Guidance on subnetting/VLAN

General
1

Howdy,

I’d like to get some opinions on building a solid network layout for a home environment.

My current setup is:

  • Router 10

  • One switch

  • 3 × AP6 Pro access points

I’ve noticed that many YouTubers (often in the Ubiquiti/UniFi space) recommend splitting a home network into multiple subnets/VLANs, mainly for security reasons (at least that’s how I understand it).

As an example, I’m thinking about something like this:

  • 192.168.10.0/24 – Core / management (Alta / network equipment)

  • 192.168.20.0/24 – Servers (Proxmox, Home Assistant, Homey, Apple TV, Sonos, etc.)

  • 192.168.30.0/24 – Client devices (desktops, laptops, iPads, phones)

  • 192.168.40.0/24 – IoT devices (lighting, smart plugs, robot vacuum, mower, etc.)

  • 192.168.50.0/24 – Guests

I understand that Alta has AltaPass, which allows you to split the network by using different Wi-Fi passwords, but I’m curious how you guys typically do this in your own homes or small/medium office setups.

Are you actually using setups like this with multiple subnets/VLANs (not sure if I’m even using the right terminology here — I’m not a networking expert), or is this overkill for a home network?

If the main purpose is security, I’m struggling a bit to understand how this works in practice. For example:

  • My IoT devices need to communicate with Home Assistant and Homey

  • My iPhone and iPad need access to the smart hubs and media devices

At the same time, I fully understand that guest devices should only have internet access and nothing else.

So my questions are:

  • How do you handle communication between these networks in real life?

  • Do you set up static routes or firewall rules between VLANs?

  • Can access be limited to specific devices or services (for example, allowing a smart bulb to talk only to its hub)?

  • Or is all of this typically handled automatically by the router/firewall once VLANs are in place?

Any advice or real-world examples would be greatly appreciated.

Thanks!

2

I would love a write up on this as well. How to segment home networking

3

My network is still a work in progress, but here is how I currently have it set up using:

1x AP6 Pro

1 x S24 Switch,

1 x Route10

1 x Hardware Controller

Network is as follows:

3 vlans - 1, 10, and 20.

Vlan 1 is my home network

Vlan 10 is for the security cameras

Vlan 20 is the NVR

Vlan 1 is on a 10.x.x.x subnet, Vlan 10 and 20 are on a 172.x.x.x. subnet.

Wi-Fi is on Vlan 1 with 5 networks - Home (5 and 2 Ghz separate), Guest (both 5 and 2 Ghz combined), IOT only (5 and 2 Ghz separate).

No static routes are setup, however, there are firewall rules in place to prevent the cameras from reaching the internet or other networks. They can only talk to the NVR.

The Wi-Fi networks are set up using the appropriate type i.e. Standard, Guest, IOT, etc.

The Route10 provides DHCP for network devices on Vlan1 with all servers, printer and network gear utilizing static IPs.

2 Likes
4

My network have evolved continuously and looks like this at the moment:

1gbps ISP (Single mode fibre)
|
Route10
|
3 x Switch S8
|
2 x AP6 Pro (on separate switches)
wireless & wired devices like PC, NAS, SBCs, IPTV box, LG SmartTV, IoT devices, Multiroom HiFi, etc.

Hardware controller is offline at the moment, and I haven’t gotten it up and running properly again after some experimenting and major network breakdown.

WiFi SSIDs:

  • Main (VLAN 2 & 4, WPA2, Standard/Internet, multi-pwd multi VLAN)
  • Guest (VLAN 10, Internet, ditto)
  • IoT (VLANs 20, 21, 30 & 31, IoT/Internet/Standard/Internet, ditto)

VLANs:

  • 1: Network devices: Route10, SwitchS8, AP6Pro
  • 2: Main WiFi: Android devices, Win PC
  • 3: Main Wired: Win PC
  • 4: Kids WiFi (isolated): Tablets
  • 10: Guest WiFi (isolated)
  • 20: IoT: AC
  • 21: IoT (isolated): Roborock, Shelly IoT devices, etc.
  • 30: Multimedia: Multiroom HiFi, SmartTV with Cromecast
  • 31: Multimedia (isolated); IPTV, XBox
  • 40: SBCs: Raspberry Pis for Home automation and utility
  • 50: NAS: Synology NAS

Ports for wired devices/clients set to Native VLAN X and Allowed VLAN X.

Firewall with:

  • Allow Main traffic to some of the other VLANs
  • Allow some specific Multimedia to NAS and SBC
  • Allow specific return traffic from other VLANs back to Main+more
  • Drop inter-VLAN traffic to and from isolated VLANs (to still have them fully isolated of I experiment and disable final drop rule)
  • Final drop all inter-VLAN (otherwise all inter-VLAN-traffic would be allowed)

Now a lot of customization with fail2ban integration, integration of abuseipdb lookup and reporting. Also, bogon, geo and abuse IP blocking, more for experimenting than anything else :slightly_smiling_face: Furthermore, LED and link status lights control and scheduling. Tied it all together with a couple of management scripts for symlinking, path setup and cron scheduling. Also, some customization of the AP brackets and using standoffs to get slightly better cooling for the :zany_face:

2 Likes
Route10 Firmware 1.4p Released!