Setting Up VLANs for IoT: Why Your Smart Devices Need Their Own Network
Every IoT device is a potential security risk: cheap sensors, cloud-dependent cameras, devices that phone home to servers in unknown countries. My solution: every smart home device lives on a dedicated VLAN, completely isolated from my computers and phones.
The Problem
Most home networks are flat – everything sits on one subnet. This means a compromised smart bulb could potentially reach your laptop, NAS, or financial data. In 2024 alone, researchers found critical vulnerabilities in Tuya, Tapo, and Wyze devices. Network segmentation is not paranoia; it is basic hygiene.
My VLAN Setup
I run a UniFi Dream Machine Pro with three VLANs. VLAN 1 (10.0.1.x) is for trusted devices – laptops, phones, NAS. VLAN 20 (10.0.20.x) is for IoT devices that need internet access – cloud cameras, voice assistants. VLAN 30 (10.0.30.x) is for local-only devices – Zigbee coordinator, Home Assistant, local sensors. Firewall rules prevent cross-VLAN traffic except specific allowed flows.
What Gets Allowed Through
Home Assistant on VLAN 30 can reach devices on VLAN 20 to control them. Devices on VLAN 1 can access the Home Assistant web interface on VLAN 30. Nothing on VLAN 20 or 30 can initiate connections to VLAN 1. DNS requests from all VLANs go through Pi-hole on VLAN 30 for ad blocking and logging.
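As an added example (not part of the original post, and not UniFi's own configuration format), the following Python script models the policy from the two sections above as an ordered, first-match rule table and then audits the post's key invariant: nothing on VLAN 20 or 30 may open a connection to VLAN 1. The /24 masks, the Home Assistant address 10.0.30.10 and web port 8123, the Pi-hole address 10.0.30.5, and the exception that lets Pi-hole reach an upstream resolver are assumptions, not values from the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing that follows the post's three VLANs (/24 masks assumed).
VLANS = {
    "trusted": ipaddress.ip_network("10.0.1.0/24"),   # VLAN 1
    "iot":     ipaddress.ip_network("10.0.20.0/24"),  # VLAN 20
    "local":   ipaddress.ip_network("10.0.30.0/24"),  # VLAN 30
}
# Assumed host addresses and ports; the post names the hosts but not these values.
HOME_ASSISTANT = ipaddress.ip_address("10.0.30.10")
PIHOLE = ipaddress.ip_address("10.0.30.5")
HA_WEB_PORT = 8123
DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    """A new connection attempt: who initiates it, where to, and on which port."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def vlan_of(ip: str) -> str:
    """Map an address to one of the VLAN names, or 'internet' if it is off-net."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "internet"


# First-match rule table, in the order a firewall would evaluate it.
# Each predicate receives (flow, src_vlan, dst_vlan, src_ip, dst_ip).
# Only new connections are modelled: a stateful firewall admits the reply
# packets of an allowed connection without a separate rule.
RULES = [
    ("inbound from internet",         lambda f, s, d, si, di: s == "internet",                          "deny"),
    ("same VLAN",                     lambda f, s, d, si, di: s == d,                                   "allow"),
    ("all VLANs -> Pi-hole DNS",      lambda f, s, d, si, di: di == PIHOLE and f.dport == DNS_PORT,     "allow"),
    ("trusted -> Home Assistant web", lambda f, s, d, si, di: s == "trusted" and di == HOME_ASSISTANT
                                      and f.dport == HA_WEB_PORT and f.proto == "tcp",                 "allow"),
    ("Home Assistant -> IoT VLAN",    lambda f, s, d, si, di: si == HOME_ASSISTANT and d == "iot",      "allow"),
    ("block remaining inter-VLAN",    lambda f, s, d, si, di: d != "internet",                          "deny"),
    # Pi-hole must still reach an upstream resolver even though VLAN 30 is
    # otherwise local-only (assumed exception; the post does not mention it).
    ("Pi-hole -> upstream DNS",       lambda f, s, d, si, di: si == PIHOLE and f.dport == DNS_PORT,     "allow"),
    ("trusted/IoT -> internet",       lambda f, s, d, si, di: s in ("trusted", "iot"),                  "allow"),
    ("default deny",                  lambda f, s, d, si, di: True,                                     "deny"),
]


def evaluate(flow: Flow):
    """Return (verdict, rule_name) for the first rule that matches the flow."""
    si, di = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    s, d = vlan_of(flow.src), vlan_of(flow.dst)
    for name, matches, verdict in RULES:
        if matches(flow, s, d, si, di):
            return verdict, name
    raise AssertionError("rule table must end with a catch-all rule")


def audit_trusted_isolation(ports=(22, 53, 80, 443, 445, 8123)):
    """Check the post's invariant: no host on the IoT or local-only VLAN,
    including Home Assistant and Pi-hole, may open a connection to VLAN 1.
    Returns the list of flows that would be allowed (expected: empty)."""
    sources = [str(HOME_ASSISTANT), str(PIHOLE)]
    for vlan in ("iot", "local"):
        sources += [str(VLANS[vlan].network_address + n) for n in (7, 254)]
    targets = [str(VLANS["trusted"].network_address + n) for n in (1, 15)]
    leaks = []
    for src in sources:
        for dst in targets:
            for port in ports:
                for proto in ("tcp", "udp"):
                    flow = Flow(src, dst, port, proto)
                    if evaluate(flow)[0] == "allow":
                        leaks.append(flow)
    return leaks


if __name__ == "__main__":
    for flow in (Flow("10.0.1.15", str(HOME_ASSISTANT), HA_WEB_PORT),
                 Flow("10.0.20.7", "10.0.1.15", 445),
                 Flow("10.0.20.7", str(PIHOLE), DNS_PORT, "udp"),
                 Flow("10.0.30.22", "8.8.8.8", 443)):
        print(flow, "->", evaluate(flow))
    print("trusted-VLAN leaks:", audit_trusted_isolation())
```

Two points worth checking against a real rule set: the order matters (the specific allows for Pi-hole DNS and the Home Assistant web port sit above the blanket inter-VLAN deny, and the deny sits above the allow-to-internet rule, so a misordered table silently opens or closes flows), and a fully local-only VLAN 30 still needs a narrow exception for Pi-hole's upstream resolver or every VLAN loses DNS. The audit function is the kind of check to rerun whenever a rule is added.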
Setup took one afternoon. The result: even if every smart bulb in my house gets compromised, my personal data remains isolated. That peace of mind is worth the effort.