Setting Up VLANs for IoT Devices: Secure Your Smart Home Network
Your smart home devices don't need access to your personal files. Here's how to use VLANs to isolate IoT devices on their own network segment, improving security without sacrificing functionality.
Your smart light bulbs don't need access to your family photos. Your robot vacuum doesn't need to see your work laptop. Yet on most home networks, every device can talk to every other device.
VLANs (Virtual Local Area Networks) solve this by segmenting your network into isolated zones. Your IoT devices can reach the internet but can't access your personal devices. Here's how to set it up.
Why Isolate IoT Devices?
Security Risks of Smart Home Devices
IoT devices are notoriously insecure:
- Rarely updated — Many manufacturers abandon devices after a year
- Weak security — Default passwords, unencrypted traffic
- Attack surface — Each device is a potential entry point
- Data collection — Some devices phone home with usage data
If a hacker compromises your smart plug, they could potentially access everything on your network — your NAS, your computers, your phone. VLANs prevent this lateral movement.
What is a VLAN?
A VLAN is a way to create separate networks using a single physical infrastructure. Devices on different VLANs can't communicate with each other unless you explicitly allow it.
Think of it like having two separate routers, but without buying extra hardware.
Common VLAN Setup
- VLAN 1 (Default) — Management, network equipment
- VLAN 10 (Trusted) — Computers, phones, tablets
- VLAN 20 (IoT) — Smart home devices, cameras
- VLAN 30 (Guest) — Guest WiFi, untrusted devices
What You Need
VLANs require hardware that supports them:
- A VLAN-capable router — UniFi Dream Machine, pfSense, OPNsense, or similar
- Managed switches — If you need wired VLANs (UniFi switches, TP-Link managed, etc.)
- VLAN-capable access points — To broadcast multiple SSIDs on different VLANs
Consumer mesh systems like Eero and Google Nest WiFi do NOT support VLANs. This is one of the main reasons enthusiasts choose UniFi or build their own router.
Setting Up VLANs (UniFi Example)
Step 1: Create the VLAN
- Open the UniFi Network console
- Go to Settings → Networks
- Click Create New Network
- Name it (e.g., "IoT")
- Set VLAN ID (e.g., 20)
- Configure DHCP range (e.g., 192.168.20.1/24)
- Save
Step 2: Create a WiFi Network for IoT
- Go to Settings → WiFi
- Click Create New WiFi Network
- Name it (e.g., "Home-IoT")
- Assign it to your IoT VLAN/network
- Set security (WPA2/WPA3)
- Save
Step 3: Set Up Firewall Rules
By default, VLANs can communicate with each other. You need firewall rules to block this:
- Go to Settings → Firewall & Security
- Create a rule: Block IoT to Trusted
- Source: IoT network
- Destination: Trusted network
- Action: Drop
- Save
You may also want to allow specific traffic, like letting IoT devices be controlled from your phone:
- Allow Established/Related connections (so your phone can initiate connections to IoT)
- Block New connections from IoT to Trusted (so IoT can't initiate)
Which Devices Go Where?
Trusted Network (VLAN 10)
- Computers, laptops
- Phones, tablets
- NAS / file servers
- Game consoles (if you trust them)
IoT Network (VLAN 20)
- Smart bulbs, plugs, switches
- Robot vacuums
- Smart TVs
- Security cameras
- Voice assistants (Alexa, Google Home)
- Smart appliances
Guest Network (VLAN 30)
- Guest devices
- Anything you don't fully trust
Common Issues and Solutions
Casting/AirPlay Doesn't Work
Chromecast, AirPlay, and Spotify Connect use mDNS/Bonjour to discover devices. This doesn't cross VLANs by default.
Solution: Enable mDNS reflector/repeater in your router, or use an Avahi reflector. In UniFi, enable "Multicast DNS" in network settings.
Smart Home App Can't Find Devices
If your phone is on the Trusted VLAN and your smart plug is on IoT, the app might not find it during setup.
Solution: Temporarily connect your phone to the IoT WiFi for initial setup, then switch back.
Devices Need Internet but Keep Failing
Make sure your IoT VLAN can reach the internet (WAN). Only block inter-VLAN traffic, not WAN access.
Testing Your Setup
After configuration:
- Connect a device to each VLAN
- Try to ping devices on other VLANs (should fail)
- Try to access the internet from each VLAN (should work)
- Test casting/AirPlay if you enabled mDNS reflection
Is It Worth It?
Setting up VLANs takes effort, but for me, the peace of mind is worth it. My cheap Chinese smart plugs can't snoop on my network traffic. My robot vacuum can't access my NAS.
If you're running dozens of IoT devices, VLANs are almost mandatory for proper security hygiene. If you have just a few devices and they're from reputable brands, it's less critical — but still a good practice.
Related Reading
- Compare routers that support VLANs in my mesh WiFi comparison
- Improve IoT WiFi coverage with my WiFiman guide
- Learn about Matter and Thread in my smart home protocols guide
