
Homelab Vlan Segmentation
Split a flat home LAN into trusted, IoT, server, and guest VLANs with trunk ports, SSID mapping, and inter-VLAN firewall rules on UniFi, pfSense, or MikroTik.
Overview
Homelab VLAN Segmentation is an agent skill most often used in Operate (also Ship security prep) that guides home network VLAN design, switch trunks, and firewall rules on UniFi, pfSense/OPNsense, and MikroTik.
Install
npx skills add https://github.com/affaan-m/everything-claude-code --skill homelab-vlan-segmentation
What is this skill?
- Contrasts flat 192.168.1.0/24 risk vs segmented VLAN 10/20/30/40 style layouts
- Covers UniFi, pfSense/OPNsense, and MikroTik configuration patterns
- Includes access vs trunk ports and SSID-to-VLAN mapping for Wi-Fi
- Stresses verifying connectivity after each firewall change in a maintenance window
- Positions VLAN isolation as a high-impact home security upgrade for IoT and guests
- Example layout uses four VLAN roles: trusted, IoT, servers, and guest with distinct /24 subnets
Adoption & trust: 1.1k installs on skills.sh; 210k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your home or homelab runs IoT, guests, and trusted gear on one broadcast domain, so compromise on a cheap device can reach your NAS and dev machines.
Who is it for?
Indie developers self-hosting services at home who want IoT and guest isolation without enterprise networking staff.
Skip if: Purely cloud-hosted products with no on-prem LAN, or teams needing formal compliance VLAN designs for regulated offices.
When should I use this skill?
Setting up VLANs on a home network, isolating IoT or guest Wi-Fi, configuring trunk/access ports and SSID-to-VLAN mapping, or troubleshooting inter-VLAN routing on pfSense/OPNsense/UniFi.
What do I get? / Deliverables
You get a segmented VLAN plan with SSID mapping and inter-VLAN firewall steps verified segment-by-segment for isolated IoT, guests, servers, and trusted clients.
- VLAN and subnet diagram
- Trunk, access, and SSID mapping checklist
- Inter-VLAN firewall rule set
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is Operate → Infra because VLAN segmentation is sustained production networking for homelab and home production, not one-off app coding. Infra subphase covers switch trunks, router firewalls, and wireless SSID-to-VLAN binding that keep services reachable while isolating risky devices.
Where it fits
Quarantine new smart-home devices on a dedicated IoT VLAN before they can reach your self-hosted API server.
Segment guest Wi-Fi ahead of exposing a homelab service to friends and beta testers.
Place agent runners and CI boxes on a server VLAN while keeping developer laptops on trusted Wi-Fi.
How it compares
Homelab-focused L2/L3 segmentation guide—not a Terraform cloud VPC module or generic Docker networking cheat sheet.
Common Questions / FAQ
Who is homelab-vlan-segmentation for?
Solo builders running UniFi, pfSense/OPNsense, or MikroTik at home who self-host APIs, agents, or NAS and need practical VLAN isolation steps.
When should I use homelab-vlan-segmentation?
During Operate infra when hardening a home lab, before exposing self-hosted apps at Ship security prep, or when guest Wi-Fi and IoT devices must not reach trusted subnets.
Is homelab-vlan-segmentation safe to install?
It describes network changes that can lock you out if misapplied; review the Security Audits panel on this page and keep console access during maintenance windows.
SKILL.md - Homelab VLAN Segmentation
# Homelab VLAN Segmentation

How to split a home network into isolated VLANs so IoT devices, guests, and your main PCs cannot talk to each other. The most impactful security upgrade for a home network.

All firewall rules shown here add isolation between segments — they do not remove existing protections. Apply changes in a maintenance window and verify connectivity between segments after each step before moving on.

## When to Use

- Setting up VLANs on a home network for the first time
- Isolating IoT devices (smart bulbs, cameras, TVs) from trusted devices
- Creating a guest Wi-Fi network that cannot reach home devices
- Explaining how VLANs work to someone unfamiliar with the concept
- Configuring trunk ports, access ports, and SSID-to-VLAN mapping
- Troubleshooting inter-VLAN routing or firewall rule issues on pfSense/OPNsense/UniFi

## How It Works

```
Without VLANs — flat network:
  All devices on 192.168.1.0/24
  Smart TV (potential malware) → can reach your NAS, PCs, everything

With VLANs:
  VLAN 10 — Trusted     192.168.10.0/24  (PCs, phones, laptops)
  VLAN 20 — IoT         192.168.20.0/24  (smart TV, bulbs, cameras)
  VLAN 30 — Servers     192.168.30.0/24  (NAS, Pi, VMs)
  VLAN 40 — Guest       192.168.40.0/24  (visitor Wi-Fi)
  VLAN 99 — Management  192.168.99.0/24  (switch/AP web UIs)

  Smart TV → blocked from reaching 192.168.10.0/24 and 192.168.30.0/24
  Guests   → internet only, cannot see any home devices
```

## VLAN Design Template

```
VLAN  Name        Subnet            Gateway        Purpose
10    trusted     192.168.10.0/24   192.168.10.1   PCs, phones, laptops
20    iot         192.168.20.0/24   192.168.20.1   Smart home devices
30    servers     192.168.30.0/24   192.168.30.1   NAS, Pi, self-hosted
40    guest       192.168.40.0/24   192.168.40.1   Visitor Wi-Fi
99    management  192.168.99.0/24   192.168.99.1   Network gear web UIs
```

## Examples

**Typical homelab with UniFi AP and managed switch:**

```
Scenario: 3-bedroom house, UniFi Dream Machine + UniFi 8-port switch + 2 APs

VLAN 10 — Trusted  192.168.10.0/24  MacBook, iPhones, iPad
VLAN 20 — IoT      192.168.20.0/24  Nest thermostat, Philips Hue, Ring doorbell, smart TVs
VLAN 30 — Servers  192.168.30.0/24  Synology NAS (192.168.30.10), Pi-hole (192.168.30.2)
VLAN 40 — Guest    192.168.40.0/24  Visitor Wi-Fi — internet only

SSID → VLAN mapping:
  "Home"  → VLAN 10  (WPA2, strong password, trusted devices only)
  "IoT"   → VLAN 20  (WPA2, separate password, printed on router for setup)
  "Guest" → VLAN 40  (WPA2, simple password you can share freely)

Switch port behavior:
  Port 1   → trunk to router (tagged VLANs 10,20,30,40,99)
  Port 2   → trunk to APs (tagged VLANs 10,20,40; AP handles per-SSID tagging)
  Port 3   → access VLAN 30 (NAS — untagged, no VLAN awareness needed)
  Port 4   → access VLAN 30 (Pi-hole — untagged)
  Port 5–8 → access VLAN 10 (wired workstations)

Firewall rules applied (all rules add isolation, none remove existing protections):
  IoT     → Trusted:        BLOCK
  IoT     → Servers:        BLOCK except 192.168.30.2:53 (Pi-hole DNS allowed)
  IoT     → Internet:       ALLOW
  Guest   → Local networks: BLOCK
  Guest   → Internet:       ALLOW
  Trusted → everywhere:     ALLOW
```

## UniFi Configuration

### Create Networks in UniFi Controller

```
Settings → Networks → Create New Network

For each VLAN:
  Name:        IoT
  Purpose:     Corporate  (gives DHCP + routing)
  VLAN ID:     20
  Network:     192.168.20.0/24
  Gateway IP:  192.168.20.1
  DHCP:        Enable
  DHCP Range:  192.168.20.100 – 192.168.20.254
```

### Map SSIDs to VLANs (UniFi)

```
Settings → WiFi → Create New WiFi

Name:      IoT-Network
Password:  <separate password>
Network:   IoT   ← select your VLAN here

# All devi
```
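The firewall rule set in the example above is only as good as its order and the checks you run after each change. The following script is an added example, not part of the skill or of the everything-claude-code repository: it models that rule set as an ordered, first-match policy with a default deny at the end (both assumptions, matching how pfSense/OPNsense and UniFi rule lists are evaluated in practice but not stated on the page), and runs a segment-by-segment checklist of constructed sample flows against it. The `Rule`, `evaluate`, `verify` and `misordered_policy` names, the sample host addresses and the TEST-NET address 203.0.113.10 standing in for "the internet" are all constructed for this example. It also shows the failure mode the page's "verify after each step" advice is meant to catch: placing the Pi-hole DNS exception below the broad IoT → Servers block silently breaks DNS for every IoT device.

```python
"""Added example: first-match model of the SKILL.md inter-VLAN firewall policy.

Assumptions (not from the page): rules are evaluated top to bottom, first match
wins, and anything unmatched is blocked (default deny).  Sample flows and the
TEST-NET address 203.0.113.10 are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# VLAN design template from SKILL.md (subnets as given on the page).
VLANS = {
    "trusted":    ipaddress.ip_network("192.168.10.0/24"),
    "iot":        ipaddress.ip_network("192.168.20.0/24"),
    "servers":    ipaddress.ip_network("192.168.30.0/24"),
    "guest":      ipaddress.ip_network("192.168.40.0/24"),
    "management": ipaddress.ip_network("192.168.99.0/24"),
}


def vlan_of(ip: str) -> Optional[str]:
    """Return the VLAN name containing ip, or None if it is off-LAN (internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    src: str                        # source VLAN name
    dst: Optional[str]              # VLAN name, "local" (any VLAN), "internet", or None (any)
    dst_host: Optional[str] = None  # optional single-host narrowing (e.g. the Pi-hole)
    dport: Optional[int] = None     # optional destination-port narrowing

    def matches(self, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        if vlan_of(src_ip) != self.src:
            return False
        dst_vlan = vlan_of(dst_ip)
        if self.dst == "internet" and dst_vlan is not None:
            return False
        if self.dst == "local" and dst_vlan is None:
            return False
        if self.dst not in (None, "local", "internet") and dst_vlan != self.dst:
            return False
        if self.dst_host is not None and ipaddress.ip_address(dst_ip) != ipaddress.ip_address(self.dst_host):
            return False
        if self.dport is not None and dport != self.dport:
            return False
        return True


def evaluate(rules: list, src_ip: str, dst_ip: str, dport: Optional[int] = None) -> str:
    """First-match evaluation; a flow no rule matches is blocked (assumed default deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "block"


# The rule set from the SKILL.md example, in the order it must be evaluated:
# the narrow Pi-hole DNS exception has to sit above the broad IoT -> Servers block.
POLICY = [
    Rule("allow", "iot", "servers", dst_host="192.168.30.2", dport=53),
    Rule("block", "iot", "trusted"),
    Rule("block", "iot", "servers"),
    Rule("allow", "iot", "internet"),
    Rule("block", "guest", "local"),
    Rule("allow", "guest", "internet"),
    Rule("allow", "trusted", None),
]

# Segment-by-segment checks to run after each change (constructed sample flows).
EXPECTED = [
    ("192.168.20.50", "192.168.10.20", 445, "block"),   # smart TV -> trusted PC (SMB)
    ("192.168.20.50", "192.168.30.10", 5000, "block"),  # smart TV -> NAS web UI
    ("192.168.20.50", "192.168.30.2", 53, "allow"),     # IoT -> Pi-hole DNS
    ("192.168.20.50", "192.168.30.2", 80, "block"),     # IoT -> Pi-hole admin UI
    ("192.168.20.50", "203.0.113.10", 443, "allow"),    # IoT -> internet
    ("192.168.40.7", "192.168.30.10", 5000, "block"),   # guest -> NAS
    ("192.168.40.7", "192.168.10.20", 22, "block"),     # guest -> trusted
    ("192.168.40.7", "203.0.113.10", 443, "allow"),     # guest -> internet
    ("192.168.10.20", "192.168.30.10", 5000, "allow"),  # trusted -> NAS
    ("192.168.10.20", "192.168.20.50", 8080, "allow"),  # trusted -> IoT (TV control)
]


def verify(rules: list, expected=EXPECTED) -> list:
    """Return a description of every flow whose verdict differs from the plan."""
    failures = []
    for src, dst, port, want in expected:
        got = evaluate(rules, src, dst, port)
        if got != want:
            failures.append(f"{src} -> {dst}:{port} expected {want}, got {got}")
    return failures


def misordered_policy() -> list:
    """Same rules, but with the DNS exception placed below the IoT -> Servers block."""
    return [POLICY[1], POLICY[2], POLICY[0]] + POLICY[3:]


if __name__ == "__main__":
    print("correct order:", verify(POLICY) or "all flows as planned")
    print("misordered:   ", verify(misordered_policy()))
```

Keep `EXPECTED` as the living checklist for your own network: add a row for every service you intend to expose across a boundary (the NAS from trusted, DNS from IoT) and every path that must stay closed, then re-run it after each rule change in the maintenance window, from a real client in each VLAN, before moving to the next step.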