Why VLANs Matter for Smart Homes
A typical home network puts every device on the same flat network. Your laptop, your phone, your smart fridge, your IP cameras, and your kids' tablets all share the same subnet. This is convenient but creates a serious security problem: if any one device is compromised, an attacker has a clear path to everything else on the network.
Smart home devices — particularly cheap IoT sensors, budget cameras, and white-label smart plugs — are frequently found to have security vulnerabilities. Many phone home to Chinese servers. Some have hardcoded credentials. Putting them on your main network alongside your NAS, your work laptop, and your banking sessions is not a risk worth taking.
VLANs solve this. They partition your physical network into logically separate segments. IoT devices can still reach the internet but can't reach your main devices. Cameras can record to a NAS but can't be reached from the IoT VLAN. It's network security that actually works.
What Is a VLAN?
A Virtual Local Area Network (VLAN) is a logical partition of a physical network. Devices on different VLANs cannot communicate directly — traffic between VLANs must pass through a router or firewall, where rules can be applied.
From a device perspective, being on a VLAN feels identical to being on a normal network. The device gets an IP address, a gateway, and DNS — it just can't reach devices on other VLANs unless a firewall rule explicitly allows it.
What You Need
- A VLAN-capable router/gateway — UniFi Express, UniFi Dream Machine, or similar
- A managed switch (if you need wired VLAN ports) — UniFi switches recommended
- A Wi-Fi access point that supports multiple SSIDs with VLAN tagging — all UniFi APs do
- About 30-60 minutes of configuration time
Recommended VLAN Design
For a typical smart home, three VLANs cover most needs:
Main (192.168.1.0/24)
└── Laptops, phones, tablets, NAS, work devices
└── Full internet access, can reach NAS
└── Wi-Fi SSID: "SmartWired_Main"
VLAN 20 — IoT (192.168.20.0/24)
└── Smart bulbs, plugs, sensors, voice assistants
└── Internet access, NO access to Main VLAN
└── Wi-Fi SSID: "SmartWired_IoT"
VLAN 30 — Cameras (192.168.30.0/24)
└── IP cameras, NVR
└── NO internet, can reach NAS on Main VLAN (controlled)
└── Wired only (no Wi-Fi SSID needed)
Setting Up VLANs on UniFi
Step 1 — Create the Networks
In UniFi Network → Settings → Networks → Create New Network. Create one network for each VLAN. Set the VLAN ID (e.g., 20 for IoT), the subnet, and enable DHCP. Give each a descriptive name.
Step 2 — Create Wi-Fi SSIDs
Settings → WiFi → Create New WiFi Network. Create a separate SSID for your IoT devices (e.g., "Home_IoT"). Under "Network", select the IoT VLAN you created. Keep this network on 2.4GHz only — most IoT devices don't support 5GHz.
Step 3 — Configure Firewall Rules
This is the critical step. Settings → Firewall & Security → Rules. Rules are evaluated top to bottom and the first match wins, so the allow rules below must sit above the block rule or they never take effect. Create rules to:
- Block IoT VLAN → Main VLAN (deny all traffic from 192.168.20.0/24 to 192.168.1.0/24)
- Allow established/related sessions (so replies to connections you initiate from the Main VLAN still get through)
- Allow specific traffic if needed (e.g., mDNS for Home Assistant discovery)
Step 4 — Connect Your IoT Devices
Join your smart home devices to the IoT SSID instead of your main network. Start with devices you trust least — cheap plugs, sensors, voice assistants. Devices that need to talk to Home Assistant may need a specific firewall rule allowing traffic from IoT → Home Assistant's IP on specific ports.
Connecting Home Assistant Across VLANs
Home Assistant typically runs on your Main VLAN. Your IoT devices sit on the IoT VLAN. By default, they can't reach each other — which is what you want, except Home Assistant needs to discover and control those devices.
The solution is a targeted firewall rule: allow traffic from the IoT VLAN to Home Assistant's static IP on port 8123 (and any device-specific ports). This gives Home Assistant full control while keeping the IoT devices isolated from everything else on your main network.
For mDNS discovery (used by many smart home devices), enable Avahi or the Home Assistant mDNS repeater add-on to bridge discovery across VLANs without opening full network access.
Common Issues
Device not connecting to IoT SSID: Many smart home devices only support 2.4GHz. Ensure your IoT SSID is broadcasting on 2.4GHz and that minimum data rate isn't set too high.
Home Assistant can't discover devices: Enable the mDNS repeater add-on in Home Assistant, or create a firewall rule allowing mDNS (UDP port 5353) from IoT to Main VLAN.
Camera can't reach NAS: Add a specific firewall rule: allow Cameras VLAN → NAS IP address on port 445 (SMB) or whichever protocol your NVR uses.
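To make the policy from Step 3, the Home Assistant rule, and the two Common Issues rules (mDNS and Cameras → NAS) concrete, here is an added example that models a first-match firewall with basic connection tracking and runs constructed packets through the article's ruleset. It is not UniFi's code and not from the original article; the Home Assistant and NAS addresses (192.168.1.50 and 192.168.1.10), the device addresses and the internet address 203.0.113.10 are constructed placeholders. The second ruleset shows what goes wrong when the block rule is placed above the allow rules.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Subnets from the article's VLAN design.
MAIN = ip_network("192.168.1.0/24")
IOT = ip_network("192.168.20.0/24")
CAMS = ip_network("192.168.30.0/24")
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
MDNS_GROUP = ip_network("224.0.0.251/32")  # mDNS multicast group

# Constructed placeholders for the two hosts the rules name (not from the article).
HA_IP = ip_network("192.168.1.50/32")
NAS_IP = ip_network("192.168.1.10/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    src: Optional[IPv4Network] = None  # None matches any source
    dst: Optional[IPv4Network] = None  # None matches any destination
    proto: Optional[str] = None
    dport: Optional[int] = None
    internet_only: bool = False        # destination must be outside private and multicast space
    established: bool = False          # matches only replies to an already-tracked flow

    def matches(self, pkt: Packet, flows: set) -> bool:
        if self.established:
            # A reply runs dst->src of the tracked flow and answers from that flow's dport.
            return (pkt.dst, pkt.src, pkt.proto, pkt.sport) in flows
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        if self.src is not None and s not in self.src:
            return False
        if self.dst is not None and d not in self.dst:
            return False
        if self.internet_only and (d.is_multicast or any(d in n for n in PRIVATE)):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class Firewall:
    """First-match-wins ruleset with a minimal connection table; default deny."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (src, dst, proto, dport) of allowed new connections

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt, self.flows):
                if rule.action == "allow" and not rule.established:
                    self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.dport))
                return f"{rule.action}:{rule.name}"
        return "deny:default"


def recommended_rules():
    """The article's policy with the allow rules placed above the IoT -> Main block."""
    return [
        Rule("established", "allow", established=True),
        Rule("main-out", "allow", src=MAIN),
        Rule("iot-to-home-assistant", "allow", src=IOT, dst=HA_IP, proto="tcp", dport=8123),
        Rule("iot-mdns", "allow", src=IOT, dst=MDNS_GROUP, proto="udp", dport=5353),
        Rule("block-iot-to-main", "deny", src=IOT, dst=MAIN),
        Rule("iot-internet", "allow", src=IOT, internet_only=True),
        Rule("cams-to-nas", "allow", src=CAMS, dst=NAS_IP, proto="tcp", dport=445),
        # Nothing else matches the Cameras VLAN: no internet, no other LAN access.
    ]


def misordered_rules():
    """Same rules, but the block rule is first, so Main-initiated replies and the HA rule die on it."""
    rules = recommended_rules()
    block = next(r for r in rules if r.name == "block-iot-to-main")
    rules.remove(block)
    return [block] + rules


def walk(rules):
    """Run a constructed packet sequence through a ruleset; returns {label: verdict}."""
    fw = Firewall(rules)
    laptop, bulb, plug, cam = "192.168.1.20", "192.168.20.7", "192.168.20.8", "192.168.30.4"
    sequence = [
        ("laptop-opens-bulb", Packet(laptop, bulb, "tcp", 51000, 80)),
        ("bulb-replies", Packet(bulb, laptop, "tcp", 80, 51000)),
        ("plug-probes-nas", Packet(plug, "192.168.1.10", "tcp", 40000, 445)),
        ("plug-to-ha", Packet(plug, "192.168.1.50", "tcp", 40001, 8123)),
        ("plug-mdns", Packet(plug, "224.0.0.251", "udp", 5353, 5353)),
        ("plug-to-internet", Packet(plug, "203.0.113.10", "udp", 40002, 53)),
        ("cam-to-nas", Packet(cam, "192.168.1.10", "tcp", 45000, 445)),
        ("cam-to-internet", Packet(cam, "203.0.113.10", "tcp", 45001, 443)),
        ("cam-to-laptop", Packet(cam, laptop, "tcp", 45002, 22)),
    ]
    return {label: fw.evaluate(pkt) for label, pkt in sequence}


if __name__ == "__main__":
    for label, verdict in walk(recommended_rules()).items():
        print(f"{label:18} {verdict}")
```

With the recommended order, the bulb's reply to the laptop is allowed by the established rule while the plug's unsolicited attempt to reach the NAS is blocked; with the block rule moved to the top, both the reply and the Home Assistant rule are denied, which is exactly the "devices stop responding" symptom a misordered ruleset produces.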
UniFi Express — Best Starting Point for Home VLANs
Full VLAN support, built-in controller, Wi-Fi 6. The most accessible way to get enterprise-grade network segmentation at home.