
Home VLANs explained: isolate your IoT devices without a networking degree

Every smart TV, doorbell, and thermostat on your network is a potential pivot point for an attacker. VLANs put each device in its own isolated segment. This guide explains how.

8 min read · 5 January 2026 · Norypt Team

The average home network in 2026 contains a remarkable number of devices: phones, laptops, smart TVs, thermostats, security cameras, voice assistants, smart light bulbs, and more. Most of these devices sit on a single flat network — the same broadcast domain, able to see and communicate with each other freely. From a security perspective, this is a significant problem. A single compromised smart bulb has network access to your laptop and NAS. VLANs are the solution, and they are more accessible to implement than their reputation suggests.

Why IoT devices are a security risk

IoT devices — the broad category of internet-connected devices that are not general-purpose computers — have a poor security track record. Manufacturers in this space compete primarily on price and features, with security frequently de-prioritised. The practical consequences are predictable:

  • Infrequent or absent firmware updates: Many IoT devices receive security patches for a year or two after release, then are abandoned. Devices remain in use for five, ten, or more years after this point, accumulating unpatched vulnerabilities.
  • Weak authentication: Default credentials — "admin/admin", "1234" — are common. Even when users change them, the underlying authentication mechanism is often weak.
  • Unnecessary network services: Many IoT devices run web servers, Telnet, SSH, or custom protocols on open ports that serve no user-facing purpose.
  • Opaque firmware: IoT firmware is typically closed-source. Independent security research is difficult. Vulnerabilities may exist and be exploited before they are discovered and patched.

When an attacker compromises an IoT device, they gain a foothold on your network. From there, they can scan for other devices, attempt lateral movement, and potentially reach machines containing your data. Network segmentation prevents this: a compromised IoT device on an isolated VLAN cannot reach your laptop even if it has been fully exploited.

What a VLAN is

A VLAN — Virtual Local Area Network — is a logical partition of a network. It allows you to create multiple separate network segments on the same physical hardware. Devices on VLAN 10 cannot directly communicate with devices on VLAN 20, even if they are connected to the same switch and the same router, unless you explicitly configure routing between them — and you control what routing is allowed.

VLANs operate at Layer 2 (the data link layer) of the OSI model. Traffic is tagged with a VLAN ID using the IEEE 802.1Q standard. Managed switches understand these tags and enforce the separation. From a device's perspective, it simply sees a network — it has no knowledge that it is segmented.

The practical goal: what you are trying to achieve

The target architecture for a home with IoT devices is straightforward in concept:

  • IoT VLAN: smart TV, thermostat, cameras, light bulbs, voice assistants. These devices can reach the internet. They cannot reach any device on your main VLAN.
  • Main VLAN: laptops, phones, tablets, NAS. These devices can reach the internet. They can optionally initiate connections to IoT devices (to control them) but IoT devices cannot initiate connections back.

The security model is asymmetric: you retain control over IoT devices from your main network, but a compromised IoT device cannot reach back to attack your machines.

What hardware you need

VLAN implementation requires hardware that understands VLAN tags:

  • Managed switch: Unlike unmanaged switches, managed switches can be configured to assign ports to VLANs and understand 802.1Q tags. Budget managed switches from TP-Link, Netgear, or Ubiquiti start from around €30–50. Unmanaged switches cannot support VLANs.
  • VLAN-capable router: Your router must be able to create and route between VLANs and apply firewall rules between them. Consumer routers running stock firmware frequently do not support this, or support it in a limited, poorly documented way. Routers running OpenWrt support VLANs fully.
  • Access point supporting multiple SSIDs: Wireless devices connect via Wi-Fi, so your access point must support multiple SSIDs — one per VLAN. Each SSID is tagged with the appropriate VLAN ID. Devices connecting to the IoT SSID land on the IoT VLAN; devices connecting to your main SSID land on the main VLAN.

OpenWrt setup in outline

On a router running OpenWrt, the VLAN setup involves three components: bridge interfaces, VLAN configuration, and firewall zones. You create a new bridge interface (for example, br-iot) and assign it a VLAN ID. You create a new firewall zone for IoT traffic and write rules specifying that this zone can reach the internet (WAN) but cannot forward traffic to the main LAN zone. You create a Wi-Fi interface with a separate SSID and associate it with the IoT bridge.

The result: any device connecting to the IoT SSID is on br-iot, in the IoT firewall zone, and the firewall rules prevent it from initiating any connection to devices on your main network. Your laptop, on the main network, can optionally be given a rule allowing it to connect to IoT device IPs — for example, to access a smart TV's control interface — without those devices being able to connect back uninitiated.
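The outline above maps onto three OpenWrt UCI files. The script below is an added example, not code from the article or from any Norypt firmware: it emits fragments for /etc/config/network, /etc/config/wireless and /etc/config/firewall, then parses the firewall fragment to confirm the forwardings are asymmetric (iot to wan exists, iot to lan does not). All names are assumptions: VLAN ID 20, subnet 192.168.20.0/24, trunk port `lan1`, radio `radio0`, zone names `lan`/`wan`/`iot`, SSID `Home-IoT`, and the Wi-Fi passphrase is a placeholder to replace.

```shell
#!/bin/sh
# Added example for the OpenWrt outline above; not from the article or the
# Norypt firmware. Generates the three config fragments (network, wireless,
# firewall) for an isolated IoT VLAN and checks the firewall forwardings are
# asymmetric. Assumed names: VLAN ID 20, subnet 192.168.20.0/24, trunk port
# 'lan1', radio 'radio0', zone names 'lan'/'wan'/'iot', SSID 'Home-IoT'.

gen_network() {
cat <<'EOF'
# /etc/config/network (fragment): 802.1Q sub-interface on the switch trunk,
# bridged into br-iot, with the router as gateway for the IoT subnet.
config device
    option name 'lan1.20'
    option type '8021q'
    option ifname 'lan1'
    option vid '20'

config device
    option name 'br-iot'
    option type 'bridge'
    list ports 'lan1.20'

config interface 'iot'
    option device 'br-iot'
    option proto 'static'
    option ipaddr '192.168.20.1'
    option netmask '255.255.255.0'
EOF
}

gen_wireless() {
cat <<'EOF'
# /etc/config/wireless (fragment): separate SSID attached to the iot network.
config wifi-iface 'iot_ap'
    option device 'radio0'
    option mode 'ap'
    option network 'iot'
    option ssid 'Home-IoT'
    option encryption 'psk2'
    option key 'REPLACE-WITH-A-LONG-PASSPHRASE'
    option isolate '1'
EOF
}

gen_firewall() {
cat <<'EOF'
# /etc/config/firewall (fragment): iot may forward to wan, lan may forward to
# iot, and there is deliberately no 'iot -> lan' forwarding. input=REJECT keeps
# IoT devices off the router itself except for the DHCP/DNS rule below.
config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'iot'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'iot'

config rule
    option name 'Allow-IoT-DHCP-DNS'
    option src 'iot'
    option proto 'tcp udp'
    option dest_port '53 67'
    option target 'ACCEPT'
EOF
}

# Print every 'src->dest' forwarding pair found in a firewall config text.
forwarding_pairs() {
    printf '%s\n' "$1" | awk '
        /^config forwarding/ { inf = 1; src = ""; next }
        /^config/            { inf = 0 }
        inf && $2 == "src"   { gsub("\047", "", $3); src = $3 }
        inf && $2 == "dest"  { gsub("\047", "", $3); print src "->" $3 }'
}

# Return 0 only if iot can forward to wan and no iot->lan forwarding exists,
# i.e. the segmentation is asymmetric as described in the text.
check_asymmetric() {
    pairs=$(forwarding_pairs "$1")
    printf '%s\n' "$pairs" | grep -qx 'iot->wan' || return 1
    printf '%s\n' "$pairs" | grep -qx 'iot->lan' && return 1
    return 0
}

# Usage: sh iot_vlan.sh print   (dumps the three fragments for review)
[ "${1:-}" = "print" ] && { gen_network; echo; gen_wireless; echo; gen_firewall; }
check_asymmetric "$(gen_firewall)" && echo "firewall fragment is asymmetric: OK"
```

The `check_asymmetric` function is the part worth keeping around: rerun it against your live `/etc/config/firewall` after any edit, because the one mistake that silently undoes the whole setup is a stray `config forwarding` from `iot` to `lan`. The `input 'REJECT'` on the zone plus the explicit DHCP/DNS rule is what lets IoT devices obtain an address and resolve names without being able to reach the router's management interface.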

Guest network as a simpler partial solution

If full VLAN configuration is beyond your current hardware or comfort level, most modern routers — including many consumer models — support a guest network feature. A guest network creates a separate SSID with client isolation: devices on the guest network can reach the internet but cannot see or communicate with devices on the main network. This is not a full VLAN implementation, but it provides meaningful isolation for IoT devices and is available on hardware you likely already own.

The limitations: guest networks typically give you no control over traffic from the main network to guest devices, offer far fewer firewall options, and often cannot tag multiple SSIDs with different VLAN IDs for use with a managed switch. For a complete setup, a VLAN-capable router is required.

What a privacy router provides pre-configured

Setting up VLANs, firewall zones, multiple SSIDs, and correctly written inter-zone rules is achievable by anyone willing to spend time in the OpenWrt documentation. The configuration is not conceptually complex, but it requires attention to detail — an incorrectly written firewall rule that allows bidirectional traffic defeats the purpose of the segmentation entirely.

A pre-configured privacy router handles this from the outset: IoT VLAN, main VLAN, correct asymmetric firewall rules, and separate SSIDs are all set up before the device ships. You connect your devices to the appropriate SSID and the segmentation is in place. The Norypt encrypted router arrives with IoT isolation pre-configured alongside DNS filtering, VPN integration, and hardened OpenWrt firmware — the complete stack, ready to deploy.
