from the rest of my network, So unless a port has been given access to a VLAN it will go nowhere.

Here are the VLANs I have for my new setup:
Core Network
Server IPMI
Physical Servers
Virtual Servers
Security Cameras & Smart Home
Entertainment, Printers & Scanners

I always try to think of VLANs as if I had to add physical hardware and cabling otherwise I found I got VLAN crazy and at one point in on of my previous designs had over 25 VLANs

1 Like

VLANs can become a rabbit hole and an administrative burden. If somebody gets onto your network, they will pivot from VLAN to VLAN without much friction. It’s safe to assume your “adult pc” will have access to everything, since that will be from where you touch all the things. Somebody breaks that glass door and all those VLANs become a moot point.

For a home network, you would simply segment the things you trust from the things you do not trust. Personal computers and servers are both “trusted” and with or without VLANs will be able to talk to each other regardless. What’s the point of sticking the servers on a separate VLAN only to create firewall rules opening all the ports lol. You don’t run a service you don’t intend to use right?

Really you only “need” 2 segments: One for IOT (which you have little to no control over, and no insight) and one for the devices you do control and have insight (personal computers / servers).

You could establish a third segment for Cameras, plop a VPN server onto that segment and require a VPN connection (from both internal and external) for access - this is a way to add authentication before accessing the Camera VLAN - just depends on the sensitivity of what those cameras see.

The best modern defense is update your junk, put encryption + authentication in front of sensitive information, and have some type of backups + snapshots to help protect against ransomware. Always assume you’re compromised and adjust accordingly.

That’s exactly why I started this post and why, while I have time to invest in trying this, I am skeptical on the usefulness of the whole operation.

In one of his videos on YT, @LTS_Tom is showing how to use mDNS to isolate the IOT from one vlan to the other. This is the only thing, from what I gathered from different vlan segmenting videos, that may convince me that it’s worth the effort to do segmentation.

Otherwise, if I put let’s say, my Android TV box in a VLAN for unsecure IOT, only for it to pull movies or music from the NAS; my limited knowledge of network security keeps me skeptical.

I am still awaiting the delivery of the second smart switch so there is still time to make my mind from all the different comments I get here.

Not to say either is right or wrong; more like different schools. I am just too much of a noob to have a straight opinion. I just have the will to learn and time to spend…

So for movies / NAS working with IOT is tricky business. Some form of compromise has to be made when you only have the 1 silo.

Ideally the bastion server will be your Media server (in my case Plex) that ultimately has access to both networks and is ultimately the weak point. But at least it becomes a single port of entry which you can attempt to protect (hardening etc…) it to limit the attack surface. I would limit its amount of access to the NAS (no web GUI, no management access) and limit what shares it has access to. Again most of the “security” being in how you configure your storage and media server than the segment / firewall.

1 Like