April 18, 2026 · 10 min read

VLANs explained for homeowners: why your IoT devices should not share a network with your laptop

A VLAN splits one physical network into separate segments that cannot see each other. Here is the non-engineer version: what VLANs do, why they matter once you have 10+ smart devices, the typical home layout, and why the setup is easier than it sounds.

Tags: VLANs, Network security, IoT, Smart Home, Networking

If you’ve read anything we’ve written about guest Wi-Fi isolation, camera segmentation, or IoT security, you’ve seen the word “VLAN” come up repeatedly. Most explanations of VLANs are written for network engineers and are full of terms like “802.1Q tagging” and “trunk ports” that are not useful if you just want to know what it does and why it matters for your house.

This is the homeowner version.

What a VLAN is, in one sentence

A VLAN is a way to split one physical network into multiple separate networks that can’t see each other unless you explicitly allow it.

That’s it. Everything else is implementation detail.

Why it matters for your house

A typical home network in 2026 has 30–60 connected devices: phones, laptops, tablets, TVs, game consoles, smart speakers, thermostats, door locks, light switches, cameras, robot vacuums, appliances, doorbells, garage openers, and whatever else showed up on Black Friday.

On a normal home network — the one your ISP router creates by default — all of these devices are on the same network. They can all see each other. Your work laptop and your Ring doorbell are neighbors on the same wire. Your kid’s gaming PC and your smart lock share a subnet. A cheap smart plug from Amazon and your banking session live on the same broadcast domain.

This is the digital equivalent of an office building where every tenant has a master key to every other tenant’s office. It works, until it doesn’t.

The risk is not theoretical

IoT devices are the weakest link on any network. Not because the idea is bad, but because the hardware is cheap and the manufacturers are incentivized to ship fast, not patch forever.

  • Mirai (2016): a botnet that compromised hundreds of thousands of IP cameras and DVRs with default passwords, then used them to launch one of the largest DDoS attacks in history. Those cameras were on the same network as everything else in the house.
  • Eufy (2022–2023): security cameras that were supposed to be “local only” were discovered sending unencrypted thumbnails to cloud servers. On a flat network, a compromised Eufy camera has the same network access as your laptop.
  • Smart bulbs and plugs: multiple vendors have shipped devices with hard-coded credentials, open Telnet ports, or unencrypted local APIs. A compromised $12 smart plug on a flat network can scan and attack your work machine.

A VLAN doesn’t make the IoT device more secure. It makes the rest of your network secure from the IoT device.

How VLANs work (the non-engineer version)

Think of a VLAN like floors in a building. Every floor has its own hallway and rooms. People on one floor can’t walk to another floor unless there’s a staircase (a firewall rule) explicitly connecting them.

In network terms:

  • You create a VLAN and give it a number (like VLAN 20 for IoT, VLAN 30 for Guest, VLAN 10 for Main).
  • You create a Wi-Fi SSID and bind it to that VLAN. Connecting to the “MyHome-IoT” SSID lands you on VLAN 20. Connecting to “MyHome” lands you on VLAN 10.
  • The router/firewall applies rules between VLANs: “VLAN 20 (IoT) can reach the internet but cannot initiate connections to VLAN 10 (Main).”
  • The switch and APs carry all the VLANs on the same physical cables — the tagging is invisible to the devices. No extra wiring needed.

The devices don’t know they’re on a VLAN. They connect to their SSID, get an IP address, and talk to the internet. They just can’t talk to devices on other VLANs unless the firewall allows it.

The typical home VLAN layout

This is what we deploy on most installs (we covered this from the guest-Wi-Fi angle in a separate post; this is the VLAN-specific deeper dive):

VLAN 10 — Main (trusted)

Phones, laptops, desktops, tablets. The devices you own, patch, and trust. This VLAN can reach everything if needed (though we usually restrict it from reaching the camera VLAN directly — you use the NVR app, not direct camera access).

SSID: MyHome

VLAN 20 — IoT

Thermostats, smart plugs, smart switches, robot vacuums, appliances, TVs, streaming sticks. Can reach the internet for cloud services and updates. Cannot initiate connections to VLAN 10. Your phone on VLAN 10 can reach into VLAN 20 to control devices (via mDNS reflector or explicit allow rules), but a compromised smart plug cannot reach back out to scan your laptop.

SSID: MyHome-IoT

VLAN 30 — Guest

The SSID you give to visitors. Internet-only. Cannot reach any other VLAN. Client-to-client isolated (guests can’t see each other’s devices either). Optionally rate-limited to prevent a guest from pegging your upload.

SSID: MyHome-Guest

VLAN 40 — Cameras

Security cameras on their own isolated network. Can only reach the NVR (which sits on this VLAN or has an interface on it). Cannot reach the internet, cannot reach IoT, cannot reach Main. This is the most locked-down VLAN in the house, because cameras are high-value targets and should have the smallest attack surface possible.

No SSID (cameras are wired on PoE).

VLAN 50 — Media / Sonos (optional)

For homes with Sonos or other multicast-heavy devices that need mDNS discovery from Main but benefit from being logically separated. An mDNS reflector bridges discovery between Main and Media so the Sonos app finds the speakers.

SSID: MyHome-Media (or shared with IoT, depending on complexity).

The mDNS / Bonjour problem (and the fix)

The most common gotcha when segmenting a home network: devices that use mDNS (Apple’s Bonjour protocol) to discover each other stop working across VLANs. This includes Sonos, AirPlay, Chromecast, HomeKit, printers, and Apple TV.

The fix is an mDNS reflector (or “mDNS repeater”) — a small service on the router that copies mDNS announcements between specified VLANs. UniFi has a built-in toggle for this. On other platforms (pfSense, OPNsense, MikroTik), it’s a package or a script.

With the reflector enabled between Main and IoT/Media, your iPhone on VLAN 10 discovers your Sonos speakers on VLAN 20 or VLAN 50 as if they were on the same network. Playback works. AirPlay works. But the speakers still can’t initiate connections back to your laptop. Best of both worlds.

What gear supports VLANs (and what doesn’t)

  • Supports VLANs: UniFi (all models), Aruba Instant On, TP-Link Omada, MikroTik, pfSense, OPNsense, Firewalla, most managed switches.
  • Does not support VLANs: most consumer routers (Eero, Google Wifi, Orbi, Nighthawk, TP-Link Deco, Asus consumer). These may have a “guest network” toggle, but it’s not a real VLAN with firewall rules — it’s a simplified isolation that usually falls short.

This is one of the primary reasons we recommend moving off consumer routers once a house has more than a handful of smart devices. The mesh-vs-wired-AP decision is as much about VLAN support as it is about throughput.

Do you actually need this?

Honestly, not every house does. If you have a laptop, a phone, a TV, and a printer, a flat network is fine. The inflection point is usually:

  • 10+ IoT devices — enough cheap connected hardware that the risk surface becomes non-trivial.
  • A work-from-home setup — your employer’s data should not share a broadcast domain with your Ring doorbell.
  • Cameras — especially local-NVR cameras that store footage on-premises. Isolating the camera network prevents any single camera compromise from reaching the rest of the house.
  • Guests or tenants — an ADU, an Airbnb, or regular dinner parties. Anyone you give Wi-Fi to should not have access to your devices.
  • Kids — a separate VLAN with bandwidth limits and content filtering, if that’s something you care about.

If any of those apply, VLANs are worth the setup. If none of them do, a simple guest-network toggle is probably fine for now.

The setup is easier than it sounds

On UniFi, creating a VLAN is:

  1. Create a network (give it a name and a VLAN ID).
  2. Create a Wi-Fi SSID and assign it to that network.
  3. Write one or two firewall rules (e.g., “block IoT → Main, allow established/related”).
  4. Enable mDNS reflector if you have Sonos or AirPlay devices.

Total time for someone who’s done it before: 15 minutes. The devices themselves don’t need any configuration — you just connect them to the appropriate SSID.
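To make the firewall rules in step 3 and the VLAN layout above concrete, here is an added example (not the author's or UniFi's configuration) that models the first-match inter-VLAN rules and the "allow established/related" exception in Python, on constructed 10.0.x.y addresses. The host-pair connection table is an assumed simplification of how real gear tracks flows.

```python
from dataclasses import dataclass, field

# The article's segments; "internet" stands for anything beyond the WAN side.
MAIN, IOT, GUEST, CAMERAS, INTERNET = 10, 20, 30, 40, "internet"

# Ordered, first-match rules: (source VLAN, destination VLAN, action); "*" = any destination.
RULES = [
    (MAIN, CAMERAS, "block"),    # Main uses the NVR app, not direct camera access
    (MAIN, "*", "allow"),        # trusted devices may reach everything else
    (IOT, INTERNET, "allow"),    # cloud services and firmware updates
    (IOT, "*", "block"),         # IoT cannot initiate connections into Main
    (GUEST, INTERNET, "allow"),  # guest is internet-only
    (CAMERAS, "*", "block"),     # cameras reach nothing outside their own VLAN
]

@dataclass
class Firewall:
    # Allowed flows tracked by host pair (real gear tracks 5-tuples with timeouts).
    conntrack: set = field(default_factory=set)

    def check(self, src_vlan, src_ip, dst_vlan, dst_ip):
        """Decide one packet; remember allowed flows so their replies get through."""
        if src_vlan == dst_vlan:
            return "allow"  # same segment: the switch forwards it, the firewall never sees it
        # "allow established/related": a reply to a flow already allowed the other way.
        if (dst_vlan, dst_ip, src_vlan, src_ip) in self.conntrack:
            return "allow"
        for rule_src, rule_dst, action in RULES:
            if rule_src == src_vlan and rule_dst in ("*", dst_vlan):
                if action == "allow":
                    self.conntrack.add((src_vlan, src_ip, dst_vlan, dst_ip))
                return action
        return "block"  # default deny between VLANs

def walk_through():
    """Constructed traffic: a phone controls a plug, then the plug tries to reach back."""
    fw = Firewall()
    phone, laptop, plug = "10.0.10.5", "10.0.10.22", "10.0.20.17"
    cam, nvr, guest, cloud = "10.0.40.3", "10.0.40.2", "10.0.30.9", "203.0.113.10"
    return {
        "phone -> plug (control)": fw.check(MAIN, phone, IOT, plug),
        "plug -> phone (reply)": fw.check(IOT, plug, MAIN, phone),
        "plug -> laptop (new scan)": fw.check(IOT, plug, MAIN, laptop),
        "plug -> cloud": fw.check(IOT, plug, INTERNET, cloud),
        "camera -> cloud": fw.check(CAMERAS, cam, INTERNET, cloud),
        "camera -> NVR (same VLAN)": fw.check(CAMERAS, cam, CAMERAS, nvr),
        "guest -> laptop": fw.check(GUEST, guest, MAIN, laptop),
        "guest -> cloud": fw.check(GUEST, guest, INTERNET, cloud),
        "laptop -> camera (direct)": fw.check(MAIN, laptop, CAMERAS, cam),
    }
```

The plug's reply is allowed only because the phone opened the flow first; the same packet against a fresh firewall with no state is blocked.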

The first time takes longer because you’re learning the concepts. But once it’s set up, it runs silently forever. No ongoing maintenance, no subscription, no app updates. Just rules on a firewall doing their job.

Bottom line

A VLAN splits your network so your IoT devices, cameras, guests, and trusted devices each live on their own isolated segment. It doesn’t make cheap hardware more secure — it makes the rest of your network secure from cheap hardware. The setup is a one-time job on gear that supports it, and it runs silently for the life of the network.

If your house has more than a handful of smart devices, a work laptop, cameras, or guests on the Wi-Fi, VLANs are the single most impactful security improvement you can make without changing any hardware.

Keystone Integration designs and deploys VLAN-segmented networks across West Jordan and the rest of the Wasatch Front — guest isolation, IoT segmentation, camera networks, and the firewall rules that hold it all together. You can see the full list of what we do on our main site, or get in touch to segment your network properly.