I avoided VLANs on my home network for years because they sounded like a very “enterprise-level,” complicated, security-focused requirement. I presumed racks of networking gear were best suited to an IT department, not my humble homelab. My setup includes a router, a mini PC functioning as a home server, a couple of Raspberry Pis, a desktop, laptops, several phones, a game console, smart TVs, and a swarm of IoT devices.
Everything worked fine with my existing setup, or at least that’s what I thought. After setting up VLANs, I found a bunch of problems I never realized had been dragging my home network down. I had been ignoring most of them and only tweaking QoS in the hope of smoothing out performance. I initially dreaded VLANs, but segmenting my network changed many things for the better, things I hadn’t considered before.
Consistent performance with predictable behavior
Calming down the broadcast storm problem
Silencing devices’ shoutouts
Only after checking did I realize how often my devices keep hollering at other devices on the network. On a flat network, every device hears every other device, so the mDNS discovery traffic from my HomePod, media servers, and smart TVs was overwhelming. I don’t know why I wasn’t surprised when some of them could easily reach my SMB shares, which weren’t meant for them.
Since I don’t have a managed network switch, the consumer router dealt with all that noise. That explained the spikes in CPU usage and temperature even when I was simply browsing and no one was streaming any media. After segmenting my network with OPNsense on my mini PC, I made sure mDNS continued to work across VLANs for easier access and management. mDNS is link-local multicast that routers don’t forward on their own, so this takes a reflector such as OPNsense’s os-mdns-repeater plugin, and reflecting only between the VLANs that need it keeps the discovery chatter contained. With the growing number of Wi-Fi devices on my home network, segmenting them removed most of the slowdowns I often experienced while accessing or managing particular devices.
Besides segmenting the smart home devices, I also changed the backup schedules of my primary machines to late nights when I don’t use them. All these steps freed the network from the sluggishness I’d experience at times.
Stopping IoT devices from accessing everything
Segmenting smart home devices
It goes without saying that IoT devices, especially the inexpensive ones, are notoriously insecure. When I discovered that a couple of cheap smart plugs were phoning home, I got concerned, since those devices shared the network with my personal gadgets. It was shocking that those devices had open access to my SMB shares, which often carried personal documents. Clearly, leaving an SMB share of personal documents reachable from every device on the network was a mistake.
By default, all devices, trusted and untrusted alike, lived on the same flat network. So it became essential for me to expose select network shares and other services only to specific devices. Meanwhile, the smart devices on their dedicated VLAN happily talk to each other and can’t peek into folders or details not meant for them.
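To make the “internet yes, LAN no, one share as an explicit exception” policy concrete, here is an added example, not the article’s configuration or anything OPNsense ships: the pf ruleset that such an IoT VLAN boils down to, written out as plain pf.conf (OPNsense builds the same thing from its firewall GUI). The interface names (vlan10, vlan20), subnets, and the NAS address are assumptions for illustration; the script syntax-checks the result with `pfctl -n` where pf exists and falls back to a basic sanity check elsewhere.

```shell
#!/bin/sh
# Added example (not from the article or OPNsense): the pf policy for an
# IoT VLAN that may reach the internet and one chosen LAN service, nothing
# else. Interface names, subnets and the NAS address are assumptions.

IOT_IF="vlan20";  IOT_NET="10.0.20.0/24"   # smart home devices
NAS_IP="10.0.10.5"                          # hypothetical NAS on the trusted VLAN

iot_vlan_rules() {
  cat <<EOF
# Everything in RFC 1918 space is "my LAN"; anything else is the internet.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
# Default for this interface: drop and log. pf is stateful, so replies to
# flows permitted below come back without extra rules.
block in log on $IOT_IF all

# DHCP (discover comes from 0.0.0.0, so don't restrict the source) and DNS
# served by the firewall's own address on this VLAN.
pass in quick on $IOT_IF inet proto udp from any port 68 to any port 67
pass in quick on $IOT_IF inet proto { tcp udp } from $IOT_NET to ($IOT_IF) port 53

# The single deliberate exception: SMB to one host. Order matters, this
# must precede the private-space block below.
pass in quick on $IOT_IF inet proto tcp from $IOT_NET to $NAS_IP port 445

# No other access to anything private; the internet is fine.
block in log quick on $IOT_IF from $IOT_NET to <rfc1918>
pass in quick on $IOT_IF from $IOT_NET to any
EOF
}

check_rules() {
  # Parse-only check (pfctl -n never loads the rules). Without pf, e.g. on
  # a Linux box, just confirm the isolation rule is present.
  tmp=$(mktemp)
  iot_vlan_rules > "$tmp"
  if command -v pfctl >/dev/null 2>&1; then
    pfctl -nf "$tmp"
  else
    grep -q "block in log quick on $IOT_IF from $IOT_NET to <rfc1918>" "$tmp"
  fi
  rc=$?
  rm -f "$tmp"
  return $rc
}

check_rules && iot_vlan_rules
```

The two `quick` rules at the end are the whole point: a device on the IoT VLAN can open a connection to the internet, but any attempt at another private subnet is dropped and logged, which is also how you spot a smart plug probing for shares.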
QoS had stopped working most of the time
Setting boundaries helped
Even though I had set up Quality of Service on my router, I’d often find that web browsing and local media streaming stuttered. Upon investigation, I found that my nephew’s gaming sessions and torrent traffic spikes were hurting the streaming experience: all services and devices were competing for bandwidth at the same time.
I used OPNsense to shape traffic per interface, isolating torrent traffic on a separate VLAN and moving media streaming to the trusted-devices VLAN. Applying rate limits to the torrent traffic also kept it from hogging bandwidth while I streamed from my Jellyfin server locally. So even under load, streaming and gaming were fairly enjoyable without stepping on each other’s toes.
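OPNsense’s traffic shaper is a GUI over FreeBSD’s ipfw dummynet. As an added example, not the article’s own shaper settings, the following script shows the pipe, queues and classifier rules that a “cap the torrent VLAN, give the trusted VLAN priority” setup comes down to. The WAN interface name, subnets and the 40 Mbit/s upload figure are assumptions; `DRY_RUN=1` (the default) prints the ipfw commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the article's configuration): ipfw/dummynet objects
# behind a per-VLAN traffic-shaper policy. Names, subnets and the rate are
# assumptions. DRY_RUN=1 prints commands; DRY_RUN=0 runs them (root, FreeBSD).

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="igb0"
TRUSTED_NET="10.0.10.0/24"   # VLAN10: streaming and gaming
LAB_NET="10.0.30.0/24"       # VLAN30: where the torrent clients live
UPLOAD_KBIT=40000            # measured WAN upload, set ~5% below line rate

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

shape_upload() {
  # One pipe = the physical upload capacity. Capping slightly below line
  # rate keeps the bottleneck (and thus the queue) on this box, where the
  # weights below decide who waits, instead of in the ISP modem's buffer.
  run ipfw pipe 1 config bw "${UPLOAD_KBIT}Kbit/s"
  # Weighted queues sharing that pipe: when both are busy, trusted traffic
  # gets 9x the share of torrent traffic. Weights are not hard caps, so
  # torrents still get the whole pipe when nothing else is sending.
  run ipfw queue 1 config pipe 1 weight 90
  run ipfw queue 2 config pipe 1 weight 10
  # Classify outbound flows by source VLAN subnet on the WAN side.
  run ipfw add 1000 queue 1 ip from "$TRUSTED_NET" to any out xmit "$WAN_IF"
  run ipfw add 1010 queue 2 ip from "$LAB_NET" to any out xmit "$WAN_IF"
}

shape_upload
```

Putting torrent clients on their own VLAN is what makes the classifier trivial: one subnet match per queue, rather than trying to identify torrent flows by port or payload.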
Creating simpler VLANs helped
Efforts were worth it
In my minimal setup, the ASUS RT-AX88U router runs Merlin firmware, while the HP ProDesk 600 G6 runs OPNsense as a VM alongside my other VMs and acts as the router; I am considering investing in a managed switch. Following the VLAN layout suggested by my colleague, Joe Rice-Jones, my setup uses VLAN10 for primary and trusted devices (computers, NAS, and phones), VLAN20 for smart home devices, VLAN30 for home lab experimentation, and VLAN40 for guest Wi-Fi.
Each VLAN has its own subnet, and DHCP is enabled for each interface.
That’s possible with my ASUS router running Merlin firmware, which assigns SSIDs to separate Linux bridges and tags each bridge with a VLAN ID on the router’s Ethernet uplink port connecting to the mini PC running OPNsense. So OPNsense receives multiple tagged VLANs over a single Ethernet uplink (an 802.1Q trunk) and presents them as separate interfaces, each with its own firewall rules, subnet, and DHCP range.
All this was possible because I flashed Merlin firmware on the ASUS router, which unlocked features unavailable in the stock firmware.
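The two halves of that trunk, as an added example that is not from the article, Asuswrt-Merlin or OPNsense: on the access-point side, each SSID’s wireless interface is bridged to a VLAN subinterface of the uplink; on the firewall side, one vlan(4) interface per tag is created on the trunk port. The commands are generic iproute2 and FreeBSD ifconfig, so the mechanism is visible; Merlin and the OPNsense GUI wrap equivalent operations in their own tooling. Interface names (eth0, wl0.x, igb0), the SSID-to-VLAN mapping and the 10.0.<vlan>.0/24 addressing are assumptions, and `DRY_RUN=1` (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the article or either project): an 802.1Q trunk
# between a Linux AP and a FreeBSD/OPNsense firewall. Interface names, the
# SSID-to-VLAN mapping and addressing are assumptions. DRY_RUN=1 prints the
# commands; DRY_RUN=0 executes them (root, on the respective box).

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# --- Access point: SSID interface -> bridge -> tagged VLAN on the uplink ---
AP_UPLINK="eth0"
SSIDS="wl0.1:20 wl0.2:40"   # "wireless_iface:vlan_id", one bridge per SSID

ap_trunk() {
  for pair in $SSIDS; do
    wl="${pair%%:*}"; vid="${pair##*:}"
    # 802.1Q subinterface carrying this tag on the uplink
    run ip link add link "$AP_UPLINK" name "$AP_UPLINK.$vid" type vlan id "$vid"
    # A bridge joins the SSID to that tagged subinterface at layer 2 only;
    # the AP needs no IP address on it.
    run ip link add name "br$vid" type bridge
    run ip link set "$wl" master "br$vid"
    run ip link set "$AP_UPLINK.$vid" master "br$vid"
    run ip link set "$AP_UPLINK.$vid" up
    run ip link set "br$vid" up
  done
}

# --- Firewall: one vlan(4) interface per tag on the trunk port ---
FW_TRUNK="igb0"
VLANS="10 20 30 40"

fw_trunk() {
  for vid in $VLANS; do
    # OPNsense does this from Interfaces > Other Types > VLAN; the result
    # is an ordinary interface that gets its own rules and DHCP scope.
    run ifconfig "vlan$vid" create vlandev "$FW_TRUNK" vlan "$vid"
    run ifconfig "vlan$vid" inet "10.0.$vid.1/24" up
  done
}

ap_trunk
fw_trunk
```

The security-relevant detail is that the tag, not the SSID name, decides which firewall interface a frame lands on, so a client on the guest SSID cannot reach the trusted subnet unless a rule on the firewall explicitly allows it.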
VLANs made things in my home manageable
Experimenting with VLANs involves a learning curve around networking and firewall rules, and that made me aware of problems I had never managed to figure out otherwise. With dedicated VLANs for specific device groups and firewall rules between them, I ensured that smart home devices can’t bother other machines.
The overall home network feels organized and relatively responsive, rather than congested as before. With VLANs, my home server and work computers no longer have to deal with unwanted traffic from noisy devices. As I continue to add more wired devices, deploying a managed switch for a cleaner, simpler network is the next upgrade for my home lab.

