A VLAN (Virtual Local Area Network) separates your smart home devices onto their own network segment, isolated from your computers, phones, and NAS. This improves security (a compromised smart device cannot reach your laptop), reduces unwanted cloud traffic, and gives you precise control over what devices can communicate where.
Why VLANs Matter for Smart Homes
Most smart home devices are made by small manufacturers with minimal security focus. A vulnerability in a cheap Zigbee bulb or a budget IP camera could potentially expose other devices on the same network. A VLAN limits the blast radius — a compromised IoT device on the IoT VLAN cannot directly reach your personal computer on the main VLAN.
VLANs also allow you to block smart devices from accessing the internet entirely (forcing truly local operation) while still allowing Home Assistant to communicate with them.
What You Need
- A router that supports VLANs (Ubiquiti UniFi, pfSense, OPNsense, or some prosumer routers)
- A managed network switch (for wired devices)
- A Wi-Fi access point that supports multiple SSIDs with VLAN tagging
Recommended Budget Setup
- Router: GL.iNet GL-MT6000 (Flint 2) ~$90 — runs OpenWrt, excellent VLAN support
- Switch: TP-Link TL-SG108E managed switch ~$35
- AP: TP-Link EAP670 or Ubiquiti U6 Lite ~$100
Network Architecture
VLAN 1 (Main): 192.168.1.0/24 — Computers, phones, NAS
VLAN 10 (IoT): 192.168.10.0/24 — Smart devices (Wi-Fi based)
VLAN 20 (Cameras): 192.168.20.0/24 — IP cameras (no internet access)
VLAN 30 (HA): 192.168.30.0/24 — Home Assistant hub (reaches all VLANs)Firewall Rules to Configure
- IoT VLAN to Main VLAN: Block (IoT devices cannot reach computers)
- IoT VLAN to Internet: Allow (for devices that need cloud, like Google Home)
- Camera VLAN to Internet: Block completely (cameras never phone home)
- Home Assistant VLAN to All VLANs: Allow (HA needs to reach all devices)
- Main VLAN to Home Assistant VLAN: Allow (you need to access HA)
Step: Configure Wi-Fi SSIDs
Create a separate Wi-Fi network for IoT devices (e.g., “HomeNet-IoT”) tagged to VLAN 10. Connect all Wi-Fi smart home devices to this SSID. Your personal devices stay on your main SSID.
Testing the Setup
From a device on the IoT VLAN, try to reach a device on your main VLAN (your computer IP). The connection should be blocked. From your computer (main VLAN), verify you can reach Home Assistant. From Home Assistant, verify you can reach IoT devices. If all three tests pass, your VLAN setup is working correctly.