Small Business and Home Network Setup - Separate VLANs for Everything
When your business runs from home, your work laptop and your kid's iPad should not be on the same network segment. VLANs solve this, and the setup is straightforward with modern prosumer equipment. Here is the full architecture with specific configurations.
Why a Flat Network Is a Problem
A flat network means every device can reach every other device. Your business NAS with client data sits on the same broadcast domain as the Roku TV that hasn't received a security update since 2021. Your development server is reachable from the $15 IoT temperature sensor running firmware that predates modern TLS.
This matters because lateral movement is how breaches spread. An attacker who compromises one device on a flat network can probe and attack everything else. VLANs contain the blast radius.
A flat home office network in 2026 typically has 30-80 devices - laptops, phones, tablets, smart TVs, speakers, thermostats, cameras, printers, gaming consoles. Treating all of these as equally trusted is not a security posture, it's an accident waiting to happen.
The Four-VLAN Architecture
For a combined home/small-business setup, four VLANs cover almost every scenario:
| VLAN | ID | Subnet | Purpose |
|---|---|---|---|
| Business | 10 | 10.10.10.0/24 | Work laptops, servers, NAS |
| Personal | 20 | 10.10.20.0/24 | Phones, tablets, personal laptops |
| IoT | 30 | 10.10.30.0/24 | Smart home devices, cameras |
| Guest | 40 | 10.10.40.0/24 | Visitor devices |
The VLAN IDs match the third octet of the subnet - this is a convention that makes firewall rules easier to read. VLAN 10 is 10.10.10.x, VLAN 20 is 10.10.20.x, and so on.
Hardware Requirements
You need two components:
A managed switch - Unmanaged switches pass all traffic on all ports and cannot enforce VLAN tagging. Any switch labeled "managed" or "smart" works. The TP-Link TL-SG108E ($30) handles four VLANs fine for a small office. For more ports, the UniFi USW-Lite-8-PoE ($110) integrates with UniFi's controller.
A VLAN-capable router/firewall - The consumer routers ISPs hand out generally do not support VLANs. Options:
- UniFi Dream Machine SE - easiest setup, unified controller
- pfSense on a mini PC (Protectli VP2420, ~$400) - most flexible, free software
- OPNsense - a pfSense fork with a similar feature set and a faster release cadence
UniFi is the easiest path if you don't want to manage a server. pfSense/OPNsense gives you more control.
UniFi Configuration Walkthrough
In the UniFi Network controller:
Create the VLANs (Settings > Networks > Add Network):
Name: Business
VLAN ID: 10
IP Range: 10.10.10.1/24
DHCP: Enabled, range 10.10.10.100-10.10.10.200
Name: Personal
VLAN ID: 20
IP Range: 10.10.20.1/24
DHCP: Enabled, range 10.10.20.100-10.10.20.200
Name: IoT
VLAN ID: 30
IP Range: 10.10.30.1/24
DHCP: Enabled, range 10.10.30.100-10.10.30.200
Name: Guest
VLAN ID: 40
IP Range: 10.10.40.1/24
DHCP: Enabled, range 10.10.40.100-10.10.40.200
Configure WiFi networks (Settings > WiFi):
Create separate SSIDs for each segment. You do not need to expose the VLAN numbers - "BusinessNet" and "HomeNet" and "SmartDevices" are fine names. Assign each SSID to its corresponding network.
Set firewall rules (Settings > Firewall & Security > Rules IPv4, in the LAN In ruleset):
UniFi routes between its networks freely by default, so isolation exists only once you add explicit drop rules. The rules are stateful: a Business laptop that opens a session to an IoT camera still receives the replies, so these drops only stop sessions that the less trusted side initiates. The critical rules that enforce isolation:
Rule 1 - IoT cannot reach Business:
Action: Drop
Source: IoT (10.10.30.0/24)
Destination: Business (10.10.10.0/24)
Rule 2 - IoT cannot reach Personal:
Action: Drop
Source: IoT (10.10.30.0/24)
Destination: Personal (10.10.20.0/24)
Rule 3 - Personal cannot reach Business:
Action: Drop
Source: Personal (10.10.20.0/24)
Destination: Business (10.10.10.0/24)
Rule 4 - Guest gets internet only:
Action: Drop
Source: Guest (10.10.40.0/24)
Destination: RFC1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
All VLANs retain full internet access. The rules only block inter-VLAN traffic. Because LAN In rules act on traffic being forwarded between networks, Guest clients can still obtain DHCP leases and resolve DNS from the gateway itself; if your controller version puts guest networks in a separate ruleset, confirm that DNS to the gateway remains allowed or the guest network will appear to have no internet.
pfSense Configuration
If you are on pfSense, create the VLANs under Interfaces > Assignments > VLANs, then enable each as an interface. DHCP servers go under Services > DHCP Server for each interface.
Firewall rules in pfSense go under Firewall > Rules, with a tab per interface. The logic is the same as above with one important difference: a new pfSense interface has no rules, and traffic that matches no rule is dropped, so you must add allow rules for the traffic you want as well as block rules for the traffic you don't. (DHCP to the interface's own DHCP server is permitted automatically.)
pfSense processes rules top to bottom and stops at the first match. Put narrow exceptions above the block and the catch-all internet allow below it, and never place a broad allow such as "any:80,443" above the internal block, because "any" includes the Business subnet and would let an IoT device reach the NAS web UI:
# On IoT interface tab (first match wins):
Allow: Source IoT net, Destination IoT address (the gateway), port 53 (DNS)
Block: Source IoT net, Destination 10.10.0.0/16 (all internal VLANs)
Allow: Source IoT net, Destination any (internet)
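Before trusting a rule set, it helps to evaluate it the way the firewall will. The following is an added example, not code from this page's author, UniFi or pfSense: it applies first-match evaluation to the UniFi drop rules above and to two pfSense IoT-tab orderings, a mistaken one with a broad "allow any:80,443" above the internal block and the corrected one. The client addresses and the flow list are constructed; the model is stateless, so it does not represent established/related return traffic.

```python
# Added example: first-match evaluation of the inter-VLAN rule sets on this page.
import ipaddress

# Networks from the four-VLAN table.
NETS = {
    "business": "10.10.10.0/24",
    "personal": "10.10.20.0/24",
    "iot": "10.10.30.0/24",
    "guest": "10.10.40.0/24",
    "internal": "10.10.0.0/16",
    "any": "0.0.0.0/0",
}
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def _nets(spec):
    """Expand a NETS name, a CIDR string, or a list of CIDRs into ip_network objects."""
    if isinstance(spec, list):
        return [ipaddress.ip_network(s) for s in spec]
    return [ipaddress.ip_network(NETS.get(spec, spec))]


def evaluate(rules, src_ip, dst_ip, dst_port, default="allow"):
    """Return the action of the first rule matching the flow (first match wins).
    A rule is (action, src, dst, ports); ports=None matches any port.
    `default` is what happens when nothing matches: UniFi allows, pfSense blocks."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst, ports in rules:
        if (any(s in n for n in _nets(src)) and any(d in n for n in _nets(dst))
                and (ports is None or dst_port in ports)):
            return action
    return default


# UniFi style: explicit drops, everything else allowed by default.
UNIFI_RULES = [
    ("drop", "iot", "business", None),
    ("drop", "iot", "personal", None),
    ("drop", "personal", "business", None),
    ("drop", "guest", RFC1918, None),
]

# pfSense IoT tab, mistaken ordering: the broad web allow sits above the
# internal block, and "any" includes 10.10.10.0/24.
PFSENSE_BAD = [
    ("allow", "iot", "any", {80, 443}),
    ("allow", "iot", "10.10.30.1/32", {53}),
    ("block", "iot", "internal", None),
    ("allow", "iot", "any", None),
]

# pfSense IoT tab, corrected: only the narrow DNS exception precedes the block.
PFSENSE_GOOD = [
    ("allow", "iot", "10.10.30.1/32", {53}),
    ("block", "iot", "internal", None),
    ("allow", "iot", "any", None),
]


def isolation_report(rules, default="allow"):
    """Evaluate the flows this design cares about. Constructed addresses.
    The pfSense lists are per-interface rules, so only the iot-> flows are
    meaningful for them."""
    flows = {
        "iot->business_nas_https": ("10.10.30.50", "10.10.10.5", 443),
        "iot->personal": ("10.10.30.50", "10.10.20.7", 22),
        "iot->gateway_dns": ("10.10.30.50", "10.10.30.1", 53),
        "iot->internet": ("10.10.30.50", "93.184.216.34", 443),
        "personal->business": ("10.10.20.7", "10.10.10.5", 445),
        "business->iot_camera": ("10.10.10.20", "10.10.30.50", 554),
        "guest->business": ("10.10.40.9", "10.10.10.5", 443),
        "guest->internet": ("10.10.40.9", "93.184.216.34", 443),
    }
    return {name: evaluate(rules, *flow, default=default) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, rules, default in (("unifi", UNIFI_RULES, "allow"),
                                  ("pfsense-bad", PFSENSE_BAD, "block"),
                                  ("pfsense-good", PFSENSE_GOOD, "block")):
        print(label, isolation_report(rules, default))
```

With the mistaken ordering, `iot->business_nas_https` comes back "allow": the IoT temperature sensor can reach the NAS on 443. The same check against the corrected list returns "block" while DNS to the gateway and plain internet access stay allowed.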
Wired Device Assignment
For wired devices on a managed switch, each port gets assigned to an access VLAN (untagged on that port, with the port's PVID set to the same VLAN), and the uplink to the router is a trunk that carries all four VLANs tagged:
- Ports 1-4: VLAN 10 (business devices)
- Ports 5-6: VLAN 20 (personal devices)
- Port 7: VLAN 30 (wired IoT like smart TV)
- Port 8: Trunk to router (carries all VLANs)
In UniFi, go to the switch port settings and set the "Profile" for each port. In pfSense, manage this directly in the switch's web UI.
Where AI Agents Fit In
A desktop AI agent running on the business VLAN is useful for network monitoring tasks that are too manual to script but too frequent to do by hand:
- Checking for new devices that appeared on the IoT VLAN overnight
- Verifying that firewall rule counts have not changed unexpectedly
- Summarizing bandwidth usage per VLAN from router logs
- Flagging when an IoT device starts making unusual outbound connections
The agent authenticates to the controller with a dedicated read-only account (UniFi Network exposes the HTTP API its own web UI uses; on pfSense the third-party FauxAPI package provides one) and runs on a host in the Business VLAN. Note that the account's permissions are what limit the agent, not the VLAN it sits on: a read-only role keeps it from changing rules, while placing it on the Business segment keeps the automation inside the most trusted network while still giving it visibility of every segment's clients.
# UniFi API example - list devices on IoT VLAN
import os
import requests
controller = os.environ["UNIFI_HOST"]   # controller or console address
user, password = os.environ["UNIFI_USER"], os.environ["UNIFI_PASS"]
session = requests.Session()
# Verify the controller's certificate (path to its CA bundle, or True for the
# system store). verify=False would hand the credentials to anyone on the path.
session.verify = os.environ.get("UNIFI_CA_BUNDLE", True)
# Classic controller login; UniFi OS consoles such as the UDM SE use
# /api/auth/login and prefix network API paths with /proxy/network.
session.post(f"https://{controller}/api/login",
             json={"username": user, "password": password}).raise_for_status()
devices = session.get(f"https://{controller}/api/s/default/stat/sta").json()
iot_devices = [d for d in devices["data"] if d.get("vlan") == 30]
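The checks in the list above (new IoT devices overnight, a client that moved VLANs, an IoT device talking to somewhere it never has before) reduce to comparing snapshots. The following is an added example, not Fazm's, UniFi's or this page's code: it runs those three comparisons over constructed client records shaped like the `mac`/`hostname`/`vlan` fields of the `stat/sta` response above and over a constructed list of outbound flows, so it runs offline. The MAC addresses, hostnames and destinations are made up.

```python
# Added example: snapshot-diff checks an agent could run each morning.
# All records below are constructed, not captured from a real controller.

# Last night's client list, as an agent might have stored it.
SNAPSHOT_YESTERDAY = [
    {"mac": "aa:bb:cc:00:00:01", "hostname": "living-room-tv", "vlan": 30},
    {"mac": "aa:bb:cc:00:00:02", "hostname": "thermostat", "vlan": 30},
    {"mac": "aa:bb:cc:00:00:10", "hostname": "work-laptop", "vlan": 10},
]

# This morning's pull: one unknown device on IoT, and the work laptop has
# joined the IoT SSID instead of the Business one.
SNAPSHOT_TODAY = [
    {"mac": "aa:bb:cc:00:00:01", "hostname": "living-room-tv", "vlan": 30},
    {"mac": "aa:bb:cc:00:00:02", "hostname": "thermostat", "vlan": 30},
    {"mac": "aa:bb:cc:00:00:03", "hostname": "", "vlan": 30},
    {"mac": "aa:bb:cc:00:00:10", "hostname": "work-laptop", "vlan": 30},
]

# Per-device (destination, port) pairs seen over a baseline period.
BASELINE_FLOWS = {
    "aa:bb:cc:00:00:01": {("roku-cdn.example", 443)},
    "aa:bb:cc:00:00:02": {("thermostat-cloud.example", 443)},
}

# Today's outbound flows as (mac, destination, port); 203.0.113.0/24 is a
# documentation range standing in for an arbitrary internet host.
TODAY_FLOWS = [
    ("aa:bb:cc:00:00:01", "roku-cdn.example", 443),
    ("aa:bb:cc:00:00:02", "thermostat-cloud.example", 443),
    ("aa:bb:cc:00:00:02", "203.0.113.7", 23),
]


def new_devices(previous, current, vlan):
    """Clients on `vlan` now whose MAC was not anywhere in the previous snapshot."""
    known = {c["mac"] for c in previous}
    return [c for c in current if c["vlan"] == vlan and c["mac"] not in known]


def vlan_moves(previous, current):
    """(mac, old_vlan, new_vlan) for clients that changed segment. A Business
    laptop appearing on the IoT SSID is not 'new' but still deserves a look."""
    prev = {c["mac"]: c["vlan"] for c in previous}
    return [(c["mac"], prev[c["mac"]], c["vlan"])
            for c in current if c["mac"] in prev and prev[c["mac"]] != c["vlan"]]


def unusual_outbound(baseline, flows):
    """Flows to a (destination, port) pair the device has no baseline for.
    Devices with no baseline at all have every flow flagged, which is the
    right default for something that appeared overnight."""
    return [(mac, dst, port) for mac, dst, port in flows
            if (dst, port) not in baseline.get(mac, set())]


if __name__ == "__main__":
    print("new on IoT:", new_devices(SNAPSHOT_YESTERDAY, SNAPSHOT_TODAY, 30))
    print("moved VLAN:", vlan_moves(SNAPSHOT_YESTERDAY, SNAPSHOT_TODAY))
    print("unusual outbound:", unusual_outbound(BASELINE_FLOWS, TODAY_FLOWS))
```

Keying on MAC rather than hostname matters because the unknown device reports no hostname at all, and a thermostat opening Telnet to an address it has never contacted is exactly the kind of outbound change worth surfacing, even though every rule in this design still permits it.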
Network management is exactly the kind of recurring task where an AI agent earns its place - too structured for prose notes, too variable for a fixed script.
Common Mistakes
Not segmenting printers. Printers are notoriously vulnerable and typically need to be reachable from the business VLAN. Put them on a dedicated VLAN (VLAN 50) with explicit allow rules from business devices only.
Forgetting mDNS. Apple AirPlay, Chromecast, and printer discovery use mDNS, which is link-local multicast and does not cross VLAN boundaries. If you want a device on the IoT VLAN to be castable from the Personal VLAN, you need an mDNS reflector (the Avahi package on pfSense, or the Multicast DNS setting in UniFi Network; where it sits in Settings depends on the controller version). The reflector only forwards the discovery packets; the session that follows is still subject to your firewall rules. With the rules above that works out, because Personal-initiated traffic to IoT is allowed and only IoT-initiated traffic toward Personal is dropped.
Using the default 192.168.1.0/24. It is the factory default of almost every router, so when you VPN home from a hotel, a client site or a friend's house that also uses 192.168.1.x, the routes overlap and traffic for your home network never leaves the local one. Picking a less common RFC1918 range (10.10.x.x here) avoids that.
Fazm is an open source macOS AI agent, available on GitHub.