Is the title Greek to you? Or, like me until recently, do you have only a vague idea of what a VLAN is? There is a good reason to divide your home network with VLANs. I’ll introduce VLANs, why they make sense, and give a general overview of how to create them.
What’s a VLAN?
I’m going to explain this from my perspective as an amateur. A VLAN, or Virtual Local Area Network, is easy to wrap your head around; less easy to implement sometimes. This is going to be super basic (relatively), since true IP subnetting and VLAN assignments are in truth much more complicated.
Single LAN (most common)
The basic home network consists of the WAN (or connection to the web) and the LAN (Local Area Network). Your router assigns IP addresses to each device and handles all traffic on the network. Devices on the LAN can also see and talk to each other since all devices are in the same IP subnet range (e.g. 192.168.1.X).
In general, this is okay. We usually want things to talk. It’s convenient: since everything is on the same network (or IP subnet), no fancy firewall rules have to be applied to allow crosstalk between subnets (from IP 192.168.2.X to 192.168.1.X, for example).
Multiple VLANs/subnets (less common)
In this network devices are grouped based on type of device. Division is also based on the type of access needed for functionality. This network has several divisions: web servers, entertainment devices (smart TVs, Roku streaming devices), IoT devices (Amazon Echo, Google Home, Hubitat, SmartThings), and the native LAN. Typically, trusted devices are left on the native (or base) LAN. These devices are typically your main PC, network attached storage devices, printers, etc.
Why divide your home network with VLANs?
What’s the advantage here? Why divide your home network with VLANs this way? In a nutshell: improved security. If a device on one VLAN is compromised, it cannot freely reach the rest of the network. Through firewall rules we define exactly how each device on the VLAN talks to devices on other VLANs.
IoT devices and Smart TVs in particular can be problematic from a security standpoint. These devices may not have regular firmware updates, and this can jeopardize the network. As an example, how many times has your phone or Windows PC been updated? Pretty sure I have updated my phone 3 times this last week. These updates are crucial to plugging security holes.
Another item specific to some IoT devices is their “chattiness”. Some of these things can spam a network with data. While this isn’t usually a problem in small networks of a couple hundred devices or less, I just find it annoying and sloppy. Keep that chatting within the network it’s meant for.
If you’ve got a small network with a handful of devices, you probably don’t need to worry about separating your devices at all. On the other hand, if your network is like mine and has 50 or more devices that include IoT devices, Smart TVs, and a web server, you should probably consider limiting some of the data being transferred.
Okay, so how do I do it?
Most routers now have the ability to add a virtual network. Usually the ability is found in the advanced settings part of your router. In a nutshell, to create a VLAN you define the network (IoT, Entertainment, NoT, VOIP) and then assign devices to it.
My network uses the Ubiquiti Unifi network OS, so it is not going to look or work the same as non-Unifi routers. In general, the basic process is the same. In my case, I created 5 networks in addition to the native LAN: Amcrest, Entertainment VLAN, IoT VLAN, VPN, and Web Server VLAN. Each VLAN operates on a different subnet. For example, you can assign IoT devices IP addresses in the subnet 192.168.2.X, Entertainment devices in the subnet 192.168.3.X, and so on. Many operators will make the subnet match the VLAN ID. For example, my IoT devices have a VLAN tag of 3, and the IP addressing follows 192.168.3.X. This makes it easier to determine a device’s VLAN simply by looking at the IP address.
Something that Unifi does that is very nice is that it allows you to manually specify the number of IP addresses that a given subnet can lease. For example, my web server is on a subnet completely by itself. It has zero communication with the rest of my network. It’s also the only device on the subnet, so I limited the IP range of that subnet to only a few IP addresses.
Here’s where it can get a little more complicated. Prosumer routers and access points like Ubiquiti’s Dream Machine support broadcasting multiple wireless SSIDs. Many lower-cost consumer-grade routers do not. You’re stuck with one main WiFi network plus a guest network.
If you really want to subdivide your network, however, you can still do it even if your router doesn’t allow multiple SSID broadcasting. Just use the guest network. Generally, the guest network is assigned a subnet of its own and is not allowed to communicate with internal network devices. While not the best option, if you have no other option I’d recommend this for at least Smart TVs and IoT devices that don’t have to communicate with other network devices.
Unifi is pretty cool with their way of handling VLAN assignments on WiFi SSIDs. Simply add a new WiFi network and under the Network dropdown select the correct network assignment. Unifi handles the rest. The router creates a new SSID with the given name and assigned network. Any devices that join this network will be part of the appropriate VLAN and subnet.
Of note, don’t worry about a WiFi network if the only devices attached to that VLAN are wired. My web server, for example, is on a network that is hardwired. No need for a WiFi connection. Likewise, my camera network is all hardwired, and thus doesn’t need its own WiFi network. I personally prefer hardwired, but there are times that WiFi is unavoidable.
The firewall is where the magic happens when you divide your home network using VLANs. It’s great that you’ve got everything in its own virtual space. One problem: it’s not really working for you yet. Plus, interdependencies will break; Smart TVs that pull media from Plex won’t be able to find the Plex server, and automations won’t work since they can’t find the controller. Been there, done that.
Rule of thumb: treat everything as hostile and only allow specific connections. What does that mean? Let’s consider the following:
- Example 1: I have a Synology NAS that hosts shared files for all computers. The NAS also runs the Plex media server. I have all my streaming media devices (Smart TVs, Roku players) on a VLAN. These devices can see and chat with each other because they are on the same subnet but they cannot see or communicate with the NAS because it is on the native LAN. As a result, my streaming devices cannot access the content on Plex.
- Example 2: My home automation devices are all on a separate subnet and VLAN. However, my Raspberry Pi4 that runs Node-RED and Pi-Hole is on the native LAN. I only need the hub to see the Pi4, everything else only needs to see the hub.
- Example 3: My hub backs up to my NAS FTP server weekly. Both are on different subnets, but the information only has to flow one way. I do not need a rule created to allow information to flow back to the hub.
Creating rules for access
Using firewall rules we will create the channels that allow specific devices to accomplish their specific tasks while blocking all other traffic. These rules should be specific and limited in scope.
Unifi handles things a little differently than other routers. However, the basic principles are the same. You’ll have to follow the specific guide for your router to add the rules. In general, remember that the rules need to allow communication both ways; you’ll need a rule for the device to request data and a rule to send the data back.
For example, using the first scenario, I need to allow my streaming devices access to Plex. I’m going to create a rule that allows the Entertainment VLAN network to communicate specifically with the Plex server on my NAS. More specifically, devices can communicate with my server only on specific ports. For example, the Entertainment network can communicate with the NAS at IP 192.168.5.1 on ports 32400, 1500, and 2490 (examples). I’ll create another rule in reverse to allow return traffic from the NAS IP and port group to the Entertainment network.
Creating rules to block access
The remaining handful of rules that I create deny connections between VLANs unless explicitly allowed by previous rules. These are pretty easy; essentially the rules will drop all requests from one VLAN to another and to the native LAN. This is a broad rule and pretty easily secures inter-VLAN chatting. It also makes it more difficult for a compromised device to access your trusted network.
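To make the ordering concrete, here is an added example (not from the post or from Ubiquiti) that models the three scenarios above as a first-match rule list: specific allows first, broad drops last, with unmatched flows (such as those from the trusted native LAN) allowed. Ports 32400/1500/2490 and VLAN 3 for IoT come from the post; every address is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not the post's or Ubiquiti's code. All addresses are constructed;
# only the Plex ports and the IoT VLAN number (3) are taken from the post.
LAN = ipaddress.ip_network("192.168.1.0/24")   # native LAN (trusted)
IOT = ipaddress.ip_network("192.168.3.0/24")   # IoT VLAN 3
ENT = ipaddress.ip_network("192.168.4.0/24")   # Entertainment VLAN
NAS = ipaddress.ip_network("192.168.1.5/32")   # Synology NAS running Plex and FTP
PI4 = ipaddress.ip_network("192.168.1.20/32")  # Raspberry Pi4 (Node-RED, Pi-hole)
HUB = ipaddress.ip_network("192.168.3.10/32")  # automation hub on the IoT VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")
PLEX = frozenset({32400, 1500, 2490})

@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[frozenset] = None    # None means any port
    dport: Optional[frozenset] = None

RULES = [
    # Same-subnet traffic is switched, never routed, so it always passes.
    Rule("allow", ENT, ENT), Rule("allow", IOT, IOT),
    # Example 1: streaming devices reach Plex on the NAS; replies come back.
    Rule("allow", ENT, NAS, dport=PLEX), Rule("allow", NAS, ENT, sport=PLEX),
    # Example 2: only the hub may talk to the Pi4, and the Pi4 back to the hub.
    Rule("allow", HUB, PI4), Rule("allow", PI4, HUB),
    # Example 3: weekly FTP backup from the hub to the NAS, initiated one way.
    Rule("allow", HUB, NAS, dport=frozenset({21})),
    # Broad drops last: anything leaving a VLAN that was not allowed above dies here.
    Rule("drop", ENT, ANY), Rule("drop", IOT, ANY),
]

def _port_ok(allowed, port):
    return allowed is None or port in allowed

def decide(src, sport, dst, dport, rules=RULES):
    """Action of the first rule matching the flow; flows matching no rule
    (for example, those started from the trusted native LAN) are allowed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and _port_ok(r.sport, sport) and _port_ok(r.dport, dport):
            return r.action
    return "allow"

if __name__ == "__main__":
    print(decide("192.168.4.20", 50000, "192.168.1.5", 32400))  # allow: Plex
    print(decide("192.168.4.20", 50000, "192.168.1.5", 445))    # drop: SMB on the NAS
    print(decide("192.168.4.20", 50000, "192.168.1.1", 443))    # drop: VLAN PC to router UI
```

Passing `rules=sorted(RULES, key=lambda r: r.action != "drop")` puts the drops first and shows why the broad deny rules must come after the specific allows: the Plex flow is then dropped. The last print is the lock-out case from the note below about managing the router from a PC that sits on a VLAN.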
I’ve harped on this before, but I cannot overstate the importance of setting a static IP address for core network devices. When using VLANs it is essential if you are setting rules to allow access to specific devices between VLANs.
Something else to consider (only because I’ve seen some forums where it has happened)…don’t put the computer you are using to assign VLANs/subnets on a different subnet than the main router. You run the risk of kicking yourself out of the router settings if you don’t set the rules up appropriately beforehand. Not a huge issue, just inconvenient since you’ll have to use another device to get back into the router.
Lastly, if using Unifi OS, don’t forget that assigning DHCP reservations, creating the networks, and creating the rules won’t do anything until you assign a port profile to the specific switch ports. Not an issue with many other routers, but it’s a step I initially missed when I first started with Unifi.
Wrapping it up
“Large” network? Divide your home network with VLANs. In summary, this can improve both the security and the stability of your network. Even if your network is just a few IoT devices, segregating those smart TVs and cameras can potentially save you a headache later from compromised data. Questions? Drop a comment.
YouTube video on setting up VLANs and Firewall Rules using Unifi OS. Really breaks it down well using the latest Unifi OS version.
This article from Guru99 has a more in-depth explanation of VLANs and uses.