
Guest Networks & VLAN Isolation

Set up isolated guest networks and VLANs to protect your main network from untrusted devices and IoT security risks.

Why Isolate Networks?

On a flat home network, every device can potentially reach every other device. A compromised smart bulb could scan your NAS, and a guest's infected laptop could access your shared folders. Network isolation prevents this.

Guest Network Basics

Most modern routers support a guest network — a separate Wi-Fi SSID with its own password and client isolation:

What guest isolation does:

  • Guests can access the internet but not your LAN devices.
  • Guest devices cannot see or communicate with each other.
  • You can set bandwidth limits for the guest network.
  • Some routers allow time-based access (auto-expire after 24 hours).

What to put on the guest network:

  • Visitors' devices.
  • IoT devices (smart speakers, cameras, thermostats).
  • Anything you do not fully trust.

VLANs: Advanced Isolation

VLANs (Virtual LANs) segment a network at Layer 2, enforced by the switch itself. Each VLAN is a separate broadcast domain with its own subnet, and traffic between VLANs has to pass through the router, where firewall rules apply.

Typical home VLAN setup:

VLAN      Subnet             Purpose
VLAN 1    192.168.1.0/24     Management (router, switches)
VLAN 10   192.168.10.0/24    Trusted devices (laptops, phones)
VLAN 20   192.168.20.0/24    IoT devices (cameras, sensors)
VLAN 30   192.168.30.0/24    Guest access

Hardware Requirements

For VLANs you need:

  • Managed switch — Supports VLAN tagging (802.1Q). UniFi, Netgear, TP-Link managed switches start at $30.
  • VLAN-capable router — pfSense, OPNsense, UniFi, or many prosumer routers.
  • VLAN-capable access point — Must support multiple SSIDs mapped to different VLANs.

Firewall Rules Between VLANs

# Typical inter-VLAN rules:
VLAN 10 (Trusted) → Internet: ALLOW
VLAN 10 → VLAN 20 (IoT): ALLOW (to control devices)
VLAN 20 (IoT) → VLAN 10: DENY (IoT cannot access personal)
VLAN 20 → Internet: ALLOW (for cloud services)
VLAN 30 (Guest) → VLAN 10: DENY
VLAN 30 → VLAN 20: DENY
VLAN 30 → Internet: ALLOW
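
The rule list above depends on two things it does not spell out: a stateful firewall, so that replies to connections opened from VLAN 10 still pass despite the IoT → Trusted DENY, and a default deny for pairs it never lists, such as anything to VLAN 1. The Python model below is an added example, not part of the original page; the `Firewall` class, the `zone_of` helper, the host-pair connection tracking and the default-deny fallback are assumptions made for illustration.

```python
import ipaddress

# Subnets from the VLAN table above; any other address counts as "internet".
VLANS = {
    1: ipaddress.ip_network("192.168.1.0/24"),    # Management
    10: ipaddress.ip_network("192.168.10.0/24"),  # Trusted
    20: ipaddress.ip_network("192.168.20.0/24"),  # IoT
    30: ipaddress.ip_network("192.168.30.0/24"),  # Guest
}

# The page's rule list, in order: (source zone, destination zone, action).
RULES = [
    (10, "internet", "ALLOW"), (10, 20, "ALLOW"),
    (20, 10, "DENY"), (20, "internet", "ALLOW"),
    (30, 10, "DENY"), (30, 20, "DENY"), (30, "internet", "ALLOW"),
]

def zone_of(addr):
    """Map an IP address to its VLAN ID, or "internet" if it is in none."""
    ip = ipaddress.ip_address(addr)
    for vlan_id, subnet in VLANS.items():
        if ip in subnet:
            return vlan_id
    return "internet"

class Firewall:
    """First-match evaluation with default deny and simplified state tracking."""
    def __init__(self, rules):
        self.rules = rules
        self.established = set()  # (initiator, responder) host pairs; real firewalls track ports too

    def decide(self, src, dst):
        # Replies to a connection that was allowed earlier pass statefully.
        if (dst, src) in self.established:
            return "ALLOW"
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone and src_zone != "internet":
            return "ALLOW"  # same VLAN: switched at Layer 2, never reaches the router
        for rule_src, rule_dst, action in self.rules:
            if (rule_src, rule_dst) == (src_zone, dst_zone):
                if action == "ALLOW":
                    self.established.add((src, dst))
                return action
        return "DENY"  # assumption: anything the list does not mention is dropped

if __name__ == "__main__":
    fw = Firewall(RULES)
    flows = [("192.168.20.7", "192.168.10.5"), ("192.168.10.5", "192.168.20.7"),
             ("192.168.20.7", "192.168.10.5"), ("192.168.30.9", "192.168.1.1")]  # constructed
    for src, dst in flows:
        print(src, "->", dst, fw.decide(src, dst))
```

The same IoT → Trusted flow is denied before the trusted host opens a connection and allowed afterwards as a reply, which is what the ALLOW/DENY pair for VLAN 10 and VLAN 20 means on a stateful firewall.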

Quick Setup Without VLANs

If your router does not support VLANs, you can still improve security:

  1. Enable guest network with client isolation.
  2. Change default passwords on all devices.
  3. Disable UPnP — prevents devices from opening ports automatically.
  4. Keep firmware updated on all network devices.
